| 1 |
Most of this is replies to specific sections, below. But given greater |
| 2 |
functionality, I have |
| 3 |
a new question, too. |
| 4 |
|
| 5 |
I decided to try running BIND on the SELinux system. I get this message: |
| 6 |
* Starting named ... |
| 7 |
named: capset failed: Operation not permitted: please ensure that the |
| 8 |
capset kernel module is loaded. see insmod(8) |
| 9 |
|
| 10 |
I've made sure that "commoncap" was built and loaded prior to trying to |
| 11 |
start BIND. A bit |
| 12 |
of google searching, and this seemed to have helped everyone else, but |
| 13 |
not me. Or might |
| 14 |
this be linked into the fact that I don't have /tmp properly labeled, |
| 15 |
yet? I don't see anything |
| 16 |
in /tmp on this system, and looking with "lsof -c named" on another |
| 17 |
system currently |
| 18 |
running BIND,I don't see any files in /tmp. |
| 19 |
|
| 20 |
I'm not trying to chroot bind at this point, just get it running. |
| 21 |
|
| 22 |
Chris PeBenito wrote: |
| 23 |
|
| 24 |
> <snip> |
| 25 |
> |
| 26 |
> |
| 27 |
>No, you'll just have to have a different nonstandard labeling |
| 28 |
>configuration. /var will be right, but you'll still have to add matches |
| 29 |
>for tmp and chroot. However, this is probably the easiest to do, |
| 30 |
>since /tmp has few matches to fix whereas /var has many, and you have to |
| 31 |
>provide matches for /chroot anyway. |
| 32 |
> |
| 33 |
> |
| 34 |
Shuffling my partitions worked wonders. Logging now works, and I can ssh |
| 35 |
in while the |
| 36 |
system is in enforcing mode. To date, I've just gotten the /var stuff |
| 37 |
into the right place. I |
| 38 |
haven't fiddled with /tmp or /chroot yet, but things are much more |
| 39 |
functional. (But not |
| 40 |
yet fully) |
| 41 |
|
| 42 |
><snip> |
| 43 |
> |
| 44 |
> |
| 45 |
>> I did notice one anomoly, going through |
| 46 |
>>the FAQ. Everything was correct according to "sestatus -v" except that |
| 47 |
>>there was no file context entry for /sbin/unix_chkpwd. In fact, there was |
| 48 |
>>no file at all called /sbin/unix_chkpwd, but there was a |
| 49 |
>>/usr/sbin/unix_chkpwd. |
| 50 |
>> |
| 51 |
>> |
| 52 |
> |
| 53 |
>An entry for /usr/sbin/unix_chkpwd just needs to be added |
| 54 |
>in /etc/sestatus.conf. /sbin/unix_chkpwd was moved to /usr/sbin. |
| 55 |
> |
| 56 |
> |
| 57 |
I'd changed the entry in /etc/sestatus.conf, (and removed the |
| 58 |
/sbin/unix_chkpwd) and |
| 59 |
I believe this is part of getting ssh running while in enforcing mode. |
| 60 |
But it brings up |
| 61 |
another question... It appears to me that /etc/sestatus.conf is really |
| 62 |
derived when the |
| 63 |
policy is compiled, and that I need to go into the original source in |
| 64 |
order to make this |
| 65 |
change persist. Correct? At one point, I could have sworn I saw a |
| 66 |
notation like: |
| 67 |
"(/usr)?/sbin/unix_chkpwd" that looks like it should have matched either |
| 68 |
"/sbin/unix_chkpwd" or "/usr/sbin/unix_chkpwd". But looking now, I can't |
| 69 |
find it, and |
| 70 |
it should have prevented my problem from ever happening. |
| 71 |
|
| 72 |
Along those lines, I should go looking for /tmp and /chroot in the src |
| 73 |
tree, I presume? |
| 74 |
Update there and "make load", etc? |
| 75 |
|
| 76 |
> |
| 77 |
> |
| 78 |
>>>>3: There isn't much about "standard practice". |
| 79 |
>>>>What kinds of admin tasks can I perform while the system is enforcing? |
| 80 |
>>>>What kinds of admin tasks do I have to drop out of enforcing for? |
| 81 |
>>>> |
| 82 |
>>>> |
| 83 |
>>>The goal is to always enforce. Ideally, you should never have to switch |
| 84 |
>>>to permissive to do admin tasks. |
| 85 |
>>> |
| 86 |
>>> |
| 87 |
>>> |
| 88 |
>>This includes updating packages? I believe I've seen something fly by |
| 89 |
>>about relabeling individual packages. |
| 90 |
>> |
| 91 |
>> |
| 92 |
> |
| 93 |
>If you merge apache for example, but the apache policy isn't loaded, |
| 94 |
>it's files won't have the right context. You have to relabel it before |
| 95 |
>using it, which is what you're being warned about. |
| 96 |
> |
| 97 |
> |
| 98 |
Now that I have the /var working right, I can "emerge sync" and "emerge |
| 99 |
-atuvDN world" |
| 100 |
without problems. The system spends most of its time in enforcing mode. |
| 101 |
|
| 102 |
|
| 103 |
<snip> |
| 104 |
|
| 105 |
>>>>What about things that don't have a policy? Like dovecot, leafnode, etc? |
| 106 |
>>>>On my old system I ran things chroot'ed. Can I still, under SELinux? |
| 107 |
>>>> |
| 108 |
>>>> |
| 109 |
>>>Our policy is a little stagnant, since the NSA example policy will be on |
| 110 |
>>>its way out, and we will be switching to Reference Policy |
| 111 |
>>>(http://serefpolicy.sf.net/) when its ready in a couple months. It will |
| 112 |
>>>be a significanly easier policy to manage and develop. It'll also bring |
| 113 |
>>>along with it the targeted policy, for desktops. |
| 114 |
>>> |
| 115 |
>>> |
| 116 |
I see where Fedora Core 3/4 has a policy for Dovecot. Is this likely |
| 117 |
based on the example |
| 118 |
policy, in which case I could grab it and try working with it, or is FC4 |
| 119 |
likely already on |
| 120 |
the Reference Policy? |
| 121 |
|
| 122 |
>>>You can run stuff chrooted, but it will likely require extra policy work |
| 123 |
>>>to get things labeled right. Though, with a good MAC system like |
| 124 |
>>>SELinux, the usefulness of chroot is questionable. |
| 125 |
>>> |
| 126 |
>>> |
| 127 |
>>> |
| 128 |
>>At some point I'd like to learn more about writing policy, if only |
| 129 |
>>because that may be what it takes to get leafnode support. In the |
| 130 |
>>meantime, will my software with no policy work, and what are the |
| 131 |
>>implications? |
| 132 |
>> |
| 133 |
>> |
| 134 |
> |
| 135 |
>Any access that is not explicitly allowed is denied. Without a proper |
| 136 |
>policy, the process will be running in some other context, and thus be |
| 137 |
>subject to those rules. Unless its a pretty simple program, it will |
| 138 |
>most likely be broken. |
| 139 |
> |
| 140 |
> |
| 141 |
> |
| 142 |
>>As for chroot, I'd like to consider SELinux another layer, not a silver |
| 143 |
>>bullet. That says I'd like to keep the chroot, even if it means doing |
| 144 |
>>the policy work myself, someday. |
| 145 |
>> |
| 146 |
>> |
| 147 |
Just glancing through the policy source, I see where policy provisions |
| 148 |
are already made |
| 149 |
for using named and dhcpd chrooted. Obviously I'll need to update for my |
| 150 |
mount mess. |
| 151 |
|
| 152 |
Thanks, |
| 153 |
Dale |
| 154 |
-- |
| 155 |
gentoo-hardened@g.o mailing list |
Archives