How can I start SELinux play machine?

Shintaro Fujiwara shintaro.fujiwara at gmail.com
Fri Feb 19 12:30:24 UTC 2010


What's sandbox showshadow?
I didn't know the sandbox command.
Pretty interesting.
But my boss doesn't know what /etc/shadow is...


2010/2/19 Daniel J Walsh <dwalsh at redhat.com>:
> On 02/18/2010 04:44 PM, Dominick Grift wrote:
>
> On 02/18/2010 10:17 PM, Shintaro Fujiwara wrote:
>
>
> Hi, I'm ready to start an SELinux server in my office for the first time, and I
> want to persuade everyone how safe the SELinux server is.
> How can I demonstrate to administrators and my boss the advantage of
> SELinux compared to other servers?
> The SELinux play machine occurred to me but it is too far, or should I just
> demonstrate it on a certain occasion for a certain purpose?
>
>
> It depends a bit on your distro and policy model.
> But generally you can demonstrate how TE enforces integrity for targeted
> system daemons.
> If you use strict policy you can also enforce integrity for user
> processes. You can also demonstrate role-based access control.
> You can demonstrate how MCS can be useful to restrict processes' access
> to objects.
> If you use the MLS model you can demonstrate enforcement of confidentiality.
> I never actually connected to the play machine but I gather it mapped the
> root Linux login to the user_u SELinux user.
> There are a lot of ways to demonstrate SELinux. You could restrict a
> simple hello world shell script and show what happens if you extend the
> script to make it do something it is not intended to do.
> Same goes for web applications. You could write a webapp and make it do
> something that SELinux policy does not allow it to do.
> Generally TE tries to prevent privilege escalation. It restricts processes.
>
>
> Thanks in advance.
>
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Simple demonstration in Fedora 12.  Create a script.
>
> cat > /usr/bin/showshadow << _EOF
> #!/bin/sh
> id
> cat /etc/shadow
> _EOF
>
> chmod +x /usr/bin/showshadow
>
> showshadow
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> root:*:::
> bin:*:14043:0:99999:7:::
> daemon:*:14043:0:99999:7:::
> adm:*:14043:0:99999:7:::
> lp:*:14043:0:99999:7:::
> sync:*:14043:0:99999:7:::
> shutdown:*:14043:0:99999:7:::
> halt:*:14043:0:99999:7:::
> mail:*:14043:0:99999:7:::
> news:*:14043:0:99999:7:::
> uucp:*:14043:0:99999:7:::
> operator:*:14043:0:99999:7:::
> games:*:14043:0:99999:7:::
> gopher:*:14043:0:99999:7:::
> ftp:*:14043:0:99999:7:::
> nobody:*:14043:0:99999:7:::
> vcsa:!!:14043:0:99999:7:::
> distcache:!!:14043:0:99999:7:::
> nscd:!!:14043:0:99999:7:::
> tcpdump:!!:14043:0:99999:7:::
>
>
> # sandbox showshadow
> uid=0 gid=0 groups=0,1,2,3,4,6,10
> context=staff_u:unconfined_r:sandbox_t:s0:c512,c625
> cat: /etc/shadow: Permission denied
>
> To see the error message:
>
> # ausearch -m avc -ts recent
> ----
> time->Thu Feb 18 17:03:36 2010
> type=PATH msg=audit(1266530616.620:1997): item=0 name="/etc/shadow"
> inode=5688120 dev=fd:01 mode=0100400 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:shadow_t:s0
> type=CWD msg=audit(1266530616.620:1997):  cwd="/tmp"
> type=SYSCALL msg=audit(1266530616.620:1997): arch=c000003e syscall=2
> success=no exit=-13 a0=7fff6bb88798 a1=0 a2=7fff6bb88120 a3=a items=1
> ppid=26934 pid=26938 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat"
> subj=staff_u:unconfined_r:sandbox_t:s0:c512,c625 key=(null)
> type=AVC msg=audit(1266530616.620:1997): avc:  denied  { open } for
> pid=26938 comm="cat" name="shadow" dev=dm-1 ino=5688120
> scontext=staff_u:unconfined_r:sandbox_t:s0:c512,c625
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
>
> grep shadow /var/log/messages
> Feb 18 17:03:42 localhost setroubleshoot: SELinux is preventing /bin/cat
> "open" access on /etc/shadow. For complete SELinux messages. run sealert -l
> 95108dbb-8254-4a00-886d-028bafa4996a
>
>
>
>



-- 
http://intrajp.no-ip.com/ Home Page
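The demo above ends with "ausearch -m avc -ts recent", whose output is hard for a non-specialist audience to read. Here is an added example (editor's code, not from anyone in this thread) that reduces such records to one line per denial, "permission source_type -> target_type (class) comm=program", plus a count per type pair. It needs only sh and awk, so it runs without SELinux; the audit records embedded in it are constructed for the example, modelled on the denial Dan quoted, and are not real logs.

```sh
#!/bin/sh
# Added example, not from the original thread: summarise "avc: denied"
# records from ausearch -m avc so the audience sees which source type was
# stopped from doing what to which target type. Needs only sh and awk.

# Constructed sample records (not real audit output), modelled on the
# showshadow denial quoted in the thread. On a real box replace this with:
#   ausearch -m avc -ts recent
SAMPLE_AVC='type=SYSCALL msg=audit(1266530616.620:1997): arch=c000003e syscall=2 success=no exit=-13 comm="cat" exe="/bin/cat" subj=staff_u:unconfined_r:sandbox_t:s0:c512,c625
type=AVC msg=audit(1266530616.620:1997): avc:  denied  { open } for  pid=26938 comm="cat" name="shadow" dev=dm-1 ino=5688120 scontext=staff_u:unconfined_r:sandbox_t:s0:c512,c625 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1266530620.101:1998): avc:  denied  { read } for  pid=26941 comm="cat" name="gshadow" dev=dm-1 ino=5688121 scontext=staff_u:unconfined_r:sandbox_t:s0:c512,c625 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1266530655.417:2003): avc:  denied  { create } for  pid=26960 comm="curl" scontext=staff_u:unconfined_r:sandbox_t:s0:c512,c625 tcontext=staff_u:unconfined_r:sandbox_t:s0:c512,c625 tclass=tcp_socket'

# Read audit records on stdin; print one line per AVC denial as
# "<perm> <source type> -> <target type> (<class>) comm=<program>".
# Non-AVC records (SYSCALL, PATH, CWD) and granted AVCs are skipped.
summarize_avc() {
    awk '
    # third field of user:role:type[:range] is the type
    function type_of(ctx,    p, n) { n = split(ctx, p, ":"); return (n >= 3) ? p[3] : ctx }
    /^type=AVC / && / denied / {
        s = index($0, "{ "); e = index($0, " }")
        perm = substr($0, s + 2, e - s - 2)
        src = tgt = cls = comm = "?"
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue
            if (kv[1] == "scontext") src = type_of(kv[2])
            else if (kv[1] == "tcontext") tgt = type_of(kv[2])
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
        }
        printf "%s %s -> %s (%s) comm=%s\n", perm, src, tgt, cls, comm
    }'
}

# Count denials per (source type -> target type (class)), most frequent first.
count_avc() {
    summarize_avc | awk '{ key = $2 " " $3 " " $4 " " $5; n[key]++ }
                         END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | count_avc
```

For the demo the interesting line is the first one: uid 0 inside the sandbox, and still "open sandbox_t -> shadow_t (file)" is denied, which is the point Dan's showshadow makes. Keep the output on a slide next to the "id" output from the same run so the boss sees that root was root and was blocked anyway.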

