Fwd: [clug] My windows box got rooted last week... how at risk is Linux? [SEC=UNCLASSIFIED]

Lana Brindley lanabrindley at gmail.com
Fri Jun 13 00:11:36 GMT 2008


Oops - forgot to copy the list.

L

---------- Forwarded message ----------
From: Lana Brindley <lanabrindley at gmail.com>
Date: 2008/6/13
Subject: Re: [clug] My windows box got rooted last week... how at risk is Linux? [SEC=UNCLASSIFIED]
To: paulway at mabula.net




2008/6/13 Paul Wayper <paulway at mabula.net>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rousak, Boris wrote:
> | Slightly OT :) but...
> |
> | after such a great recommendation of SELinux, could you (and/or the
> | collective mind) recommend any good books or URLs on it? And by good I mean
> | books that do more than just say "this is what an SELinux policy looks
> | like, feel free to modify it to your needs".
>
> Heh.  Unfortunately, I'm looking for just such a book.  I was going to do the
> Red Hat Enterprise SE Linux Policy Administration course (RHS429) to learn
> more about this, but I suspect I already know half of it and the other half
> will be too brief for my tastes.  Won't stop me doing it when I have some
> money to throw at it.
>
> What I've learnt basically comes from studying existing setups.  The SELinux
> policies on Fedora and CentOS are quite detailed and contain a lot of ideas
> for building your own policies if you know where to look:
>
> 1) Use 'll -Z' to see the security contexts on files and directories.
> Likewise 'netstat -Z' shows the security contexts on ports.
> 2) Use 'chcon' and 'restorecon' to work with those security contexts.
> 3) Use 'grep message /var/log/audit/audit.log | audit2allow -M policy' to find
> a denial message and generate a policy file that will allow that in future.
> You still have to type 'semodule -i policy' to include that in the running
> policy, and that can't be scripted, so you're still safe.  This also generates
> intermediate files 'policy.te' as a text description of the actual policy,
> which you can edit and recompile.
> 4) Use 'semanage fcontext -l | grep /path/to/dir' to see the definitions of
> what file context gets applied to new files in a particular directory.  You
> can then add your own patterns - i.e. it works on a regexp-like match system -
> to set your own policies.  For instance, if you have /opt/application/cgi-bin
> as a CGI directory for your web server, you'll probably want 'semanage
> fcontext -a -t httpd_sys_script_exec_t "/opt/application/cgi-bin/*.cgi"' or
> similar.
>
> The larger question of how to create a new policy - e.g. you're writing the
> norge application and you want to create norge_exec_t, norge_file_rw_t,
> norge_config_t types and apply them to directories, and wrap them up in your
> norge.1.0.rpm package to be applied when the user installs the RPM - is
> something I'm still working on.
>
> Ah, well, there goes most of my talk :-)
>
> Have fun,
>
> Paul



I do believe that both the RHEL4 and RHEL5 manuals have fairly comprehensive
coverage of SELinux policies. As do the RHCT, RHCE, RHCSS and (as Paul says)
the SELinux Policy Admin courses, of course.

Check out http://www.redhat.com/docs and https://www.redhat.com/courses/

Lana



-- 
Cheers! Lana

Remember, Ginger Rogers did everything Fred Astaire did, but backwards and
in high heels.
-- Faith Whittlesey

Please avoid sending me Word, Powerpoint or Windows Media File attachments.

See http://www.gnu.org/philosophy/no-word-attachments.html
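The audit2allow step Paul describes above (grep the denial out of audit.log, generate policy.te, then decide whether to semodule -i it) is where a blindly accepted allow rule quietly undoes what SELinux was protecting. The script below is an added example, not code from the thread or from the audit2allow tool: it parses constructed sample AVC records, groups the denials into the allow rules audit2allow would write, and flags denials whose target type (default_t, unlabeled_t) means the object was mislabelled, where the right fix is the fcontext rule plus restorecon from step 4 rather than an allow rule. The log lines, pids, inodes and paths are constructed, not from a real system.

```python
import re
from collections import defaultdict

# Constructed sample AVC records in the format of /var/log/audit/audit.log (not a
# real log); the pids, inodes, paths and timestamps are illustrative only.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1213315200.101:401): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.cgi" dev=sda1 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1213315200.102:402): avc:  denied  { execute } for  pid=2301 comm="httpd" name="index.cgi" dev=sda1 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1213315200.102:402): arch=c000003e syscall=59 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1213315200.300:403): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# One AVC record: the permission set in braces, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Target types that mean the object was never labelled properly: the fix is a file
# context rule plus restorecon, not an allow rule that bakes the mislabelling in.
RELABEL_TYPES = {"default_t", "unlabeled_t"}

def type_of(context):
    """user:role:type:level -> type, the field a policy rule names."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Group AVC denials by (source type, target type, class) -> set of permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL, CWD, PATH records carry no denial of their own
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)

def to_te_rules(grouped):
    """Render the grouped denials as the allow rules audit2allow writes into policy.te."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

def review(grouped):
    """Flag denials that point at a labelling problem before anything is compiled."""
    return sorted({f"{t}: relabel the object instead of allowing {s} access"
                   for (s, t, _c) in grouped if t in RELABEL_TYPES})

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG)
    print("\n".join(to_te_rules(denials) + review(denials)))
```

Running it against real output of 'grep avc /var/log/audit/audit.log' gives the same grouping audit2allow starts from, so the review list can be checked before anything reaches semodule -i.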
