Thursday, April 19, 2007
Security Enhanced Linux Troubleshooter for Fedora 6 / RHEL 5
While this is a great benefit to the developers it is not necessarily a great benefit to usability. Since applications do not understand what SELinux is doing, they can not report that SELinux is preventing them from doing something. As an example if you are running an Apache Web Server and SELinux denies access to a file, the apache web server reports permission denied. Users of Unix and other operating systems have gained experience through the years, understand that permission denied means that there is a problem with either the files ownership or file permissions (DAC). But when they go look at the file they see that apache has ownership and can read it. This leads them to scratching their heads. They go back to the log file and all it says is permission denied.
Some may suspect that SELinux is the problem, but how do they tell? If they figure that SELinux is causing the denial, how do they fix it? Could this be a security violation attempt? Could this be a configuration problem? Is the file mislabeled?
We have created a new tool in FC6 and RHEL5 called the SELinux Troubleshooter (setroubleshoot). This tool watches the audit log files for AVC messages. When an AVC message arrives, the tool runs through the SELinux plugins database looking for a match and then sends a message to the user with a description and a suggested fix.
As an example, say you create a file index.html in your home directory and mv it to the /var/www/html directory. If you try to access this file via a web browser you will get an AVC message that looks like:
type=AVC msg=audit(1155056960.933:208967): avc: denied { getattr } for pid=12321 comm="httpd" name="index.html" dev=dm-0 ino=6260297 scontext=user_u:system_r:httpd_t:s0-s0:c1,c2 tcontext=system_u:object_r:user_home_t:s0 tclass=file
Obviously this tells you that the Apache web server is not allowed to look at files labeled with the user's home directory label. :^)
With setroubleshoot you receive a message like the following:
[Image: setroubleshoot alert message]
You can also configure the setroubleshoot daemon to send mail when it receives an AVC, so you will get the alerts even on servers or when you are not logged in.
There are currently 56 plugins, which map to all of the booleans along with several known situations that come up. There is also a catchall plugin (disable_trans) which looks for AVCs with no match and suggests either writing a loadable policy module or disabling the transition (disable_trans).
You can read more about this tool at http://fedoraproject.org/wiki/SELinux/setroubleshoot
The plugin code to generate the above message is fairly simple and looks like this:
from setroubleshoot.util import *
from setroubleshoot.Plugin import Plugin
from rhpl.translate import _
import re

class plugin(Plugin):
    # Shown in the alert; $TARGET_PATH is substituted from the AVC record.
    summary = _('''
    SELinux is preventing the http daemon from using potentially mislabeled files ($TARGET_PATH).
    ''')
    problem_description = _('''
    SELinux has denied the http daemon access to potentially
    mislabeled files ($TARGET_PATH). This means that SELinux will not
    allow http to use these files. It is common for users to edit
    files in their home directory or tmp directories and then move
    (mv) them to the httpd directory tree. The problem is that they
    end up with a file context which http is not allowed to access.
    ''')
    fix_description = _('''
    If you want the http daemon to access these files, you need to
    relabel them using restorecon if they are under the standard
    httpd directory tree, or use chcon -t httpd_sys_content_t. You can
    look at the httpd_selinux man page for additional information.
    ''')

    def __init__(self):
        Plugin.__init__(self, __name__)

    # Match when an httpd domain is denied access to a file that still
    # carries a home-directory or tmp label (the space-separated lists are
    # the SELinux types to test the AVC's source and target against).
    def analyze(self):
        if self.avc.sourceTypeMatch("httpd_t httpd_sys_script_t httpd_user_script_t httpd_staff_script_t") and \
           self.avc.targetTypeMatch("user_home_t staff_home_t user_tmp_t staff_tmp_t tmp_t"):
            return True
        return False
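To show how the two halves of the post fit together, here is an added, self-contained example (not code from the post or from the setroubleshoot project): it parses the AVC record quoted above into its source and target types, then runs a plugin chain with the same sourceTypeMatch/targetTypeMatch contract as the plugin shown, plus a catchall. The Plugin base class, the diagnose() loop, the $TARGET_PATH substitution via string.Template and the second AVC line are all assumptions made for this example; the real daemon's internals are not on the page.

```python
import re
import string
from dataclasses import dataclass

# Constructed sample: the AVC record quoted in the post (httpd reading a file
# that still carries the home-directory label).
SAMPLE_AVC = ('type=AVC msg=audit(1155056960.933:208967): avc: denied { getattr } for '
              'pid=12321 comm="httpd" name="index.html" dev=dm-0 ino=6260297 '
              'scontext=user_u:system_r:httpd_t:s0-s0:c1,c2 '
              'tcontext=system_u:object_r:user_home_t:s0 tclass=file')

# Constructed second sample: a denial the mislabeled-file rule must NOT claim,
# because the target already has the correct httpd content type.
OTHER_AVC = ('type=AVC msg=audit(1155057000.100:208970): avc: denied { write } for '
             'pid=12321 comm="httpd" name="upload.txt" dev=dm-0 ino=6260300 '
             'scontext=user_u:system_r:httpd_t:s0 '
             'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file')

_PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')   # the { getattr } part
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')               # key=value or key="value"


@dataclass
class AVC:
    """The parts of an AVC denial the plugins look at."""
    permissions: list
    fields: dict

    @property
    def source_type(self):   # third field of scontext, e.g. httpd_t
        return self.fields['scontext'].split(':')[2]

    @property
    def target_type(self):   # third field of tcontext, e.g. user_home_t
        return self.fields['tcontext'].split(':')[2]

    @property
    def target_path(self):   # audit gives only name= here; path= when available
        return self.fields.get('path', self.fields.get('name', '<unknown>'))

    # Same contract as the matchers the plugin above calls: a space-separated
    # list of SELinux types, true if the record's type is one of them.
    def sourceTypeMatch(self, types):
        return self.source_type in types.split()

    def targetTypeMatch(self, types):
        return self.target_type in types.split()


def parse_avc(line):
    """Parse one audit-log line; raise ValueError if it is not an AVC denial."""
    m = _PERMS.search(line)
    if m is None:
        raise ValueError('not an AVC denial record')
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in fields:
            raise ValueError('AVC record lacks %s=' % required)
    return AVC(m.group(1).split(), fields)


class Plugin:
    """Hypothetical stand-in for setroubleshoot.Plugin (assumption): subclasses
    set the texts and implement analyze(); $TARGET_PATH etc. get substituted."""
    summary = problem_description = fix_description = ''

    def __init__(self, name):
        self.name = name
        self.avc = None

    def analyze(self):
        raise NotImplementedError

    def report(self, avc):
        self.avc = avc
        if not self.analyze():
            return None
        subs = {'TARGET_PATH': avc.target_path,
                'SOURCE_TYPE': avc.source_type, 'TARGET_TYPE': avc.target_type}
        return {'plugin': self.name,
                'summary': string.Template(self.summary).safe_substitute(subs),
                'fix': string.Template(self.fix_description).safe_substitute(subs)}


class HttpdMislabeled(Plugin):
    summary = 'SELinux is preventing the http daemon from using potentially mislabeled files ($TARGET_PATH).'
    fix_description = ('Run restorecon on $TARGET_PATH if it is under the httpd directory tree, '
                       'or use chcon -t httpd_sys_content_t $TARGET_PATH.')

    def analyze(self):   # the same rule as the plugin shown above
        return (self.avc.sourceTypeMatch('httpd_t httpd_sys_script_t httpd_user_script_t httpd_staff_script_t')
                and self.avc.targetTypeMatch('user_home_t staff_home_t user_tmp_t staff_tmp_t tmp_t'))


class CatchAll(Plugin):
    """Matches anything; consulted last, like the post's catchall plugin."""
    summary = 'SELinux denied $SOURCE_TYPE access to $TARGET_PATH ($TARGET_TYPE); no specific plugin matched.'
    fix_description = 'Consider writing a loadable policy module for this access.'

    def analyze(self):
        return True


PLUGINS = [HttpdMislabeled('httpd_mislabeled'), CatchAll('catchall')]


def diagnose(line, plugins=PLUGINS):
    """Per record, the first plugin whose analyze() returns True wins."""
    avc = parse_avc(line)
    for plugin in plugins:
        result = plugin.report(avc)
        if result is not None:
            return result
    return None


if __name__ == '__main__':
    for line in (SAMPLE_AVC, OTHER_AVC):
        print(diagnose(line))
```

Run it and the first record is claimed by the mislabeled-file rule with index.html filled into the summary and fix, while the second falls through to the catchall; that fall-through is the case where the post says the daemon suggests a loadable policy module. Plugin order matters, which is why the catchall sits last.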
Now, if you are interested in helping with this effort, we could use help with:
* proof reading these plugins. They are in the /usr/share/setroubleshoot/plugins directory.
* If you have ideas about additional plugins, bring them up on the fedora-selinux list. Patches welcome.
* Testing.
This tool is a work in progress.
There are some gotchas in this tool and it has been known to go into an infinite loop. Usually when it reports bugs about itself.
Via DanWalsh
Friday, April 13, 2007
Apple WiFi iPod plans
A report claims WiFi-enabled iPods will ship later this year
Jonny Evans
Apple's iPod has attracted its latest rumour – that a WiFi-enabled iPod will ship in the second half of 2007.
A report on DigiTimes claims Universal Scientific Industrial (USI) and Foxconn have been contracted to manufacture the new devices, with USI delivering the first batch of WiFi modules later this month.
The report claims Foxconn – which will provide the final assembly of the devices – will begin shipping the products in the third quarter.
While other manufacturers are moving to embrace WiFi in their players, it is already known that Apple plans to include wireless technology in its soon-to-ship (in the US) iPhone.
Via - MacWorld
Apple Delays Leopard to October
SuperMog2002 writes: "Apple Insider has the sad news that Mac OS X Leopard has been delayed until October. Apparently software engineers and QA had to be reassigned to the iPhone in order to get it out on time, costing Leopard its release at WWDC. For now the original press release from Apple can be found on the 'Hot News' part of their site, though Apple did not provide a permanent link to the story. 'While Leopard's features will be complete by June, the Cupertino-based company said it cannot deliver the quality release expected by its customers within that time. Apple now plans to show its developers a near final version of Leopard at the conference, give them a beta copy to take home so they can do their final testing, and ship the software in October.'"
(Via Slashdot.)
Back Track v2.0
Darknet spilled these bits on April 13th 2007 @ 6:35 am
BackTrack is the result of the merging of the two innovative penetration testing live Linux distributions, Auditor security collection and Whax. By combining the best features from both distributions and putting in continuous development energy, the most complete and finest security testing live distro was born: BackTrack.
BackTrack v.2.0 is finally released. It's been a long wait, that's for sure, but it does look good, so perhaps it was worth the wait.
You can find some screenshots here.
BackTrack ranked number one in Darknet’s well regarded list 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery).
It’s taken BackTrack almost 5 months to pull themselves out of the beta stage. Many features have been added and many of the persistent bugs have been fixed.
New exciting features in BackTrack 2, to mention a few:
* Updated kernel, running 2.6.20, with several patches.
* Broadcom based wireless card support
* Most wireless drivers are built to support raw packet injection
* Metasploit2 and Metasploit3 framework integration
* Alignment to open standards and frameworks like ISSAF and OSSTMM
* Redesigned menu structure to assist the novice as well as the pro
* Japanese input support: reading and writing in Hiragana / Katakana / Kanji.
As usual, Nessus is not included in BackTrack, as Tenable forbids redistribution.
The public wiki project is available at http://backtrack.offensive-security.com. Please help us by providing entries in HCL (Hardware compatibility list).
You can download BackTrack here
BackTrack 2 Stable release Mar 06 2007
Thursday, April 12, 2007
Reducing spam with OpenBSD and spamd
to reduce SPAM. Article explains how greylisting works & even what greytrapping is.
Quite an interesting read. Configuration details will be available tomorrow [as mentioned on the website], and best of all, it features on linux.com ;-)
To read the whole article go to http://www.linux.com/article.pl?sid=07/03/28/1522252
Tuesday, April 10, 2007
An excellent debate on whether Mac OS is more secure than Windows. The article covers:
1. Kernel Weakness
2. Firewall and Bonjour Problems
3. Wireless Weaknesses
4. Threat-Prevention Techniques Not Used in Mac OS X
5. Other Vulnerabilities
6. More Secure at Install
7. Root Is Disabled
8. Apple and Open Source Response
9. Optional Security
10. Is It a Myth?
11. Further Resources
http://www.informit.com/articles/article.asp?p=712742&rl=1
From InformIT.com
Sunday, April 01, 2007
New IOBSD Launched!!!
IOBSD is not freely available from our FTP sites, and also not available in an inexpensive 3-CD set. If you really want a stable operating system, might we suggest OpenBSD?
The current release is IOBSD 0.1 which was released Feb 31, 2007.
IOBSD is developed by volunteers. The project funds development and releases by selling CDs and T-shirts, as well as donations from organizations and individuals. These finances ensure that IOBSD will continue to exist, and will remain free for everyone to use and reuse as they see fit.
Any hints here??? Like the release date, perhaps?
Happy April Fools day!