Jimini l33t
Joined: 31 Oct 2006 Posts: 601 Location: Germany
Posted: Wed Jan 30, 2013 11:45 am Post subject: Questions about implementing SELinux |
Hey folks,
I am working on a SELinux setup on one of my Gentoo boxes. At the moment, it is running in permissive mode, so the system works fine, but AVC logs a whole bunch of denials every day, for example
Code:
Aleph kernel: [80079.723550] type=1400 audit(1359544352.143:2218): avc: denied { write } for pid=14663 comm="iptstate" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
Aleph kernel: [80079.723627] type=1400 audit(1359544352.143:2219): avc: denied { read } for pid=14663 comm="iptstate" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket
Aleph kernel: [80356.603170] type=1400 audit(1359544629.452:2220): avc: denied { name_bind } for pid=2330 comm="busybox" src=68 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket
Aleph kernel: [80475.076135] type=1400 audit(1359544748.108:2221): avc: denied { read write } for pid=15261 comm="ip" path="socket:[627824]" dev="sockfs" ino=627824 scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:initrc_t tclass=tcp_socket
Aleph kernel: [81387.625721] type=1400 audit(1359545662.073:2222): avc: denied { node_bind } for pid=27109 comm="squid" scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket
Aleph kernel: [81463.164770] type=1400 audit(1359545737.729:2223): avc: denied { create } for pid=2330 comm="busybox" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket
Aleph kernel: [81463.221315] type=1400 audit(1359545737.785:2227): avc: denied { read } for pid=2330 comm="busybox" path="socket:[633448]" dev="sockfs" ino=633448 scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=packet_socket
Aleph kernel: [62146.934761] type=1400 audit(1359526391.561:1956): avc: denied { open } for pid=1640 comm="eix" path="/var/lib/portage/world" dev="md1" ino=1348507 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:portage_cache_t tclass=file
I identified a few applications which produce errors: eix, iptstate, busybox, squid, dnsmasq and perhaps some more. Now I am unsure what to do - should I fix the labels of the files? Or should the applications get more rights? I read http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml but I still have problems with understanding and implementing the correct contexts.
selinux-squid and selinux-dnsmasq are installed - I guess that I simply have to adjust the permissions.
To keep it short: I do not know how to react to log messages like the ones above.
Any help would be really appreciated.
Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Wed Jan 30, 2013 1:04 pm Post subject: |
I would suggest looking into Hardened Gentoo, instead. Hardened Gentoo includes SELinux, and they furnish a targeted policy. I would think it much easier to pick up a working policy from there, rather than trying to do one on your own, especially if you're not currently experienced with it.
_________________
.sigs waste space and bandwidth
Jimini l33t
Joined: 31 Oct 2006 Posts: 601 Location: Germany
Posted: Wed Jan 30, 2013 3:37 pm Post subject: |
depontius,
thank you for your reply. Maybe I misunderstand you, but I am using a hardened kernel (3.7.0) and a correct profile (hardened/linux/amd64/no-multilib/selinux). I installed all available (and needed) policies, as shown by semodule -l:
Code:
aide 1.6.1
apache 2.6.9
application 1.2.0
arpwatch 1.10.4
authlogin 2.4.2
bootloader 1.13.2
clock 1.6.2
consoletype 1.10.0
cron 2.5.10
dhcp 1.10.1
dmesg 1.3.0
dnsmasq 1.9.2
fstools 1.15.0
getty 1.9.1
gpm 1.8.2
hostname 1.8.0
hotplug 1.15.1
init 1.19.6
iptables 1.13.1
kerberos 1.11.6
libraries 2.9.2
locallogin 1.11.1
logging 1.19.6
lvm 1.14.1
makewhatis 0.1
miscfiles 1.10.2
modutils 1.13.3
mount 1.15.0
mta 2.6.5
netutils 1.11.2
networkmanager 1.14.5
nscd 1.10.3
ntp 1.10.3
portage 1.13.7
raid 1.12.5
rpc 1.14.4
rpcbind 1.5.4
rsync 1.12.2
selinuxutil 1.17.0
shutdown 1.1.2
slocate 1.11.1
squid 1.11.2
ssh 2.3.3
staff 2.3.1
storage 1.11.0
su 1.12.0
sysadm 2.5.1
sysnetwork 1.14.6
udev 1.15.4
unprivuser 2.3.1
userdomain 4.8.5
usermanage 1.18.1
xdg 1.0.0
zabbix 1.5.3
Or did you mean that I should look for dedicated hardened support?
Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Wed Jan 30, 2013 4:02 pm Post subject: |
No, I was just suggesting that hardened would be a good place to start, and I thought that their "targeted" policy should be a good beginning.
_________________
.sigs waste space and bandwidth
Jimini l33t
Joined: 31 Oct 2006 Posts: 601 Location: Germany
Posted: Wed Jan 30, 2013 7:29 pm Post subject: |
Hm, do you perhaps confuse hardened with SELinux? As far as I understand, Hardened Gentoo is a project to implement numerous security concepts - one of these is SELinux (besides grsecurity and so on).
Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Wed Jan 30, 2013 8:04 pm Post subject: |
No, in this case I saw Hardened as the easy entry point for SELinux under Gentoo.
_________________
.sigs waste space and bandwidth
Jimini l33t
Joined: 31 Oct 2006 Posts: 601 Location: Germany
Posted: Thu Jan 31, 2013 6:14 am Post subject: |
But then I simply do not understand what you mean with "I would suggest looking into Hardened Gentoo, instead". :\
Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Thu Jan 31, 2013 3:14 pm Post subject: |
Your initial post left me with the impression that you were trying to roll SELinux on your own, installing it on top of regular Gentoo. I suggested that hardened Gentoo would be a better starting point.
_________________
.sigs waste space and bandwidth
Jimini l33t
Joined: 31 Oct 2006 Posts: 601 Location: Germany
Posted: Thu Jan 31, 2013 4:16 pm Post subject: |
Oh, then you got me wrong :)
I run a hardened kernel with the correct profile. SELinux seems to work so far; I just have problems with a few single applications that seem not to have the correct permissions.
Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
Jimini l33t
Joined: 31 Oct 2006 Posts: 601 Location: Germany
Posted: Sat Feb 02, 2013 1:02 pm Post subject: |
Oh, now it seems so simple... I installed sys-process/audit, which brings a few useful applications like audit2allow. This program reads the denial messages from (e.g.) /var/log/audit/audit.log and creates type enforcement rules.
I'll wait a few days and keep an eye on that.
Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
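The denial lines in the first post and the audit2allow step above describe the same workflow: group AVC denials by source type, target type and object class, and turn each group into a candidate `allow` rule. The following script is an added illustration of that workflow, not part of this thread and not the audit2allow code itself. It parses lines in the kernel format shown earlier, aggregates them audit2allow-style, and attaches a triage hint so that a file-class denial is checked for a wrong label (with `matchpathcon`/`restorecon`) before any rule is written. The sample lines are constructed for the example, modeled on the ones in the thread; `FILE_CLASSES` and the hint wording are this example's own choices.

```python
import re
from collections import defaultdict

# Matches the kernel-printed AVC line layout used in the thread:
#   ... avc: denied { read write } for pid=... comm="..." scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes that name filesystem objects: a denial here is as often a
# mislabeled file as a missing permission (example's own list).
FILE_CLASSES = {'file', 'dir', 'lnk_file', 'chr_file', 'blk_file',
                'sock_file', 'fifo_file'}

# Constructed sample input, modeled on the log excerpt from the first post.
SAMPLE_LINES = [
    'Aleph kernel: [80079.723550] type=1400 audit(1359544352.143:2218): avc: denied { write } for pid=14663 comm="iptstate" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket',
    'Aleph kernel: [80079.723627] type=1400 audit(1359544352.143:2219): avc: denied { read } for pid=14663 comm="iptstate" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:initrc_t tclass=netlink_socket',
    'Aleph kernel: [80356.603170] type=1400 audit(1359544629.452:2220): avc: denied { name_bind } for pid=2330 comm="busybox" src=68 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:dhcpc_port_t tclass=udp_socket',
    'Aleph kernel: [62146.934761] type=1400 audit(1359526391.561:1956): avc: denied { open } for pid=1640 comm="eix" path="/var/lib/portage/world" dev="md1" ino=1348507 scontext=staff_u:staff_r:staff_t tcontext=staff_u:object_r:portage_cache_t tclass=file',
]


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, value in KV_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    # A context is user:role:type[:level]; the type is what policy rules use.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            parts = rec[ctx].split(':')
            rec[ctx + '_type'] = parts[2] if len(parts) > 2 else parts[-1]
    return rec


def aggregate(lines):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or 'tclass' not in rec:
            continue
        key = (rec['scontext_type'], rec['tcontext_type'], rec['tclass'])
        rules[key].update(rec['perms'])
    return rules


def to_te_rules(rules):
    """Render the groups as type-enforcement allow rules, sorted for diffing."""
    return sorted(
        'allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(perms)))
        for (s, t, c), perms in rules.items()
    )


def triage(rules):
    """Pair each candidate rule with the check to do before adopting it."""
    hints = {}
    for (s, t, c) in rules:
        if c in FILE_CLASSES:
            hints[(s, t, c)] = ('file object: verify the label first '
                                '(matchpathcon / restorecon); allow only if the label is right')
        elif s == t:
            hints[(s, t, c)] = 'self access: usually a missing permission in the source domain'
        else:
            hints[(s, t, c)] = ('cross-domain access: check whether an existing policy '
                                'interface or boolean already covers it before adding a rule')
    return hints


if __name__ == '__main__':
    grouped = aggregate(SAMPLE_LINES)
    for rule, hint in zip(to_te_rules(grouped), (triage(grouped)[k] for k in sorted(grouped))):
        print(rule, '  #', hint)
```

Run against a real audit log with `aggregate(open('/var/log/audit/audit.log'))`; the rendered rules are a starting point for a `.te` module, and the hints are the questions the thread raises (fix the label, or grant the permission?) made explicit per rule.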
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Sat Feb 02, 2013 2:09 pm Post subject: |
I've always kind of felt that I should be running something like this, but it was always too intrusive to get started. I'll be curious to learn from your experiences.
One of the bigger problems is that in a dual-boot setting, at least when one of the boots is non-SELinux and also has access to one or more of the SELinux partitions, whenever you boot back to the SELinux it feels compelled to re-label the entire partition. That was one of the things that led me to turn it off.
_________________
.sigs waste space and bandwidth
Jimini l33t
Joined: 31 Oct 2006 Posts: 601 Location: Germany
Posted: Sat Feb 02, 2013 6:55 pm Post subject: |
depontius wrote:
    I've always kind of felt that I should be running something like this, but it was always too intrusive to get started. I'll be curious to learn from your experiences.
I guess I had this project on my to-do list for more than 5 years. I read a (German) book about it (http://www.amazon.de/SELinux-AppArmor-Mandatory-einsetzen-verwalten/dp/3827323630/ref=sr_1_1?ie=UTF8&qid=1359831038&sr=8-1), which explains the whole concept really well.
Afterwards, I set up the system using http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml and http://wiki.centos.org/HowTos/SELinux - but of course, you need some spare time for this stuff. Now I will check the logs over the next days, until I switch to "Enforcing" mode.
Quote:
    One of the bigger problems is that in a dual-boot setting, at least when one of the boots is non-SELinux and also has access to one or more of the SELinux partitions, whenever you boot back to the SELinux it feels compelled to re-label the entire partition. That was one of the things that led me to turn it off.
Hm... you could create the file /.autorelabel on shutdown. So the whole filesystem gets relabeled on booting the SELinux OS.
Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)