| 1 |
I've recently installed a few proof-of-concept hardened Gentoo servers |
| 2 |
at work, with the hardened toolchain + SELinux as security measures. |
| 3 |
I'll probably end to "training" the admins and other devs on how to |
| 4 |
write and configure security policy, so I'm trying to understand it |
| 5 |
better myself :) The documentation from the hardened project has been |
| 6 |
helpful, but there's one element that I seem to be missing. |
| 7 |
|
| 8 |
I have a good grasp on how the policy rules work, and how to write a |
| 9 |
policy rule, but I'm still confused on exactly *why* I should be writing |
| 10 |
a policy rule. My confusion stems from the fact that there are what I |
| 11 |
believe to be an excessive number of avc denial messages being logged |
| 12 |
right out of the box, just to boot the system. I obviously could run |
| 13 |
audit2allow and figure out what TE rules to add, and silence the log |
| 14 |
messages. But some of the rules it recommends just look wrong to me. |
| 15 |
Things like this: |
| 16 |
|
| 17 |
allow consoletype_t file_t:chr_file { getattr ioctl read write }; |
| 18 |
allow consoletype_t file_t:dir search; |
| 19 |
allow dmesg_t file_t:chr_file { read write }; |
| 20 |
|
| 21 |
I was under the impression that nothing should ever be permitted to |
| 22 |
transition to file_t, and that errors referencing the file_t domain mean |
| 23 |
there's something mis-labelled. In this case, it looks like |
| 24 |
/dev/console is the biggest culprit, but I've also 20 or so errors from |
| 25 |
initrc, a few from ifconfig, a half-dozen from udev. If I install, say, |
| 26 |
sshd or sudo, I get more, even after merging and reloading their policy |
| 27 |
files. |
| 28 |
|
| 29 |
Is this normal or expected? Should I just add all of these rules that |
| 30 |
audit2allow recommends, or did I miss some key step in the installation? |
| 31 |
Are there any guidelines for tracking down the cause of these errors |
| 32 |
and fixing them "the right way" so as not to compromise the security of |
| 33 |
the system with over-broad rules? Are there any kinds of best practices |
| 34 |
guidelines for SELinux that I can use to explain the "why" of policy |
| 35 |
writing, once I get past the "how"? |
| 36 |
|
| 37 |
Thanks for any help you can give me, |
| 38 |
|
| 39 |
--Mike |
| 40 |
|
| 41 |
|
| 42 |
-- |
| 43 |
gentoo-hardened@g.o mailing list |
Archives