 |
Recent
Articles |
Mount --bind
Most Linux and Unix file systems don't allow hard links to directories (except for the . and .. entries that mkdir creates itself).
GNOME Released With New Search
Version 2.14 of GNOME's desktop for Linux or UNIX systems contains a new integration of a desktop search bar that can search the local machine or several search engines online...
Microsoft Open Port 25 To Hackers
For once, the correct definition of hackers applies here; the new Port 25 website from Microsoft offers communications from the company's Open Source Software Lab...
Tar Wild Card Interpretation
I had this email earlier this week..."I am trying
to restore a file "\GL050". I can see it on the
tape listing, but..."
Tomorrows's
Date
At How can I find tomorrow's or yesterday's date in a script?, some anonymous person left what I consider to be a stupid comment...
Red
Hat’s New Linux Software Development Tools
San Francisco based Linux dudes Red Hat announced a "Integrated Virtualization" strategy on Tuesday. This new tool should simplify deployment in a new virtualization environment. They claim this will allow customers to deploy resources at minimal cost while maximizing utilization...
Linux
Adds OpenIB InfiniBand
Novell's soon-to-be released Linux distribution
will pack with it open source OpenIB InfiniBandsoftware,
according to the OpenIB Alliance, now called The
OpenFabrics Alliance. The inclusion opens up a wider
availability of InfiniBand to IT professionals...
Developers,
Welcome To Fight Club
Programming for long hours under deadlines with an entire company's future sometimes hanging on every line of code leads to the kind of stress that can only be relieved by beating the stuffing out of someone else.
DreamWorks Imagines Linux Development SOA
Hewlett-Packard announced DreamWorks would implement a service-oriented architecture (SOA) solution based on Linux.
Linux Software Development Benefits Healthcare
A joint effort by WorldVistA and Windows-to-Linux developer firm CodeWeavers will bring a component of the VistA health records application to Linux systems.
Google, CodeWeavers Pair On Picasa Port
Linux users have been waiting impatiently for Google, a big internal user of Linux, to port its applications to the popular open source operating system.
Novell Develops Linux Graphics, Video
Novell announced on Tuesday significant enhancements to the Xgl (X over OpenGL) graphics subsystem. Xgl is new core rendering technology for the Linux desktop that takes advantage of widely available accelerated 3D rendering hardware.
The Return Of Google OS Rumors
May as well put a hockey mask on the face of the Google operating system stories that keep cropping up; another version of the story that will not die contends an internally developed version of the Ubuntu Linux distribution from Google is in the works...
Linux Developers Tackle GPL 3
Some developers in the Linux community have taken the discussion about the new General Public License terms to a contentious point: using it for the next Linux kernel, while a greater challenge over DRM looms.
Motorola Plugs Into Linux Developer
Motorola announced plans to add Kreatel Communications to their mix. The Swedish company develops IPTV-based digital set-top boxes that utilize Linux. This move by Motorola will keep them competitive as the IPTV market continues to take off.
|
|
|
|
05.17.06
Selinux On FC5
 By
A.P. Lawrence
Selinux can be confusing, but it's ordinary and default configuration is actually pretty simple. We'll examine it on Fedora Core 5.
By default, FC5 installs Selinux in "targeted" mode. You can see this in /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
As the comments imply, only certain network daemons are affected by Selinux in this configuration. You can see which daemons are included and modify the security policies for them in a graphical tool ( System->Administration->Security Level and Firewall).
The idea here is that Selinux can prevent these daemons from misbehaving even if they escape from the ordinary permissions and controls that surround them. We'll use the httpd daemon to demonstrate this.
First, we need to turn httpd on if it isn't already:
# chkconfig httpd on
# /etc/init.d/httpd start
Next, I want to create a data directory:
# cd /var/www
# mkdir data
# chmod o+w data
Then we'll create a silly little cgi script to write something in that directory:
#!/usr/bin/perl
# this is /var/www/cgi-bin/se.pl
use CGI qw(:standard);
print header;
print "hello";
open(O, ">/var/www/data/foo");
print O "foo" or print "
Cannot $!";
print end_html;
Be sure to "chmod 755" that script. If you then visit "http://localhost/cgi-bin/se.pl", "hello" will apear on the browser screen and the file "foo" will be created in the data directory. You'd expect that, of course. But there's more going on underneath.
To see what that is, use the new "-Z" flag with "ls":
[root@localhost www]# ls -Z
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xrwx root root user_u:object_r:httpd_sys_content_t data
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t manual
drwxr-xr-x webalize root system_u:object_r:httpd_sys_content_t usage
"-Z" shows Selinux context for files. We don't need to entirely understand what this all means yet; just accept that -Z shows the details. You can also use -Z with ps:
[root@localhost www]# ps auxwZ | grep httpd
user_u:system_r:httpd_t root 27529 0.0 3.7 22616 9732 ? Ss 19:59 0:00 /usr/sbin/httpd
This shows that httpd is running in a specific selinux context (user_u:system_r:httpd_t). Again, we don't need to understand the specifics of what that means at this point.
If we look at the file "foo" that our script created, we see that it also has a context:
-rw-r--r-- apache apache user_u:object_r:httpd_sys_content_t foo
By default, files inherit selinux context from their parent directories. That's why "foo" has "user_u:object_r:httpd_sys_content_t". However, we can change it:
# cd /var/www
# chcon system_u:object_r:httpd_sys_script_exec_t data
All I'm doing there is making "data" match the "cgi-bin" directory's context.Selinux wouldn't allow httpd to write into its cgi-bin directory, so I just used that as a pattern.
If we reload the "http://localhost/cgi-bin/se.pl", it still works. The file "foo" already exists, and still has "user_u:object_r:httpd_sys_content_t". However, if we remove foo, the se.pl will now fail and complain "Cannot Bad file descriptor". Nothing else has changed: the directory permissions still allow Apache to create the file, but Selinux does not because we gave the directory a security context that httpd is not allowed to write to.
Remember, these contexts only affect daemons targetted by Selinux. Nothing else is constrained: root can still do anything it likes. However, if Selinux were NOT running just targeted daemons, even root could not bypass its security. Setting up system like that can be a little tricky (Selinux has a well deserved reputation for complexity).
*Originally published at APLawrence.com
About the Author:
A.P. Lawrence provides SCO Unix and Linux consulting services.
|
