16:58:06 #startmeeting
16:58:06 Meeting started Sun Jan 30 16:58:06 2011 UTC. The chair is tflink. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:58:06 Useful Commands: #action #agreed #halp #info #idea #link #topic.
16:59:25 ==> waiting for the next meeting to start - Writing SELinux Policy
17:02:44 there aren't many people in the world who actually write SELinux policy
17:02:52 I bet most of you won't actually write policy
17:03:00 what is the goal of a policy writer?
17:03:08 to make things work securely
17:03:25 for example, if I was writing apache policy, I would want to be able to run CGIs, read files, etc.
17:03:36 SELinux policy is written in M4 macros
17:03:45 every policy is in a module and every module has a name
17:03:59 the policy we're going to be writing is for rwhod
17:04:38 now we get into the most important part of SELinux, which is a type enforcement language
17:04:41 so we need to find types
17:04:54 everything on a selinux system has a type - processes, files, etc.
17:05:05 you can't put a process label on a file, or a file type on a process
17:05:36 the way that I look at types when I'm writing a policy, it's kind of like C, defining the types that you're going to use in the policy
17:06:16 or if you are going to use external types, use the gen_require() macro, which requires the type to be installed on a system for the module to be installed
17:06:34 I think this sucks, since the compiler should figure this out for you, but that isn't the way it was written
17:06:49 most of you have probably seen the allow rule (which is the most common)
17:07:10 a group could be one of COMMAND SOURCETYPE TARGETTYPE:CLASS PERMS;
17:07:25 neverallow is not a deny
17:07:55 if you use neverallow and write something to allow it, the compiler would blow up
17:08:03 most are allow or dontaudit
17:09:39 auditallow - allows access but message is allowed (shouldn't use this in general, most systems have more power than that)
17:10:09 allow user_t etc_t:file {}
17:10:30 * he is going through some examples on a slide
17:11:01 There are many different classes like file, dir, sock_file, etc.
17:11:41 #addchair tflink
17:11:45 you can use some macros to save typing (read_file_perms is one)
17:12:08 #chair tflink
17:12:08 Current chairs: nb tflink
17:12:08 but all of the SELinux policy gets installed
17:12:26 an attribute is a way to group policy rules
17:12:38 it is a way of grouping a lot of types together
17:12:51 so you can add an attribute after a policy
17:13:04 the next one that you see a lot is interfaces
17:13:14 they are policy function calls
17:13:51 it's sort of like a function call, so that instead of writing all of the policies for apache to do the stuff that pam does, we can write them once and use them like function calls from both pam and apache
17:14:13 * he is explaining some lines of SELinux
17:14:38 so where are all of these things defined?
in the include directory
17:14:52 slide is a SELinux policy generation tool for eclipse
17:15:03 but everything is under /usr/share/selinux/include
17:15:22 that is a very quick overview of what you can put in policies
17:15:43 there is a lot more, but you would get more confused if you aren't already
17:16:13 policies are kind of like kernel modules in that when you install a module, everything is recompiled before it is loaded
17:16:18 which is why adding a module takes so long
17:16:32 there are three components to a policy module
17:16:46 type enforcement (TE) file - contains all of the rules used to confine your application
17:17:02 the file context (FC) file - contains the regular expression mappings for on-disk file contexts
17:17:24 Interface (if) files - contain the interfaces defined for other confined applications to interact with your confined application
17:17:36 when everything is bundled up, you end up with a policy package (pp)
17:18:03 when you're installing policy packages, you can use a makefile (there is another command but it's not easy to remember)
17:18:13 make -f /usr/share/selinux/devel/Makefile
17:18:39 to install the policy, use seallow
joke: a lot of what you need to do with computers can be learned from shampoo
17:19:10 "Lather, Rinse, Repeat"
17:19:34 same is true with SELinux = test, generate avc messages
17:19:52 you can use audit2allow to inspect the selinux messages
17:20:06 *q - and this thing is smart enough to use file attributes and such?
17:20:25 yes, most things; you have to look at the output and decide whether it is working correctly
17:20:50 if you don't write enough interfaces, it is going to find the least privileged one
17:20:58 * when we write types, we usually use permissive mode
17:21:40 for example, stuff in rawhide will generally be permissive so that log messages would be generated but nothing is being enforced yet
17:22:24 fedora ends up being a guinea pig so that when we hit F16, we can start enforcing them
17:22:53 if you enforce too early, you end up with too much lather, rinse, repeat
17:23:20 *q - audit2allow generally builds rules based on types
17:23:40 it looks at the error messages and tries to generate rules based on the types of the actors involved in the selinux error messages
17:24:04 *q - couldn't you just grep audit logs
17:24:50 I usually look at the output from avc, and if something doesn't look right I'll look at the audit logs
17:25:06 you can try doing this yourself, or ping someone on IRC
17:25:17 just make sure that you have a unique name if you generate modules
17:25:35 *q - so this is kind of like
17:25:45 yeah, it's kind of like 2 rpm packages of the same name
17:26:19 *q - so what happens when I have something like http not serving files because a boolean is not set?
17:26:40 audit2allow is smarter than it used to be; trying to make it smart enough to detect unset booleans
17:26:51 the hardest thing about selinux policy is remembering all of this stuff
17:27:03 what do I need to type? how do I do it?
17:27:25 the US government paid MITRE corp to write a bunch of policy, but it didn't quite work
17:28:19 back in the RHEL5, FC6 timeline, you got the selinux-polgengui that generates all of the interfaces needed for an application to make the process a lot easier
17:28:37 the gui generates 4 files - te, fc, if file
17:28:47 sh file used to compile/load/set file context
17:28:53 but polgengui is not an editor
17:29:03 the required fields are name, executable and application type
17:29:25 what are you trying to do? trying to prevent an application from affecting another application
17:29:43 so you may want to create a new type when you're writing a new policy
17:30:08 the gui will ask you which files you would write to and probably try to generate a new type so that each application owns its own content
17:30:24 I used the old gui, but found that it was too much work
17:30:29 so I wrote sepolgen
17:30:43 which looks at rpm for various data
17:31:03 based on which executable is given to sepolgen
17:31:14 sepolgen is actually run by the gui
17:31:24 *q - does it recall some of the decisions you made?
17:31:42 pretty much all it's doing is searching through the RPM output for the file you are searching for
17:31:59 looking for upstream policies on that particular file
17:32:13 * screenshot of the slide editor in Eclipse
17:32:26 Slide is packaged up inside of Fedora
17:32:34 *q - is this tool in fedora
17:32:38 yes, yum install slide
17:32:47 *q - does it do any syntax checking?
17:33:05 I don't really know, I don't use it.
There are people who use it but I stick with my emacs
17:33:34 ==> starting with example at terminal and the gui
17:34:50 one of the things that the GUI does that the other tools don't is ask for the different TCP/UDP ports used by the application
17:35:37 the gui will do some simple stuff, examining the code like "writes to syslogd" to add those types of activities into the policy that is generated
17:36:06 the tool is kind of stupid, asks you whether the location is a file or a directory
17:36:14 since they don't have to exist at the time that the policy is created
17:36:57 the selinux policy gui will change depending on what you're trying to do with it
17:37:42 once the tool is done, the policy will be in the /tmp dir (at least that is where it is being read from during the example)
17:38:05 ==> going through the generated policy from the gui
17:38:42 the gui will make policies permissive by default; if you want it enforced, you need to modify the policy file
17:39:47 we always allow processes to talk to themselves via fifo files
17:39:53 which really isn't a security issue
17:40:38 *q - so that filetrans means that when a new file gets created in a dir, it would be of a certain type
17:40:47 yes, you can set it up that way
17:41:45 *q - you use the specific generated type, do you use the self type
17:41:54 no, that can only be the second parameter
17:42:35 * still going through the generated files from the rwhod example
17:43:16 one of the things that you can do with policies and interfaces is to have different interfaces for admins than for regular users
17:43:36 which is a rather advanced topic that we won't be covering here
17:44:42 *q - using -- in a .fc file is a file? why --?
17:44:51 not sure, but -d is dir, -s is socket, -- is file
17:45:34 * missed a question about ports
17:45:54 *q - so the rlogind is actually bound to port 513 in selinux policy
17:46:16 we generally try to bind services and make them enforced
17:46:50 * looking at the generated shell script for convenience methods (compile, install, etc.)
17:47:23 *q - you said that if you do semodule -i it is persistent?
17:47:30 yeah, it sticks around until you remove it
17:47:42 *q -
17:47:58 *q - how does this tool work if your app isn't a single binary?
17:48:19 all I care about is the initial program that you are going to run
17:48:38 if you are going to do something complicated, you will need more than this presentation
17:49:03 the .pp is the package that you want to ship to other people
17:49:16 *q - where would we put the .pp?
17:49:23 there is a directory under /usr/include
17:50:07 we started the program and generated errors
17:50:14 * found the errors using the aud command
17:50:31 * analyzing the errors using the ausearch command
17:50:56 here we have an avc generated by the policy (I find them hard to read)
17:51:23 * example is trying to lock a file that isn't allowed
17:52:08 aud is a script with 'audit2allow -l -a $*'
17:52:27 * still going through example of writing policy
17:53:56 * piping errors from audit.log into audit2allow to get suggestions on how to remove issues
17:54:08 grep "sth" audit.log | audit2allow
17:54:21 *q - so you're adding these rules to the policy that you already generated?
17:54:41 yeah, when it works, I'll fix it up to look like what upstream wants, but that's what I'm doing
17:54:55 now there are no errors
17:55:00 things that I didn't cover:
17:55:38 sometimes when you generate more complex policies, you need a domain transition (rwhod -> MTA etc.)
17:56:07 if you're writing for lots of domains that do different things, you might want multiple types and transitions between the domains
17:56:24 postfix is a good example; there are lots of domains and you transition between them
17:56:42 it all depends on your security goals; as your application becomes more complex you might want more types
17:57:21 so, to write the same policy the way that I would do it ...
17:57:25 * uses sepolgen
17:57:35 * showing the generated files
17:57:49 it isn't as complete as the stuff from the gui; this doesn't have the ports
17:57:56 the idea is to get you off the ground
17:58:18 but you're probably going to do this once and never again unless you do this all of the time
17:58:44 another note -> when you're writing policy, it is ALWAYS a good idea to get someone better than you to review the policy
17:58:58 check out the selinux IRC channel for help
17:59:04 ===> end of presentation
17:59:08 #endmeeting