Quantcast
Channel: Dan Walsh's Blog
Viewing all 181 articles
Browse latest View live

New Security Feature in Fedora 18 Part 1: SELinux Systemd Access Control

September 27, 2012, 6:21 am
$
0
0

For Fedora 17 I did a series of blogs on new security features. I guess it is time to start it for Fedora 18.
If you want me to talk about a new security feature,  email dwalsh@redhat.com, or comment on this blog.

New Feature in Fedora 18 SELinux Systemd Access Control.

In previous versions of Fedora/RHEL SELinux could control which processes were able to start/stop services based on the label of the process and the label on the Init Script.

For example NetworkManager (NetworkManager_t) was allowed to execute /etc/init.d/ntp (ntp_initrc_exec_t) but not allowed to access /etc/init.d/httpd (httpd_initrc_exec_t).

With the advent of systemd we lost this ability since systemd starts and stops all services.

We had to allow NetworkManager (NetworkManager_t) to execute systemctl which would send a dbus message to systemd, and systemd would start/stop whatever service NetworkManager requested. Actually we ended up allowing NetworkManager to do everything systemctl could do.   We also wanted to setup confined administrators, but we ended up having to allow them to either start/stop all services or no services.  We could no longer allow the webadm_t to only start/stop httpd_t.

In Fedora 18, we have fixed this by making systemd an SELinux Access Manager.  Now systemd will retrieve the label of the process running systemctl or the process that sent systemd a dbus message.  systemd will then look up the label of the unit file that the process wanted to configure.  Finally systemd will ask the kernel if SELinux policy allows the specific access between the process label and the unit file label.  This means a hacked NetworkManager or any other application that needs to interact with systemd for a specific service can now be confined via SELinux.  Policy writers can use these fined grained controls to confine administrators.

Policy changes.

We have added a new class to SELinux Policy called "service".  The service class has the following permissions defined:

start stop status reload kill load enable disable

This means a policy writer can allow a domain to get the status on a service or start and stop a service, but not enable or disable a service.  This gives us better control then we have ever had in the past.

To demonstrate this, I setup webadm_t as my root process:
Note: For more information on setting up confined users see my other blogs.

# id -Z
staff_u:webadm_r:webadm_t:s0-s0:c0.c1023
# /bin/systemctl status httpd.service
httpd.service - The Apache HTTP Server
      Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
      Active: inactive (dead)
      CGroup: name=systemd:/system/httpd.service

# /bin/systemctl status NetworkManager.service
Failed to issue method call: SELinux policy denies access.

In a separate window running as unconfined_t, I can look at the AVC message created.

# id -Z
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# ausearch -m user_avc
time->Thu Sep 27 08:54:10 2012
type=USER_AVC msg=audit(1348750450.105:135): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=3267 uid=0 gid=0 path="/usr/lib/systemd/system/NetworkManager.service" cmdline="/bin/systemctl status NetworkManager.service" scontext=staff_u:webadm_r:webadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:NetworkManager_unit_file_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

And of course you could use audit2allow to write policy to allow this access.

audit2allow -la
#============= webadm_t ==============
allow webadm_t NetworkManager_unit_file_t:service status;

# audit2allow -laR
#============= webadm_t ==============
networkmanager_systemctl(webadm_t)

Make sure you have the latest systemd and selinux-policy to try this out.  These are my current versions:

rpm -q selinux-policy systemd
selinux-policy-3.11.1-26.fc18.noarch
systemd-191-2.fc18.x86_64

Search

Where does SELinux allow my application to write?

September 28, 2012, 5:40 am
$
0
0
SELinux's Number one goal:

Stop confined application/process from affecting other processes on the system. 

One of the biggest ways that a process can affect another process is by writing content that that process reads. 
  • If a hacked process can write ~/.bashrc in a users home directory; the next time the user logs in, the hacker gets control of a process running as unconfined_t.
  • If a hacked process can write to /etc/httpd/config, the hacker gets control of the Apache process.
Because of this SELinux blocks confined applications the ability to write content, unless the directories/files have the proper labels.

Users want to know:

What label is my application allowed to write to? 
Where on the file system are these labels?

For example in another blog, I got asked today where can mozilla_plugins write their logs?

Well in an effort to better document SELinux policy we have been auto-generating man pages, and have just added a new section called MANAGED FILES.  This section of the man page will list the files/directories that a confined application is able to write.

man mozilla_plugin_selinux
...
MANAGED FILES
       The SELinux user type mozilla_plugin_t can manage  files  labelled  with
       the  following  file types.  The paths listed are the default paths for
       these file types.  Note the processes UID still need to have  DAC  per‐
       missions.

       gnome_home_type

       home_cert_t

            /root/.cert(/.*)?
            /home/[^/]*/.kde/share/apps/networkmanagement/certificates(/.*)?
            /home/[^/]*/.pki(/.*)?
            /home/[^/]*/.cert(/.*)?

       mozilla_home_t

            /home/[^/]*/.java(/.*)?
            /home/[^/]*/.adobe(/.*)?
            /home/[^/]*/.gnash(/.*)?
            /home/[^/]*/.galeon(/.*)?
            /home/[^/]*/.spicec(/.*)?
            /home/[^/]*/.mozilla(/.*)?
...

In Fedora 18, we now have 951 man pages related to SELinux.

> man -k selinux | wc -l
951

We will be generating these Man Pages in Fedora 17 and RHEL6/RHEL6 and hope to put them up on a web site so that "search engines" will have an easier time searching them.

You can generate your own man pages using these tools, which should be showing up in policycoreutils soon.

http://people.fedoraproject.org/~dwalsh/SELinux/genman/segenman
http://people.fedoraproject.org/~dwalsh/SELinux/genman/senetwork.py

New Security Feature in Fedora 18 Part 2: Mutual Trusts with Active Directory domains

October 1, 2012, 8:45 am
$
0
0

FreeIPA has a couple of new features that are showing up in Fedora 18.  Support for SELinux Confined User labelling will be covered in a future blog...  In this blog I will be talking about better integration with Windows environments.

I am saddened to realize that there are still people out there using Microsoft Windows!  

My house has been Windows free for a number of years now.  It is a lot darker, but much more secure! :^)

I also have heard that those Windows environments are using Active Directory. 

Well Fedora 18 will make these environments a little more secure.

FreeIPA and Active Directory can be setup with mutual trust.

In Fedora 18 it is possible to create a trust relationship between an FreeIPA and an Active Directory domain.  This means users defined in Active Directory can access resources defined in FreeIPA.  In a future release,  users defined in FreeIPA will be able to access resources defined in Active Directory.  You can manage all of your user accounts in a single place.  If you are using Active Directory to manage your users, you can now use the same user accounts on your Linux boxes.

Fedora 17 FreeIPA used winsync to allow users from an Active Directory domain to access resources in the IPA domain. To achieve this winsync had to replicate the user and password data from an Active Directory server to FreeIPA server and attempt to keep them in sync.  Causing potential race conditions.

In Fedora 18,  SSSD, System Security Services Daemon, has been enhanced to work with AD.  SSSD understands some of the native AD controls and features that it did not understand in the previous Fedoras. 

You can set this up without using FreeIPA at all!

In addition SSSD can work in the environment where it is connected to FreeIPA that is in trust relationships with AD. In this case, SSSD not only recognises users defined in FreeIPA but also recognizes users coming from the trusted AD domains.  SSSD can read user and group directory data directly from the Active Directory server.  

Additionally if you do use FreeIPA you can setup Kerberos cross realm trust.  This allows Single-Sign-On between the Active Directory and the IPA domain.

  • A user from the Active Directory Domain can access kerberized resources from the FreeIPA domain without being asked for a password.
  • If you choose to setup users in the FreeIPA Domain, they will be able to access resources from the Active Directory domain. No need to set POSIX attributes in the Active Directory Domain
  • Single sign-on for all kerberized services is possible
We may never get to full single sign on, where I only have one password asked of me, but this is a step in right direction.

New Security Feature in Fedora 18 Part 3: New Confined/Permissive Process Domains

October 4, 2012, 7:32 am
$
0
0
Each Fedora we release a bunch of new domains that will run in permissive mode for the release.  When the next release is released, the permissive domains are made enforcing.

In my blog,10 things you probably did not know about SELinux.. #4, I describe how you can interact with permissive domains.

In Fedora 17, we added 11 new permissive domains, 10 of which are now enforcing in Fedora 18.  matahari policy was removed, since the project was cancelled.

Fedora 17 Permissive Domains/ Now Confined in Fedora 18

couchdb_t, blueman_t, httpd_zoneminder_script_t, zoneminder_t, selinux_munin_plugin_t, sge_shepherd_t, sge_execd_t,
sge_job_t, keystone_t, pacemaker_t

Fedora 18 Permissive Domains

   pkcsslotd_t (daemon manages PKCS#11 objects between PKCS#11-enabled applications)
   slpd_t  (Server Location Protocol Daemon)
   sensord_t (Sensor information logging daemon)
   mandb_t  (Cron job used to create /var/cache/man content)
   glusterd_t (policy for glusterd service)
   stapserver_t (Instrumentation System Server) Note: This was back ported to Fedora 17.
   realmd_t (dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA)
   phpfpm_t (FastCGI Process Manager)

Fedora 18 Confined Domains
With the open sourcing of OpenShift we have created several new process domains.  openshift controls separation between each of its users and users applications, which means it needs to be confined out of the box.  openshift_t is the type that each application runs as, with a difference MCS label.  I will blog on the openshift policy in the future.
      openshift_app_t, openshift_cgroup_read_t, openshift_initrc_t, httpd_openshift_script_t, openshift_t

Fedora 18 Domains Removed
matahari (Project cancelled)

Fedora 18 Domains Reorganization
We split sandbox and sandboxX policy apart, in order to shrink the policy size. and now disable sandbox policy by default.  We are doing this because not many people use sandbox (Character only version of sandbox, used for pipes and streams) versus sandboxX.  sandbox policy is very big, and disabling by default reduces the size of policy by around 8%.

New Security Feature in Fedora 18 Part 4: FreeIPA/SSSD distributes Confined SELinux Users

October 9, 2012, 6:03 am
$
0
0
FreeIPA now supports the distribution of SELinux Users

Confined SELinux Users was introduced a while ago.  The basic idea is to give users different access depending on the machine they log into. 

Using myself as an example, I regularly login to 5 different machines, not including VMs.  My Laptop, My Test machine, shell.devel.redhat.com, people.redhat.com and people.fedoraproject.com. 
  • people.redhat,com and people.fedoraproject.com: I should login as guest_u:guest_r:guest_t:s0.  These machines are used to share content via the Web Servers.  I should be only allowed to modify my home directory.  I should not have access to the network, setuid applications like su and sudo, or be able to build and execute code in the home directory.
  • shell.devel.redhat.com.  This machine is a shared developer shell machine, to be used by all developers.  I should be allowed to execute content in the home directory and maybe setup and test networking applications, since this is a development machine.  But I am not an administrator, I should not be allowed to execute su or sudo.  user_u:user_r:user_t:s0-s0:c0.c1023  would be a good SELinux user label for this machine.
  • My Laptop and test machines, (holycross and redsox), should either be setup to use unconfined_t or staff_t.  In my case I run them with staff_u:staff_r:staff_t:s0-s0:c0.c1023, and administrator processes as staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.
The problem with this configuration is that each one of these machines has to be setup individually.  My identity is shared by a directory server and authorization is confirmed by kerberos.  But until now, there was no standard way to setup these confined users on a centralized server.

One big advantage of FreeIPA is it adds identity to machines.  FreeIPA knows the difference between dwalsh on people.redhat.com versus dwalsh on shell.devel.redhat.com.  The FreeIPA team added the ability to store SELinux Users definitions based on User/Machine mappings.

In Fedora 18 you will be able to setup confined users using the FreeIPA gui.



At Red Hat we could setup a user/machine mapping like all users on people.redhat.com will login with the SELinux user/level  guest_u:s0.

SSSD plays a large role in assigning the SELinux User/Level from IPA to the user process at login.

When a user logins to a box say through sshd, sshd uses the pam stack.  One of the first pam modules used is pam_sss. pam_sss sends a request to SSSD telling it that dwalsh is logging in.  SSSD contacts the FreeIPA server and asks what SELinux User/Level should dwalsh get when he logs in.  SSSD takes the string returned and creates a file in /etc/selinux/POLICYTYPE/logins/dwalsh.  During the session of the pam stack, the pam_selinux  module is called.  pam_selinux reads /etc/selinux/POLICYTYPE/logins/dwalsh and tells the kernel to launch the user process with the SELinux User specified in FreeIPA, for example guest_u:guest_r:guest_t:s0.

Currently SSSD only supports FreeIPA for this transaction.  In the future it could be modified to use other sources for SELinux information.
Note: In FreeIPA you can set up a set of the Host Based Access Control rules. These rules define which users (and groups of users) have access to which machines (and groups of machines) via which login services (like ssh, ftp, sudo, su etc.) The administrator can reuse the user-host associations defined in the HBAC rules to define SELinux user mapping rules. This helps to avoid duplicate management and express a notion: user set X can access set of hosts Y and would get SELinux user Z.
I have been asked many times when I have given the Confined SELinux Users talk, about how would you manage confined users in a large environment, now we have a solution.

New Security Feature in Fedora 18 Part 5: Systemd Secures Journald from attack

October 9, 2012, 7:14 am
$
0
0
Forward Secure Sealing (FSS)

Forward Secure Sealing is a new feature of systemd/journald in Fedora 18.

If your machine is cracked, (Did you disable SELinux?) and a hacker gets administrative control, he wants to cover their tracks, by modifying the system log files.  This presents a problem in that you might not know when the machine was hacked and whether any of your log files have been tampered with.  Before FSS  the only way to know your log files have not been tampered with is to store them on a different machine, IE Setup rsysog and auditlogs to be sent to different machines.  With FSS you can verify the journald logs on your system and know if they have been tampered with.  Even better you will have an idea when the hacker started tampering with them, and which part of the logs files are still valid.

The basic idea is you establish a verification ID and store it externally or just use a QR code and store it on a smart phone.

Read Lennart Poettering posting on Google+ For more explanation.



New Security Feature in Fedora 18 Part 6: KRB5 Credential Cache Moved under /run/user directory

October 15, 2012, 11:50 am
$
0
0

KRB5 Credential Cache Move

The default location of a user's Kerberos Credential Cache (CC) has moved from /tmp to user directory under /run/user.

Back in the 1980's, when Kerberos was first developed, various login programs were enhanced to talk to the Kerberos servers to authenticate users, and to store credentials (tickets and session keys) that they obtained while doing so in a file, sometimes called a ticket file, but now more commonly called a credential cache (ccache for short), for the user to use during their session.

The cache had to be owned by the user, so that additional tickets obtained by the user could be added to the cache, and so that it could be cleared or just destroyed.

For the sake of users whose credentials were needed for accessing a remote home directory, login programs could not store the credentials in the user's home directory.  Since the only other location where a user could write to was the /tmp directory, the cache file was stored there by default.

Security Problems with the Credential Cache file in /tmp.

There were a couple of problems with storing the cache file in /tmp:

  1. All users of the system can write to /tmp.  To sidestep the possibility that a rogue user could trick the system into writing a user's credentials to an incorrect location, many login facilities would generate uniquely-named credential caches for users.  Others used predictable but different names for various other reasons.
  2. But when the name of a user's credential cache isn't predictable, it can cause problems for services which don't run as part of the user's session, and which therefore can't consult the $KRB5CCNAME environment variable to discover which cache to use.  Services like these, for example rpc.gssd (the daemon which handles the client parts of Kerberized NFS), have historically had to make a best-guess as to what the Kerberos credential cache file's name was, and they had to do that by trawling through /tmp, looking for potential matches.
  3. /tmp can be setup using pam_namespace such that processes running in the "root" namespace will see a different /tmp then the user sees when he logs in.  This can prevent services from even being able to find the Credential Cache.
  4. The /tmp directory is often not a temporary file system.   Logging out of the system or rebooting the system would not guarantee the Credential Cache would be removed/destroyed.

SSSD to the rescue in Fedora 18

In Fedora 18 the Credential Cache file was moved by SSSD, System Security Services Daemon, to /run/user/UID/krb5cc_XXXXXX/tkt.
Where XXXXXX is a random number. 

For example on my box when I execute klist i see the following:

> klist
Ticket cache: DIR::/run/user/3267/krb5cc_ca3a4331e17e8e80cb0c46ea507840bc/tkt
Default principal: dwalsh@REDHAT.COM

Valid starting     Expires            Service principal
10/12/12 12:48:17  10/12/12 22:48:17  krbtgt/REDHAT.COM@REDHAT.COM
    renew until 10/12/12 12:48:17

Note: There are two colons between "DIR" and the path part of the ccache name gives away that the parent of the named path is the directory that's being used to hold the cache file (or possibly more than one cache file).

The main benefit here is that /run/user/3267 and all its sub-directories have a mask of 700 and are owned by dwalsh:dwalsh. No other users know that the cache is there, and they can't tell how big it is or when it was last touched.  This means we don't have to deal with other users trying to mess around in /tmp.

 Secondarily /run is always tmpfs,  if the user logs out cache gets destroyed and if the system crashes the cache file is also gone.

Since the tickets are stored in a predictable path, privileged processes like rpc.gssd have an easy time finding the correct tickets.   And since they are off of /tmp, pam_namespace will not hide the credential cache from the system services.

Finally now SSSD can actually get multiple tickets from different domains and easily store them in the /run directory, allowing a user
to login into multiple kerberos domains at the same time.

New Security Feature in Fedora 18 Part 7: Secure Linux Containers

October 18, 2012, 8:54 am
$
0
0

Secure Linux Containers

In Fedora 18 we have enhanced the virt-sandbox package to allow for easy creation of Secure Containers.

Containers are a form of isolating one or more processes from the rest of the system.  Some times containers are described as lightweight virtualization.  Containers are really just a userspace concept.  The Linux kernel has no concept of a container.  The kernel implements namespaces and cgroups.  Userspace tools can combine these kernel services into a "container".

Namespaces

Namespaces are a way of changing a processes view of its environment from its parents processes.  For example the file system namespace allows me to change a processes view of the file system hierarchy.  pam_namespace introduced way back in Fedora 6/RHEL5, allowed a login program to create a namespace and mount file systems that would not be seen by the ancestor processes.  Meaning I could have multiple processes with different /tmp directories and multiple home directories mounted on /home/dwalsh.

The kernel currently implements 5 name spaces.

  1. mount - mounting  and unmounting filesystems will not affect rest of the system 
  2. UTS - setting hostname, domainname will not affect rest of the system
  3. IPC - process will have independent namespace for System V message queues, semaphore sets and shared memory segments
  4. network - process will have independent IPv4 and IPv6 stacks, IP routing tables, firewall rules, the /proc/net  and  /sys/class/net  directory trees, sockets etc.
  5. pid - processes have an independent pids from the rest of the system.  Each namespace can have its own pid 1. 
Note: A UID namespace is being developed, but is not ready to be used yet, and I have some concerns about how well this will work. Our tools do not currently use the UID namespace.

pam_namespace, sandbox -X, unshare, systemd allow allow you to take advantage of namespaces.

CGROUPS

Wikipedia describes cgroups as:

  cgroups (control groups) is a Linux kernel feature to limit, account and isolate resource usage (CPU, memory, disk I/O, etc.) of process groups.

Basically you can use cgroups to control the amount of resources a process or groups of processes can get on a system. 
I put together a little screen-cast of cgroups to demonstrate their power.

LXC
Tools like LXC have existed for a while to allow users to create containers but the tool set is at a very low level

Libvirt-lxc

"Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The main package includes the libvirtd server exporting the virtualization support."

libvirt-lxc was introduced in Fedora 16. It enhanced the libvirt API to allow users to build containers using libvirt.  This allows you to manage your kvm/qemu virtualization along with your linux containers, all within the same framework.  The only problem, is setting up a linux container using the libvirt api is fairly difficult.

virt-sandbox

Dan Berrange created a new package called virt-sandbox in Fedora 17.  The virt-sandbox package provides an application development library (libvirt-sandbox) to facilitate the embedding of virtualization into applications.  One of the main advantages of this new tool set, was that it greatly simplified the API for creating virtual machines and containers.

SELinux

Using containers by itself does not give you good security separation.  The reason for this is kernel file systems like /proc, /sys, cgroupsfs and selinuxfs are not containerized.  A privileged process running within a container can affect other processes running outside of the container or processes running in other containers.  In virt-sandbox and libvirt-lxc you can use SELinux Labelling to further lock down privileged processes, for example preventing mounting of random file systems or stopping processes from disabling SELinux. 

virt-sandbox-service

Dan Berrange and I have been working to enhance virt-sandbox.  We have added a command line tool called virt-sandbox-service which allows a user to easily create an application sandbox.  virt-sandbox-service allows an administrator to run multiple services on the same machine each service in a secure Linux Container.   Some major features of virt-sandbox-service containers.

  • Use systemd within the container as the init processes.
  • Uses standard unit files for starting and stopping containerized applications.
  • Shares the /usr partition, meaning if you are running hundreds of Apache containers, and update Apache code, each container will instantly use the new version of Apache.
  • Uses SELinux MCS Labelling to separate each container, preventing even root processes from interfering with the host or other containers.
The goal of this tool is not to allow general purpose applications to run within the container, although we will work to get most services to be able to run.  The tool is not goaled at running full OS chroot, but more towards particular applications.

I have done preliminary tests on running.  httpd, mysql, postgresql, dovecot within these containers.  I am hoping people begin to play with the tool and help us expand which applications can run within the container.  Also you can run multiple applications within a container at the same time.  For example, I have tested httpd and mysql running within the same container.

How to use:

# yum install virt-sandbox httpd
There is a bug in the tool right now where it will not work without an /selinux file.
# touch /selinux

Use the virt-sandbox-service command to create a container.

virt-sandbox-service create -C -l s0:c1,c2 -u httpd.service container1
Created sandbox container dir /var/lib/libvirt/filesystems/container1
Created sandbox config /etc/libvirt-sandbox/services/container1.sandbox
Created unit file /etc/systemd/system/container1_sandbox.service

Manipulate the data within the container while running outside of the container.

cd /var/lib/libvirt/filesystems/container1/var/log
touch content
ls -lZ content
# Make sure the content gets created with the correct MCS label.
# Content should be labeled with s0:c1,c2 : Not s0

Now create a file with a bad label for the container.
cat "Secret" > badcontent
chcon -l s0:c3,c4 badcontent

Start the container:

virt-sandbox-service start container1

In another window

Make sure the processes are running with the proper SELinux label. ps -eZ | grep svirt_lxc You should see processes like systemd, systemd-journal, dhclient and httpd running within the container with the MCS label of s0:c1,c2

Connect to the container

virt-sandbox-service connect container1
id 
getenforce   # Should tell you SELinux is disabled.
setenforce 1 # Should be denied
touch /file  # Should deny you creating this file
touch /var/www/html/content  # Should be allowed
cat /var/www/html/badcontent # Should be denied
Configure the apache server any way you would like, and manipulate html pages
ifconfig eth0  # Grap IP Address for use on next test
# Use the shell running with in the container to attempt to break out of the container. 
^]

On your hosts Firefox use the IP within the container

firefox $IP # Using IP address from container, make sure you see the content.

Shut down the container

virt-sandbox-service stop container1

Now lets try to do the same but starting and stopping the container using systemctl commands

systemctl start container1_sandbox.service
systemctl enable container1_sandbox.service # Check on reboot if the container is running

Make sure the container is running.

virt-sandbox-service connect container1
ps -eZ
^]

I would like to hear what you think?  What enhancements you would like to see?  What 
applications would you like to see run within the containers.  

Since this is a first version, we think there could be some growing pains, so use at your own 
risk, but we would love to work with the community to improve this tool set.
Search

Process Confinement in Fedora 18

October 18, 2012, 12:00 pm
$
0
0
I have not done this blog for a while. Fedora 12?

A good estimate of the number of different confined processes is to count the number of types with the domain attribute.

seinfo -adomain -x | tail -n +2 | wc -l
707

Note: I am removing the first line because it lists the attribute name.

Not all domain types are confined. If we want to look at the number of unconfined domains, we can use the unconfined_domain_type attribute.

seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
61
Unconfined Domains
sosreport_tbootloader_tdevicekit_power_tnova_api_t
nova_network_tdirsrvadmin_unconfined_script_tnova_objectstore_tcertmonger_unconfined_t
unconfined_cronjob_tabrt_handle_event_tsetfiles_mac_tinitrc_t
fsadm_tlvm_tmdadm_trpm_t
wine_tnova_vncproxy_tunconfined_dbusd_tnova_volume_t
nova_scheduler_tprelink_tanaconda_tboinc_project_t
nova_ajax_trpm_script_tsystem_cronjob_topenshift_initrc_t
samba_unconfined_net_tkdumpctl_tdevicekit_disk_tfirstboot_t
samba_unconfined_script_tnagios_eventhandler_plugin_thttpd_unconfined_script_tdepmod_t
insmod_tkernel_tlivecd_tpuppet_t
tomcat_tapmd_tclvmd_tcrond_t
inetd_tinit_tudev_tvirtd_t
nagios_unconfined_plugin_trgmanager_tdevicekit_tinetd_child_t
nova_direct_tsemanage_tsge_shepherd_txdm_unconfined_t
unconfined_tabrt_watch_log_tsge_job_txserver_t

If you disable the unconfined policy package, which I recommend.

This leaves only user domains unconfined, along with some domains that do not make sense to confine.  (anaconda, firstboot, kernel,rpm)

# semodule -d unconfined
seinfo -aunconfined_domain_type -x | tail -n +2 | wc -l
14

Unconfined Domains
rpm_tanaconda_trpm_script_topenshift_initrc_t
firstboot_tkernel_tlivecd_tunconfined_t


You can disable all unconfined domains by disabling unconfineduser module

# semodule -d unconfineduser

Note: You need to setup all your users as confined users, before removing the unconfineduser module.
Disabling the unconfined and unconfineduser policy modules is the equivalent of what we used to call strict policy.

One other interesting domain is permissive domains. Permissive domains can be listed with the --permissive qualifier.

# seinfo --permissive -x | tail -n +3 | wc -l
31
Permissive Domains
phpfpm_tvirt_qemu_ga_tpkcsslotd_trealmd_t
mandb_trngd_tslpd_tglusterd_t
stapserver_tsensord_t


A couple of other interesting statistics.

Total number of file types.

seinfo -afile_type -x | tail -n +2  | wc -l
2375

In order to get the number of allow rules, you need to use sesearch

sesearch --allow | wc -l
81736

Dontaudit Rules

sesearch --dontaudit | wc -l
6532

sandbox can now shred in Fedora 18 and RHEL7

October 26, 2012, 3:33 am
$
0
0
I have heard from a couple of people who are real concerned about security, that they wanted sandbox to not only delete the content but to "shred" it on exit.

policycoreutils-2.1.13-17.fc18
policycoreutils-2.1.13-17.el7

man shred
...
DESCRIPTION
       Overwrite  the specified FILE(s) repeatedly, in order to make it harder
       for even very expensive hardware probing to recover the data.


cat untrustedcontent | sandbox --shred sandbox -M filter.sh > /tmp/trustedcontent

or

sandbox -X -s -W metacity firefox

New Security Feature in Fedora 18 Part 8: Introducing sepolicy

October 26, 2012, 4:27 am
$
0
0
Over the years people have struggled to understand SELinux Policy and how it confined applications.  Administrators would want to know what types the Apache process can read or write.  What booleans were available for samba.  Can one domain write to the users home directory?

sepolicy python bindings

The tool suite we had to do this was called setools, which included apol (A tcl/tk graphical tool) and sesearch and seinfo.  I found that I hardly ever used apol and mainly used sesearch and seinfo.  But I wanted more control.  I decided to add python bindings for these two commands, which in prior releases were in setools package.  These python bindings were rejected for merging upstream, for whatever reason.  I decided to move them into their own package sepolicy.

> python
Python 2.7.3 (default, Aug  9 2012, 17:23:57)
[GCC 4.7.1 20120720 (Red Hat 4.7.1-5)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import sepolicy
>>> sepolicy.info(sepolicy.ATTRIBUTE)
Returns a dictionary of all information about SELinux Attributes
>>>sepolicy.search([sepolicy.ALLOW])
Returns you a dictionary of all allow rules in the policy.

sepolicy command

Using these python bindings we have begun to build  a new series of commands that I have found very useful for understanding policy.  I decided to combine these tools into a new command line tool sepolicy.    Some of these tools I have blogged about in the past but now I have consolidated them into a single tool and made it part of the distribution.  Over the next couple of blogs I will explain some of the tools.

> man sepolicy

sepolicy(8)                                                                                                                            sepolicy(8)

NAME
       sepolicy - SELinux Policy Inspection tool

SYNOPSIS
       semanage {manpage,network,communicate,transition,generate} OPTIONS

       Arguments:

       communicate
       Query SELinux policy to see if domains can communicate with each other sepolicy-communicate(8)

       generate
       Generate SELinux Policy module template sepolicy-generate(8)

       manpage
       Generate SELinux man pages sepolicy-manpage(8)

       network
       Query SELinux policy network information sepolicy-network(8)

       transition
       Query SELinux Policy to see how a source process domain can transition to the target process domain sepolicy-transition(8)

DESCRIPTION
       sepolicy  is  a  tools set that will query the installed SELinux policy and generate useful reports, man pages, or even new policy modules.
       See the argument specific man pages for options and descriptions.

New Security Feature in Fedora 18 Part 8: Introducing sepolicy manpage

October 26, 2012, 5:05 am
$
0
0
In my previous blog, I introduced the sepolicy command, today I am going to talk about sepolicy manpage.  This is probably the most important command in the sepolicy command suite. 

man sepolicy-manpage
sepolicy-manpage(8)                                                                                                            sepolicy-manpage(8)

NAME
       sepolicy-manpage - Generate a man page based on the installed SELinux Policy

SYNOPSIS
       sepolicy manpage [-w] [-h] [-p PATH ] [-a | -d ]

DESCRIPTION
       Use sepolicy manpage to generate manpages based on SELinux Policy.

OPTIONS
       -a, --all
              Generate Man Pages for All Domains

       -d, --domain
              Generate a Man Page for the specified domain. (Supports multiple commands)

       -h, --help
              Display help message

       -w, --web
              Generate an additonal HTML man pages for the specified domain(s).

       -p, --path
              Specify the directory to store the created man pages. (Default to /tmp)

We are now using this tool to generate hundreds of man pages to document SELinux policy on every process domain.
Each confined domains will have an _selinux extension added for example.

man httpd_selinux
httpd_selinux(8)                                      SELinux Policy documentation for httpd                                      httpd_selinux(8)

NAME
       httpd_selinux - Security Enhanced Linux Policy for the httpd processes

DESCRIPTION
       Security-Enhanced Linux secures the httpd processes via flexible mandatory access control.

       The  httpd  processes  execute with the httpd_t SELinux type. You can check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep httpd_t
...

These are pretty extensive man pages including sections:
  • Process types associated with the domain, the tool attempts to associate all process types that begin with the same prefix as the target domain.
  • File Types associated with the domain.   This will list all file types that are included in this policy.  (Using the prefix to gather the information)  The man page describes what the type is used for, along with the default path labelling on the system.
  • Booleans associated with the domain.  The manpage lists all booleans matching the prefix and then describes what the boolean is used for. 
  • Port Types associated with the domain.  The manpage lists the port types matching the prefix and describes the default port numbers assigned to these port types.
  • Sharing Types associated with the domain.  If the domain uses "Sharing Types"  like public_content_t, the man page will have a section explaining how to use them.
  • Managed Files section describes the types that the domain is allowed to write and the default paths associated with these types.
This is pretty extensive documentation, and the beauty of it, is that it is automatically generated so it will not get out of date. 
In Fedora 18, the man page for Apache is over 1600 lines long.

> man httpd_selinux  | wc -l
1603

Currently in Fedora 18 we have over 700 man pages.

> man -k selinux | grep _selinux | wc -l
734

Miroslav Grepl is building a web site that will list all SELinux Policy Man pages for RHEL6, Fedora 17 and Fedora 18.

New Security Feature in Fedora 18 Part 8: Introducing sepolicy network

October 27, 2012, 4:57 am
$
0
0
One problem uses have with SELinux is understanding the network protections.  SELinux controls which ports a domain is able to connect to and which ports it is able to bind to.  Since SELinux is a type enforcement system, it controls ports access via types.  Processes get assigned types and port numbers get assigned types.  Since users think in terms of port numbers, we built a tool to more easily allow users understand the relationships.  I orginally called this tool senetwork, but now we are shipping it as part of the sepolicy suite.


> man sepolicy-network
sepolicy-network(8)                                                                                                            sepolicy-network(8)

NAME
       sepolicy-network - Examine the SELinux Policy and generate a network report

SYNOPSIS
       sepolicy network [-h] (-l | -p PORT [PORT ...] | -t TYPE [TYPE ...] | -d DOMAIN [DOMAIN ...])

DESCRIPTION
       Use sepolicy network to examine SELinux Policy and generate network reports.

OPTIONS
       -d, --domain
              Generate a report listing the ports to which the specified domain is allowed to connect and or bind.

       -l, --list
              List all Network Port Types defined in SELinux Policy

       -h, --help
              Display help message

       -t, --type
              Generate a report listing the port numbers associate with the specified SELinux port type.

       -p, --port
              Generate a report listing the SELinux port types associate with the specified port number.


sepolicy network allows you to ask SELinux what port type is associated with a specific port number.


sepolicy network --port 8080
8080: tcp unreserved_port_t 1024-32767
8080: udp unreserved_port_t 1024-32767
8080: tcp http_cache_port_t 8080

Or what port number is associated with a port type.

sepolicy network -t dns_port_t
dns_port_t: tcp: 53
dns_port_t: udp: 53

Note that sepolicy also supports bash completion.

sepolicy network -t d<tab>
daap_port_t     dccm_port_t     dhcpc_port_t    dict_port_t     dns_port_t      dogtag_port_t  
dbskkd_port_t   dcc_port_t      dhcpd_port_t    distccd_port_t  dnssec_port_t  

Finally you can ask which ports a process domain type is allowed to connect or bind:

# sepolicy network -d cupsd_t
cupsd_t: tcp name_connect
    all ports
cupsd_t: tcp name_bind
    reserved_port_t: 1-511
    rpc_port_type: all ports > 500 and  < 1024
    ipp_port_t: 631,8610-8614
cupsd_t: udp name_bind
    howl_port_t: 5353
    ipp_port_t: 631,8610-8614

New Security Feature in Fedora 18 Part 8: Introducing sepolicy transition

October 29, 2012, 6:26 am
$
0
0
Another advanced topic of SELinux, that is hard to understand is process transitions.  Basically this is the mechanism where most processes get their labels.  The init_t domain transition to the initrc_t domain when it executes an initrc_exec_t labelled script.  initrc_t transition to httpd_t when it executes and file labelled httpd_exec_t ...

Two questions can arise from this,
  • What process domains can one process domain transition too?
  • Can one process domain transition to another?

I orginally created a tool called setrans but now we are shipping it as part of the sepolicy suite.

> man sepolicy-transition
sepolicy-transition(8)                                  sepolicy-transition(8)

NAME
       sepolicy-transition - Examine the SELinux Policy and generate a process transition report

SYNOPSIS
       sepolicy transition [-h] -s SOURCE

       sepolicy transition [-h] -s SOURCE -t TARGET

DESCRIPTION
       sepolicy transition will show all domains that a  give  SELinux  source domain can transition to, including the entrypoint.

       If  a  target  domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the  target  domain,  and  will  list the paths.  If a transition is possible, this tool will print out all transition paths from the source  domain  to  the  target domain

OPTIONS
       -h, --help
              Display help message

       -s, --source
              Specify the source SELinux domain type.

       -t, --target
              Specify the target SELinux domain type.


If I want to see what process domains guest_t can transition too, I can execute the following:

# sepolicy transition -s guest_t
guest_t @ abrt_helper_exec_t --> abrt_helper_t
guest_t @ loadkeys_exec_t --> loadkeys_t
guest_t @ chkpwd_exec_t --> chkpwd_t
guest_t @ passwd_exec_t --> passwd_t
guest_t @ updpwd_exec_t --> updpwd_t
guest_t @ chfn_exec_t --> chfn_t
guest_t @ oddjob_mkhomedir_exec_t --> oddjob_mkhomedir_t
guest_t @ shell_exec_t --> httpd_user_script_t

If I wanted to see how httpd_t can read system_mail_t

# sepolicy transition -s httpd_t -t system_mail_t
httpd_t --> httpd_suexec_t --> httpd_mojomojo_script_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> postfix_showq_t --> spamc_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> dovecot_deliver_t --> uux_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> dovecot_deliver_t --> sendmail_t --> uux_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> dovecot_deliver_t --> sendmail_t --> procmail_t --> clamscan_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> dovecot_deliver_t --> sendmail_t --> postfix_master_t --> postfix_local_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> dovecot_deliver_t --> sendmail_t --> postfix_master_t --> postfix_pipe_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> uux_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_openshift_script_t --> openshift_initrc_t --> openshift_domain --> openshift_t --> openshift_mail_t --> exim_t --> clamscan_t --> system_mail_t
httpd_t --> httpd_suexec_t --> httpd_bugzilla_script_t --> system_mail_t
httpd_t --> abrt_retrace_worker_t --> mock_t --> mount_t --> lvm_t --> insmod_t --> initrc_t --> daemon --> system_mail_t
httpd_t --> abrt_retrace_worker_t --> mock_t --> mount_t --> lvm_t --> insmod_t --> initrc_t --> systemprocess --> system_mail_t
httpd_t --> abrt_retrace_worker_t --> mock_t --> mount_t --> lvm_t --> insmod_t --> initrc_t --> sulogin_t --> unconfined_t --> dhcpc_t --> NetworkManager_t --> pppd_t --> system_mail_t
httpd_t --> abrt_retrace_worker_t --> mock_t --> mount_t --> lvm_t --> insmod_t --> initrc_t --> sulogin_t --> unconfined_t --> rpm_t --> rpm_script_t --> system_mail_t
httpd_t --> abrt_retrace_worker_t --> mock_t --> mount_t --> lvm_t --> insmod_t --> initrc_t --> sulogin_t --> unconfined_t --> rpm_script_t --> system_mail_t
httpd_t --> passenger_t --> system_mail_t
httpd_t --> httpd_bugzilla_script_t --> system_mail_t
httpd_t --> httpd_mojomojo_script_t --> system_mail_t

Note currently this command does not take into account boolean settings, it is just showing you that it is possible.  Future enhancements would be to list the booleans required to allow the access.

New Security Feature in Fedora 18 Part 8: Introducing sepolicy generate

October 31, 2012, 11:23 am
$
0
0
sepolgen

sepolgen is the tool that I recommend people use to start generating policy.  We have decided to merge this tool into the sepolicy suite

sepolicy generate

man sepolicy-generate

sepolicy-generate(8)                                                                                                                                            sepolicy-generate(8)

NAME
       sepolicy-generate - Generate an initial SELinux policy module template.

SYNOPSIS
       sepolicy generate [-h] [-t TYPE] [-n NAME] [-T TEST] [ command | confineduser ]

DESCRIPTION
       Use sepolicy generate to generate an SELinux policy Module.  sepolicy generate will generate 4 files.

       Type Enforcing File NAME.te
       This file can be used to define all the types rules for a particular domain.

       Interface File NAME.if
       This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.

       File Context NAME.fc
       This  file defines the default file context for the system, it takes the file types created in the te file and associates file paths to the types.  Tools like restorecon and RPM will use these paths to put down labels.

       RPM Spec File NAME_selinux.spec
       This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labelling. The spec file also installs the interface file  and  a  man page describing the policy.  You can use sepolicy manpage -d NAME to generate the man page.

       Shell File NAME.sh
       This  is a helper shell script to compile, install and fix the labelling on your test system.  It will also generate a man page based on the installed policy, and compile and
       build an RPM suitable to be installed on other machines

       If a generate is possible, this tool will print out all generate paths from the source domain to the target domain

OPTIONS
       -h, --help
              Display help message

       -t, --type
              Specify the type of policy you want to create.
              Valid Options:
              0 : Standard Init Daemon (Default)
              1 : DBUS System Daemon
              2 : Internet Services Daemon
              3 : Web Application/Script (CGI)
              4 : User Application
              5 : Sandbox
              6 : Minimal Terminal User Role
              7 : Minimal X Windows User Role
              8 : User Role
              9 : Admin User Role
              10 : Root Admin User Role
       -n, --name
              Specify alternate name of policy. The policy will default to the executable or name specified.

EXAMPLE
       sepolicy generate /usr/sbin/rwhod
       Generating Policy for /usr/sbin/rwhod named rwhod
       Created the following files in:
       rwhod.te # Type Enforcement file
       rwhod.if # Interface file
       rwhod.fc # File Contexts file
       rwhod_selinux.spec # Spec file
       rwhod.sh # Setup Script

sepolicy generate has some nice new features over sepolgen.
  1. sepolicy generate does not to be run as root.
  2. sepolicy generate now generates a RPM spec file. This spec file can be used to build and RPM package that will install the policy package file (pp) and interface file (if) in the correct location, install it into the kernel and fix the labelling.
  3. The sepolicy generated setup script continues to install the policy and setup the labelling, and also generates a man page based on the installed policy using sepolicy manpage, finally it build and compiles the policy and man page into an rpm ready to be installed on other machines.
selinux-polgengui no longer needs to be run as root either, since it is using the sepolicy generate python bindings to generate the policy files. sepolgen command will now just execute sepolicy generate as a shell script.
Search

Using Apache and SELinux Together

November 1, 2012, 10:42 am
$
0
0
A few months ago, I wrote an article on "Using Apache and SELinux Together" for DrupalWatchDog Magazine.  They publish it first in hard copy, and then after a couple of months publish it on line.  Here is a link to the online version.

http://drupalwatchdog.com/2/2/apache-selinux


rsync and SELinux

January 7, 2013, 8:28 am
$
0
0
I have been pinged by a couple of users having problems with SELinux and rsync.  We began confining the rsync service back in RHEL5.

The biggest problem SELinux has with rsync is there is no way to distinguish between the client and the server from an SELinux point of view.

rsync as a daemon

If someone sets up an rsync service to listen for connections they use the /usr/bin/rsync executable.  In order to confine this application we label /usr/bin/rsync as rsync_exec_t.  The init daemons (init_t, initrc_t) will transition to rsync_t when they execute /usr/bin/rsync. SELinux policy allows share parts of the host, mainly readonly, and allows admins to setup directories labeled rsync_data_t where content could be uploaded to the rsync domain.

There are lots of booleans defined for rsync_t to share data.  On Fedora 18, I see.

getsebool -a | grep rsync
postgresql_can_rsync --> off
rsync_anon_write --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_nfs --> of

man rsync_selinux

to see more info.

rsync as a client.

If you execute rsync as a client from a user script, everything works fine, since we do not transition from unconfined_t or other user domains to rsync_t, rsync runs within the user domain and is able to read/write anything the user process label is allowed to read/write.

If a service that SELinux does not have policy runs runs within the init system and attempts to use rsync as a client it can have problems.  You see the service running within the init system that has no policy will run as either init_t or initrc_t.  When a process running as init_t or initrc_t executes /usr/bin/rsync (rsync_exec_t), the rsync process will transition to rsync_t and SELinux will treat it as the rsync daemon not as a client. 

There are many possible solutions for this problem. 
  • Best would be to write policy for the init service that is currently running without confinement.   I realize  that most users will not do this, but you could contact us for help.
  • In RHEL5 you could turn on the rsync_disable_trans boolean.  Which will stop the transition from initrc_t to rsync_t, and rsync_t would just tun in  initrc_t domain, which by default is an unconfined domain.
  • You could use audit2allow to add all of the rules to rsync_t to allow it to run as a client.
  • You could change the label of /usr/bin/rsync to bin_t using semanage fcontext -m -t bin_t /usr/bin/rsync which would also stop the transition.
  • You could make rsync_t an unconfined domain.
There are many ways of fixing this problem.  And perhaps I need to talk to the rsync packagers to see if we could figure a better way of handling this in the future. 

Where did audit2allow go in Fedora 18?

January 18, 2013, 6:37 am
$
0
0
One of the goals of Fedora 18 is to shrink the size of the Minimal install as much as possible.   We are concentrating on keeping this minimal.

Since a minimal install machine does not need to do SELinux policy development, it was decided to remove the selinux-policy-devel package from the minimal install, which is fairly large.  But audit2allow was in policycoreutils-python, and required the selinux-policy-devel package.  audit2allow needs the interface files in selinux-policy-devel package in order for  audit2allow -R to work. 

I decided to move the audit2allow script to policycoreutils-devel package, since its main job is to help develop selinux-policy.
If you do not find audit2allow you your system, just

yum install policycoreutils-devel
or
yum install /usr/bin/audit2allow

Note: The latest setroubleshoot-server package requires policycoreutils-devel, so if you have this installed you will get audit2allow for free...

SELinux Reveals Bugs in Code

March 14, 2013, 11:35 am
$
0
0
I have noticed over the years random confined process that get avc denials for the SYS_RESOURCE and SYS_ADMIN capabilities.  Most of the time, these are not easily repeated.  The combination of these two usually indicate a confined processes is attempting to use a system resources beyond the limits for the owner UID.  For example in RHEL6 a user, dwalsh, is only allowed to run 1025 processes, and an individual process running as dwalsh, is only allowed to open 1024 files.

/usr/include/linux/capability.h documents SYS_RESOURCE as the following

/* Override resource limits. Set resource limits. */
/* Override quota limits. */
/* Override reserved space on ext2 filesystem */
/* Modify data journaling mode on ext3 filesystem (uses journaling
   resources) */
/* NOTE: ext2 honors fsuid when checking for resource overrides, so
   you can override using fsuid too */
/* Override size restrictions on IPC message queues */
/* Allow more than 64hz interrupts from the real-time clock */
/* Override max number of consoles on console allocation */
/* Override max number of keymaps */

The goal of these limits is to prevent an individual user from doing a fork bomb or opening so many files the system gets a Denial of Service.

Even root processes are governed by these limits,  however root processes almost always have SYS_ADMIN and SYS_RESOURCE capabilities, unless they have dropped them using something like libcap/libcap-ng or you are using an Mandatory Access System like SELinux.

Lon Hohberger, who is working on the OpenStack team at Red Hat and currently working on making SELinux work well with OpenStack, discovered some problems in RHEL6, that could and probably are triggering these AVC's.

Bug #1

Prior to RHEL6.4 ANY login to the system, including root,  would get a process limit of 1024.

# ulimit -u
1024

Meaning if you started any processes on a system that already had 1025 processes running, the kernel would be checking SYS_RESOURCE.  If you executed a command like

# service httpd restart

Then httpd would fall under the same limits, since httpd_t is not allowed these Capabilities, httpd_t would generate the AVC's and probably fail to start.

Worse then this, if you executed:

# yum -y update

There is a decent chance that during the update some packages post install would do a

# service foobar restart

If foobar was confined by SELinux, then the AVC could be generated.

Luckily we have had a fix for this in RHEL6.4,  although this fix has not gone into Fedora yet...

The following line as added to /etc/security/limits.d/90-nproc.conf

root soft nproc unlimited

BUG #2

First if you login as root to a RHEL6.4 system, and check the max processes limit, you will get something like:

# ulimit -u
29924

If you login as a normal user you would get:

> ulimit -u
1024

If you run su from your normal user account and check the ulimit you get:

# ulimit -u
29924

But if you run sudo as a normal user and run ulimit you get:
# ulimit -u
1024

su and sudo should work the same way.

This is probably a bug in sudo or in the sudo pam stack.  Have not determined which yet.

BUG #3

This one might be controversial, since these limits are supposed to count the resources used by a particular UID, we should be looking at ALL of the processes kicked off by the user, not only those running under his UID.    Since sudo in the above example was not modifying the maximum running processes when user dwalsh became root, the process started counted against the total number of root processes rather then the total number of processes started by dwalsh.  I believe this is wrong.  The kernel should be counting the number of processes started by user dwalsh and should look at the LoginUID rather then the actual UID.  Now if dwalsh logged onto a system and was able to get some processes running as root, they could continue to count against dwalshs resource constraints and not against the systems.    I realize this might be difficult since you would probably want processes that have the SYS_RESOURCE capability to not count against the total.

systemd to the rescue

systemd has helped fix a lot of these issues.

In RHEL6 if an admin starts/restarts a system daemon, that daemon ends up being a subprocess of the user, meaning inherits any of the constraints on the user processes.  In the latest Fedora's, systemd starts most system daemons.  The user process sends a message to systemd and systemd starts/restarts the service, which means the service gets the system constraints not the user constraints.

Security Vs Usability

March 15, 2013, 7:59 am
$
0
0
One of the interesting things about working in the security field, is walking the balance between security and usability.  

On one of the many mailing lists I read, an admin as complaining about his Apache server being hacked.  Some application had been hacked in a way that it got apache to write to a particular directory and then executed the code it has written.

I decided to look at how SELinux Policy controlled httpd_t.  I wanted to know what file types was httpd_t allowed to write and execute.

In Fedora 19, I executed the following command.

> sesearch -A -C -s httpd_t -p execute -c file | grep write
DT allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename execute open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]

This indicates that the apache deamon (httpd_t) is allowed to write and execute files that have a label that has the attribute httpdcontent.  But they would have to have the httpd_enable_cgi, httpd_unified, and httpd_builtin_scripting booleans turned on.

#semanage boolean -l | grep httpd_enable_cgi
httpd_enable_cgi               (on   ,   on)  Allow httpd cgi support
# semanage boolean -l | grep httpd_unified
httpd_unified                  (off  ,  off)  Unify HTTPD handling of all content files.
# semanage boolean -l | grep httpd_builtin_scripting
httpd_builtin_scripting        (on   ,   on)  Allow httpd to use built in scripting (usually php)

Out of the box we enable httpd_enable_cgi, so cgi scripts will run with your apache server.  We also enable httpd_builtin_scripting, which allows you to run php scripts within the same processes as apache, this also enabled other builtin scripting tools like mod_python and mod_perl.

We disable httpd_unified, which basically says httpd_t has full access to all httpdcontent files.

# seinfo -ahttpdcontent -x
   httpdcontent
      httpd_sys_content_t
      httpd_user_ra_content_t
      httpd_user_rw_content_t
      httpd_sys_ra_content_t
      httpd_sys_rw_content_t
      httpd_user_content_t

So rather then treating each type differently we combine all access.  We used to have this turned on by default for people who did not understand SELinux, probably still is in RHEL5 and maybe RHEL6.  But in latest Fedora and RHEL7 we will turn it off by default.

If you are running a web site that does not do any scripting, it would probably be advisable to turn off the other two booleans.
Viewing all 181 articles
Browse latest View live
Search