Gentoo Archives: gentoo-hardened

From: Stan Sander <stsander@×××××.net>
To: gentoo-hardened <gentoo-hardened@l.g.o>
Subject: [gentoo-hardened] On the right track?
Date: Fri, 04 Nov 2011 01:45:14
Message-Id: 4EB34369.10406@sblan.net
Looks like I'm the second newbie in a week to introduce himself to the
list. I've been a unix/Linux systems administrator for over a decade,
and have been running Gentoo for at least the past 3 years. I have just
in the last week or so switched over to the hardened profile and am
completely new to SELinux. I know this is going to take a while, but
I'm up for it because I also know it will be good for me to gain a more
comprehensive understanding and be able to effectively manage and
properly configure a SELinux system no matter what flavor the distro
happens to be. So, thanks in advance for your patience and guidance as
I try to get my mind wrapped around all of this.

With that said, I am running ~amd64, no multilib, now with the hardened
profile. Thanks to the recently updated selinux-handbook I was able to
get switched over with only a small bump or two. That part was actually
fairly easy. I am running the strict policy in permissive mode since it
is quite obvious to me at this point I would have a severely broken
system if I switched on enforcing. Here are the policies I currently
have installed:

# semodule -l
UWimap 0.6
alsa 1.11.0
apache 2.3.0
apcupsd 1.8.0
apm 1.11.0
automount 1.13.0
bind 1.11.0
cdrecord 2.4.0
clamav 1.9.0
consolekit 1.7.0
cpucontrol 1.3.0
cpufreqselector 1.3.0
cups 1.14.0
dbus 1.15.0
dhcp 1.9.0
dmidecode 1.4.0
gpg 2.4.0
gpm 1.8.0
inetd 1.11.0
java 2.4.0
ldap 1.10.0
logrotate 1.14.0
logwatch 1.11.0
lpd 1.12.0
milter 1.3.0
mono 1.8.0
mozilla 2.4.0
mplayer 2.3.0
mysql 1.12.0
ntp 1.10.0
policykit 1.1.0
portmap 1.9.0
ppp 1.12.0
procmail 1.12.0
pyzor 2.1.0
radvd 1.13.0
rpc 1.13.0
rpcbind 1.5.0
samba 1.14.0
sasl 1.14.0
screen 2.4.0
sendmail 1.11.0
shutdown 1.1.0
skype 0.0.2
spamassassin 2.4.0
thunderbird 2.2.0
uptime 1.4.0
xscreensaver 1.0.0
xserver 3.6.0

I should also mention that my system runs mail, DNS, and web servers as
well as being used as my personal desktop system. I am running this at
home -- not work (i.e. not getting paid for doing it). I would like to
ask for some feedback from the group on my first attempt at writing
selinux rules in the form of a new policy module. I chose my imap
server (net-mail/uw-imap), which runs from xinetd, as my starting point
for analyzing the audit log entries it was generating and coming up with
some selinux rules to address them. I didn't see any pre-existing
policy in portage for the UW-imap server, though one of the other
policies may cover what is needed and what I have written is not
necessary. This policy module has eliminated all of the audit log
entries I had been seeing to date that are associated with my imap, but
that alone doesn't mean I've written a good policy. I would like for
those of you in the group who are more experienced to look this over and
offer some feedback with regard to the way I have done things. Thanks
for your time.

UWimap.if:

## <summary>
##   Execute imapd in the user_mail_t domain.
## </summary>
## <param name="domain">
##   Domain allowed to transition.
## </param>
interface(`UWimap_domtrans',`
    gen_require(`
        type user_mail_exec_t, user_mail_t;
    ')

    # domtrans_pattern(source domain, entry point file type, target domain)
    domtrans_pattern($1, user_mail_exec_t, user_mail_t)
')

UWimap.fc:

/usr/sbin/imapd    --    gen_context(system_u:object_r:user_mail_exec_t,s0)

UWimap.te:

policy_module(UWimap, 0.6)

require {
    type mail_spool_t;
    type user_mail_t;
    type fs_t;
    type chkpwd_exec_t;
    type inetd_t;
    class file { execute setattr read lock create execute_no_trans write getattr link unlink open append };
    class dir { write getattr remove_name add_name };
    class filesystem associate;
    class capability sys_resource;
    class tcp_socket { read write getattr };
    class fd use;
    class process setrlimit;
}

# Entry point type for /usr/sbin/imapd; user_mail_t itself comes from
# the base policy (see the require block above).
type user_mail_exec_t;
application_domain(user_mail_t, user_mail_exec_t)

# xinetd (inetd_t) executes imapd and the process lands in user_mail_t.
domain_auto_trans(inetd_t, user_mail_exec_t, user_mail_t)

# Rules derived from the AVC denials seen so far.
allow user_mail_t fs_t:filesystem associate;
allow user_mail_t chkpwd_exec_t:file { read execute open execute_no_trans };
allow user_mail_t inetd_t:fd use;
allow user_mail_t inetd_t:tcp_socket { read write getattr };
allow user_mail_t self:file { setattr create link unlink };
allow user_mail_t self:dir { write getattr remove_name add_name };

allow inetd_t self:capability sys_resource;
allow inetd_t self:process setrlimit;

--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.sblan.net/tashi
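As an added example that is not part of the original post, Gentoo's policy sources, or audit2allow, here is a small POSIX shell/awk script for the first step of the process described in the message: reading AVC denial lines out of the audit log and collapsing them into one allow rule per (source type, target type, object class), which is the summarisation audit2allow performs before you decide which rules to keep and which to replace with interfaces. The audit lines are constructed for the example; the type names in them (user_mail_t, inetd_t, mail_spool_t) are borrowed from the module above and the lines are not real log output from anyone's system.

```shell
#!/bin/sh
# avc_to_allow: read raw audit lines on stdin, print merged allow rules.
# Added example, not audit2allow and not part of the UWimap module.
# Only the three fields that determine a rule are used: the source type
# (third field of scontext), the target type (third field of tcontext)
# and tclass; permissions inside "{ ... }" are merged per rule, and a
# target equal to the source is printed as "self", as policy writers do.
avc_to_allow() {
    awk '
    /avc: *denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # permissions sit between the first "{" and "}" on the line
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        if (tgt == src) tgt = "self"
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in order)) { order[key] = ++n; keys[n] = key }
        # merge permissions, skipping ones already recorded for this key
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
    }
    END {
        for (i = 1; i <= n; i++) {
            split(keys[i], k, SUBSEP)
            printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], seen[keys[i]]
        }
    }'
}

# Constructed sample denials for the demo (not real audit.log content).
SAMPLE_AVC='type=AVC msg=audit(1320363914.100:101): avc:  denied  { read } for  pid=2201 comm="imapd" name="stan" dev=sda3 ino=4242 scontext=system_u:system_r:user_mail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=AVC msg=audit(1320363914.200:102): avc:  denied  { write } for  pid=2201 comm="imapd" name="stan" dev=sda3 ino=4242 scontext=system_u:system_r:user_mail_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file
type=AVC msg=audit(1320363915.300:103): avc:  denied  { setrlimit } for  pid=2200 comm="xinetd" scontext=system_u:system_r:inetd_t:s0 tcontext=system_u:system_r:inetd_t:s0 tclass=process
type=AVC msg=audit(1320363915.400:104): avc:  denied  { read write } for  pid=2201 comm="imapd" path="socket:[9999]" scontext=system_u:system_r:user_mail_t:s0 tcontext=system_u:system_r:inetd_t:s0 tclass=tcp_socket'

# Stand-alone run: prints three merged allow rules for the sample above.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

On a live system the same function takes `grep avc: /var/log/audit/audit.log` as input. Treat the output as a worklist rather than a finished module: a rule that touches a type owned by another module should normally be expressed through an interface that module exports instead of a raw allow, and a denial whose source is a domain you do not own (the inetd_t rules in the module above are the case in point) usually belongs in that domain's own policy rather than in a module named after your application.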

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-hardened] On the right track? "Anthony G. Basile" <blueness@g.o>
Re: [gentoo-hardened] On the right track? "Francisco Blas Izquierdo Riera (klondike)" <klondike@g.o>