SELinux survey (was RE: Stupid F7 boot loop)
Rick Sewill
rsewill at cableone.net
Wed Aug 29 18:14:39 UTC 2007
On Wed, 2007-08-29 at 17:09 +0100, Alan Cox wrote:
> > Would any of you out there care to share with me any of your personal
> > experiences with SELinux being useful to you (in any way whatsoever), on
> > a single-user workstation?
>
> I leave it on and haven't had any problems with it for the past few
> releases. It makes a large subset of potentially exploitable holes turn
> into rather unexploitable ones and that to me is of value.
>
I leave it on.
I am notified by setroubleshoot when it stops something.
If I think all the errors reported by setroubleshoot are not errors,
I run a script to permit those accesses.
I got the list of commands for the script from a previous thread:
#!/bin/bash
# Build and load a local SELinux policy module from the current AVC denials.
# Usage: script [module-name] [rebuild]
#   no second argument: generate a new module (name, name1, name2, ...)
#   any second argument: recompile and reload every existing <name>*.te
mkdir -p /root/selinux
pushd /root/selinux
declare name="${1:-local}"
declare rebuild="${2}"
if [ -z "${rebuild}" ]
then
    # pick a module name that does not collide with an existing .te file
    declare origname="${name}"
    declare -i index=1
    while [ -e "${name}.te" ]
    do
        name="${origname}${index}"
        let index++
    done
    audit2allow -m ${name} -l -i /var/log/audit/audit.log > ${name}.te
    checkmodule -M -m -o ${name}.mod ${name}.te
    semodule_package -o ${name}.pp -m ${name}.mod
    semodule -i ${name}.pp
else
    # ${i} already ends in .te, so strip the suffix before naming the outputs
    for i in ${name}*.te
    do
        base="${i%.te}"
        checkmodule -M -m -o ${base}.mod ${i}
        semodule_package -o ${base}.pp -m ${base}.mod
        semodule -i ${base}.pp
    done
fi
popd
My list of exceptions is kept in the directory /root/selinux.
Each time selinux or the target policy for selinux gets updated I remove
the /root/selinux directory and create a new list of exceptions when
setroubleshoot notifies me.
What I am doing requires I look at each notification message and decide
if the message really is bogus. If I guess wrong, I will be creating a
security hole. My hope is the list of notifications remains minimal.
At this moment, I have one file, generated by the
script, /root/selinux/local.te, which contains:
module local 1.0;
require {
        type var_lib_nfs_t;
        type httpd_t;
        type system_dbusd_t;
        class dbus send_msg;
        class dir search;
}
#============= httpd_t ==============
allow httpd_t system_dbusd_t:dbus send_msg;
allow httpd_t var_lib_nfs_t:dir search;
I do not claim to know what these exceptions actually do.
I feel comfortable with these exceptions because I use iptables to whitelist
list IP addresses that may access my computer. If your IP address is
not on my list, for the service I want you to access, iptables is set to
drop the incoming packet from you.
Disclaimer: I want to leave selinux on. I do not pretend to understand
how to properly control/configure selinux. I created the script by
reading threads on this mailing list. If the script does not work or
does something bad, please communicate problems to the mailing list.
This mailing list, or other mailing lists, will be able to give help
with selinux. Any help from me will be the blind leading the blind.
I would appreciate comments from people who do understand selinux on
what I have done.
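The review step Rick describes, deciding whether each denial is bogus before feeding it to audit2allow, as an added example that is not part of the original post or of any tool it mentions: a shell script that summarizes the AVC denials in an audit log by source type, target type, class and permission, and lists the ones that an existing local.te does not already allow. The function names summarize_avc and new_denials, the embedded audit records and the embedded .te contents are all constructed for this example.

```shell
#!/bin/bash
# Added example (not from the original post): summarize AVC denials from an
# audit log and show which ones the existing local module does not already
# allow, so each one can be judged before audit2allow turns it into a rule.
# Function names and the sample data below are constructed for this example.

# Constructed sample in the format of /var/log/audit/audit.log.
SAMPLE_AVC='type=AVC msg=audit(1188410000.123:456): avc:  denied  { send_msg } for  pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus
type=AVC msg=audit(1188410001.456:457): avc:  denied  { search } for  pid=2345 comm="httpd" name="nfs" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir
type=AVC msg=audit(1188410002.789:458): avc:  denied  { search } for  pid=2346 comm="httpd" name="nfs" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir
type=AVC msg=audit(1188410003.000:459): avc:  denied  { write } for  pid=2347 comm="httpd" name="shadow" dev=sda1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Constructed copy of the kind of module the post shows in /root/selinux/local.te.
SAMPLE_TE='module local 1.0;
require {
        type var_lib_nfs_t;
        type httpd_t;
        type system_dbusd_t;
        class dbus send_msg;
        class dir search;
}
allow httpd_t system_dbusd_t:dbus send_msg;
allow httpd_t var_lib_nfs_t:dir search;'

# summarize_avc: read audit records on stdin and print one line per distinct
# "<count> <source type> <target type> <class> <permission>", most frequent first.
summarize_avc() {
    awk '
        /type=AVC/ && /avc: +denied/ {
            s = ""; t = ""; c = ""
            # permissions sit between the braces: "{ read write }"
            b = index($0, "{"); e = index($0, "}")
            perms = substr($0, b + 1, e - b - 1)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext")      { split(kv[2], p, ":"); s = p[3] }
                else if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
                else if (kv[1] == "tclass")   c = kv[2]
            }
            n = split(perms, plist, " ")
            for (j = 1; j <= n; j++) count[s " " t " " c " " plist[j]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# new_denials TE_FILE: pass through only the summary lines (from stdin) whose
# (source, target, class, permission) is not already granted by an allow rule
# in TE_FILE. Handles both "allow a b:c p;" and "allow a b:c { p q };".
new_denials() {
    awk -v te="$1" '
        BEGIN {
            while ((getline line < te) > 0) {
                sub(/^[ \t]+/, "", line)
                if (line !~ /^allow /) continue
                gsub(/[;{}]/, " ", line)
                n = split(line, f, /[ \t:]+/)
                # f[2]=source type, f[3]=target type, f[4]=class, f[5..]=permissions
                for (j = 5; j <= n; j++)
                    if (f[j] != "") allowed[f[2] " " f[3] " " f[4] " " f[j]] = 1
            }
            close(te)
        }
        {
            if (NF >= 5) {
                key = $2 " " $3 " " $4 " " $5
                if (!(key in allowed)) print
            }
        }
    '
}

# Demonstration on the constructed sample only; it never reads /var/log/audit.
tefile=$(mktemp)
printf '%s\n' "$SAMPLE_TE" > "$tefile"
echo "All denials:"
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
echo "Not yet covered by local.te:"
printf '%s\n' "$SAMPLE_AVC" | summarize_avc | new_denials "$tefile"
rm -f "$tefile"
```

Against a real system the same two functions would be run as `summarize_avc < /var/log/audit/audit.log | new_denials /root/selinux/local.te`. On the constructed sample the only line that survives the filter is httpd_t asking to write a shadow_t file, which is exactly the kind of denial that should stay denied rather than be added to the module; the summary makes that decision visible before audit2allow is ever run.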