I should fix sub program, segatex alert audit, which is a independent c program should pop up alert notice when violation occurs.
I wrote this one hoping to be like setroubleshoot.
But in fact, I have scarce knowledge on kernel which I found file-oriented alert program.
In a sense it's OK, but when it comes to the real world, it is not working well.
I make it pops up every several seconds or minutes when some file stamp which I created differs from former one.

So, I should re-write this totally to co-ordinate with kernel thing and alert properly.

Maybe I should ask kernel masters like Mr. J.M. or other people I respect.

Thanks to the help from them, I evolved from several years ago and now I can write c++ program allright, so maybe I will be happy to contribute more to the security world.

My job is security itself, you know that...

Almost all SELInux problems fall into one of the following three categories.  While this might be an over simplification, I think it is a good thing for a new user to understand.

1. SELinux is all about labeling
Every process and object on the machine has a label associated with it, if your files are not labeled correctly access might be denied. 

If a file is mislabeled a confined application might not be allowed access to the mislabeled file.  If an executable is mislabeled, it may not transition to the correct label when executing, causing access violations and potentially causing it to  mislabel files it creates.  Processes and objects on the machines have labels.  If the labeling is correct everything should work.  Sometimes an admin decides to change the default labeling on the system.  If an admin wants to store  apache web pages in a unusual location, /srv/myweb.  The admin needs to tell SELinux that the files stored there need to be accessible to the web server process.  He does this by setting the labeling correctly in the system.   The apache process is allowed to access files labeled httpd_sys_content_t.

# semanage fcontext -a -t httpd_sys_content_t '/srv/myweb(/.*)?'

This command tells the SELinux datastore that the /src/myweb directory and all files under it should be  labeled httpd_sys_content_t.  Tools like restorecon and rpm read this datastore when they are labeling or relabeling files.  Note, however that the semanage command will not change the actual labels on files on your machine.  You still need to execute restorecon to fix the labels.

# restorecon -R /srv/myweb

restorecon reads the SELinux datastore to determine how files under /srv/myweb  should be labeled and then fixes them.

# matchpathcon /srv/myweb

matchpathcon reads the SELinux datastore and prints the default label for the specified path

2. You have to tell SELinux about how a confined process is being run.
A confined process/application can be run in many different ways.   You need to tell SELinux about how you are configuring the application to run, so SELinux will allow it the proper access.  SELinux does not do this automatically,  SELinux has builtin if/then/else rules called booleans that allow you to tweak the predefined rules to allow different access.  If  you set up you apache web server to talk to a mysql server, you need to set a boolean to tell SELinux this is ok.  You can do this with the setsebool command.

# setsebool -P httpd_can_network_connect_db 1

Tools like system-config-selinux or getsebool -a will list all of the possible booleans.  On the latest Fedora systems you can run SELinux error messages (avc)  through audit2allow -w (audit2why).  This checks to see if any boolean could be set to allow the access.  setroubleshoot is also pretty good at diagnosing problems.

3.  SELinux rules are evolving and applications are sometimes broken

General errors in policy or applications can cause SELInux access denials.  Sometimes an application is just broken or the SELinux policy has never seen the confined application run the code path that it is running.  While the application is working correctly, SELinux is denying it access.  You can add custom policy to your system simply by piping the SELinux error messages through audit2allow.  Say a new version of postgresql comes out that SELinux is mistakenly denying access to a resource which it should be allowed to access.  You can use audit2allow to build a custom policy module that can be installed on your system to allow the access.

# grep postgresql /var/log/audit/audit.log | audit2allow -R -M mypostgresql

This command will generate a local policy module which will allow all accesses that are currently being denied..

# semodule -i mypostgresql.pp

This command installs the local policy modifications to your system.  You probably want to report the SELinux errors to bugzilla or a mailing list so your local modifications can be added to the distribution's policy or upstream.

公開された。 http://www.atmarkit.co.jp/fsecurity/special/127ottawa/ottawa01.html 金曜はCELFでオタワの様子を紹介予定です。意外とオタワ後のイベントが多いです。 http://tree.celinuxforum.org/CelfPubWiki/JapanTechnicalJamboree22

http://selinuxnews.org/wp/index.php/2008/08/21/opensuse-111-to-enable-selinux/ SuSEもSELinuxサポートを入れるらしい。 AppArmor、本格的に活動低下なのだろうか。。。。

http://www.atmarkit.co.jp/news/200808/25/redhat.html targetedポリシだったら、SSHのアカウント取られてログインされたら、SELinux使ってようと意味無かったりするし。。。

In a comment on my AppArmor is dead post [1] someone complained that SE Linux is not “Unixish“.

The security model in Unix is almost exclusively Discretionary Access Control (DAC) [2]. This means that any process that owns a resource can grant access to the resource to other processes without restriction. For example a user can run “chmod 777 ~” and grant every other user on the system the ability to access their files (and take over their account by modifying ~/.login and similar files). I say that it’s almost exclusively DAC because there are some things that a user can not give away, for example they can not permit a program running under a different non-root UID to ptrace their processes. But for file and directory access it’s entirely discretionary.

SE Linux is based around the concept of Mandatory Access Control (MAC) [3]. This means that the system security policy (as defined by the people who developed the distribution and the local sysadmin) can not be overridden by the user. When a daemon is prevented from accessing files in a user’s home directory by the SE Linux policy and the user is not running in the unconfined_t domain there is no possibility of them granting access.

SE Linux has separate measures for protecting integrity and confidentiality. An option is to use MultiLevel Security (MLS) [4], but a more user-friendly option is MCS (Multi-Category Security).

The design of SE Linux is based on the concept of having as much of the security policy as possible being loaded at boot time. The design of the Unix permissions model was based on the concept of using the minimal amount of memory at a time when 1M of RAM was a big machine. An access control policy is comprised of two parts, file labels (which is UID, GID, permissions, and maybe ACLs for Unix access controls and a “security context” for SE Linux) and a policy which determines how those file labels are used. The policy in the Unix system is compiled into the kernel and is essentially impossible to change. The SE Linux policy is loaded at boot time, and the most extreme changes to the policy will at most require a reboot.

The policy language used for SE Linux is based on the concept of deny by default (everything that is not specifically permitted is denied) and access controls apply to all operations. The Unix access control is mostly permissive and many operations (such as seeing more privileged processes in the output of “ps”) can not be denied on a standard Unix system.

So it seems that in many ways SE Linux is not “Unixish”, and it seems to me that any system which makes a Unix system reasonably secure could also be considered to be “not Unixish”. Unix just wasn’t designed for security, not that it is bad by the standards of modern server and desktop OSs.

Of course many of the compromises in the design of Unix (such as having all login sessions recorded in a single /var/run/utmp file and having all user accounts stored in a single /etc/passwd file) impact SE Linux systems. But some of them can be worked around, and others will be fixed eventually.

• [1] http://etbe.coker.com.au/2008/08/23/apparmor-is-dead/


• [2] http://en.wikipedia.org/wiki/Discretionary_Access_Control


• [3] http://en.wikipedia.org/wiki/Mandatory_access_control


• [4] http://en.wikipedia.org/wiki/Multilevel_security

Share This

From the 13th to the 14th of August my Play Machine [1] was offline. There was a power failure for a few seconds and the machine didn’t boot correctly. As I had a lot of work to do I left it offline for a day before fixing it. The reason it didn’t boot was that due to an issue with the GRUB package it was trying to boot a non-Xen kernel with Xen, this would cause the Xen Dom0 load to abort and it would then reboot after 5 seconds - and automatically repeat the process. The problem is that update-grub in Lenny will generate boot entries for Xen kernels to boot without Xen and for non-Xen kernels to boot with Xen.

Two days ago someone launched a DOS attack on my Play Machine and I’ve only just put it back online. I’ve changed the ulimit settings a bit, that won’t make DOS attacks impossible, just force the attacker to use a little bit more effort.

• [1] http://www.coker.com.au/selinux/play.html

Share This

For some time there have been two mainstream Mandatory Access Control (MAC) [1] systems for Linux. SE Linux [2] and AppArmor [3].

In late 2007 Novell laid off almost all the developers of AppArmor [4] with the aim of having the community do all the coding. Crispin Cowan (the founder and leader of the AppArmor project) was later hired by Microsoft, which probably killed the chances for ongoing community development [5]. Crispin has an MSDN blog, but with only one post so far (describing UAC) [6], hopefully he will start blogging more prolifically in future.

Now SUSE is including SE Linux support in OpenSUSE 11.1 [7]. They say that they will not ship policies and SE Linux specific tools such as “checkpolicy”, but instead they will be available from “repositories”. Maybe this is some strange SUSE thing, but for most Linux users when something is in a “repository” then it’s shipped as part of the distribution. The SUSE announcement also included the line “This is particularly important for organizations that have already standardized on SELinux, but could not even test-drive SUSE Linux Enterprise before without major work and changes“. The next step will be to make SE Linux the default and AppArmor the one that exists in a repository, and the step after that will be to remove AppArmor.

In a way it’s a pity that AppArmor is going away so quickly. The lack of competition is not good for the market, and homogenity isn’t good for security. But OTOH this means more resources will be available for SE Linux development which will be a good thing.

• [1] http://en.wikipedia.org/wiki/Mandatory_access_control


• [2] http://www.nsa.gov/selinux/


• [3] http://en.wikipedia.org/wiki/Apparmor


• [4] http://news.cnet.com/8301-13580_3-9796140-39.html


• [5] http://blogs.msdn.com/michael_howard/archive/2008/01/17/crispin-cowan-joins-the-windows-security-team.aspx


• [6] http://blogs.msdn.com/crispincowan/default.aspx


• [7] http://news.opensuse.org/2008/08/20/opensuse-to-add-selinux-basic-enablement-in-111/

Share This

Foi anunciado na lista opensuse.devel que o SELinux será disponibilizado a partir da versão 11.1 do openSUSE Linux. O AppArmor ainda será a opção default.

Link para o anúncio:

http://article.gmane.org/gmane.linux.suse.opensuse.devel/16096

先日のオタワの土産話をしてきた。国際会議にチャレンジしたい気分な人が増えればと思います。 会場の楽天さんはとても立派かつスタッフの方々も沢山手伝ってくれていた。楽天さん凄い。 KaiGaiさんの話 ピザの前後、KaiGaiさんが話をしていたが、お腹が空いていて、 かれいにスルーしてしまいました。ごめんなさい。 PHPのスレッドごとにドメインを割り当て、SQLインジェクションの被害を防げるらしい。 KaiGaiさんの話を試せるサイト： http://kaigai.myhome.cx/index.php ...

How to build libvirt from git on Fedora:

mkdir ~/rpmbuild

(cd ~/rpmbuild && mkdir BUILD BUILDROOT RPMS SOURCES SPECS SRPMS)

git clone git://git.et.redhat.com/libvirt.git

cd libvirt

git checkout -b mystuff

export AUTOBUILD_INSTALL_ROOT=$HOME/builder

./autobuild.sh

The above will clone the tree, checkout a branch to hack on, build and test the code, then generate source and binary RPMS. You'll also be set then to do local manual builds.

Thanks to danpb for clues.

At the moment there are ongoing security issues related to web based services and DNS hijacking. the Daily Ack has a good summary of the session hijacking issue [1].

For a long time it has been generally accepted that you should configure a DNS server to not allow random machines on the Internet to copy the entire zone. Not that you should have any secret data there anyway, but it’s regarded as just a precautionary layer of security by obscurity.

Dan Kaminsky (who brought the current DNS security issue to everyone’s attention) has described some potential ways to alleviate the problem [2]. One idea is to use random case in DNS requests (which are case insensitive but case preserving), so if you were to lookup wWw.cOkEr.CoM.aU and the result was returned with different case then you would know that it was forged.

Two options which have been widely rejected are using TCP for DNS (which is fully supported for the case where an answer can not fit in a single UDP packet) and sending requests twice (to square the number of combinations that would need to be guessed). They have been rejected due to the excessive load on the servers (which are apparently already near capacity).

One option that does not seem to get mentioned is the possibility to use multiple source IP addresses, so instead of merely having 2^16 ports to choose from you could multiply that by as many IP addresses as you have available. In the past I’ve worked for ISPs that could have dedicated a /22 (1024 IP addresses) to their DNS proxy if it would have increased the security of their customers - an ISP of the scale that has 1024 spare IP addresses available is going to be a major target of such attacks! Also with some fancy firewall/router devices it would not be impossible to direct all port 53 traffic through the DNS proxies. That would mean that an ISP with 200,000 broadband customers online could use a random IP address from that pool of 200,000 IP addresses for every DNS request. While attacking a random port choice out of 65500 ports is possible, if it was 65500 ports over a pool of 200,000 IP addresses it would be extremely difficult (I won’t claim it to be impossible).

One problem with the consideration that has been given to TCP is that it doesn’t account for the other uses of TCP, such as for running DNS secondaries.

In Australia we have two major ISPs (Telstra and Optus) and four major banks (ANZ, Commonwealth, NAB, and Westpac). It shouldn’t be difficult for arrangements to be made for the major ISPs to have their recursive DNS servers (the caching servers that their customers talk to) act as slaves for the DNS zones related to those four banks (which might be 12 zones or more given the use of different zones for stock-broking etc). If that was combined with a firewall preventing the regular ISP customers (the ones who are denied access to port 25 to reduce the amount of spam) from receiving any data from the Internet with a source port of 53 then the potential for attacks on Australian banks would be dramatically decreased. I note that the Westpac bank has DNS secondaries run by both Optus and Telstra (which makes sense for availability reasons if nothing else), so it seems that the Telstra and Optus ISP services could protect their customers who use Westpac without any great involvement from the bank.

Banks have lots of phone lines and CTI systems. It would be easy for each bank to have a dedicated phone number (which is advertised in the printed phone books, in the telephone “directory assistance” service, and in brochures available in bank branches - all sources which are more difficult to fake than Internet services) which gave a recorded message of a list of DNS zone names and the IP addresses for the master data. Then every sysadmin of every ISP could mirror the zones that would be of most use to their customers.

Another thing that banks could do would be to create a mailing list for changes to their DNS servers for the benefit of the sysadmins who want to protect their customers. Signing mail to such a list with a GPG key and having the fingerprint available from branches should not be difficult to arrange.

Another possibility would be to use the ATM network to provide security relevant data. Modern ATMs have reasonably powerful computers which are used to display bank adverts when no-one is using them. Having an option to press a button on the ATM to get a screen full of Internet banking security details of use to a sysadmin should be easy to implement.

For full coverage (including all the small building societies and credit unions) it would be impractical for every sysadmin to have a special case for every bank. But again there is a relatively easy solution. A federal agency that deals with fraud could maintain a list of zone names and master IP addresses for every financial institution in the country and make it available on CD. If the CD was available for collection from a police station, court-house, the registry of births, deaths, and marriages, or some other official government office then it should not have any additional security risks. Of course you wouldn’t want to post such CDs, even with public key signing (which many people don’t check properly) there would be too much risk of things going wrong.

In a country such as the US (which has an unreasonably large number of banks) it would not be practical to make direct deals between ISPs and banks. But it should be practical to implement a system based on a federal agency distributing CDs with configuration files for BIND and any other DNS servers that are widely used (is any other DNS server widely used?).

Of course none of this would do anything about the issue of Phishing email and typo domain name registration. But it would be good to solve as much as we can.

• [1] http://www.dailyack.com/2008/08/cookie-hijacking.html


• [2] http://www.doxpara.com/?p=1215

Share This