[ale] why I love windows

Jim Kinney jim.kinney at gmail.com
Tue Jan 31 13:57:03 EST 2012


On Tue, Jan 31, 2012 at 1:12 PM, Lightner, Jeff <JLightner at water.com> wrote:

>   SELinux on RHEL derived distros now has other tools to give you a clue
> about what is going wrong with things.   In the early days I turned it off
> completely because it really was not fun to figure out why it was having
> issues.
>

But, but.... schlogging through audit files was such fun!!!

type=SYSCALL msg=audit(1327510110.459:52543): arch=c000003e syscall=2
success=yes exit=61 a0=7f13fb6c5a18 a1=2c1 a2=180 a3=a items=0 ppid=1
pid=5051 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501
sgid=501 fsgid=501 tty=(none) ses=1 comm="firefox"
exe="/usr/lib64/firefox-3.6/firefox"
subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327510110.578:52544): avc:  denied  { remove_name }
for  pid=14074 comm="firefox" name="sessionstore-2.js" dev=dm-0
ino=21891097 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=dir
type=AVC msg=audit(1327510110.578:52544): avc:  denied  { rename } for
pid=14074 comm="firefox" name="sessionstore-2.js" dev=dm-0 ino=21891097
scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file
type=AVC msg=audit(1327510110.578:52544): avc:  denied  { unlink } for
pid=14074 comm="firefox" name="sessionstore.js" dev=dm-0 ino=21889847
scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file
type=SYSCALL msg=audit(1327510110.578:52544): arch=c000003e syscall=82
success=yes exit=0 a0=7f13fb6c5a18 a1=7f13f9d3dce8 a2=0 a3=7f14289880c0
items=0 ppid=1 pid=14074 auid=500 uid=500 gid=501 euid=500 suid=500
fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="firefox"
exe="/usr/lib64/firefox-3.6/firefox"
subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327510157.697:52545): avc:  denied  { open } for
pid=10995 comm="taskldr" name="help.dir" dev=dm-0 ino=21889305
scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1327510157.697:52545): arch=40000003 syscall=5
per=400000 success=yes exit=21 a0=f15e1c7c a1=8000 a2=f15e1c7c a3=1 items=0
ppid=10107 pid=10995 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500
egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="taskldr"
exe="/opt/ibm/lotus/notes/taskldr"
subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1327510201.214:52546): user pid=14338 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0
msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=?
terminal=cron res=success'
type=CRED_ACQ msg=audit(1327510201.214:52547): user pid=14338 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0
msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=?
terminal=cron res=success'
type=LOGIN msg=audit(1327510201.214:52548): pid=14338 uid=0
subj=system_u:system_r:kernel_t:s0 old auid=4294967295 new auid=0 old
ses=4294967295 new ses=140
type=USER_START msg=audit(1327510201.214:52549): user pid=14338 uid=0
auid=0 ses=140 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_open
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=CRED_DISP msg=audit(1327510201.356:52550): user pid=14338 uid=0 auid=0
ses=140 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:setcred acct="root"
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1327510201.356:52551): user pid=14338 uid=0 auid=0
ses=140 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_close
acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
res=success'
type=AVC msg=audit(1327510440.709:52552): avc:  denied  { write } for
pid=16300 comm="remmina" name=".remmina" dev=dm-0 ino=22151728
scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1327510440.709:52552): avc:  denied  { add_name } for
pid=16300 comm="remmina" name="1327509439248.remmina.P2G28V"
scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1327510440.709:52552): avc:  denied  { create } for
pid=16300 comm="remmina" name="1327509439248.remmina.P2G28V"
scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1327510440.709:52552): arch=c000003e syscall=2
success=yes exit=10 a0=1a6c080 a1=c2 a2=1b6 a3=3439303537323331 items=0
ppid=1 pid=16300 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500
egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="remmina"
exe="/usr/bin/remmina"
subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327510441.033:52553): avc:  denied  { remove_name }
for  pid=16300 comm="remmina" name="1327509439248.remmina.P2G28V" dev=dm-0
ino=22151758 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1327510441.033:52553): avc:  denied  { rename } for
pid=16300 comm="remmina" name="1327509439248.remmina.P2G28V" dev=dm-0
ino=22151758 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1327510441.033:52553): avc:  denied  { unlink } for
pid=16300 comm="remmina" name="1327509439248.remmina" dev=dm-0 ino=22151751
scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


Makes PERFECT sense! :-)



>
> Also if you want to be an RHCE you’ll have to learn SELinux.
>
> ** **
>
>
>
>
>
> ------------------------------
>
> *From:* ale-bounces at ale.org [mailto:ale-bounces at ale.org] *On Behalf Of *Jim
> Kinney
> *Sent:* Tuesday, January 31, 2012 1:04 PM
> *To:* Atlanta Linux Enthusiasts
> *Subject:* Re: [ale] why I love windows
>
> On Tue, Jan 31, 2012 at 11:24 AM, mike at trausch.us <mike at trausch.us> wrote:
>
> Ultimately, I would like a system that enables me to do certain things
> without having to elevate my own privileges.  There is (to my knowledge)
> absolutely nothing to stop a program lurking in my userspace from
> starting up in the window system and watching for me to gain root access
> in a terminal window to do nasty things before I can stop it.
>
> But if I were allowed to “aptitude update && aptitude safe-upgrade” or
> “emerge --sync && emerge -DNua world” without invoking root privilege,
> by having helpers go and request that backends kick in and do their
> jobs, then I never have to run “sudo” or become root.  I can just type
> the commands and if I have the permission to run them, the backend will
> start up for me; if I do not have the permission to run them, the
> backend will return a permission denied error.  And all the while,
> nothing can lurk in my window system and try to take advantage of a root
> shell while it’s in a terminal window.
>
>
>        --- Mike
>
> I don't understand what the advantage of totally blurring the line
> between user and admin is. You can right now set up your non-root account
> to do root-ish things with no further work other than typing the command.
>
> The hard separation exists for a reason. It's better to learn the tool
> chains available before embarking on a new project to reinvent the wheel.
> SELinux and AppArmor are very similar in concept but different in
> operation and practice. As you use Debian derivatives, learn AppArmor. If
> you use RedHat derivatives, learn SELinux.
>
> FYI: PolicyKit is a native part of RHEL. Its purpose is to handle the
> process that allows a user with proper privileges to do gui-fied root-ish
> things. It is tied in nicely with SELinux. My laptop runs in permissive
> mode. My servers run in targeted mode. That means apache can read/write
> ONLY apache directories (i.e. have the type httpd_sys_content_t). I can as
> admin make any area of the filesystem have that type and apache will be
> able to use that space. If I want to, I can dig way deep and allow
> suexec_httpd to use particular spaces only and not be able to write to /tmp
> or whatever. Targeted policy is pretty easy. MLS/MCS can be the total
> brain-bender :-) Picture the following:
>
> Each user has multiple levels of security. Each level can "read down" and
> "write up" a security level. A process called "polyinstantiation" was
> created so that each user has multiple $HOME with different security
> levels. There is a /tmp for each level in use AND it's tied to each user.
> So it's a private /tmp that kernel space understands as normal /tmp when a
> user app calls for an IO to /tmp. Each security level transition requires a
> login. The entire chain of logins is tracked back to the originating login.
> So a user can't use a local exploit to become root and then do anything
> because the system knows the transition path.
>
> Now add in MCS to further subdivide the system and processes into
> compartments that can each have multiple levels. So Fred works on two
> projects and at different levels on each. Each category can (and usually
> does) require a complete login process (not su) so that polyinstantiation
> wakes up and does its job at each category and level.
>
> Once you know how to read the audit logs, you can track a user through
> what is done. By tricks such as dual logs and append-only partitions, a
> cracker has nearly no chance to both "do bad things" AND cover the tracks.
>
> I'll start working on the SELinux roadshow and holler when it's ready.
>
>
> --
> James P. Kinney III
>
> As long as the general population is passive, apathetic, diverted to
> consumerism or hatred of the vulnerable, then the powerful can do as they
> please, and those who survive will be left to contemplate the outcome.
> - 2011 Noam Chomsky
>
> http://heretothereideas.blogspot.com/
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>


-- 
James P. Kinney III

As long as the general population is passive, apathetic, diverted to
consumerism or hatred of the vulnerable, then the powerful can do as they
please, and those who survive will be left to contemplate the outcome.
- 2011 Noam Chomsky

http://heretothereideas.blogspot.com/
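The AVC records pasted above are easier to read once parsed, and parsing them surfaces two things a defender would check first: every denial comes from the same source domain (abrt_helper_t) no matter which program (firefox, taskldr, remmina) was running, and the SYSCALL record that shares serial 52544 with the firefox denials reports success=yes, which is what permissive mode (or a permissive domain) looks like in the audit log. This is an added example, not code from the thread or from the audit userspace project; the sample records are the thread's own AVC/SYSCALL lines re-joined onto one line per record as auditd writes them, and the function names are my own.

```python
"""Parse Linux audit AVC/SYSCALL records and summarise SELinux denials.

Added example for the thread above (not the thread's or auditd's code).
"""
import re
from collections import defaultdict

# Constructed sample: AVC/SYSCALL records quoted in the message, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1327510110.578:52544): avc:  denied  { remove_name } for  pid=14074 comm="firefox" name="sessionstore-2.js" dev=dm-0 ino=21891097 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=dir
type=AVC msg=audit(1327510110.578:52544): avc:  denied  { rename } for  pid=14074 comm="firefox" name="sessionstore-2.js" dev=dm-0 ino=21891097 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file
type=AVC msg=audit(1327510110.578:52544): avc:  denied  { unlink } for  pid=14074 comm="firefox" name="sessionstore.js" dev=dm-0 ino=21889847 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file
type=SYSCALL msg=audit(1327510110.578:52544): arch=c000003e syscall=82 success=yes exit=0 a0=7f13fb6c5a18 a1=7f13f9d3dce8 a2=0 a3=7f14289880c0 items=0 ppid=1 pid=14074 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=(none) ses=1 comm="firefox" exe="/usr/lib64/firefox-3.6/firefox" subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1327510157.697:52545): avc:  denied  { open } for  pid=10995 comm="taskldr" name="help.dir" dev=dm-0 ino=21889305 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327510440.709:52552): avc:  denied  { write } for  pid=16300 comm="remmina" name=".remmina" dev=dm-0 ino=22151728 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1327510440.709:52552): avc:  denied  { create } for  pid=16300 comm="remmina" name="1327509439248.remmina.P2G28V" scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """'user:role:type:range' -> 4-tuple. maxsplit=3 keeps the ':' inside
    an MLS range such as s0-s0:c0.c1023 attached to the range field."""
    parts = ctx.split(':', 3)
    while len(parts) < 4:
        parts.append('')
    return tuple(parts)


def parse_record(line):
    """One audit record -> dict of its fields, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {'type': rtype, 'time': float(ts), 'serial': int(serial)}
    if rtype == 'AVC':
        a = AVC_RE.search(body)
        if not a:
            return None
        rec['decision'] = a.group(1)
        rec['perms'] = a.group(2).split()   # e.g. ['remove_name']
        body = a.group(3)                   # the key=value tail after "for"
    for key, val in KV_RE.findall(body):
        rec[key] = val.strip('"')
    return rec


def parse_audit(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def denials_by_tuple(records):
    """Group denied permissions by (source type, target type, class): the
    granularity at which a policy rule or a relabel decision is made."""
    out = defaultdict(set)
    for r in records:
        if r['type'] == 'AVC' and r.get('decision') == 'denied':
            stype = split_context(r['scontext'])[2]
            ttype = split_context(r['tcontext'])[2]
            out[(stype, ttype, r['tclass'])].update(r['perms'])
    return dict(out)


def domains_by_comm(records):
    """Which source domain(s) each program name was running in when denied.
    Unrelated programs sharing one domain is the first thing to look at."""
    out = defaultdict(set)
    for r in records:
        if r['type'] == 'AVC':
            out[r['comm']].add(split_context(r['scontext'])[2])
    return dict(out)


def denied_but_succeeded(records):
    """Serials where an AVC denial is paired with a SYSCALL success=yes: the
    kernel logged the denial but let the call through (permissive)."""
    denied = {r['serial'] for r in records
              if r['type'] == 'AVC' and r.get('decision') == 'denied'}
    return sorted(r['serial'] for r in records
                  if r['type'] == 'SYSCALL' and r['serial'] in denied
                  and r.get('success') == 'yes')


if __name__ == '__main__':
    recs = parse_audit(SAMPLE_AUDIT)
    for (stype, ttype, tclass), perms in sorted(denials_by_tuple(recs).items()):
        print('%-15s -> %-16s %-4s %s' % (stype, ttype, tclass, ' '.join(sorted(perms))))
    print('domains by program:', domains_by_comm(recs))
    print('denied but syscall succeeded (permissive):', denied_but_succeeded(recs))
```

On an enforcing system the denial and its SYSCALL record would carry success=no, so the pairing in `denied_but_succeeded` is a cheap way to confirm from the log alone whether a box (or a single domain marked permissive) is actually blocking anything.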
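The "read down / write up" rule and the MCS categories described in the quoted message can be made concrete with a small model of SELinux MLS level strings, the same `s0-s0:c0.c1023` syntax visible in the audit records above. This is an added example and not SELinux code: `parse_level`, `parse_range`, `dominates`, `can_read`, `can_write` and `level_in_range` are my own names, and the clearance range and object levels in the demo are constructed.

```python
"""Bell-LaPadula style checks over SELinux MLS/MCS level strings.

Added example for the thread above; a conceptual model, not SELinux code.
Level syntax modelled: 's0', 's1:c0,c1', 's0:c0.c1023', range 'low-high'.
"""
import re

CAT_RE = re.compile(r'^c(\d+)(?:\.c(\d+))?$')   # single category or range


def parse_level(level):
    """'s1:c0,c2.c4' -> (1, frozenset({0, 2, 3, 4}))."""
    sens_part, _, cat_part = level.partition(':')
    if not re.fullmatch(r's\d+', sens_part):
        raise ValueError('bad sensitivity in %r' % level)
    cats = set()
    for item in filter(None, cat_part.split(',')):
        m = CAT_RE.match(item)
        if not m:
            raise ValueError('bad category %r in %r' % (item, level))
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        cats.update(range(lo, hi + 1))
    return int(sens_part[1:]), frozenset(cats)


def dominates(a, b):
    """a dominates b iff a's sensitivity >= b's and a's categories are a
    superset of b's (frozenset >= is the superset test)."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_range(rng):
    """'s0-s2:c0.c3' -> (low, high). A bare level is its own low and high."""
    low, _, high = rng.partition('-')
    low_l = parse_level(low)
    high_l = parse_level(high) if high else low_l
    if not dominates(high_l, low_l):
        raise ValueError('high must dominate low in %r' % rng)
    return low_l, high_l


def can_read(subject, obj):
    """Read down: the subject's level must dominate the object's."""
    return dominates(subject, obj)


def can_write(subject, obj):
    """Write up (no write down): the object's level must dominate the subject's."""
    return dominates(obj, subject)


def level_in_range(level, clearance):
    """A login at `level` is only valid inside the user's clearance range,
    which is the hook for "each level transition requires a login"."""
    low, high = clearance
    return dominates(level, low) and dominates(high, level)


def demo():
    """Constructed scenario: Fred cleared for s0-s2:c0.c3, logged in on one
    project at s1:c0,c1. Returns {object level: (read?, write?)}."""
    clearance = parse_range('s0-s2:c0.c3')
    session = parse_level('s1:c0,c1')
    assert level_in_range(session, clearance)
    results = {}
    for obj in ('s0:c0', 's1:c0,c1', 's2:c0.c3', 's1:c2'):
        lvl = parse_level(obj)
        results[obj] = (can_read(session, lvl), can_write(session, lvl))
    return results


if __name__ == '__main__':
    for obj, (r, w) in demo().items():
        print('%-10s read=%-5s write=%s' % (obj, r, w))
```

The `s1:c2` row is the MCS point of the message: a level that is neither dominated by nor dominates the session (a different compartment) is unreadable and unwritable in both directions, regardless of sensitivity. Two caveats for anyone mapping this onto a real box: the type-enforcement check must also pass independently of the MLS check, and the stock SELinux MLS policy's mlsconstrain rules are stricter than plain Bell-LaPadula for files (write requires equal levels unless the domain carries one of the mlsfilewrite override attributes), so treat this as the concept rather than the exact policy.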