| 1 |
Hi Andy, |
| 2 |
|
| 3 |
Andy Dustman wrote: |
| 4 |
> I had to tweak the apache2 policy a little bit so that SSL would work |
| 5 |
> properl. The stock policy has: |
| 6 |
> |
| 7 |
> /var/cache/ssl.*\.sem -- system_u:object_r:httpd_cache_t |
| 8 |
> |
| 9 |
> I had to add: |
| 10 |
> |
| 11 |
> /var/cache/apache2 system_u:object_r:httpd_cache_t |
| 12 |
> /var/cache/apache2/ssl.*\.sem system_u:object_r:httpd_cache_t |
| 13 |
|
| 14 |
this is fixed in selinux-apache-20040925 (currently ~x86) |
| 15 |
|
| 16 |
> /var/lib/ntp/ntp.drift wasn't being labelled correctly; I looks like |
| 17 |
> this is fixed in the testing policy. I expect apache is probably fixed |
| 18 |
> that way too. |
| 19 |
|
| 20 |
yup. fixed in selinux-ntp-20041014. |
| 21 |
|
| 22 |
> Of course, /root is not relabeled for root being a normal user. But |
| 23 |
> then, if you do relabel it, it's has a context of |
| 24 |
> system_u:object_r:default_t, which is not right either. su without the |
| 25 |
> - works fine. |
| 26 |
|
| 27 |
/root(/.*)? should end up root:object_r:sysadm_home_t, not default_t. |
| 28 |
|
| 29 |
you should have in your users file a line like: |
| 30 |
user root roles { sysadm_r staff_r }; |
| 31 |
|
| 32 |
if you recreate the file contexts |
| 33 |
make -C /etc/security/selinux/src/policy reload contexts |
| 34 |
|
| 35 |
you should end up with these 2 lines in /etc/security/selinux/src/policy/file_contexts/file_contexts: |
| 36 |
/root -d root:object_r:sysadm_home_dir_t |
| 37 |
/root/.+ root:object_r:sysadm_home_t |
| 38 |
|
| 39 |
> However I suspect there is some more locking down to do |
| 40 |
> to keep root from doing bad things like various denial-of-service |
| 41 |
> attacks. Just as a example: |
| 42 |
> |
| 43 |
> # dd if=/dev/zero of=/tmp/foo |
| 44 |
|
| 45 |
other then filling up the /tmp fs, I don't see what else it can do. |
| 46 |
|
| 47 |
> This actually seems to lock up the machine in a bad way: An oops and a |
| 48 |
> kernel panic: Fatal Exception in Interrupt Handler, starring Sharon |
| 49 |
> Stone. |
| 50 |
|
| 51 |
I can't reproduce this on my ext3 fs |
| 52 |
|
| 53 |
> I have a separate XFS /tmp filesystem, running |
| 54 |
> hardened-dev-sources. I could probably reproduce this, but won't... |
| 55 |
|
| 56 |
> Maybe there should be a guest_r role (or punk_r) for users we really |
| 57 |
> don't want to do anything? |
| 58 |
|
| 59 |
if they are not permitted to do anything, they shouldn't have received an account in the first place. :) |
| 60 |
|
| 61 |
bye, |
| 62 |
peter |
| 63 |
|
| 64 |
-- |
| 65 |
petre rodan |
| 66 |
<kaiowas@g.o> |
| 67 |
Developer, |
| 68 |
Hardened Gentoo Linux |
Archives