1 |
Looks like I'm the second newbie in a week to introduce himself to the |
2 |
list. I've been a unix/Linux systems administrator for over a decade, |
3 |
and have been running Gentoo for at least the past 3 years. I have just |
4 |
in the last week or so switched over to the hardened profile and am |
5 |
completely new to SELinux, I know this is going to take a while, but |
6 |
I'm up for it because I also know it will be good for me to gain a more |
7 |
comprehensive understanding and be able to effectively manage and |
8 |
properly configure a SELinux system no matter what flavor the distro |
9 |
happens to be. So, thanks in advance for your patience and guidance as |
10 |
I try to get my mind wrapped around all of this. |
11 |
|
12 |
With that said, I am running ~amd64, no multilib, now with the hardened |
13 |
profile. Thanks to the recently updated selinux-handbook I was able to |
14 |
get switched over with only a small bump or two. That part was actually |
15 |
fairly easy. I am running the strict policy in permissive mode since it |
16 |
is quite obvious to me at this point I would have a severely broken |
17 |
system if I switched on enforcing. Here are the policies I currently |
18 |
have installed: |
19 |
|
20 |
#semodule -l |
21 |
UWimap 0.6 |
22 |
alsa 1.11.0 |
23 |
apache 2.3.0 |
24 |
apcupsd 1.8.0 |
25 |
apm 1.11.0 |
26 |
automount 1.13.0 |
27 |
bind 1.11.0 |
28 |
cdrecord 2.4.0 |
29 |
clamav 1.9.0 |
30 |
consolekit 1.7.0 |
31 |
cpucontrol 1.3.0 |
32 |
cpufreqselector 1.3.0 |
33 |
cups 1.14.0 |
34 |
dbus 1.15.0 |
35 |
dhcp 1.9.0 |
36 |
dmidecode 1.4.0 |
37 |
gpg 2.4.0 |
38 |
gpm 1.8.0 |
39 |
inetd 1.11.0 |
40 |
java 2.4.0 |
41 |
ldap 1.10.0 |
42 |
logrotate 1.14.0 |
43 |
logwatch 1.11.0 |
44 |
lpd 1.12.0 |
45 |
milter 1.3.0 |
46 |
mono 1.8.0 |
47 |
mozilla 2.4.0 |
48 |
mplayer 2.3.0 |
49 |
mysql 1.12.0 |
50 |
ntp 1.10.0 |
51 |
policykit 1.1.0 |
52 |
portmap 1.9.0 |
53 |
ppp 1.12.0 |
54 |
procmail 1.12.0 |
55 |
pyzor 2.1.0 |
56 |
radvd 1.13.0 |
57 |
rpc 1.13.0 |
58 |
rpcbind 1.5.0 |
59 |
samba 1.14.0 |
60 |
sasl 1.14.0 |
61 |
screen 2.4.0 |
62 |
sendmail 1.11.0 |
63 |
shutdown 1.1.0 |
64 |
skype 0.0.2 |
65 |
spamassassin 2.4.0 |
66 |
thunderbird 2.2.0 |
67 |
uptime 1.4.0 |
68 |
xscreensaver 1.0.0 |
69 |
xserver 3.6.0 |
70 |
|
71 |
I should also mention that my system runs mail, DNS, and web servers as |
72 |
well as being used as my personal desktop system. I am running this at |
73 |
home -- not work (i.e. not getting paid for doing it) I would like to |
74 |
ask for some feedback from the group on my first attempt at writing |
75 |
selinux rules in the form of a new policy module. I chose my imap |
76 |
server (net-mail/uw-imap) which runs from xinetd, as my starting point |
77 |
for analyzing the audit log entries it was generating and coming up with |
78 |
some selinux rules to address them. I didn't see any pre-existing |
79 |
policy in portage for the UW-imap server, though one of the other |
80 |
policies may cover what is needed and what I have written is not |
81 |
necessary. This policy module has eliminated all of the audit log |
82 |
entries I had been seeing to date that are associated with my imap, but |
83 |
that alone doesn't mean I've written a good policy. I would like for |
84 |
those of you in the group who are more experienced to look this over and |
85 |
offer some feedback with regard to the way I have done things. Thanks |
86 |
for your time. |
87 |
|
88 |
UWimap.if: |
89 |
|
90 |
interface(`UWimap_domtrans',` |
91 |
gen_require(`type inetd_t, user_mail_exec_t, user_mail_t;') |
92 |
domtrans_pattern($1,inetd_t,user_mail_exec_t) |
93 |
domtrans_pattern($1,user_mail_exec_t,user_mail_t) |
94 |
') |
95 |
|
96 |
UWimap.fc: |
97 |
|
98 |
/usr/sbin/imapd -- |
99 |
gen_context(system_u:object_r:user_mail_exec_t,s0) |
100 |
|
101 |
UWimap.te |
102 |
policy_module(UWimap, 0.6) |
103 |
|
104 |
require { |
105 |
type mail_spool_t; |
106 |
type user_mail_t; |
107 |
type fs_t; |
108 |
type chkpwd_exec_t; |
109 |
type inetd_t; |
110 |
class file { execute setattr read lock create execute_no_trans |
111 |
write getattr link unlink open append }; |
112 |
class dir { write getattr remove_name add_name }; |
113 |
class filesystem associate; |
114 |
class capability sys_resource; |
115 |
class tcp_socket { read write getattr}; |
116 |
class fd use; |
117 |
class process setrlimit; |
118 |
} |
119 |
type user_mail_exec_t; |
120 |
application_domain(user_mail_t, user_mail_exec_t) |
121 |
domain_auto_trans(inetd_t, user_mail_exec_t, user_mail_t) |
122 |
allow user_mail_t fs_t:filesystem associate; |
123 |
allow user_mail_t chkpwd_exec_t:file { read execute open execute_no_trans }; |
124 |
allow user_mail_t inetd_t:fd use; |
125 |
allow user_mail_t inetd_t:tcp_socket { read write getattr}; |
126 |
allow user_mail_t self:file {setattr create link unlink}; |
127 |
allow user_mail_t self:dir {write getattr remove_name add_name}; |
128 |
|
129 |
allow inetd_t self:capability sys_resource; |
130 |
allow inetd_t self:process setrlimit; |
131 |
|
132 |
-- |
133 |
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR |
134 |
PR - Cindy and Jenny - Sammamish, WA NWR |
135 |
http://www.sblan.net/tashi |