* SELinux policy configuration tutorial?
From: Tracy R Reed @ 2001-11-17 3:00 UTC (permalink / raw)
To: selinux
After months of thinking about it I have finally gotten around to
installing SELinux. Very impressive. I am comparing and contrasting it to
LIDS and it seems that SELinux is far more flexible although LIDS was far
easier to figure out.
I am having problems understanding how to define policies and how the
roles, domains, types, etc. work to do this. I am slowly making my way
through the documentation on the web site but I find most of it to be
quite inscrutable. Has anyone written up a general tutorial on how all of
this stuff works in practice?
--
Tracy Reed http://www.ultraviolet.org
My karma ran over your dogma.
* Re: SELinux policy configuration tutorial?
From: Stephen Smalley @ 2001-11-19 13:37 UTC (permalink / raw)
To: Tracy R Reed; +Cc: selinux
On Fri, 16 Nov 2001, Tracy R Reed wrote:
> I am having problems understanding how to define policies and how the
> roles, domains, types, etc. work to do this. I am slowly making my way
> through the documentation on the web site but I find most of it to be
> quite inscrutable. Has anyone written up a general tutorial on how all of
> this stuff works in practice?
I don't think anyone has written a general tutorial. However, you'll find
quite a bit of useful information in the security server section of the
first technical report, the entire second technical report, and the OLS
2001 paper, all of which are on the web site. Several people outside of
the SELinux project have already contributed to the example policy
configuration, including both refinement of the existing domains and new
domains (e.g. Mark Westerman's mount_t, ipsec_t and gdm_t domains,
Yuichi Nakamura's named_t domain, David Wheeler's ping_t and hwclock_t
domains). Feel free to ask specific questions about policy configuration
on the list.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: SELinux policy configuration tutorial?
From: Tracy R Reed @ 2001-11-21 9:32 UTC (permalink / raw)
To: selinux
On Mon, Nov 19, 2001 at 08:37:53AM -0500, Stephen Smalley wrote:
> I don't think anyone has written a general tutorial. However, you'll find
> quite a bit of useful information in the security server section of the
> first technical report, the entire second technical report, and the OLS
> 2001 paper, all of which are on the web site. Several people outside of
Thanks. I am slowly making progress. Over the last few nights I've been
going through "A Security Policy Configuration for the Security-Enhanced
Linux" in the documentation section and I have noticed that I get a 404
if I stop reading and pick it up again later. Looks like the url changes
periodically. Odd.
A policy question: I didn't have apache installed at the time I installed
SELinux but now I want to install, make it run some useful web app, and
try to secure it. SELinux seems to come with a policy for the stock apache
install so I installed the rpm that normally comes with RH6.1.
Then I did:
make relabel && make load
Just to make sure the newly installed files get assigned the right type
and the policy gets compiled and loaded. But when I try to start apache I
get permission denied:
[root@tracy policy]# /etc/rc.d/init.d/httpd start
Starting httpd: execvp: Permission denied
[root@tracy init.d]# /usr/sbin/httpd
bash: /usr/sbin/httpd: Permission denied
[root@tracy init.d]#
[root@tracy init.d]# ls -la /usr/sbin/httpd
-rwxr-xr-x 1 root root 337500 Mar 29 2001 /usr/sbin/httpd
[root@tracy init.d]# ls -la --context /usr/sbin/httpd
-rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
What am I missing here?
Also, I notice that when I log in as the user "jdoe" and do an ls -la on /
the jdoe user sees this:
ls: lost+found: Permission denied
ls: ...security: Permission denied
Not much good for hiding files is it?
As a result of the ls I get this in the messages file:
Nov 21 01:03:53 bench3 kernel: avc: denied { getattr } for pid=9640 exe=/usr/local/selinux/bin/ls path=/...security dev=08:01 ino=38857
Nov 21 01:03:53 bench3 kernel: scontext=jdoe:user_r:user_t
Nov 21 01:03:53 bench3 kernel: tcontext=system_u:object_r:file_labels_t
Nov 21 01:03:53 bench3 kernel: tclass=dir
I'm not sure if I would really want the ls of every user in / to set that off
but even more of a problem is that the message takes up four lines in the
messages file. I normally run logcheck once an hour which sends me
anything interesting from the logfiles after filtering out the bits I have
deemed non-interesting so it would be quite convenient to have it all on
one line.
--
Tracy Reed http://www.ultraviolet.org
* Re: SELinux policy configuration tutorial?
From: Tracy R Reed @ 2001-11-21 10:30 UTC (permalink / raw)
To: selinux
On Wed, Nov 21, 2001 at 01:32:04AM -0800, Tracy R Reed wrote:
> Just to make sure the newly installed files get assigned the right type
> and the policy gets compiled and loaded. But when I try to start apache I
> get permission denied:
>
> [root@tracy policy]# /etc/rc.d/init.d/httpd start
> Starting httpd: execvp: Permission denied
I just discovered in the docs:
No domain is currently allowed to bind http_port_t
Why have fully defined policies for running apache if it isn't allowed to
bind to the port? How can I allow this?
--
Tracy Reed http://www.ultraviolet.org
* Re: SELinux policy configuration tutorial?
From: Stephen Smalley @ 2001-11-21 14:19 UTC (permalink / raw)
To: Tracy R Reed; +Cc: selinux
On Wed, 21 Nov 2001, Tracy R Reed wrote:
> No domain is currently allowed to bind http_port_t
>
> Why have fully defined policies for running apache if it isn't allowed to
> bind to the port? How can I allow this?
The technical reports aren't up-to-date. The first report (Integrating
Flexible Support for Security Policies into the Linux Operating System)
still describes the design and implementation of the original
2.2-based SELinux kernel patch, not the LSM-based SELinux security
module. We're working on a new technical report that describes the
LSM-based SELinux security module. The second technical report (A
Security Policy Configuration for the Security-Enhanced Linux) describes
the original example security policy configuration that was developed for
the original SELinux on RH6.1, and doesn't reflect subsequent changes.
Much of it is still applicable, but this particular note about http_port_t
is not true in the current example policy.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
* Re: SELinux policy configuration tutorial?
From: Stephen Smalley @ 2001-11-21 14:14 UTC (permalink / raw)
To: Tracy R Reed; +Cc: selinux
On Wed, 21 Nov 2001, Tracy R Reed wrote:
> Thanks. I am slowly making progress. Over the last few nights I've been
> going through "A Security Policy Configuration for the Security-Enhanced
> Linux" in the documentation section and I have noticed that I get a 404
> if I stop reading and pick it up again later. Looks like the url changes
> periodically. Odd.
Everything on the web site is updated for a new release, and the release
timestamp is appended to the technical report filenames, just like the
archive and patch filenames, so the URL changes with each release. Not
sure if there is any point in timestamping these documents, since these
technical reports haven't been changed in quite a while.
> A policy question: I didn't have apache installed at the time I installed
> SELinux but now I want to install, make it run some useful web app, and
> try to secure it. SELinux seems to come with a policy for the stock apache
> install so I installed the rpm that normally comes with RH6.1.
Just a side note - we're using RH7.1 as our base platform currently for
the LSM-based SELinux prototype. We are also investigating transitioning
to RH7.2 (but the latter is pending on 2.4.15 for ext3 support, upgrading
the modified utilities, and updating the policy).
> [root@tracy policy]# /etc/rc.d/init.d/httpd start
> Starting httpd: execvp: Permission denied
> [root@tracy init.d]# /usr/sbin/httpd
> bash: /usr/sbin/httpd: Permission denied
Right. You need to be logged into the sysadm_t domain and you need to use
the run_init program to run init scripts. Otherwise the script isn't run
in the proper security context and fails.
> Also, I notice that when I log in as the user "jdoe" and do an ls -la on /
> the jdoe user sees this:
>
> ls: lost+found: Permission denied
> ls: ...security: Permission denied
>
> Not much good for hiding files is it?
SELinux doesn't try to hide individual filenames within a directory.
If a process has read permission to a directory, it can see all names in
that directory. But the process might not have getattr permission to
individual files, so it may not be able to stat the file for a 'ls -l'.
Filenames are part of the directory's state, not part of the file's
state. Hiding filenames would be possible by filtering directory reads,
as is done in some other systems, but it isn't clear it is worth the cost.
Multi-Level Secure (MLS) systems frequently provide a partitioned
directory mechanism known as multi-level directories for things like
/tmp, where a process is transparently redirected to a dynamically
created subdirectory of /tmp based on its security level. The SELinux
architecture includes support for a generalization of this idea, but we
haven't implemented the corresponding mechanism in the filesystem. See
the discussion of polyinstantiation and security union directories in the
Flask paper. This hasn't been a high priority for us yet.
> As a result of the ls I get this in the messages file:
>
> Nov 21 01:03:53 bench3 kernel: avc: denied { getattr } for pid=9640 exe=/usr/local/selinux/bin/ls path=/...security dev=08:01 ino=38857
> Nov 21 01:03:53 bench3 kernel: scontext=jdoe:user_r:user_t
> Nov 21 01:03:53 bench3 kernel: tcontext=system_u:object_r:file_labels_t
> Nov 21 01:03:53 bench3 kernel: tclass=dir
>
> I'm not sure if I would really want the ls of every user in / to set that off
> but even more of a problem is that the message takes up four lines in the
> messages file. I normally run logcheck once an hour which sends me
> anything interesting from the logfiles after filtering out the bits I have
> deemed non-interesting so it would be quite convenient to have it all on
> one line.
I suppose we could grant getattr permission to these types without any
real harm. Alternatively, you can configure the policy to disable
auditing of specific permissions through the use of the auditdeny rules.
This is already done in several cases in the example policy.
With regard to putting the AVC messages into a single line, that was the
original format, but I think it was changed later at someone's request to
make it easier to read on the console. Personally, I would tend to agree
that each AVC audit message belongs on a single line, so I'm ok with
changing it back, but I don't know if this will bother anyone else.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
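The four-line AVC denial quoted above, and the remark that the audit format was changed from one line to several for console readability, point at a log-side fix that does not depend on the kernel format changing back. The script below is an added example written for this archive page; it is not code from the thread or from the SELinux project. It reads a /var/log/messages excerpt, joins each kernel "avc: denied" line with its following scontext=, tcontext= and tclass= lines into one record, re-emits every denial as a single syslog-style line that a logcheck rule can match, and tallies denials by source type, target type, object class and permission, so that recurring ones (such as user_t getattr on file_labels_t) can be identified before deciding whether to grant the permission or stop auditing it. The sample log text is constructed here: the first denial is the one quoted in the thread, the second is invented to show a file execute denial in the shape of the httpd case, and the only field names assumed are the ones that appear in the quoted message.

```python
import re
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed /var/log/messages excerpt. The first four kernel lines are the
# denial quoted in the thread; the sshd line and the second (execute) denial
# are made up here to exercise record boundaries.
SAMPLE_MESSAGES = """\
Nov 21 01:03:53 bench3 kernel: avc: denied { getattr } for pid=9640 exe=/usr/local/selinux/bin/ls path=/...security dev=08:01 ino=38857
Nov 21 01:03:53 bench3 kernel: scontext=jdoe:user_r:user_t
Nov 21 01:03:53 bench3 kernel: tcontext=system_u:object_r:file_labels_t
Nov 21 01:03:53 bench3 kernel: tclass=dir
Nov 21 01:03:54 bench3 sshd[812]: Accepted publickey for jdoe from 10.0.0.5 port 40012
Nov 21 01:05:10 bench3 kernel: avc: denied { execute } for pid=9701 exe=/bin/bash path=/usr/sbin/httpd dev=08:01 ino=12345
Nov 21 01:05:10 bench3 kernel: scontext=root:sysadm_r:sysadm_t
Nov 21 01:05:10 bench3 kernel: tcontext=system_u:object_r:httpd_exec_t
Nov 21 01:05:10 bench3 kernel: tclass=file
"""

# Syslog prefix of a kernel line: timestamp, host, "kernel:", then the body.
SYSLOG_KERNEL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<body>.*)$"
)
# First line of a denial: the braces hold the denied permission(s).
AVC_DENIED = re.compile(r"^avc: +denied +\{ *(?P<perms>[^}]*)\} +for +(?P<rest>.*)$")
# key=value tokens, both on the first line (pid=, exe=, path=, ...) and on
# the continuation lines (scontext=, tcontext=, tclass=).
KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def split_context(ctx: str) -> Dict[str, str]:
    """Split a user:role:type security context into its three parts."""
    user, role, type_ = ctx.split(":", 2)
    return {"user": user, "role": role, "type": type_}


def coalesce_avc(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Join the multi-line kernel AVC output into one record per denial.

    A record opens at an "avc: denied" line and absorbs the kernel lines of
    the form key=value that follow it. Any other line closes the record.
    """
    records: List[Dict[str, Any]] = []
    current: Optional[Dict[str, Any]] = None

    def close() -> None:
        nonlocal current
        if current is not None:
            records.append(current)
            current = None

    for raw in lines:
        m = SYSLOG_KERNEL.match(raw.rstrip("\n"))
        if m is None:
            close()  # not a kernel line: ends any open denial
            continue
        body = m.group("body").strip()
        start = AVC_DENIED.match(body)
        if start is not None:
            close()
            current = {
                "ts": m.group("ts"),
                "host": m.group("host"),
                "perms": start.group("perms").split(),
                "fields": dict(KEY_VALUE.findall(start.group("rest"))),
            }
            continue
        if current is not None and KEY_VALUE.fullmatch(body):
            key, value = body.split("=", 1)
            current["fields"][key] = value  # scontext=, tcontext=, tclass=
            continue
        close()  # some other kernel message
    close()
    return records


def to_single_line(rec: Dict[str, Any]) -> str:
    """Render one denial as a single line, the shape logcheck rules want."""
    kv = " ".join(f"{k}={v}" for k, v in rec["fields"].items())
    perms = " ".join(rec["perms"])
    return f'{rec["ts"]} {rec["host"]} avc: denied {{ {perms} }} for {kv}'


def tally(records: List[Dict[str, Any]]) -> Dict[Tuple[str, str, str, str], int]:
    """Count denials by (source type, target type, class, permission).

    Recurring, harmless entries are the candidates for either an allow rule
    or for switching off auditing of that permission in the policy.
    """
    counts: Dict[Tuple[str, str, str, str], int] = {}
    for rec in records:
        f = rec["fields"]
        src = split_context(f["scontext"])["type"]
        tgt = split_context(f["tcontext"])["type"]
        for perm in rec["perms"]:
            key = (src, tgt, f["tclass"], perm)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = coalesce_avc(SAMPLE_MESSAGES.splitlines())
    for r in recs:
        print(to_single_line(r))
    for key, n in sorted(tally(recs).items()):
        print(n, *key)
```

Run it against a real messages file by replacing SAMPLE_MESSAGES.splitlines() with the file's lines; the record boundary logic relies only on the "avc: denied" opener and the key=value continuation lines, so an unrelated kernel or daemon message interleaved between the four lines will close the record early rather than be merged into it.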
* Re: SELinux policy configuration tutorial?
From: L. T. Seet @ 2001-11-21 13:02 UTC (permalink / raw)
To: selinux
Hi,
I tried to download the technical report titled "A security policy
configuration for the security-enhanced linux." from the SELinux website
but to no avail. The response quoted below indicates that the file cannot
be found on the server.
"The requested URL /selinux/doc/policy-200110161355.pdf was not found on
this server."
Is this because the server is down?
L.T. Seet
ISRC, QUT
* Re: SELinux policy configuration tutorial?
From: Stephen Smalley @ 2001-11-21 14:22 UTC (permalink / raw)
To: L. T. Seet; +Cc: selinux
On Wed, 21 Nov 2001, L. T. Seet wrote:
> I tried to download the technical report titled "A security policy
> configuration for the security-enhanced linux." from the SELinux website
> but to no avail. The response quoted below indicates that the file cannot
> be found on the server.
>
> "The requested URL /selinux/doc/policy-200110161355.pdf was not found on
> this server."
That's the URL from the previous release, so you probably have a
stale cached copy of the policy-abs.html file that still uses the old URL.
Try reloading the page and then selecting the PDF document.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com