Next: 8 Specification of simplified
Up: 7 Example
Previous: 7 Example
Contents
Subsections
As an example of configuration of daemon, let's configure vsftpd using
simplified policy. In this example, configure Anonymous ftp access.
By default, the domain of vsftpd is initrc_t .
initrc_t is a domain for scripts under /etc/rc.d . vsftpd
is executed by /etc/rc.d/init.d/vsftpd(the domain is initrc_t) and
inherits the domain.
However, this is not secure. Because initrc_t has a lots of access
rights(see /etc/selinux/seedit/src/policy/simplified_policy/initrc_t.a
).
In following current directory is /etc/selinux/seedit/src/policy, and permissive mode
login: root
....
# newrole -r sysadm_r
# id -Z
root:sysadm_r:sysadm_t
# cd /etc/selinux/seedit/src/policy
# setenforce 0
And for detail of syntax, see 8 .
Let's give vftpd vsftpd_t domain.
- Create configuration file
Create simplified_policy/vsftpd_t.a .
- Configure domain transition
In simplified_policy/vsftpd_t.a write following.
# simplified_policy/vsftpd_t.a
{
domain vsftpd_t;
domain_trans initrc_t /usr/sbin/vsftpd;
}
In line 2, you've defined domain vsftpd_t. In line 3, you've configured
domain transition, parent domain is initrc_t, entry point is /usr/sbin/vsftpd.
When you edit configuration, you must use make command to indicate
kernel change of configuration(See 5.3). In this case, type as below.
# make diffrelabel
Usually make diffrelabel is enough.
Restart vsftpd and check the domain of vsftpd.
# /etc/init.d/vsftpd restart
# ps -eZ
...
root:system_r:vsftpd_t 13621 pts/1 00:00:00 vsftpd
...
You can see that the domain of vsftpd is vsftpd_t. Domain transition
is successful.
Protect files related to vsftpd
If you want to protect files related to domain, the best way is deny in global. In this case, let's protect /etc/vsftpd and
/var/ftp. Add following in simplified_policy global. Note you
have to add between { and }.
# In simplifed_policy/global
deny /etc/vsftpd;
deny /var/ftp;
And
# make diffrelabel
As a result, if some domain want to access /etc/vsftpd and
/var/ftp, it must be allowed explicitly. e.g: If httpd_t want to read
/etc/vsftpd, allow /etc/vsftpd r; must be described in
httpd_t, if allow /etc r; is described, access to
/etc/vsftpd is not allowed. deny is useful to mark important
files.
The default access right for vsftpd_t is inherited from
simplified_policy/global. It is not enough, you have to add
configuration. The best way to know what
is necessary is to test vsftpd on permissive mode and see SELinux
log(The process is skipped in this document..).
Below is a policy for vsftpd_t.
# simplifed_policy/vsftpd_t.a
1 {
2 domain vsftpd_t;
3 domain_trans initrc_t /usr/sbin/vsftpd;
4 # access to files related to vsftpd
5 allow /etc/vsftpd r,s;
6 allow /var/ftp r,s;
7 allowonly /var/log r,w,s;
8 # allow to communicate with syslog
9 allow dev_log_t r,w,s;
10 allowcom -unix syslogd_t;
11 # allow to use tcp 20 and 21
12 allownet;
13 allownet -connect;
14 allownet -tcp -port 20;
15 allownet -tcp -port 21;
16 #
17 allowadm chroot;
18 }
After writing this,
# make diffrelabel
Let's review the file.
- Line 5 to 7
These are configuration to access files related to vsftpd. In line 5 and
6, giving access rights to read vsftpd configuration files and
ftp public directory.
Pay attention to line 7.
allowonly /var/log r,w,s;
In this, we want to allow to write /var/log/xferlog. If we could
configure,
allow /var/log/xferlog r,w,s;
this would be the best. However, /var/log/xferlog may be
deleted by administrater, and when re-created the SELinux label
information is lost. So we can not control access to
/var/log/xferlog.
So we used allowonly /var/log r,w,s. In this vsftpd_t can write
all files on /var/log/, but can not write files on child
directories. This is better than allow /var/log r,w,s;(This
allows write access to all files under /var/log including child directories).
Similally, for /tmp, /var/run, you can not controll access
per-file, in those directories, files are deleted and re-created,
SElinux label information may be lost.
If you have a enough knowledge of SELinux, you can use allow
file exclusive label; This configures SELinux's file type
transition. You can configure access control to files that are
deleted and re-created. For detail see 8.8.1.
- Line 9,10
Those are to communicate syslogd. If you want to communicate with
syslogd, always include these two lines.
- Line 12-15
These are to communicate via tcp 20 and 21.
initrc_t is a type for start up script(/etc/init.d/vsftpd).
This requires read access to /etc/vsftpd. But access to this file is
denied in global, so you have to allow explicitly.
#add to simplified_policy/initrc_t.a
allow /etc/vsftpd r,s;
Then,
# make diffrelabel
Test in permissive mode and see access log.
If no deny is outputted, then test in enforcing mode.
Next: 8 Specification of simplified
Up: 7 Example
Previous: 7 Example
Contents
2005-07-19