1 |
On Wed, 2005-10-26 at 21:33 -0400, Dale Pontius wrote: |
2 |
> Chris PeBenito wrote: |
3 |
> >On Sun, 2005-10-23 at 13:54 -0400, Dale Pontius wrote: |
4 |
> > |
5 |
> >>I decided to remove it and install syslog-ng. That appeared to work at |
6 |
> >>first. But as far as I can tell, nothing has been logged since the first |
7 |
> >>time I put the systeminto enforcing mode. |
8 |
> > |
9 |
> >Need to see some denials to better understand whats going on.> |
10 |
> > |
11 |
> I get no denials. Once I go enforcing, I get no logging, whatsoever. |
12 |
> Even after switching back to non-enforcing, logging doesn't start |
13 |
> up, again. |
14 |
> |
15 |
> However, I think I've got a clue. My basic system has 4 partitions: |
16 |
> / (root) - ext3 |
17 |
> swap |
18 |
> /home - xfs (I planned for maildirs and news spool to end up, here.) |
19 |
> /tmpvar - ext3 |
20 |
> |
21 |
> I suspect the last entry is my problem. The tmpvar partition has |
22 |
> 3 directories, tmp, var, and chroot. From the root directory, all |
23 |
> 3 of those entries are symlinks into tmpvar. The idea was to keep |
24 |
> root read-mostly, possibly read-only, and have the read/write stuff |
25 |
> on tmpvar. |
26 |
> |
27 |
> However, if I do a ls -Z / and look at tmpvar, tmp, and var I see: |
28 |
> lrwxr-xr-x root root system_u:object_r:default_t tmp |
29 |
> (->../tmpvar/tmp) |
30 |
> drwxr-xr-x root root system_u:object_r:default_t tmpvar |
31 |
> lrwxr-xr-x root root system_u:object_r:var_t var |
32 |
> (->../tmpvar/var) |
33 |
> If I look inside /var, everything is system_u:object_r:default_t. I |
34 |
> suspect that last part is wrong, and they should have been var_t. |
35 |
> |
36 |
> Does this sound like it might be my problem? |
37 |
|
38 |
Default_t is a label you never want to see. It means that when |
39 |
labeling, the file had no match in file_contexts. You need to add |
40 |
matches for all of the files in /tmpvar/var and /tmpvar/tmp since they |
41 |
are in nonstandard locations. You can add them to |
42 |
file_contexts/misc/local.fc (creating it is ok). You can look at the |
43 |
other .fc's for more info. |
44 |
|
45 |
> One workaround might be to mount the volume as /var, and then |
46 |
> symlink /tmp and /chroot into directories there, since they appear |
47 |
> to have no special labelling. |
48 |
|
49 |
No, you'll just have to have a different nonstandard labeling |
50 |
configuration. /var will be right, but you'll still have to add matches |
51 |
for tmp and chroot. However, this is probably the easiest to do, |
52 |
since /tmp has few matches to fix whereas /var has many, and you have to |
53 |
provide matches for /chroot anyway. |
54 |
|
55 |
> Another possiblity might be to us bind mounts instead of symlinks. |
56 |
|
57 |
This won't help in this case since setfiles will ignore bind mounts. |
58 |
|
59 |
> >>2: Can't ssh in when the system is enforcing. I've checked the sestatus |
60 |
> >>-v results, and everything looks ok. I've never seen a bogus console or |
61 |
> >>log message, but then again, see (1). Here's what I get: |
62 |
> >>user1@here ~ $ ssh -v user2@there |
63 |
> > |
64 |
> >Again, need to see some denials on the server, and logs from sshd if |
65 |
> >they have anything interesting other than the failed login message. |
66 |
> > |
67 |
> Again, no logging, no denials. |
68 |
|
69 |
Won't be able to fix this until logging is fixed. |
70 |
|
71 |
> I did notice one anomoly, going through |
72 |
> the FAQ. Everything was correct according to "sestatus -v" except that |
73 |
> there was no file context entry for /sbin/unix_chkpwd. In fact, there was |
74 |
> no file at all called /sbin/unix_chkpwd, but there was a |
75 |
> /usr/sbin/unix_chkpwd. |
76 |
|
77 |
An entry for /usr/sbin/unix_chkpwd just needs to be added |
78 |
in /etc/sestatus.conf. /sbin/unix_chkpwd was moved to /usr/sbin. |
79 |
|
80 |
> >>3: There isn't much about "standard practice". |
81 |
> >>What kinds of admin tasks can I perform while the system is enforcing? |
82 |
> >>What kinds of admin tasks do I have to drop out of enforcing for? |
83 |
> > |
84 |
> >The goal is to always enforce. Ideally, you should never have to switch |
85 |
> >to permissive to do admin tasks. |
86 |
> > |
87 |
> This includes updating packages? I believe I've seen something fly by |
88 |
> about relabeling individual packages. |
89 |
|
90 |
If you merge apache for example, but the apache policy isn't loaded, |
91 |
it's files won't have the right context. You have to relabel it before |
92 |
using it, which is what you're being warned about. |
93 |
|
94 |
> >>I presume emerging a new policy requres "make load". What requires "make |
95 |
> >>relabel"? |
96 |
> > |
97 |
> >You should generally relabel after switching from permissive back to |
98 |
> >enforcing. That may also mean restarting if processes aren't in the |
99 |
> >right context. Other than that, you shouldn't need a complete relabel |
100 |
> >except in recovery type situations. Or massive policy changes. |
101 |
> > |
102 |
> > |
103 |
> You do "make relabel" while in enforcing mode? I inferred from the |
104 |
> handbook that it should be done before changing over. |
105 |
|
106 |
Very much depends on the state of the system, and the circumstances. |
107 |
Generally, the shorter amount of time in permissive, the better. |
108 |
|
109 |
> >>What about things that don't have a policy? Like dovecot, leafnode, etc? |
110 |
> >>On my old system I ran things chroot'ed. Can I still, under SELinux? |
111 |
> > |
112 |
> >Our policy is a little stagnant, since the NSA example policy will be on |
113 |
> >its way out, and we will be switching to Reference Policy |
114 |
> >(http://serefpolicy.sf.net/) when its ready in a couple months. It will |
115 |
> >be a significanly easier policy to manage and develop. It'll also bring |
116 |
> >along with it the targeted policy, for desktops. |
117 |
> > |
118 |
> >You can run stuff chrooted, but it will likely require extra policy work |
119 |
> >to get things labeled right. Though, with a good MAC system like |
120 |
> >SELinux, the usefulness of chroot is questionable. |
121 |
> > |
122 |
> At some point I'd like to learn more about writing policy, if only |
123 |
> because that may be what it takes to get leafnode support. In the |
124 |
> meantime, will my software with no policy work, and what are the |
125 |
> implications? |
126 |
|
127 |
Any access that is not explicitly allowed is denied. Without a proper |
128 |
policy, the process will be running in some other context, and thus be |
129 |
subject to those rules. Unless its a pretty simple program, it will |
130 |
most likely be broken. |
131 |
|
132 |
> As for chroot, I'd like to consider SELinux another layer, not a silver |
133 |
> bullet. That says I'd like to keep the chroot, even if it means doing |
134 |
> the policy work myself, someday. |
135 |
|
136 |
-- |
137 |
Chris PeBenito |
138 |
<pebenito@g.o> |
139 |
Developer, |
140 |
Hardened Gentoo Linux |
141 |
Embedded Gentoo Linux |
142 |
|
143 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
144 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |