

Inside SELinux on Fedora Core 3

October 6, 2004

This article was contributed by Jake Edge.

Following up on a previous overview of Security Enhanced Linux (SELinux), this article looks more closely at its implementation in Fedora Core 3 test2 (FC3).

FC3 provides two separate SELinux policies, a default "targeted" policy and the more restrictive "strict" policy. The targeted policy confines a handful of specific system daemons, locking down their access, while every other process runs in an unconfined domain (unconfined_t) to which the policy grants essentially everything, so the rest of the system is protected only by the standard Linux (DAC) permission checks. The FC3 SELinux FAQ describes the reasoning behind the targeted policy:

Initially, when SELinux was included in Fedora Core, the NSA strict policy was enforced. For testing purposes, this helped to find hundreds of problems in the strict policy. In addition, it became obvious that applying a single strict policy to the many environments of Fedora users was not feasible. Managing a single strict policy for anything other than default installation was going to require local expertise.

There are 9 daemons currently handled by the targeted policy, all network services of various sorts (httpd, named, snmpd, etc.) and more daemons will be added to the policy in the future.

The top-level configuration file for SELinux on FC3, /etc/selinux/config, selects which policy is loaded (SELINUXTYPE=targeted or strict) and the enforcement mode (SELINUX=enforcing, permissive or disabled). The "permissive" mode is useful for finding problems in the policy for a specific installation: the kernel logs every access the policy would have denied, but does not actually deny it. Once the policy has been adjusted, the mode can be set to "enforcing," which causes the kernel to deny whatever the policy does not allow. The "disabled" mode effectively turns SELinux off. Changes to the configuration file take effect only at the next reboot, but the mode can be switched between permissive and enforcing on a running system with setenforce 0 and setenforce 1 (getenforce reports the current mode). setenforce cannot disable or re-enable SELinux, and a system that has run with SELinux disabled creates files without security contexts, so it will need a relabel when SELinux is enabled again.

While changing the enforcement mode is painless, the same is not true for changing policies. SELinux uses extended attributes (the security.selinux attribute) in Linux filesystems to permanently associate a security context with each file, and because the two policies label the filesystem differently, switching between them means the attributes of many files must be rewritten. The fixfiles command traverses the filesystem and makes the required changes based on the information in the file_contexts file associated with the policy. Each line of file_contexts maps a regular expression describing some subtree of the filesystem (possibly down to an individual file) to a security context; the expression is anchored at both ends, an optional field between the two (such as -- for regular files or -d for directories) restricts the entry to one kind of file, and when several entries match a path the last one in the file wins. fixfiles (and the lower-level setfiles command it calls) parse this file and set the attributes accordingly; on FC3 one can also touch /.autorelabel and reboot to have the whole filesystem relabeled during startup. FC3 puts the SELinux configuration in the /etc/selinux directory and the specifics for each policy in /etc/selinux/<policyname>. For example, /etc/selinux/targeted/contexts/file_contexts provides the security context configuration for files in the targeted policy.
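The matching rule described above, as an added example that is not part of the original article or of the SELinux tools: a small POSIX shell function that classifies a path against a constructed file_contexts excerpt the way setfiles does (extended regular expressions anchored at both ends, an optional file-type field, last matching entry wins). The entries and contexts in the sample are made up for illustration (ntpd_drift_t and net_conf_t here are stand-ins, not a claim about the contents of the real FC3 file), and grep -E stands in for the regex(3) calls setfiles makes.

```shell
#!/bin/sh
# Constructed file_contexts excerpt (NOT the real FC3 file). Each entry is:
#   <regex>  [<type field>]  <context | <<none>>>
# Type field values are those setfiles understands: -- regular file,
# -d directory, -l symlink, -c char device, -b block device, -s socket, -p pipe.
FC_SAMPLE='
# comment lines and blank lines are ignored
/var/lib/ntp(/.*)?      system_u:object_r:ntpd_drift_t
/var/lib/ntp/drift  --  system_u:object_r:ntpd_drift_t
/etc(/.*)?              system_u:object_r:etc_t
/etc/ntp\.conf      --  system_u:object_r:net_conf_t
/proc(/.*)?             <<none>>
'

# match_context PATH TYPEFLAG
#   PATH      absolute path to classify
#   TYPEFLAG  the kind of file, in setfiles notation (-- regular, -d directory, ...)
# Prints the context of the LAST matching entry, "<<none>>" if the last match
# says to leave the file alone, or nothing if no entry matches.
match_context() {
    path=$1
    kind=$2
    found=''
    # A here-document (not a pipe) feeds the loop so that $found survives it.
    while read -r regex f2 f3; do
        case $regex in ''|'#'*) continue ;; esac
        # Two fields: regex + context.  Three fields: regex + type + context.
        if [ -n "$f3" ]; then
            type_field=$f2
            ctx=$f3
        else
            type_field=''
            ctx=$f2
        fi
        # A type field restricts the entry to one kind of file.
        if [ -n "$type_field" ] && [ "$type_field" != "$kind" ]; then
            continue
        fi
        # setfiles anchors every expression at both ends before matching.
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            found=$ctx
        fi
    done <<EOF
$FC_SAMPLE
EOF
    printf '%s\n' "$found"
}

# Demo: the same path can land on different entries depending on order and type.
for p in /var/lib/ntp/drift /etc/ntp.conf /proc/cpuinfo /usr/bin/nothing; do
    printf '%-22s %-4s %s\n' "$p" -- "$(match_context "$p" --)"
done
printf '%-22s %-4s %s\n' /etc/ntp.conf -d "$(match_context /etc/ntp.conf -d)"
```

Running it shows how the more specific /etc/ntp\.conf entry overrides the generic /etc(/.*)? entry only because it comes later in the file, and how the -- type field keeps it from applying to a directory of the same name. Comparing such output with what ls -Z reports is the quickest way to see why a file ended up with an unexpected context after a relabel.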

To support examining the security context of the various entities in an SELinux system, a -Z command line option has been added to several standard utilities. The ls, ps, and id commands have been modified to display the security context of files, processes and the invoking user respectively (ls -Z /etc/ntp.conf, for example, prints the file's context alongside its mode and owner), and they are very useful when diagnosing policy issues: an AVC denial in the log names a source and a target context, and these commands show which process and which file carry them.

To get a sense of what goes into the policy configuration and how complex it is, we examined the targeted policy configuration for the ntpd program. Once the selinux-policy-targeted-sources package is installed, the configuration file for ntpd can be found in /etc/selinux/targeted/src/policy/domains/program/ntpd.te. This file specifies the access that the daemon will be allowed to have and should specify all of the system entities (files, sockets, etc.) that the program needs to access for correct operation. The level of detail required in this file is rather eye opening:

  • Types are defined for the drift file and for the network port used by ntpd
  • All of the file and directory types that are used by the daemon are also specified with what access is granted for each
  • Read access is granted for the urandom device
  • Network access is granted
  • Access to bind to the udp port that it uses and socket creation access for datagram and stream sockets is granted
  • Capabilities allowing it to use the nice() system call are granted
  • etc.
It would appear that a fair amount of work went into figuring out all of the various pieces that go into this configuration for what, at first blush, would seem a fairly simple system daemon. Multiply this level of complexity by the number of daemons in a typical system and one can see why some critics of SELinux call it too complicated to be useful. On the other hand, SELinux does provide very fine grained control over access to system resources and in certain applications, that control is very desirable.
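To make the list above concrete, here is a constructed fragment in the type-enforcement (TE) language used by the *.te files under /etc/selinux/targeted/src/policy. It is an illustration written for this article of what such rules look like, not a copy of the FC3 ntpd.te: the type names (ntpd_t, ntpd_drift_t, ntpd_port_t), attributes (file_type, sysadmfile, port_type), permission-set macros (create_file_perms, r_file_perms, create_socket_perms) and domain macros (daemon_domain, can_network) follow the conventions of the FC3 example policy, but the exact set of rules in the shipped file is different.

```text
# Illustrative only: the shape of an FC3-era ntpd.te, not the shipped file.
# daemon_domain() is an m4 macro from the policy's macro library: it declares
# the ntpd_t domain and the ntpd_exec_t entry-point type and allows the init
# scripts to transition into ntpd_t when they execute that file.
daemon_domain(ntpd)

# Types carry attributes; attributes group types so generic rules elsewhere
# (for example "the administrator may read every sysadmfile") cover them.
type ntpd_drift_t, file_type, sysadmfile;   # the drift file under /var/lib/ntp
type ntpd_port_t, port_type;                # the NTP port, udp/123

# allow <source domain> <target type>:<object class> <permissions>;
allow ntpd_t ntpd_drift_t:file create_file_perms;   # read, write, create, unlink, ...
allow ntpd_t var_lib_t:dir search;                  # walk /var/lib to reach the drift file
allow ntpd_t etc_t:file r_file_perms;               # read the configuration files
allow ntpd_t urandom_device_t:chr_file r_file_perms;

# Sockets belong to the process itself (self); creating them and binding the
# named port type are separate permissions on separate classes.
allow ntpd_t self:udp_socket create_socket_perms;
allow ntpd_t self:tcp_socket create_socket_perms;
allow ntpd_t ntpd_port_t:udp_socket name_bind;
can_network(ntpd_t)                                 # macro: generic network access

# Capabilities are permissions on the process's own "capability" class;
# raising its scheduling priority with nice()/setpriority() needs CAP_SYS_NICE.
allow ntpd_t self:capability sys_nice;
```

Every access not listed is denied in enforcing mode (or logged in permissive mode), which is why a working policy for even a small daemon has to enumerate each directory it traverses, each file it touches and each socket operation it performs.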


New vulnerabilities

cups: information leak

Package(s): cups    CVE #(s): CAN-2004-0923
Created: October 5, 2004    Updated: October 14, 2004
Description: CUPS has an information leakage problem when printing to SMB shares requiring authentication.
Debian DSA-566-1 cupsys 2004-10-14
Gentoo 200410-06 cups 2004-10-09
Fedora FEDORA-2004-331 cups 2004-10-05


freenet6: file protection problem

Package(s): freenet6    CVE #(s): CAN-2004-0563
Created: September 30, 2004    Updated: October 6, 2004
Description: freenet6 has a protection problem which allows the username and password to be read from a configuration file.
Debian DSA-555-1 freenet6 2004-09-30


net-acct: temporary file vulnerability

Package(s): net-acct    CVE #(s): CAN-2004-0851
Created: October 6, 2004    Updated: October 6, 2004
Description: Net-acct (an IP accounting daemon) version 0.71 suffers from a temporary file vulnerability.
Debian DSA-559-1 net-acct 2004-10-06


netkit-telnet: invalid free pointer

Package(s): netkit-telnet    CVE #(s): CAN-2004-0911
Created: October 4, 2004    Updated: March 28, 2005
Description: Michal Zalewski discovered a bug in the netkit-telnet server (telnetd) whereby a remote attacker could cause the telnetd process to free an invalid pointer. This causes the telnet server process to crash, leading to a straightforward denial of service (inetd will disable the service if telnetd is crashed repeatedly), or possibly the execution of arbitrary code with the privileges of the telnetd process (by default, the 'telnetd' user).
Ubuntu USN-101-1 netkit-telnet 2005-03-28
Debian DSA-556-2 netkit-telnet 2004-10-18
Debian DSA-569-1 netkit-telnet-ssl 2004-10-18
Debian DSA-556-1 netkit-telnet 2004-10-02


php: information disclosure and file upload vulnerabilities

Package(s): php    CVE #(s):
Created: October 6, 2004    Updated: October 6, 2004
Description: Versions of PHP prior to 4.3.9 suffer from vulnerabilities which can disclose the contents of random memory to an attacker and allow uploads of files to any location writable by the web server.
Gentoo 200410-04 php 2004-10-06


rp-pppoe, pppoe: missing privilege dropping

Package(s): rp-pppoe, pppoe    CVE #(s): CAN-2004-0564
Created: October 4, 2004    Updated: November 15, 2005
Description: Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet driver from Roaring Penguin. When the program is running setuid root (which is not the case in a default Debian installation), an attacker could overwrite any file on the file system.
Fedora-Legacy FLSA:152794 rp-pppoe 2005-11-14
Mandrake MDKSA-2004:145 rp-pppoe 2004-12-06
Debian DSA-557-1 rp-pppoe 2004-10-04


samba: unauthorized file access

Package(s): samba    CVE #(s): CAN-2004-0815
Created: October 1, 2004    Updated: October 14, 2004
Description: A security vulnerability has been located in Samba 2.2.x <= 2.2.11 and Samba 3.0.x <= 3.0.5. A remote attacker may be able to gain access to files which exist outside of the share's defined path. Such files must still be readable by the account used for the connection.

According to this errata only Samba 3.0.x <= 3.0.2a contains the exploitable code.

Conectiva CLA-2004:873 samba 2004-10-14
Fedora-Legacy FLSA:2102 samba 2004-10-13
Debian DSA-600-1 samba 2004-10-07
SuSE SUSE-SA:2004:035 samba 2004-10-05
Red Hat RHSA-2004:498-01 samba 2004-10-04
Mandrake MDKSA-2004:104 samba 2004-10-01
Trustix TSLSA-2004-0051 samba 2004-10-01


sharutils: arbitrary code execution

Package(s): sharutils    CVE #(s): CAN-2004-1772
Created: October 1, 2004    Updated: April 26, 2005
Description: sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer overflow in shar.c, where the length of data returned by the wc command is not checked. Florian Schilhabel discovered another buffer overflow in unshar.c. An attacker could exploit these vulnerabilities to execute arbitrary code as the user running one of the sharutils programs.
Red Hat RHSA-2005:377-01 sharutils 2005-04-26
Fedora FEDORA-2005-281 sharutils 2005-04-01
Fedora FEDORA-2005-280 sharutils 2005-04-01
Ubuntu USN-102-1 sharutils 2005-03-29
Fedora-Legacy FLSA:2155 sharutils 2005-03-24
Gentoo 200410-01 sharutils 2004-10-01


Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.