1 |
Most of this is replies to specific sections, below. But given greater |
2 |
functionality, I have |
3 |
a new question, too. |
4 |
|
5 |
I decided to try running BIND on the SELinux system. I get this message: |
6 |
* Starting named ... |
7 |
named: capset failed: Operation not permitted: please ensure that the |
8 |
capset kernel module is loaded. see insmod(8) |
9 |
|
10 |
I've made sure that "commoncap" was built and loaded prior to trying to |
11 |
start BIND. A bit |
12 |
of google searching, and this seemed to have helped everyone else, but |
13 |
not me. Or might |
14 |
this be linked into the fact that I don't have /tmp properly labeled, |
15 |
yet? I don't see anything |
16 |
in /tmp on this system, and looking with "lsof -c named" on another |
17 |
system currently |
18 |
running BIND,I don't see any files in /tmp. |
19 |
|
20 |
I'm not trying to chroot bind at this point, just get it running. |
21 |
|
22 |
Chris PeBenito wrote: |
23 |
|
24 |
> <snip> |
25 |
> |
26 |
> |
27 |
>No, you'll just have to have a different nonstandard labeling |
28 |
>configuration. /var will be right, but you'll still have to add matches |
29 |
>for tmp and chroot. However, this is probably the easiest to do, |
30 |
>since /tmp has few matches to fix whereas /var has many, and you have to |
31 |
>provide matches for /chroot anyway. |
32 |
> |
33 |
> |
34 |
Shuffling my partitions worked wonders. Logging now works, and I can ssh |
35 |
in while the |
36 |
system is in enforcing mode. To date, I've just gotten the /var stuff |
37 |
into the right place. I |
38 |
haven't fiddled with /tmp or /chroot yet, but things are much more |
39 |
functional. (But not |
40 |
yet fully) |
41 |
|
42 |
><snip> |
43 |
> |
44 |
> |
45 |
>> I did notice one anomoly, going through |
46 |
>>the FAQ. Everything was correct according to "sestatus -v" except that |
47 |
>>there was no file context entry for /sbin/unix_chkpwd. In fact, there was |
48 |
>>no file at all called /sbin/unix_chkpwd, but there was a |
49 |
>>/usr/sbin/unix_chkpwd. |
50 |
>> |
51 |
>> |
52 |
> |
53 |
>An entry for /usr/sbin/unix_chkpwd just needs to be added |
54 |
>in /etc/sestatus.conf. /sbin/unix_chkpwd was moved to /usr/sbin. |
55 |
> |
56 |
> |
57 |
I'd changed the entry in /etc/sestatus.conf, (and removed the |
58 |
/sbin/unix_chkpwd) and |
59 |
I believe this is part of getting ssh running while in enforcing mode. |
60 |
But it brings up |
61 |
another question... It appears to me that /etc/sestatus.conf is really |
62 |
derived when the |
63 |
policy is compiled, and that I need to go into the original source in |
64 |
order to make this |
65 |
change persist. Correct? At one point, I could have sworn I saw a |
66 |
notation like: |
67 |
"(/usr)?/sbin/unix_chkpwd" that looks like it should have matched either |
68 |
"/sbin/unix_chkpwd" or "/usr/sbin/unix_chkpwd". But looking now, I can't |
69 |
find it, and |
70 |
it should have prevented my problem from ever happening. |
71 |
|
72 |
Along those lines, I should go looking for /tmp and /chroot in the src |
73 |
tree, I presume? |
74 |
Update there and "make load", etc? |
75 |
|
76 |
> |
77 |
> |
78 |
>>>>3: There isn't much about "standard practice". |
79 |
>>>>What kinds of admin tasks can I perform while the system is enforcing? |
80 |
>>>>What kinds of admin tasks do I have to drop out of enforcing for? |
81 |
>>>> |
82 |
>>>> |
83 |
>>>The goal is to always enforce. Ideally, you should never have to switch |
84 |
>>>to permissive to do admin tasks. |
85 |
>>> |
86 |
>>> |
87 |
>>> |
88 |
>>This includes updating packages? I believe I've seen something fly by |
89 |
>>about relabeling individual packages. |
90 |
>> |
91 |
>> |
92 |
> |
93 |
>If you merge apache for example, but the apache policy isn't loaded, |
94 |
>it's files won't have the right context. You have to relabel it before |
95 |
>using it, which is what you're being warned about. |
96 |
> |
97 |
> |
98 |
Now that I have the /var working right, I can "emerge sync" and "emerge |
99 |
-atuvDN world" |
100 |
without problems. The system spends most of its time in enforcing mode. |
101 |
|
102 |
|
103 |
<snip> |
104 |
|
105 |
>>>>What about things that don't have a policy? Like dovecot, leafnode, etc? |
106 |
>>>>On my old system I ran things chroot'ed. Can I still, under SELinux? |
107 |
>>>> |
108 |
>>>> |
109 |
>>>Our policy is a little stagnant, since the NSA example policy will be on |
110 |
>>>its way out, and we will be switching to Reference Policy |
111 |
>>>(http://serefpolicy.sf.net/) when its ready in a couple months. It will |
112 |
>>>be a significanly easier policy to manage and develop. It'll also bring |
113 |
>>>along with it the targeted policy, for desktops. |
114 |
>>> |
115 |
>>> |
116 |
I see where Fedora Core 3/4 has a policy for Dovecot. Is this likely |
117 |
based on the example |
118 |
policy, in which case I could grab it and try working with it, or is FC4 |
119 |
likely already on |
120 |
the Reference Policy? |
121 |
|
122 |
>>>You can run stuff chrooted, but it will likely require extra policy work |
123 |
>>>to get things labeled right. Though, with a good MAC system like |
124 |
>>>SELinux, the usefulness of chroot is questionable. |
125 |
>>> |
126 |
>>> |
127 |
>>> |
128 |
>>At some point I'd like to learn more about writing policy, if only |
129 |
>>because that may be what it takes to get leafnode support. In the |
130 |
>>meantime, will my software with no policy work, and what are the |
131 |
>>implications? |
132 |
>> |
133 |
>> |
134 |
> |
135 |
>Any access that is not explicitly allowed is denied. Without a proper |
136 |
>policy, the process will be running in some other context, and thus be |
137 |
>subject to those rules. Unless its a pretty simple program, it will |
138 |
>most likely be broken. |
139 |
> |
140 |
> |
141 |
> |
142 |
>>As for chroot, I'd like to consider SELinux another layer, not a silver |
143 |
>>bullet. That says I'd like to keep the chroot, even if it means doing |
144 |
>>the policy work myself, someday. |
145 |
>> |
146 |
>> |
147 |
Just glancing through the policy source, I see where policy provisions |
148 |
are already made |
149 |
for using named and dhcpd chrooted. Obviously I'll need to update for my |
150 |
mount mess. |
151 |
|
152 |
Thanks, |
153 |
Dale |
154 |
-- |
155 |
gentoo-hardened@g.o mailing list |