Gentoo Forums
Questions about implementing SELinux
Jimini
Guru
Joined: 31 Oct 2006
Posts: 543
Location: Göttingen, Germany

Posted: Wed Jan 30, 2013 11:45 am    Post subject: Questions about implementing SELinux

Hey folks,

I am working on an SELinux setup on one of my Gentoo boxes. At the moment, it is running in permissive mode, so the system works fine, but AVC logs a whole bunch of denials every day, for example:
Code:
Aleph kernel: [80079.723550] type=1400 audit(1359544352.143:2218): avc:  denied  { write } for  pid=14663 comm="iptstate" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
Aleph kernel: [80079.723627] type=1400 audit(1359544352.143:2219): avc:  denied  { read } for  pid=14663 comm="iptstate" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
Aleph kernel: [80356.603170] type=1400 audit(1359544629.452:2220): avc:  denied  { name_bind } for  pid=2330 comm="busybox" src=68 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
Aleph kernel: [80475.076135] type=1400 audit(1359544748.108:2221): avc:  denied  { read write } for  pid=15261 comm="ip" path="socket:[627824]" dev="sockfs" ino=627824 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Aleph kernel: [81387.625721] type=1400 audit(1359545662.073:2222): avc:  denied  { node_bind } for  pid=27109 comm="squid" scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket
Aleph kernel: [81463.164770] type=1400 audit(1359545737.729:2223): avc:  denied  { create } for  pid=2330 comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket
Aleph kernel: [81463.221315] type=1400 audit(1359545737.785:2227): avc:  denied  { read } for  pid=2330 comm="busybox" path="socket:[633448]" dev="sockfs" ino=633448 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket
Aleph kernel: [62146.934761] type=1400 audit(1359526391.561:1956): avc:  denied  { open } for  pid=1640 comm="eix" path="/var/lib/portage/world" dev="md1" ino=1348507 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:portage_cache_t tclass=file


I identified a few applications which produce errors: eix, iptstate, busybox, squid, dnsmasq and perhaps some more. Now I am unsure what to do - should I fix the labels of the files? Or should the applications get more rights? I read http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml but I still have problems with understanding and implementing the correct contexts.

selinux-squid and selinux-dnsmasq are installed - I guess that I simply have to adjust the permissions.

To keep it short: I do not know how to react to log messages like the ones above.

Any help would be really appreciated.

Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
depontius
Advocate
Joined: 05 May 2004
Posts: 2525

Posted: Wed Jan 30, 2013 1:04 pm

I would suggest looking into Hardened Gentoo, instead. Hardened Gentoo includes SELinux, and they furnish a targeted policy. I would think it much easier to pick up a working policy from there, rather than trying to do one on your own, especially if you're not currently experienced with it.
_________________
.sigs waste space and bandwidth
Jimini
Guru
Joined: 31 Oct 2006
Posts: 543
Location: Göttingen, Germany

Posted: Wed Jan 30, 2013 3:37 pm

depontius,

thank you for your reply. Maybe I misunderstand you, but I am using a hardened kernel (3.7.0) and a correct profile (hardened/linux/amd64/no-multilib/selinux). I installed all available (and needed) policies, as shown by semodule -l:
Code:
aide    1.6.1
apache  2.6.9
application     1.2.0
arpwatch        1.10.4
authlogin       2.4.2
bootloader      1.13.2
clock   1.6.2
consoletype     1.10.0
cron    2.5.10
dhcp    1.10.1
dmesg   1.3.0
dnsmasq 1.9.2
fstools 1.15.0
getty   1.9.1
gpm     1.8.2
hostname        1.8.0
hotplug 1.15.1
init    1.19.6
iptables        1.13.1
kerberos        1.11.6
libraries       2.9.2
locallogin      1.11.1
logging 1.19.6
lvm     1.14.1
makewhatis      0.1
miscfiles       1.10.2
modutils        1.13.3
mount   1.15.0
mta     2.6.5
netutils        1.11.2
networkmanager  1.14.5
nscd    1.10.3
ntp     1.10.3
portage 1.13.7
raid    1.12.5
rpc     1.14.4
rpcbind 1.5.4
rsync   1.12.2
selinuxutil     1.17.0
shutdown        1.1.2
slocate 1.11.1
squid   1.11.2
ssh     2.3.3
staff   2.3.1
storage 1.11.0
su      1.12.0
sysadm  2.5.1
sysnetwork      1.14.6
udev    1.15.4
unprivuser      2.3.1
userdomain      4.8.5
usermanage      1.18.1
xdg     1.0.0
zabbix  1.5.3


Or did you mean that I should look for dedicated hardened support?

Best regards,
Jimini
depontius
Advocate
Joined: 05 May 2004
Posts: 2525

Posted: Wed Jan 30, 2013 4:02 pm

No, I was just suggesting that hardened would be a good place to start, and I thought that their "targeted" policy should be a good beginning.
Jimini
Guru
Joined: 31 Oct 2006
Posts: 543
Location: Göttingen, Germany

Posted: Wed Jan 30, 2013 7:29 pm

Hm, do you perhaps confuse hardened with SELinux? As far as I understand, Hardened Gentoo is a project to implement numerous security concepts - one of these is SELinux (besides grsecurity and so on).

Best regards,
Jimini
depontius
Advocate
Joined: 05 May 2004
Posts: 2525

Posted: Wed Jan 30, 2013 8:04 pm

No, in this case I saw Hardened as the easy entry point for SELinux under Gentoo.
Jimini
Guru
Joined: 31 Oct 2006
Posts: 543
Location: Göttingen, Germany

Posted: Thu Jan 31, 2013 6:14 am

But then I simply do not understand what you mean by "I would suggest looking into Hardened Gentoo, instead". :\

Best regards,
Jimini
depontius
Advocate
Joined: 05 May 2004
Posts: 2525

Posted: Thu Jan 31, 2013 3:14 pm

Your initial post left me with the impression that you were trying to roll SELinux on your own, installing it on top of regular Gentoo. I suggested that Hardened Gentoo would be a better starting point.
Jimini
Guru
Joined: 31 Oct 2006
Posts: 543
Location: Göttingen, Germany

Posted: Thu Jan 31, 2013 4:16 pm

Oh, then you got me wrong :)
I run a hardened kernel with the correct profile. SELinux seems to work so far; I just have problems with a few individual applications that seem not to have the correct permissions.

Best regards,
Jimini
Jimini
Guru
Joined: 31 Oct 2006
Posts: 543
Location: Göttingen, Germany

Posted: Sat Feb 02, 2013 1:02 pm

Oh, now it seems so simple... I installed sys-process/audit, which brings a few useful applications like audit2allow. This program reads the denial messages from (e.g.) /var/log/audit/audit.log and creates type enforcement rules.

I'll wait a few days and keep an eye on that.

Best regards,
Jimini
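As an added example (editor's code, not from the thread and not the audit2allow tool itself), the script below does what the post above describes and answers the question from the first post ("fix the labels or grant more rights?"): it parses the AVC lines quoted in the first post, collapses them into audit2allow-style `allow` rules keyed by source type, target type and object class, and then applies a few triage heuristics. The heuristics are the editor's assumptions about what each pattern usually means (a process stuck in initrc_t never transitioned to its own domain; a daemon running in sysadm_t was started from an admin shell instead of via run_init; a file denial should be checked against matchpathcon before any rule is written) and are not claims made anywhere in the thread.

```python
"""Triage SELinux AVC denials: audit2allow-style rule generation plus label-vs-policy hints.

Added example, not code from the forum thread or from audit2allow. The sample log
lines are copied from the first post; the triage heuristics are the editor's own
assumptions about what each denial pattern usually indicates.
"""
import re
from collections import defaultdict

# Sample AVC denials copied from the first post in the thread.
SAMPLE_LOG = """\
Aleph kernel: [80079.723550] type=1400 audit(1359544352.143:2218): avc:  denied  { write } for  pid=14663 comm="iptstate" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
Aleph kernel: [80079.723627] type=1400 audit(1359544352.143:2219): avc:  denied  { read } for  pid=14663 comm="iptstate" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
Aleph kernel: [80356.603170] type=1400 audit(1359544629.452:2220): avc:  denied  { name_bind } for  pid=2330 comm="busybox" src=68 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
Aleph kernel: [81387.625721] type=1400 audit(1359545662.073:2222): avc:  denied  { node_bind } for  pid=27109 comm="squid" scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket
Aleph kernel: [62146.934761] type=1400 audit(1359526391.561:1956): avc:  denied  { open } for  pid=1640 comm="eix" path="/var/lib/portage/world" dev="md1" ino=1348507 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:portage_cache_t tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; type enforcement rules only use the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def allow_rules(log_text):
    """Merge denials into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def triage(rec):
    """Editor's heuristic (assumption, not from the thread): which kind of fix a denial points at."""
    if rec["stype"] == "initrc_t":
        return ("missing-domain",
                f'{rec["comm"]} runs in initrc_t, so it never transitioned to its own domain: '
                'label its executable / install its policy module rather than widening initrc_t')
    if rec["stype"] == "sysadm_t":
        return ("started-from-shell",
                f'{rec["comm"]} runs in sysadm_t: start the daemon through the init system '
                '(run_init) so it transitions to its own domain')
    if rec["tclass"] in ("file", "dir") and "path" in rec:
        return ("check-label",
                f'compare the label of {rec["path"]} ({rec["ttype"]}) with matchpathcon; '
                'if it differs, restorecon the path instead of writing an allow rule')
    return ("policy", "no label problem visible; an allow rule or a policy boolean is the likely fix")


def triage_log(log_text):
    """Map each distinct comm in the log to its triage category."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            out.setdefault(rec["comm"], triage(rec)[0])
    return out


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    for comm, category in triage_log(SAMPLE_LOG).items():
        print(f"{comm}: {category}")
```

Run it against a real /var/log/audit/audit.log (or `dmesg` output, since the lines here came from the kernel log) and treat the `allow` lines as audit2allow does: a starting point to read, not a module to load blindly. In particular, the two initrc_t rules would widen the init-script domain for every service on the box, which is exactly what the triage output warns against.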
depontius
Advocate
Joined: 05 May 2004
Posts: 2525

Posted: Sat Feb 02, 2013 2:09 pm

I've always kind of felt that I should be running something like this, but it was always too intrusive to get started. I'll be curious to learn from your experiences.

One of the bigger problems is that in a dual-boot setting, at least when one of the boots is non-SELinux and also has access to one or more of the SELinux partitions, whenever you boot back to the SELinux it feels compelled to re-label the entire partition. That was one of the things that led me to turn it off.
Jimini
Guru
Joined: 31 Oct 2006
Posts: 543
Location: Göttingen, Germany

Posted: Sat Feb 02, 2013 6:55 pm

depontius wrote:
I've always kind of felt that I should be running something like this, but it was always too intrusive to get started. I'll be curious to learn from your experiences.

I guess I had this project on my to-do list for more than 5 years. I read a (German) book about it (http://www.amazon.de/SELinux-AppArmor-Mandatory-einsetzen-verwalten/dp/3827323630/ref=sr_1_1?ie=UTF8&qid=1359831038&sr=8-1), which explains the whole concept really well.
Afterwards, I set up the system using http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml and http://wiki.centos.org/HowTos/SELinux - but of course, you need some spare time for this stuff. Now I will check the logs over the next days, until I switch to "Enforcing" mode.

Quote:
One of the bigger problems is that in a dual-boot setting, at least when one of the boots is non-SELinux and also has access to one or more of the SELinux partitions, whenever you boot back to the SELinux it feels compelled to re-label the entire partition. That was one of the things that led me to turn it off.

Hm... you could create the file /.autorelabel on shutdown, so the whole filesystem gets relabeled on booting the SELinux OS.

Best regards,
Jimini