fudcon-room-1
LOGS
16:58:06 <tflink> #startmeeting
16:58:06 <zodbot> Meeting started Sun Jan 30 16:58:06 2011 UTC.  The chair is tflink. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:58:06 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:59:25 <tflink> ==> waiting for the next meeting to start - Writing SELinux Policy
17:02:44 <tflink> there aren't many people in the world who actually write SELinux policy
17:02:52 <tflink> I bet most of you won't actually write policy
17:03:00 <tflink> what is the goal of policy writer?
17:03:08 <tflink> to make things work securely
17:03:25 <tflink> for example, if I was writing apache policy, I would want to be able to run CGIs, read files etc.
17:03:36 <tflink> SELinux policy is written in M4 macros
17:03:45 <tflink> every policy is in a module and every module has a name
17:03:59 <tflink> the policy we're going to be writing is for rwhod
17:04:38 <tflink> now we get into the most important part of SELinux which is a type enforcement language
17:04:41 <tflink> so we need to find types
17:04:54 <tflink> everything on a selinux system has a type - processes, files, etc.
17:05:05 <tflink> you can't put a process label on a file, or a file type on a process
17:05:36 <tflink> the way that I look at types when I'm writing a policy, it's kind of like C, defining your types that you're going to use in the policy
17:06:16 <tflink> or if you are going to use external types, use the gen_require() macro that requires the type to be installed on a system for the module to be installed
17:06:34 <tflink> I think this sucks, since the compiler should figure this out for you, but that isn't the way it was written
17:06:49 <tflink> most of you have probably seen the allow rule (which is the most common)
17:07:10 <tflink> a group could be one of COMMAND SOURCETYPE TARGETTYPE:CLASS PERMS;
17:07:25 <tflink> neverallow is not a deny
17:07:55 <tflink> if you use neverallow and write something to allow it, the compiler would blow up
17:08:03 <tflink> most are allow or dontaudit
17:09:39 <tflink> auditallow - allows access but message is allowed (shouldn't use this in general, most systems have more power than that)
17:10:09 <tflink> allow user_t etc_t:file {<access types>}
17:10:30 <tflink> * he is going through some examples on a slide
17:11:01 <tflink> There are many different classes like file, dir, sock_file etc.
17:11:41 <nb> #addchair tflink
17:11:45 <tflink> you can do some macros to save typing (read_file_perms is one)
17:12:08 <nb> #chair tflink
17:12:08 <zodbot> Current chairs: nb tflink
17:12:08 <tflink> but all of the SELinux policy <missed?> gets installed
17:12:26 <tflink> an attribute is a way to group policy rules
17:12:38 <tflink> it is a way of grouping a lot of types together
17:12:51 <tflink> so you can add an attribute after a policy
17:13:04 <tflink> the next one that you see a lot is interfaces
17:13:14 <tflink> they are policy function calls
17:13:51 <tflink> it's sort of like a function call so that instead of writing all of the policies for apache to do the stuff that pam does, we can write them once and use them like function calls from both pam and apache
17:14:13 <tflink> * he is explaining some likes of SELinux
17:14:38 <tflink> so where are all of these things defined? in the include directory
17:14:52 <tflink> SLIDE is an SELinux policy generation tool for Eclipse
17:15:03 <tflink> but everything is under /usr/share/selinux/include
17:15:22 <tflink> that is a very quick overview of what you can put in policies
17:15:43 <tflink> there is a lot more but you would get more confused if you aren't already
17:16:13 <tflink> policies are kind of like kernel modules in that when you install a module, everything is recompiled before it is loaded
17:16:18 <tflink> which is why adding a module takes so long
17:16:32 <tflink> there are three components to a policy module
17:16:46 <tflink> type enforcement (TE) file - contains all of the rules used to confine your application
17:17:02 <tflink> the file context (FC) file - contains the regular expression mappings for on-disk file contexts
17:17:24 <tflink> Interface (if) files - contains the interfaces defined for other confined applications, to interact with your confined application
17:17:36 <tflink> when everything is bundled up, you end up with a policy package (pp)
17:18:03 <tflink> when you're installing policy packages, you can use a makefile (there is another command but it's not easy to remember)
17:18:13 <tflink> make -f /usr/share/selinux/devel/Makefile
17:18:39 <tflink> to install the policy, use seallow <missed the last part>
17:19:03 <tflink> joke: a lot of what you need to do with computers can be learned from shampoo
17:19:10 <tflink> "Lather, Rinse, Repeat"
17:19:34 <tflink> same is true with SELinux = test, generate AVC messages
17:19:52 <tflink> you can use audit2allow to inspect the selinux messages
17:20:06 <tflink> *q - and this thing is smart enough to use file attributes and such?
17:20:25 <tflink> yes, most things, you have to look at the output and decide whether it is working correctly
17:20:50 <tflink> if you don't write enough interfaces, it is going to find the least privileged one
17:20:58 <tflink> * <missed question>
17:21:14 <tflink> when we write types, we usually use permissive mode
17:21:40 <tflink> for example, stuff in rawhide will generally be permissive so that log messages would be generated but nothing is being enforced yet
17:22:24 <tflink> fedora ends up being a guinea pig so that when we hit F16, we can start enforcing them
17:22:53 <tflink> if you enforce too early, you end up with too much lather, rinse, repeat
17:23:20 <tflink> *q - audit2allow generally builds rules based on types
17:23:40 <tflink> it looks at the error messages and tries to generate rules based on the types of the actors involved in the selinux error messages
17:24:04 <tflink> *q - couldn't you just grep audit logs
17:24:50 <tflink> I usually look at the output from avc, and if something doesn't look right I'll look at the audit logs
17:25:06 <tflink> you can try doing this yourself, or ping someone on IRC
17:25:17 <tflink> just make sure that you have a unique name if you generate modules
17:25:35 <tflink> *q - so this is kind of like <missed>
17:25:45 <tflink> yeah, it's kind of like 2 rpm packages of the same name
17:26:19 <tflink> *q - so what happens when I have something like http not serving files because boolean is not set?
17:26:40 <tflink> audit2allow is smarter than it used to be, trying to make it smart enough to detect unset booleans
17:26:51 <tflink> the hardest thing about selinux policy is remembering all of this stuff
17:27:03 <tflink> what do I need to type? how do it?
17:27:25 <tflink> the US government paid MITRE corp to write a bunch of policy but it didn't quite work
17:28:19 <tflink> back in RHEL5, FC6 timeline, you got the selinux-polgengui that generates all of the interfaces needed for an application to make the process a lot easier
17:28:37 <tflink> the gui generates 4 files - te, fc, if file
17:28:47 <tflink> sh file used to compile/load/set file context
17:28:53 <tflink> but polgengui is not an editor
17:29:03 <tflink> the required fields are name, executable and application type
17:29:25 <tflink> what are you trying to do? trying to prevent an application from affecting another application
17:29:43 <tflink> so you may want to create a new type when you're writing a new policy
17:30:08 <tflink> the gui will ask you which files you would write to and probably try to generate a new type so that each application owns its own content
17:30:24 <tflink> I used the old gui, but found that it was too much work
17:30:29 <tflink> so I wrote sepolgen
17:30:43 <tflink> which looks at rpm for various data
17:31:03 <tflink> based on which executable given to sepolgen
17:31:14 <tflink> sepolgen is actually run by the gui
17:31:24 <tflink> *q - does it recall some of the decisions you made?
17:31:42 <tflink> pretty much all its doing is searching through the RPM output for the file you are searching for
17:31:59 <tflink> looking for upstream policies on that particular file
17:32:13 <tflink> * screenshot of the SLIDE editor in Eclipse
17:32:26 <tflink> SLIDE is packaged up inside of Fedora
17:32:34 <tflink> *q - is this tool in fedora
17:32:38 <tflink> yes, yum install slide
17:32:47 <tflink> *q - does it do any syntax checking?
17:33:05 <tflink> I don't really know, I don't use it. There are people who use it but I stick with my emacs
17:33:34 <tflink> ==> starting with example at terminal and the gui
17:34:50 <tflink> one of the things that the GUI does that the other tools dont is ask for the different TCP/UDP ports used by the application
17:35:37 <tflink> the gui will do some simple stuff, examining the code like "writes to syslogd" to add those types of activities into the policy that is generated
17:36:06 <tflink> the tool is kind of stupid, asks you whether the location is a file or a directory
17:36:14 <tflink> since they don't have to exist at the time that policy is created
17:36:57 <tflink> the selinux policy gui will change depend on what you're trying to do with it
17:37:42 <tflink> once the tool is done, the policy will be in the /tmp dir (at least that is where it is being read from during example)
17:38:05 <tflink> ==> going through the generated policy from the gui
17:38:42 <tflink> the gui will make policies permissive by default, if you want it enforced, need to modify the policy file
17:39:47 <tflink> we always allow processes to talk to themselves via fifo files
17:39:53 <tflink> which really isn't a security issue
17:40:38 <tflink> *q - so that filetrans means that when a new file gets created in a dir, it would be of a certain type
17:40:47 <tflink> yes, you can set it up that way
17:41:45 <tflink> *q - you use the specific generated type, do you use the self type
17:41:54 <tflink> no, that can only be the second parameter
17:42:35 <tflink> * still going through the generated files from the rwhod example
17:43:16 <tflink> one of the things that you can do with policies and interfaces is to have different interfaces for admins than for regular users
17:43:36 <tflink> which is a rather advanced topic that we won't be covering here
17:44:42 <tflink> *q - using -- in a .fc file is a file? why --?
17:44:51 <tflink> not sure but -d is dir, -s is socket, -- is file
17:45:34 <tflink> * missed a question about ports
17:45:54 <tflink> *q - so the rlogind is actually bound to port 513 in selinux policy
17:46:16 <tflink> we generally try to bind services and make them enforced
17:46:50 <tflink> * looking at the generated shell script for convenience methods (compile, install etc.)
17:47:23 <tflink> *q - you said that if you do semodule -i it is persistent?
17:47:30 <tflink> yeah, it sticks around until you remove it
17:47:42 <tflink> *q - <can't hear>
17:47:58 <tflink> *q - how does this tool work if your app isn't a single binary?
17:48:19 <tflink> all I care about is the initial program that you are going to run
17:48:38 <tflink> if you are going to do something complicated, you will need more than this presentation
17:48:52 <tflink> <missing question>
17:49:03 <tflink> the .pp is the package that you want to ship to other people
17:49:16 <tflink> *q - where would we put the .pp?
17:49:23 <tflink> there is a directory under /usr/include
17:50:07 <tflink> we started the program and generated errors
17:50:14 <tflink> * found the errors using the aud command
17:50:31 <tflink> * analyzing the errors using the ausearch command
17:50:56 <tflink> here we have an avc generated by the policy (I find them hard to read)
17:51:23 <tflink> * example is trying to lock a file that isn't allowed
17:52:08 <tflink> aud is a script with 'audit2allow -l -a $*'
17:52:27 <tflink> * still going through example of writing policy
17:53:56 <tflink> * piping errors from audit.log into audit2allow to get suggestions on how to remove issues
17:54:08 <tflink> grep "sth" audit.log | audit2allow
17:54:21 <tflink> *q - so you're adding these rules to the policy that you already generated?
17:54:41 <tflink> yeah, when it works, I'll fix it up to look like what upstream wants but thats what I'm doing
17:54:55 <tflink> now there are no errors
17:55:00 <tflink> things that I didn't cover:
17:55:38 <tflink> sometimes when you generate more complex policies, you need domain transition (rwhod -> MTA etc.)
17:56:07 <tflink> if you're writing for lots of domains that do different things, you might want multiple types and transition between the domains
17:56:24 <tflink> postfix is a good example, there are lots of domains and you transition between the two
17:56:42 <tflink> it all depends on your security goals, as your application becomes more complex you might want more types
17:57:21 <tflink> so, to write the same policy the way that I would do it ...
17:57:25 <tflink> * uses sepolgen
17:57:35 <tflink> * showing the generated files
17:57:49 <tflink> it isn't as complete as the stuff from the gui, this doesn't have the ports
17:57:56 <tflink> the idea is to get you off the ground
17:58:18 <tflink> but you're probably going to do this once and never again unless you do this all of the time
17:58:44 <tflink> another note -> when you're writing policy, it is ALWAYS a good idea to get someone better than you to review the policy
17:58:58 <tflink> check out the selinux IRC channel for help
17:59:04 <tflink> ===> end of presentation
17:59:08 <tflink> #endmeeting