LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Quotes of the week

Quotes of the week

Posted Apr 20, 2006 20:58 UTC (Thu) by jeskritt (guest, #4092)
In reply to: Quotes of the week by nix
Parent article: Quotes of the week

I jsut put my boxes in permissive mode. Run them for a couple weeks like that, then dump the /var/log/audit/audit.log through the audit2allow program. This gives you the rules you need for your box to run. then:

1) Add them to your /etc/selinux/targeted/src/policy/domains/misc/local.te
2) then "make load" in the /etc/selinux/targeted/src/policy dir to load your new policy
3) file a bugzilla report with the new rules and why.

you'll need the policy sources installed

(Log in to post comments)

Quotes of the week

Posted Apr 21, 2006 9:37 UTC (Fri) by rwmj (subscriber, #5474) [Link]

When I need to configure my firewall, I first run my box in "permissive"
mode for a few weeks, connected to the internet without a firewall.
Then I look at /var/log/messages to see who's been attacking me.
Then I simply add those attackers to my firewall and go. It's so easy.

Rich.

Quotes of the week

Posted Apr 22, 2006 0:48 UTC (Sat) by erich (subscriber, #7127) [Link]

You're getting it wrong.
He's monitoring the *correct* behaviour of his system to obtain a whitelist, not monitoring *attackers* to filtert them via a firewall-like *blacklist*.

When you're talking iptables this would be using the LOG target with a rate limit, then adding approriate iptables rules for the good traffic - then setting OUTPUT to DROP by default...

Any whitelist based (read: reject by default, the only reliable approach to system security) system will need to learn what acceptable behaviour is.
AppArmor needs this kind of "training", too. Except that AFAIK they have a tool do that mostly automatically, whereas the SELinux reference policy is hand-written to make sure that only needed permissions are granted.
SELinux policy files are already very complete, they contain information for hundreds (literally, I just counted 197 policy modules) different services. And no, "ls" is not a service, it doesn't have a policy of it's own... we're talking large, mostly networking applications here.

However, not all features in all services have already been whitelisted. I guess you might not even want to whitelist all of them (thats why there are tuneables/booleans in SELinux). And every now and then you'll be using a local extension.

For example, my OpenVPN server does update the DNS server and it has a status file, which is then read by munin for statistics.

For obvious reasons, OpenVPN *by default* was not allowed to update my DNS or even write it's state file. Nor was munin allowed to read the status file (which has no common location, this is all my own scriptwork)

Quotes of the week

Posted May 14, 2006 5:50 UTC (Sun) by pimlott (guest, #1535) [Link]

You missed the joke. (Nicely done, rwmj.) He's not monitoring the *correct* behavior, he's monitoring whatever behavior his system happens to exhibit during the training period. While running in "permissive mode". So for all he knows, he's hacked six ways from Tuesday. And then he makes that behavior law. Brilliant.

He should at least put a notice on his web page: "Please don't attack me for a couple weeks. Thanks."

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds