new to selinux

new to selinux

[Bryan Harris]

Hello,

I'm wondering if it is possible to use selinux network & process labeling, iptables, and something like /usr/bin/script to create an environment where we can enforce session recording for ssh sessions.

We will soon have a requirement to record our actions on customer environments, but at the same time we also need to block users who have not activated the recording.  Is selinux policy an appropriate way to accomplish these requirements?  I'd like to search for the details and learn more, but if I'm taking the wrong approach I'd like to know that before starting out.

Any guidance is greatly appreciated.  Thanks in advance.

V/r,
Bryan

Re: new to selinux

[Ilya Frolov]

[-- Attachment #1: Type: text/plain, Size: 1448 bytes --]

On Fri, Jan 10, 2014 at 1:16 PM, Bryan Harris <bryanlharris@me.com> wrote:

> Hello,
>
> I'm wondering if it is possible to use selinux network & process labeling,
> iptables, and something like /usr/bin/script to create an environment where
> we can enforce session recording for ssh sessions.
>
> We will soon have a requirement to record our actions on customer
> environments, but at the same time we also need to block users who have not
> activated the recording.  Is selinux policy an appropriate way to
> accomplish these requirements?  I'd like to search for the details and
> learn more, but if I'm taking the wrong approach I'd like to know that
> before starting out.
>
> Any guidance is greatly appreciated.  Thanks in advance.
>
> V/r,
> Bryan
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
>

Hello Bryan,

have a look at ttyrec -- you can set it as shell to do ssh session
recording per-user and without fiddling in kernel space, and you can
enforce it that way even without selinux for non-root users.

If you are interested in restricting root user and maybe play with the live
system -- feel free to contact me offlist, i've done the similar things for
my selinux playbox, and (i'll check now) i think its still alive.


regards,
ilya

[-- Attachment #2: Type: text/html, Size: 2184 bytes --]

Re: new to selinux

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/10/2014 04:33 AM, Ilya Frolov wrote:
> On Fri, Jan 10, 2014 at 1:16 PM, Bryan Harris <bryanlharris@me.com 
> <mailto:bryanlharris@me.com>> wrote:
> 
> Hello,
> 
> I'm wondering if it is possible to use selinux network & process labeling, 
> iptables, and something like /usr/bin/script to create an environment
> where we can enforce session recording for ssh sessions.
> 
> We will soon have a requirement to record our actions on customer 
> environments, but at the same time we also need to block users who have
> not activated the recording.  Is selinux policy an appropriate way to
> accomplish these requirements?  I'd like to search for the details and
> learn more, but if I'm taking the wrong approach I'd like to know that
> before starting out.
> 
> Any guidance is greatly appreciated.  Thanks in advance.
> 
> V/r, Bryan _______________________________________________ Selinux mailing
> list Selinux@tycho.nsa.gov <mailto:Selinux@tycho.nsa.gov> To unsubscribe,
> send email to Selinux-leave@tycho.nsa.gov 
> <mailto:Selinux-leave@tycho.nsa.gov>. To get help, send an email containing
> "help" to Selinux-request@tycho.nsa.gov
> <mailto:Selinux-request@tycho.nsa.gov>.
> 
> 
> Hello Bryan,
> 
> have a look at ttyrec -- you can set it as shell to do ssh session
> recording per-user and without fiddling in kernel space, and you can
> enforce it that way even without selinux for non-root users.
> 
> If you are interested in restricting root user and maybe play with the
> live system -- feel free to contact me offlist, i've done the similar
> things for my selinux playbox, and (i'll check now) i think its still
> alive.
> 
> 
> regards, ilya
> 
> 
> 
> _______________________________________________ Selinux mailing list 
> Selinux@tycho.nsa.gov To unsubscribe, send email to
> Selinux-leave@tycho.nsa.gov. To get help, send an email containing "help"
> to Selinux-request@tycho.nsa.gov.
> 
You might want to look at pam_tty_audit also.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLP+eoACgkQrlYvE4MpobMrGgCbBYR6SKD+9jMAi55fWDZ7t9gE
H/oAoJ+qhVbE4go/k59SBwyJCA/ViUoR
=GPVQ
-----END PGP SIGNATURE-----

Re: new to selinux

[Stephen Smalley]

On 01/10/2014 04:16 AM, Bryan Harris wrote:
> Hello,
> 
> I'm wondering if it is possible to use selinux network & process labeling, iptables, and something like /usr/bin/script to create an environment where we can enforce session recording for ssh sessions.
> 
> We will soon have a requirement to record our actions on customer environments, but at the same time we also need to block users who have not activated the recording.  Is selinux policy an appropriate way to accomplish these requirements?  I'd like to search for the details and learn more, but if I'm taking the wrong approach I'd like to know that before starting out.
> 
> Any guidance is greatly appreciated.  Thanks in advance.

I think linux-audit is where you want to be,
https://www.redhat.com/mailman/listinfo/linux-audit

new to selinux

[nitin kanaskar]

hi all...
i ve started reading selinux papers
and am interested in contributing
in any area listed in the section
'remaining work' of the site.
Could anybody provide any suggestions?

Regards
Nitin

_________________________________________________________________
Logon to MSN Games http://www.msngamez.com/in/gamezone/ Enjoy unlimited 
action


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: new to selinux

[Stephen Smalley]

On Wed, 2005-08-10 at 21:18 +0530, nitin kanaskar wrote:
> hi all...
> i ve started reading selinux papers
> and am interested in contributing
> in any area listed in the section
> 'remaining work' of the site.
> Could anybody provide any suggestions?

Depends on your skills and interests, naturally.  That page is only
updated periodically, and is fairly generic - it is likely better to
scan the recent mailing list archives
(http://marc.theaimsgroup.com/?l=selinux is more up-to-date than the
only periodically updated ones on nsa.gov) for areas of current
activity.  A natural first step is just getting a SELinux system up and
running and gain some familiarity with using and configuring it.  Some
resources are listed at http://selinux.sf.net.  Some possible areas
where you might contribute include:

- Testing and expanding the reference policy.  See
http://serefpolicy.sourceforge.net/.

- Contribute to ongoing work to improve libsepol and create a management
infrastructure.  See 
http://marc.theaimsgroup.com/?l=selinux&m=112265972617608&w=2
as well as other discussions on the list about that work.
Note that you need to work relative to the CVS tree of the sourceforge
selinux site for any such development, see
http://sourceforge.net/cvs/?group_id=21266

- Add testcases to the SELinux testsuite in the LTP.  See
http://marc.theaimsgroup.com/?l=selinux&m=112230493816120&w=2

- Test and contribute to the ongoing polyinstantiation support
development.  See
http://marc.theaimsgroup.com/?l=selinux&m=112169238725927&w=2

- Test and contribute to various externally developed policy tools to
make them more useable.  See
http://www.tresys.com/selinux/selinux_policy_tools.html
http://www.mitre.org/tech/selinux/
http://seedit.sourceforge.net/

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New to SELinux

[M. H.]

>For example, the next NSA release should include the new sock
>hooks, a reliable accept_secure implementation

When is the next release expected to come out?

Thanks,

M.H.

_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: New to SELinux

[Westerman, Mark]

on Monday, August 19, 2002 3:47 PM, Russell Coker wrote:

> They always have new releases long before the NSA does. Steve often
releases 
> patches that will apply on top of the LSM release or the NSA release to
add 
> new SE Linux support.  I include these patches in my Debian package, so
the 
> Debian packages I release are the most current single release  files you
can 
> get.  I have them on my web site at 
> http://www.coker.com.au/selinux/kern/ .
> 
The Sourceforge cvs tree is up to date. Every patch for SELinux Steve
updates, he
updates the sourceforge CVS tree.  The sourceforge cvs tree is the updated
NSA release.
When the NSA Releases a new release the sourceforge will be updated at about
the same
time. If you wish to follow close to the NSA releases use the sourceforge
cvs tree,
it only contains patches that have been applied to the SELinux project. 

http://sourceforge.net/projects/selinux/

Mark

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: New to SELinux

[Stephen Smalley]

On Mon, 19 Aug 2002, Westerman, Mark wrote:

> The Sourceforge cvs tree is up to date. Every patch for SELinux Steve
> updates, he updates the sourceforge CVS tree.  The sourceforge cvs tree
> is the updated NSA release.
> When the NSA Releases a new release the sourceforge will be updated at about
> the same time. If you wish to follow close to the NSA releases use the
> sourceforge cvs tree, it only contains patches that have been applied
> to the SELinux project.
>
> http://sourceforge.net/projects/selinux/

Just to clarify, while the sourceforge CVS tree may contain bug fixes and
minor enhancements committed between public releases, we typically do not
merge new base kernel versions into it until after making a new public
release.  Hence, it does not contain a 2.4.19-based kernel yet, and will
not contain a 2.4.19-based kernel until after a new public release is made
with that kernel.

For CVS access, you can use the following:
cvs -d:pserver:anonymous@cvs.selinux.sourceforge.net:/cvsroot/selinux \
-z3 co nsa

The NSA public releases of SELinux are imported on the vendor branch,
tagged "nsa".  Bug fixes and minor enhancements may be committed on the
head between releases.  The corresponding patches are posted on the
selinux list, or at least an announcement regarding the patch is posted
depending on the extent of the patch.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

New to SELinux

[Jeremy Kusnetz]

I've been reading SELinux documentation and getting ready to try to deploy
it on a system.

A couple of questions.  Are there any up to date archives of this mailing
list other then what's on NSA's site, since it doesn't get updated daily
(last update on July 3rd)?

Second, I got a scared and read a slashdot article from today saying that
NSA is no longer developing SELinux due to lobbying from  Microsoft because
the government is competing against private American companies.  Is this
true?  Is SELinux still being developed?  Is it still being developed by
NSA, or someonen else now.

If it is still being developed, is there an SELinux patch to the 2.4.19
kernel?  I can only find patches to 2.4.18.  I see LSM has a patch to 2.4.19
but I read somewhere that I should only use SELinux LSM patches.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New to SELinux

[Russell Coker]

On Mon, 19 Aug 2002 22:33, Jeremy Kusnetz wrote:
> I've been reading SELinux documentation and getting ready to try to deploy
> it on a system.
>
> A couple of questions.  Are there any up to date archives of this mailing
> list other then what's on NSA's site, since it doesn't get updated daily
> (last update on July 3rd)?

Other people are maintaining archives that are more current.  Check google.

> Second, I got a scared and read a slashdot article from today saying that
> NSA is no longer developing SELinux due to lobbying from  Microsoft because
> the government is competing against private American companies.  Is this
> true?  Is SELinux still being developed?  Is it still being developed by
> NSA, or someonen else now.

Don't believe slashdot.

AFAIK it's business as usual.  Lots of new things are being planned for SE 
Linux...

> If it is still being developed, is there an SELinux patch to the 2.4.19
> kernel?  I can only find patches to 2.4.18.  I see LSM has a patch to
> 2.4.19 but I read somewhere that I should only use SELinux LSM patches.

Get the patch for 2.4.19 and recent 2.5.x kernels from 
http://lsm.immunix.org/ .

They always have new releases long before the NSA does.  Steve often releases 
patches that will apply on top of the LSM release or the NSA release to add 
new SE Linux support.  I include these patches in my Debian package, so the 
Debian packages I release are the most current single release files you can 
get.  I have them on my web site at http://www.coker.com.au/selinux/kern/ .

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New to SELinux

[Stephen Smalley]

On Mon, 19 Aug 2002, Jeremy Kusnetz wrote:

> I've been reading SELinux documentation and getting ready to try to deploy
> it on a system.
>
> A couple of questions.  Are there any up to date archives of this mailing
> list other then what's on NSA's site, since it doesn't get updated daily
> (last update on July 3rd)?

Try http://marc.theaimsgroup.com/?l=selinux.  Or you can simply send email
to majordomo@tycho.nsa.gov to get the archives via the index and get
commands.  The NSA web site's hypermail archives are only updated when a
new release is made.

> Second, I got a scared and read a slashdot article from today saying that
> NSA is no longer developing SELinux due to lobbying from  Microsoft because
> the government is competing against private American companies.  Is this
> true?  Is SELinux still being developed?  Is it still being developed by
> NSA, or someonen else now.

Yes, SELinux is still being actively developed by the NSA, by us, and by
others.

> If it is still being developed, is there an SELinux patch to the 2.4.19
> kernel?  I can only find patches to 2.4.18.  I see LSM has a patch to 2.4.19
> but I read somewhere that I should only use SELinux LSM patches.

There should be a new NSA public release available soon with a
2.4.19-based kernel.  As you noted, you should typically use the LSM
patch available from the NSA site when using SELinux, because it may
contain further changes to the LSM patch and/or to the SELinux
kernel module that were made after the latest LSM snapshot patch was
generated.  For example, the next NSA release should include the new sock
hooks, a reliable accept_secure implementation, a bug fix to the
ipc_permission hook, and configurable sysctl labeling, none of which made
it into the 2.4.19-lsm1 snapshot patch.  However, if you need to use
2.4.19 immediately with SELinux, you can use the LSM snapshot patch until
the new NSA release is available - I don't think that there are any
compatibility issues at present.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.