Dan Walsh's Blog

Got SELinux?

Polyinstatiation and MLS in RHEL5/FC6/Rawhide
danwalsh
One of the big new features of Red Hat Enterprise Linux 5 is the MLS (Multi Level Security) policy.  This is the third policy that we have added for SELinux, joining the strict and targeted policies.  The goal with MLS is to allow us to get an EAL4+ LSPP certification.  This allows SELinux to compete in the same world as the other "Trusted" OSs, and allows us to sell to the Top Secret world of Government and Military sites.  MLS Policy allows us to enforce Role Based Access Control, Bell-LaPadula and Type Enforcement Mandatory Access Control.

SELinux and RHEL are different from other "Trusted" operating systems, in that all software components are the same whether you are running the MLS, strict or targeted policy.  We are not shipping a RHEL5 and a Trusted RHEL5.  There is one kernel and one set of user-land packages.  The only difference is the policy installed on the system, and the labels/contexts associated with the files.  The steps to switch from a targeted system to an MLS machine are:
  1. Install selinux-policy-mls
  2. vi /etc/selinux/config and change SELINUXTYPE to mls
  3. touch /.autorelabel; reboot
  4. When the machine is rebooting, put it in permissive mode by adding enforcing=0 to the boot line
  5. When the machine comes up, log in and run setenforce 1
  6. The machine is now in MLS mode and will enforce all forms of MAC.

One key component required to get LSPP is polyinstantiated file systems.  Polyinstantiation means that different login sessions looking at the same directory (/tmp) see different contents, depending on things like the username, role or sensitivity level.  This allows us to save Top Secret documents and Secret documents both in the virtual /tmp: apps running at Secret looking in /tmp see Secret files, and Top Secret processes see Top Secret documents.

So what is in it for those of you who don't use MLS?  Well, polyinstantiation can actually help on a shared targeted machine.  If you allow multiple users to log on to a system, you can give each one their own /tmp and /var/tmp (or any other shared directory).  This prevents them from carrying out shared-directory attacks.  Polyinstantiation is implemented via a change to the kernel that allows the creation of namespaces.  pam_namespace.so allows you to configure login sessions to run in different namespaces.  You can read man pam_namespace and man namespace.conf to find out how to set this up.  Russell Coker has an excellent paper describing pam_namespace also.

Polyinstantiation takes a while to get used to.  You can easily get confused.  When I experimented around with pam_namespace, I found a couple of problems, and a bug.  The first time I set it up I did not mark the directories as described in Russell's paper.

mount --make-shared /
mount --bind /tmp /tmp
mount --make-private /tmp
mount --bind /var/tmp /var/tmp
mount --make-private /var/tmp

These lines should be added in an rc.local script or some init script.  If you set up polyinstantiation and log in as a normal user, then execute one of these commands or the mount command, it will only affect your current namespace; when you log out, these mounts will be removed and will not affect other logged-in sessions.  So you need this set on the initial namespace, i.e. set at boot time.  If you execute these commands at boot and later log in and mount a directory outside of /tmp or /var/tmp, all namespaces will see it.
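As an added example (not from the original post, and not the pam project's own code), this script ties the namespace.conf setup described above to the boot-time mount lines: it parses a constructed namespace.conf that gives each user a private /tmp and /var/tmp, rejects any method pam_namespace would not understand, and emits the mount commands that have to run from the initial namespace. The sample file contents, the instance prefixes and the two helper names are assumptions.

```shell
#!/bin/sh
# Constructed namespace.conf for a shared *targeted* machine: every user gets a
# private /tmp and /var/tmp, while root and adm keep the real ones.  Field order
# per namespace.conf(5):  polydir  instance_prefix  method  list_of_uids
# (on an MLS box the method would be level or context instead of user).
# pam_namespace itself is enabled by a "session required pam_namespace.so"
# line in the login service's PAM stack, not shown here.
NAMESPACE_CONF_SAMPLE='# polydir   instance_prefix     method  list_of_uids
/tmp        /tmp-inst/          user    root,adm
/var/tmp    /var/tmp/tmp-inst/  user    root,adm'

# Print the polydir of each active line, skipping blanks and comments and
# failing on a method pam_namespace would not accept.
polydirs_from_conf() {
    while read -r polydir prefix method uids; do
        case "$polydir" in ''|\#*) continue ;; esac
        case "$method" in
            user|context|level) printf '%s\n' "$polydir" ;;
            *) printf 'bad method "%s" for %s\n' "$method" "$polydir" >&2
               return 1 ;;
        esac
    done <<EOF
$1
EOF
}

# Emit the commands that must run from the *initial* mount namespace
# (rc.local or an init script): a mount made inside a login session only
# changes that session's namespace and disappears at logout, so the shared
# root and the private polydirs have to be established at boot.
boot_mount_setup() {
    dirs=$(polydirs_from_conf "$1") || return 1
    echo 'mount --make-shared /'
    for d in $dirs; do
        echo "mount --bind $d $d"
        echo "mount --make-private $d"
    done
}

boot_mount_setup "$NAMESPACE_CONF_SAMPLE"
```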

I found a bug in pam_namespace also.  I set up namespaces to work for non-root accounts.  I also set up pam_namespace to unmnt_only when I su to root.  But the code path in pam_namespace checked if the uid was polyinstantiated first and exited before calling the unmnt_only code path.  So this caused the /tmp and /var/tmp directories to still be mounted when I was root.  Not what I wanted.  pam_namespace.so has been fixed in Rawhide, and there is a fix in pam-0.99.6.2-3.15.fc6 for FC6, which is in testing as of this writing.  This fix should get into RHEL5 by Update 1.

In conclusion, this tool has some use outside of MLS environments and might be something an Admin wants to play around with.

danwalsh

2007-12-03 12:14 am (UTC)

They actually look at different directories using the same path.  So user a looking at /tmp sees a different directory than user b looking at /tmp.
