Gentoo Archives: gentoo-hardened

From: julien.thomas@×××××××××××××.fr
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] SELinux module proposal for pamldap
Date: Wed, 28 Nov 2007 17:32:42
Message-Id: 20071128183027.9s8v9a5us08884w0@webmail.enst-bretagne.fr
In Reply to: Re: [gentoo-hardened] SELinux module proposal for pamldap by Julien Thomas
After a few investigations during my free time (SELinux is not part of
my work, for the moment, I hope ;p), here are some points about what I
said previously:

In the base modules, we have:
interface(`ldap_read_config',`
	gen_require(`
		type slapd_etc_t;
	')

	files_search_etc($1)
	allow $1 slapd_etc_t:file { getattr read };
')

However, no module has the ldap_read_config rights (and no other
occurrences of slapd_etc_t in the SELinux sources).

However, a ls -ZR | grep slapd_etc (on /) gives me
-rw-r----- root ldap system_u:object_r:slapd_etc_t slapd.conf
-rw-r----- root root system_u:object_r:slapd_etc_t slapd.conf.default
-rw-r----- root ldap system_u:object_r:slapd_etc_t slapd.conf.tmp

So, if we use slapd_etc_t for pam ldap data, we would
allow accesses from
- slapd allowed domains to pam ldap configuration files
- pam ldap allowed domains to slapd configuration files

which are, according to me, not required authorizations.

Best Regards.

-- Julien Thomas

PS: previous comments / questions are still relevant :D

Julien Thomas <julien.thomas@×××××××××××××.fr> wrote:

> Yes, you are right for the etc_t rules redundancy. I have added this for
> several reasons such as
>> adding all the required rules if we consider the module as an
> independent one, which means that it must be standalone. Thus, the
> redundancy is present but may prevent possible conflicts in the future
> (in the case of new domains being added)
>
> The slapd_etc_t, if I'm not wrong, is not dedicated to pamldap but more
> to LDAP server and LDAP in general (openldap, ... which do not need to
> access this file)? So, adding a new type dedicated to pamldap
> engenders a more precise confinement. But I can not check this for the
> moment.
>
> Otherwise, thanks for your greetings :D
>
> If you want a policy rebuilding for reference policy style compliance,
> please tell me (at least if you agree with my previous comments).
>
> Julien Thomas
>
>
> Chris PeBenito wrote:
>> On Mon, 2007-11-19 at 01:13 +0100, julien.thomas@×××××××××××××.fr wrote:
>>> The main aspect of this SELinux module consists in defining a new
>>> domain for the confinement of the PAMLDAP module. I have created this
>>> module as when I used the PamLDAP extension for remote authentications,
>>> I discovered that it used sensitive information for LDAP connections.
>>>
>>> The module aims to protect this data (security enhancement in order
>>> to prevent root services from accessing these previously
>>> etc_t labelled files).
>>
>> Thanks for your submission. I especially appreciate the design document
>> you wrote. However, I don't think this particular action is required,
>> but another.
>>
>> First, the specified domains already have access to etc_t, so these
>> rules are redundant. You suggest adding a type for the ldap.conf
>> because it has authentication data, which I agree with. However, the
>> ldap policy already has a type which might be appropriate for this file,
>> slapd_etc_t.
>>
>> As for the style, the reference policy style is preferred. Please see
>> the website [1] for more details.
>>
>> [1] http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted
>>
>
>
> --
> My RSA public key for email authentication is available at
> http://www.rennes.enst-bretagne.fr/~jthomas2/
>
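A reference-policy-style sketch of the dedicated type argued for in this thread, added here as an illustration; it is not code from the thread or from any shipped policy, and the module name pamldap, the type pamldap_etc_t and the /etc/ldap.conf path are assumptions.

```m4
# --- pamldap.te (hypothetical module) ---
policy_module(pamldap, 1.0.0)

# A type of its own for the pam_ldap configuration, which carries bind
# credentials. Keeping it distinct from slapd_etc_t means slapd-side
# domains never gain access to it, and pam_ldap-side domains never gain
# access to slapd.conf, which is the cross-access the mail objects to.
type pamldap_etc_t;
files_config_file(pamldap_etc_t)

# --- pamldap.fc (path is an assumption: pam_ldap's default config file) ---
/etc/ldap\.conf		--	gen_context(system_u:object_r:pamldap_etc_t,s0)

# --- pamldap.if ---
########################################
## <summary>
##	Read the pam_ldap configuration (contains LDAP bind credentials).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pamldap_read_config',`
	gen_require(`
		type pamldap_etc_t;
	')

	# Same shape as ldap_read_config, but scoped to the pam_ldap type
	# only; nothing here touches slapd_etc_t.
	files_search_etc($1)
	allow $1 pamldap_etc_t:file { getattr read };
')
```

Domains that actually use pam_ldap then call pamldap_read_config() from their own policy, while slapd's rules stay on slapd_etc_t, so neither side is granted the other's configuration. On the built policy, `sesearch --allow -t pamldap_etc_t` lists exactly the domains that were granted that read access.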


--
gentoo-hardened@g.o mailing list