April 6th, 2006

SELinux for Dummies - Why don't people read my man pages?

I was at Linux World this week, participating in an SELinux panel discussion on the current state of SELinux.

The participants were the following:
Doc Shankar, Certified Executive IT Architect, Linux Technology Center, IBM.
Stephen Smalley, Research Scientist, National Security Agency.
Marc Hocking, Technical Architect, UK Cabinet Office, e-Government Unit.
Karl MacMillan, Technical Director, Tresys Technologies, LLC.
Daniel Walsh, Principal Software Engineer, Red Hat, Inc.
Chad Hanson, Manager, Trusted Operating Systems Development Lab, Trusted Computer Solutions, Inc.

I am attending fudcon, http://fedoraproject.org/wiki/FUDCon, this Friday April 7th. If you are in the Boston area, this is a great show and you should attend. Plus it is free. :^)

So now that I put out the excuse of why I did not post the last few days...

One of the things that proves I am an old fart is how often I am surprised that people do not look in man pages. :^(

We have several man pages written for policy packages. These pages explain the different ways of setting booleans and file contexts for a particular policy module. They are named after the domain type followed by _selinux (for example, httpd_selinux).
You can get a list of all man pages that talk about SELinux by typing "man -k selinux".

So if you type "man httpd_selinux" you will see how you could set up your httpd to be able to connect to the network, or how you can share files between both ftpd and httpd.

But we need a better mechanism to get this information out to the users. Man pages are not the solution. I have begun working on a tool that will translate AVC messages into a human-readable format. The goal is to report something like the following to the user.

SELinux logs an AVC message that looks like the following:

time->Wed Apr 5 14:38:38 2006
type=AVC_PATH msg=audit(1144262318.922:237): path="/usr/lib/flash-plugin/libflashplayer.so"
type=SYSCALL msg=audit(1144262318.922:237): arch=40000003 syscall=125 success=no exit=-13 a0=20f0000 a1=1fd000 a2=5 a3=bfca1260 items=0 pid=2714 auid=3267 uid=3267 gid=3267 euid=3267 suid=3267 fsuid=3267 egid=3267 sgid=3267 fsgid=3267 tty=(none) comm="firefox-bin" exe="/usr/lib/firefox-" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
type=AVC msg=audit(1144262318.922:237): avc: denied { execmod } for pid=2714 comm="firefox-bin" name="libflashplayer.so" dev=dm-0 ino=2803062 scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0 tclass=file

Hard to believe users find that hard to understand. :^)

But the tool will present the following to the user:

An application "firefox-bin" on your system attempted to load a library "libflashplayer.so" that requires text relocation. This is a potential security problem. Most libraries should not need this permission. Libraries are sometimes coded incorrectly and request this permission. You can configure SELinux temporarily to allow this to happen as a workaround until the library is fixed, but please file a bugzilla against package flash-plugin-7.0.63-1 to get the library corrected. Execute the following command, "chcon -t textrel_shlib_t /usr/lib/flash-plugin/libflashplayer.so" if you want to allow the application to continue.

I want to build a bunch of plugins that cover the known SELinux AVC messages and translate them. This package will then be translated into all the languages supported by Fedora/RHEL. The plugins are fairly easy python code, and I will create a bunch of them as examples. Hopefully others will submit them so we can build up a knowledge base of known AVC signatures.
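Here is a sketch, added for this write-up and not code from the tool described above, of what such a plugin framework could look like in Python: a small parser that pulls the AVC and AVC_PATH records of one audit event into a structure, a plugin registry, an execmod plugin that produces the message shown above (including the chcon workaround), and a second plugin illustrating the one-plugin-per-boolean idea for httpd network access. The audit lines embedded below are constructed samples modelled on the post's own, and the boolean name httpd_can_network_connect is the Fedora policy boolean I assume governs that case; nothing else is taken from a real tool.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed sample, modelled on the ausearch-style records quoted above.
SAMPLE_EXECMOD = """\
time->Wed Apr 5 14:38:38 2006
type=AVC_PATH msg=audit(1144262318.922:237): path="/usr/lib/flash-plugin/libflashplayer.so"
type=SYSCALL msg=audit(1144262318.922:237): arch=40000003 syscall=125 success=no exit=-13 pid=2714 auid=3267 uid=3267 comm="firefox-bin" subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
type=AVC msg=audit(1144262318.922:237): avc: denied { execmod } for pid=2714 comm="firefox-bin" name="libflashplayer.so" dev=dm-0 ino=2803062 scontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

# Constructed sample of a web server being denied an outbound TCP connection.
SAMPLE_HTTPD = """\
type=AVC msg=audit(1144262400.100:300): avc: denied { name_connect } for pid=3100 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

_EVENT_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")


@dataclass
class AVC:
    serial: str          # audit event serial, used to join AVC_PATH to AVC
    result: str          # "denied" or "granted"
    perms: Set[str]      # permissions listed between the braces
    fields: Dict[str, str]
    path: Optional[str] = None

    def type_of(self, key: str) -> str:
        """Return the type field of a user:role:type[:mls] security context."""
        parts = self.fields.get(key, "").split(":")
        return parts[2] if len(parts) >= 3 else ""


def parse_audit(text: str) -> List[AVC]:
    """Collect AVC records and attach the path from a matching AVC_PATH record."""
    paths: Dict[str, str] = {}
    avcs: List[AVC] = []
    for line in text.splitlines():
        ev = _EVENT_RE.search(line)
        if not ev:
            continue                      # e.g. the "time->" separator line
        serial = ev.group("serial")
        fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
        rtype = fields.get("type")
        if rtype == "AVC_PATH" and "path" in fields:
            paths[serial] = fields["path"]
        elif rtype == "AVC":
            pm = _PERMS_RE.search(line)
            if pm:
                avcs.append(AVC(serial, pm.group("result"), set(pm.group("perms").split()), fields))
    for avc in avcs:
        avc.path = paths.get(avc.serial)
    return avcs


Plugin = Callable[[AVC], Optional[str]]
PLUGINS: List[Plugin] = []


def plugin(fn: Plugin) -> Plugin:
    """Register a plugin; each returns a message or None if the AVC is not its case."""
    PLUGINS.append(fn)
    return fn


@plugin
def execmod_library(avc: AVC) -> Optional[str]:
    """A library that needs text relocation (the case walked through in the post)."""
    if avc.result != "denied" or "execmod" not in avc.perms or avc.fields.get("tclass") != "file":
        return None
    if avc.type_of("tcontext") == "textrel_shlib_t":
        return None               # already labelled; something else is wrong
    comm, name = avc.fields.get("comm", "?"), avc.fields.get("name", "?")
    target = avc.path or name
    return (f'An application "{comm}" on your system attempted to load a library "{name}" '
            "that requires text relocation. This is a potential security problem; most libraries "
            "should not need this permission. As a workaround until the library is fixed, execute "
            f'"chcon -t textrel_shlib_t {target}" and file a bug against the package that ships it.')


@plugin
def httpd_network_connect(avc: AVC) -> Optional[str]:
    """Boolean plugin (assumed boolean name): httpd_t denied an outbound TCP connection."""
    if avc.result != "denied" or avc.type_of("scontext") != "httpd_t":
        return None
    if avc.fields.get("tclass") != "tcp_socket" or "name_connect" not in avc.perms:
        return None
    return (f'The web server "{avc.fields.get("comm", "?")}" tried to open an outbound network connection, '
            "which the httpd policy blocks by default. If this is intended, execute "
            '"setsebool -P httpd_can_network_connect 1".')


def explain(text: str) -> List[str]:
    """Run every parsed AVC through the plugins; fall back to a generic note."""
    reports = []
    for avc in parse_audit(text):
        msg = next((m for m in (p(avc) for p in PLUGINS) if m), None)
        reports.append(msg or f"No plugin matches event {avc.serial}: {avc.result} "
                              f"{{ {' '.join(sorted(avc.perms))} }} on {avc.fields.get('tclass')}")
    return reports


if __name__ == "__main__":
    for sample in (SAMPLE_EXECMOD, SAMPLE_HTTPD):
        for report in explain(sample):
            print(report, end="\n\n")
```

Each plugin is a predicate over the parsed record plus a message template, which is what makes the knowledge base easy to grow: a new signature from the wiki list becomes one more decorated function, and a message that never matches falls through to the generic line so nothing is silently dropped.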

I have begun a list of known signatures on "http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions"

We should have one plugin for every boolean within SELinux.

We then plan to build tools that would either email this report to the administrator or have a "bugbuddy"-style application report AVC messages instantly to the administrator's desktop.