RE: Limiting IPC with SELinux?
by Steve Brueckner
Stephen Smalley wrote:
> On Thu, 2005-04-14 at 16:33 -0400, Steve Brueckner wrote:
>> I need to lock down the local interprocess communications (sockets,
>> pipes, shared memory...) for a few untrusted applications under the
>> targeted policy. For example, I want to write policies for Mozilla
>> and Eclipse such that Eclipse may connect to Mozilla's tcp socket 80
>> via loopback, but Eclipse may not connect to any other process's tcp
>> socket 80 via loopback. Same thing goes for other methods of IPC.
>
> You mean apache rather than mozilla, right?
I actually do mean Mozilla, but I guess I don't mean port 80 (it's some
other high port number). Eclipse's help system launches Mozilla to access
the help docs on the local hard drive, and they communicate via loopback.
The problem for me is how to allow this, but not allow Eclipse to
communicate with any other local processes via loopback. The hard part is
that I can't make this decision based on port number; it has to be based on
the actual processes involved.
>> I suspect this means I have to figure out how to label sockets and
>> the like with special contexts as they are created. Am I on the
>> right track here? If so, how would I adjust my policies to label
>> these IPC resources on a per-process basis? Or is this not do-able
>> with SELinux?
>
> You can control network communication (loopback or otherwise) via the
> permission checks between the sending socket security context and the
> security contexts of the network interface, the destination host, and
> the destination port. These are the netif and node tcp_send
> permissions and the tcp_socket send_msg permission. Sockets are
> labeled in accordance with the creating process, so you just need to
> define a domain for eclipse.
Since I can't statically define security contexts for specific port numbers
in my policy, I may have a problem. I think my first example above
illustrates this: either Mozilla or a hostile process could be listening on
the port, so Eclipse needs to know which process is listening on that port.
For my application, I can't deny any process the right to bind to whatever
port it wants. Keep in mind that this is all happening on the local
machine, so I also can't use network interface or destination host to
differentiate, either.
>> What I'm proposing here is a little more involved than most of the
>> SELinux documentation I've found online, so any good resources would
>> be appreciated. Of course, the more that is spelled out for me in a
>> direct reply the bigger my head start will be. At this point I don't
>> even know where to begin.
>
> Possible resources:
> (...lots of good links listed here...)
Thanks for the links. I reviewed most of them a while back, but I just
refreshed myself on the networking portions.
> And going back to your original question, for INET communication, you
> can't truly do process-to-process permission checks (or even
> socket-to-peersocket permission checks) because we don't presently
> have labeled networking support (i.e. labeled network buffers and
> packets). There was experimental support for such labeled networking
> in the older SELinux (courtesy of James Morris), but the necessary
> hooks and security fields to support it were not accepted into Linux
> 2.6. Trent Jaeger of IBM has more recently implemented implicit
> packet labeling via IPSEC security associations for SELinux, but I
> don't think you need that for what you describe; the existing
> permission checks based on network interface, host, and port should
> be sufficient.
Ah, so maybe I can't do exactly what I want to do using SELinux. My network
interface and host will always be the same, so no help there. And I can't a
priori decide which ports to allow or disallow. I think what I need is the
ability to say "eclipse_t may connect only to a socket belonging to
mozilla_t," where the socket gets labeled as belonging to mozilla_t when
Mozilla first calls socket() or bind().
Also, this is not just about networking. I need to make the same
process-to-process decision for other types of IPC, such as shared memory.
However, this may be possible: I assume that unlike a socket, a shared
memory segment gets labeled with the context of the domain that created it?
So I could write a rule such as "allow eclipse_t mozilla_t:shm {read write}"
to allow Eclipse and Mozilla to share memory with each other but nobody
else? (of course now I'm just using Eclipse and Mozilla as examples; these
could be any programs).
So, based on my clarifications above, what are my chances of pulling this
off? I'm afraid that unless my understanding is fundamentally flawed, I may
be going beyond what SELinux can currently support. A shame about the
labeled networking support being shot down by the kernel folks.
Thanks,
- Steve Brueckner, ATC-NY
19 years
Limiting IPC with SELinux?
by Steve Brueckner
My understanding of the inner workings of SELinux is fairly limited, so
please speak slowly to me. I'm getting the hang of basic file and device
access, but I'm not so good with the other resources SELinux controls.
I need to lock down the local interprocess communications (sockets, pipes,
shared memory...) for a few untrusted applications under the targeted
policy. For example, I want to write policies for Mozilla and Eclipse such
that Eclipse may connect to Mozilla's tcp socket 80 via loopback, but
Eclipse may not connect to any other process's tcp socket 80 via loopback.
Same thing goes for other methods of IPC.
I suspect this means I have to figure out how to label sockets and the like
with special contexts as they are created. Am I on the right track here?
If so, how would I adjust my policies to label these IPC resources on a
per-process basis? Or is this not do-able with SELinux?
What I'm proposing here is a little more involved than most of the SELinux
documentation I've found online, so any good resources would be appreciated.
Of course, the more that is spelled out for me in a direct reply the bigger
my head start will be. At this point I don't even know where to begin.
By the way, is the Fedora list or the NSA list more appropriate for this
sort of question? I hate to double-post, but I want good exposure.
Thanks,
Stephen Brueckner, ATC-NY
19 years
Updates to yam [patch]
by David Hampton
The attached patch updates the (unused) yam policy to work with the
changes in the FC strict/1.23.10-2 policy. It also fixes httpd access
to the files yam distributes, and suppresses an access denied error
message when webalizer runs.
David
19 years
Updates to razor [patch]
by David Hampton
The attached patch updates the (unused) razor policy to work with the
changes in the FC strict/1.23.10-2 policy.
David
19 years
Re: Problem with installing a new harddisk...
by jckyau@cs.hku.hk
Hello Daniel,
dwalsh(a)redhat.com wrote:
>
> jckyau cs hku hk wrote:
> >
> > Hi,
> >
> > I am very new to SELinux, so, please bear with my ignorance.
> >
> > I have installed a Fedora Core 3 with SELinux enabled. The system
> > has been running pretty stable until I tried to install a new harddisk
> > to my system. The system fails during the booting process if I have my
> > new harddisk installed. It stops booting whenever I reach the point of
> > setting up the ppp (I rely on a PPPoE line to connect to the Internet).
> > But it boots smoothly when I have the new harddisk removed. I think it
> > is a problem with SELinux (though I am not sure) as it gives me all
> > kinds of complaints regarding permissions.
> >
> > I am pretty sure that it isn't a problem with the harddisk, as this
> > harddisk works fine when installed into another computer. I've also
> > tried to install another harddisk to my SELinux box, and got the same
> > result. Any clue??
> >
> > Many thanx in advance!
> >
>
> It needs to be labeled.
>
> touch /.autorelabel
> shutdown machine
> add disk
> boot machine
>
> --
>
Thank you for your reply. However, it didn't work for me. With
"/.autorelabel" and my new harddisk installed, the system took a
very long time to "relabel" the filesystem at the booting phase
(I guess it was my original root filesystem that it was relabeling),
and continued with the booting afterwards. But when the booting was done
(which took a very long time), my root filesystem (which is the only
filesystem on my original harddisk) was mounted read-only.
Certainly, a system with a readonly root filesystem doesn't do me any
good. More suggestions?
Thanx!
--
Joe Yau.....The Natural Born Uncle!!!
+---------------------------------------------------------------------+
| Email: jckyau(a)cs.hku.hk WWW: http://www.cs.hku.hk/~jckyau |
| |
| First they ignore you... Then they ridicule at you... |
| Then they fight you... Then you win!!! |
| -- Mahatma Gandhi |
+---------------------------------------------------------------------+
19 years
FC3 : Strict Policy and Permissive Mode
by Dan Am
Hi all,
new to the List and SElinux.
I installed FC3, patched up-to-date.
Then I switched to strict, but stayed with permissive, to just check the
scene. However, upon reboot, I could not log in as normal user, with
complaints about context. "cat /selinux/enforce" outputs "0".
Any ideas what is going on?
Regards
Dan
19 years
latest rawhide with strict policy and audit
by Russell Coker
allow $1_t self:netlink_audit_socket { create bind write nlmsg_read read };
After updating to the latest rawhide stuff I needed the above rule in sshd.te
to allow sshd to work correctly (unified diff attached). The first two
accesses (create and bind) are needed to allow sshd to work to the stage of
permitting logins. The last three are needed to stop it spewing messages.
What is this self:netlink_audit_socket access? What is the appropriate access
for such things?
newrole has the same issue, the file newrole.diff applies to
newrole_macros.te. Even after applying that patch I get an error as follows:
[root@community ~]# newrole -r sysadm_r
Authenticating root.
Password:
Error sending status request (Operation not permitted)
[root@community ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t
[root@community ~]#
I guess that this is in the new pam so local_login_t, xdm_t and other domains
will need similar changes.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
19 years
hello all, I just joined the list
by nanocurie
Hello all,
I just joined the list. I just downloaded and installed FC3, and
noticed that it had SE-Linux installed by default. I thought okay, so the
NSA now can/will take control of my secure computers. Good, if there's
anyone I'd want controlling them other than I. Then I saw the post about
setools, and saw how they can be used in an enterprise environment. Reminds
me of Active Directory. Cool. This is probably better.
Just kidding bigbrother.
I look forward to learning with you all about SElinux
nc
19 years
SVN + SELinux + Apache == Problems
by Jerry Dueitt
I have been trying to get a SVN repository set up for access via the
DAV module. I have read that you need to do various things to get this
to work on a Fedora Core 3 system. My repository lives in
/projects/svn-repos/ which is a local filesystem. I have changed group
and owner to apache for all files in that directory with chown -R
apache.apache /projects/svn-repos. This obviously didn't work due to
SELinux security contexts. I found online that I needed to do chcon -R
-h -t httpd_sys_content_t /projects/svn-repos.
I still get the following errors in my /var/log/messages:
Apr 12 21:50:39 fry kernel: audit(1113360639.475:0): avc: denied { search } for pid=7147 exe=/usr/sbin/httpd name=/ dev=dm-2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
the errors in /var/log/httpd/error_log are like:
[Tue Apr 12 22:03:03 2005] [error] [client 10.3.1.105] (20014)Error string not specified yet: Can't open file '/projects/svn-repos/format': Permission denied
[Tue Apr 12 22:03:03 2005] [error] [client 10.3.1.105] Could not fetch resource information. [500, #0]
[Tue Apr 12 22:03:03 2005] [error] [client 10.3.1.105] Could not open the requested SVN filesystem [500, #13]
[Tue Apr 12 22:03:03 2005] [error] [client 10.3.1.105] Could not open the requested SVN filesystem [500, #13]
[Tue Apr 12 22:03:03 2005] [error] [client 10.3.1.105] File does not exist: /var/www/html/favicon.ico
my /etc/http/conf.d/subversion.conf looks like:
<Location /svn-repos>
DAV svn
SVNPath /projects/svn-repos
</Location>
Most of the information online indicated people were just turning off
SELinux to avoid this problem. I was wondering if anybody could point
me in the direction of resolving this without disabling SELinux.
Thanks!
-Jerry.
19 years
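As an added illustration (not part of the original post or any reply), a small Python parser for AVC denial lines of the form quoted above: it pulls out the source and target types and flags what the quoted denial actually says, namely that the target type is file_t (the type of a file system object carrying no SELinux label) and that name=/ with ino=2 on dev=dm-2 is the root directory of that filesystem, i.e. the mount point, which a chcon -R on a subdirectory below it never touches. It assumes the filesystem on dm-2 is ext2/ext3 (root inode 2) and uses sample log lines constructed from the post's message.

```python
import re

# Constructed sample log: the AVC denial quoted in the post (unwrapped onto one
# line) plus one made-up contrasting denial against an already-labeled file.
SAMPLE_LOG = """\
Apr 12 21:50:39 fry kernel: audit(1113360639.475:0): avc: denied { search } for pid=7147 exe=/usr/sbin/httpd name=/ dev=dm-2 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Apr 12 21:50:40 fry kernel: audit(1113360640.002:0): avc: denied { read } for pid=7147 exe=/usr/sbin/httpd name=format dev=dm-2 ino=12 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    # Contexts are user:role:type (no MLS field on an FC3 policy).
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def diagnose(rec):
    """Flag what the denial tells an admin: an unlabeled target, and whether the
    target is the root directory of a filesystem (inode 2 on ext2/ext3, assumed)."""
    unlabeled = rec.get("tcontext_type") == "file_t"
    fs_root = rec.get("tclass") == "dir" and rec.get("name") == "/" and rec.get("ino") == "2"
    hint = []
    if unlabeled:
        hint.append("target has no SELinux label (file_t); it needs relabeling")
    if fs_root:
        hint.append("target is the root of the filesystem on dev=%s, i.e. its mount point; "
                    "chcon -R on a subdirectory does not relabel it" % rec.get("dev"))
    return {"unlabeled": unlabeled, "fs_root": fs_root,
            "subject": rec.get("scontext_type"), "hint": hint}


def analyze(log):
    """Parse every AVC denial in a log text and attach its diagnosis."""
    out = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            out.append((rec, diagnose(rec)))
    return out


if __name__ == "__main__":
    for rec, diag in analyze(SAMPLE_LOG):
        print("%s denied %s on %s (%s)" % (diag["subject"], " ".join(rec["perms"]),
                                          rec.get("name"), rec.get("tcontext_type")))
        for h in diag["hint"]:
            print("  -> " + h)
```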