Hi Andy,

Andy Dustman wrote:
> I had to tweak the apache2 policy a little bit so that SSL would work
> properly. The stock policy has:
>
> /var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t
>
> I had to add:
>
> /var/cache/apache2 system_u:object_r:httpd_cache_t
> /var/cache/apache2/ssl.*\.sem system_u:object_r:httpd_cache_t

this is fixed in selinux-apache-20040925 (currently ~x86)

> /var/lib/ntp/ntp.drift wasn't being labelled correctly; it looks like
> this is fixed in the testing policy. I expect apache is probably fixed
> that way too.

yup. fixed in selinux-ntp-20041014.

> Of course, /root is not relabeled for root being a normal user. But
> then, if you do relabel it, it has a context of
> system_u:object_r:default_t, which is not right either. su without the
> - works fine.

/root(/.*)? should end up root:object_r:sysadm_home_t, not default_t.

you should have in your users file a line like:
user root roles { sysadm_r staff_r };

if you recreate the file contexts
make -C /etc/security/selinux/src/policy reload contexts

you should end up with these 2 lines in /etc/security/selinux/src/policy/file_contexts/file_contexts:
/root -d root:object_r:sysadm_home_dir_t
/root/.+ root:object_r:sysadm_home_t

> However I suspect there is some more locking down to do
> to keep root from doing bad things like various denial-of-service
> attacks. Just as an example:
>
> # dd if=/dev/zero of=/tmp/foo

other than filling up the /tmp fs, I don't see what else it can do.

> This actually seems to lock up the machine in a bad way: An oops and a
> kernel panic: Fatal Exception in Interrupt Handler, starring Sharon
> Stone.

I can't reproduce this on my ext3 fs

> I have a separate XFS /tmp filesystem, running
> hardened-dev-sources. I could probably reproduce this, but won't...

> Maybe there should be a guest_r role (or punk_r) for users we really
> don't want to do anything?

if they are not permitted to do anything, they shouldn't have received an account in the first place. :)

bye,
peter

--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
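As an added illustration (my own code, not from the thread or the Gentoo policy), the following models how setfiles applies file_contexts entries like the apache2 and /root lines quoted above: every pattern is anchored at both ends, the `--`/`-d` field restricts an entry to one file type, and the last matching entry wins (that ordering rule is an assumption of this model). It shows why the stock `/var/cache/ssl.*\.sem` entry never reaches anything under /var/cache/apache2, and why /root itself and its contents get different types.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the stock apache2 entry, Andy's two additions and the /root lines quoted above.
SAMPLE_FILE_CONTEXTS = r"""
/var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t
/var/cache/apache2 system_u:object_r:httpd_cache_t
/var/cache/apache2/ssl.*\.sem system_u:object_r:httpd_cache_t
/root -d root:object_r:sysadm_home_dir_t
/root/.+ root:object_r:sysadm_home_t
"""

# Optional file-type field of a file_contexts entry: -- regular file, -d directory, and so on.
TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}

class Spec(NamedTuple):
    regex: re.Pattern
    ftype: Optional[str]  # None: the entry applies to every file type
    context: str

def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts lines into anchored regexes with type flag and context."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, flag, context = fields
            ftype = TYPE_FLAGS[flag]
        elif len(fields) == 2:
            (pattern, context), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        # setfiles anchors each pattern at both ends, so a bare '/root'
        # matches only the directory itself and never /root/.bashrc.
        specs.append(Spec(re.compile(f"^(?:{pattern})$"), ftype, context))
    return specs

def match_context(specs: List[Spec], path: str, ftype: str = "file") -> Optional[str]:
    """Context for path, or None if no entry labels it.  The last matching
    entry wins; this model assumes the ordering rule setfiles used at the time."""
    winner = None
    for spec in specs:
        if spec.ftype in (None, ftype) and spec.regex.match(path):
            winner = spec.context
    return winner
```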