* Re: Re: SELinux and security tools?
@ 2002-11-07 9:55 Subba Rao
2002-11-07 10:52 ` Tom
0 siblings, 1 reply; 3+ messages in thread
From: Subba Rao @ 2002-11-07 9:55 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux
Thank you for replying. In the past I would login as root to use these tools.
My current practice is to use 'sudo' to use these security tools. I will login
as a regular user but use 'sudo' to use nessus or tcpdump etc.
One basic question about policy, is this some configuration file that you develop
based on your needs and then use it to compile a new kernel?
Subba Rao
sailorn@attglobal.net
2002-11-07
======= At 2002-11-07, 00:49:00 you wrote: =======
>On Wed, 6 Nov 2002 20:24, Wayne Salamon wrote:
>> On Wed, 6 Nov 2002, Subba Rao wrote:
>> > I am planning to install SELinux on one of my laptops. The key tools I
>> > plan to use are security tools such as Nessus, nmap, Snort and
>> > tcpdump. Will these tools work well on SELinux? Has anyone
>> > experienced problems with these tools on SELinux?
>>
>> There shouldn't be a problem running these utilities under SELinux, but
>> you will have to modify the policy for some of them. tcpdump is already
>> known to the example policy (in the netutils domain), as is snort (it has
>
>One thing to note is that network utility programs such as those have the
>sample policy set up to allow them to be run from an administrative session
>(sysadm_r). If you want to run them from a laptop then you are probably
>doing so not as an administrative task but to use a laptop as a workstation
>or test machine for administering other machines on the network. Therefore
>you'll probably want to run them from user_r instead which will require some
>minor adjustments to the policy.
>
>For a while I have been thinking of setting up the policy to make it easier to
>allow separate domains for ping and netutils when run from different user
>roles. However I don't want to enable it for everyone (as is done for most
>such domains) but to do it selectively for the particular roles that deserve
>it.
>
= = = = = = = = = = = = = = = = = = = =
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Re: SELinux and security tools?
2002-11-07 9:55 Re: SELinux and security tools? Subba Rao
@ 2002-11-07 10:52 ` Tom
0 siblings, 0 replies; 3+ messages in thread
From: Tom @ 2002-11-07 10:52 UTC (permalink / raw)
To: selinux
On Thu, Nov 07, 2002 at 04:55:13AM -0500, Subba Rao wrote:
> One basic question about policy, is this some configuration file that you develop
> based on your needs and then use it to compile a new kernel?
It's a configuration file (rather: several), but you don't need to
recompile the kernel to activate a new policy. There is a load_policy
tool that can load/update a policy on a running system, much like you
can activate modules at runtime with insmod.
--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: Re: SELinux and security tools?
[not found] <20021107095823.E6B18BF1D@sat.sws.net.au>
@ 2002-11-07 11:13 ` Russell Coker
0 siblings, 0 replies; 3+ messages in thread
From: Russell Coker @ 2002-11-07 11:13 UTC (permalink / raw)
To: Subba Rao; +Cc: selinux
On Thu, 7 Nov 2002 10:55, Subba Rao wrote:
> Thank you for replying. In the past I would login as root to use these
> tools. My current practice is to use 'sudo' to use these security tools. I
> will login as a regular user but use 'sudo' to use nessus or tcpdump etc.
In a default setup of SE Linux you will need to use both SUDO for "root"
access and "newrole" for "sysadm_r" access (and newrole does not have the
facility to allow certain commands to be run without password).
I suggest that the best mode of operation for a laptop to be used as a network
analysis tool is to have those tools SUID root and set up such that the
regular user domain can transition to the domains for those tools
automatically.
My laptop is mostly a SE Linux development machine so I keep an Xterm logged
in as sysadm_r all the time which is what I use for network sniffing etc.
However when I get SE Linux doing most of the things I want it to do I'll
probably cease working in this fashion and instead set it up such that I can
use user_r or staff_r...
> One basic question about policy, is this some configuration file that you
> develop based on your needs and then use it to compile a new kernel?
No, the policy is comprised of a set of policy files which are written with M4
macros. They are processed with M4 to produce a single policy.conf which is
then compiled into a binary form that the kernel can use. A new policy can
be loaded into the kernel at any time.
The NSA ship a set of default policy files which do most of the things you
will want to do, something more than a third of that is my work.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
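
The adjustment discussed in this message, letting the regular user domain transition automatically into the domain of a network tool, could be written along these lines in M4 policy source. This is an added example, not code from the thread or from the NSA example policy; the macro name user_tool_trans and the type names user_t, netutils_t and netutils_exec_t are assumptions, and the macro is a simplified stand-in for whatever the shipped policy macros grant.

```m4
dnl Constructed example: a simplified transition macro and one use of it.
dnl Assumed names: user_tool_trans (hypothetical macro), user_t,
dnl netutils_t, netutils_exec_t (type names assumed for illustration).
dnl
dnl user_tool_trans(source_domain, tool_file_type, tool_domain)
define(`user_tool_trans', `
# Default label for a process started by executing the tool binary.
type_transition $1 $2:process $3;
# The calling domain may read and execute the binary.
allow $1 $2:file { read getattr execute };
# The calling domain may move a process into the tool domain.
allow $1 $3:process transition;
# The tool domain can only be entered through this file type.
allow $3 $2:file entrypoint;
')dnl

# The user role must be authorised for the tool domain, otherwise the
# transition is denied even when the allow rules above are present.
role user_r types netutils_t;

# Expands to the four rules of the macro body with the names filled in.
user_tool_trans(user_t, netutils_exec_t, netutils_t)
```

Running the file through `m4` prints the expanded rules, which is the plain form that ends up in policy.conf before compilation.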