* SELinux Testing Software/Scripts
From: Alex Ackerman
Date: 2004-10-16 13:56 UTC
To: fedora-selinux-list, selinux; Cc: ackermal

This may sound like an odd request, but I am currently working on my master's thesis on the topic of SELinux integration into the workplace. Part of the analysis involves testing the security containment capabilities of SELinux; i.e., making sure that SELinux functions as advertised when dealing with events of escalating privilege. Does anyone on this list have any recommendations on scripts or programs which can test these capabilities? My test platforms are Fedora Core 3 (once released) and Red Hat Enterprise Linux v4.0 Beta 1.

My current thinking would be to downgrade certain packages (httpd, etc.) to a known vulnerable state and test, but I would like to know how the members on the list test their systems. Any help would be appreciated. I can be reached at ackermal at jmu dot edu or alex at darkhonor dot com if you would like to discuss this off-list.

Thank you for any assistance.

Alex Ackerman
James Madison University
* Re: SELinux Testing Software/Scripts
From: Daniel J Walsh
Date: 2004-10-16 14:41 UTC
To: Fedora SELinux support list for users & developers; Cc: selinux, ackermal

Alex Ackerman wrote:
> This may sound like an odd request, but I am currently working on my
> master's thesis on the topic of SELinux integration into the
> workplace. Part of the analysis involves testing the security
> containment capabilities of SELinux; i.e., making sure that SELinux
> functions as advertised when dealing with events of escalating
> privilege. Does anyone on this list have any recommendations on
> scripts or programs which can test these capabilities? My test
> platforms are Fedora Core 3 (once released) and Red Hat Enterprise
> Linux v4.0 Beta 1. My current thinking would be to downgrade certain
> packages (httpd, etc) to a known vulnerable state and test, but would
> like to know how the members on the list test their systems. Any help
> would be appreciated. I can be reached at ackermal at jmu dot edu or
> alex at darkhonor dot com if you would like to discuss this off-list.
> Thank you for any assistance.
>
> Alex Ackerman
>
> James Madison University

I don't have any test scripts, but I think rolling back the packages to one with a known vulnerability would work. But since one goal of a hacker is to get a root shell, you could use runcon with a shell script to simulate what would happen if a hacker was successful.

    runcon -t httpd_t /bin/sh

Of course I can only get this to work in permissive mode. Setting it to enforcing kills the shell since it can not access the tty.

I also get an error "execvp: Permission denied" in enforcing.

Dan

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
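The runcon idea in Dan's reply, carried through into a small probe harness. This is an added example, not code from the thread or from any SELinux project: it runs a handful of probe commands in the confined domain the way `runcon -t httpd_t /bin/sh` would, then reads the AVC records the kernel logs for that domain and reports what the policy denied. It is meant to be run in permissive mode, so every probe actually executes and every access the policy would have refused still shows up as a denial; in enforcing mode the exec itself fails, because runcon sets the exec context and then calls execvp, and the kernel requires the target domain to have `entrypoint` permission on the executable, which /bin/sh does not carry for httpd_t. The PROBES table, the probe names and the SAMPLE_AUDIT lines are constructed for this example; runcon, getenforce and ausearch are the real tools.

```python
import re
import subprocess
from collections import defaultdict

DOMAIN = "httpd_t"

# Constructed probe set: what an attacker holding a shell in httpd_t would try first.
PROBES = {
    "read_shadow":  "cat /etc/shadow",
    "write_config": "echo '# probe' >> /etc/httpd/conf/httpd.conf",
    "list_root":    "ls /root",
    "spawn_shell":  "/bin/sh -c id",
}

# Kernel AVC record: "avc:  denied  { perm perm } for  pid=... comm=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record; return None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def type_of(context):
    """user:role:type[:level] -> type."""
    parts = context.split(":") if context else []
    return parts[2] if len(parts) >= 3 else None


def denials_for(lines, domain=DOMAIN):
    """Denied (comm, class, target type) -> sorted permissions, for processes running in `domain`."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied" and type_of(rec["scontext"]) == domain:
            out[(rec["comm"], rec["tclass"], type_of(rec["tcontext"]))].update(rec["perms"])
    return {k: sorted(v) for k, v in out.items()}


def runcon_argv(domain, command):
    """The exec Dan describes, with the probe handed to the confined shell."""
    return ["runcon", "-t", domain, "--", "/bin/sh", "-c", command]


def run_probes(domain=DOMAIN):
    """Needs an SELinux host with runcon, getenforce and ausearch; not exercised by the tests."""
    mode = subprocess.run(["getenforce"], capture_output=True, text=True).stdout.strip()
    exit_codes = {}
    for name, cmd in PROBES.items():
        proc = subprocess.run(runcon_argv(domain, cmd), capture_output=True, text=True)
        exit_codes[name] = proc.returncode
    # One raw record per line for the last ten minutes.
    raw = subprocess.run(["ausearch", "-m", "AVC", "--raw", "-ts", "recent"],
                         capture_output=True, text=True).stdout.splitlines()
    return mode, exit_codes, denials_for(raw, domain)


# Constructed audit lines in the kernel's AVC format, standing in for ausearch output.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1097935000.101:17): avc:  denied  { read } for  pid=2311 comm="cat" name="shadow" dev=hda2 ino=131101 scontext=root:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1097935000.102:18): avc:  denied  { append write } for  pid=2312 comm="sh" name="httpd.conf" dev=hda2 ino=131250 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_config_t tclass=file
type=AVC msg=audit(1097935000.103:19): avc:  denied  { read write } for  pid=2310 comm="sh" path="/dev/pts/0" dev=devpts ino=3 scontext=root:system_r:httpd_t tcontext=root:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1097935000.104:20): avc:  granted  { read } for  pid=2313 comm="cat" name="index.html" scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
type=AVC msg=audit(1097935000.105:21): avc:  denied  { read } for  pid=2314 comm="cat" name="shadow" scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
"""

if __name__ == "__main__":
    for key, perms in sorted(denials_for(SAMPLE_AUDIT.splitlines()).items()):
        print("%-4s %-9s %-22s %s" % (key[0], key[1], key[2], " ".join(perms)))
```

The devpts_t denial against comm="sh" in the sample is the tty problem Dan mentions: the confined shell is not allowed to touch the caller's terminal. Driving the probes through subprocess pipes rather than an interactive tty keeps that noise out of the result you care about, which is the shadow_t and httpd_config_t lines. A "granted" record only appears when the policy contains an auditallow rule for that access; it is included in the sample so the parser is seen to ignore it.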
* Re: SELinux Testing Software/Scripts
From: Luke Kenneth Casson Leighton
Date: 2004-10-16 18:04 UTC
To: Alex Ackerman; Cc: fedora-selinux-list, selinux, ackermal

On Sat, Oct 16, 2004 at 09:56:41AM -0400, Alex Ackerman wrote:
> capabilities of SELinux; i.e., making sure that SELinux functions as
> advertised when dealing with events of escalating privilege.

just a comment [other than privilege means private law]: as i understand it, there is no "escalation" present in SE/Linux, only that assigned in the minds of us humans.

a good analogy for the way that SE/Linux works is door-cards and guards.

outside a building, you are given a door-card by a guard: depending on whether you are on a list, your door-card will now give you a) access to an entry point into the building, b) the right to go through certain doors inside that building.

at _some_ doors inside the building, there will be another guard. if you attempt to go through a door (assuming your card allows you to do that), the guard will, depending on whether you are on a list, TAKE AWAY your present card and GIVE YOU A TOTALLY DIFFERENT ONE.

that card might, or might not, give you the right to go back through the door you have just gone through (!).

so, you can enter the university building, use your card to get into the lecture theatre, but your card is taken away from you when you enter the lecture theatre, and the card you are given only allows you to go to the toilet or to the exit out of the building.

in this "world", there is no "escalation" as such. certain rooms are only allowed to be accessed by certain people who have certain cards: you can only get to a certain place via a specific route if you are the right person.

that's a bit different from "escalating privilege" because that implies hierarchy, which SE/Linux doesn't have, per se.

l.

p.s. if this analogy sounds a bit weird, to help you tie it into selinux, the guards swapping cards at doors is managed by "domain_auto_trans".
* Re: SELinux Testing Software/Scripts
From: Erich Schubert
Date: 2004-10-17 1:01 UTC
To: Luke Kenneth Casson Leighton; Cc: Alex Ackerman, fedora-selinux-list, selinux, ackermal

Hi,

> as i understand it, there is no "escalation" present in SE/Linux,
> only that assigned in the minds of us humans.
[...]
> that's a bit different from "escalating privilege" because that implies
> hierarchy, which SE/Linux doesn't have, per-se.

As long as you have roles with certain higher privileges (for example writing to configuration files, binding to arbitrary ports, loading a new policy...) there is privilege escalation. Privilege escalation just means getting more rights than you were supposed to get. You usually don't care about losing access rights, because you could have done things there earlier. It's only about getting a privilege you want to have.

Even in normal Linux, becoming root might give you less access rights in some specific cases, for example with NFS mounts that do root_squash. (Of course there may be ways of circumventing this; these may exist in SELinux, too.)

Another important aspect in the use of the term "privilege escalation" is doing multiple steps to get the privileges you really want. A typical theoretical example is using a game as nobody to get group access to games, then using this to exploit some game and finally get access to a user account (which could then be used to get further access rights), referring to the problem that by itself you wouldn't mind the "games" group rights; still, this may open new points of entry for an attacker.

Greetings,
Erich Schubert

--
erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C
A man doesn't know what he knows until he knows what he doesn't know.
Whoever no longer spends time with real friends will soon lose their balance. --- Michael Levine
* Re: SELinux Testing Software/Scripts
From: Luke Kenneth Casson Leighton
Date: 2004-10-17 14:04 UTC
To: Erich Schubert; Cc: Alex Ackerman, fedora-selinux-list, selinux, ackermal

On Sun, Oct 17, 2004 at 03:01:54AM +0200, Erich Schubert wrote:
> Hi,
>
> > as i understand it, there is no "escalation" present in SE/Linux,
> > only that assigned in the minds of us humans.
> [...]
> > that's a bit different from "escalating privilege" because that implies
> > hierarchy, which SE/Linux doesn't have, per-se.
>
> As long as you have roles with certain higher privileges (for example
> writing to configuration files, binding to arbitrary ports, loading a
> new policy...) there is privilege escalation.
> Privilege escalation just means getting more rights than you were
> supposed to get.

oh right, okay: then my statement is incorrect and it is more that policy writers need to get their policies right, by not allowing more than is needed!

> You usually don't care about losing access rights,
> because you could have done things there earlier. Its only about getting
> a privilege you want to have.

my point is that selinux allows that [to go from one domain to the next, losing all previous rights of the prior domain and gaining those of the next domain]. which is not a "normal" security system so to speak: i'd consider "normal" to be that you get given more privileges by going to a "higher" privileged state [but i'm not saying "normal" is "good"].

l.

--
Truth, honesty and respect are rare commodities that all spring from the same well: Love. If you love yourself and everyone and everything around you, funnily and coincidentally enough, life gets a lot better.
lkcl.net -- lkcl@lkcl.net
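The card-swapping analogy and the point about a domain transition dropping the previous domain's rights, as an added example that is not part of the thread or of any SELinux policy: a toy model in Python of the three checks behind a domain_auto_trans rule (the caller may execute the file, the caller may transition to the new domain, the new domain may be entered through that file), followed by a rights diff between the old and new domain. Type names follow the thread; the rule set is constructed and far smaller than any real policy. The same model reproduces why `runcon -t httpd_t /bin/sh` fails in enforcing mode: /bin/sh is bin_t, and httpd_t has no entrypoint permission on it.

```python
from collections import defaultdict


class TEPolicy:
    """Toy type-enforcement policy: allow rules plus automatic domain transitions."""

    def __init__(self):
        self.allow = defaultdict(set)   # (source, target, class) -> permissions
        self.auto_trans = {}            # (source domain, executable type) -> new domain

    def allow_rule(self, src, tgt, cls, perms):
        self.allow[(src, tgt, cls)].update(perms)

    def domain_auto_trans(self, src, exec_type, new):
        """Simplified expansion of the example policy's domain_auto_trans macro:
        src may execute the file, src may transition to new, new may be entered
        via the file, and executing the file transitions automatically."""
        self.allow_rule(src, exec_type, "file", {"getattr", "execute"})
        self.allow_rule(src, new, "process", {"transition"})
        self.allow_rule(new, exec_type, "file", {"entrypoint"})
        self.auto_trans[(src, exec_type)] = new

    def check(self, src, tgt, cls, perm):
        return perm in self.allow[(src, tgt, cls)]

    def exec_file(self, domain, exec_type, requested=None):
        """Domain a process in `domain` lands in after executing a file of type
        `exec_type`, or None if the kernel would refuse the exec.  `requested`
        models runcon's setexeccon(): an explicitly asked-for target domain."""
        if not self.check(domain, exec_type, "file", "execute"):
            return None
        new = requested or self.auto_trans.get((domain, exec_type), domain)
        if new == domain:  # no card swap: the file must be runnable without a transition
            return domain if self.check(domain, exec_type, "file", "execute_no_trans") else None
        if not self.check(domain, new, "process", "transition"):
            return None
        if not self.check(new, exec_type, "file", "entrypoint"):
            return None    # the check runcon -t httpd_t /bin/sh fails in enforcing mode
        return new

    def rights(self, domain):
        return {(tgt, cls, p) for (s, tgt, cls), perms in self.allow.items() if s == domain for p in perms}


def rights_diff(policy, old, new):
    """What a process loses and gains when the guard swaps its card from old to new."""
    r_old, r_new = policy.rights(old), policy.rights(new)
    return sorted(r_old - r_new), sorted(r_new - r_old)


def build_policy():
    """Constructed rule set using the thread's type names; far smaller than any real policy."""
    p = TEPolicy()
    broad = {"read", "getattr", "execute", "execute_no_trans"}
    for t in ("shadow_t", "httpd_config_t", "bin_t", "httpd_exec_t", "httpd_sys_content_t"):
        p.allow_rule("unconfined_t", t, "file", broad)
    p.allow_rule("unconfined_t", "httpd_config_t", "file", {"write"})
    # Running the httpd binary is the door with a guard: unconfined_t -> httpd_t.
    p.domain_auto_trans("unconfined_t", "httpd_exec_t", "httpd_t")
    # httpd_t's card: read its config and content, run /bin/sh (bin_t) for CGI, nothing else.
    p.allow_rule("httpd_t", "httpd_config_t", "file", {"read", "getattr"})
    p.allow_rule("httpd_t", "httpd_sys_content_t", "file", {"read", "getattr"})
    p.allow_rule("httpd_t", "bin_t", "file", {"read", "getattr", "execute", "execute_no_trans"})
    return p


if __name__ == "__main__":
    p = build_policy()
    d = p.exec_file("unconfined_t", "httpd_exec_t")
    print("exec httpd from unconfined_t ->", d)
    lost, gained = rights_diff(p, "unconfined_t", d)
    print("lost:", lost)
    print("gained:", gained)
    print("runcon -t httpd_t /bin/sh from unconfined_t ->", p.exec_file("unconfined_t", "bin_t", requested="httpd_t"))
    print("/bin/sh from httpd_t stays in ->", p.exec_file("httpd_t", "bin_t"))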
end of thread, other threads:[~2004-10-17 13:53 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2004-10-16 13:56 SELinux Testing Software/Scripts Alex Ackerman 2004-10-16 14:41 ` Daniel J Walsh 2004-10-16 18:04 ` Luke Kenneth Casson Leighton 2004-10-17 1:01 ` Erich Schubert 2004-10-17 14:04 ` Luke Kenneth Casson Leighton
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.