RE: post direct-file-modification commands
by Joshua Brindle
> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
>
> Joshua Brindle wrote:
> >> From: Steve Friedman [mailto:steve@adsi-m4.com]
>
> <snip>
>
> >> Call me old-fashioned, but it is nice to be able to send a
> colleague
> >> / customer / friend a text file that can be edited,
> diffed, reviewed,
> >> archived, and updated. Policy servers are convenient for one
> >> organization, but sometimes this transfer occurs across
> organization
> >> boundaries. (Not to mention the delay between this hoped-for tool
> >> and the actual, production-ready deployment schedule...)
> >>
> >
> > That's fine, and the bug added is to export the data, but I
> am dubious
> > about the usefulness of doing so. Policies probably aren't
> going to be
> > compatible across organization boundaries in a meaningful
> way, systems
> > and policies are specific to the organization. For example,
> why would
> > you send the selinux user and linux user to selinux user
> mappings to
> > another organization?
> >
>
> You probably wouldn't send user mappings to other
> organizations but booleans, file context, port labeling, etc.
These should be directly dependent on the services being run and the
local configuration; if two organizations are running services in an
identical manner then sure, but what about all the unrelated noise?
(exporting all ports when really you are trying to configure policy for
a single service).
> are all probably fairly portable. Additionally, there are
> other uses like backup, automatic system provisioning (e.g.,
> kickstart), or integration with existing administration
> scripts and processes.
>
Agreed, the interface for this would likely be export all, something
that is not useful for the above scenario.
> The policy server is a particular kind of solution for a
> particular set of circumstances - no reason to not support
> other solutions. Especially as they are likely - as Steve
> points out - to be viable sooner.
>
That's fine, how do you suppose the exporting will work? What about
policy modules? Should it be all or nothing or do you choose which parts
you want to export? Clearly backup is a concern here, I didn't say it
wasn't, but backup can be done very simply whereas some sort of
portability of specific pieces is less trivial.
17 years
Strict policy working?
by Jimmy
Does the strict policy work at all?
I've installed FC6 4 times on 2 different PCs, and after the default
installation I've installed the strict policy package and enabled it,
relabeled the disk and rebooted it.
X boots up, but I can't log in. I get an error message, and looking deeper
into it, it says:
"Xlib: connection to ":0.0" refused by server
Xlib: no protocol specified
xrdb: Can´t open display ':0'
...
..."
When I switch off enforcing mode (setenforce 0), it works fine. I have tried
this with the latest policy and updates as well, and am seriously starting
to wonder if the policy really works "out of the box".
The reason I want the strict policy is Fedora's own description of the
strict policy:
"Strict policy works best where you have a controlled userspace. For
example, you can setup a security policy where your users are only
allowed to use the Web browser to view files on the Internet and only
allowed to download to certain directories. You could limit what
applications the Web browser can launch to /helper/ applications."
This is exactly what I want to do: I want to be able to boot up an FC6 on
my VMware machine, start a Firefox session and browse some stuff on
the web in a secure way.
Sooo... is the strict policy broken, or am I broken? ;)
With best regards / Tomten
17 years
cups-lpd
by Matthew Saltzman
Am I supposed to have to disable SELinux protection for cups-lpd in order
to use it?
After installing and enabling cups-lpd, I can't print using it from a
remote system. Disabling SELinux protection in
system-config-securitylevel clears the problem.
Nov 25 13:57:18 xxxxx kernel: audit(1164481038.379:173): avc: denied { read } for pid=11640 comm="cups-lpd" name="random" dev=tmpfs ino=2172 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
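Added example, not from the thread or from Fedora's own tooling: a small Python parser that turns AVC records like the one quoted above into candidate allow rules, the way audit2allow does, so the denied access (cupsd_lpd_t reading the random_device_t chr_file) can be reviewed and, if acceptable, put into a local policy module rather than disabling protection for the service. SAMPLE[0] is the line from the post rejoined onto one line; the remaining sample lines are constructed.

```python
# Added example: collapse SELinux AVC denials into candidate allow rules,
# in the spirit of audit2allow. Sample lines below are labelled.
import re
from collections import defaultdict

# "avc: denied { read open } for pid=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
                    r"\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the parts of one AVC record as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type[:mls]; the type is what policy rules name.
    return {"result": m.group("result"),
            "perms": set(m.group("perms").split()),
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"]}

def allow_rules(lines):
    """Merge denials by (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            merged[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

SAMPLE = [
    # The denial quoted in the post (syslog format), joined onto one line.
    'Nov 25 13:57:18 xxxxx kernel: audit(1164481038.379:173): avc: denied { read } '
    'for pid=11640 comm="cups-lpd" name="random" dev=tmpfs ino=2172 '
    'scontext=system_u:system_r:cupsd_lpd_t:s0 '
    'tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file',
    # Constructed: the same access in audit.log format, with one more permission.
    'type=AVC msg=audit(1164481100.123:180): avc:  denied  { read open } for  '
    'pid=11641 comm="cups-lpd" scontext=system_u:system_r:cupsd_lpd_t:s0 '
    'tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file',
    # Constructed: a granted record (from an auditallow rule) yields no allow rule.
    'type=AVC msg=audit(1164481101.456:181): avc:  granted  { search } for  '
    'pid=11641 comm="cups-lpd" scontext=system_u:system_r:cupsd_lpd_t:s0 '
    'tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=dir',
    # Constructed: unrelated syslog noise, which the parser must skip.
    'Nov 25 13:57:19 xxxxx cups-lpd[11640]: Unable to open temporary file',
]
```

Running `allow_rules(SAMPLE)` yields the single merged rule for cupsd_lpd_t on random_device_t; whether that access should be allowed, or the program changed, is still a policy decision for the reviewer.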
17 years
Re: fedora-selinux-list Digest, Vol 33, Issue 28
by stefano@proinco.net
This is an automatic message.
I will be away for the next few weeks. For any work-related communication, please contact the office. Regards
stefano bagnasco
17 years
Firefox on strict policy
by mantaray_1
I am attempting to get a strict policy working on my FC-6 system
(version 2.4.3-2.fc6). I have successfully created a user account, and
I can log both the root and the user account into the GUI. I am
attempting to get Firefox to work and I am having difficulties. If I
click on the Firefox icon, I see the program listed as opening, and it
stays that way for a few seconds and then disappears. If I check the
message log (/var/log/messages), there are no messages (either avc or
other) generated as a result of the attempt. This only happens when the
policy is enforcing. When the policy is not enforcing, Firefox loads
properly -- also with no messages. I have noticed that Firefox is not
writing to its .mozilla folder when the policy is enforcing, and that it
does write to several files in this folder when it loads properly. This
problem affects both my user account and the root account. Can someone
please explain why I am not receiving any error messages (or any
messages at all), and let me know what needs to be changed in order to
load Firefox?
17 years
RE: post direct-file-modification commands
by Joshua Brindle
> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
>
> Stephen Smalley wrote:
> > On Wed, 2006-11-29 at 18:41 -0500, Steve Friedman wrote:
> >> The various GUI tools are nice for getting a policy configured
> >> correctly; however, to propagate this configuration to a series of
> >> like modified machines one runs into a speed bump.
> >>
> >> The files (e.g., booleans.local) state that the semanage command
> >> should be used to modify the file; however, via the GUI I am
> >> blissfully unaware of the actual commands (and would like
> to remain so).
> >>
> >> But, it would seem that it should be perfectly legal to
> propagate the
> >> various ".local" files directly. If this is legal, what commands
> >> must be issued to cause selinux to read the various policy
> updates?
> >> If this isn't legal, then what means can be used to
> propagate the policy?
> >
> > I don't think it is "legal" in the sense that those files are the
> > private state of libsemanage and are only supposed to be
> manipulated
> > via the libsemanage interfaces by programs like semodule,
> semanage and
> > setsebool. libsemanage will ultimately support other
> backends beyond
> > just the current direct access to the local file store,
> such as access
> > to local and ultimately remote policy management daemons.
> >
> > However, I'm not sure that there is a good mechanism at
> present to do
> > what you want in a "legal" way (Joshua or Karl feel free to
> contradict
> > me if there is). If you do simply copy them over using
> your favorite
> > utility for doing so, you can run semodule -B on the target
> machine to
> > force a rebuild and reload of the kernel policy from the updated
> > policy store there. Not sure if that is exported through
> any GUI at present.
> >
>
> I think that this is needed functionality. Opened a bug -
> http://sourceforge.net/tracker/index.php?func=detail&aid=1606103&group_id=21266&atid=121266.
>
At some point in the near (hopefully) future we'll be putting the
network libsemanage backend into the library and after that a simple
daemon could be written to send policy and local changes across the
network. This would, of course, be the predecessor to a full policy
server with access control on policy changes.
17 years
post direct-file-modification commands
by Steve Friedman
The various GUI tools are nice for getting a policy configured correctly;
however, to propagate this configuration to a series of like modified
machines one runs into a speed bump.
The files (e.g., booleans.local) state that the semanage command should be
used to modify the file; however, via the GUI I am blissfully unaware of
the actual commands (and would like to remain so).
But, it would seem that it should be perfectly legal to propagate the
various ".local" files directly. If this is legal, what commands must be
issued to cause selinux to read the various policy updates? If this isn't
legal, then what means can be used to propagate the policy?
Steve Friedman
17 years
Policy for denyhosts
by Jason L Tibbitts III
I would like to revisit the issue of denyhosts and selinux and address
it properly. From what I gather from the earlier discussion, it would
be best to write a proper policy for denyhosts. Unfortunately, I'm
almost completely ignorant of what needs to happen here.
Here's some essential info about denyhosts:
Denyhosts is written in python. It runs as root either as a daemon or
spawned from cron. It consists of an executable script
(/usr/bin/denyhosts.py), some python modules in
/usr/lib/python2.4/site-packages/DenyHosts, a config file
(/etc/denyhosts.conf), and some databases under /var/lib/denyhosts.
During its operation it reads /var/log/secure, maintains databases and
such under /var/lib/denyhosts, and writes to /etc/hosts.deny. It may
also make some xmlrpc calls out over the 'net if so configured
(although by default this is not the case).
One complication is that denyhosts can call out to user-supplied
scripts which can do pretty much anything. I've no idea how to
properly handle that kind of thing.
Could someone perhaps help me to get started with a policy?
- J<
17 years
Still unconfined?
by Jimmy
Hi!
I'm trying to learn SELinux from the bottom up, but I'm having some fundamental
issues regarding the basics.
I'm trying to load the mozilla.pp module in targeted, which works fine. I
set the correct contexts with restorecon on firefox-bin. But when I run
the binary it still runs in unconfined_t when looking at running
processes (ps auxZ).
I've tried to compile it myself from different sources, and load it, but
get the same results all the time. Then I tried with netutils.pp and
discovered the same problem with ping.
Why doesn't firefox get transferred to the $1_mozilla_t domain??? I know
I'm making some really fundamental mistake somewhere, but I can't find out
what it is!
With best regards / Tomten
17 years
How to write in Tomcat webapps directory?
by Paolo D.
Good evening everybody,
I need to be able to write in the Tomcat "webapps" folder, but the default SELinux context
var_lib_t doesn't allow it.
What's the best way to accomplish this, short of a fatal "setenforce 0"?
To change the SELinux context to "User data" or "Temporary data"?
I see no boolean in the SELinux policy through which I can allow writing in this
directory, or selectively disable MAC for Tomcat....
Paolo
17 years