| 1 |
On Wed, 2005-10-26 at 21:33 -0400, Dale Pontius wrote: |
| 2 |
> Chris PeBenito wrote: |
| 3 |
> >On Sun, 2005-10-23 at 13:54 -0400, Dale Pontius wrote: |
| 4 |
> > |
| 5 |
> >>I decided to remove it and install syslog-ng. That appeared to work at |
| 6 |
> >>first. But as far as I can tell, nothing has been logged since the first |
| 7 |
> >>time I put the systeminto enforcing mode. |
| 8 |
> > |
| 9 |
> >Need to see some denials to better understand whats going on.> |
| 10 |
> > |
| 11 |
> I get no denials. Once I go enforcing, I get no logging, whatsoever. |
| 12 |
> Even after switching back to non-enforcing, logging doesn't start |
| 13 |
> up, again. |
| 14 |
> |
| 15 |
> However, I think I've got a clue. My basic system has 4 partitions: |
| 16 |
> / (root) - ext3 |
| 17 |
> swap |
| 18 |
> /home - xfs (I planned for maildirs and news spool to end up, here.) |
| 19 |
> /tmpvar - ext3 |
| 20 |
> |
| 21 |
> I suspect the last entry is my problem. The tmpvar partition has |
| 22 |
> 3 directories, tmp, var, and chroot. From the root directory, all |
| 23 |
> 3 of those entries are symlinks into tmpvar. The idea was to keep |
| 24 |
> root read-mostly, possibly read-only, and have the read/write stuff |
| 25 |
> on tmpvar. |
| 26 |
> |
| 27 |
> However, if I do a ls -Z / and look at tmpvar, tmp, and var I see: |
| 28 |
> lrwxr-xr-x root root system_u:object_r:default_t tmp |
| 29 |
> (->../tmpvar/tmp) |
| 30 |
> drwxr-xr-x root root system_u:object_r:default_t tmpvar |
| 31 |
> lrwxr-xr-x root root system_u:object_r:var_t var |
| 32 |
> (->../tmpvar/var) |
| 33 |
> If I look inside /var, everything is system_u:object_r:default_t. I |
| 34 |
> suspect that last part is wrong, and they should have been var_t. |
| 35 |
> |
| 36 |
> Does this sound like it might be my problem? |
| 37 |
|
| 38 |
Default_t is a label you never want to see. It means that when |
| 39 |
labeling, the file had no match in file_contexts. You need to add |
| 40 |
matches for all of the files in /tmpvar/var and /tmpvar/tmp since they |
| 41 |
are in nonstandard locations. You can add them to |
| 42 |
file_contexts/misc/local.fc (creating it is ok). You can look at the |
| 43 |
other .fc's for more info. |
| 44 |
|
| 45 |
> One workaround might be to mount the volume as /var, and then |
| 46 |
> symlink /tmp and /chroot into directories there, since they appear |
| 47 |
> to have no special labelling. |
| 48 |
|
| 49 |
No, you'll just have to have a different nonstandard labeling |
| 50 |
configuration. /var will be right, but you'll still have to add matches |
| 51 |
for tmp and chroot. However, this is probably the easiest to do, |
| 52 |
since /tmp has few matches to fix whereas /var has many, and you have to |
| 53 |
provide matches for /chroot anyway. |
| 54 |
|
| 55 |
> Another possiblity might be to us bind mounts instead of symlinks. |
| 56 |
|
| 57 |
This won't help in this case since setfiles will ignore bind mounts. |
| 58 |
|
| 59 |
> >>2: Can't ssh in when the system is enforcing. I've checked the sestatus |
| 60 |
> >>-v results, and everything looks ok. I've never seen a bogus console or |
| 61 |
> >>log message, but then again, see (1). Here's what I get: |
| 62 |
> >>user1@here ~ $ ssh -v user2@there |
| 63 |
> > |
| 64 |
> >Again, need to see some denials on the server, and logs from sshd if |
| 65 |
> >they have anything interesting other than the failed login message. |
| 66 |
> > |
| 67 |
> Again, no logging, no denials. |
| 68 |
|
| 69 |
Won't be able to fix this until logging is fixed. |
| 70 |
|
| 71 |
> I did notice one anomoly, going through |
| 72 |
> the FAQ. Everything was correct according to "sestatus -v" except that |
| 73 |
> there was no file context entry for /sbin/unix_chkpwd. In fact, there was |
| 74 |
> no file at all called /sbin/unix_chkpwd, but there was a |
| 75 |
> /usr/sbin/unix_chkpwd. |
| 76 |
|
| 77 |
An entry for /usr/sbin/unix_chkpwd just needs to be added |
| 78 |
in /etc/sestatus.conf. /sbin/unix_chkpwd was moved to /usr/sbin. |
| 79 |
|
| 80 |
> >>3: There isn't much about "standard practice". |
| 81 |
> >>What kinds of admin tasks can I perform while the system is enforcing? |
| 82 |
> >>What kinds of admin tasks do I have to drop out of enforcing for? |
| 83 |
> > |
| 84 |
> >The goal is to always enforce. Ideally, you should never have to switch |
| 85 |
> >to permissive to do admin tasks. |
| 86 |
> > |
| 87 |
> This includes updating packages? I believe I've seen something fly by |
| 88 |
> about relabeling individual packages. |
| 89 |
|
| 90 |
If you merge apache for example, but the apache policy isn't loaded, |
| 91 |
it's files won't have the right context. You have to relabel it before |
| 92 |
using it, which is what you're being warned about. |
| 93 |
|
| 94 |
> >>I presume emerging a new policy requres "make load". What requires "make |
| 95 |
> >>relabel"? |
| 96 |
> > |
| 97 |
> >You should generally relabel after switching from permissive back to |
| 98 |
> >enforcing. That may also mean restarting if processes aren't in the |
| 99 |
> >right context. Other than that, you shouldn't need a complete relabel |
| 100 |
> >except in recovery type situations. Or massive policy changes. |
| 101 |
> > |
| 102 |
> > |
| 103 |
> You do "make relabel" while in enforcing mode? I inferred from the |
| 104 |
> handbook that it should be done before changing over. |
| 105 |
|
| 106 |
Very much depends on the state of the system, and the circumstances. |
| 107 |
Generally, the shorter amount of time in permissive, the better. |
| 108 |
|
| 109 |
> >>What about things that don't have a policy? Like dovecot, leafnode, etc? |
| 110 |
> >>On my old system I ran things chroot'ed. Can I still, under SELinux? |
| 111 |
> > |
| 112 |
> >Our policy is a little stagnant, since the NSA example policy will be on |
| 113 |
> >its way out, and we will be switching to Reference Policy |
| 114 |
> >(http://serefpolicy.sf.net/) when its ready in a couple months. It will |
| 115 |
> >be a significanly easier policy to manage and develop. It'll also bring |
| 116 |
> >along with it the targeted policy, for desktops. |
| 117 |
> > |
| 118 |
> >You can run stuff chrooted, but it will likely require extra policy work |
| 119 |
> >to get things labeled right. Though, with a good MAC system like |
| 120 |
> >SELinux, the usefulness of chroot is questionable. |
| 121 |
> > |
| 122 |
> At some point I'd like to learn more about writing policy, if only |
| 123 |
> because that may be what it takes to get leafnode support. In the |
| 124 |
> meantime, will my software with no policy work, and what are the |
| 125 |
> implications? |
| 126 |
|
| 127 |
Any access that is not explicitly allowed is denied. Without a proper |
| 128 |
policy, the process will be running in some other context, and thus be |
| 129 |
subject to those rules. Unless its a pretty simple program, it will |
| 130 |
most likely be broken. |
| 131 |
|
| 132 |
> As for chroot, I'd like to consider SELinux another layer, not a silver |
| 133 |
> bullet. That says I'd like to keep the chroot, even if it means doing |
| 134 |
> the policy work myself, someday. |
| 135 |
|
| 136 |
-- |
| 137 |
Chris PeBenito |
| 138 |
<pebenito@g.o> |
| 139 |
Developer, |
| 140 |
Hardened Gentoo Linux |
| 141 |
Embedded Gentoo Linux |
| 142 |
|
| 143 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 144 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives