1:21 p.m.
Some SELinux issues I've been experiencing when running in enforcing mode:
* Only my own user processes show up in top/gnome-system-monitor/ps aux,
no root or other users processes are visible.
* /lib/modules is marked with '?--------- ? ? ? ? modules' for me as
normal user, I can't even cd into it. Looks ok as root though.
* Normal user can't mount cdrom, only root can.
* fam & nautilus are the ones spewing out the most avc messages in
dmesg.
Running latest rawhide as of 2004/04/19
policy : 1.11.2-9
libselinux : 1.11.1-1
/Jacob
2:25 p.m.
On Mon, 2004-04-19 at 14:21, jacob wrote:
Some SELinux issues I've been experiencing when running in
enforcing mode:
* Only my own user processes show up in top/gnome-system-monitor/ps aux,
no root or other users processes are visible.
That's expected.
* /lib/modules is marked with '?--------- ? ? ? ? modules'
for me as
normal user, I can't even cd into it. Looks ok as root though.
That's also expected. The ??? is because user_t is denied getattr for
modules_object_t.
* Normal user can't mount cdrom, only root can.
Do you have the "user" option in /etc/fstab and the user_can_mount
tunable enabled?
* fam & nautilus are the ones spewing out the most avc messages
in
dmesg.
fam is known to be incompatible with SELinux. I'm working on a patch to
disable it if SELinux is enabled. What nautilus AVC messages are you
seeing? the /initrd one is a known issue, also on my queue of stuff to
fix.
5:57 p.m.
* Colin Walters <walters(a)redhat.com> [2004-04-19 21:26]:
On Mon, 2004-04-19 at 14:21, jacob wrote:
> * fam & nautilus are the ones spewing out the most avc messages in
> dmesg.
fam is known to be incompatible with SELinux. I'm working on a patch to
disable it if SELinux is enabled. What nautilus AVC messages are you
seeing? the /initrd one is a known issue, also on my queue of stuff to
fix.
Not sure what you mean by "incompatible". Writing policy for fam is not
difficult, in fact I have written some policy for fam some time ago
(diff against CVS attached). It is however impossible to prevent some
information leakage when using fam. The attached policy is very liberal
regarding this, allowing any userdomain to monitor any file. For a more
secure setup fam should only be able to monitor user_home_t and
user_tmp_t.
A full solution requires modifications to fam: it should check the
security context of the caller (like it does already with uid and gid)
and only monitor the files if they can be accessed by the caller.
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
Disclaimer: The quote was selected randomly. Really.
6:34 p.m.
On Wed, 2004-04-21 at 18:57, Thomas Bleher wrote:
Not sure what you mean by "incompatible". Writing policy
for fam is not
difficult, in fact I have written some policy for fam some time ago
(diff against CVS attached). It is however impossible to prevent some
information leakage when using fam. The attached policy is very liberal
regarding this, allowing any userdomain to monitor any file. For a more
secure setup fam should only be able to monitor user_home_t and
user_tmp_t.
Well, that's not the only thing that it's desirable to monitor. For
example, the GNOME theme manager monitors the theme installation
directory, so if you install a new theme, it automatically shows up in
the theme list. Similarly with the menu system.
A full solution requires modifications to fam: it should check the
security context of the caller (like it does already with uid and gid)
and only monitor the files if they can be accessed by the caller.
Right - I think someone here looked at doing that and just gave up. We
have someone working on writing a new file monitoring system, hopefully
something will happen there soon.
Anyways, I think it makes some sense to include your FAM policy as a
temporary solution for people who run SELinux and also want the file
monitoring. But I will leave that decision up to Dan Walsh, the main
policy maintainer. Hopefully he'll comment here.
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
I see you're using Arch to maintain the policy, very cool. I really
wish we could do that here. Editing patches in Emacs' diff-mode and
committing to CVS just isn't quite the same...
7:09 a.m.
On Wed, 2004-04-21 at 19:34, Colin Walters wrote:
On Wed, 2004-04-21 at 18:57, Thomas Bleher wrote:
> A full solution requires modifications to fam: it should check the
> security context of the caller (like it does already with uid and gid)
> and only monitor the files if they can be accessed by the caller.
Right - I think someone here looked at doing that and just gave up. We
have someone working on writing a new file monitoring system, hopefully
something will happen there soon.
I don't know that it would be technically difficult to modify famd to
perform such checks (and SELinux does export an API for performing such
checks that is already used by other programs), but you would still have
a situation where famd would have to be highly trusted and a potential
conduit through which domains could communicate in violation of the
policy. It would be preferable to instantiate separarate famd's per
client context.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
10:15 a.m.
On Wed, 2004-04-21 at 16:34, Colin Walters wrote:
Right - I think someone here looked at doing that and just gave up.
We
have someone working on writing a new file monitoring system, hopefully
something will happen there soon.
"file monitoring system" on what level? A fam replacement or a dnotify
replacement? I know he's employed by Novell these days, but RML seems
pretty close to replacing both of these (of course, I haven't been able
to find any code for his mysterious "kernel events layer"...)
--
Shahms King <shahms(a)shahms.com>
4:37 p.m.
* Colin Walters <walters(a)redhat.com> [2004-04-22 01:35]:
On Wed, 2004-04-21 at 18:57, Thomas Bleher wrote:
> http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
I see you're using Arch to maintain the policy, very cool. I really
wish we could do that here. Editing patches in Emacs' diff-mode and
committing to CVS just isn't quite the same...
Yeah, arch is just So Cool! I really hope it gets adopted more widely.
Right now I have some patches and cleanups in my local trees; I haven't
sent them yet because preparing patches, splitting and cleaning them
requires extra work. With arch this process would be much easier.
So I hope someone soon makes an official arch archive where merge
request can be sent to. That would really rock :-)
For the time being I will maintain my arch repository. I have attached
the small script I use to replay changes from CVS into arch. I didn't use
cscvs because I wanted to use taglines (really useful with all the file
moving).
Syncing the other way round (arch->cvs) is not done yet, but shouldn't
be too difficult; only the taglines need to be filtered out.
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
Write a wise saying, and your name will live forever.
-- Anonymous
7308
days inactive
7311
days old
selinux@lists.fedoraproject.org
6 comments
6 participants
participants (6)
-
Colin Walters -
jacob -
Shahms King -
Stephen Smalley -
Thomas Bleher -
Thomas Bleher