LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

LWN Weekly Edition

Front page
Security
Kernel development
Distributions
Development
Linux in the news
Announcements
->One big page

 

This page

Previous week
Following week

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Security

SELinux permissive domains

By Jake Edge
October 15, 2008

Readers of this page—along with the kernel page—will not find it surprising that SELinux is a complex beast. It is, however, the dominant security framework for Linux, pushed hard by Red Hat, but also being adopted, slowly, by SUSE, Ubuntu, and others. Over the years, through lots of hard work, it has become somewhat less complex, at least for administrators; a new feature, called permissive domains will help further ease the administration of SELinux-enabled systems.

These days, SELinux has two modes, the aptly named enforcing and permissive modes. When in enforcing mode, SELinux will not allow operations that are not permitted by the policy, whereas in permissive mode, a violation is just logged and the operation is allowed to continue. Administrators trying to track down an SELinux problem with an application—whether a real security issue or just a problem with the policy—can put the system into permissive mode, then study the logs to determine what policies are being violated. Or they can use audit2allow to make those policy changes for them.

Until permissive domains, though, the choice between permissive and enforcing was binary for the entire system. By putting a system into permissive mode, various attacks that SELinux might normally stop on other applications would instead just be logged. With permissive domains, a single process, or group of related processes, can be marked as permissive, while the rest of the system stays in enforcing mode.

Red Hat SELinux hacker Dan Walsh, describes permissive domains on his blog. One of the motivations is to help third-party software developers feel more comfortable about shipping SELinux policy with their application:

Another problem SELinux has is that third party software companies want to ship with SELinux policy for their software but do not trust that they have tested it well enough to run their confined applications in enforcing mode. I have talked to developers of stock market software that wanted to write policy for an application, distribute it to a live environment of several hundred machines, and then gather the AVCs as they happen, using this information to fine-tune their policy. After a long period of time, where they saw no AVCs, they might be willing to put their policy in enforcing mode. In RHEL5 they need to put the entire machine in permissive mode, but permissive domains solve this problem.

Permissive domains are available in recently updated Fedora 9 systems and will come standard with Fedora 10. As Walsh shows, enabling permissive mode for a domain is trivial: 

    # semanage permissive -a httpd_sys_script_t
which would put all CGI scripts into permissive mode. And: 
    # semanage permissive -d httpd_sys_script_t
to remove permissive mode for the CGI script domain (httpd_sys_script_t).

This is definitely a nice step forward for assisting with policy development, but there is still a lingering problem with the recommended way to generate SELinux policies. Walsh describes how that is done:

Finally, when someone wants to write policy for a new confined domain, we tell the policy writer to build a minimal policy using tools like system-config-selinux. Then we advise them to put the machine in permissive mode, run the confined application, collect the AVC messages, use audit2allow to generate new policy, and try again. Lather, rinse, repeat. This puts the entire machine at risk, since it is no longer protected by SELinux. With permissive domains, you can mark the new domain as permissive and avoid putting the machine at risk.

The problem, of course, is that blindly using audit2allow is extremely dangerous. It assumes that the application has no security problems, that all of its accesses should be permitted—if that can be assumed, what is SELinux for? By taking all of the violations and turning them into policy changes, the application, rather than the policy developer, decides on the access it requires. Using audit2allow correctly is much more complex, requiring a good understanding of SELinux and the existing policies and domains.

To be fair to Walsh, in a related post, he does warn:

Whenever you generate policy in this way you should really examine the te file for what rules audit2allow has generated and try [to] make sure they make sense, and don't open a security [hole]. It is always good to ask if the policy is good on a list like fedora-selinux. If you believe this is a bug in policy, please open a bugzilla. Then we can fix the policy for others.

The audit2allow manpage is even more explicit:

Care must be exercised while acting on the output of this utility to ensure that the operations being permitted do not pose a security threat. Often it is better to define new domains and/or types, or make other structural changes to narrowly allow an optimal set of operations to succeed, as opposed to blindly implementing the sometimes broad changes recommended by this utility. Certain permission denials are not fatal to the application, in which case it may be preferable to simply suppress logging of the denial via a dontaudit rule rather than an allow rule.

Using audit2allow is, unfortunately, the way that most SELinux policy is developed. There aren't enough SELinux experts—there may never be enough—to actually look at the code for applications and determine a priori what the policy should look like. So, testing applications by running them to determine what permissions they require is the only sane way to do it, error-prone though it may be.

Comments (4 posted)

New vulnerabilities

cups: several vulnerabilities

Package(s):cups CVE #(s):CVE-2008-3639 CVE-2008-3640 CVE-2008-3641
Created:October 10, 2008 Updated:February 20, 2009
Description: From the Red Hat advisory:

A buffer overflow flaw was discovered in the SGI image format decoding routines used by the CUPS image converting filter "imagetops". An attacker could create a malicious SGI image file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-3639)

An integer overflow flaw leading to a heap buffer overflow was discovered in the Text-to-PostScript "texttops" filter. An attacker could create a malicious text file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-3640)

An insufficient buffer bounds checking flaw was discovered in the HP-GL/2-to-PostScript "hpgltops" filter. An attacker could create a malicious HP-GL/2 file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-3641)

Alerts:
CentOS CESA-2009:0308 2009-02-19
Red Hat RHSA-2009:0308-01 2009-02-19
rPath rPSA-2008-0338-1 2008-12-19
Gentoo 200812-11 2008-12-10
Slackware SSA:2008-312-01 2008-11-07
Debian DSA-1656-1 2008-10-20
SuSE SUSE-SR:2008:021 2008-10-17
Ubuntu USN-656-1 2008-10-15
Fedora FEDORA-2008-8844 2008-10-16
Fedora FEDORA-2008-8801 2008-10-16
Mandriva MDVSA-2008:211 2007-10-10
CentOS CESA-2008:0937 2008-10-10
Red Hat RHSA-2008:0937-01 2008-10-10
SuSE SUSE-SR:2009:002 2009-01-19

Comments (none posted)

dbus: denial of service

Package(s):dbus CVE #(s):CVE-2008-3834
Created:October 10, 2008 Updated:May 3, 2011
Description: From the CVE entry: The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error.
Alerts:
SUSE SUSE-SR:2011:008 2011-05-03
Red Hat RHSA-2010:0018-01 2010-01-07
CentOS CESA-2010:0018 2010-01-08
Mandriva MDVSA-2009:256 2009-10-06
CentOS CESA-2009:0008 2009-01-08
SuSE SUSE-SR:2008:027 2008-12-09
Gentoo 200901-04 2009-01-11
Red Hat RHSA-2009:0008-01 2009-01-07
Debian DSA-1658-1 2008-10-22
Mandriva MDVSA-2008:213 2008-10-15
Ubuntu USN-653-1 2008-10-14
Fedora FEDORA-2008-8764 2008-10-09
openSUSE openSUSE-SU-2012:1418-1 2012-10-31

Comments (none posted)

exiv2: denial of service

Package(s):exiv2 CVE #(s):CVE-2008-2696
Created:October 15, 2008 Updated:October 31, 2008
Description:

From the Ubuntu advisory:

Joakim Bildrulle discovered that exiv2 did not correctly handle Nikon lens EXIF information. If a user or automated system were tricked into processing a specially crafted image, a remote attacker could cause the application linked against libexiv2 to crash, leading to a denial of service. (CVE-2008-2696)

Alerts:
SuSE SUSE-SR:2008:023 2008-10-31
Ubuntu USN-655-1 2008-10-15

Comments (none posted)

kernel: several vulnerabilities

Package(s):linux-2.6 CVE #(s):CVE-2008-1514 CVE-2008-3833 CVE-2008-4210 CVE-2008-4302
Created:October 14, 2008 Updated:January 8, 2009
Description: From the Debian advisory:

Jan Kratochvil reported a local denial of service vulnerability in the ptrace interface for the s390 architecture. Local users can trigger an invalid pointer dereference, leading to a system panic. (CVE-2008-1514)

The S_ISUID/S_ISGID bits were not being cleared during an inode splice, which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. Mark Fasheh reported this issue. (CVE-2008-3833)

David Watson reported an issue in the open()/creat() system calls which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. (CVE-2008-4210)

A coding error in the splice subsystem allows local users to attempt to unlock a page structure that has not been locked, resulting in a system crash. (CVE-2008-4302)

Alerts:
Red Hat RHSA-2008:0787-01 2009-01-05
CentOS CESA-2008:0973 2008-12-17
Red Hat RHSA-2008:0973-03 2008-12-16
SuSE SUSE-SA:2008:057 2008-12-04
SuSE SUSE-SA:2008:056 2008-12-03
Ubuntu USN-679-1 2008-11-27
Mandriva MDVSA-2008:220-1 2008-11-19
CentOS CESA-2008:0972 2008-11-20
Red Hat RHSA-2008:0972-01 2008-11-19
SuSE SUSE-SR:2008:025 2008-11-14
Red Hat RHSA-2009:0001-01 2009-01-08
CentOS CESA-2008:0957 2008-11-05
Red Hat RHSA-2008:0957-02 2008-11-04
Mandriva MDVSA-2008:220 2008-10-29
SuSE SUSE-SA:2008:051 2008-10-21
Debian DSA-1655-1 2008-10-16
Debian DSA-1653-1 2008-10-13

Comments (none posted)

mon: insecure temp files

Package(s):mon CVE #(s):CVE-2008-4477
Created:October 9, 2008 Updated:October 17, 2008
Description: mon has an insecure temporary file creation vulnerability. From the Debian alert:

Dmitry E. Oboukhov discovered that the test.alert script used in one of the alert functions in mon, a system to monitor hosts or services and alert about problems, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks.

Alerts:
Mandriva MDVSA-2008:214 2008-10-16
Debian DSA-1648-1 2008-10-08

Comments (none posted)

portage: privilege escalation

Package(s):portage CVE #(s):CVE-2008-4394
Created:October 10, 2008 Updated:October 15, 2008
Description: From the Gentoo advisory: A search path vulnerability in Portage allows local attackers to execute commands with root privileges if emerge is called from untrusted directories.
Alerts:
Gentoo 200810-02 2008-10-09

Comments (none posted)

ruby: multiple vulnerabilities

Package(s):ruby CVE #(s):CVE-2008-3905 CVE-2008-3790 CVE-2008-3443
Created:October 10, 2008 Updated:January 5, 2009
Description: From the CVE entries:

CVE-2008-3905 - resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.

CVE-2008-3790 - The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."

CVE-2008-3443 - The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows remote attackers to cause a denial of service (infinite loop and crash) via multiple long requests to a Ruby socket, related to memory allocation failure, and as demonstrated against Webrick.

Alerts:
Debian DSA-1695-1 2009-01-02
Gentoo 200812-17 2008-12-16
Ubuntu USN-691-1 2008-12-16
Mandriva MDVSA-2008:226 2008-11-06
CentOS CESA-2008:0897 2008-10-24
CentOS CESA-2008:0896 2008-10-21
Red Hat RHSA-2008:0897-01 2008-10-21
Red Hat RHSA-2008:0896-01 2008-10-21
Red Hat RHSA-2008:0895-02 2008-10-21
Debian DSA-1652-1 2008-10-12
Debian DSA-1651-1 2008-10-12
Ubuntu USN-651-1 2008-10-10
Fedora FEDORA-2008-8736 2008-10-09
Fedora FEDORA-2008-8738 2008-10-09

Comments (none posted)

Events

OWASP Summit set for November in Portugal

The Open Web Application Security Project is announcing its European summit to be held November 4-7 in Algarve, Portugal. The theme of the conference is "Setting the AppSec [Application Security] agenda for 2009". "This venue hosts a diverse selection of training courses along with technical and business tracks, making it THE place to learn about web application security and the resources OWASP has available for use today." Click below for the full announcement.

Full Story (comments: none)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds