I've recently installed a few proof-of-concept hardened Gentoo servers
at work, with the hardened toolchain + SELinux as security measures.
I'll probably end up "training" the admins and other devs on how to
write and configure security policy, so I'm trying to understand it
better myself :) The documentation from the hardened project has been
helpful, but there's one element that I seem to be missing.

I have a good grasp on how the policy rules work, and how to write a
policy rule, but I'm still confused on exactly *why* I should be writing
a policy rule. My confusion stems from the fact that there are what I
believe to be an excessive number of avc denial messages being logged
right out of the box, just to boot the system. I obviously could run
audit2allow and figure out what TE rules to add, and silence the log
messages. But some of the rules it recommends just look wrong to me.
Things like this:

allow consoletype_t file_t:chr_file { getattr ioctl read write };
allow consoletype_t file_t:dir search;
allow dmesg_t file_t:chr_file { read write };

I was under the impression that nothing should ever be permitted to
transition to file_t, and that errors referencing the file_t domain mean
there's something mis-labelled. In this case, it looks like
/dev/console is the biggest culprit, but I've also got 20 or so errors from
initrc, a few from ifconfig, a half-dozen from udev. If I install, say,
sshd or sudo, I get more, even after merging and reloading their policy
files.

Is this normal or expected? Should I just add all of these rules that
audit2allow recommends, or did I miss some key step in the installation?
Are there any guidelines for tracking down the cause of these errors
and fixing them "the right way" so as not to compromise the security of
the system with over-broad rules? Are there any kinds of best-practices
guidelines for SELinux that I can use to explain the "why" of policy
writing, once I get past the "how"?

Thanks for any help you can give me,

--Mike


-- 
gentoo-hardened@g.o mailing list
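An added example, not part of Mike's post and not code from the Gentoo Hardened project, showing the triage step the question is asking about: separating AVC denials whose target is file_t (the type an object carries when it has no label at all, so a denial against it is a labelling problem, and an allow rule would grant the domain access to every unlabelled object on the box) from denials against properly labelled targets, which are the only ones worth handing to audit2allow for review. The audit records below are constructed sample data in the shape of the kernel's AVC records, mirroring the three rules quoted in the post plus one sshd denial; the paths, pids and inode numbers are illustrative. In real use the input would come from `ausearch -m avc` or from grepping `avc:` out of dmesg or the audit log.

```shell
#!/bin/sh
# Added example: triage AVC denials into "relabel" versus "policy" work.
# AVC_SAMPLE is constructed test input in the kernel's AVC record shape;
# the paths and numbers are illustrative, not captured from a real host.
AVC_SAMPLE='type=AVC msg=audit(1234567890.123:45): avc:  denied  { getattr ioctl read write } for  pid=512 comm="consoletype" path="/dev/console" dev=tmpfs ino=1234 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=chr_file
type=AVC msg=audit(1234567890.456:46): avc:  denied  { search } for  pid=512 comm="consoletype" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:consoletype_t tcontext=system_u:object_r:file_t tclass=dir
type=AVC msg=audit(1234567890.789:47): avc:  denied  { read write } for  pid=640 comm="dmesg" path="/dev/console" dev=tmpfs ino=1234 scontext=system_u:system_r:dmesg_t tcontext=system_u:object_r:file_t tclass=chr_file
type=AVC msg=audit(1234567891.012:48): avc:  denied  { read } for  pid=700 comm="sshd" path="/etc/ssh/sshd_config" dev=hda1 ino=9876 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:etc_t tclass=file'

# Reduce each AVC record on stdin to one line:
#   source_type target_type tclass { perms } path
# where path is "-" when the record carries neither path= nor name=.
avc_fields() {
    awk '
        /avc: +denied/ {
            s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, a, ":")
            t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, b, ":")
            c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
            p = $0; sub(/.*\{/, "{", p); sub(/\}.*/, "}", p)
            path = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(path|name)=/) {
                    path = $i; sub(/^[a-z]+="?/, "", path); sub(/"$/, "", path)
                }
            print a[3], b[3], c, p, (path == "" ? "-" : path)
        }'
}

# Denials whose target is file_t: the object is unlabelled, so the fix is
# to restore its label, not to allow the access. One restorecon line per
# distinct path. (If the object lives on a tmpfs such as /dev, the relabel
# only lasts until reboot and the real fix is wherever the node is created.)
relabel_candidates() {
    printf '%s\n' "$1" | avc_fields |
        awk '$2 == "file_t" && $NF != "-" && !seen[$NF]++ { print "restorecon -v " $NF }'
}

# Denials whose target is properly labelled: these are the candidates for
# a real policy decision. Printed in the allow-rule form audit2allow uses,
# so each one can be judged on its own merits before it goes into policy.
policy_candidates() {
    printf '%s\n' "$1" | avc_fields |
        awk '$2 != "file_t" {
                 perms = $4
                 for (i = 5; i < NF; i++) perms = perms " " $i
                 rule = "allow " $1 " " $2 ":" $3 " " perms ";"
                 if (!seen[rule]++) print rule
             }'
}

echo "# Unlabelled targets (fix the label, do not add allow rules):"
relabel_candidates "$AVC_SAMPLE"
echo "# Labelled targets (review before feeding to audit2allow):"
policy_candidates "$AVC_SAMPLE"
```

On the sample input the first report names /dev/console and / once each, even though two different domains tripped over /dev/console, and the second report contains only the sshd rule for etc_t:file; the three file_t rules from the post never reach the policy side. That is the practical difference between silencing a log and writing policy: a file_t denial is a question about how the object got created without a label, and the rule audit2allow offers for it is the over-broad kind the post is worried about.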