paranoid FC3 setup: banning all login access (!)

paranoid FC3 setup: banning all login access (!)

[Luke Kenneth Casson Leighton]

hi,

i have a requirement for setting up a server that might even ban
logins - even admin logins.

the only things that should be allowed are reboot (ctrl-alt-delete at
console) and services (e.g apache).

my question is, therefore: is it possible to _conveniently_
load a completely different selinux policy file (by typing
"linux init 3" or other incantation at the grub prompt)

what i want to be able to do is say to my customer "yes, in
order to do upgrades and maintenance, you press ctrl-alt-delete,
selection option 2) on the boot-loader menu, and you will be
dropped into standard admin mode.  when you are done, reboot
again and let it go back into 'paranoid' mode")

can anyone help advise?

ta,

l.

-- 
--
<a href="http://lkcl.net">http://lkcl.net</a>
--

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: paranoid FC3 setup: banning all login access (!)

[David Caplan]

Luke Kenneth Casson Leighton wrote:
> hi,
> 
> i have a requirement for setting up a server that might even ban
> logins - even admin logins.
> 
> the only things that should be allowed are reboot (ctrl-alt-delete at
> console) and services (e.g apache).
> 
> my question is, therefore: is it possible to _conveniently_
> load a completely different selinux policy file (by typing
> "linux init 3" or other incantation at the grub prompt)
> 
> what i want to be able to do is say to my customer "yes, in
> order to do upgrades and maintenance, you press ctrl-alt-delete,
> selection option 2) on the boot-loader menu, and you will be
> dropped into standard admin mode.  when you are done, reboot
> again and let it go back into 'paranoid' mode")
> 
> can anyone help advise?
> 

How about using a conditional expression (aka "boolean")?  That way you can 
have a whole chunk of plicy that gets turned on only when you need it 
(maintenance mode).  All of the types would always be defined, but the 
rules would only be active when the conditional expression/boolean is 
turned on/off.  That way you also don't run into the labeling insanity you 
might encounter with two distinct policies.

David

-- 
__________________________________

David Caplan     410 290 1411 x105
dac@tresys.com
Tresys Technology, LLC
8840 Stanford Blvd., Suite 2100
Columbia, MD 21045

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: paranoid FC3 setup: banning all login access (!)

[Luke Kenneth Casson Leighton]

On Mon, Dec 20, 2004 at 02:27:45PM -0500, David Caplan wrote:

> Luke Kenneth Casson Leighton wrote:
> >hi,
> >
> >i have a requirement for setting up a server that might even ban
> >logins - even admin logins.

> How about using a conditional expression (aka "boolean")?  That way you can 
> have a whole chunk of plicy that gets turned on only when you need it 
> (maintenance mode).  

 that's a bleeding good idea.  thanks.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: paranoid FC3 setup: banning all login access (!)

[Valdis.Kletnieks]

[-- Attachment #1: Type: text/plain, Size: 544 bytes --]

On Mon, 20 Dec 2004 16:00:39 GMT, Luke Kenneth Casson Leighton said:
> hi,
> 
> i have a requirement for setting up a server that might even ban
> logins - even admin logins.
> 
> the only things that should be allowed are reboot (ctrl-alt-delete at
> console) and services (e.g apache).

Umm.. how about this:

# chkconfig sshd off
# chkconfig telnetd off

and then 'grep -v getty' to remove those from /etc/inittab?

Leave the ctrl-alt-del entry in inittab, and have a grub entry
that boots with init=/bin/bash or similar single-user setup.


[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]

Re: paranoid FC3 setup: banning all login access (!)

[Luke Kenneth Casson Leighton]

On Tue, Dec 21, 2004 at 11:06:41PM -0500, Valdis.Kletnieks@vt.edu wrote:

> On Mon, 20 Dec 2004 16:00:39 GMT, Luke Kenneth Casson Leighton said:
> > hi,
> > 
> > i have a requirement for setting up a server that might even ban
> > logins - even admin logins.
> > 
> > the only things that should be allowed are reboot (ctrl-alt-delete at
> > console) and services (e.g apache).
> 
> Umm.. how about this:
> 
> # chkconfig sshd off
> # chkconfig telnetd off
> 
> and then 'grep -v getty' to remove those from /etc/inittab?

 that's the practical side: thank you.

 i hope to recommend removing even the selinux policy that
 allows getty, sshd, telnetd and other login mechanisms from
 being run by users (!)

 
> Leave the ctrl-alt-del entry in inittab, and have a grub entry
> that boots with init=/bin/bash or similar single-user setup.
 
 ... with enable=0 most likely for simplicity, and no networking.

 the key issue is whether the customer says that running
 "enable=0" in that single-user no-networking mode is okay.

 if they say "no it isn't" then i will need to go further, as
 david caplan recommends, by instead of removing the selinux
 policy for getty, to enable it via a dynamic boolean.

 l.

-- 
--
<a href="http://lkcl.net">http://lkcl.net</a>
--

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.