From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1SODF2-0008PG-1k for garchives@archives.gentoo.org; Sat, 28 Apr 2012 19:23:38 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 14248E06C8; Sat, 28 Apr 2012 19:23:27 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id B667DE06C2 for ; Sat, 28 Apr 2012 19:23:25 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 44AA51B4014 for ; Sat, 28 Apr 2012 19:23:25 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 42C66E5402 for ; Sat, 28 Apr 2012 19:23:23 +0000 (UTC) 
From: "Francisco Blas Izquierdo Riera" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Francisco Blas Izquierdo Riera" Message-ID: <1335640534.5dff830dc201fb5a1927aee293f3fc62ccf09a22.klondike@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: html/, html/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: html/revdep-pax.html html/roadmap.html html/selinux-faq.html html/selinux/hb-using-install.html html/selinux/hb-using-troubleshoot.html X-VCS-Directories: html/ html/selinux/ X-VCS-Committer: klondike X-VCS-Committer-Name: Francisco Blas Izquierdo Riera X-VCS-Revision: 5dff830dc201fb5a1927aee293f3fc62ccf09a22 X-VCS-Branch: master Date: Sat, 28 Apr 2012 19:23:23 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: 68d44576-fcfc-4e5a-8218-1349ccd8e6e1 X-Archives-Hash: 9adc5197ec03a49639449f6e2775cee9 commit: 5dff830dc201fb5a1927aee293f3fc62ccf09a22 Author: klondike xiscosoft es> AuthorDate: Sat Apr 28 19:15:34 2012 +0000 Commit: Francisco Blas Izquierdo Riera xiscosoft = es> CommitDate: Sat Apr 28 19:15:34 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D5dff830d Update previews --- html/revdep-pax.html | 551 ++-----------------------= ------ html/roadmap.html | 22 +- html/selinux-faq.html | 27 ++- html/selinux/hb-using-install.html | 18 +- html/selinux/hb-using-troubleshoot.html | 27 ++- 5 files changed, 106 insertions(+), 539 deletions(-) diff --git a/html/revdep-pax.html b/html/revdep-pax.html index ee4e6d4..accbeee 100644 --- a/html/revdep-pax.html +++ b/html/revdep-pax.html @@ -21,13 +21,18 @@
Content:

= 1. What's revdep-pax about?

-

A quick introduction t= o PaX markings.

+

+Since the early days of PaX it was known that all programs were equal al= though +some were more equal than others and needed an environment with less +restrictions in order to be able to run. Thus, in order to have a secure= way of +allowing system administrators and users telling the system which binari= es +needed this lessened environment the PaX marks were created. +

=E2=80=94Geroge Orwell

+

A quick introduction t= o PaX markings.

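Review bot: the attribution of the new epigraph in this hunk misspells the author's name: `=E2=80=94Geroge Orwell` (the `=E2=80=94` is the quoted-printable form of the dash) should read George Orwell. The added paragraph also needs a small grammatical fix: "a secure way of allowing system administrators and users telling the system which binaries needed this lessened environment" should be "a secure way of allowing system administrators and users to tell the system which binaries need this less restrictive environment".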
There are some programs which won't be able to run in an environment wit= h all the PaX features enabled, for example you may have a program which has s= o called @@ -88,7 +93,7 @@ marks to the library to state it needs trampoline emula= tion but still we haven't fixed the issue since the kernel will only read the marks on the binary = being called. In order to solve this issue we have created revdep-pax.

-

What's revdep-pax?=

+

What's revdep-pax?=

revdep-pax is a tool that allows= to check for differences in PaX markings between elf objects linking to libraries (for example /bin/bash) @@ -108,530 +113,42 @@ libraries linked by an object and backwards to the= objects linked by a library.

= 2. Using revdep-pax

-

Propagating PaX marks = backwards from a library to objects that link at it +

+In order to witness the firepower of this fully ARMED and OPERATIONAL to= ol +you'll first need to learn how to use it, once you are done, you'll be +able to fire at will. +

=E2=80=94The Emperor

+

Propagating PaX marks = backwards from a library to objects that link at it

This is going to be probably the main way in which you are going to use = this -utility. What it does is check all the libraries linked statically=20 -The scanelf application is part = of the app-misc/pax-utils package= . -With this application you can print out information specific to the ELF -structure of a binary. The following table sums up the various options. -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionLong OptionDescription
-p--pathScan all directories in PATH environment
-l--ldpathScan all directories in /etc/ld.so.conf
-R--recursiveScan directories recursively
-m--mountDon't recursively cross mount points
-y--symlinkDon't scan symlinks
-A--archivesScan archives (.a files)
-L--ldcacheUtilize ld.so.cache information (use with -r/-= n)
-X--fixTry and 'fix' bad things (use with -r/-e)
-z [arg]--setpax [arg]Sets EI_PAX/PT_PAX_FLAGS to [arg] (use with -X= x)
OptionLong OptionDescription
-x--paxPrint PaX markings
-e--headerPrint GNU_STACK/PT_LOAD markings
-t--textrelPrint TEXTREL information
-r--rpathPrint RPATH information
-n--neededPrint NEEDED information
-i--interpPrint INTERP information
-b--bindPrint BIND information
-S--sonamePrint SONAME information
-s [arg]--symbol [arg]Find a specified symbol
-k [arg]--section [arg]Find a specified section
-N [arg]--lib [arg]Find a specified library
-g--gmatchUse strncmp to match libraries. (use with -N)<= /td> -
-T--textrelsLocate cause of TEXTREL
-E [arg]--etype [arg]Print only ELF files matching etype ET_DYN,ET_= EXEC ...
-M [arg]--bits [arg]Print only ELF files matching numeric bits -
-a--allPrint all scanned info (-x -e -t -r -b)
OptionLong OptionDescription
-q--quietOnly output 'bad' things
-v--verboseBe verbose (can be specified more than once) -
-F [arg]--format [arg]Use specified format for output
-f [arg]--from [arg]Read input stream from a filename
-o [arg]--file [arg]Write output stream to a filename
-B--nobannerDon't display the header
-h--helpPrint this help and exit
-V--versionPrint version and exit
-

-The format specifiers for the -F= option are given in the following table. -Prefix each specifier with % (ve= rbose) or # (silent) accordingly. -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SpecifierFull NameSpecifierFull Name
FFilenamexPaX Flags
eSTACK/RELROtTEXTREL
rRPATHnNEEDED
iINTERPbBIND
sSymbolNLibrary
oTypepFile name
fBase file namekSection
aARCH/e_machine
-

Using scanelf for Text= Relocations

-

-As an example, we will use scanelf to find binaries containing text -relocations. -

-

-A relocation is an operation that rewrites an address in a loaded segmen= t. Such -an address rewrite can happen when a segment has references to a shared = object -and that shared object is loaded in memory. In this case, the references= are -substituted with the real address values. Similar events can occur insid= e the=20 -shared object itself. -

-

-A text relocation is a relocation in the text segment. Since text segmen= ts -contain executable code, system administrators might prefer not to have = these -segments writable. This is perfectly possible, but since text relocation= s -actually write in the text segment, it is not always feasible.=20 -

-

-If you want to eliminate text relocations, you will need to make sure -that the application and shared object is built with Position Independent -Code (PIC), making references obsolete. This not only increases s= ecurity, -but also increases the performance in case of shared objects (allowing w= rites in -the text segment requires a swap space reservation and a private copy of= the -shared object for each application that uses it). -

-

-The following example will search your library paths recursively, withou= t -leaving the mounted file system and ignoring symbolic links, for any ELF= binary -containing a text relocation: +utility. What it does is check all the libraries linked statically by th= e +binaries using ldd and then smar= tly add the paxmarks of those libraries +to generate the new set. As a result if /usr/games/bin/armagetronad +links with /usr/lib64/libGL.so.1= which has the -m PaX mark +(allow RWX mappings) because you are using a llvm requiring graphics dri= ver +you'll get that binary marked with the -m PaX mark too since it needs it. +Below you can see how to run it.

- +

Code Listing2.1: Scan= ning the system for text relocation binaries

Code Listing2.1: Prop= agating the PaX marks from the libraries

-# scanelf -lqtmyR
+# mv /etc/grsec/learning.roles /etc/grsec/pol=
icy
+# chmod 0600 /etc/grsec/policy
 
-

-If you want to scan your entire system for any<= /span> file containing text -relocations: -

- - - -

Code Listing2.2: Scan= ning the entire system for text relocation files

-# scanelf -qtmyR /
-
-

Using scanelf for Spec= ific Header

-

-The scanelf util can be used to quickly identify files that contain a=20 -given section header using the -k .section option. -

-

-In this example we are looking for all files in /usr/lib/debug=20 -recursively using a format modifier with quiet mode enabled that have be= en=20 -stripped. A stripped elf will lack a .symtab entry, so we use the '!'=20 -to invert the matching logic. -

- - - -

Code Listing2.3: Scan= ning for stripped or non stripped executables

-# scanelf -k '!.symtab' /usr/lib/debug -Rq -F=
%F#k
-
-

Using scanelf for Spec= ific Segment Markings

-

-Each segment has specific flags assigned to it in the Program Header of = the -binary. One of those flags is the type of the segment. Interesting value= s are -PT_LOAD (the segment must be loaded in memory from file), PT_DYNAMIC (th= e -segment contains dynamic linking information), PT_INTERP (the segment=20 -contains the name of the program interpreter), PT_GNU_STACK (a GNU exten= sion -for the ELF format, used by some stack protection mechanisms), and PT_PA= X_FLAGS -(a PaX extension for the ELF format, used by the security-minded=20 -PaX Project. -

-

-If we want to scan all executables in the current working directory, PAT= H -environment and library paths and report those who have a writable and -executable PT_LOAD or PT_GNU_STACK marking, you could use the following = command: -

- - - -

Code Listing2.4: Scan= ning for Write/eXecute flags for PT_LOAD and PT_GNU_STACK

-# scanelf -lpqe .
-
-

Using scanelf's Format= Modifier Handler

-

-A useful feature of the scanelf = utility is the format modifier handler. =20 -With this option you can control the output of scanelf, thereby=20 -simplifying parsing the output with scripts. -

-

-As an example, we will use scanelf to print the file names that contain -text relocations: -

- - - -

Code Listing2.5: Exam= ple of the scanelf format modifier handler

-# scanelf -l -p -R -q -F "%F #t"
-
-

3. - Listing PaX Flags and Capabilities

-

About PaX

-

-PaX is a project hosted by the= grsecurity project. Quoting th= e PaX documentation, its main=20 -goal is "to research various defense mechanisms against the exploitation= of=20 -software bugs that give an attacker arbitrary read/write access to the=20 -attacked task's address space. This class of bugs contains among others=20 -various forms of buffer overflow bugs (be they stack or heap based), use= r -supplied format string bugs, etc." -

-

-To be able to benefit from these defense mechanisms, you need to run a L= inux -kernel patched with the latest PaX code. The Hardened Gentoo project supports PaX and -its parent project, grsecurity. The supported kernel package is -sys-kernel/hardened-sources. -

-

-The Gentoo/Hardened project has a Gentoo= PaX Quickstart Guide -for your reading pleasure. -

-

Flags and Capabilities=

-

-If your toolchain supports it, your binaries can have additional PaX fla= gs in -their Program Header. The following flags are supported: -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagNameDescription
PPAGEEXEC - Refuse code execution on writable pages based on the NX bit - (or emulated NX bit) -
SSEGMEXEC - Refuse code execution on writable pages based on the - segmentation logic of IA-32 -
EEMUTRAMP - Allow known code execution sequences on writable pages that - should not cause any harm -
MMPROTECT - Prevent the creation of new executable code to the process - address space -
RRANDMMAP - Randomize the stack base to prevent certain stack overflow - attacks from being successful -
XRANDEXEC - Randomize the address where the application maps to prevent - certain attacks from being exploitable -
-

-The default Linux kernel also supports certain capabilities, grouped in = the -so-called POSIX.1e Capabilities. You can= find a listing of those -capabilities in our POSIX Capabilities= document. -

-

Using pspax

-

-The pspax application, part of t= he pax-utils package, displays th= e -run-time capabilities of all programs you have permission for. On Linux = kernels -with additional support for extended attributes (such as SELinux) those -attributes are shown as well. -

-

-When ran, pspax shows the follow= ing information: -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ColumnDescription
USEROwner of the process
PIDProcess id
PAXRun-time PaX flags (if applicable)
MAPSWrite/eXecute markings for the process map -
ELF_TYPEProcess executable type: ET_DYN or ET_EXEC -
NAMEName of the process
CAPSPOSIX.1e capabilities (see note)
ATTRExtended attributes (if applicable)

Note: = -pspax only displays these capabi= lities when it is linked with -the external capabilities library. This requires you to build pax-utils -with -DWANT_SYSCAP. +Due to the way in which ldd work= s you'll get all the libraries required +at runtime, even those required by libraries you link to (and so on recu= rsively) +as a result revdep-pax will dete= ct all dependencies in a single pass. If +the behaviour of ldd changes so = may change the behaviour of +revdep-pax

-By default, pspax does not show = any kernel processes. If you want those -to be taken as well, use the -a = switch. -

-

= 4. - Programming with ELF files

-

The dumpelf Utility

-

-With the dumpelf utility you can= convert a ELF file into human readable C -code that defines a structure with the same image as the original ELF fi= le. +The scanelf application is part = of the app-misc/pax-utils package= . +With this application you can print out information specific to the ELF +structure of a binary. The following table sums up the various options.

-
- - -

Code Listing4.1: dump= elf example

-$ dumpelf /bin/hostname
-#include <elf.h>
-
-/*
- * ELF dump of '/bin/hostname'
- *     10276 (0x2824) bytes
- */
-
-struct {
-        Elf32_Ehdr ehdr;
-        Elf32_Phdr phdrs[8];
-        Elf32_Shdr shdrs[26];
-} dumpedelf_0 =3D {
-
-.ehdr =3D {
-(... Output stripped ...)
-

The contents of this document, unless otherwise expressly stated, are l= icensed under the CC-BY-SA-2.5 license. The Gentoo Name and Logo Usage Guidelines apply.
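Review bot: Code Listing 2.1, retitled "Propagating the PaX marks from the libraries", does not show revdep-pax at all: its two new lines, `# mv /etc/grsec/learning.roles /etc/grsec/policy` and `# chmod 0600 /etc/grsec/policy`, are grsecurity RBAC policy-file commands that look pasted from another document, while the paragraph just above promises "Below you can see how to run it". Replace them with the actual revdep-pax invocation for this mode. Two further points in the same hunk: the paragraph "The scanelf application is part of the app-misc/pax-utils package ... The following table sums up the various options" is kept after the new revdep-pax text while the scanelf option table it refers to is deleted here, so either drop that paragraph or keep the table; and "check all the libraries linked statically by the binaries using ldd" is wrong in substance, since ldd lists the shared objects a binary is dynamically linked against, so "statically" should be "dynamically". The closing sentence "If the behaviour of ldd changes so may change the behaviour of revdep-pax" is also missing its full stop.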

diff --git a/html/roadmap.html b/html/roadmap.html index 17be1a3..e35467e 100644 --- a/html/roadmap.html +++ b/html/roadmap.html @@ -270,29 +270,15 @@ of the packages and standard policies. Related Bugs - Deprecate old policies - 2011-11-10 - done - SwifT - - - - Deprecate old profiles - 2011-12-01 - done - blueness - - - - Get mainstream packages the proper dependencie= s on the SELinux policies - 2011-12-31 + Stabilize 20120215 policies + 2012-04-30 SwifT Have SELinux-enabled stage3 available on the m= irrors - 2012-01-31 + 2012-06-31 @@ -302,7 +288,7 @@ of the packages and standard policies. - +

Print

Page upda= ted December 10, 2011

Page upda= ted April 5, 2012
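Review bot: the new target date `2012-06-31` for "Have SELinux-enabled stage3 available on the mirrors" is not a valid calendar date, since June has 30 days; it should be 2012-06-30 or whatever date was actually intended. The rest of the hunk (dropping the two completed items and replacing the dependency item with "Stabilize 20120215 policies", due 2012-04-30) reads fine.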

Summary:= A roadmap that plots current needs and goals of the Hardened Gentoo project. diff --git a/html/selinux-faq.html b/html/selinux-faq.html index 41695b4..29c7826 100644 --- a/html/selinux-faq.html +++ b/html/selinux-faq.html @@ -79,6 +79,7 @@ FAILED (crontabs/root)'

  • Applications do not transition on a nosuid-mount= ed partition
  • Why do I always need to re-authenticate w= hen operating init scripts?
  • How do I use SELinux with initramfs?
  • +
  • Logons through xdm (or similar) fail
  • = 2. General SELinux Support Questions

    @@ -728,11 +729,35 @@ When enabled, enforcing mode cannot be disabled any= more (until you reboot). # setsebool secure_mode_policyload on
    +

    L= ogons through xdm (or similar) fail

    +

    +If you log on through xdm, gdm, kdm, slim or any other graphical logon m= anager, +you might notice in permissive mode that your context is off, and in enf= orcing +mode that you just cannot log on. +

    +

    +The reason of this is that PAM needs to be configured to include SELinux +awareness in your session handling: +

    + + + +

    Code Listing5.18: Upd= ating pam setting for gdm

    +...
    +session  required   pam_loginuid.so
    +session  optional   pam_console.so
    +session  optional   pam_selinux.so
    +
    +

    +Replicate the calls towards pam_selinux= .so in the various +/etc/pam.d/gdm* files (or simila= r depending on your graphical +logon manager). +



    - +

    Print

    Page upda= ted February 26, 2012

    Page upda= ted April 5, 2012
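Review bot: Code Listing 5.18 ("Updating pam setting for gdm") does not say which file the three `session` lines belong to, and the leading `...` hides where in the session stack `pam_selinux.so` goes; the following sentence then asks the reader to "Replicate the calls towards pam_selinux.so in the various /etc/pam.d/gdm* files" without saying from which file. Name the source file in the listing caption or the text so the reader knows what to copy and where. Minor wording: "The reason of this is that PAM needs to be configured" should be "The reason for this is that PAM needs to be configured".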

    Summary:= Frequently Asked Questions on SELinux integration with Gentoo Hardened. The FAQ is a collection of solutions found on IRC, mailinglist, forums o= r=20 diff --git a/html/selinux/hb-using-install.html b/html/selinux/hb-using-i= nstall.html index fc61177..9e97553 100644 --- a/html/selinux/hb-using-install.html +++ b/html/selinux/hb-using-install.html @@ -58,6 +58,7 @@ we recommend to switch to Python 2 until the packages a= re updated and fixed.

    Code Listing1.1: Swit= ching to python 2

    +~# emerge '<=3Ddev-lang/python-3.0'
     ~# eselect python list
     Available Python interpreters:
       [1]   python2.7
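Review bot: the added atom in Code Listing 1.1, `~# emerge '<=dev-lang/python-3.0'` (the `=3D` is quoted-printable for `=`), also matches Python 3.0 itself, which contradicts the listing's title "Switching to python 2"; `'<dev-lang/python-3'` restricts the merge to the 2.x series.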
    @@ -184,6 +185,7 @@ The following changes might<=
    /span> be necessary on your s
     tools or configurations that apply.
     

      + =20
    • If you use LVM for one or more file systems, you need to edit /lib/rcscripts/addons/lvm-start.sh<= /span> (or /lib64/..) @@ -200,6 +202,12 @@ tools or configurations that apply. which mess up the file labelling. For instance, cp /bin/hostname=20 /bin/hostname.old.
    • + =20 +
    • + Edit /etc/sandbox.conf and a= dd in + /sys/fs/selinux/context to t= he SANDBOX_WRITE parameter. + This is currently needed to work around bug 410687. +

    Installing a SELinux K= ernel
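Review bot: the added line consisting only of a single space in this hunk (`+ =20`, where `=20` is quoted-printable for a trailing space; the preceding hunk adds the same) is whitespace-only noise in the HTML and should be dropped. For the new list item itself, which tells the reader to add `/sys/fs/selinux/context` to SANDBOX_WRITE in /etc/sandbox.conf to work around bug 410687: this widens what every sandboxed build may write to, so the text should make clear that the exemption is limited to that one path and is to be reverted once the bug is fixed; a link to the bug would let readers check its status.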

    @@ -560,7 +568,8 @@ access to the /dev/u= random device:

    Define the Administrat= or Accounts

    -Finally, we need to map the account(s) you use to manage your system (th= ose +If the SELINUXTYPE is set to strict, then we=20 +need to map the account(s) you use to manage your system (those that need access to Portage) to the sta= ff_u SELinux user. If not, none of your accounts will be able to succesfully manage the system (except f= or root, but then you will need to = login as root directly and not @@ -596,11 +605,16 @@ staff_u:sysadm_r:sysadm_t

    +If you however use a targeted po= licy, then the user you work with will be +of type unconfined_t and will already ha= ve the necessary privileges to +perform system administrative tasks. +

    +

    With that done, enjoy - your first steps into the SELinux world are now = made.

    - +

    Page upda= ted January 29, 2012

    Page upda= ted April 10, 2012

    Donate to support our development efforts.
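Review bot: "If you however use a targeted policy" should read "If, however, you use a targeted policy". Since the preceding hunk now makes the staff_u mapping conditional on SELINUXTYPE being strict, this paragraph would be clearer as the explicit other branch of that condition, for example "If SELINUXTYPE is set to targeted instead, the user you work with will be of type unconfined_t ...", so the reader sees that exactly one of the two cases applies.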

    diff --git a/html/selinux/hb-using-troubleshoot.html b/html/selinux/hb-us= ing-troubleshoot.html index 983cc5a..c18afc1 100644 --- a/html/selinux/hb-using-troubleshoot.html +++ b/html/selinux/hb-using-troubleshoot.html @@ -95,6 +95,31 @@ selinux USE flag is in place, and reinstall sys-app the selinux USE flag is not in place, check your Gentoo profile and make= sure it points to a selinux/v2refpolicy/... profile.

    +

    Policy Store is Corrup= t

    +

    +If you encounter problems during boot-up or semodule operations which +fail with loading problems, but cannot be resolved with the above soluti= on, then +you might need to reinstall the policies after eliminating the corrupt s= tore. +

    + + + +

    Code Listing1.1: Reco= vering from store corruption

    +~# semodule -n -B
    +libsemanage.semanage_load_module: Error while reading from module file
    +/etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory)
    +
    +~# setenforce 0
    +~# mv /etc/selinux/targeted /etc/selinux/targ=
    eted.old
    +~# FEATURES=3D"-selinux" emerge -1av $(qlist =
    -IC sec-policy)
    +~# restorecon -R /etc/selinux
    +
    +

    +This will effectively disable the current, corrupted SELinux policy stor= e and +then use Portage to reinstall all SELinux policy packages that are insta= lled on +the system. When done, the file contexts of /etc/selinux are +restored, after which you should be able to continue. +

    = 1. Unable to Log On

    Problem Description
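Review bot: the recovery listing (Code Listing 1.1) switches the system to permissive mode with `~# setenforce 0` but never switches it back, and the closing paragraph only says "you should be able to continue"; add a final `setenforce 1` (or a reboot) after the store has been rebuilt and `restorecon -R /etc/selinux` has run, otherwise the machine silently stays permissive. Two further points: the paths `/etc/selinux/targeted` and `/etc/selinux/targeted.old` hardcode the targeted policy type, while the install chapter touched in this same commit distinguishes strict from targeted via SELINUXTYPE, so say that the directory name follows SELINUXTYPE; and moving the whole store directory aside also moves anything that was added locally to that store, which `emerge -1av $(qlist -IC sec-policy)` does not bring back, so tell the reader to re-apply such local additions from `targeted.old` afterwards.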

    @@ -267,7 +292,7 @@ disable its SELinux support. To relabel the entire fi= le system, use
    - +

    Page upda= ted December 11, 2011

    Page upda= ted April 10, 2012

    Donate to support our development efforts.