append only file system - selinux?

Colin Walters walters at redhat.com
Fri Mar 25 15:47:36 UTC 2005 

On Thu, 2005-03-24 at 15:58 -0500, Chris Stankaitis wrote:

> If there is no 2.4 kernel solution, is there a 2.6/selinux solution to 
> my problem? that would not allow anyone (even root) to do anything but 
> append to logs?

Yes, definitely.  SELinux provides a fine-grained "append" permission
for files that one can grant to specific domains for specific file types
(such as log files).

How exactly you implement this depends on which threats you are trying
to counter.  If you are simply trying to prevent a compromised daemon
program which runs as uid 0 from changing logs, you could probably stick
with the default Fedora "targeted" policy, which for a number of daemons
such as Apache HTTPD already enforces this restriction.  If you have
daemons outside the targeted set, it is typically not too difficult to
pull in the relevant policy from the "strict" into targeted, although
there are a few gotchas which we can help with on fedora-selinux-list.

In order to confine user logins (e.g. someone logging in as root via
sshd), you will need to use the "strict" policy.  You then have to make
a decision on exactly what permissions to grant to the login.  One
option is to simply place root into the user_r role (i.e. not sysadm_r).
There, the login is restricted in a way similar in effect to a Linux
non-zero uid.  However, system administration such as restarting daemons
is not possible.

It is theoretically possible to have a role similar to sysadm_r/sysadm_t
but that prevents direct access to log files.  However, it seems very
likely to me that someone with privileges similar to sysadm_t could
indirectly influence log files in other ways; e.g. by simply installing
a malicious version of a daemon package.  I imagine the same is true of
the BSD securitylevel, of course.

One nice thing about SELinux though is that you can use a tool such as
"apol" to find all of those means of influence; i.e. what is the
information flow from user_t to httpd_log_t.  With BSD security levels
you don't have any such assurance.

If you have more questions about SELinux, please ask on
fedora-selinux-list.

More information about the fedora-selinux-list mailing list