CentOS - Mar 2005 - Re: CentOS Digest, Vol 3, Issue 97

On 18 Mar 2005 at 4:31, centos-request@caosity.org wrote:
> Man. You open your system to everyone who cracks apache server.
> Open for reading but that''s enough. OK, there are DAC rules too
but
> that''s too open.
The relevant question is: Is this worse than no SELinux at all?
Should I turn off SELinux until the packages that are essential to
my client''s business are properly configured to work with SELinux
on CentOS?

I have clients presently running mailman on RH 7.3.  Surely moving
them to CentOS4 with SELinux enabled and the configurations as set
above is not worse than leaving things where they are?

Until last week I knew absolutely nothing about SELinux and while
the subject is no doubt fascinating for those that have the time to
delve deeply into it I have not that luxury at present.  I need a
standardized basic mailserver setup with mailman, squirrelmail,
cyrus-imapd and mailscanner all running in an environment no less
secure than that available on RH 7.3.  That is a functional
requirement that must be met.

As far as I can see, the security issues being raised at this
juncture are more theoretical than real as SELinux is not yet, to
my understanding, widely in use.  However, from the tone of these
comments I am beginning to sense that there may be a deeper problem
that I, in my ignorance, fail to appreciate.  IS SELinux LESS
secure than a non-SELinux enabled OS if the policies are not
exactly right?

I have dug around in the contexts files and this is what I have
found:

see /etc/selinux/targeted/contexts/files

files/file_contexts:/var/mailman/bin(/.*)?		system_u:object_r:bin_t

files/file_contexts:/var/mailman/pythonlib(/.*)?/.*\.so(\..*)?	--
system_u:object_r:shlib_t

files/file_contexts:# mailman list server

files/file_contexts:/var/lib/mailman(/.*)?		
system_u:object_r:mailman_data_t

files/file_contexts:/var/log/mailman(/.*)?		
system_u:object_r:mailman_log_t

files/file_contexts:/usr/lib/mailman/cron/.*		--
system_u:object_r:mailman_queue_exec_t

files/file_contexts:/usr/lib/mailman/bin/mailmanctl	--
system_u:object_r:mailman_mail_exec_t

files/file_contexts:/var/run/mailman(/.*)?		
system_u:object_r:mailman_lock_t

files/file_contexts:/var/lib/mailman/archives(/.*)?	
system_u:object_r:mailman_archive_t

files/file_contexts:/usr/lib/mailman/cgi-bin/.*		--
system_u:object_r:mailman_cgi_exec_t

files/file_contexts:/var/lock/mailman(/.*)?		
system_u:object_r:mailman_lock_t

files/file_contexts:/usr/lib/mailman/scripts/mailman	--
system_u:object_r:mailman_mail_exec_t

files/file_contexts:/usr/lib/mailman/bin/qrunner	--
system_u:object_r:mailman_queue_exec_t

files/file_contexts:/etc/mailman(/.*)?			
system_u:object_r:mailman_data_t

files/file_contexts:/var/spool/mailman(/.*)?		
system_u:object_r:mailman_data_t


I infer from the comments that the following local.te entries are
the controversial ones:
> allow mailman_cgi_t file_t:dir write;
> allow mailman_cgi_t file_t:dir add_name;
> allow mailman_cgi_t file_t:dir create;
> allow mailman_cgi_t file_t:file create;
> allow mailman_cgi_t file_t:file { getattr write };
> allow mailman_cgi_t file_t:lnk_file create;
I would think that these should work, but they do not.
> allow mailman_cgi_t mailman_archive_t:dir write;
> allow mailman_cgi_t mailman_archive_t:dir add_name;
> allow mailman_cgi_t mailman_archive_t:dir create;
> allow mailman_cgi_t mailman_archive_t:file create;
> allow mailman_cgi_t mailman_archive_t:file { getattr write };
> allow mailman_cgi_t mailman_archive_t:lnk_file create;
The first error I receive is:

  File "/usr/lib/mailman/Mailman/Archiver/Archiver.py", line 95, in
InitVars
    os.mkdir(self.archive_dir()+''.mbox'', 02775)
OSError: [Errno 13] Permission denied:
''/var/lib/mailman/archives/private/test1.mbox''

audit2allow provides this:

allow mailman_cgi_t file_t:dir write;

Now, do I need to add something regarding mailman_cgi_t and
mailman_archive_t somewhere else in some other file?


Regards,
Jim

---
     *** e-mail is not a secure channel ***
mailto:byrnejb.<token>@harte-lyne.ca
James B. Byrne                Harte & Lyne Limited
vox: +1 905 561 1241          9 Brockley Drive
fax: +1 905 561 0757          Hamilton, Ontario
<token> = hal                 Canada L8E 3C3


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
Postmaster

Harte & Lyne Limited

James B. Byrne wrote:
>The relevant question is: Is this worse than no SELinux at all?
>Should I turn off SELinux until the packages that are essential to
>my client''s business are properly configured to work with SELinux
>on CentOS?
>
>
No, you don''t. Right know you weaken the maximum available security but
that''s much far better than not SELinux at all.
>that I, in my ignorance, fail to appreciate.  IS SELinux LESS
>secure than a non-SELinux enabled OS if the policies are not
>
>
Definetly not. SELinux is a complementary to DAC not overriding those.
Eg.: you don''t have write permissions to a directory but SELinux
enables
it you will still fail. There''s RSBAC on the ground too - another
security patch but unofficial - where you can disable DAC but that''s
not
the story with SELinux, AFAIK.
>I have dug around in the contexts files and this is what I have
>found:
>
>
>
[lots of things]
Yes, it seems that the guys at RedHat thought about the usage of mailman.
>>allow mailman_cgi_t mailman_archive_t:dir write;
>>allow mailman_cgi_t mailman_archive_t:dir add_name;
>>allow mailman_cgi_t mailman_archive_t:dir create;
>>allow mailman_cgi_t mailman_archive_t:file create;
>>allow mailman_cgi_t mailman_archive_t:file { getattr write };
>>allow mailman_cgi_t mailman_archive_t:lnk_file create;
>>The first error I receive is:
>>
>>  File "/usr/lib/mailman/Mailman/Archiver/Archiver.py", line
95, in
>>InitVars
>>    os.mkdir(self.archive_dir()+''.mbox'', 02775)
>>OSError: [Errno 13] Permission denied:
>>''/var/lib/mailman/archives/private/test1.mbox''
>>
>>
I think that the context of Archiver.py differs from mailman_cgi_t
that''s the problem. But I have to go right now.
I will take a look at it tomorrow if I can.
>>Now, do I need to add something regarding mailman_cgi_t and
>>mailman_archive_t somewhere else in some other file?
>>
>>
>>
Yes, to go towards the best solution you can achieve.
But don''t worry. That"s much secure than no SELinux at all.

bye,
Ago