<br><br><div class="gmail_quote">On Tue, Jan 31, 2012 at 1:12 PM, Lightner, Jeff <span dir="ltr"><<a href="mailto:JLightner@water.com">JLightner@water.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div link="blue" vlink="blue" lang="EN-US">
<div>
<p class="MsoNormal"><font color="navy" face="Arial"><span style="font-size:10pt;font-family:Arial;color:navy">SELinux on RHEL derived distros now has other tools to give you a clue about what is going wrong with things. In the early days I turned
it off completely because it really was not fun to figure out why it was having issues.</span></font></p></div></div></blockquote><div><br>But, but.... schlogging through audit files was such fun!!!<br><br>type=SYSCALL msg=audit(1327510110.459:52543): arch=c000003e syscall=2 success=yes exit=61 a0=7f13fb6c5a18 a1=2c1 a2=180 a3=a items=0 ppid=1 pid=5051 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="firefox" exe="/usr/lib64/firefox-3.6/firefox" subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)<br>
type=AVC msg=audit(1327510110.578:52544): avc: denied { remove_name } for pid=14074 comm="firefox" name="sessionstore-2.js" dev=dm-0 ino=21891097 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=dir<br>
type=AVC msg=audit(1327510110.578:52544): avc: denied { rename } for pid=14074 comm="firefox" name="sessionstore-2.js" dev=dm-0 ino=21891097 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file<br>
type=AVC msg=audit(1327510110.578:52544): avc: denied { unlink } for pid=14074 comm="firefox" name="sessionstore.js" dev=dm-0 ino=21889847 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file<br>
type=SYSCALL msg=audit(1327510110.578:52544): arch=c000003e syscall=82 success=yes exit=0 a0=7f13fb6c5a18 a1=7f13f9d3dce8 a2=0 a3=7f14289880c0 items=0 ppid=1 pid=14074 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="firefox" exe="/usr/lib64/firefox-3.6/firefox" subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)<br>
type=AVC msg=audit(1327510157.697:52545): avc: denied { open } for pid=10995 comm="taskldr" name="help.dir" dev=dm-0 ino=21889305 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file<br>
type=SYSCALL msg=audit(1327510157.697:52545): arch=40000003 syscall=5 per=400000 success=yes exit=21 a0=f15e1c7c a1=8000 a2=f15e1c7c a3=1 items=0 ppid=10107 pid=10995 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="taskldr" exe="/opt/ibm/lotus/notes/taskldr" subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)<br>
type=USER_ACCT msg=audit(1327510201.214:52546): user pid=14338 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'<br>
type=CRED_ACQ msg=audit(1327510201.214:52547): user pid=14338 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'<br>
type=LOGIN msg=audit(1327510201.214:52548): pid=14338 uid=0 subj=system_u:system_r:kernel_t:s0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=140<br>type=USER_START msg=audit(1327510201.214:52549): user pid=14338 uid=0 auid=0 ses=140 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'<br>
type=CRED_DISP msg=audit(1327510201.356:52550): user pid=14338 uid=0 auid=0 ses=140 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'<br>
type=USER_END msg=audit(1327510201.356:52551): user pid=14338 uid=0 auid=0 ses=140 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'<br>
type=AVC msg=audit(1327510440.709:52552): avc: denied { write } for pid=16300 comm="remmina" name=".remmina" dev=dm-0 ino=22151728 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir<br>
type=AVC msg=audit(1327510440.709:52552): avc: denied { add_name } for pid=16300 comm="remmina" name="1327509439248.remmina.P2G28V" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir<br>
type=AVC msg=audit(1327510440.709:52552): avc: denied { create } for pid=16300 comm="remmina" name="1327509439248.remmina.P2G28V" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file<br>
type=SYSCALL msg=audit(1327510440.709:52552): arch=c000003e syscall=2 success=yes exit=10 a0=1a6c080 a1=c2 a2=1b6 a3=3439303537323331 items=0 ppid=1 pid=16300 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="remmina" exe="/usr/bin/remmina" subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)<br>
type=AVC msg=audit(1327510441.033:52553): avc: denied { remove_name } for pid=16300 comm="remmina" name="1327509439248.remmina.P2G28V" dev=dm-0 ino=22151758 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir<br>
type=AVC msg=audit(1327510441.033:52553): avc: denied { rename } for pid=16300 comm="remmina" name="1327509439248.remmina.P2G28V" dev=dm-0 ino=22151758 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file<br>
type=AVC msg=audit(1327510441.033:52553): avc: denied { unlink } for pid=16300 comm="remmina" name="1327509439248.remmina" dev=dm-0 ino=22151751 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file<br>
<br><br>Makes PERFECT sense! :-)<br><br> <br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div link="blue" vlink="blue" lang="EN-US"><div><p class="MsoNormal">
<font color="navy" face="Arial"><span style="font-size:10pt;font-family:Arial;color:navy"><u></u><u></u></span></font></p>
<p class="MsoNormal"><font color="navy" face="Arial"><span style="font-size:10pt;font-family:Arial;color:navy">Also if you want to be an RHCE you’ll have to learn SELinux.<u></u><u></u></span></font></p>
</div>
<div>
<div>
<div class="MsoNormal" style="text-align:center" align="center"><font face="Times New Roman" size="3"><span style="font-size:12pt">
<hr align="center" size="2" width="100%">
</span></font></div>
<p class="MsoNormal"><b><font face="Tahoma"><span style="font-size:10pt;font-family:Tahoma;font-weight:bold">From:</span></font></b><font face="Tahoma"><span style="font-size:10pt;font-family:Tahoma"> <a href="mailto:ale-bounces@ale.org" target="_blank">ale-bounces@ale.org</a> [mailto:<a href="mailto:ale-bounces@ale.org" target="_blank">ale-bounces@ale.org</a>]
<b><span style="font-weight:bold">On Behalf Of </span></b>Jim Kinney<br>
<b><span style="font-weight:bold">Sent:</span></b> Tuesday, January 31, 2012 1:04 PM<br>
<b><span style="font-weight:bold">To:</span></b> Atlanta Linux Enthusiasts<br>
<b><span style="font-weight:bold">Subject:</span></b> Re: [ale] why I love windows</span></font><u></u><u></u></p>
</div><div><div class="h5">
<div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span style="font-size:12pt">On Tue, Jan 31, 2012 at 11:24 AM,
<a href="mailto:mike@trausch.us" target="_blank">mike@trausch.us</a> <<a href="mailto:mike@trausch.us" target="_blank">mike@trausch.us</a>> wrote:<u></u><u></u></span></font></p>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span style="font-size:12pt"><br>
<br>
Ultimately, I would like a system that enables me to do certain things<br>
without having to elevate my own privileges. There is (to my knowledge)<br>
absolutely nothing to stop a program lurking in my userspace from<br>
starting up in the window system and watching for me to gain root access<br>
in a terminal window to do nasty things before I can stop it.<br>
<br>
But if I were allowed to “aptitude update && aptitude safe-upgrade” or<br>
“emerge --sync && emerge -DNua world” without invoking root privilege,<br>
by having helpers go and request that backends kick in and do their<br>
jobs, then I never have to run “sudo” or become root. I can just type<br>
the commands and if I have the permission to run them, the backend will<br>
start up for me; if I do not have the permission to run them, the<br>
backend will return a permission denied error. And all the while,<br>
nothing can lurk in my window system and try to take advantage of a root<br>
shell while it’s in a terminal window.<u></u><u></u></span></font></p>
<div>
<div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span style="font-size:12pt"><br>
--- Mike<br clear="all">
<u></u><u></u></span></font></p>
</div>
</div>
<div>
<p class="MsoNormal"><font face="Times New Roman" size="3"><span style="font-size:12pt">I don't understand what the advantage of totally blurring the line between user and admin is. You can right now set up your non-root account to do root-ish things
with no further work other than typing the command.<br>
<br>
The hard separation exists for a reason. It's better to learn the tool chains available before embarking on a new project to reinvent the wheel. SELinux and AppArmor are very similar in concept but different in operation and practice. As you use Debian derivatives,
learn AppArmor. If you use RedHat derivatives, learn SELinux.<br>
<br>
FYI: PolicyKit is a native part of RHEL. Its purpose is to handle the process that allows a user with proper privileges to do gui-fied root-ish things. It is tied in nicely with SELinux. My laptop runs in permissive mode. My servers run in targeted mode. That
means apache can read/write ONLY apache directories (i.e. have the type httpd_sys_content_t). I can as admin make any area of the filesystem have that type and apache will be able to use that space. If I want to, I can dig way deep and allow suexec_httpd to
use particular spaces only and not be able to write to /tmp or whatever. Targeted policy is pretty easy. MLS/MCS can be the total brain-bender :-) Picture the following:<br>
<br>
Each user has multiple levels of security. Each level can "read down" and "write up" a security level. A process called "polyinstantiation" was created so that each user has multiple $HOME with different security levels. There is a /tmp for each level in use
AND it's tied to each user. So it's a private /tmp that kernel space understands as normal /tmp when a user app calls for an IO to /tmp. Each security level transition requires a login. The entire chain of logins is tracked back to the originating login. So
a user can't use a local exploit to become root and then do anything because the system knows the transition path.
<br>
<br>
Now add in MCS to further subdivide the system and processes into compartments that can each have multiple levels. So Fred works on two projects and at different levels on each. Each category can (and usually does) require a complete login process (not su)
so that polyinstantiation wakes up and does its job at each category and level.<br>
<br>
Once you know how to read the audit logs, you can track a user through what is done. By tricks such as dual logs and append-only partitions, a cracker has nearly no chance to both "do bad things" AND cover the tracks.<br>
<br>
I'll start working on the SELinux roadshow and holler when it's ready.<u></u><u></u></span></font></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12pt"><font face="Times New Roman" size="3"><span style="font-size:12pt"><br>
-- <br>
-- <br>
James P. Kinney III<br>
<br>
As long as the general population is passive, apathetic, diverted to consumerism or hatred of the vulnerable, then the powerful can do as they please, and those who survive will be left to contemplate the outcome.<br>
- <i><span style="font-style:italic">2011 Noam Chomsky<br>
<br>
<a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a></span></i><u></u><u></u></span></font></p>
</div></div></div>
</div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III<br><br>As long as the general population is passive, apathetic, diverted to
consumerism or hatred of the vulnerable, then the powerful can do as
they please, and those who survive will be left to contemplate the
outcome.<br>- <i>2011 Noam Chomsky<br><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i><br>
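<p>As an added example (not code from anyone in this thread), a small Python parser for the audit.log records quoted above: it joins each AVC denial with the SYSCALL record that shares its serial and reports, per event, the login uid the chain is tracked back to, the source and target SELinux types, the denied permissions, and whether the denial was logged next to success=yes (the permissive-mode pattern Jim's laptop shows). The sample records are copied from the message above; the field names are the real audit.log ones.</p>

```python
import re
from collections import defaultdict

# Audit records copied from the message above: serials 52544 (firefox) and 52552 (remmina).
SAMPLE_LOG = """\
type=AVC msg=audit(1327510110.578:52544): avc: denied { remove_name } for pid=14074 comm="firefox" name="sessionstore-2.js" dev=dm-0 ino=21891097 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=dir
type=AVC msg=audit(1327510110.578:52544): avc: denied { rename } for pid=14074 comm="firefox" name="sessionstore-2.js" dev=dm-0 ino=21891097 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file
type=SYSCALL msg=audit(1327510110.578:52544): arch=c000003e syscall=82 success=yes exit=0 a0=7f13fb6c5a18 a1=7f13f9d3dce8 a2=0 a3=7f14289880c0 items=0 ppid=1 pid=14074 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="firefox" exe="/usr/lib64/firefox-3.6/firefox" subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327510440.709:52552): avc: denied { write } for pid=16300 comm="remmina" name=".remmina" dev=dm-0 ino=22151728 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1327510440.709:52552): arch=c000003e syscall=2 success=yes exit=10 a0=1a6c080 a1=c2 a2=1b6 a3=3439303537323331 items=0 ppid=1 pid=16300 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="remmina" exe="/usr/bin/remmina" subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)
"""

REC_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")  # "quoted", 'quoted' or bare value
DENIED_RE = re.compile(r"denied\s+\{ ([^}]*) \}")

def parse_record(line):
    """Return (type, serial, fields, denied_perms) for one audit.log line, or None."""
    if not (m := REC_RE.match(line)):
        return None
    rtype, _ts, serial, body = m.groups()
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(body)}
    d = DENIED_RE.search(body)
    return rtype, int(serial), fields, set(d.group(1).split()) if d else set()

def summarize(log):
    """Join the AVC and SYSCALL records that share a serial into one event each."""
    events = defaultdict(lambda: {"denials": set(), "avc": {}, "syscall": {}})
    for rec in filter(None, map(parse_record, log.splitlines())):
        rtype, serial, fields, perms = rec
        if rtype == "AVC":
            events[serial]["avc"] = fields
            events[serial]["denials"] |= {f"{fields['tclass']}:{p}" for p in perms}
        elif rtype == "SYSCALL":
            events[serial]["syscall"] = fields
    out = []
    for serial, ev in sorted(events.items()):
        avc, sc = ev["avc"], ev["syscall"]
        out.append({
            "serial": serial,
            "comm": sc.get("comm") or avc.get("comm"),
            "auid": sc.get("auid"),  # login uid: the originating login the chain tracks back to
            "source_type": avc.get("scontext", "::").split(":")[2],
            "target_type": avc.get("tcontext", "::").split(":")[2],
            "denials": sorted(ev["denials"]),
            # denied in the AVC but success=yes in the SYSCALL: the kernel let the call
            # through anyway, which is what a permissive-mode box logs
            "permissive": bool(ev["denials"]) and sc.get("success") == "yes",
        })
    return out
```

On an enforcing system the same denial would pair with success=no and an exit of -13 (EACCES), so the permissive flag is a quick way to spot which hosts are only logging.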