Old 08-21-2008, 01:56 PM   #1
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Applying SE Linux to Pdnsd: create a working policy in 5 minutes.


I often wonder what agitprop or ignorance is concealed by those that link SE Linux with phrases like "over my dead body", "disable instantly" or "not for the faint-hearted". Here's a quick recipe for applying SE Linux to a service if there's no standard policy (AFAIK). Testbed: CentOS 5.2, vanilla 2.6.25 kernel with SE Linux enabled (Policy v.21), policycoreutils-gui, selinux-policy-devel and pdnsd. Pdnsd of course is the caching DNS server that, unlike ISC BIND, has an on-disk cache that survives restarts and reboots.

Step 0: run /usr/share/system-config-selinux/polgengui.py and work your way through the screens. Make sure you choose "Standard Init Daemon", TCP/53 and UDP/53, syslog and add the cache and log directory.

Step 1: review your filecontext, interface and Type Enforcement files. Should look something like this:

pdnsd.fc
Code:
/usr/sbin/pdnsd         --      gen_context(system_u:object_r:pdnsd_exec_t,s0)
/var/cache/pdnsd(/.*)?                  gen_context(system_u:object_r:pdnsd_rw_t,s0)
pdnsd.if
Code:
## <summary>policy for pdnsd</summary>

########################################
## <summary>
##      Execute a domain transition to run pdnsd.
## </summary>
## <param name="domain">
## <summary>
##      Domain allowed to transition.
## </summary>
## </param>
#
interface(`pdnsd_domtrans',`
        gen_require(`
                type pdnsd_t, pdnsd_exec_t;
        ')

        domain_auto_trans($1,pdnsd_exec_t,pdnsd_t)

        allow pdnsd_t $1:fd use;
        allow pdnsd_t $1:fifo_file rw_file_perms;
        allow pdnsd_t $1:process sigchld;
')

########################################
## <summary>
##      Search pdnsd rw directories.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`pdnsd_search_rw_dir',`
        gen_require(`
                type pdnsd_rw_t;
        ')

        allow $1 pdnsd_rw_t:dir search_dir_perms;
        files_search_rw($1)
')

########################################
## <summary>
##      Read pdnsd rw files.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`pdnsd_read_rw_files',`
        gen_require(`
                type pdnsd_rw_t;
        ')

        allow $1 pdnsd_rw_t:file r_file_perms;
        allow $1 pdnsd_rw_t:dir list_dir_perms;
        files_search_rw($1)
')

########################################
## <summary>
##      Create, read, write, and delete
##      pdnsd rw files.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`pdnsd_manage_rw_files',`
        gen_require(`
                type pdnsd_rw_t;
        ')

        allow $1 pdnsd_rw_t:file manage_file_perms;
        allow $1 pdnsd_rw_t:dir rw_dir_perms;
')
pdnsd.te
Code:
policy_module(pdnsd,1.0.0)

########################################
#
# Declarations
#

type pdnsd_t;
type pdnsd_exec_t;
domain_type(pdnsd_t)
init_daemon_domain(pdnsd_t, pdnsd_exec_t)

type pdnsd_rw_t;
files_type(pdnsd_rw_t)

########################################
#
# pdnsd local policy
#

# Init script handling
domain_use_interactive_fds(pdnsd_t)

## internal communication is often done using fifo and unix sockets.
allow pdnsd_t self:fifo_file rw_file_perms;
allow pdnsd_t self:unix_stream_socket create_stream_socket_perms;

files_read_etc_files(pdnsd_t)

libs_use_ld_so(pdnsd_t)
libs_use_shared_libs(pdnsd_t)

miscfiles_read_localization(pdnsd_t)

ifdef(`targeted_policy',`
        term_dontaudit_use_unallocated_ttys(pdnsd_t)
        term_dontaudit_use_generic_ptys(pdnsd_t)
')


allow pdnsd_t pdnsd_rw_t:file manage_file_perms;
allow pdnsd_t pdnsd_rw_t:dir create_dir_perms;
files_pid_filetrans(pdnsd_t,pdnsd_rw_t, { file dir })

sysnet_dns_name_resolve(pdnsd_t)
corenet_non_ipsec_sendrecv(pdnsd_t)

allow pdnsd_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(pdnsd_t)
corenet_tcp_sendrecv_all_nodes(pdnsd_t)
corenet_tcp_sendrecv_all_ports(pdnsd_t)
corenet_tcp_bind_all_nodes(pdnsd_t)
corenet_tcp_bind_dns_port(pdnsd_t)

allow pdnsd_t self:udp_socket { create_socket_perms listen };
corenet_udp_sendrecv_all_if(pdnsd_t)
corenet_udp_sendrecv_all_nodes(pdnsd_t)
corenet_udp_sendrecv_all_ports(pdnsd_t)
corenet_udp_bind_all_nodes(pdnsd_t)
corenet_udp_bind_dns_port(pdnsd_t)
...and run the "pdnsd.sh" to create the binary policy representation (pdnsd.pp), load it and set default SELinux security contexts.

Step 2: If you run SE Linux in enforcing mode then stopping, starting, restarting and generally using Pdnsd will result in some sealerts. Add these to the pdnsd.te:
Code:
allow pdnsd_t dns_port_t:tcp_socket name_bind;
allow pdnsd_t dns_port_t:udp_socket name_bind;
allow pdnsd_t self:unix_dgram_socket create;
allow pdnsd_t self:unix_dgram_socket connect;
allow pdnsd_t self:unix_dgram_socket write;
allow pdnsd_t self:capability setgid;
allow pdnsd_t self:capability setuid;
allow pdnsd_t pdnsd_rw_t:sock_file create;
allow pdnsd_t pdnsd_rw_t:sock_file unlink;
and run the "pdnsd.sh" again.

Step 3: These lines should be added to your local policy:
Code:
allow pdnsd_t sysctl_t:dir search;
allow pdnsd_t devlog_t:sock_file write;
allow pdnsd_t syslogd_t:unix_dgram_socket sendto;
allow pdnsd_t sysctl_kernel_t:dir search;
allow pdnsd_t sysctl_kernel_t:file read;
and recompile your local policy file to finish things off.

That should be it.

Have fun.
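The mechanical part of Steps 1 to 3 is building the module and turning the AVC denials that show up as sealerts into "allow" rules. The script below is an added example and not from the thread or from pdnsd's or polgengui's own files: avc_to_allow does what audit2allow (policycoreutils) does for the Step 2 rules, collapsing denials from the audit log into one rule per source type, target type and class and writing "self" where both types match, and build_and_load does what the generated pdnsd.sh does. The audit lines are constructed samples, the duplicate sock_file entry is deliberate, and the Makefile path assumes selinux-policy-devel on CentOS 5.

```shell
#!/bin/sh
# Added example, not from the thread: (a) collapse AVC denials into allow
# rules the way audit2allow does, (b) build and load the module the way the
# generated pdnsd.sh does. Assumes /usr/share/selinux/devel/Makefile from
# selinux-policy-devel (CentOS 5).

# Constructed sample denials in audit.log AVC format; pids, timestamps and
# the repeated sock_file denial are made up for the example.
SAMPLE_AVC='type=AVC msg=audit(1219340000.101:11): avc:  denied  { name_bind } for  pid=2001 comm="pdnsd" src=53 scontext=system_u:system_r:pdnsd_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1219340000.102:12): avc:  denied  { name_bind } for  pid=2001 comm="pdnsd" src=53 scontext=system_u:system_r:pdnsd_t:s0 tcontext=system_u:object_r:dns_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1219340000.103:13): avc:  denied  { setuid } for  pid=2001 comm="pdnsd" capability=7 scontext=system_u:system_r:pdnsd_t:s0 tcontext=system_u:system_r:pdnsd_t:s0 tclass=capability
type=AVC msg=audit(1219340000.104:14): avc:  denied  { setgid } for  pid=2001 comm="pdnsd" capability=6 scontext=system_u:system_r:pdnsd_t:s0 tcontext=system_u:system_r:pdnsd_t:s0 tclass=capability
type=AVC msg=audit(1219340000.105:15): avc:  denied  { create } for  pid=2001 comm="pdnsd" name="pdnsd.status" scontext=system_u:system_r:pdnsd_t:s0 tcontext=system_u:object_r:pdnsd_rw_t:s0 tclass=sock_file
type=AVC msg=audit(1219340000.106:16): avc:  denied  { create } for  pid=2001 comm="pdnsd" name="pdnsd.status" scontext=system_u:system_r:pdnsd_t:s0 tcontext=system_u:object_r:pdnsd_rw_t:s0 tclass=sock_file'

# Read AVC lines on stdin, print one "allow" rule per (source type, target
# type, class) with the permissions merged, keeping first-seen order.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        # permission set is the text between the braces
        perm = substr($0, index($0, "{") + 1)
        perm = substr(perm, 1, index(perm, "}") - 1)
        st = tt = tc = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) st = substr($i, 10)
            else if ($i ~ /^tcontext=/) tt = substr($i, 10)
            else if ($i ~ /^tclass=/) tc = substr($i, 8)
        }
        # third component of user:role:type:level is the type
        split(st, sa, ":"); split(tt, ta, ":")
        key = sa[3] " " (sa[3] == ta[3] ? "self" : ta[3]) ":" tc
        if (!(key in perms)) { perms[key] = ""; keys[++n] = key }
        m = split(perm, pl, " ")
        for (j = 1; j <= m; j++)
            if (index(" " perms[key] " ", " " pl[j] " ") == 0)
                perms[key] = (perms[key] == "") ? pl[j] : perms[key] " " pl[j]
    }
    END {
        for (k = 1; k <= n; k++) {
            p = perms[keys[k]]
            if (index(p, " ")) p = "{ " p " }"
            printf "allow %s %s;\n", keys[k], p
        }
    }'
}

# Capability grants reach well beyond the daemon's own files; list them so
# they get looked at by hand rather than pasted into pdnsd.te as they come.
needs_review() {
    grep ':capability '
}

# What pdnsd.sh does: compile pdnsd.te/.if/.fc to pdnsd.pp, load it, relabel
# the paths from pdnsd.fc. Needs root on an SELinux-enabled box.
build_and_load() {
    make -f /usr/share/selinux/devel/Makefile pdnsd.pp &&
    semodule -i pdnsd.pp &&
    restorecon -R -v /usr/sbin/pdnsd /var/cache/pdnsd
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
if [ "${1:-}" = load ]; then build_and_load; fi
```

On a real box the input comes from `audit2allow -a` or from `grep avc /var/log/audit/log` piped into avc_to_allow; the point of needs_review is that the setuid/setgid grants in Step 2 are the lines worth a second look, since they are what lets the domain change identity.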
 
Old 08-21-2008, 02:59 PM   #2
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,028
Blog Entries: 5

My main ignorance in this thread was of the word "agitprop". I hadn't run across that one before.

Having recently posted about using SELinux and saying it wasn't for "the faint of heart" I noted your use of that phrase and it made me wonder.

I said what I said not because I felt SELinux had no value (else I'd have left it out of my suggestions altogether) but rather because SELinux has in the past been poorly documented. When I first ran across it on a Fedora installation I was intrigued by the idea and dismayed to find so little information about its care and feeding even on the web site of the NSA which created it.

In fact these days RHEL (and I think Fedora) have SELinux configuration tools that might make things easier. However if you think the multiple steps you suggested are somehow as easy as configuring iptables I'd suggest that was agitprop on your part. I'm certain once you play with it enough and get comfortable with it that it is easy to use, but then again so is dynamite. That does NOT, however, mean that the average newbie that spends much of his time in the GUI Desktop is going to find it so. Often enough they seem to resist simple command line tools in favor of GUI ones.
 
Old 08-21-2008, 05:27 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Original Poster
Quote:
Originally Posted by jlightner
In fact these days RHEL (and I think Fedora) have SELinux configuration tools that might make things easier.
Not "might". They do make it easier.



Quote:
Originally Posted by jlightner
However if you think the multiple steps you suggested are somehow as easy as configuring iptables I'd suggest that was agitprop on your part.
Aren't you just a wee bit curious? Come on... Just try it.