Re: SELinux survey (was RE: Stupid F7 boot loop)



On Wed, 2007-08-29 at 17:09 +0100, Alan Cox wrote:
> > Would any of you out there care to share with me any of your personal
> > experiences with SELinux being useful to you (in any way whatsoever), on
> > a single-user workstation?
> I leave it on and haven't had any problems with it for the past few
> releases. It makes a large subset of potentially exploitable holes turn
> into rather unexploitable ones and that to me is of value.

I leave it on.

I am notified by setroubleshoot when it stops something.

If I think all the errors reported by setroubleshoot are not errors,
I run a script to permit those accesses.

I got the list of commands for the script from a previous thread:


mkdir -p /root/selinux
pushd /root/selinux

declare name="${1:-local}"
declare rebuild="${2}"

if [ -z "${rebuild}" ]; then
    # Build a new module from the current audit log, picking a module
    # name that is not already used in this directory (local, local2, ...)
    declare origname="${name}"
    declare -i index=1
    while [ -e "${name}.te" ]; do
        let index++
        name="${origname}${index}"
    done

    # Generate the type enforcement source, compile and load it
    audit2allow -m ${name} -l -i /var/log/audit/audit.log > ${name}.te
    checkmodule -M -m -o ${name}.mod ${name}.te
    semodule_package -o ${name}.pp -m ${name}.mod
    semodule -i ${name}.pp
else
    # Rebuild and reload every module previously generated here
    for i in ${name}*.te; do
        checkmodule -M -m -o ${i%.te}.mod ${i}
        semodule_package -o ${i%.te}.pp -m ${i%.te}.mod
        semodule -i ${i%.te}.pp
    done
fi


My list of exceptions is kept in the directory /root/selinux.

Each time selinux or the target policy for selinux gets updated I remove
the /root/selinux directory and create a new list of exceptions when
setroubleshoot notifies me.

What I am doing requires that I look at each notification message and
decide if the message really is bogus.  If I guess wrong, I will be
creating a security hole.  My hope is that the list of notifications
remains minimal.

At this moment, I have one file, generated by the
script, /root/selinux/local.te, which contains:

module local 1.0;

require {
        type var_lib_nfs_t;
        type httpd_t;
        type system_dbusd_t;
        class dbus send_msg;
        class dir search;
}

#============= httpd_t ==============
allow httpd_t system_dbusd_t:dbus send_msg;
allow httpd_t var_lib_nfs_t:dir search;

I do not claim to know what these exceptions actually do.

I feel comfortable with these exceptions because I use iptables to white
list IP addresses that may access my computer.  If your IP address is
not on my list, for the service I want you to access, iptables is set to
drop the incoming packet from you.

Disclaimer: I want to leave selinux on.  I do not pretend to understand
how to properly control/configure selinux.  I created the script by
reading threads on this mailing list.  If the script does not work or
does something bad, please communicate problems to the mailing list.
This mailing list, or other mailing lists, will be able to give help
with selinux.  Any help from me will be the blind leading the blind.

I would appreciate comments from people who do understand selinux on
what I have done.
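An added example, not part of the original post: a review step that groups AVC denials into allow rules the way audit2allow does, then holds back any rule that would let a network-facing domain reach a sensitive type or gain write-like permissions, so the "guess wrong" case above gets a human decision instead of an automatic allow. The audit log lines and the review lists (NETWORK_DOMAINS, SENSITIVE_TARGETS, WRITE_LIKE_PERMS) are constructed assumptions; the two rules it accepts are exactly the ones in local.te above.

```python
import re
from collections import defaultdict

# Constructed audit.log lines in the kernel AVC record format (not real logs).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1188400000.123:42): avc:  denied  { send_msg } for  pid=2211 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus
type=AVC msg=audit(1188400001.456:43): avc:  denied  { search } for  pid=2211 comm="httpd" name="nfs" dev=sda2 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir
type=AVC msg=audit(1188400002.789:44): avc:  denied  { read write } for  pid=2211 comm="httpd" name="notes.txt" dev=sda2 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1188400002.789:44): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)"
                    r".*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)")

def parse_denials(log_text):
    """Yield (source type, target type, class, permission) per denied permission."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        stype = m.group("scontext").split(":")[2]  # user:role:type:level -> type
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            yield stype, ttype, m.group("tclass"), perm

def build_rules(log_text):
    """Collapse denials into allow rules keyed the way audit2allow groups them."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perm in parse_denials(log_text):
        grouped[(stype, ttype, tclass)].add(perm)
    return {key: sorted(perms) for key, perms in grouped.items()}

def format_rule(key, perms):
    stype, ttype, tclass = key
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"

# Review policy (assumption for this example): a network-facing domain reaching these
# types, or gaining these permissions, is held back for a human decision.
NETWORK_DOMAINS = {"httpd_t"}
SENSITIVE_TARGETS = {"user_home_t", "shadow_t"}
WRITE_LIKE_PERMS = {"write", "append", "create", "unlink", "add_name", "remove_name"}

def review(rules):
    """Split rules into those to compile into the module and those a human must judge."""
    allowed, flagged = [], []
    for key, perms in sorted(rules.items()):
        stype, ttype, _tclass = key
        risky = stype in NETWORK_DOMAINS and (ttype in SENSITIVE_TARGETS or WRITE_LIKE_PERMS & set(perms))
        (flagged if risky else allowed).append(format_rule(key, perms))
    return allowed, flagged
```

Feeding the real /var/log/audit/audit.log to build_rules and writing only the allowed list into the .te file keeps the script's automation while the flagged list is what setroubleshoot's notifications should be checked against.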
