Dan Walsh's Blog

Got SELinux?

Confining the User with SELinux

danwalsh
When I first started working on SELinux, about a couple of hundred years ago or so it seems, SELinux was used to confine "logged in" users. I define a "logged in" user as one who has used credentials (username/password) to log in to a system via a login program such as login, xdm or sshd.

When we first shipped SELinux in Fedora Core 2, we went out with the example policy from NSA, later renamed the "strict" policy, and it was a disaster. Hundreds of bugs per day, and everyone was clamoring to find out how to turn SELinux off. Fedora Core is for the most part a single-user OS, and that user does not want to be confined. Also, much to my chagrin, people all over the world did not want to set up their machines the way Dan Walsh wanted them to. :^( Strict policy and confining of users require the file contexts in users' home directories to be set up correctly, and labeling for those home directories proved very difficult to maintain. Finally, using SELinux to confine anything requires a "security policy"; by this I mean you need to define what access you want an application or user to have.

For example, everyone wants to confine the web browser. But no one agrees on how the web browser should be confined. Should it only be allowed to view web pages? Should it be allowed to run helper applications? If I launch OpenOffice from inside the web browser, should I allow a transition from firefox_t to ooffice_t, or stay in firefox_t? If still in firefox_t, and the user uses the Open button in OpenOffice, what should happen? When the web browser downloads a file to disk, should it be able to place it anywhere? Should it be able to upload files from anywhere on the system? On the modern desktop, applications like the mail program have embedded web browsers; how should they behave? How should applications interact?

Since almost no one agrees on these, it quickly became apparent that confining "logged in users" was not going to work on a general-purpose OS. This is when we decided to take another look at policy and "target" the domains that we wanted to confine and knew how to confine. Targeted policy was born.

SELinux has all this power that we were not taking advantage of...

So now, as we ship Red Hat Enterprise Linux 5 and Fedora 7 (no more "Core"), I have begun to look into how we can start to confine certain types of "logged in users" on a targeted policy system.

A little background:

SELinux has a feature called RBAC, which stands for Role-Based Access Control. The idea is to control what a user can do by the roles that he is assigned. SELinux uses type enforcement to control the "transitioning" from one role to another. In strict and MLS policy you would use the newrole command to switch from one role to another; the newrole command is packaged in policycoreutils-newrole.

During the past few months I have noticed discussions about how to handle a "guest" account. The kernel policy source repository uses "git", and "git" requires an account on the server to be able to manipulate the repository. So if you want to allow a kernel maintainer to update the source code repository, you need to set up an ssh account for him. Similarly, at Red Hat most of engineering has small accounts on people.redhat.com, where we can upload files and make them available to the public. http://people.redhat.com/dwalsh is my home page at Red Hat; I ssh into this account and can change the contents of my directory. Terminal servers and other shared home-directory servers are other examples.
The users on these systems need to be able to log onto the system, run a few commands, and that is about it. They probably should never run a setuid app. They probably don't need to network out of the box.

I have been experimenting with a guest policy: http://people.redhat.com/dwalsh/SELinux/users/guest.te

You can copy this policy file onto your machine and execute the following commands to set it up.

Copy guest.te to its own directory. In that directory, as root, execute:

# Compile the policy module and load it
make -f /usr/share/selinux/devel/Makefile
semodule -i guest.pp
# Create the guest_u SELinux user, with prefix "guest" and the single role guest_r
semanage user -a -P guest -R guest_r guest_u
# Add a Linux user mapped to that SELinux user
useradd -Z guest_u guest
# On FC6, useradd -Z is not supported; add the mapping by hand and relabel the home directory instead:
# semanage login -a -s guest_u guest
# restorecon -R -v ~guest
# Set the guest password
passwd guest
# Two files tell the login programs that guest_r:guest_t is a valid login context.
# default_type lists the type to use for a role; the per-user contexts file maps the
# login program's own context to the context the user's session gets.
echo "guest_r:guest_t" >> /etc/selinux/targeted/contexts/default_type
cat > /etc/selinux/targeted/contexts/users/guest_u <<EOF
system_r:sshd_t:s0    guest_r:guest_t:s0
system_r:local_login_t:s0    guest_r:guest_t:s0
EOF
# If you only want ssh access, leave out the local_login_t line. In either case the
# guest user cannot log in via xdm, since no xdm_t line is present.

Now you should be able to log in to the system as the guest user and have very limited access. Beware:
as you attempt certain activities you will generate AVC messages that trigger setroubleshoot. But try it out and let me know what you think. I will be posting other policies for confining user space in future blogs.
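The two files edited above, together with the roles recorded by semanage, decide whether a login succeeds and which context the session gets; the RBAC background earlier in the post is the same mechanism seen from the role side. The following is an added example, not code from this post, from libselinux or from the guest.te policy: a simplified model of how a login program chooses the session context from the per-user contexts file and default_type. It assumes that the role list recorded by `semanage user -R` can stand in for the kernel's own check of which contexts an SELinux user may reach, and all file contents in it are constructed from the commands in the post rather than read from a live system. Python is used so the model runs offline; on a real box the equivalent check is to log in as guest and run `id -Z`.

```python
"""Simplified model of how a login program picks an SELinux session context.

Added example; this is not code from the post, from libselinux or from the
guest.te policy.  It models, in reduced form, how the two files the post edits
are used when guest_u logs in:
  /etc/selinux/targeted/contexts/users/<seuser>  maps the login daemon's
      context to the context(s) the session may receive
  /etc/selinux/targeted/contexts/default_type     lists valid role:type pairs
Assumption: the role set recorded by `semanage user -R` stands in for the
kernel's own check of which contexts the SELinux user may reach.  All file
contents here are constructed from the commands in the post.
"""

# Constructed: what `semanage user -a -P guest -R guest_r guest_u` recorded,
# plus the stock unconfined user for comparison.
SEUSER_ROLES = {
    "guest_u": {"guest_r"},
    "unconfined_u": {"unconfined_r", "system_r"},
}

# Constructed: default_type after the post's `echo "guest_r:guest_t" >> ...`
# (a real file carries more role:type lines).
DEFAULT_TYPE_FILE = """
unconfined_r:unconfined_t
guest_r:guest_t
"""


def render_user_contexts(login_types, role, type_, level="s0"):
    """Build the contexts/users/<seuser> file the post writes by hand.

    One line per login daemon type: '<daemon context>  <session context>'.
    Leaving local_login_t out is how the post restricts the user to ssh only.
    """
    return "".join(
        f"system_r:{t}:{level}    {role}:{type_}:{level}\n" for t in login_types
    )


def parse_contexts(text):
    """'from_role:from_type[:lvl]  to_role:to_type[:lvl] ...' -> dict.

    Keyed by (from_role, from_type).  Values keep file order, since the first
    permitted candidate is the one the login program hands the session.
    """
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        src = tuple(fields[0].split(":")[:2])
        table.setdefault(src, []).extend(
            tuple(f.split(":")[:2]) for f in fields[1:]
        )
    return table


def parse_default_type(text):
    """One 'role:type' per line -> set of (role, type)."""
    return {
        tuple(line.strip().split(":"))
        for line in text.splitlines()
        if line.strip() and not line.startswith("#")
    }


def login_contexts(seuser, daemon_context, user_file,
                   default_type_file=DEFAULT_TYPE_FILE):
    """Ordered 'role:type' candidates for seuser logging in via daemon_context.

    daemon_context is 'role:type[:level]' of the login program (sshd_t,
    local_login_t, ...).  An empty list means no valid context exists and the
    login program refuses the login, which is the failure mode to check for
    after editing these files.
    """
    src = tuple(daemon_context.split(":")[:2])
    allowed_roles = SEUSER_ROLES.get(seuser, set())
    valid_pairs = parse_default_type(default_type_file)
    candidates = parse_contexts(user_file).get(src, [])
    return [
        f"{role}:{type_}"
        for role, type_ in candidates
        if role in allowed_roles and (role, type_) in valid_pairs
    ]


if __name__ == "__main__":
    full = render_user_contexts(["sshd_t", "local_login_t"], "guest_r", "guest_t")
    ssh_only = render_user_contexts(["sshd_t"], "guest_r", "guest_t")
    print("ssh, full file    :", login_contexts("guest_u", "system_r:sshd_t:s0", full))
    print("console, ssh-only :", login_contexts("guest_u", "system_r:local_login_t:s0", ssh_only))
    # A stray line offering guest_u an unconfined session is dropped: semanage
    # never authorized guest_u for unconfined_r, so that context is invalid.
    leaky = full + "system_r:sshd_t:s0    unconfined_r:unconfined_t:s0\n"
    print("ssh, leaky file   :", login_contexts("guest_u", "system_r:sshd_t:s0", leaky))
```

The three cases worth noting: with the ssh-only file a console login through local_login_t gets no context at all and is refused rather than falling back to something broader; a line that tries to hand guest_u an unconfined_r session is ignored because guest_u was never authorized for that role; and forgetting the default_type line leaves guest_r:guest_t unusable even though the contexts file mentions it.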

I have not upstreamed this policy, but I plan on working with upstream to make creating a new "logged in user type" as simple as

userdom_unpriv_login_user(myuser)

Then, if you want to add additional privileges to this user, you would just add additional interfaces.
For example, adding networking would just be

userdom_basic_networking_template(myuser)



Yeah, that could be very helpful! Often I have to give away access to my boxes, and via SELinux and this policy I could limit the access to only some commands.

Another policy would be very helpful, too: limit the user to read and write only in his $HOME, like a chroot. Is something like this possible?

cheers

This is somewhat vague and difficult

danwalsh

2007-05-30 04:50 pm (UTC)

A logged in user will probably need to be able to read a lot of files under /usr, /etc, and /var. They will be isolated from reading files in other "user" directories by DAC (ownership/rwx). Also, SELinux will prevent guest_t from reading user_home_t, which would be used by a privileged logged in user. If you want to prevent access to /tmp you can use pam_namespace.

Most other directories this user would not have access to.

RBAC goodness

(Anonymous)

2007-06-04 05:51 pm (UTC)

It's great to see that SELinux has come so far since Core 2. I could really use some of this RBAC goodness you describe to confine accounts I have for a few "friends" on my file server. I do everything over ssh and it works great, except for a few of those "friends" who keep using my file server to port forward their network traffic (probably to dodge their employer's network monitoring). I'd love to be able to have two roles: one that can use port forwarding (for me) and another to throw their accounts into, with only remote login access and allow rules for reading and writing shared files (DAC owner and group bits work to prevent them from deleting files they don't own).

The "AllowTcpForwarding no" sshd_config option works, but it's pretty coarse. RBAC would be useful here.

Great post man

Can you do something related for executables?

(Anonymous)

2007-07-18 03:53 pm (UTC)

I would like to see something that would limit the access of programs I get from sources I don't want to fully trust. In particular, a lot of commercial software seems to phone home these days. I would like to see a context for executables that would irrevocably (e.g. no running netcat as a subprocess) lose access to external network interfaces. Only allowing access to files with specific contexts (one for read only, another for read/write) would also be a plus.

Cannot get this to work with CentOS 5

(Anonymous)

2007-10-08 01:43 pm (UTC)

make -f /usr/share/selinux/devel/Makefile
Compiling targeted guest module
/usr/bin/checkmodule: loading policy configuration from tmp/guest.tmp
guest.te:150:ERROR 'syntax error' at token 'manage_dirs_pattern' on line 85533:
#line 150
manage_dirs_pattern(privhome,{ guest_home_dir_t guest_home_t },guest_home_t)
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/guest.mod] Error 1

Re: Cannot get this to work with CentOS 5

danwalsh

2007-10-08 01:48 pm (UTC)

In order for this to work on RHEL5 or CentOS 5 you need to update to the U1 policy. A preview of this is currently available at

http://people.redhat.com/dwalsh/SELinux/RHEL5/
