
Security

SELinux permissive domains

By Jake Edge
October 15, 2008

Readers of this page—along with the kernel page—will not find it surprising that SELinux is a complex beast. It is, however, the dominant security framework for Linux, pushed hard by Red Hat, but also being adopted, slowly, by SUSE, Ubuntu, and others. Over the years, through lots of hard work, it has become somewhat less complex, at least for administrators; a new feature, called permissive domains, will help further ease the administration of SELinux-enabled systems.

These days, SELinux has two modes, the aptly named enforcing and permissive modes. When in enforcing mode, SELinux will not allow operations that are not permitted by the policy, whereas in permissive mode, a violation is just logged and the operation is allowed to continue. Administrators trying to track down an SELinux problem with an application—whether a real security issue or just a problem with the policy—can put the system into permissive mode, then study the logs to determine what policies are being violated. Or they can use audit2allow to make those policy changes for them.

Until permissive domains, though, the choice between permissive and enforcing was binary for the entire system. By putting a system into permissive mode, various attacks that SELinux might normally stop on other applications would instead just be logged. With permissive domains, a single process, or group of related processes, can be marked as permissive, while the rest of the system stays in enforcing mode.

Red Hat SELinux hacker Dan Walsh describes permissive domains on his blog. One of the motivations is to help third-party software developers feel more comfortable about shipping SELinux policy with their application:

Another problem SELinux has is that third party software companies want to ship with SELinux policy for their software but do not trust that they have tested it well enough to run their confined applications in enforcing mode. I have talked to developers of stock market software that wanted to write policy for an application, distribute it to a live environment of several hundred machines, and then gather the AVCs as they happen, using this information to fine-tune their policy. After a long period of time, where they saw no AVCs, they might be willing to put their policy in enforcing mode. In RHEL5 they need to put the entire machine in permissive mode, but permissive domains solve this problem.

Permissive domains are available in recently updated Fedora 9 systems and will come standard with Fedora 10. As Walsh shows, enabling permissive mode for a domain is trivial:

    # semanage permissive -a httpd_sys_script_t

which would put all CGI scripts into permissive mode. And:

    # semanage permissive -d httpd_sys_script_t

to remove permissive mode for the CGI script domain (httpd_sys_script_t).

This is definitely a nice step forward for assisting with policy development, but there is still a lingering problem with the recommended way to generate SELinux policies. Walsh describes how that is done:

Finally, when someone wants to write policy for a new confined domain, we tell the policy writer to build a minimal policy using tools like system-config-selinux. Then we advise them to put the machine in permissive mode, run the confined application, collect the AVC messages, use audit2allow to generate new policy, and try again. Lather, rinse, repeat. This puts the entire machine at risk, since it is no longer protected by SELinux. With permissive domains, you can mark the new domain as permissive and avoid putting the machine at risk.

The problem, of course, is that blindly using audit2allow is extremely dangerous. It assumes that the application has no security problems, that all of its accesses should be permitted—if that can be assumed, what is SELinux for? By taking all of the violations and turning them into policy changes, the application, rather than the policy developer, decides on the access it requires. Using audit2allow correctly is much more complex, requiring a good understanding of SELinux and the existing policies and domains.

To be fair to Walsh, in a related post, he does warn:

Whenever you generate policy in this way you should really examine the te file for what rules audit2allow has generated and try [to] make sure they make sense, and don't open a security [hole]. It is always good to ask if the policy is good on a list like fedora-selinux. If you believe this is a bug in policy, please open a bugzilla. Then we can fix the policy for others.

The audit2allow manpage is even more explicit:

Care must be exercised while acting on the output of this utility to ensure that the operations being permitted do not pose a security threat. Often it is better to define new domains and/or types, or make other structural changes to narrowly allow an optimal set of operations to succeed, as opposed to blindly implementing the sometimes broad changes recommended by this utility. Certain permission denials are not fatal to the application, in which case it may be preferable to simply suppress logging of the denial via a dontaudit rule rather than an allow rule.

Using audit2allow is, unfortunately, the way that most SELinux policy is developed. There aren't enough SELinux experts—there may never be enough—to actually look at the code for applications and determine a priori what the policy should look like. So, testing applications by running them to determine what permissions they require is the only sane way to do it, error-prone though it may be.
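The workflow Walsh describes (collect AVCs from a permissive domain, feed them to audit2allow, repeat) and the manpage's warning that the generated rules must be examined are the reason for this added example, which is not code from LWN, from Walsh, or from the audit2allow tool itself. It parses constructed AVC audit lines, collapses them into the allow rules audit2allow would write into a .te file, reports from the kernel's permissive=N field whether each source domain was permissive (the access was only logged and went ahead) or enforcing (it was blocked), and flags the rules a reviewer should justify before accepting. The domain and file names, the sample log, and the lists of risky permissions and sensitive types are this example's own assumptions, not anything taken from the article or from audit2allow.

```python
"""Triage helper for SELinux AVC denials (added example; not LWN's, Dan
Walsh's or audit2allow's own code).

Groups raw audit lines into the allow rules audit2allow would emit, notes
whether each source domain was running permissive, and flags rules that need
a human decision before they go into a .te file.
"""
import re
from collections import defaultdict

# Constructed sample audit lines, not real log data.  The permissive=N field
# says whether the denial came from a permissive domain (1: the operation was
# only logged and went ahead) or an enforcing one (0: it was blocked).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1223678400.101:201): avc:  denied  { read } for  pid=2001 comm="myapp" name="myapp.conf" dev=sda1 ino=1101 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1223678400.102:202): avc:  denied  { getattr } for  pid=2001 comm="myapp" path="/etc/myapp.conf" dev=sda1 ino=1101 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1223678400.103:203): avc:  denied  { write } for  pid=2001 comm="myapp" name="shadow" dev=sda1 ino=1102 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1223678400.104:204): avc:  denied  { execmem } for  pid=2001 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=process permissive=1
type=AVC msg=audit(1223678400.105:205): avc:  denied  { read } for  pid=3001 comm="httpd" name="index.html" dev=sda1 ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1223678400.105:205): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:level]; policy rules are written in types.
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": None if m.group("permissive") is None else m.group("permissive") == "1",
    }


def aggregate(log_text):
    """Collapse denials into (source type, target type, class) -> permissions,
    the same shape as the allow rules audit2allow generates."""
    rules = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(rules)


def domain_modes(log_text):
    """Per source domain: 'permissive', 'enforcing', 'mixed' or 'unknown'."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        seen[rec["stype"]].add(rec["permissive"])
    names = {frozenset([True]): "permissive", frozenset([False]): "enforcing",
             frozenset([None]): "unknown"}
    return {stype: names.get(frozenset(flags), "mixed") for stype, flags in seen.items()}


def render_rule(key, perms):
    """Format a rule the way a .te file (and audit2allow) writes it."""
    stype, ttype, tclass = key
    target = "self" if ttype == stype else ttype
    perm_text = " ".join(sorted(perms))
    if len(perms) > 1:
        perm_text = "{ " + perm_text + " }"
    return f"allow {stype} {target}:{tclass} {perm_text};"


# Review heuristics (this example's own assumptions, not anything audit2allow
# knows): accesses that should be justified by the application's design, not
# accepted just because the program attempted them.
RISKY_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "relabelfrom", "relabelto", "execute", "execute_no_trans",
               "execmem", "execmod", "execstack", "execheap"}
SENSITIVE_TYPES = {"shadow_t", "security_t", "selinux_config_t", "bin_t",
                   "lib_t", "boot_t"}
SENSITIVE_CLASSES = {"capability", "process", "security", "system"}


def review(rules):
    """Return [(rule_text, reasons)], rules needing most scrutiny first;
    an empty reasons list means the heuristics raised nothing."""
    findings = []
    for key, perms in rules.items():
        stype, ttype, tclass = key
        reasons = []
        risky = sorted(perms & RISKY_PERMS)
        if risky:
            reasons.append("grants " + " ".join(risky))
        if ttype in SENSITIVE_TYPES:
            reasons.append(f"touches sensitive type {ttype}")
        if tclass in SENSITIVE_CLASSES:
            reasons.append(f"class {tclass} affects the process or system, not a file")
        findings.append((render_rule(key, perms), reasons))
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


if __name__ == "__main__":
    for stype, mode in sorted(domain_modes(SAMPLE_AUDIT_LOG).items()):
        print(f"{stype}: {mode}")
    for rule, reasons in review(aggregate(SAMPLE_AUDIT_LOG)):
        print(rule, ("  # REVIEW: " + "; ".join(reasons)) if reasons else "")
```

On the sample input the benign config read collapses to one two-permission rule with nothing flagged, while the shadow_t write and the execmem request on the application's own process come out on top of the list: exactly the rules that audit2allow would emit just as readily, and that the manpage says should become a structural policy change or a dontaudit rather than an allow. The httpd_t line shows the other half of the permissive-domain story: with permissive=0 the kernel actually blocked that access, so it was logged but never happened.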


New vulnerabilities

cups: several vulnerabilities

Package(s): cups   CVE #(s): CVE-2008-3639 CVE-2008-3640 CVE-2008-3641
Created: October 10, 2008   Updated: February 20, 2009
Description: From the Red Hat advisory:

A buffer overflow flaw was discovered in the SGI image format decoding routines used by the CUPS image converting filter "imagetops". An attacker could create a malicious SGI image file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-3639)

An integer overflow flaw leading to a heap buffer overflow was discovered in the Text-to-PostScript "texttops" filter. An attacker could create a malicious text file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-3640)

An insufficient buffer bounds checking flaw was discovered in the HP-GL/2-to-PostScript "hpgltops" filter. An attacker could create a malicious HP-GL/2 file that could, possibly, execute arbitrary code as the "lp" user if the file was printed. (CVE-2008-3641)

Alerts:
CentOS CESA-2009:0308 cups 2009-02-19
Red Hat RHSA-2009:0308-01 cups 2009-02-19
rPath rPSA-2008-0338-1 cups 2008-12-19
Gentoo 200812-11 cups 2008-12-10
Slackware SSA:2008-312-01 cups 2008-11-07
Debian DSA-1656-1 cupsys 2008-10-20
SuSE SUSE-SR:2008:021 cups, hplip, apache2-mod_php5, openldap2 2008-10-17
Ubuntu USN-656-1 cupsys 2008-10-15
Fedora FEDORA-2008-8844 cups 2008-10-16
Fedora FEDORA-2008-8801 cups 2008-10-16
Mandriva MDVSA-2008:211 cups 2007-10-10
CentOS CESA-2008:0937 cups 2008-10-10
Red Hat RHSA-2008:0937-01 cups 2008-10-10
SuSE SUSE-SR:2009:002 imlib2, valgrind, kvm, cups, lynx, xterm 2009-01-19


dbus: denial of service

Package(s): dbus   CVE #(s): CVE-2008-3834
Created: October 10, 2008   Updated: May 3, 2011
Description: From the CVE entry: The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error.
Alerts:
openSUSE openSUSE-SU-2012:1418-1 dbus 2012-10-31
SUSE SUSE-SR:2011:008 java-1_6_0-ibm, java-1_5_0-ibm, java-1_4_2-ibm, postfix, dhcp6, dhcpcd, mono-addon-bytefx-data-mysql/bytefx-data-mysql, dbus-1, libtiff/libtiff-devel, cifs-mount/libnetapi-devel, rubygem-sqlite3, gnutls, libpolkit0, udisks 2011-05-03
Red Hat RHSA-2010:0018-01 dbus 2010-01-07
CentOS CESA-2010:0018 dbus 2010-01-08
Mandriva MDVSA-2009:256 dbus 2009-10-06
CentOS CESA-2009:0008 dbus 2009-01-08
SuSE SUSE-SR:2008:027 squirrelmail, gnutls, rubygem-activerecord, rubygem-actionpack, samba, dbus-1, pdns, php5, pam_krb5 2008-12-09
Gentoo 200901-04 dbus 2009-01-11
Red Hat RHSA-2009:0008-01 dbus 2009-01-07
Debian DSA-1658-1 dbus 2008-10-22
Mandriva MDVSA-2008:213 dbus 2008-10-15
Ubuntu USN-653-1 dbus 2008-10-14
Fedora FEDORA-2008-8764 dbus 2008-10-09


exiv2: denial of service

Package(s): exiv2   CVE #(s): CVE-2008-2696
Created: October 15, 2008   Updated: October 31, 2008
Description: From the Ubuntu advisory:

Joakim Bildrulle discovered that exiv2 did not correctly handle Nikon lens EXIF information. If a user or automated system were tricked into processing a specially crafted image, a remote attacker could cause the application linked against libexiv2 to crash, leading to a denial of service. (CVE-2008-2696)

Alerts:
SuSE SUSE-SR:2008:023 graphviz, libexiv2, exiv2, tomcat5, apache-jakarta-tomcat-connectors, libgadu, opera 2008-10-31
Ubuntu USN-655-1 exiv2 2008-10-15


kernel: several vulnerabilities

Package(s): linux-2.6   CVE #(s): CVE-2008-1514 CVE-2008-3833 CVE-2008-4210 CVE-2008-4302
Created: October 14, 2008   Updated: January 8, 2009
Description: From the Debian advisory:

Jan Kratochvil reported a local denial of service vulnerability in the ptrace interface for the s390 architecture. Local users can trigger an invalid pointer dereference, leading to a system panic. (CVE-2008-1514)

The S_ISUID/S_ISGID bits were not being cleared during an inode splice, which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. Mark Fasheh reported this issue. (CVE-2008-3833)

David Watson reported an issue in the open()/creat() system calls which, under certain conditions, can be exploited by local users to obtain the privileges of a group for which they are not a member. (CVE-2008-4210)

A coding error in the splice subsystem allows local users to attempt to unlock a page structure that has not been locked, resulting in a system crash. (CVE-2008-4302)

Alerts:
Red Hat RHSA-2008:0787-01 kernel 2009-01-05
CentOS CESA-2008:0973 kernel 2008-12-17
Red Hat RHSA-2008:0973-03 kernel 2008-12-16
SuSE SUSE-SA:2008:057 kernel 2008-12-04
SuSE SUSE-SA:2008:056 kernel 2008-12-03
Ubuntu USN-679-1 linux, linux-source-2.6.15/22 2008-11-27
Mandriva MDVSA-2008:220-1 kernel 2008-11-19
CentOS CESA-2008:0972 kernel 2008-11-20
Red Hat RHSA-2008:0972-01 kernel 2008-11-19
SuSE SUSE-SR:2008:025 apache2, ipsec-tools, kernel-bigsmp, flash-player, mysql, ktorrent 2008-11-14
Red Hat RHSA-2009:0001-01 kernel 2009-01-08
CentOS CESA-2008:0957 kernel 2008-11-05
Red Hat RHSA-2008:0957-02 kernel 2008-11-04
Mandriva MDVSA-2008:220 kernel 2008-10-29
SuSE SUSE-SA:2008:051 kernel 2008-10-21
Debian DSA-1655-1 linux-2.6.24 2008-10-16
Debian DSA-1653-1 linux-2.6 2008-10-13


mon: insecure temp files

Package(s): mon   CVE #(s): CVE-2008-4477
Created: October 9, 2008   Updated: October 17, 2008
Description: mon has an insecure temporary file creation vulnerability. From the Debian alert:

Dmitry E. Oboukhov discovered that the test.alert script used in one of the alert functions in mon, a system to monitor hosts or services and alert about problems, creates temporary files insecurely, which may lead to a local denial of service through symlink attacks.

Alerts:
Mandriva MDVSA-2008:214 mon 2008-10-16
Debian DSA-1648-1 mon 2008-10-08


portage: privilege escalation

Package(s): portage   CVE #(s): CVE-2008-4394
Created: October 10, 2008   Updated: October 15, 2008
Description: From the Gentoo advisory: A search path vulnerability in Portage allows local attackers to execute commands with root privileges if emerge is called from untrusted directories.
Alerts:
Gentoo 200810-02 portage 2008-10-09


ruby: multiple vulnerabilities

Package(s): ruby   CVE #(s): CVE-2008-3905 CVE-2008-3790 CVE-2008-3443
Created: October 10, 2008   Updated: January 5, 2009
Description: From the CVE entries:

CVE-2008-3905 - resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.

CVE-2008-3790 - The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."

CVE-2008-3443 - The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows remote attackers to cause a denial of service (infinite loop and crash) via multiple long requests to a Ruby socket, related to memory allocation failure, and as demonstrated against Webrick.

Alerts:
Debian DSA-1695-1 ruby 2009-01-02
Gentoo 200812-17 ruby 2008-12-16
Ubuntu USN-691-1 ruby1.9 2008-12-16
Mandriva MDVSA-2008:226 ruby 2008-11-06
CentOS CESA-2008:0897 ruby 2008-10-24
CentOS CESA-2008:0896 ruby 2008-10-21
Red Hat RHSA-2008:0897-01 ruby 2008-10-21
Red Hat RHSA-2008:0896-01 ruby 2008-10-21
Red Hat RHSA-2008:0895-02 ruby 2008-10-21
Debian DSA-1652-1 ruby1.9 2008-10-12
Debian DSA-1651-1 ruby1.8 2008-10-12
Ubuntu USN-651-1 ruby1.8 2008-10-10
Fedora FEDORA-2008-8736 ruby 2008-10-09
Fedora FEDORA-2008-8738 ruby 2008-10-09


Events

OWASP Summit set for November in Portugal

The Open Web Application Security Project is announcing its European summit to be held November 4-7 in Algarve, Portugal. The theme of the conference is "Setting the AppSec [Application Security] agenda for 2009". "This venue hosts a diverse selection of training courses along with technical and business tracks, making it THE place to learn about web application security and the resources OWASP has available for use today."


Page editor: Jake Edge


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds