nsoveiko n00b
Joined: 04 Dec 2004 Posts: 53 Location: somewhere over the rainbow
Posted: Fri May 17, 2013 8:51 pm Post subject: selinux: writing local policies
I'm a SELinux noob and this is my first install with the hardened/selinux profile. After reading the SELinux handbook I decided to go with the 'strict' policy. After booting into permissive mode and examining /var/log/avc.log I found a whole bunch of denials.
1) Apparently there's no dhclient policy. audit2allow suggests rules that are way too permissive:
Code:
# grep dhclient /var/log/avc.log | audit2allow -m local_dhclient
module local_dhclient 1.0;

require {
        type dhcpc_t;
        type unreserved_port_t;
        type var_lib_t;
        class dir { write add_name };
        class udp_socket name_bind;
        class file { write create open getattr };
}

#============= dhcpc_t ==============
allow dhcpc_t unreserved_port_t:udp_socket name_bind;
allow dhcpc_t var_lib_t:dir { write add_name };
allow dhcpc_t var_lib_t:file { write create open getattr };
From what I understand, this allows wholesale writing to /var/lib and binding to any UDP port. How do I make it more restrictive?
2) I'm usually running sshd on a port different from 22. Again, audit2allow suggests allowing sshd to bind to any port:
Code:
# grep sshd /var/log/avc.log | audit2allow -m local_sshd
module local_sshd 1.0;

require {
        type reserved_port_t;
        type sshd_t;
        class tcp_socket name_bind;
}

#============= sshd_t ==============
allow sshd_t reserved_port_t:tcp_socket name_bind;
How do I properly redefine the sshd port?
Sven Vermeulen Retired Dev
Joined: 29 Aug 2002 Posts: 1345 Location: Mechelen, Belgium
Posted: Sat May 18, 2013 5:55 pm Post subject:
Regarding dhclient (dhcpc_t), try to find out what it wants to do in /var/lib. It might have a subdirectory there that shouldn't be labeled var_lib_t but dhcpc_state_t instead:
Code:
# semanage fcontext -l | grep dhclient
/etc/dhclient-script                                    regular file   system_u:object_r:dhcp_etc_t
/etc/dhclient.*conf                                     regular file   system_u:object_r:dhcp_etc_t
/etc/dhcp/dhclient\.d(/.*)?                             all files      system_u:object_r:bin_t
/etc/dhcp3?/dhclient.*                                  all files      system_u:object_r:dhcp_etc_t
/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.*   regular file   system_u:object_r:bin_t
/sbin/dhclient.*                                        regular file   system_u:object_r:dhcpc_exec_t
/var/lib/dhclient(/.*)?                                 all files      system_u:object_r:dhcpc_state_t
/var/lib/dhcp3?/dhclient.*                              all files      system_u:object_r:dhcpc_state_t
/var/run/dhclient.*                                     regular file   system_u:object_r:dhcpc_var_run_t
/var/run/nm-dhclient.*                                  all files      system_u:object_r:NetworkManager_var_run_t
If the /var/lib/dhclient directory doesn't exist by default, and dhclient creates it, it doesn't get this proper context automatically.
Since you run in permissive mode, you might just need to run restorecon -Rv /var/lib to correct the labels.
The unreserved port might be correct to add though, can't tell without looking at the AVC denial itself and perhaps dhclient code.
On the SSH port stuff, it's better to assign the non-default port the ssh_port_t type instead. Below tells SELinux that port 8022 should also be labeled ssh_port_t:
Code:
# semanage port -a -t ssh_port_t -p tcp 8022
--
Please add "[solved]" to the initial topic title when it is solved.
nsoveiko n00b
Joined: 04 Dec 2004 Posts: 53 Location: somewhere over the rainbow
Posted: Sun May 19, 2013 4:40 am Post subject:
Sven Vermeulen wrote:
    Regarding dhclient (dhcpc_t), try to find out what it wants to do in /var/lib. It might have a subdirectory there that shouldn't be labeled var_lib_t but dhcpc_state_t instead:
It writes to /var/lib/dhcp/dhclient.leases, creating that directory at runtime if necessary. And since it's not included in the policy module, it gets the default context for /var/lib. Bug?
Quote:
    The unreserved port might be correct to add though, can't tell without looking at the AVC denial itself and perhaps dhclient code.
/var/log/avc.log:
    May 19 06:31:02 spook kernel: [248066.681969] type=1400 audit(1368937862.040:197): avc: denied { name_bind } for pid=18961 comm="dhclient" src=29949 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Quote:
    On the SSH port stuff, it's better to assign the non-default port the ssh_port_t type instead. Below tells SELinux that port 8022 should also be labeled ssh_port_t:
    Code:
    # semanage port -a -t ssh_port_t -p tcp 8022
Neat! Will it survive a reboot?
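The triage the two posters are doing by hand (mislabelled path vs. unlabelled port vs. a genuine missing allow rule), as an added shell example that is not code from the thread. The sample AVC lines are constructed after the denial quoted above, and the classification heuristics are this example's own assumptions, not behaviour of audit2allow or any SELinux tool.

```shell
#!/bin/sh
# Added example, not from the thread: triage AVC denials before feeding them to
# audit2allow. A denial against a generic file type such as var_lib_t usually
# means a mislabelled path (fix: restorecon), and a name_bind denial usually
# means the port needs a label (fix: semanage port), not a new allow rule.
# Assumes non-MLS contexts of the form user:role:type, as on Gentoo's strict policy.

# Constructed sample lines, modelled on the denial quoted in the thread.
AVC_PORT='May 19 06:31:02 spook kernel: [248066.681969] type=1400 audit(1368937862.040:197): avc: denied { name_bind } for pid=18961 comm="dhclient" src=29949 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket'
AVC_DIR='May 19 06:31:03 spook kernel: [248066.700000] type=1400 audit(1368937863.000:198): avc: denied { write add_name } for pid=18961 comm="dhclient" name="dhcp" dev="sda3" ino=4711 scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:var_lib_t tclass=dir'
AVC_SSH='May 19 06:32:10 spook kernel: [248130.000000] type=1400 audit(1368937930.000:199): avc: denied { name_bind } for pid=19001 comm="sshd" src=8022 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket'

# avc_field KEY LINE: value of the KEY=value pair in an AVC line, quotes stripped.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms LINE: the permission names between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# avc_classify LINE: prints port, relabel or allow (heuristic, see header comment).
avc_classify() {
    tclass=$(avc_field tclass "$1")
    ttype=$(avc_field tcontext "$1"); ttype=${ttype##*:}
    case "$tclass:$(avc_perms "$1")" in
        tcp_socket:name_bind|udp_socket:name_bind) echo port; return ;;
    esac
    case "$tclass:$ttype" in
        dir:var_lib_t|file:var_lib_t|dir:var_t|file:var_t) echo relabel ;;
        *) echo allow ;;
    esac
}

# avc_advice LINE: a one-line suggestion for the administrator.
avc_advice() {
    comm=$(avc_field comm "$1"); stype=$(avc_field scontext "$1"); stype=${stype##*:}
    tclass=$(avc_field tclass "$1"); ttype=$(avc_field tcontext "$1"); ttype=${ttype##*:}
    case $(avc_classify "$1") in
        port)    echo "$comm ($stype): label port $(avc_field src "$1")/${tclass%_socket} with the daemon's port type (semanage port -a -t TYPE -p ${tclass%_socket} PORT) instead of allowing name_bind on $ttype" ;;
        relabel) echo "$comm ($stype): $tclass '$(avc_field name "$1")' carries generic $ttype; check semanage fcontext -l and run restorecon -Rv on the parent path" ;;
        allow)   echo "$comm ($stype): $(avc_perms "$1") on $ttype:$tclass; review before adding an allow rule" ;;
    esac
}

for line in "$AVC_PORT" "$AVC_DIR" "$AVC_SSH"; do avc_advice "$line"; done
```

On a real system, feed it `grep avc /var/log/avc.log` line by line; the relabel case is the one the thread resolved with restorecon, the port case the one resolved with semanage port.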
nsoveiko n00b
Joined: 04 Dec 2004 Posts: 53 Location: somewhere over the rainbow
Posted: Sun May 19, 2013 8:21 pm Post subject:
nsoveiko wrote:
    Neat! Will it survive a reboot?
Well, it did. Thank you!