Planet SELinux

interface rtkit_daemon_system_domain · Fedora table at the FOSS expo area.

allow rtkit_daemon_t initrc_t:process setsched;   

# yum install netlabel_tools

# semanage interface -a -t foo_netif_t eth2

# semanage interface -l
SELinux Interface              Context
eth2                           system_u:object_r:foo_netif_t:s0

# netlabelctl unlbl add interface:eth2 address:0.0.0.0/0 label:system_u:object_r:foo_peer_t:s0
# netlabelctl unlbl add interface:eth2 address:::/0 label:system_u:object_r:foo_peer_t:s0

# netlabelctl -p unlbl list
Accept unlabeled packets : on
Configured NetLabel address mappings (2)
 interface: eth2
   address: 0.0.0.0/0
    label: "system_u:object_r:foo_peer_t:s0"
   address: ::/0
    label: "system_u:object_r:foo_peer_t:s0"

CVE-2009-3940

CVE-2009-3692 for popen()
CVE-2009-3704 for strncpy().

# default: off
# description: The git dæmon allows git repositories to be exported using \
#       the git:// protocol.

service git
{
        disable         = no
        socket_type     = stream
        type            = UNLISTED
        port            = 9418
        wait            = no
        user            = nobody
#        server          = /usr/bin/git
#        server_args     = daemon --base-path=/srv/git --export-all
--user-path=public_git --syslog --inetd --verbose
        server          = /usr/libexec/git-core/git-daemon
        server_args     = --base-path=/srv/git --export-all
--user-path=public_git --syslog --inetd --verbose
        log_on_failure  += USERID
# xinetd doesn't do this by default. bug #195265
        flags           = IPv6
}
[/code]

Basically the selinux policy has 3 parts. one part is for the gitd system inetd server. the second part is for running gitd as a unprivileged user, and the third part is policy for the system wide git-shell environment.
So we secure the system wide gitd process, gitd process that users run and the git-shell process that is used to push pull to shared repositories.

When you compile git-daemon, configured it like above and install the selinux module, restore the contexts of the paths in gitd.fc. then start xinetd: youll notice that inetd_t is not allowed to bind to gitd_port_t.
You can simply use audit2allow with the -M option to allow inetd_t to bind to gitd_port on behalf of gitd_system_t

I use DAC to give usergroups access to the particular repositories and i use git ACL to restrict access to branches, tags etc.

I used this great web site do implement this:

http://www.kernel.org/pub/software/scm/git/docs/everyday.html

I wrote two simple scripts:

1. to add new users
2. to add new repostiries

create_repository:

crepo.sh:
[code]
#!/bin/bash

# crepo.sh 

groupadd $1 || exit 1;
usermod -a -G $1 badabing || exit 1;

mkdir /srv/git/$1.git || exit 1;
chmod -R +t /srv/git/$1.git || exit 1;
cd /srv/git/$1.git && git --bare init || exit 1;

cp /home/dgrift/create_repository/update /srv/git/$1.git/hooks/ || exit 1;
cp /home/dgrift/create_repository/allowed-users /srv/git/$1.git/info/ || exit 1;

chown -R nobody:$1 /srv/git/$1.git || exit 1;

chmod -R g+s /srv/git/$1.git/branches || exit 1;
chmod -R g+s /srv/git/$1.git/hooks || exit 1;
chmod -R g+s /srv/git/$1.git/info || exit 1;
chmod -R g+s /srv/git/$1.git/objects || exit 1;
chmod -R g+s /srv/git/$1.git/refs || exit 1;
chmod -R g+w /srv/git/$1.git || exit 1;

exit 0;

#EOF
[/code]

This script installs the git ACL files update and allowed-users:

update:
[code]
http://www.kernel.org/pub/software/scm/git/docs/howto/update-hook-example.txt
[/code]

allowed-users:
[code]
refs/heads/master       badabing
+refs/heads/pu          badabing
refs/heads/bw/.*        badabing
refs/heads/tmp/.*       .*
refs/tags/v[0-9].*      badabing
[/code]

I also created a script to do part of what is required to add new users (i havent tested this script yet:

[code]
#!/bin/bash

# agits.sh  

useradd -Z gits_u -s /usr/bin/git-shell $1 || exit 1;
usermod -a -G sshusers,$2 $1 || exit 1;

echo "Do not forget to set a password!"
echo "Manually add entries for $1 in /etc/security/namespace.conf!"
echo "You may need to edit /srv/git/$2.git/info/allowed-users!"

# TODO: usrquota

exit 0;
[/code]

By the way xinetd and selinux dont play nice so you may need to edit the xinetd init script:

[code]
https://bugzilla.redhat.com/show_bug.cgi?id=529681
[/code]

So that is basically it.
The SELinux policy for the git system service should work by default. Additionally there are some booleans to to toggle for example to allow the git system service to also host personal repositories in ~/public_git, allow git to use any unreserved port for mass git repostory hosting. enable disable transition to git_session_t which is the user daemon.
For this to work you must also enable git policy for users by creating a module:

for example if you want unconfined users to transition to git domain if they run git daemon ...>

myunconfined.te:
[code]
policy_module(myunconfined, 0.0.1)
optional_policy(`
gen_require(`
 type unconfined_t;
')

git_session_role(unconfined_r, unconfined_t)
[/code]

build and install that:

make -f /usr/share/selinux/devel/Makefile
sudo semodule -i myunconfined.pp

That should work and make unconfined_t users transition to git_session_t when they run git daemon ...>

For me this setup works, but i have not thoroughly tested the git_session_t domain yet.

Would be nice to get some feedback so that i can improve this.

The git selinux policy is malformed above use the command below to pull the current gitd policy from my git repository

git clone git://82.197.205.60/selinux-modules.git

http://git.kernel.org/linus/9c0d90103c7e0eb6e638e5b649e9f6d8d9c1b4b3
http://git.kernel.org/linus/8cf948e744e0218af604c32edecde10006dc8e9e
http://git.kernel.org/linus/788084aba2ab7348257597496befcbccabdc98a3
http://git.kernel.org/linus/1d9959734a1949ea4f2427bd2d8b21ede6b2441c
This year's event will be divided into two main sessions.

The first will be for traditional conference presentations which
were accepted via the CfP:

  * Labeled NFS Community Involvement - Dave Quigley (NSA)
  * Update on Flask/TE Support for X - Eamon Walsh (NSA)
  * Work on a Higher-Level Policy Language - James Carter (NSA)
  * Video Streaming in Policy Confined Environments - Philip Tricca (USAF)
  * A New Policy Infrastructure for SELinux Joshua Brindle (Tresys)
  * Policy Distribution Joshua Brindle (Tresys)
  * Refpolicy and Userspace Joshua Brindle (Tresys)
  * Analysis of Flask Policies in VM Systems Trent Jaeger (PSU) 

Aside from Josh's talks (which are combined into one 60-minute slot),
these are 30-minute slots.  For speakers, the recommended format is
20-minutes of presenting and 10-minutes of Q&A.

The second main session, after lunch, is intended to be fully
collaborative in that everyone in attendance may (and should) participate.
This is divided into three sections:

  * Lightning talks, 5 minutes each.  Any attendee may propose a lightning
    talk via the wiki or on the day.

  * Development sessions.  This is a flexible format where developers can
    work in small self-organized groups on specific tasks, taking
    advantage of the fact that we're all in the same place for the day.
    We'll discuss this further on the event mailing list -- it's important
    to identify tasks, teams and goals beforehand, and also to make sure
    everyone is set up to get straight to work on the day.

  * General project discussion.  We'll spend about an hour discussing
    project and development issues.  Candidate agenda items should
    first be posted to the event mailing list, and the agenda will be
    finalized immediately prior to the event.

For attendees who are yet to do so, ensure you are registered for
LinuxCon, which is co-hosting the event for us:

http://events.linuxfoundation.org/events/linuxcon

LinuxCon registration is a requirement for attending the SELinux Developer
Summit.  The current discounted registration rate ends on August 15th.
From Eugene Teo (Security Response Team)  2009-07-17 07:23:57 EDT

The Red Hat Security Response Team is aware of the Linux kernel local privilege
escalation exploit that is published in a number of security mailing lists and
websites. The flaw identified by CVE-2009-1897 is a null pointer dereference
vulnerability in the tun_chr_poll() function of the Linux kernel, introduced
via the upstream git commit 33dccbb0. This flaw affects kernel versions between
2.6.30-rc1 and 2.6.30-rc3 2.6.31-rc3 , and was addressed via the upstream
git commit 3c8a9c63.

The flaw affects only the Red Hat Enterprise Linux 5.4 beta kernel as the
upstream git commit 33dccbb0 was backported to the kernel as a normal bug fix.
We will be addressing this flaw in a future update to the beta kernel. It is
also possible to mitigate this flaw by ensuring that the permissions for
/dev/net/tun is restricted to root only.

The default SELinux policy, in Red Hat Enterprise Linux 5, allows processes in
the unconfined domains to map low memory in the kernel. The exploit did not
bypass the null pointer dereference protection in the Linux kernel. However, we
are updating the selinux-policy package to change this default configuration,
so that it prevents the unconfined processes from being able to map the low
memory. See bug 511143 for more information.

This issue does not affect any other released kernel in any Red Hat product.

In addition, future updates to Red Hat Enterprise Linux kernels may include the
'-fno-delete-null-pointer-checks' gcc CFLAGS. See:
http://git.kernel.org/linus/a3ca86aea507904148870946d599e07a340b39bf

We would like to thank Brad Spengler for bringing these issues to our
attention.
/dev/net/tun

bootloader_t	devicekit_power_t	ldconfig_t	unconfined_cronjob_t	unconfined_sendmail_t
setfiles_mac_t	initrc_t	ada_t	fsadm_t	kudzu_t
lvm_t	mdadm_t	mono_t	rpm_t	wine_t
unconfined_mount_t	prelink_t	anaconda_t	rpm_script_t	system_cronjob_t
tmpreaper_t	samba_unconfined_net_t	unconfined_notrans_t	unconfined_execmem_t	devicekit_disk_t
firstboot_t	samba_unconfined_script_t	unconfined_java_t	unconfined_mono_t	httpd_unconfined_script_t
depmod_t	insmod_t	kernel_t	livecd_t	apmd_t
clvmd_t	crond_t	inetd_t	init_t	udev_t	virtd_t
xend_t	nagios_unconfined_plugin_t	devicekit_t	remote_login_t	inetd_child_t
qemu_unconfined_t	unconfined_t	ricci_modcluster_t	useradd_t	xserver_t

unconfined_sendmail_t	rpm_t	unconfined_mount_t	anaconda_t	rpm_script_t
unconfined_notrans_t	unconfined_execmem_t	firstboot_t	unconfined_java_t	unconfined_mono_t
kernel_t	livecd_t	qemu_unconfined_t	unconfined_t

gitd_session_t	smoltclient_t	kdumpgui_t	sandbox_xserver_t	prelink_cron_system_t
abrt_helper_t	firewallgui_t	corosync_t	asterisk_t	dnsmasq_t
plymouth_t	chrome_sandbox_t	nut_upsd_t	plymouthd_t	ksmtuned_t
nagios_checkdisk_plugin_t	nagios_services_plugin_t	abrt_t	clogd_t	gitd_t
kdump_t	tgtd_t	tuned_t	nagios_system_plugin_t	nut_upsmon_t
rgmanager_t	certmonger_t	sectoolm_t	chronyd_t	nut_upsdrvctl_t
vhostmd_t

Name	Virtual Machine Process label	Virtual Machine Image Label
Virtual Machine 1	system_u:system_r:svirt_t:s0:c0,c10	system_u:object_r:svirt_image_t:s0:c0,c10
Virtual Machine 2	system_u:system_r:svirt_t:s0:c101,c230	system_u:object_r:svirt_image_t:s0:c101,c230

Name	SELinux Context	Description
Virtual Machine Processes	system_u:system_r:svirt_t:MCS1	MCS1 is a randomly selected MCS field. Currently we support ~500,000 labels.
Virtual Machine Image	system_u:object_r:svirt_image_t:MCS1	Only svirt_t processes with the same MCS fields are able to read/write these image files and devices.
Virtual Machine Shared Read/Write content	system_u:object_r:svirt_image_t:s0	All svirt_t processes are allowed to write to the svirt_image_t:s0 files and devices.
Virtual Machine Shared Shared Read Only content	system_u:object_r:svirt_content_t:s0	All svirt_t processes are able to read files/devices with this label.
Virtual Machine images	system_u:object_r:virt_content_t:s0	When a virtual machine exits, its image file is relabeled to the system default, which usually is virt_content_t:s0, No svirt_t virtual processes are allowed to read files/devices with this label.

Planet SELinux

Russell Coker (security): Designing a Secure Linux System

The Threat

The BIOS and the Bootloader

How to run User Space

Maintaining the Virtual Machine Image

Would this be Accepted?

Russell Coker (security): Opera and Trusting Applications vs Trusting Servers

The Opera-Mini Dispute

Causes of Software Security Problems

Should We Trust a Proprietary Application or an Internet Server?

The Scope of the Problem

Thomas Biege (Security): New RESTful Fuzzer and RoR Code-Scanner on Gitorious

KaiGai Kohei: バンクーバレポート

KaiGai Kohei: バンクーバレポート（その９／帰国編）

KaiGai Kohei: バンクーバレポート（その８／対デンマーク戦編）

KaiGai Kohei: バンクーバレポート（その０／出発編）

KaiGai Kohei: バンクーバレポート（その７／対スウェーデン戦編）

KaiGai Kohei: バンクーバレポート（その６／Vancouver Curling Club編）

KaiGai Kohei: バンクーバレポート（その５／対スイス戦編）

KaiGai Kohei: その４（対ドイツ編）

KaiGai Kohei: バンクーバレポート（その３／市内観光編）

KaiGai Kohei: バンクーバレポート（その２／対ロシア戦）

KaiGai Kohei: バンクーバレポート（その１／男子カーリング編）

Dan Walsh: audit2allow ? Why not audit2dontaudit?

Thomas Biege (Security): The harder you fight the weaker you are.

Dominick Grift: About apache_content_template

Shintaro Fujiwara: segatex-7.791 released !!

Dan Walsh: Another blog on writing SELinux Policy - Icecast

Jeronimo Zucco (selinux): Vídeo da apresentação sobre SELinux no FISL 10

Paul Moore: Enabling the Network Ingress/Egress Controls

Paul Moore: LinuxCon NetLabel Presentation

Dan Walsh: Why doen't SELinux give me the full path in an error message?

Andrey Markelov (SELinux): AppArmor от Novell больше "не от Novell"?

Dan Walsh: If only there was a tool that could sandbox the reading of random pdf files...

Spear-Phishing Attacks Out Of China Targeted Source Code, Intellectual Property

Dominick Grift: Test Git daemon policy.

Dan Walsh: I am now syndicated on the FedoraProject security planet.

Dan Walsh: More on guestfish and SELinux

Dan Walsh: SELinux and guestfish

Dan Walsh: Confined processes statistics in Fedora 12?

Thomas Biege (Security): ODF Fuzzer

Dan Walsh: Whats new with Sandbox in Fedora 12?

Thomas Biege (Security): Command-Line Tool Fuzzer Beta 2

Russell Coker (security): Play Machine Online Again

James Morris: FOSS.IN/2009 – great conference, or greatest conference?

KaiGai Kohei: データベース管理者ロールを考える

Thomas Biege (Security): Windows Mobile Phones keep Data after cleaning the Storage

Russell Coker (security): Play Machine Offline for 2 Weeks

KaiGai Kohei: [OSS/Linux] PostgreSQL Conference 2009 Japan

Thomas Biege (Security): VirtualBox OSE: Guest can trigger Denial-of-Service at Host System

Thomas Biege (Security): X-MAS Wish List for the SuSE Security-Team

Thomas Biege (Security): Common Vulnerability Scoring System, CVSS

Russell Coker (security): Debian SSH and SE Linux

Thomas Biege (Security): HDD encryption vs. secure deleting

Thomas Biege (Security): Command-Line Tool Fuzzer

Jeronimo Zucco (selinux): Secure Virtualization with SELinux - sVirt

Russell Coker (security): New Play Machine

Joshua Brindle: The SELinux Documentation Project

Joshua Brindle: SELinux and RPM

James Morris: SELinux Sandbox slides available, et cetera

Thomas Biege (Security): Local root via VBoxNetAdpCtl

Dominick Grift: Git daemon, SELinux and Fedora 12 Beta.

Jeronimo Zucco (selinux): Vídeos sobre SELinux da Linux Plumbers Conference 2009

James Morris: Videos from the LPC security track

Dan Walsh: chomium-sandbox Policy.

Dominick Grift: My view on domains, domain types, roles, domain transitions and more.

Dan Walsh: Writing SELinux policy just got easier.

Dan Walsh: Who says the NSA does not have a sense of humor?

Dan Walsh: sandbox -X internals.

James Morris: Portland Roundup

Dan Walsh: sVirt presentation at the Red Hat Summit

Dan Walsh: How do I use sandbox -X

Dominick Grift: AVC Denials: Example

Dominick Grift: A perspective on SELinux

Dan Walsh: Cool things with SELinux... Introducing sandbox -X

Dan Walsh: SELinux four things

Dominick Grift: Some SELinux experiences that i want to share with you:

Russell Coker (security): Ownership of Laptops for Work

Paul Moore: NetLabel Presentation and Tutorial at LinuxCon