Managing SELinux in the Enterprise
by Douglas Brown
Hi all,
SELinux has some configuration files such as /etc/selinux/config which are easily managed with a tool like puppet. There are also modular policies that can be managed with rpms (via Satellite) and/or puppet (semodule). Finally, puppet supports enforcing booleans with 'seboolean'. However, there are a few things missing:
* SELinux user and role mappings
* Port labels (only supported in base policy or changed with semanage like so: semanage port -a -t httpd_port_t -p tcp 6312)
* Custom file labels (i.e. semanage fcontext -a -t httpd_sys_content_t "/data/www(/.*)?")
I know these can be imported and exported with semanage using the -i and -o flags; however, it's slow and doesn't easily facilitate the programmatic query and enforcement of these settings at scale using a tool like puppet. Ideally puppet could manage the .local files in /etc/selinux/targeted/modules/active/; however, Red Hat support tells me this won't work and that semanage is the only supported mechanism. Surely there's someone in the community who has a non-hackish method of dealing with this?
Is FreeIPA the solution to the user and role mappings? What about the labels?
Thanks,
Doug
9 years, 1 month
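The "programmatic query and enforcement" gap Doug describes can be closed by parsing the listing that semanage already produces and only calling semanage when the desired label is actually missing or wrong, which keeps a configuration-management run idempotent. The following is an added example, not code from the original post or from any Red Hat tool: it parses the output formats of `semanage port -l` and `semanage fcontext -l` (the sample listings are constructed here; real output has the same columns), compares them with a desired state, and returns the `semanage` command lines that would reconcile the difference. It assumes that fcontext regexes contain no whitespace and that an existing port label with a different type should be modified with `-m` rather than added with `-a`, since `semanage port -a` refuses a port that is already defined.

```python
"""Plan semanage port/fcontext changes against a desired state (added example)."""
import shlex

# Constructed sample of `semanage port -l` output (not captured from a real host).
SAMPLE_PORT_LIST = """\
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp      1-100
ssh_port_t                     tcp      22
"""

# Constructed sample of `semanage fcontext -l` output.
SAMPLE_FCONTEXT_LIST = """\
SELinux fcontext                                   type               Context

/data/www(/.*)?                                    all files          system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?                                     all files          system_u:object_r:httpd_sys_content_t:s0
"""


def parse_port_list(text):
    """Return {(proto, port): type} from `semanage port -l` output.

    Ranges such as 1-100 are expanded so membership checks are exact."""
    result = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split(None, 2)
        if len(parts) != 3:                      # blank separator line
            continue
        setype, proto, ports = parts
        for item in ports.split(','):
            lo, _, hi = item.strip().partition('-')
            for port in range(int(lo), int(hi or lo) + 1):
                result[(proto, port)] = setype
    return result


def parse_fcontext_list(text):
    """Return {regex: type} from `semanage fcontext -l` output.

    The file-class column may contain spaces ('all files'), so the regex is
    taken from the start of the line and the context from the end.
    Assumption: regexes contain no whitespace."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == 'SELinux':
            continue
        regex, context = parts[0], parts[-1]
        if context == '<<None>>':                # entry without a context
            continue
        result[regex] = context.split(':')[2]    # user:role:TYPE:level
    return result


def plan_changes(current_ports, current_fcontexts, desired_ports, desired_fcontexts):
    """Return the semanage argv lists needed to reach the desired state.

    desired_ports:     iterable of (type, proto, port)
    desired_fcontexts: iterable of (type, regex)
    A label that exists with a different type is modified (-m); a missing one
    is added (-a); a matching one produces no command."""
    cmds = []
    for setype, proto, port in desired_ports:
        have = current_ports.get((proto, port))
        if have == setype:
            continue
        cmds.append(['semanage', 'port', '-m' if have else '-a',
                     '-t', setype, '-p', proto, str(port)])
    for setype, regex in desired_fcontexts:
        have = current_fcontexts.get(regex)
        if have == setype:
            continue
        cmds.append(['semanage', 'fcontext', '-m' if have else '-a', '-t', setype, regex])
    return cmds


def main():
    plan = plan_changes(
        parse_port_list(SAMPLE_PORT_LIST),
        parse_fcontext_list(SAMPLE_FCONTEXT_LIST),
        desired_ports=[('http_port_t', 'tcp', 6312), ('ssh_port_t', 'tcp', 22)],
        desired_fcontexts=[('httpd_sys_content_t', '/data/www(/.*)?'),
                           ('httpd_sys_rw_content_t', '/data/upload(/.*)?')])
    for cmd in plan:                             # print shell-safe command lines
        print(shlex.join(cmd))


if __name__ == '__main__':
    main()
```

In a puppet or other agent run, the two listings would come from `subprocess.run(['semanage', 'port', '-l'], ...)` instead of the embedded samples, and the returned argv lists would be executed; after `semanage fcontext -a` a `restorecon -R` on the affected path is still needed to relabel existing files.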
Tips for setting up a policy dev environment
by William
Hi,
I regularly report issues with confined users in SELinux as I run as one
on my day-to-day account. Sometimes I have contributed fixes to the
policy, but this has been through fedpkg and diffs that don't really
scale well.
How do you (the main developers) set up your selinux policy, what git /
repo do you use for it, how do you build it, etc.?
Any tips would be appreciated so that I can set up a more "long lasting"
environment and hopefully get to contribute some more policy.
--
William <william(a)firstyear.id.au>
9 years, 2 months
Recent bash vulnerability and SELinux containment
by Dmitry Makovey
Hi everybody,
While the whole "bash"-storm is gaining force, is it reasonable to
develop SELinux policy prohibiting bash invocations from daemons'
contexts to have access to anything but a tiny sandbox? Has anybody
attempted such a thing?
--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
Woody Allen
When in trouble when in doubt run in circles scream and shout
http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330
9 years, 2 months
Roles in selinux
by William
Hi,
On my Fedora 20 system, I list roles and I can see:
semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
However http://www.selinuxproject.org/page/RefpolicyBasicRoleCreation
lists roles such as logadm_r etc. Is there a reason these are not in
f20?
--
William <william(a)firstyear.id.au>
9 years, 2 months
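The listing William pastes is the complete SELinux user-to-role mapping on his Fedora 20 host, and questions like "which SELinux users can ever reach sysadm_r?" or "is logadm_r mapped to anyone at all?" are easier to answer from a parsed form than by reading the columns. The following added example, which is not part of the original post, parses `semanage user -l` output (the sample is constructed from the listing above), inverts the mapping into role -> users, and reports which roles from an expected list have no user mapped to them. It makes no claim about why logadm_r is absent from the Fedora policy; it only shows how to query what is present.

```python
"""Query SELinux user/role mappings from `semanage user -l` output (added example)."""

# Constructed from the listing in the post; column alignment as semanage prints it.
SAMPLE_USER_LIST = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
"""


def parse_user_list(text):
    """Return {selinux_user: {'prefix', 'level', 'range', 'roles'}}.

    Every data line is: user, labeling prefix, MLS level, MLS range and then
    one or more roles; the two header lines and the blank separator are
    skipped because they have fewer than five fields or start with a header word."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ('Labeling', 'SELinux'):
            continue
        name, prefix, level, mls_range, *roles = parts
        users[name] = {'prefix': prefix, 'level': level,
                       'range': mls_range, 'roles': set(roles)}
    return users


def roles_to_users(users):
    """Invert the mapping: {role: set of SELinux users allowed to reach it}."""
    inverted = {}
    for name, info in users.items():
        for role in info['roles']:
            inverted.setdefault(role, set()).add(name)
    return inverted


def users_reaching(users, role):
    """Sorted list of SELinux users whose mapping includes the given role."""
    return sorted(roles_to_users(users).get(role, ()))


def unmapped_roles(users, expected_roles):
    """Roles from an expected list (e.g. a policy document) that no user on this
    system is mapped to; such a role cannot be entered by any login."""
    return sorted(set(expected_roles) - set(roles_to_users(users)))


def main():
    users = parse_user_list(SAMPLE_USER_LIST)
    print('users that can reach sysadm_r:', users_reaching(users, 'sysadm_r'))
    # Expected-role list is constructed for the demonstration, not taken from refpolicy.
    print('expected roles with no mapping:',
          unmapped_roles(users, ['logadm_r', 'sysadm_r', 'staff_r', 'user_r']))


if __name__ == '__main__':
    main()
```

Feeding the function real output (`subprocess.run(['semanage', 'user', '-l'], capture_output=True, text=True).stdout`) turns this into a quick audit of which SELinux users are permitted to transition into administrative roles, which is the part of the mapping worth reviewing whenever the policy or the login mappings change.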
Re: selinux Digest, Vol 127, Issue 13
by Ted Rule
On 29/09/2014 13:00, selinux-request(a)lists.fedoraproject.org wrote:
> Message: 2
> Date: Mon, 29 Sep 2014 10:00:00 +0200
> From: Florian Weimer <fweimer(a)redhat.com>
> To: selinux(a)lists.fedoraproject.org
> Subject: Re: SELinux and the bash exploit.
> Message-ID: <54291180.6020903(a)redhat.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 09/25/2014 11:40 PM, Daniel J Walsh wrote:
>> https://danwalsh.livejournal.com/71122.html
>
> I wonder why environment variables aren't labeled because they evidently
> cross trust boundaries in surprising fashions.
>
> -- Florian Weimer / Red Hat Product Security
Hmm. Quite so. I sense a whole raft of environmental cleansing
mechanisms being added to SELinux any minute now..
--
Ted Rule
Director, Layer3 Systems Ltd
Layer3 Systems Limited is registered in England. Company no 3130393
43 Pendle Road, Streatham, London, SW16 6RT
Tel: 020-8769-4484
Mob: 07946-908914
GPG Fingerprint = 9227:3434:b51d:c7a1:eea6:21e2:418a:8997:c104:7566
E: ejtr(a)layer3.co.uk
W: http://www.layer3.co.uk/
9 years, 2 months
Re: SELinux and the bash exploit.
by Miroslav Grepl
On 09/26/2014 09:03 AM, James Hogarth wrote:
>
>
> On 25 September 2014 22:40, Daniel J Walsh <dwalsh(a)redhat.com
> <mailto:dwalsh@redhat.com>> wrote:
>
> https://danwalsh.livejournal.com/71122.html
>
>
> Good article Dan ... it says clearly what I've been trying to drum
> into people's heads about the role it takes and how it confines the
> activity but an exploit that stays within the confines of that
> activity ... well it has to be allowed or else the standard activity
> would fail ;)
>
>
Yes. I also got a lot of questions about how SELinux helps us with this
exploit. I believe SELinux helps as much as possible here, as Dan wrote
in his blog.
Of course, there are also booleans to make a system with SELinux more
restrictive. Also confined users.
9 years, 2 months
Fwd: Query regarding role hierarchy SELinux
by Harpreet
Hello
I am doing an academic project for providing role based access with selinux.
Your blog has been of great help as I was new to SELinux.
I want to define a role hierarchy in my policy file.
And for that I was using the dominance role macro to define hierarchies.
But now I see that the dominance macro has been deprecated when I compile my
policy files.
Please suggest any other alternative for the "dominance" macro.
Thanks and regards
Harpreet
9 years, 2 months