Quantcast
Channel: Dan Walsh's Blog
Viewing all 181 articles
Browse latest View live

Fedora 17 New Security Feature part V - sudo can now use sssd for authorization data (sudoers)

February 28, 2012, 9:03 am
$
0
0
Currently sudo can be configure to read the /etc/sudoers file locally or to look it up via sudoers content via LDAP.  The LDAP server provides a useful feature for organizations  which wanted to centralize authorization data. 

But, as in all types of centralized authorization/authentications systems, it does not work well when your machine is disconnected
from the network.

sssd - System Security Services Daemon to the rescue.

sssd was added to Fedora a few releases ago, as I blogged about back in March 2011.

One of the biggest benefits of sssd is that it allows for disconnected access to cached authorization/authentication data. 
A new feature in Fedora 17 adds sssd as a source for sudoers data.

The benefits of this integration as described on the feature page are:

  • offline access - sudoers rules would be stored in a persistent cache, allowing sudo to fetch the rules seamlessly even in cases when the LDAP server is not reachable such as user roaming with a laptop.
  • unified configuration of LDAP parameters such as the servers used, timeout options and security properties at one places (sssd.conf)
  • sudo would take advantage of the advanced features SSSD has such as server fail over, server discovery using DNS SRV lookups and more
  • only one connection to the LDAP server open at a time resulting in less load on the LDAP server and better performance
And from an SELinux point of view one less network access for the sudoers application.
  • caching of the rules - less load on the LDAP server and better performance on the client side as the client wouldn't have to go to the server with each request
  • back end abstraction - data may be stored in NIS or other databases and accessed by the sudo transparently
Imagine if sssd and IPA could eventually cache SELinux Roles/Confined Users, maybe sometime in the not too distant future ...
Search

Fedora 17 New Security Feature part VI - systemd-journal

February 29, 2012, 6:53 am
$
0
0
There has been a lot written about the systemd-journal, this link gives a pretty good description of why it is good from a security point of view, although I don't see this as a full replacement of syslog.

http://techspear.com/2011/11/systemd-journal-an-alternate-for-the-syslog/

Since the syslog format is ubiquitous, I don't see it going away.  Also systemd-journal caused a lot of people who were working on "Structured Logging" to get all up in arms over it, since Lennart and Kay did not work with them.

I still like it. 

systemd has become the central point of launching system apps, so it knows more about what is going on in the system then any other process save the kernel.

Years ago when the audit system was being build Karl MacMillan of Tresys believed that some of the problems that the audit system was trying to fix could be handled by extending syslog to record all the information about the sending process.  ALL of the UIDs associated with a process as well as recording the SELinux Context.   Systemd-journald now does this. 

Let me give an example of where systemd-journal could be used to increase security. 

SELinux controls processes by only allowing them to do what they were designed to do.  Sometimes even less depending on the security goals of the policy writer.  This means SELinux would prevent a hacked ntpd process from doing anything other then handle  Network Time.  SELinux would prevent the hacked ntpd from reading mysql database or credit card data from the users home directory,  even if the ntpd process was running as root.  However, since the ntpd process sends syslog messages, SELinux would allow the hacked process to continue to send syslog messages.  The hacked ntpd could format syslog messages to match other daemons and potentially trick and administrator or even better a tool that reads the syslog file (Intrusion detection tools?) into doing something bad.   If all messages were verified with the systemd-journal then the administrator or syslog analysis tool could notice that ntpd_t is sending messages about sshd, and we could realize your ntpd daemon was hacked.

.cursor=s=f328cc4b2615417189ab76b00c7ae041;i=2;b=4c3d0faf6b774fb7930972c1a4a5f87
.realtime=1329940273078467
...skipping...
SYSLOG_IDENTIFIER=sshd
SYSLOG_PID=2302
MESSAGE=sshd Fake message from sshd.
_PID=2302
_UID=0
_GID=0
_COMM=ntpd
_EXE=/usr/sbin/ntpd
_CMDLINE=/usr/sbin/ntpd -n -u ntp:ntp -g
_SYSTEMD_CGROUP=/system/ntpd.service
_SYSTEMD_UNIT=ntpd.service
_SELINUX_CONTEXT=system_u:system_r:ntpd_t:s0
_SOURCE_REALTIME_TIMESTAMP=1330527027590337
_BOOT_ID=4c3d0faf6b774fb7930972c1a4a5f870
_MACHINE_ID=432d8198a8fc421caf2dca48ccde1cf2
_HOSTNAME=dhcp-189-250.bos.redhat.com
 

VMWare wants you to turn SELinux off? Really?

March 1, 2012, 5:50 am
$
0
0
i·ro·ny
1.  The use of words to convey a meaning that is the opposite of its literal meaning: the irony of her reply, “How nice!” when I said I had to work all weekend.
2. an outcome of events contrary to what was, or might have been, expected.

One of the great features of KVM Virtualization is that each virtual machine is wrapped in an SELinux sandbox.   All the software used to run a virtual machine on a host is called a hypervisor.  When you run virtual machines, you have to worry about hypervisor vulnerabilities, which would allow your guest operating system to attack the host or other virtual machines you have running on the host.

We strive to make the Linux KVM Hypervisor as secure as possible, but bugs happen.  SELinux can control what the virtual machine process can and can not do on the host machine.   If you are running virtual machines on you Fedora or Red Hat box, you really should be running SELinux in enforcing mode.

It has come to my attention that VMWare support is suggesting people turn off SELinux...  I guess SELiux is too complicated for the VMWare crack support team to handle.

At Red Hat we consider security a priority, VMWare I am not so sure.

If you are having a problem running any VMWare product on a RHEL or Fedora Operating system, contact me dwalsh@redhat.com and I will help you run your virtual machines and leave the security in place...

Hacking the Cloud
April 2011 "How it Works" issue of Popular Science,   by Marie Pacella

senetwork: new tool for examining SELinux networking policy.

March 2, 2012, 1:35 pm
$
0
0
A couple of years ago I added some python bindings for setools.  I hoped we would start to see new tools arise to analyze SELinux policy.  Maybe making SELinux easier to user and understand. 

Lately I have gone back to these tools and started playing with them to see what tools I could build. 

Last couple of days I have hacked together a little script called senetwork

The goal was to answering questions like:

What ports can a particular domain connect to?  Bind to?

# senetwork ftpd_t
ftpd_t tcp name_connect
    ephemeral_port_t: 32768-61000
    ldap_port_t: 389,636,3268
    dns_port_t: 53
    ocsp_port_t: 9080
    kerberos_port_t: 88,750,4444
ftpd_t tcp name_bind
    ephemeral_port_t: 32768-61000
    ftp_port_t: 21,990
    ftp_data_port_t: 20
    unreserved_port_t: 1024-32767,61001-65535
    port_t: all ports with out defined types

What type(s) are associated with a particular port number?

# senetwork 8080
8080: tcp unreserved_port_t 1024-32767
8080: udp unreserved_port_t 1024-32767
8080: tcp http_cache_port_t 8080

What ports are associated with a particular port_type?

# senetwork ftp_port_t
ftp_port_t: tcp: 21,990
ftp_port_t: udp: 990

Basically senetwork looks at the argument and figures out whether or not it is a number, port type or domain type
and then prints out the information.

I plan on packaging up these little scriptlets with setools-console.

bash completion for setsebool/getsebool added for Fedora 17

March 6, 2012, 8:43 am
$
0
0
policycoreutils-python-2.1.10-26.fc17.x86_64 now has bash completion scripts for semanage and setsebool/getsebool

/etc/bash_completion.d/semanage-bash-completion.sh
/etc/bash_completion.d/setsebool-bash-completion.sh

# getsebool -<tab>
# getsebool -a

# getsebool samba_<tab>
samba_create_home_dirs   samba_export_all_ro      samba_share_fusefs
samba_domain_controller  samba_export_all_rw      samba_share_nfs
samba_enable_home_dirs   samba_run_unconfined   

# setsebool -<tab>
# setsebool -P<tab>

# setsebool -P samba_<tab>
samba_create_home_dirs   samba_export_all_ro      samba_share_fusefs
samba_domain_controller  samba_export_all_rw      samba_share_nfs
samba_enable_home_dirs   samba_run_unconfined

semanage completion is a little more complicated.

# semanage <tab>
boolean     fcontext    login       node        port       
dontaudit   interface   module      permissive  user

# semanage fcontext -<tab>
-a           -d           --deleteall  -f           --help       --modify
--add        -D           -e           --ftype      --locallist  -t
-C           --delete     --equal      -h           -m           --type

# semanage fcontext -a -t samba<tab>
samba_etc_t                     samba_secrets_t
sambagui_exec_t                 samba_share_t
samba_initrc_exec_t             samba_unconfined_script_exec_t
samba_log_t                     samba_unit_file_t
samba_net_exec_t

...

Try it out.  If you find problems, patches accepted... :^)

Excuse me son, but your code is leaking !!!

March 7, 2012, 8:34 pm
$
0
0
I have written over the years about leaked file descriptors, and what a pain they have been to SELinux.

C on Unix many many years ago was designed to leak by default.  A file descriptor is leaked if you open a file descriptor or socket and then do a fork/exec.  The new process will automatically get access to the file descriptor unless SELinux blocks it. 

When SELinux blocks the leaked file descriptor you usually end up with a strange looking AVC about the new domain trying to read or write a random file or a socket owned by the parent or even worse an ancestor.

Talking with Uli Drepper the other day about leaked file descriptors.  He reminded me that the gcc/glibc teams had added a flags to open,fopen, socket, accept4 to change the default.

man open
...
By  default,  the  new  file descriptor is set to remain open across an execve(2) (i.e., the  FD_CLOEXEC  file  descriptor  flag  described  in fcntl(2)  is  initially  disabled; the O_CLOEXEC flag, described below, can be used to change this default).
...
O_CLOEXEC (Since Linux 2.6.23)          Enable the close-on-exec  flag  for  the  new  file  descriptor. Specifying  this  flag  permits  a  program  to avoid additional fcntl(2) F_SETFD operations to set the FD_CLOEXEC  flag.   Additionally,  use  of  this flag is essential in some multithreaded programs since using a separate fcntl(2)  F_SETFD  operation  to set  the  FD_CLOEXEC  flag does not suffice to avoid race conditions where one thread opens a file descriptor at the same  time as another thread does a fork(2) plus execve(2).

Sadly this can not be made the default, but as a good programing practice all open/socket,accept and fopen calls should use this flag in order to close the file descriptor by default.

open(path, O_CLOEXEC | flags)
socket(DOMAIN, SOCK_CLOEXEC | type, PROTOCOL)
accept4(int sockfd, struct sockaddr *addr, socklen_t *addrlen, SOCK_CLOEXEC | flags);
fopen(path, "rc")

If you can not open a file descriptor with one of these commands then you can execute

fctnl(fd, F_SETFD, FD_CLOEXEC)

He gcc developers or code analysys tools, you probably should catch when leaks happen, especially if they are not STDIN, STDOUT, STDERR.

Just be neat and stop leaking all over the place.

Fedora 17 New Security Feature part VI - man pages for SELinux user/role domains

March 8, 2012, 8:46 am
$
0
0
Ok, maybe this should be Security Feature IV.5 but Roman numerals do not support decimal points.  :^)

After I wrote the tool to generate service domains man pages, Miroslav Grepl thought it would be a good idea to generate similar policy for user domains and roles.

We hacked up a new script called segenuserman, which generates 13 new SELinux user and Role man pages.

auditadm_selinux.8  git_shell_selinux.8  logadm_selinux.8 secadm_selinux.8    sysadm_selinux.8 user_selinux.8    xguest_selinux.8 dbadm_selinux.8 guest_selinux.8  nx_server_selinux.8  staff_selinux.8 unconfined_selinux.8  webadm_selinux.8

Note segenuserman also requires senetwork.py.

Here is the staff_selinux.8 for an SELinux user, and webadm_selinux.8 for an SELinux role.

I have also updated the SELinux service domain man pages to include booleans,process types, file context paths, better descriptions, network ports.

Here is an update zebra_selinux.8



Fedora 17 New Security Feature part VII - thumbnail protection.

March 12, 2012, 8:55 am
$
0
0

John Leyden wrote an interesting article Linux vulnerable to Windows-style autorun exploits, about how security researches had discovered that Linux is potentially vulnerable to a user sticking a USB device or CDRom into a locked machine.  The basic idea was that "Nautilus" would execute thumbnail drive code, to display thumbnails icons in the file browsers based on the content on the removable media, even if the machine was locked.  If the thumbnail executables were vulnerabile, a cracker could use the code used to process the thumbnail images to kill the screensaver/lock. 

Never mind this, just plugging in a USB stick when you a logged in, could allow a cracker to take over your machine.

At that time, I wrote policy for all thumbnail drivers to be locked down with SELinux, but I only turned it on for confined users.
I and other users have been running this confinement thoughout Fedora 16. 

In Fedora 17 I have turned this on for the unconfined user. 

We are confining the following applications.

/usr/bin/evince-thumbnailer
/usr/bin/ffmpegthumbnailer
/usr/bin/gnome-exe-thumbnailer.sh
/usr/bin/gnome-nds-thumbnailer
/usr/bin/gnome-xcf-thumbnailer
/usr/bin/gsf-office-thumbnailer
/usr/bin/raw-thumbnailer
/usr/bin/shotwell-video-thumbnailer
/usr/bin/totem-video-thumbnailer
/usr/bin/whaaw-thumbnailer
/usr/lib(64)?/tumbler-1/tumblerd

I have seen these applications try to "execstack" when running mplayer executable on an thumbnails, kind of scary.

If you know of other thumbnail applications that get launched as thumbnails, please tell me.

Search

Fedora 17 New Security Feature part VIII - New SELinux Domains in F17

March 13, 2012, 7:47 am
$
0
0
Each Fedora we release a bunch of new domains that will run in permissive mode for the release.  When the next release is released, the permissive domains are made enforcing.

In my blog,10 things you probably did not know about SELinux.. #4, I describe how you can interact with permissive domains.

Any ways these are the permissive domains in Fedora 16 that will now be confined.

Fedora 16 Permissive Domains

pptp_t quota_nld_t sshd_sandbox_t nova_ajax_t nova_api_t nova_compute_t nova_direct_t nova_network_t nova_objectstore_t nova_scheduler_t nova_vncproxy_t nova_volume_t rabbitmq_epmd_t rabbitmq_beam_t deltacloudd_t iwhd_t mongod_t thin_t chrome_sandbox_nacl_t matahari_sysconfigd_t

Fedora 17 Permissive Domains

couchdb_t (/usr/bin/couchdb)
blueman_t (/usr/libexec/blueman-mechanism)
httpd_zoneminder_script_t (/usr/libexec/zoneminder/cgi-bin(/.*)?)
zoneminder_t (/usr/bin/zmpkg.pl)
selinux_munin_plugin_t (/usr/share/munin/plugins/selinux_avcstat)
sge_shepherd_t (/usr/bin/sge_shepherd)
sge_execd_t (/usr/bin/sge_execd)
sge_job_t
matahari_rpcd_t (/usr/bin/sge_execd)
keystone_t (/usr/bin/keystone-all)
pacemaker_t (/usr/sbin/pacemakerd)

Of course I reserve the right to add to this list.  our goal is to make sure all init/dbus services run with a type other then initrc_t. 

If you see a process on your machine that is shipped from Fedora running as initrc_t, please open a bugzilla on SELinux policy.

Secure Boot versus Ksplice.

March 15, 2012, 5:50 am
$
0
0
I have been attending many talks on Secure Boot.  The basic idea behind secure boot is to ensure that the bios/bootloader and kernel have not been hacked.  My understanding of how this is done is everything is signed and verified during the bootup.  Nothing can run in the kernel that was not signed and verified.  

Then we Oracle pushing Ksplice.

I can't help but ask the question?

Is ksplice a security disaster waiting to happen?

SELinux Types Revisited.

March 19, 2012, 9:06 am
$
0
0
A common mistake people make with SELinux is thinking all types are the same. 

I often get bugzilla's from people who first got a bug saying that httpd_t can not read some directory, say /myapache.  The admin then does some limited research and discovers the chcon command.  The admin then assumes if he uses the chcon command with the httpd type, it will solve his problem.

# chcon -t httpd_t /myapache
chcon: failed to change context of `/myapache' to `staff_u:object_r:httpd_t:s0': Permission denied

What, wait I am unconfined_t, why won't this be allowed.

# setenforce 0
# chcon -t httpd_t /myapache
#

Works, I guess I am all set.
# setenforce 1

Apache blows up.

Now they have AVC messages that indicate they need

allow unconfined_t httpd_t:dir relabelto;
allow httpd_t fs_t:filesystem associate;

Since the admin forced the label onto the system, other parts of SELinux start to break.  Later locate runs and they get an AVC that requires

allow locate_t httpd_t:dir getattr;

What the ...

The assumption, the administrator mistakenly made, was that all types are created equally.  But SELinux groups different types and then controls what "Classes" they can be assigned to.  SELinux block you from assigning a type to unsupported objects.

For example SELinux has types for Files (file_type), Processes(domain), Ports (port_type), Ethernet Interfaces (netif_type), Node names (node_type), filesystems (filesystem_type) ...

Types are grouped together using the policy attribute notated above within the ().

SELinux only allows administrators to assign file_type to a filesystem_type object.  This access is controlled by the associate access.

# sesearch -A -s file_type -t filesystem_type -p associate  | grep file_type
   allow file_type fs_t : filesystem associate ;
...

If you want to list all file_types, execute:

seinfo -afile_type -x
   file_type
      bluetooth_conf_t
      cmirrord_exec_t
      colord_exec_t
...

I have added an setroubleshoot plugin to Fedora 17 to try to help the administrator out.

SELinux is preventing chcon from relabelto access on the directory myapache.

*****  Plugin associate (99.5 confidence) suggests  **************************

If you want to change the label of myapache to httpd_t, you are not allowed to since it is not a valid file type.
Then you must pick a valid file label.
Do
select a valid file type.  List valid file labels by executing:
# seinfo -afile_type -x

Hope this hopes, although I agree this is a difficult concept to understand.

Solution to /myapache labeling problem from yesterday...

March 20, 2012, 6:30 am
$
0
0
Twitter's @Plaimclock  tweeted me @rhatdan yester. 
He pointed out that  yesterdays blog on SELinux Labeling did not provide a solution to the /myapache problem.

The solution is to label /myapache and all its children with a label httpd can read. 

You can figure this out by using:

man httpd_selinux
...
      httpd_sys_content_t

       - Set files with the httpd_sys_content_t type, if you want to treat the
       files as httpd sys content.

       Paths:
            /usr/share/icecast(/.*)?,                  /usr/share/htdig(/.*)?,
            /etc/htdig(/.*)?,                         /var/www/svn/conf(/.*)?,
            /usr/share/doc/ghc/html(/.*)?,       /usr/share/mythtv/data(/.*)?,
            /var/lib/htdig(/.*)?,                         /srv/gallery2(/.*)?,
            /srv/([^/]*/)?www(/.*)?,               /usr/share/ntop/html(/.*)?,
            /usr/share/mythweb(/.*)?,                /var/lib/cacti/rra(/.*)?,
            /usr/share/openca/htdocs(/.*)?,            /usr/share/selinux-pol‐
            icy[^/]*/html(/.*)?,   /usr/share/drupal.*,   /var/lib/trac(/.*)?,
            /var/www(/.*)?, /var/www/icons(/.*)?


Or

# ls -lZd /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html

You could simply put the labels in place using chcon.

chcon -R -t httpd_sys_content_t /myapache

The best solution is to tell SELinux about the label change.

# semanage fcontext -a -t httpd_sys_content_t '/myapache(/.*)?'
# restorecon -R -v /myapache

Done

Note:  If you wanted to allow httpd to write to the directory you would use the httpd_sys_rw_content_t type.

Eating my own dogfood.

March 22, 2012, 7:19 am
$
0
0
I am going on a trip tomorrow, I went to the Jet Blue web site to print my boarding pass.  The Jet Blue site has what I believe is a java application  running in the browser that displays your boarding pass.  I pressed the "Print" button on the screen and a print dialog came up, without any printers, and the "Print" button grayed out.   I did not notice the, setroubleshoot warning in gnome 3.  Figuring the print application was just broken, I decided to select print from the browser.  Sadly the browser printed a blank page.  I then bad mouthed Firefox/Linux printing.

Mia Culpa

I noticed that I had AVC's that looked like mozilla_plugin_t was trying to getattr on lpr_exec_t.    I put mozilla_plugin_t into permissive mode, to find out all the access required.

# semanage permissive -a mozilla_plugin_t

I went back to Jet Blue and tried to print the boarding pass again.  This time the printers showed up and I was able to print my boarding pass.

Now I had AVC's that indicated  mozilla_plugin_t was executing lpr_exec_t.  Also lpr was connecting to the cups and gnome-keyring daemon. 

Should I transition or add allow rules for mozilla_plugin_t?

As a policy writer I had to choice whether to allow mozilla_plugin_t all of these accesses or have mozilla_plugin_t transition to the lpr_t domain when it executes  /usr/bin/lpr.   These decisions are key to writing good security policy.  My rule of thumb is if the domain i would transition to is very powerful, I hesitate to transition.   Especially if the parent application requires limited access when executing the child. For example a user can run rpm in their current domain (staff_T) to list all rpm packages, while if I allowed them to transition to the rpm_t domain, they would be allowed install rpm packages.  In the mozilla_plugin_t case the advantage of transitioning to lpr_t allows me to continue to prevent mozilla plugins from talking directly to the cups server and  the gnome-keyring and lpr_t is a very limited domain, so I chose to transition.

My initial policy looked like this:

policy_module(mypol, 1.0)

require {
    type mozilla_plugin_t;
}
lpd_domtrans_lpr(mozilla_plugin_t)

Now I tried to print the boarding pass again, and now I had AVC's that stated lpr_t was trying to connect to keyring. 

audit2allow -R indicated that I should use:

gnome_stream_connect_gkeyringd(lpr_t)

audit2allow also showed that I was failing on Roles Based Access Control (RBAC).   Users seldom see these types of errors. They show up in the log file as SELINUX_ERR rather then AVC.

type=SELINUX_ERR msg=audit(1332420617.119:909): security_compute_sid:  invalid context staff_u:staff_r:lpr_t:s0-s0:c0.c1023 for scontext=staff_u:staff_r:lpr_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:lpr_t:s0-s0:c0.c1023 tclass=unix_stream_socket

This AVC is basically saying the staff_u:staff_r:lpr_t:s0-s0:c0.c1023 is an invalid label.

Hard to tell from this error what is wrong, but luckily audit2allow translates this into:

role staff_r types lpr_t;

Since I run with the staff_r role, I had to add an RBAC rule that would allow staff_r role to reach the lpr_t type.

My final policy looks like:

policy_module(mypol, 1.0)
require {
    type mozilla_plugin_t;
    type lpr_t;
    role staff_r;
}
lpd_domtrans_lpr(mozilla_plugin_t)
role staff_r types lpr_t;
gnome_stream_connect_gkeyringd(lpr_t)

Notice how I am transitioning from mozilla_plugin_t to lpr_t.  This does not mean staff_t will transition to lpr_t when running /usr/bin/lpr.  
In fact, staff_t executes lpr in the staff_t domain, since the staff_t domain has the ability to connect to the cups and gnome-keyring daemons. 

But when staff_t executes a firefox plugin, the plugin will transition to a locked down domain mozilla_plugin_t.  When the mozilla_plugin_t plugin executes /usr/bin/lpr, the lpr command will transition to the lpr_t domain.

Printing now works well.  Now I can remove the permissive flag from mozilla_plugin_t.

# semanage permissive -d mozilla_plugin_t

I have added all these rules into Fedora 17 policy, it should show up in the next policy update.

This is why I live in Rawhide, I want to find problems before users do.

runuser versus su

March 28, 2012, 5:40 am
$
0
0

Many years ago, we noticed SELinux having problems with the su command.  Many confined domains were using su to switch user from root to some non privileged user.  But this would generate lots of bogus SELinux errors such as:

Domain X_t wants to getattr on the fingerprint device or look at the pid file of the Smart Card reader. 

su using the pam_stack was the cause of these errors.  Depending on which pam_modules you had in the /etc/pam.d/su configuration, certain access would be checked.  Services using su do not want/need these side effects of using the pam stack.  SELinux policy writers do not want to allow the access or add dontaudit rules all over the place.

In order to fix this, we built a new application called runuser.  runuser is actually built from the su.c source code.  You just define the RUNUSER constant when compiling su.c.  Basically runuser is just the su command with the pam stack removed as well as verifying the command is running as root, not setuid.

Whenever an service is running as root and wants to change UID using the shell it should use runuser.

When you are logged in to a shell as a user and want to become root, you should use su.  (Or better yet sudo)

Fedora 17 New Security Feature part IX - File Name Transitions

April 24, 2012, 7:12 am
$
0
0
File Name Transitions were introduced to the kernel in Fedora 16 by Eric Paris.

Eric actually expected policy writers to only add a few dozen file name transition rules, well in Fedora 17 we now have nearly 100,000 rules:

sesearch -T /etc/selinux/targeted/policy/policy.27 | grep \" | wc -l
94736

Most of these rules are to make devices created in /dev and files/directories created by the unconfined/admin processes be labelled correctly.  A common problem users of SELinux have seen was when an unconfined_t user creating /root/.ssh or $HOME/.ssh.  Then they would place authorization content in the directory.  When they tried to use the content to gain access to the system via sshd, sshd would be blocked from the directory by SELinux because the directory and its contents had the wrong label.  The user needs to run restorecon -R -v /root/.ssh to fix the labels.

Before File Name Transitions the directory would be created with the label based on the label of /root, admin_home_t.   But as of Fedora 16 Policy Writers write rules that say:  "If the unconfined_t user creates a directory named .ssh in a directory labelled admin_home_t, it will get created as ssh_home_t."

  type_transition unconfined_t admin_home_t : dir ssh_home_t ".ssh";

How is this a security feature?

I explained in a previous blog, there are three ways content gets labeled within a directory.  The File Transition rule is a mechanism the policy writer has used since SELinux was first developed to create content within a directory with a different label then the directories label.  Policy writers wrote rules that said if a process running as NetworkManager_t created a file in a directory labeled etc_t it would be labeled net_conf_t.

  type_transition NetworkManager_t etc_t : file net_conf_t;

Or if a process running as mozilla_t created a directory in a directory labeled user_home_dir_t, it would get created as mozilla_home_t.

  type_transition mozilla_t user_home_dir_t : dir mozilla_home_t;

But this is not very fine grained control.  A hacked NetworkManager could create any file in a any directory labeled etc_t, if it did not exist.  If /etc/passwd did not exist for some reason SELinux would not block a confined NetworkManager from creating its own /etc/passwd.  A hacked firefox running as mozilla_t would not be blocked from creating a missing $HOME/.ssh directory.

With File Name Transition rules, policy writers can now specify the file name.  Meaning we can writer finer grained control.  We can say NetworkManager can only create the "resolv.conf" file in a directory labeled etc_t or a   confined firefox can only create the .mozilla directory in a users home directory

As an example of this the Thumbnail confinement added in Fedora 17 has:

type_transition thumb_t user_home_dir_t : file thumb_home_t "missfont.log";
type_transition thumb_t user_home_dir_t : dir thumb_home_t ".thumbnails";
type_transition thumb_t user_home_dir_t : dir gstreamer_home_t ".gstreamer-12";
type_transition thumb_t user_home_dir_t : dir gstreamer_home_t ".gstreamer-10";
type_transition thumb_t user_home_dir_t : dir gstreamer_home_t ".gstreamer-0.10";
type_transition thumb_t user_home_dir_t : dir gstreamer_home_t ".gstreamer-0.12";

Which means thumbnailers running as thumb_t can only create a file labelled missfont.log or directories labeled .thumbnails or .gstreamer-* in the home directory.

Nice job Eric, you increased the Security of SELinux and made it easier to use at the same time!
Search

Fedora 17 New Security Feature part X - Firewalld

April 25, 2012, 5:37 am
$
0
0

FirewallD is a service daemon with a D-BUS interface that provides a dynamic managed firewall.

It will be the default firewall in Fedora 18, but will be available to run in Fedora 17.

NOTE:  I was informed that this feature was supposed to be default in Fedora 17, but has been decided to wait until Fedora 18.

The problem with the previous firewall model was that it was static, you would need to basically reload the firewall rules any time you made a change, and this would break established connections.  This is a real problem for virtualization (libvirt), since you might be changing your firewall often bringing up and down virtual machines.  FirewallD provides a daemon that applications can talk to over DBUS, to request modifications to firewall rules. 

Another nice feature would be to allow a user to have rules that control firewall rules depending on the wireless network to which they connect.  For example NetworkManager could come up with a question of whether this is the Home Network, Work Network or Public Network.   Firewall rules might allow Avahi to connect if you are on a Home or Work network but not a Public Network.

In the future I would like to add make FirewallD a SELinux Userpace Manager.  This would allow a policy writer could to control which applications are able to manipulate firewall rules pertaining to which ports.  Something like

allow cupsd_t cups_port_t:tcp_firewall { open close };

SELinux with cp/mv

July 30, 2012, 11:40 am
$
0
0
Back in March 22nd, 2006, I wrote a blog on coreutils and SELinux . In that blog I had a couple of paragraphs on cp and the mv command.

mv

The mv command will attempt to maintain the security context of the file when it is moved to a different directory... This causes some
confusion, but this works the same was as with discretionary access. If I create a file owned by dwalsh in /tmp and then copy it to /etc, the ownership of the file will still be dwalsh in /etc. Similarly if the file was created in /tmp, it will have a security context of tmp_t, so when it is moved to /etc. It will continue to have tmp_t as it's security context.

cp

The cp command is a little different. If a file exists at you are copying over, the new file will maintain the file context of the previous file. So if I look at /etc/resolv.conf, I will see that it is labeled net_conf_t. If I copy a file over it say /tmp/resolv.conf, labeled tmp_t, onto /etc/resolv.conf, it will still be labeled net_conf_t. If I moved the file /tmp/resolv.conf onto /etc/resolv.conf, it will end up with tmp_t.

If the file does not exist it follow the rules defined above, IE it will either get the security context of the directory, or if a file_transition rule exists it will transition the context to follow the rule. So if you remove /etc/resolv.conf and cp /tmp/resolv.conf to /etc, you will end up with a security context of etc_t. Similarly if cp /etc/resolv.conf to ~/ it will end up with a security context of user_home_t. cp has an option to preserve the mode, ownership, and timestamps, but this option does not work with the file_context, you  need to use -Z.

UPDATE: We now have named file transitions in Fedora which for certain files/directory get labeled correctly on creation, so cp of a file named resolv.conf into a directory labeled etc_t will now get labeled net_conf_t atomically.

One of the problems we see quite often is a user creates an html file in his home dir or in /tmp and then moves it to /var/www/html. Apache then gets an access denied because apache is not allowed to read user_home_t. The quickest way to clean this up is with the restorecon command. The restorecon command reads the default file_contexts for the installed policy and then resets the file_context of all specified files.

restorecon /var/www/html/mypage.html

Sadly people continue to stumble on this.  Today I saw email from a user who was setting up a apache server and obviously mv'd content from his home dir to the  /var/www/html/updates directory.  I know this because the person attached a setroubleshoot message
Which showed the following alert.

Raw Audit Messages
type=AVC msg=audit(1343656110.659:126): avc:  denied  { open } for  pid=13506 comm="httpd" name="updates" dev="dm-1" ino=278541 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

Notice the open access, from httpd to the updates dir.  I figure the admin mv'd it from his home directory since the content is labeled with he user_home_t type. SELinux is complaining because from its point of view, the web server is trying to read content in the users homedir. This users homedir might contain credit card information, tax returns, password etc, stuff we would want to block a hacked web site from accessing.    I am pretty sure the user went in an changed the discretionary ownership/permissions, since the apache user would not be allowed to read a directory owned by the user with the default permissions on a directory created in his homedir.
After fixing these permissions he did not think about SELinux and tried to run apache and got permission denied.  Luckily the setroubleshoot tool was installed and the user got an alert that said.

SELinux is preventing /usr/sbin/httpd from open access on the directory /var/www/html/updates.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label.
/var/www/html/updates default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/updates

If you create content in your home dir to be used  by a service, it is always a good idea to check all the security attributes of the content after you cp/mv it in place.  restorecon is often the correct tool to use.  And please read the alerts...

For more information on SELinux and apache, you can read the apache_selinux man page.

man apache_selinux

SELinux Apache Security Study

August 2, 2012, 1:01 pm
$
0
0
Kirill Ermakov recently posted a study he did of SELinux protections against a vulnerable Apache server.

After reading the study you might come a way with the idea that SELinux did not block anything.  After all it allowed the hacked process to read /etc/passwd.  SELinux also allowed a hacked Apache to upload a file and execute it.

This points out what most people do not understand about SELinux.  SELinux does not necessarily block errors in applications from happening.  SELinux will just contain them.  If you are able to subvert the Apache application then you can become the Apache application and will have the rights allowed to the apache application.  In his examples he was able to take over the Apache server and do what an apache server needs to do, including reading the /etc/passwd file.  A better test would be:
  • Try to connect to a few network ports like the mail port  - Out of the box we should not allow Apache to connect to many network ports.
  • Read /secrets/mysecrets  - Random content on the file system should not be readable by Apache
  • Read /home/dwalsh/creditcard.txt - Random content in a users home dir should not be readable by apace
  • Read /var/lib/mysql/mysqld.data. - Database data should not be readable by Apache except if allowed through a constricted path like a unix domain socket.
  • Try to run su or sudo, or strace, or network sniffer.
All things the Apache server should not be allowed to do.

If an Apache server has a bug in its code, then it can be owned whether or not SELinux is in enforcing mode, the goal is to confine the attacker to just the Apache data and not allow him to attack other data or processes on the system.

Apache Booleans

Now lets look further at Apache SELinux policy configuration.  A while ago I wrote a blog on "Security vs Usability", in which I explained the continuing conflict between setting up a machine with security as tight as possible, but not so tight as forcing people to turn the security off.  When we ship SELinux policy we have to make compromises on security, to avoid the "Just turn it off crowd".
Lets look at some of these compromises,  and maybe explain how you could tighten the security in your Apache.

Out of the box SELinux in RHEL6 has the following boolean settings for an Apache server.

On RHEL6 we have

# semanage boolean -l | grep httpd | grep -v off
httpd_enable_cgi               (on   ,   on)  Allow httpd cgi support
httpd_dbus_avahi               (on   ,   on)  Allow Apache to communicate with avahi service via dbus
httpd_unified                      (on   ,   on)  Unify HTTPD handling of all content files.
httpd_builtin_scripting         (on   ,   on)  Allow httpd to use built in scripting (usually php)
httpd_tty_comm                  (on   ,   on)  Unify HTTPD to communicate with the terminal. Needed for entering the passphrase for certificates at the terminal.

On RHEL7 and Fedora we have

#  semanage boolean -l | grep httpd | grep -v off
httpd_enable_cgi               (on   ,   on)  Allow httpd cgi support
httpd_graceful_shutdown    (on   ,   on)  Allow HTTPD to connect to port 80 for graceful shutdown
httpd_builtin_scripting        (on   ,   on)  Allow httpd to use built in scripting (usually php)

I was interested on how he was able to execute tmp_t content.

# sesearch -A -s httpd_t -t httpd_tmp_t -p execute -C
Found 1 semantic av rules:
DT allow httpd_t httpd_tmp_t : file { ioctl read getattr lock execute
execute_no_trans open } ; [ httpd_tmp_exec httpd_builtin_scripting && ]

# sesearch -A -s httpd_sys_script_t -t httpd_tmp_t -p execute -C
Found 1 semantic av rules:
DT allow httpd_sys_script_t httpd_tmp_t : file { ioctl read getattr lock execute execute_no_trans open } ; [ httpd_tmp_exec httpd_enable_cgi && ]

Reading this, it looks like SELinux should have blocked the ability for the Apache process or a cgi script to execute the content by default. IE You would need to turn on the httpd_tmp_exec boolean as well as the httpd_enable_cgi boolean.

But examining further the booleans, I wanted to know what content could httpd_t (Apache) or httpd_sys_script_t (Apache CGI Scripts) could execute and write.

# sesearch -A -s httpd_sys_script_t -t httpd_sys_content_t -p execute -C
Found 3 semantic av rules:
   allow httpd_sys_script_t exec_type : file { ioctl read getattr lock execute execute_no_trans open } ;
   allow httpd_sys_script_t httpd_sys_content_t : file { ioctl read getattr lock execute entrypoint open } ;
ET allow httpd_sys_script_t httpd_sys_content_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ; [ httpd_enable_cgi httpd_unified && ]

So the problem here is actually httpd_unified.  httpd_unified basically says to SELinux allow Apache processes to treat all Apache content with the same rules.  In RHEL7 we feel users are familiar enough with SELinux to disable the httpd_unified boolean by default.   If this boolean is off, then users would have to label files/directories as httpd_sys_content_rw_t if they wanted Apache to be able to write to a directory rather then the read/only label of httpd_sys_content_t.  With the boolean on, Apache processes can read/write/execute all httpd_sys_content* labels.

If you are not uploading data to Apache then it is a good idea to turn off this boolean.

# setsebool -P httpd_unified 0

Now lets look at other booleans that are turned on by default in RHEL6. (And RHEL7 for that matter).

httpd_enable_cgi

This boolean enables your Apache server to run cgi scripts.  We leave this on by default because out of the box, any person running Apache would blow up with a permission denied when they tried to execute a cgi script.  If you were not running cgi scripts, it would be a good idea to turn this off.

# setsebool -P httpd_enable_cgi 0

httpd_builtin_scripting

This boolean your Apache server to run builtin scripting, mod_php, mod_python, mod_perl ...
We leave this on by default because out of the box, any person running Apache would blow up with a permission denied when they tried to execute a php script.


If you are just allowing users to view Apache content, then you really should turn off both of these booleans.

# setsebool -P httpd_builtin_scripting 0

httpd_tty_comm                 

This boolean allows httpd to talk to the terminal that launches it.  The risk here is a hacked apache server could trick an admin into entering his password, by putting a passwd: prompt on the screen and then reading the admins commands.  This access is necessary for people who setup apache servers which require a passwd from the admin when they start, it also allow apache to output errors to the screen, like the configuration is screwed up.  In Fedora and RHEL7 this output is handled by systemd, so this access is no longer needed, and can be disabled by default.  If your apache server does not require a password at start and you know that your config is correct you should turn this boolean off.

# setsebool -P httpd_tty_comm 0

httpd_dbus_avahi

This boolean allows apache to communicate with the avahi daemon over DBUS.  This boolean should have been disabled by default, but most likely does not add much risk.  It is turned off by default in Fedora and RHEL7.

# setsebool -P httpd_dbus_avahi 0

Bottom line as people grow to peoples understanding of SELinux, we can slowly tighten up the controls...

Article I wrote on Harvard PAAS.

August 4, 2012, 4:52 am
$
0
0
Occasionally I write longer articles that I feel are too long for a blog...

Harvard CS Uses PAAS and Fedora.

Kind of nice to get the message out to other people also.  Thanks to OpenSource.com for publishing it.


Running unconfined scripts from a confined domain

September 5, 2012, 12:31 pm
$
0
0
I received the following email from an engineer named Marko.

I've got a program (actually a shell script) which does various things and sudoers is configured so that users can run it without a pw being asked. By using sudo from the cmd line everything works as expected.

However, if the script is invoked by udev rules (and thus run as root) under certain circumstances, it fails on several cases due to AVCs as the commands it is trying to execute won't work or the services it starts/stops fail partially as the context (udev_t) is not what it'd be when run with sudo from the command line. Examples include inability to communicate with dbus, accessing log/config files, etc. So figuring out all of those would be quite a task and if the local program is later changed it might require even more policy changes.

So what would a custom policy look like for a program "foo" so that it would work equally well when invoked by udev like it now works when a user invokes it from the command like with sudo? Any examples, blog posts, howtos, etc to look at?

Basically since his users are most likely running as unconfined_t, the sudo command is running the script as unconfined_t and SELinux is not blocking anything.  When he runs the command out of udev, it is running as udev_t and udev_t is not allowed the access.

To solve this problem, Marko has three choices:
  1. Add the allow rules to allow udev to have all the access required to run his application
  2. Write policy for his application and transition from udev and unconfined_t to this new domain.
  3. Write policy to allow udev_t to transition to unconfined_t when running only his application.
Since Marko did not want to all udev scripts this access, he chose not to do 1.  Marko decided it would be to difficult to do 2 and difficult to maintain, so he chose to do 3.

Here is the original policy written by Marko.

# cat myapp.fc /usr/sbin/myapp --
gen_context(system_u:object_r:myapp_exec_t, s0)

# cat myapp.te
policy_module(myapp, 1.0.0)

require {
    type fs_t; type setfiles_t;
    type udev_t; type unconfined_t;
    class process transition;
}

type myapp_exec_t;

allow setfiles_t myapp_exec_t:file { getattr relabelto };
allow myapp_exec_t fs_t:filesystem { associate };

allow unconfined_t myapp_exec_t:file *;

domain_auto_trans(udev_t, myapp_exec_t, unconfined_t);

Not bad. 

The first problem I notice is lots of rules around myapp_exec_t.  Since the myapp_exec_t was never defined as a particular TYPE of type.  Since myapp_exec_t is planned to be used on a file or directory it needs to have the attribute  file_type.  All domains that interact with all files/directories, have rules defined in policy which allow them to interact with the attribute file_type.  You can add the file_type attribute to a file by using the files_type(myapp_exec_t) interface.  This will eliminate most of the rules involving myapp_exec_t.

As a rule of thumb, anytime you define a new type in policy you should call an interface to define the "TYPE" of the type.  domain_type() for processes, files_type for files/directories, dev_node() for devices corenet_port() for network ports etc.

Here is a my simpler policy.

policy_module(myapp, 1.0.1)
gen_require(`
  type udev_t;
  type unconfined_t;
  role system_r;
')

type myapp_exec_t;
files_type(myapp_exec_t)

domain_auto_trans(udev_t, myapp_exec_t, unconfined_t);
allow unconfined_t myapp_exec_t:file entrypoint;
role system_r types unconfined_t;

The domain_auto_trans rule tells the SELinux kernel, when a process labeled udev_t executes a file labeled myapp_exec_t, transition the new process to unconfined_t. 

SELinux controls the labels of "entrypoint", so we need to state that myapp_exec_t is an entrypoint to the unconfined_t domain.
For a further description of the entrypoint access see: SELinux By Example 2.2.4

Finally I added the role definition for system_r, since udev_t will be running as system_r, when it executes myapp_t it will attempt to run unconfined_t was system_u:system_r:unconfined_t:s0.  roles system_r types unconfined_t, states that the unconfined_t type can be executed in the system_r role.

While the ideal solution for this problem from a security point of view would have been to write policy for myapp_t, and have unconfined_t and udev_t transition to this domain, as a work around and not shutting SELinux off this is a decent alternative.

Note:  When ever you write a shell script that will have more privs then the calling app, you should be really carefull that the calling application can not effect the running app.  The script needs to up its environment and ignores stuff from the calling program, if the script takes arguments you must be sure these arguments are handled properly and can not get the script to do something unexpected.  SELinux will protect you somewhat but you need to be careful.  Every python scripts I write, I always use "#! /usr/bin/python -Es" for example.  Apple has a nice page on this.
Viewing all 181 articles
Browse latest View live
Search