[clug] My windows box got rooted last week... how at risk is Linux? [SEC=UNCLASSIFIED]

Paul Wayper paulway at mabula.net
Fri Jun 13 00:05:20 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rousak, Boris wrote:
| Slightly OT :) but...
|
| after such a great recommendation of SELinux, could you (and/or the
| collective mind) recommend any good books URLs on it? And by good I mean
| books that do more than just say "this is what an SELinux policy looks
| like, feel free to modify it to your needs".

Heh.  Unfortunately, I'm looking for just such a book.  I was going to do the
Red Hat Enterprise SE Linux Policy Administration course (RHS429) to learn
more about this, but I suspect I already know half of it and the other half
will be too brief for my tastes.  Won't stop me doing it when I have some
money to throw at it.

What I've learnt basically comes from studying existing setups.  The SELinux
policies on Fedora and CentOS are quite detailed and contain a lot of ideas
for building your own policies if you know where to look:

1) Use 'll -Z' to see the security contexts on files and directories.
Likewise 'netstat -Z' shows the security contexts on ports.
2) Use 'chcon' and 'restorecon' to work with those security contexts.
3) Use 'grep message /var/log/audit/audit.log | audit2allow -M policy' to find
a denial message and generate a policy file that will allow that in future.
You still have to type 'semodule -i policy' to include that in the running
policy, and that can't be scripted, so you're still safe.  This also generates
intermediate files 'policy.te' as a text description of the actual policy,
which you can edit and recompile.
4) Use 'semanage fcontext -l | grep /path/to/dir' to see the definitions of
what file context gets applied to new files in a particular directory.  You can
then add your own patterns - i.e. it works on a regexp-like match system - to
set your own policies.  For instance, if you have /opt/application/cgi-bin as
a CGI directory for your web server, you'll probably want 'semanage fcontext
-a -t httpd_sys_script_exec_t "/opt/application/cgi-bin/*.cgi"' or similar.

The larger question of how to create a new policy - e.g. you're writing the
norge application and you want to create norge_exec_t, norge_file_rw_t,
norge_config_t types and apply them to directories, and wrap them up in your
norge.1.0.rpm package to be applied when the user installs the RPM - is
something I'm still working on.

Ah, well, there goes most of my talk :-)

Have fun,

Paul
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFIUbnAu7W0U8VsXYIRApSgAKDHrrHKPK5PCnmtlAIwYZmEUbSNcQCgpJ1p
rA8DeXq1wU47CWhHVPKIO9c=
=40EC
-----END PGP SIGNATURE-----
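An added example, not part of Paul's message: point 3 above pipes grep output into audit2allow and trusts the resulting module enough to load it with 'semodule -i'. What audit2allow does with those lines is mechanical, and seeing it done by hand makes clear that you are about to allow exactly what was denied, whether the denial came from a mislabelled CGI script or from something you would rather keep blocked. The POSIX shell function below reads AVC records in the auditd format, keeps only the 'denied' ones, and collapses them into the allow rules a generated policy.te would contain. The audit lines are constructed samples (the httpd_t, usr_t and mysqld_port_t labels are standard Fedora policy types used only as illustration); the function and variable names are this example's own.

```shell
# avc_to_rules: read audit.log lines on stdin, print one "allow" rule per
# (source type, target type, object class), with the union of denied
# permissions.  This is the summarising step audit2allow performs before
# it compiles a module; nothing here touches the running policy.
avc_to_rules() {
    awk '/avc: *denied/ {
        # Permission set sits between the braces after "denied".
        perms = $0
        sub(/.*denied[ \t]*[{][ \t]*/, "", perms)
        sub(/[ \t]*[}].*/, "", perms)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            # user:role:type:level -> third field is the type
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s, t ":" c, p[j]
    }' | sort -u | awk '
        # Lines are now "src tgt:class perm", sorted, so equal keys are adjacent.
        { key = $1 " " $2 }
        key != prev {
            if (prev != "") print "allow " prev " { " perms " };"
            prev = key; perms = $3; next
        }
        { perms = perms " " $3 }
        END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# Constructed sample of what "grep denied /var/log/audit/audit.log" might
# return: two file denials on the same CGI script, one SYSCALL record that
# must be ignored, and a network denial that is a different kind of problem.
SAMPLE_AVC='type=AVC msg=audit(1213315200.101:45): avc:  denied  { read getattr } for  pid=1234 comm="httpd" name="index.cgi" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1213315200.101:45): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1213315200.202:46): avc:  denied  { execute } for  pid=1234 comm="httpd" name="index.cgi" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1213315200.303:47): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# sample_rules: run the sample through the function (used by the demo below).
sample_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
}

# Stand-alone demo.  On a real box you would run
#   grep denied /var/log/audit/audit.log | avc_to_rules
# and read the output before deciding whether audit2allow -M is the answer.
sample_rules
```

The two rules this prints tell different stories. 'allow httpd_t usr_t:file { execute getattr read };' is the signature of a CGI script that was never relabelled: the fix is the semanage fcontext line from point 4 followed by restorecon, not a custom module that lets httpd execute anything of type usr_t. 'allow httpd_t mysqld_port_t:tcp_socket { name_connect };' is a policy decision that the distribution already exposes as a boolean (getsebool -a | grep httpd shows the candidates), so it should be flipped with setsebool rather than hard-coded. Only denials that fit neither pattern are good input for 'audit2allow -M', and even then the generated policy.te deserves a read before 'semodule -i'.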
