لطفا منتظر باشید ...
9.6 Adding Permissions
At this
point in the development of SELinux, it's common for
policies to contain small bugs that cause operations to fail when
applications or programs are used in unusual ways unanticipated by
policy developers. As an SELinux administrator, one of the most
frequent SELinux policy customizations you're likely
to perform is adding permissions to coax the security engine into
accepting an operation. Let's consider an actual
situation based on Fedora Core 2's SELinux
implementation and see how it's resolved. The
procedure we'll follow isn't the
only procedure or best procedure. Creating new policies typically
entails a generous dollop of troubleshooting, which tends to be
relatively unstructured. So rather than see our procedure as the
universal norm, you should see it as merely an illustrative example.Though unfamiliar to many, the Nmap program is a popular tool among those
concerned with security that provides many useful functions. For
instance, using Nmap, you can determine the ports on which a network
host is listening and what service is running on each open port.Suppose you install and run Nmap and obtain the following error
message:
#nmap -sT 127.0.0.1It seems that Nmap is unable to read the nmap-services file.
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 17:23 UTC
Unable to find nmap-services! Resorting to /etc/services
Checking the system log, you find that SELinux recently logged eight
denial messages:
avc: denied { read } for pid=8682 exe=/usr/bin/nmap name=urandom dev=dm-0
ino=306563 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:urandom_
device_t tclass=chr_file
avc: denied { read } for pid=8682 exe=/usr/bin/nmap name=random dev=dm-0
ino=301298 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:random_
device_t tclass=chr_file
avc: denied { read } for pid=8682 exe=/usr/bin/nmap name=urandom dev=dm-0
ino=306563 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:urandom_
device_t tclass=chr_file
avc: denied { read } for pid=8682 exe=/usr/bin/nmap name=random dev=dm-0
ino=301298 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:random_
device_t tclass=chr_file
avc: denied { read } for pid=8682 exe=/usr/bin/nmap name=localtime dev=dm-0
ino=32810 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:locale_t
tclass=file
avc: denied { search } for pid=8682 exe=/usr/bin/nmap name=root dev=dm-0
ino=262145 scontext=root:sysadm_r:traceroute_t tcontext=root:object_r:staff_home_dir_
t tclass=dir
avc: denied { read } for pid=8682 exe=/usr/bin/nmap name=nmap-services dev=dm-4
ino=231156 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:usr_t
tclass=file
avc: denied { search } for pid=8682 exe=/usr/bin/nmap name=policy dev=dm-0
ino=49161 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:policy_src_t
tclass=dirNotice that Nmap runs in the domaintraceroute_t
; we'll use that
information later. For now, focus on the seventh message, which is
next to last. This message shows that the security engine denied read
access to the nmap-services file. However, the
message gives only the base filename, not the full path. You can find
the location of the file by using the locate
command:
#locate nmap-servicesNext, double check the security context of the file:
/usr/share/nmap/nmap-services
#ls -Z /usr/share/nmapThe security context, system_u:object_r:usr_t
-rw-r--r-- root root system_u:object_r:usr_t nmap-os-fingerprints
-rw-r--r-- root root system_u:object_r:usr_t nmap-protocols
-rw-r--r--+ root root system_u:object_r:usr_t nmap-rpc
-rw-r--r-- root root system_u:object_r:usr_t nmap-service-probes
-rw-r--r-- root root system_u:object_r:usr_t nmap-services
,
agrees with that shown in the log message. Apparently, the
traceroute_t
domain does not have permission to
read files in the security context
system_u:object_r:usr_t
, including the
nmap-services file.Now that we understand the problem, let's fix it. We
could give the traceroute_t
domain read access to
the system_u:object_r:usr_t
security context by
adding the following declaration to the SELinux policy:
allow traceroute_t usr_t:file { read };However, adding this declaration would enable access to files otherthan nmap-services and might compromise system
security. We need a more focused fix.Let's examine the FC file for the
traceroute_t
domain, file_contexts/program/traceroute.fc:
#tracerouteNotice that the only security context referenced in the FC file is
/bin/traceroute.* -- system_u:object_r:traceroute_exec_t
/usr/(s)?bin/traceroute.* -- system_u:object_r:traceroute_exec_t
/usr/bin/lft -- system_u:object_r:traceroute_exec_t
/usr/bin/nmap -- system_u:object_r:traceroute_exec_t
system_u:object_r:traceroute_exec_t
. This context
is used to label the Nmap executable and other executable files. So,
it doesn't seem to be an appropriate security
context for the nmap-services file. However, it
does seem appropriate to label the file with a security context based
on the domain type traceroute_t
.
Let's add the following line to the FC file:
/usr/share/nmap.* system_u:object_r:traceroute_tThis line should cause the /usr/share/nmap
directory and the files it contains to be labeled with the security
context system_u:object_r:traceroute_t
. To
relabel the directory, issue the
commands:
#make loadNext, double check the result of the relabeling, which turned out
#setfiles file_contexts/file_contexts /usr/share/nmap
okay:
#ls -Z /usr/share/nmapNow, retry the command:
-rw-r--r-- root root system_u:object_r:traceroute_t nmap-os-fingerprints
-rw-r--r-- root root system_u:object_r:traceroute_t nmap-protocols
-rw-r--r--+ root root system_u:object_r:traceroute_t nmap-rpc
-rw-r--r-- root root system_u:object_r:traceroute_t nmap-service-probes
-rw-r--r-- root root system_u:object_r:traceroute_t nmap-services
#nmap -sT 127.0.0.1Again, the command fails. Checking the log, we find a relevant AVC
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 17:46 UTC
Unable to find nmap-services! Resorting to /etc/services
message:
avc: denied { search } for pid=8753 exe=/usr/bin/nmap name=nmap dev=dm-4 ino=100533
scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:traceroute_t tclass=dirWe've made progress, but we haven'tyet resolved the problem. Now, we've run afoul of
the traceroute_t
domain, lacking permission to
search the /usr/share/nmap directory. Often
it's convenient to avoid this sort of step-by-step
discovery of successive problems by running the system in permissive
mode. But since the system is attached to the Internet, we prefer to
continue running in enforcing mode. We could temporarily take the
system offline, but that could be inconvenient for some users. So we
choose to continue as we've begun.Let's authorize the traceroute_t
domain to search traceroute_t
directories. To do
so, add the following line to the
domains/program/traceroute.te file:
allow traceroute_t traceroute_t:dir { search };After adding the line, load the revised policy and retry Nmap, whichagain fails:
#make loadThis time, the log shows that Nmap was again prohibited from reading
#nmap -sT 127.0.0.1
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 17:46 UTC
Unable to find nmap-services! Resorting to /etc/services
the
nmap-services file but that the file is
correctly labeled with the new security context:
avc: denied { read } for pid=8822 exe=/usr/bin/nmap name=nmap-services dev=dm-4 ino=231156 scontext=root:sysadm_r:traceroute_t tcontext=system_u:object_r:traceroute_t tclass=fileApparently, the traceroute_tdomain
isn't authorized to read
traceroute_t
files. So we must add another line to
traceroute.te, one authorizing the
traceroute_t
domain to read its own files:
allow traceroute_t traceroute_t:file { read };Again, load the new policy and retry Nmap. This time, Nmap works asit should:
#nmap -sT 127.0.0.1This case study is typical of what you may encounter when running
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-01 18:02 UTC
Interesting ports on bill-a31 (127.0.0.1):
(The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
Nmap run completed -- 1 IP address (1 host up) scanned in 0.467 seconds
programs with SELinux policies that are less than complete and error free.
