1 |
Chris PeBenito wrote: |
2 |
|
3 |
>On Sun, 2005-10-23 at 13:54 -0400, Dale Pontius wrote: |
4 |
> |
5 |
> |
6 |
>>I decided to remove it and install syslog-ng. That appeared to work at |
7 |
>>first. But as far as I can tell, nothing has been logged since the first |
8 |
>>time I put the systeminto enforcing mode. |
9 |
>> |
10 |
>> |
11 |
> |
12 |
>Need to see some denials to better understand whats going on. |
13 |
> |
14 |
> |
15 |
I get no denials. Once I go enforcing, I get no logging, whatsoever. |
16 |
Even after switching back to non-enforcing, logging doesn't start |
17 |
up, again. |
18 |
|
19 |
However, I think I've got a clue. My basic system has 4 partitions: |
20 |
/ (root) - ext3 |
21 |
swap |
22 |
/home - xfs (I planned for maildirs and news spool to end up, here.) |
23 |
/tmpvar - ext3 |
24 |
|
25 |
I suspect the last entry is my problem. The tmpvar partition has |
26 |
3 directories, tmp, var, and chroot. From the root directory, all |
27 |
3 of those entries are symlinks into tmpvar. The idea was to keep |
28 |
root read-mostly, possibly read-only, and have the read/write stuff |
29 |
on tmpvar. |
30 |
|
31 |
However, if I do a ls -Z / and look at tmpvar, tmp, and var I see: |
32 |
lrwxr-xr-x root root system_u:object_r:default_t tmp |
33 |
(->../tmpvar/tmp) |
34 |
drwxr-xr-x root root system_u:object_r:default_t tmpvar |
35 |
lrwxr-xr-x root root system_u:object_r:var_t var |
36 |
(->../tmpvar/var) |
37 |
If I look inside /var, everything is system_u:object_r:default_t. I |
38 |
suspect that last part is wrong, and they should have been var_t. |
39 |
|
40 |
Does this sound like it might be my problem? |
41 |
|
42 |
One workaround might be to mount the volume as /var, and then |
43 |
symlink /tmp and /chroot into directories there, since they appear |
44 |
to have no special labelling. |
45 |
|
46 |
Another possiblity might be to us bind mounts instead of symlinks. |
47 |
A peek around google suggested that "overlabeling" might be a |
48 |
problem, but other than a nondescript/unused mount point, access |
49 |
to the directories is exclusive. I'd prefer to keep the separation, and |
50 |
I'd rather not crack into more partitions, since too many has always |
51 |
given me slack space in the wrong partition. |
52 |
|
53 |
>>2: Can't ssh in when the system is enforcing. I've checked the sestatus |
54 |
>>-v results, and everything looks ok. I've never seen a bogus console or |
55 |
>>log message, but then again, see (1). Here's what I get: |
56 |
>>user1@here ~ $ ssh -v user2@there |
57 |
>> |
58 |
>> |
59 |
> |
60 |
>Again, need to see some denials on the server, and logs from sshd if |
61 |
>they have anything interesting other than the failed login message. |
62 |
> |
63 |
> |
64 |
> |
65 |
Again, no logging, no denials. I did notice one anomoly, going through |
66 |
the FAQ. Everything was correct according to "sestatus -v" except that |
67 |
there was no file context entry for /sbin/unix_chkpwd. In fact, there was |
68 |
no file at all called /sbin/unix_chkpwd, but there was a |
69 |
/usr/sbin/unix_chkpwd. |
70 |
Nor was there a file context entry for /usr/sbin/unix_chkpwd, although |
71 |
"ls -Z /usr/sbin/unix_chkpwd" showed the right context. It just wasn't |
72 |
"active???" For jollies, I copied /usr/sbin/unix_chkpwd to |
73 |
/sbin/unix_chkpwd, |
74 |
and did a "make relabel" and got the right label on it, and the file |
75 |
context |
76 |
is correct now. But still no-go on ssh while enforcing. |
77 |
|
78 |
At this point, I'll mention that I'm using 2005.1, and one post dated |
79 |
during the Summer mentioned that it wasn't quite ready for prime- |
80 |
time. But given that there were 2004.1 and 2005.1 profiles available, |
81 |
I had chosen the most recent. |
82 |
|
83 |
>>3: There isn't much about "standard practice". |
84 |
>>What kinds of admin tasks can I perform while the system is enforcing? |
85 |
>>What kinds of admin tasks do I have to drop out of enforcing for? |
86 |
>> |
87 |
>> |
88 |
> |
89 |
>The goal is to always enforce. Ideally, you should never have to switch |
90 |
>to permissive to do admin tasks. |
91 |
> |
92 |
> |
93 |
This includes updating packages? I believe I've seen something fly by |
94 |
about relabeling individual packages. |
95 |
|
96 |
>>I presume emerging a new policy requres "make load". What requires "make |
97 |
>>relabel"? |
98 |
>> |
99 |
>> |
100 |
> |
101 |
>You should generally relabel after switching from permissive back to |
102 |
>enforcing. That may also mean restarting if processes aren't in the |
103 |
>right context. Other than that, you shouldn't need a complete relabel |
104 |
>except in recovery type situations. Or massive policy changes. |
105 |
> |
106 |
> |
107 |
You do "make relable" while in enforcing mode? I inferred from the |
108 |
handbook that it should be done before changing over. |
109 |
|
110 |
>>What about things that don't have a policy? Like dovecot, leafnode, etc? |
111 |
>>On my old system I ran things chroot'ed. Can I still, under SELinux? |
112 |
>> |
113 |
>> |
114 |
> |
115 |
>Our policy is a little stagnant, since the NSA example policy will be on |
116 |
>its way out, and we will be switching to Reference Policy |
117 |
>(http://serefpolicy.sf.net/) when its ready in a couple months. It will |
118 |
>be a significanly easier policy to manage and develop. It'll also bring |
119 |
>along with it the targeted policy, for desktops. |
120 |
> |
121 |
>You can run stuff chrooted, but it will likely require extra policy work |
122 |
>to get things labeled right. Though, with a good MAC system like |
123 |
>SELinux, the usefulness of chroot is questionable. |
124 |
> |
125 |
> |
126 |
> |
127 |
At some point I'd like to learn more about writing policy, if only |
128 |
because that may be what it takes to get leafnode support. In the |
129 |
meantime, will my software with no policy work, and what are the |
130 |
implications? |
131 |
|
132 |
As for chroot, I'd like to consider SELinux another layer, not a silver |
133 |
bullet. That says I'd like to keep the chroot, even if it means doing |
134 |
the policy work myself, someday. |
135 |
|
136 |
Thanks for taking the time to answer. SELinux is a complex-looking |
137 |
beast, and it's taken me some time to decide to jump in. I guess I'd |
138 |
consider myself part of the "next wave" where less-than-experts |
139 |
start to use it. |
140 |
|
141 |
Dale Pontius |
142 |
-- |
143 |
gentoo-hardened@g.o mailing list |