There is a sublte difference between trolling and ...

Oh what the hell, yes selinux is a PITA.

Its only really useful on systems that only do one thing and you can
spend the hours/days/months to tweak all the things that cause
exceptions. Setting everything with chattr, etc

There is also AppArmour on Ubuntu, same levels of headfsck. I moved to
Debian to avoid it.

Kim

On Wed, 10 Sep 2014 03:15:59 +0930
I was going to say much the same as Kim.
Unusable != Secure. Pretty much grabs it.

Buying into the culture is also a pain.
AppArmor is also um unevenly approached.
I was under the impression that 'Buntu was walking slowly away from it..
but I'm usually wrong about that sort of thing)

Security is not a wallpaper.
Pasting it on is (self) delusional.
But hey it makes the folks feel better and has some real utility so why
not :)

(sorry my bad and jaded and pre caffeinated)

We do have choice.
You want a secure system drive a toaster.
Else plan on an invasion, even corrosion over time.


-- Pete <gossner at internode.on.net>
Wednesday 10 September 07:43:01 ACST 2014
As long as there are sovereign nations possessing great power,
war is inevitable.
--Albert Einstein "Einstein on the Atomic Bomb"

In my current job there is a culture to use selinux where it makes
sense. Nearly all applications run on dedicated VMs, and with selinux
enabled.

Today in the RedHat world (maybe beyond) the default policy is targeted
and the provided default rules are good. You get a working system with
selinux enabled out of the box. Good place to start.

Most tools eg ls have a -Z flag to display selinux info. You need to be
aware that copying a file from one place to another does not update its
context to be correct for the new location, so it is advisable to be
mindful of moves and run restorecon on the destination path after moving
files around. restorecon will update selinux permissions that need to be
updated and report what was changed when in verbose mode.

Other than that, you can get most apps working by running the system in
permissive mode for testing or in production with real users hammering
it until you know the application has been solidly used. Then use tools
like audit2why to provide some clearer insight as to whats been logged
to the audit log (things which would have been blocked, but wernt) and
audit2allow to generate policies which will allow the behaviour
observed. Probably the rules wont be too complex and you can tweak by
hand if something looks too restrictive.

For example, a light weight monitoring cgi which runs under apache and
reports if a process is alive. This needs more access than apache has
out of the box. Without a deep understanding of selinux internals you
can make a policy and get it working with:

# disable enforcement of selinux so the app will run in full
[root at process01 ~]# setenforce 0

# check the existing context on new file(s)
[root at process01 ~]# ls -Z /var/www/cgi-bin/status.cgi
-rw-rw-r--. root root
unconfined_u:object_r:user_home_t:s0 /var/www/cgi-bin/status.cgi

# see if they are correct for the system, and fix if they arn't
[root at process01 ~]# restorecon -rv /var/www/cgi-bin/
restorecon reset /var/www/cgi-bin/status.cgi context
unconfined_u:object_r:user_home_t:s0->unconfined_u:object_r:httpd_sys_script_exec_t:s0

# optionally inspect he new context
[root at process01 ~]# ls -Z /var/www/cgi-bin/status.cgi
-rw-rw-r--. root root
unconfined_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/status.cgi

#Use the app, make it do what it needs to, while gathering the denials

[root at process01 ~]# tail -f /var/log/audit/audit.log > denials

# have a look at what would have been denied:
[root at process01 ~]# audit2why < denials |grep denied
type=AVC msg=audit(1403496601.298:59710): avc: denied { getattr } for pid=13593 comm="appname" path="/var/run/appname.pid" dev=dm-2 ino=1249 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1403496601.298:59711): avc: denied { read } for pid=13593 comm="appname" name="appname.pid" dev=dm-2 ino=1249 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1403496601.298:59712): avc: denied { open } for pid=13593 comm="appname" name="appname.pid" dev=dm-2 ino=1249 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1403496601.298:59713): avc: denied { ioctl } for pid=13593 comm="appname" path="/var/run/appname.pid" dev=dm-2 ino=1249 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1403496601.298:59714): avc: denied { getattr } for pid=13593 comm="appname" path="/proc/21465" dev=proc ino=2347059 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=dir

# generate a policy with just enough access for this app:
[root at process01 ~]# audit2allow -M statusapp < denials

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i statusapp.pp

# inspect the rules
[root at process01 ~]# cat statusapp.te

module statusapp 1.0;

require {
type initrc_var_run_t;
type httpd_sys_script_t;
type initrc_t;
class dir getattr;
class file { read getattr open ioctl };
}

#============= httpd_sys_script_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t initrc_t:dir getattr;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t initrc_var_run_t:file { read getattr open ioctl };

# install the policy
[root at process01 ~]# semodule -i statusapp.pp

# re-enable enforcement, and retest the app
[root at process01 ~]# setenforce 1

# re-test the app, it should now work with no denials logged.

And for that you get the warm fuzzy feeling that your system is still locked down tight with an additional layer of defence.

Ant


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.linuxsa.org.au/pipermail/linuxsa/attachments/20140910/685aef22/attachment.html

I'll add to that. One thing I don't enjoy about Linux is having to constantly enter sudo and a password to do certain things. It feels like a self punative act. Or when a permissions issue appears to be breakage.

One thing Netbsd does right is the same thing Lindows got right...make root the default user.

:p

J

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.linuxsa.org.au/pipermail/linuxsa/attachments/20140910/07d92bbb/attachment.html