danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Share Next Entry
I need Guinea pigs...
danwalsh
REPOSTING WITH SOME FIXES

One  of the problems I face, is trying to convince people to use new security products.   They say, "Sure just don't break anything".  The problem is I need Guinea pigs to find out what I break.  In the case of confining the user, I have a problem.  I believe this can be a big security step forward, but how do I get people to use it, if it is not fully tested out?  How do I test it out without getting people to use it?

Now I have taken some involuntary test subjects like my wife, and set her up with a confined user account and worked with her to fix problems in xguest.  I have also taken the Jonas Salk approach and tested on my self.  I have been running as the staff_u user for the entire run of Rawhide since Fedora 8.

So I am now beginning to Beg co-workers to try it out.  As people start to install Fedora 9, I want them to try out confined users.  The simplest user for an engineer to try is staff_u with a transition to unconfined_t when you become root.

This is how I set this up.

First you need to modify the SELinux user record to allow it to reach the unconfined_r.  You also want to allow it to reach the system_r since you might be restarting services which need to run as system_r.  The command is a little ugly but follow along

# semanage user -m -R"staff_r unconfined_r system_r" staff_u
This tells the system to modify the staff_u user and allow it to reach the staff_r, unconfined_r and system_r roles.

Now we need to modify the login account to login as the staff_u SELinux user.

We can either change the default, so all users by default will login as the staff_u user.

# semanage login -m -s staff_u __default__

Or we can add a record just for my Linux user "dwalsh"

# semanage login -a -s staff_u -r s0-s0:c0.c1023 dwalsh

Finally I want to setup a sudo to allow me to transition from staff_t to unconfined_t when running commands using sudo.

Add a record like to following using visudo

dwalsh  ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_r   ALL

Now logout and log back in and you should be running as staff_u:staff_r:staff_t,

Execute "sudo sh" and you should be running as staff_u:unconfined_r:unconfined_t.

One caveat for this environment is currently userhelper apps will not work (system-config-*) when executed from staff_t,  But you can run them from the sudo root account.

What does this buy you?  While running in staff_t you will not be allowed to run any setuid application that is not confined.  So if somehow you were tricked into running a setuid app on your machine to become root, it will fail.  You will automatically transition to nsplugin so  your firefox will have confinement.  The ONLY way to become root/unconfined_t is through sudo, which is a well studied application.  If you run attempt to run su, you will be denied.

So do I have any volunteers????

I am fixing a typo in the command above sorry about reposting.

Also if you want to reverse the changes listed above

You could execute

semanage login -d dwalsh

Will remove the record and put dwalsh back to the default.


# semanage login -m -s unconfined_u __default__


Would set the default logins to be unconfined_u (the default)

Re: staff_r role privileges

salimpathan

2008-08-14 12:34 pm (UTC)

Added following lines to my .te file :
userdom_role_change_template(staff, sysadm)
userdom_dontaudit_use_sysadm_terms(staff_t)

But when tried to make module, got following error:

[root@xyz ~]# checkmodule -M -m test.te -o test.mod
checkmodule: loading policy configuration from test.te
(unknown source)::ERROR 'syntax error' at token 'userdom_role_change_template' on line 42:
userdom_role_change_template(staff, sysadm)

checkmodule: error(s) encountered while parsing configuration

[root@xyz ~]# checkmodule -V
Module versions 4-6

I think checkmodule policy compiler is not recognizing "userdom_role_change_template".


any ideas why????

Re: staff_r role privileges

danwalsh

2008-08-14 12:40 pm (UTC)

You don't have the interface defined.

template(`userdom_role_change_template',`
gen_require(`
role $1_r, $2_r;
type $1_t, $2_t;
type $1_devpts_t, $2_devpts_t;
type $1_tty_device_t, $2_tty_device_t;
')

allow $1_r $2_r;
type_change $2_t $1_devpts_t:chr_file $2_devpts_t;
type_change $2_t $1_tty_device_t:chr_file $2_tty_device_t;
# avoid annoying messages on terminal hangup
dontaudit $1_t { $2_devpts_t $2_tty_device_t }:chr_file ioctl;
')

Re: staff_r role privileges

salimpathan

2008-08-18 09:23 am (UTC)

Aug 13 14:39:55 xyz kernel: audit(1218618595.898:5): avc: denied { transition } for pid=2058 comm="sudo" path="/usr/local/libexec/sesh" dev=hda9 ino=96888 scontext=admin_u:staff_r:staff_t:s0 tcontext=admin_u:sysadm_r:sysadm_t:s0 tclass=process

audit2why on above avc gives:-

Was caused by:
Constraint violation.
Check policy/constraints.
Typically, you just need to add a type attribute to the domain to satisfy the constraint.


With correct interface file defined I added

userdom_role_change_template(staff, sysadm)
userdom_dontaudit_use_sysadm_terms(staff_t)

to my .te file and loaded the resultant policy.

Still I don't have any success... When I issue "sudo /sbin/reboot" as admin user, the terminal logout happens..(but no reboot!)

Re: staff_r role privileges

danwalsh

2008-08-18 10:12 am (UTC)

Are you seeing an additional AVC? Do you see anything in the log files?

Re: staff_r role privileges

salimpathan

2008-08-18 10:38 am (UTC)

Hi Dan,

The same avc is still coming: -

Aug 18 15:56:34 xyz kernel: audit(1219055194.331:6): avc: denied { transition } for pid=2128 comm="sudo" path="/usr/local/libexec/sesh" dev=hda9 ino=96888 scontext=admin_u:staff_r:staff_t:s0 tcontext=admin_u:sysadm_r:sysadm_t:s0 tclass=process

I'm wondering why the following type-enforcement rule is still not working????

allow staff_t sysadm_t:process { siginh rlimitinh transition noatsecure };





Re: staff_r role privileges

danwalsh

2008-08-18 11:28 am (UTC)

Well there is something wrong with your policy.

I just setup everything you are describing in Fedora 10 and it worked correctly.

I created an admin_u account.

# semanage user -a -R"staff_r sysadm_r" admin_u
# useradd -Z admin_u admin
# cp /etc/selinux/context/users/staff_u /etc/selinux/contexts/users/admin_u
# visudo
admin ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL

Login as admin
> id -Z
admin_u:staff_r:staff_t:s0
> sudo sh
[sudo] password for admin:
# id -Z
admin_u:sysadm_r:sysadm_t:s0

I would look at your definition of sysadm and see if it is missing some attribute. It might not see sysadm_t as a domain?

Since this is not a RHEL or Fedora policy please bring up discussion on the NSA list

You are viewing danwalsh