Confining Applications running as root user

max bianco maximilianbianco at gmail.com
Wed Aug 12 15:15:28 UTC 2009


On Tue, Aug 11, 2009 at 6:54 PM, Anamitra Dutta Majumdar
(anmajumd)<anmajumd at cisco.com> wrote:
>
>
> We are trying to migrate our existing security policies to SELinux. We
> are new to SELinux and hence are finding it difficult to map our
> existing policies.
>

I would recommend SELinux by Example since you will need to be
familiar with the policy language to properly make the transition. I
am not aware of any website that covers it in the same detail but if
you find one let me know.

> In our existing policy, all applications (including ones running as root
> user) with the exception of insmod and modprobe, are denied access to
> /lib directory. How would we go about writing such a policy without
> actually confining every application manually, since that would indeed
> be cumbersome?

Denied access completely? I'd think that might cause some problems but
there is still plenty I don't know so...
You were using AppArmor or something similar?

Interesting. I think a neverallow rule is probably your best bet here,
it will generate a compiler error if you have any rules that violate it.
I don't specifically remember how the errors get reported i.e. does it
spit out the specific allow rules that cause the problem? Seems I need
another refpolicy refresher.

Anyway after I'd cleaned up the errors which might be a task and
two-thirds, I'd add my allow rules for insmod and modprobe which share
the same label, insmod_exec_t, so at least that would be easy :^)

Though the thing to consider is really do I need to completely deny
access to this directory. SELinux allows fine-grained access control
so depending on your security goals the restriction need not
necessarily require heavy modification of the policy.


Have you used the policy analysis tools? These should help you get a
better idea of the scope of things affected by restricting access to
lib_t, they take a little getting used to so be patient.

yum install setools

There is also a GUI policy dev tool, two of them actually. SLIDE is
the one I think you'd need to tackle this task. I haven't really used
it much, I like to beat my head against brick walls don't you know,
you can install it with yum but it's separate from setools, yum install
slide?

http://oss.tresys.com/projects/slide

I highly recommend the book mentioned above, if you're completely new to SELinux.

So that's how I'd start to go about it anyway, there are much more
experienced hands monitoring this list but they are busy folk. You
could try the IRC chat #selinux and #fedora-selinux for more direct
and immediate help.
dgrift is usually around there and is a good resource for these kinds
of questions.

Also you don't mention exactly what it's for but there is a minimal
selinux policy you can load and that might cut down on a lot of the
work.
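
Added example, not part of the original message: a small Python check that scans allow rules (in the form a .te file or sesearch prints them) and lists the ones that would conflict with a "nobody but insmod/modprobe may touch lib_t" neverallow, which is the cleanup step described above. The domain name insmod_t, the other type names and the sample rules are constructed assumptions, and names are matched literally, so attributes such as domain are not expanded.

```python
import re

# One allow rule, e.g.
#   allow httpd_t lib_t:dir { getattr search };
#   allow httpd_t lib_t : dir { getattr search } ;
RULE = re.compile(
    r"^\s*allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(\{[^}]*\}|[^\s{;]+)\s*(\{[^}]*\}|[^\s;]+)\s*;"
)


def names(token):
    """Turn 'a_t' or '{ a_t b_t }' into a set of names."""
    return set(token.strip("{} \t").split())


def lib_access_violations(policy_text, protected="lib_t", exempt=("insmod_t",)):
    """Return (line, domain, classes, perms) for every allow rule that gives
    a non-exempt source access to the protected type."""
    hits = []
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        line = line.split("#", 1)[0]          # drop trailing comments
        m = RULE.match(line)
        if not m:
            continue
        src, tgt, cls, perms = (names(g) for g in m.groups())
        if protected not in tgt:
            continue
        for domain in sorted(src - set(exempt)):
            hits.append((lineno, domain, sorted(cls), sorted(perms)))
    return hits


# Constructed sample rules, not taken from any real policy.
SAMPLE = """\
allow insmod_t lib_t:dir { getattr search open read };
allow insmod_t lib_t:file { getattr open read execute };
allow httpd_t lib_t : dir { getattr search } ;
allow { sshd_t insmod_t } lib_t:lnk_file read;
allow httpd_t httpd_log_t:file append;  # unrelated target
"""

if __name__ == "__main__":
    for lineno, domain, cls, perms in lib_access_violations(SAMPLE):
        print(f"line {lineno}: {domain} -> lib_t:{','.join(cls)} {{ {' '.join(perms)} }}")
```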




More information about the fedora-selinux-list mailing list