* Is SELinux appropriate for my use?
From: Tetsuji Maverick Rai @ 2006-05-16 17:33 UTC (permalink / raw)
To: selinux
Hi,
I'm considering SELinux on my Gentoo box, if it's worth installing.
My box is running apache2 with phpBB forum with mysql. So only http
server is accessible from the Internet. But I may begin to allow ssh
access.
I am dubious SELinux is necessary if I use only apache2 with phpBB and
other php based web applications. Am I correct? I am the only shell
user of the machine.
My understanding is SELinux is effective on a multi-user box. Is it
effective when a hacker (cracker) tries to hack into my site using phpBB
or any other http based apps' vulnerabilities, executing his/her own
code? Actually an older version of phpBB had a vulnerability to run
arbitrary linux commands with apache permission. If any such
vulnerability is found in the future, is SELinux effective?
Thanks in advance.
//tmr
--
Tetsuji 'Maverick' Rai
Main http://maverick6664.bravehost.com/
Profile:
http://setiweb.ssl.berkeley.edu/beta/view_profile.php?userid=123
pubkey http://mav.atspace.com/tmr_at_gmail.txt
PGP Key ID: 82335CD9
Key fingerprint = 41CA 94B4 2A89 3FF1 5B11 BC37 D597 E667 8233 5CD9
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Is SELinux appropriate for my use?
From: Russell Coker @ 2006-05-17 5:58 UTC (permalink / raw)
To: Tetsuji Maverick Rai; +Cc: selinux
On Wednesday 17 May 2006 03:33, Tetsuji Maverick Rai
<tetsuji.maverick.rai@gmail.com> wrote:
> I am dubious SELinux is necessary if I use only apache2 with phpBB and
> other php based web applications. Am I correct? I am the only shell
> user of the machine.
If an attacker cracks phpBB (which has been done before as you note) then
without SE Linux there is no restriction on their ability to try and crack
SETUID programs on the system. When running SE Linux Apache is not permitted
to run /bin/passwd and other privileged programs so that someone who cracks
phpBB can not go on to attack such programs.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: Is SELinux appropriate for my use?
From: Tetsuji Maverick Rai @ 2006-05-18 20:05 UTC (permalink / raw)
To: russell; +Cc: selinux
Russell Coker wrote:
> On Wednesday 17 May 2006 03:33, Tetsuji Maverick Rai
> <tetsuji.maverick.rai@gmail.com> wrote:
>> I am dubious SELinux is necessary if I use only apache2 with phpBB and
>> other php based web applications. Am I correct? I am the only shell
>> user of the machine.
>
> If an attacker cracks phpBB (which has been done before as you note) then
> without SE Linux there is no restriction on their ability to try and crack
> SETUID programs on the system. When running SE Linux Apache is not permitted
> to run /bin/passwd and other privileged programs so that someone who cracks
> phpBB can not go on to attack such programs.
>
Thank you for your reply. But I still wonder....
What if apache's permission is set so that it isn't allowed to execute
most commands? But actually most commands (i.e. even cat, ls) can be
dangerous, because it will display files containing mysql password. So
does SELinux exist to prevent attackers from executing these "usual"
programs with http server's permissions(role)? If so, I can understand
a bit....actually I understand this is secure.
And what's more?
I am writing this because SELinux isn't available with my favorite
reiserfs. I need to use xfs or jfs to use SELinux (I don't like
ext2/3). If reiserfs is compatible with SELinux, I'm sure I use
SELinux....or I am wondering I should move to jfs...(xfs is too slow.)
Regards,
-tetsuji
* Re: Is SELinux appropriate for my use?
From: Valdis.Kletnieks @ 2006-05-19 7:08 UTC (permalink / raw)
To: Tetsuji Maverick Rai; +Cc: russell, selinux
On Fri, 19 May 2006 05:05:17 +0900, Tetsuji Maverick Rai said:
> What if apache's permission is set so that it isn't allowed to execute
> most commands? But actually most commands (i.e. even cat, ls) can be
> dangerous, because it will display files containing mysql password. So
> does SELinux exist to prevent attackers from executing these "usual"
> programs with http server's permissions(role)? If so, I can understand
> a bit....actually I understand this is secure.
Remember - the design of SELinux is that *nothing* is permitted, unless
there's something in the policy that specifically says it's allowed.
So Apache can't even run /bin/cat unless there is a rule that says something
in httpd_t context (apache) is allowed to run bin_t binaries (bin_t includes
most common binaries). However, /bin/ls *isn't* a bin_t, there's a separate
ls_exec_t for it, so things like ftpd can be restricted to be able to
run /bin/ls, but not other things in /bin.
(Aside for the list - anybody know why ftp.te in the 2.2.40 strict policy has:
corecmd_exec_bin(ftpd_t)
corecmd_exec_sbin(ftpd_t)
# Execute /bin/ls (can comment this out for proftpd)
# also may need rules to allow tar etc...
corecmd_exec_ls(ftpd_t)
I know why ftpd's traditionally need /bin/ls - what are exec_bin and
exec_sbin there for?)
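Added example (not part of the thread or of any shipped SELinux policy): a minimal Python model of the default-deny check described in the message above, where an exec is permitted only if an allow rule names it. The allow rules, the file-label map, passwd_exec_t as the label for /bin/passwd and the ftpd_wide_t domain are constructed for illustration; attributes, domain transitions, booleans and constraints are left out.

```python
import re

# Constructed rules in the style of `allow` statements; not from a real policy.
SAMPLE_RULES = """
allow httpd_t httpd_exec_t:file { read getattr execute entrypoint };
allow httpd_t httpd_sys_content_t:file { read getattr };
allow ftpd_t ls_exec_t:file { read getattr execute execute_no_trans };
allow ftpd_t public_content_t:file { read getattr };
# ftpd_wide_t is hypothetical: a domain granted execute on all three types.
allow ftpd_wide_t { bin_t sbin_t ls_exec_t }:file { read getattr execute };
"""

# Constructed path-to-type map: bin_t and ls_exec_t as named in the thread,
# passwd_exec_t assumed as the label for /bin/passwd.
FILE_LABELS = {
    "/bin/cat": "bin_t",
    "/bin/ls": "ls_exec_t",
    "/bin/passwd": "passwd_exec_t",
}

# One rule field: either a single name or a brace-enclosed set of names.
F = r"(\{[^}]*\}|[^\s:;{}]+)"
RULE_RE = re.compile(rf"^allow\s+{F}\s+{F}\s*:\s*{F}\s+{F}\s*;$")


def names(field):
    """Expand 'x' or '{ x y }' into a set of names."""
    return set(field.strip("{} ").split())


def parse_policy(text):
    """Return the set of (source, target, class, permission) tuples granted."""
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        src, tgt, cls, perms = (names(g) for g in m.groups())
        allowed.update((s, t, c, p)
                       for s in src for t in tgt for c in cls for p in perms)
    return allowed


def is_allowed(allowed, source, target, tclass, perm):
    """Default deny: access exists only if some rule granted exactly this."""
    return (source, target, tclass, perm) in allowed


def can_run(allowed, domain, path):
    """May `domain` execute the file at `path`? Unlabelled paths are denied."""
    label = FILE_LABELS.get(path)
    return label is not None and is_allowed(allowed, domain, label, "file", "execute")


def executable_types(allowed, domain):
    """List every file type the domain has been granted execute on."""
    return sorted(t for (s, t, c, p) in allowed
                  if s == domain and c == "file" and p == "execute")


POLICY = parse_policy(SAMPLE_RULES)

if __name__ == "__main__":
    for domain in ("httpd_t", "ftpd_t", "ftpd_wide_t"):
        for path in FILE_LABELS:
            verdict = "allowed" if can_run(POLICY, domain, path) else "denied"
            print(f"{domain:12} exec {path:12} -> {verdict}")
```
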
* Re: Is SELinux appropriate for my use?
From: Russell Coker @ 2006-05-19 9:58 UTC (permalink / raw)
To: Tetsuji Maverick Rai; +Cc: selinux
On Friday 19 May 2006 06:05, Tetsuji Maverick Rai
<tetsuji.maverick.rai@gmail.com> wrote:
> Thank you for your reply. But I still wonder....
>
> What if apache's permission is set so that it isn't allowed to execute
> most commands? But actually most commands (i.e. even cat, ls) can be
> dangerous, because it will display files containing mysql password. So
> does SELinux exist to prevent attackers from executing these "usual"
> programs with http server's permissions(role)? If so, I can understand
> a bit....actually I understand this is secure.
Firstly, let's not consider cat etc (because with some difficulty we can
prevent access to them). Let's consider direct reads of files by the
application.
Say for example that you have a text file with a MySQL password that is read
by PHP code to connect to the database and you don't want some PHP code that
has been exploited to read it and provide it to an attacker. There is
nothing we can do about this as all PHP code is run in the same process
context.
One thing I would like to see is a PHP equivalent to Tomcat. There is a
cgi-bin version of PHP but that delivers less performance and also didn't
provide equal functionality last time I tested (I tried to run Imp on it and
failed for an unknown reason). If PHP code ran in a separate process then
Apache could connect to that process via HTTP and then the PHP server could
run in a different SE Linux domain and different UID to the main Apache
process. But this still wouldn't solve your problem as all PHP scripts would
run in the same context and one cracked PHP script could access all data
that's available to any PHP script.
Of course ideally you could have multiple PHP servers on one machine and have
them run with different privs.
> And what's more?
>
> I am writing this because SELinux isn't available with my favorite
> reiserfs. I need to use xfs or jfs to use SELinux (I don't like
> ext2/3). If reiserfs is compatible with SELinux, I'm sure I use
> SELinux....or I am wondering I should move to jfs...(xfs is too slow.)
Last time I tried ReiserFS an install of Fedora with SE Linux on a ReiserFS
root would fail badly (the install would be corrupted and it wouldn't work
without SE Linux either). But when I installed on ReiserFS without SE Linux
and then converted the machine to SE Linux then it worked OK.
It seems that recent kernel changes broke ReiserFS again, I just did a test on
the latest rawhide kernel with a policy modified to support labelling on
ReiserFS (the policy in rawhide labels all ReiserFS objects as nfs_t as
ReiserFS is known to be broken) and created files got the label file_t.
I believe that JFS is in maintenance mode which makes it less desirable for
future use. While it apparently performs reasonably under extremely high
load its performance in most situations lags behind the other filesystems.
XFS works for me, I have some Cobalt machines that won't boot from an ext2/3
filesystem that is used by SE Linux and XFS works well on them.
* Re: Is SELinux appropriate for my use?
From: Russell Coker @ 2006-05-19 13:54 UTC (permalink / raw)
To: Valdis.Kletnieks; +Cc: Tetsuji Maverick Rai, selinux
On Friday 19 May 2006 17:08, Valdis.Kletnieks@vt.edu wrote:
> (Aside for the list - anybody know why ftp.te in the 2.2.40 strict policy
> has:
>
> corecmd_exec_bin(ftpd_t)
> corecmd_exec_sbin(ftpd_t)
> # Execute /bin/ls (can comment this out for proftpd)
> # also may need rules to allow tar etc...
> corecmd_exec_ls(ftpd_t)
>
> I know why ftpd's traditionally need /bin/ls - what are exec_bin and
> exec_sbin there for?)
Traditionally ftp servers (IE the wuftpd) have supported "get file.gz" and
"get directory.tar.gz" and the FTP server would have to execute programs
from /bin and /usr/bin accordingly. This means that for the full ftpd
functionality corecmd_exec_bin is required.
As for sbin, I'm not sure about that.
Incidentally I still don't think that we need separation of sbin_t and bin_t.
The choice of which programs go in which directories is rather arbitrary and
is not based on security criteria. We have no expectation that sbin_t and
bin_t will have different integrity (the system integrity entirely depends on
the integrity of both those types) and we also expect that there is no secret
data labeled with either of those types. So it seems to me that making
sbin_t and ls_exec_t both aliases for bin_t would be the correct thing to do.
PS Valdis, if you want to send email to me directly then you need to send it
through a mail server on a fixed IP address. My mail server will reject
connections from any machine that is in a dialup range.
* Re: Is SELinux appropriate for my use?
From: Tetsuji Maverick Rai @ 2006-05-19 17:34 UTC (permalink / raw)
To: Valdis.Kletnieks; +Cc: russell, selinux
Valdis.Kletnieks@vt.edu wrote:
> On Fri, 19 May 2006 05:05:17 +0900, Tetsuji Maverick Rai said:
>
>> What if apache's permission is set so that it isn't allowed to execute
>> most commands? But actually most commands (i.e. even cat, ls) can be
>> dangerous, because it will display files containing mysql password. So
>> does SELinux exist to prevent attackers from executing these "usual"
>> programs with http server's permissions(role)? If so, I can understand
>> a bit....actually I understand this is secure.
>
> Remember - the design of SELinux is that *nothing* is permitted, unless
> there's something in the policy that specifically says it's allowed.
> So Apache can't even run /bin/cat unless there is a rule that says something
> in httpd_t context (apache) is allowed to run bin_t binaries (bin_t includes
> most common binaries). However, /bin/ls *isn't* a bin_t, there's a separate
> ls_exec_t for it, so things like ftpd can be restricted to be able to
> run /bin/ls, but not other things in /bin.
>
Thank you for clarifying that. I understand it's very secure in
invoking other commands from PHP. Then how about this situation? PHP
itself has several functions that manipulate files and mysql databases (of
course there are many more, but I use mainly mysql). I guess *if* PHP
is hacked, arbitrary mysql functions (and others) are executed freely,
and my mysql database can be damaged. Is it right?
-Tetsuji
* Re: Is SELinux appropriate for my use?
From: Christopher J. PeBenito @ 2006-05-19 18:03 UTC (permalink / raw)
To: russell; +Cc: Valdis.Kletnieks, Tetsuji Maverick Rai, selinux
On Fri, 2006-05-19 at 23:54 +1000, Russell Coker wrote:
> Incidentally I still don't think that we need separation of sbin_t and bin_t.
> The choice of which programs go in which directories is rather arbitrary and
> is not based on security criteria. We have no expectation that sbin_t and
> bin_t will have different integrity (the system integrity entirely depends on
> the integrity of both those types) and we also expect that there is no secret
> data labeled with either of those types. So it seems to me that making
> sbin_t and ls_exec_t both aliases for bin_t would be the correct thing to do.
I agree. The file contexts would need to be updated, and the interfaces
that deal with sbin_t and ls_exec_t would need an m4 errprint() to warn
that the interfaces are deprecated and say what the new interface to
use, in addition to the alias. Care to make a patch Russell?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Is SELinux appropriate for my use?
From: Christopher J. PeBenito @ 2006-05-19 18:08 UTC (permalink / raw)
To: russell; +Cc: Valdis.Kletnieks, Tetsuji Maverick Rai, selinux
On Fri, 2006-05-19 at 14:03 -0400, Christopher J. PeBenito wrote:
> The file contexts would need to be updated, and the interfaces
> that deal with sbin_t and ls_exec_t would need an m4 errprint() to warn
> that the interfaces are deprecated and say what the new interface to
> use, in addition to the alias.
Also the callers of the deprecated interfaces should be fixed.
* Re: Is SELinux appropriate for my use?
From: Valdis.Kletnieks @ 2006-05-21 3:47 UTC (permalink / raw)
To: russell; +Cc: Tetsuji Maverick Rai, selinux
On Fri, 19 May 2006 23:54:27 +1000, Russell Coker said:
> On Friday 19 May 2006 17:08, Valdis.Kletnieks@vt.edu wrote:
> > (Aside for the list - anybody know why ftp.te in the 2.2.40 strict policy
> > has:
> >
> > corecmd_exec_bin(ftpd_t)
> > corecmd_exec_sbin(ftpd_t)
> > # Execute /bin/ls (can comment this out for proftpd)
> > # also may need rules to allow tar etc...
> > corecmd_exec_ls(ftpd_t)
> >
> > I know why ftpd's traditionally need /bin/ls - what are exec_bin and
> > exec_sbin there for?)
>
> Traditionally ftp servers (IE the wuftpd) have supported "get file.gz" and
> "get directory.tar.gz" and the FTP server would have to execute programs
> from /bin and /usr/bin accordingly. This means that for the full ftpd
> functionality corecmd_exec_bin is required.
OK.. so exec_bin is there because nobody has done the work to tag tar/zcat
similar to the existing tagging of /bin/ls.
> Incidentally I still don't think that we need separation of sbin_t and bin_t.
> The choice of which programs go in which directories is rather arbitrary and
> is not based on security criteria. We have no expectation that sbin_t and
> bin_t will have different integrity (the system integrity entirely depends on
> the integrity of both those types) and we also expect that there is no secret
> data labeled with either of those types. So it seems to me that making
> sbin_t and ls_exec_t both aliases for bin_t would be the correct thing to do.
I agree that sbin_t and bin_t should be merged - the original bin vs sbin
distinction was that "user stuff in bin, stuff used by admins in sbin". But
then stuff like 'ping' ended up in sbin and blurred things.
I'm not sure if ls_exec_t should go - the alternative is to also tag 'tar'
and 'zcat' and whatever else is needed by FTP servers that support the
automagic .tar.gz stuff.
> PS Valdis, if you want to send email to me directly then you need to send it
> through a mail server on a fixed IP address. My mail server will reject
> connections from any machine that is in a dialup range.
Darn. I thought I taught my laptop to DTRT if it realized it was at home
on DSL. Wonder what I busticated.
* Re: Is SELinux appropriate for my use?
From: Russell Coker @ 2006-05-21 7:59 UTC (permalink / raw)
To: Valdis.Kletnieks; +Cc: Tetsuji Maverick Rai, selinux
On Sunday 21 May 2006 13:47, Valdis.Kletnieks@vt.edu wrote:
> > > I know why ftpd's traditionally need /bin/ls - what are exec_bin and
> > > exec_sbin there for?)
> >
> > Traditionally ftp servers (IE the wuftpd) have supported "get file.gz" and
> > "get directory.tar.gz" and the FTP server would have to execute programs
> > from /bin and /usr/bin accordingly. This means that for the full ftpd
> > functionality corecmd_exec_bin is required.
>
> OK.. so exec_bin is there because nobody has done the work to tag tar/zcat
> similar to the existing tagging of /bin/ls.
I don't think that we want to go down that path. Having separate rules for
every program that wants to call tar or gzip will be painful and cause
pointless increases in policy size.
> > Incidentally I still don't think that we need separation of sbin_t and
> > bin_t. The choice of which programs go in which directories is rather
> > arbitrary and is not based on security criteria. We have no expectation
> > that sbin_t and bin_t will have different integrity (the system integrity
> > entirely depends on the integrity of both those types) and we also expect
> > that there is no secret data labeled with either of those types. So it
> > seems to me that making sbin_t and ls_exec_t both aliases for bin_t would
> > be the correct thing to do.
>
> I agree that sbin_t and bin_t should be merged - the original bin vs sbin
> distinction was that "user stuff in bin, stuff used by admins in sbin". But
> then stuff like 'ping' ended up in sbin and blurred things.
Ping is in /bin on my system, ping would not blur things in the case of SE
Linux because it has its own type for other (and better) reasons.
> I'm not sure if ls_exec_t should go - the alternative is to also tag 'tar'
> and 'zcat' and whatever else is needed by FTP servers that support the
> automagic .tar.gz stuff.
If bin_t and sbin_t should be merged (as I believe they should) then ls_exec_t
should definitely go!