
Re: SELinux on Squeeze?



Hello again,

I installed a fresh Squeeze in a VM and activated SELinux as the wiki page recommends. It works just fine (including DHCP - I tried the default packages in Squeeze, didn't try Russell's since everything worked anyway), with just a few caveats:

- bootmisc.sh doesn't seem to contain anything related to motd anymore
- check-selinux-installation wrongly complains about postfix init script syncing chroots

I'm not sure if the "multiple" is still needed in /etc/pam.d/login in squeeze (I attached the squeeze file); it now uses a different structure, with close and open, instead of the "required" expected by the regular expression from the check-selinux-installation test. I left it untouched and it seems to work fine. Even more, paxtest is stopped from doing anything except return-to-libc with the default SELinux configuration - see attached log. I saw no difference running it as unconfined_u or user_u; the generated logs are identical in both cases. Impressive.

To convert from the targeted to the strict policy, one just has to remove the unconfined policy - did I understand this correctly? I tried "semodule -d unconfined", but this fails due to postfix needing unconfined_t.

In the meantime, Fedora has a SELinux User Manual on the documentation page linked from the Debian Wiki, apparently for Fedora 13. Their documentation is very good, and most things work in Debian just as well.

On 12/30/11 14:15, Russell Coker wrote:
> You will need to label those web server binaries as httpd_exec_t, use "semanage fcontext -a" to prevent a restorecon operation from undoing such changes. Also you might need to generate some extra policy with audit2allow if they happen to do something different to Apache. But the potential policy changes should be quite small, there really isn't much that Apache doesn't do. In many ways Apache could be regarded as the most complex daemon that we support in Debian. According to SE Linux policy the MTAs are the only competition for that. I have made more than a few changes to my "unofficial" policy packages that are specific to server operation, one that I recall is better support for NAGIOS.
I created /var/www, then restorecon -v /var/www. I stopped nginx, followed by "semodule -i /usr/share/selinux/default/apache.pp" and "semanage fcontext -a -t httpd_exec_t /usr/sbin/nginx" and started nginx again and tested it - it just works. I'm only serving static files, not sure how it would work with php_cgi started with spawn_fcgi via runit (I don't need this anyway).

Thanks,
Laurentiu

Attachment: /etc/pam.d/login (Squeeze)

#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth       optional   pam_faildelay.so  delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#
# With the default control of this module:
#   [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die]
# root will not be prompted for a password on insecure lines.
# if an invalid username is entered, a password is prompted (but login
# will eventually be rejected)
#
# You can change it to a "requisite" module if you think root may mis-type
# her login and should not be prompted for a password in that case. But
# this will leave the system as vulnerable to user enumeration attacks.
#
# You can change it to a "required" module if you think it permits to
# guess valid user names of your system (invalid user names are considered
# as possibly being root on insecure lines), but root passwords may be
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible
# that a module could execute code in the wrong domain.
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# 
# parsing /etc/environment needs "readenv=1"
session       required   pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session       required   pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the motd upon successful login
# (Replaces the `MOTD_FILE' option in login.defs)
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). 
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user 
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session    optional   pam_mail.so standard

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context. Only sessions which are
# intended to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# When the module is present, "required" would be sufficient (When SELinux
# is disabled, this returns success.)
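The mail notes that check-selinux-installation greps for a single "session required pam_selinux.so" line, while the Squeeze file above uses the bracketed control syntax with "close" as the first session rule and "open" as the last. The following checker is an added example (not the check-selinux-installation script, nor anything from Debian's or Russell's policy packages) that parses a PAM service file and accepts either form, while still flagging the two things that matter for security: placement of the close/open pair, and a control field that does not fail closed. The sample file contents are constructed to mirror the Squeeze file's structure.

```python
"""Check pam_selinux placement and control in a PAM service file.

Added example: accepts both the old single "required" line and the
Squeeze-style bracketed close/open pair.  Not part of
check-selinux-installation or any Debian package.
"""
import re

# Constructed sample mirroring the structure of the Squeeze /etc/pam.d/login.
SQUEEZE_LOGIN = """\
auth       optional   pam_faildelay.so  delay=3000000
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session       required   pam_env.so readenv=1
@include common-auth
session    required   pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
"""

# Constructed sample in the older single-line form that the regular
# expression mentioned in the mail expects.
OLD_STYLE_LOGIN = """\
session       required   pam_env.so readenv=1
session    required   pam_selinux.so multiple
session    required   pam_limits.so
"""

# type, control (either a keyword or a [bracketed] action list), module, args
LINE_RE = re.compile(
    r"^\s*(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_pam(text):
    """Return (type, control, module, args) tuples; comments and blank
    lines are skipped, @include lines are kept as ("include", ...)."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("@include"):
            rules.append(("include", None, stripped.split()[1], ""))
            continue
        m = LINE_RE.match(line)
        if m:
            rules.append((m.group("type"), m.group("control"),
                          m.group("module"), m.group("args").strip()))
    return rules


def fails_closed(control):
    """True if an unexpected module result makes the stack fail, i.e. the
    rule cannot be silently skipped the way 'optional' can."""
    if control in ("required", "requisite"):
        return True
    if control.startswith("["):
        return re.search(r"default=(bad|die)", control) is not None
    return False


def check_pam_selinux(text):
    """Return a list of findings; an empty list means the file looks right."""
    findings = []
    sessions = [r for r in parse_pam(text) if r[0] == "session"]
    selinux = [r for r in sessions if r[2] == "pam_selinux.so"]
    if not selinux:
        return ["no pam_selinux.so session rule"]
    closes = [r for r in selinux if r[3].startswith("close")]
    opens = [r for r in selinux if r[3].startswith("open")]
    if closes or opens:
        # Squeeze form: 'close' must clear lingering context before any
        # other session module runs, 'open' must be the last session rule.
        if not closes or sessions[0] != closes[0]:
            findings.append("pam_selinux.so close is not the first session rule")
        if not opens or sessions[-1] != opens[-1]:
            findings.append("pam_selinux.so open is not the last session rule")
    for r in selinux:
        if not fails_closed(r[1]):
            findings.append(
                f"pam_selinux.so control '{r[1]}' does not fail closed")
    return findings


if __name__ == "__main__":
    for name, text in (("squeeze", SQUEEZE_LOGIN), ("old", OLD_STYLE_LOGIN)):
        print(name, check_pam_selinux(text) or "ok")
```

Run against a real file with `check_pam_selinux(open("/etc/pam.d/login").read())`; rules pulled in through @include are not expanded, which matches the mail's point that only the ordering within the login file itself is at issue.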

Attachment: paxtest log

PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux debianse 2.6.32-5-686-bigmem #1 SMP Thu Nov 3 05:12:00 UTC 2011 i686 GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 12 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 16 bits (guessed)
Main executable randomisation (ET_EXEC)  : 10 bits (guessed)
Main executable randomisation (ET_DYN)   : 10 bits (guessed)
Shared library randomisation test        : 10 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 19 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 19 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Killed
