| 1 |
Chris PeBenito wrote: |
| 2 |
|
| 3 |
>On Sun, 2005-10-23 at 13:54 -0400, Dale Pontius wrote: |
| 4 |
> |
| 5 |
> |
| 6 |
>>I decided to remove it and install syslog-ng. That appeared to work at |
| 7 |
>>first. But as far as I can tell, nothing has been logged since the first |
| 8 |
>>time I put the systeminto enforcing mode. |
| 9 |
>> |
| 10 |
>> |
| 11 |
> |
| 12 |
>Need to see some denials to better understand whats going on. |
| 13 |
> |
| 14 |
> |
| 15 |
I get no denials. Once I go enforcing, I get no logging, whatsoever. |
| 16 |
Even after switching back to non-enforcing, logging doesn't start |
| 17 |
up, again. |
| 18 |
|
| 19 |
However, I think I've got a clue. My basic system has 4 partitions: |
| 20 |
/ (root) - ext3 |
| 21 |
swap |
| 22 |
/home - xfs (I planned for maildirs and news spool to end up, here.) |
| 23 |
/tmpvar - ext3 |
| 24 |
|
| 25 |
I suspect the last entry is my problem. The tmpvar partition has |
| 26 |
3 directories, tmp, var, and chroot. From the root directory, all |
| 27 |
3 of those entries are symlinks into tmpvar. The idea was to keep |
| 28 |
root read-mostly, possibly read-only, and have the read/write stuff |
| 29 |
on tmpvar. |
| 30 |
|
| 31 |
However, if I do a ls -Z / and look at tmpvar, tmp, and var I see: |
| 32 |
lrwxr-xr-x root root system_u:object_r:default_t tmp |
| 33 |
(->../tmpvar/tmp) |
| 34 |
drwxr-xr-x root root system_u:object_r:default_t tmpvar |
| 35 |
lrwxr-xr-x root root system_u:object_r:var_t var |
| 36 |
(->../tmpvar/var) |
| 37 |
If I look inside /var, everything is system_u:object_r:default_t. I |
| 38 |
suspect that last part is wrong, and they should have been var_t. |
| 39 |
|
| 40 |
Does this sound like it might be my problem? |
| 41 |
|
| 42 |
One workaround might be to mount the volume as /var, and then |
| 43 |
symlink /tmp and /chroot into directories there, since they appear |
| 44 |
to have no special labelling. |
| 45 |
|
| 46 |
Another possiblity might be to us bind mounts instead of symlinks. |
| 47 |
A peek around google suggested that "overlabeling" might be a |
| 48 |
problem, but other than a nondescript/unused mount point, access |
| 49 |
to the directories is exclusive. I'd prefer to keep the separation, and |
| 50 |
I'd rather not crack into more partitions, since too many has always |
| 51 |
given me slack space in the wrong partition. |
| 52 |
|
| 53 |
>>2: Can't ssh in when the system is enforcing. I've checked the sestatus |
| 54 |
>>-v results, and everything looks ok. I've never seen a bogus console or |
| 55 |
>>log message, but then again, see (1). Here's what I get: |
| 56 |
>>user1@here ~ $ ssh -v user2@there |
| 57 |
>> |
| 58 |
>> |
| 59 |
> |
| 60 |
>Again, need to see some denials on the server, and logs from sshd if |
| 61 |
>they have anything interesting other than the failed login message. |
| 62 |
> |
| 63 |
> |
| 64 |
> |
| 65 |
Again, no logging, no denials. I did notice one anomoly, going through |
| 66 |
the FAQ. Everything was correct according to "sestatus -v" except that |
| 67 |
there was no file context entry for /sbin/unix_chkpwd. In fact, there was |
| 68 |
no file at all called /sbin/unix_chkpwd, but there was a |
| 69 |
/usr/sbin/unix_chkpwd. |
| 70 |
Nor was there a file context entry for /usr/sbin/unix_chkpwd, although |
| 71 |
"ls -Z /usr/sbin/unix_chkpwd" showed the right context. It just wasn't |
| 72 |
"active???" For jollies, I copied /usr/sbin/unix_chkpwd to |
| 73 |
/sbin/unix_chkpwd, |
| 74 |
and did a "make relabel" and got the right label on it, and the file |
| 75 |
context |
| 76 |
is correct now. But still no-go on ssh while enforcing. |
| 77 |
|
| 78 |
At this point, I'll mention that I'm using 2005.1, and one post dated |
| 79 |
during the Summer mentioned that it wasn't quite ready for prime- |
| 80 |
time. But given that there were 2004.1 and 2005.1 profiles available, |
| 81 |
I had chosen the most recent. |
| 82 |
|
| 83 |
>>3: There isn't much about "standard practice". |
| 84 |
>>What kinds of admin tasks can I perform while the system is enforcing? |
| 85 |
>>What kinds of admin tasks do I have to drop out of enforcing for? |
| 86 |
>> |
| 87 |
>> |
| 88 |
> |
| 89 |
>The goal is to always enforce. Ideally, you should never have to switch |
| 90 |
>to permissive to do admin tasks. |
| 91 |
> |
| 92 |
> |
| 93 |
This includes updating packages? I believe I've seen something fly by |
| 94 |
about relabeling individual packages. |
| 95 |
|
| 96 |
>>I presume emerging a new policy requres "make load". What requires "make |
| 97 |
>>relabel"? |
| 98 |
>> |
| 99 |
>> |
| 100 |
> |
| 101 |
>You should generally relabel after switching from permissive back to |
| 102 |
>enforcing. That may also mean restarting if processes aren't in the |
| 103 |
>right context. Other than that, you shouldn't need a complete relabel |
| 104 |
>except in recovery type situations. Or massive policy changes. |
| 105 |
> |
| 106 |
> |
| 107 |
You do "make relable" while in enforcing mode? I inferred from the |
| 108 |
handbook that it should be done before changing over. |
| 109 |
|
| 110 |
>>What about things that don't have a policy? Like dovecot, leafnode, etc? |
| 111 |
>>On my old system I ran things chroot'ed. Can I still, under SELinux? |
| 112 |
>> |
| 113 |
>> |
| 114 |
> |
| 115 |
>Our policy is a little stagnant, since the NSA example policy will be on |
| 116 |
>its way out, and we will be switching to Reference Policy |
| 117 |
>(http://serefpolicy.sf.net/) when its ready in a couple months. It will |
| 118 |
>be a significanly easier policy to manage and develop. It'll also bring |
| 119 |
>along with it the targeted policy, for desktops. |
| 120 |
> |
| 121 |
>You can run stuff chrooted, but it will likely require extra policy work |
| 122 |
>to get things labeled right. Though, with a good MAC system like |
| 123 |
>SELinux, the usefulness of chroot is questionable. |
| 124 |
> |
| 125 |
> |
| 126 |
> |
| 127 |
At some point I'd like to learn more about writing policy, if only |
| 128 |
because that may be what it takes to get leafnode support. In the |
| 129 |
meantime, will my software with no policy work, and what are the |
| 130 |
implications? |
| 131 |
|
| 132 |
As for chroot, I'd like to consider SELinux another layer, not a silver |
| 133 |
bullet. That says I'd like to keep the chroot, even if it means doing |
| 134 |
the policy work myself, someday. |
| 135 |
|
| 136 |
Thanks for taking the time to answer. SELinux is a complex-looking |
| 137 |
beast, and it's taken me some time to decide to jump in. I guess I'd |
| 138 |
consider myself part of the "next wave" where less-than-experts |
| 139 |
start to use it. |
| 140 |
|
| 141 |
Dale Pontius |
| 142 |
-- |
| 143 |
gentoo-hardened@g.o mailing list |
Archives