Following up on a previous overview of Security Enhanced Linux (SELinux), this article looks more closely at the SELinux implementation in Fedora Core 3 test2 (FC3).
FC3 provides two separate SELinux policies, a default "targeted" policy and the more restrictive "strict" policy. The targeted policy focuses on a handful of specific system daemons and locks down their access while allowing the rest of the system to run using the standard Linux security mechanisms. The FC3 SELinux FAQ describes the reasoning behind the targeted policy:
There are 9 daemons currently handled by the targeted policy, all network services of various sorts (httpd, named, snmpd, etc.), and more daemons will be added to the policy in the future.
The top-level configuration file (/etc/selinux/config) for SELinux on FC3 allows one to choose which of the policies to use and also what enforcement level to use. In particular, the "permissive" level is useful for finding problems in the policy for a specific installation, as it only logs a warning when the policy would have been violated rather than denying the access. Once the policy has been adjusted, the level can be set to "enforcing", which causes SELinux to actually enforce the policy. In addition, the enforcement level can be set to "disabled", which effectively turns off SELinux. Changes made to the configuration file require a reboot to take effect, but the enforcement level can be changed on a running system using the setenforce command.
While changing the enforcement level is painless, the same is not true for changing policies. SELinux uses the extended attributes of Linux filesystems to permanently associate a security context with each file, so when policies are changed, the attributes of many files in the filesystem must be changed as well. The fixfiles command traverses the filesystem and makes the required changes based on the information in the file_contexts file associated with the policy. file_contexts maps a regular expression describing some subtree of the filesystem (possibly down to an individual file) to a security context; fixfiles (and the related setfiles command) parse this file and set the attributes accordingly. FC3 puts the SELinux configuration in the /etc/selinux directory and the specifics for each policy in /etc/selinux/<policyname>. For example, /etc/selinux/targeted/contexts/file_contexts provides the security context configuration for files in the targeted policy.
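To make the file_contexts mechanism concrete, here is an added example (not from the article or from the FC3 policy tools) that parses a constructed handful of entries in the file_contexts format, resolves a path to its context using the last-match rule that setfiles applies, and runs a "fixfiles check"-style dry run over a constructed list of current labels to report which files would be relabeled. The entries and the observed labels are assumptions made up for the example.

```python
import re
# Constructed entries in the file_contexts format ("regex [type] context"): the optional type
# limits a line to one file kind (-- regular file, -d directory); "<<none>>" means do not relabel.
SAMPLE_FILE_CONTEXTS = r"""
/.*                       system_u:object_r:default_t
/etc(/.*)?                system_u:object_r:etc_t
/etc/ntp\.conf        --  system_u:object_r:net_conf_t
/var/log/ntpstats(/.*)?   system_u:object_r:ntpd_log_t
/proc(/.*)?               <<none>>
"""

def parse_file_contexts(text):
    """Return (anchored regex, type flag or None, context) for each non-comment line."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError("malformed file_contexts line: " + line)
        # setfiles anchors every regex, so it must match the whole path
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs

def resolve_context(specs, path, ftype="--"):
    """Last matching entry wins, as in setfiles; None means 'do not relabel'."""
    winner = None
    for regex, spec_type, context in specs:
        if spec_type in (None, ftype) and regex.match(path):
            winner = context
    return None if winner == "<<none>>" else winner

def find_mislabeled(specs, observed):
    """Dry run in the spirit of 'fixfiles check': paths whose current context differs from policy."""
    report = []
    for path, ftype, current in observed:
        expected = resolve_context(specs, path, ftype)
        if expected is not None and expected != current:
            report.append((path, current, expected))
    return report

# Constructed 'ls -Z'-style observations: (path, type flag, current context)
OBSERVED = [
    ("/etc/ntp.conf", "--", "system_u:object_r:etc_t"),
    ("/var/log/ntpstats/loopstats", "--", "system_u:object_r:ntpd_log_t"),
    ("/proc/cpuinfo", "--", "system_u:object_r:proc_t"),
]
```

Running find_mislabeled(parse_file_contexts(SAMPLE_FILE_CONTEXTS), OBSERVED) flags only /etc/ntp.conf, since the more specific regular-file entry overrides the generic /etc entry while /proc is excluded by <<none>>.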
To support examining the security context of various entities in the SELinux system, the -Z command line parameter has been added to several standard utilities. The ls, ps, and id commands have been modified to display the security context of files, processes and users respectively and are very useful when diagnosing policy issues.
To get a sense of what goes into the policy configuration and how complex it is, we examined the targeted policy configuration for the ntpd program. Once the selinux-policy-targeted-sources package is installed, the configuration file for ntpd can be found in /etc/selinux/targeted/src/policy/domains/program/ntpd.te. This file specifies the access that the daemon will be allowed to have and should specify all of the system entities (files, sockets, etc.) that the program needs to access for correct operation. The level of detail required in this file is rather eye opening:
Created: October 5, 2004    Updated: October 14, 2004
Description: CUPS has an information leakage problem when printing to SMB shares requiring authentication.

Created: September 30, 2004    Updated: October 6, 2004
Description: freenet6 has a protection problem which allows the username and password to be read from a configuration file.

Created: October 6, 2004    Updated: October 6, 2004
Description: Net-acct (an IP accounting daemon) version 0.71 suffers from a temporary file vulnerability.

Created: October 4, 2004    Updated: March 28, 2005
Description: Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user).

Created: October 6, 2004    Updated: October 6, 2004
Description: Versions of PHP prior to 4.3.9 suffer from vulnerabilities which can disclose the contents of random memory to an attacker and allow uploads of files to any location writable by the web server.

Package(s): rp-pppoe, pppoe    CVE #(s): CAN-2004-0564
Created: October 4, 2004    Updated: November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.

Created: October 1, 2004    Updated: October 14, 2004
Description: A security vulnerability has been located in Samba 2.2.x <= 2.2.11 and Samba 3.0.x <= 3.0.5. A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for the connection. According to this errata, only Samba 3.0.x <= 3.0.2a contains the exploitable code.

Created: October 1, 2004    Updated: April 26, 2005
Description: sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c. An attacker could exploit these vulnerabilities to execute arbitrary code as the user running one of the sharutils programs.
Page editor: Jonathan Corbet
Copyright © 2004, Eklektix, Inc.