public inbox for gentoo-commits@lists.gentoo.org
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/
Date: Sat, 15 Oct 2011 13:04:16 +0000 (UTC)
Message-ID: <f549e5b78e8acb78d71d55f877fcca6daf9eaec6.SwifT@gentoo>

commit:     f549e5b78e8acb78d71d55f877fcca6daf9eaec6
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct 15 13:03:59 2011 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Oct 15 13:03:59 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=f549e5b7

Adding AVC information as well as policy modules. Section considered "finished" for now

---
 xml/selinux/hb-using-configuring.xml |  314 ++++++++++++++++++++++++++++++++++
 1 files changed, 314 insertions(+), 0 deletions(-)

diff --git a/xml/selinux/hb-using-configuring.xml b/xml/selinux/hb-using-configuring.xml
index 1a3f536..8a87b54 100644
--- a/xml/selinux/hb-using-configuring.xml
+++ b/xml/selinux/hb-using-configuring.xml
@@ -277,6 +277,246 @@ you'll need to update the Gentoo Hardened SELinux policy.
 </section>
 
 <section>
+<title>Reading Audit Logs</title>
+<subsection>
+<title>Introduction</title>
+<body>
+
+<p>
+When working with a SELinux-enabled system, you will eventually notice that
+things behave differently, but without giving any meaningful error message.
+Usually, when SELinux "denies" a particular access, it logs it into the audit
+log of the system, but for the application itself, it is perfectly possible that
+it just silently dies. If not, you're most likely to get a <e>permission
+denied</e> error message.
+</p>
+
+<p>
+Initially, SELinux is running in <c>permissive</c> mode, which means that
+SELinux will log what it <e>would</e> deny, but still let it through.
+This mode is perfect for getting the system in shape without having too
+much problems keeping it running. Once you think your security settings are
+in order, then this mode can be switched from <c>permissive</c> to
+<c>enforcing</c>. We'll talk about these modes later.
+</p>
+
+<p>
+First, let's take a look at the audit log and see what it is saying...
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Audit Log Location(s)</title>
+<body>
+
+<p>
+The SELinux kernel code writes its denials (and sometimes even allowed but
+audited activities) into the audit log. If you are running on a Gentoo Hardened
+installation with the <c>syslog-ng</c> system logger, then the logger is already
+configured to place these audit lines in <path>/var/log/avc.log</path>. However,
+different system loggers or system logger configurations might put the entries
+in a different log location (such as <path>/var/log/audit.log</path>).
+</p>
+
+<p>
+Below, you'll find the appropriate lines for the syslog-ng system logger
+configuration for writing the events in <path>/var/log/avc.log</path>.
+</p>
+
+<pre caption="syslog-ng.conf excerpt for SELinux AVC entries">
+<comment># The following lines are only /part/ of the configuration file!</comment>
+source kernsrc  { file("/proc/kmsg");       };
+destination avc { file("/var/log/avc.log"); };
+filter f_avc    { message(".*avc: .*");     };
+
+log {
+  source(kernsrc);
+  filter(f_avc);
+  destination(avc);
+};
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>What is AVC?</title>
+<body>
+
+<p>
+As we mentioned, SELinux writes its entries in the audit log. These entries are
+called <e>avc messages</e> or <e>avc log entries</e>. The abbreviation AVC
+stands for <e>Access Vector Cache</e> and, like the name sais, is a caching
+system.
+</p>
+
+<p>
+Using an access vector cache improves performance on dealing with (and
+enforcing) activities and privileges. Since SELinux offers a very detailed
+approach on privileges and permissions, it would become quite painful
+(performance-wise) if each call means that the SELinux code needs to look up the
+domain, the target resource label, the privilege and if it is allowed or not
+over and over again. Instead, SELinux uses the Access Vector Cache to store past
+requests/responses. It is the AVC subsystem that is responsible for checking
+accesses and (if necessary) logging it.
+</p>
+
+</body>
+</subsection>
+<subsection>
+<title>Reading an AVC Denial Message</title>
+<body>
+
+<p>
+Below you'll find a typical AVC denial message.
+</p>
+
+<pre caption="Example AVC denial message">
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472): 
+  avc:  denied  { module_request } for  pid=14561 comm="firefox" kmod="net-pf-10"
+  scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t tclass=system
+</pre>
+
+<p>
+Let's analyze each part of this message one by one.
+</p>
+
+<pre caption="AVC denial: Timestamp and location information">
+<i>Oct 15 13:04:54 hpl kernel: [963185.177043]</i> type=1400 audit(1318676694.660:2472): 
+  avc:  denied  { module_request } for  pid=14561 comm="firefox" kmod="net-pf-10"
+  scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t tclass=system
+</pre>
+
+<p>
+This first part of the message informs you when the message was written (Oct 15
+13:04:54), on which host (hpl) and how many seconds since the system was booted
+(963185.177043).
+</p>
+
+<pre caption="AVC denial: source information">
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472): 
+  avc:  denied  { module_request } for  <i>pid=14561 comm="firefox"</i> kmod="net-pf-10"
+  <i>scontext=staff_u:staff_r:mozilla_t</i> tcontext=system_u:system_r:kernel_t tclass=system
+</pre>
+
+<p>
+Next is the source of the denial, i.e. what process is trying to do something.
+In this case, the process is firefox, with PID 14561, which is running in the
+source domain staff_u:staff_r:mozilla_t.
+</p>
+
+<pre caption="AVC denial: target resource">
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472): 
+  avc:  denied  { module_request } for  pid=14561 comm="firefox" <i>kmod="net-pf-10"</i>
+  scontext=staff_u:staff_r:mozilla_t <i>tcontext=system_u:system_r:kernel_t</i> tclass=system
+</pre>
+
+<p>
+The target of the activity is a kernel module (net-pf-10, which is the internal
+name given for IPv6), labeled system_u:system_r:kernel_t
+</p>
+
+<pre caption="AVC denial: denied action">
+Oct 15 13:04:54 hpl kernel: [963185.177043] type=1400 audit(1318676694.660:2472): 
+  avc:  denied  { <i>module_request</i> } for  pid=14561 comm="firefox" kmod="net-pf-10"
+  scontext=staff_u:staff_r:mozilla_t tcontext=system_u:system_r:kernel_t <i>tclass=system</i>
+</pre>
+
+<p>
+Finally, the action that is denied (module_request) and its class (system).
+These classes help you to identify what is denied, because a read on a file is
+different from a read on a directory.
+</p>
+
+<p>
+For instance, in the following case, a process <c>gorg</c> with PID 13935 is
+trying to read a file called <path>localtime</path> with inode 130867 which
+resides on the device <path>/dev/md3</path>:
+</p>
+
+<pre caption="AVC denial example">
+Oct 15 14:40:30 hpl kernel: [968909.807802] type=1400 audit(1318682430.323:2614):
+  avc:  denied  { read } for  pid=13935 comm="gorg" name="localtime" dev=md3 ino=130867
+  scontext=staff_u:sysadm_r:gorg_t tcontext=system_u:object_r:locale_t tclass=file
+</pre>
+
+<p>
+In this case, it might be obvious that the file is <path>/etc/localtime</path>,
+but when that isn't the case, then you can find the following two commands
+useful:
+</p>
+
+<pre caption="Finding out the target resource based on inode and device">
+<comment>(Find out which device /dev/md3 is)</comment>
+# <i>mount | grep /dev/md3</i>
+/dev/md3 on / type ext4 (rw,seclabel,noatime,barrier=1,nodelalloc,data=journal)
+
+<comment>(Find out what file has inode 130867)</comment>
+# <i>find / -xdev -inum 130867</i>
+/etc/localtime
+</pre>
+
+</body>
+</subsection>
+<subsection>
+<title>Handling AVC denials</title>
+<body>
+
+<p>
+The major part of configuring SELinux is reading the denials, finding out what
+needs to be fixed (or ignored), fix it, and repeat the steps. Hopefully, the
+rest of this handbook will help you figure out what is causing a denial.
+</p>
+
+<p>
+Denials can be cosmetic (an activity that is denied, but has no effect on the
+application's functional behaviour). If that is the case, the denial can be
+marked as <e>dontaudit</e>, meaning that the denial is not logged by default
+anymore. If you think that a denial is occurring but you do not see it in the
+logs, try disabling the <e>dontaudit</e> rules:
+</p>
+
+<pre caption="Disabling dontaudit">
+<comment>(The command can also be abbreviated to "semodule -DB")</comment>
+# <i>semodule --build --disable_dontaudit</i>
+</pre>
+
+<p>
+In most cases though, denials need to be acted upon. Actions that might need to
+happen are:
+</p>
+
+<ul>
+  <li>
+    relabeling the target resource (wrong labels might cause legitimate actions
+    to be denied)
+  </li>
+  <li>
+    relabeling the source (process' binary file) as a wrong label might cause
+    the application to run in the wrong domain
+  </li>
+  <li>
+    loading a necessary SELinux module, since the modules contain the rules to
+    allow (and label) resources. Without the appropriate module loaded, you will
+    notice denials since no other module gives the necessary grants (allow
+    statements)
+  </li>
+  <li>
+    granting the right role to the user executing the application. We have
+    covered users and their roles initially but we will go deeper into this
+    subject later in the handbook.
+  </li>
+  <li>
+    adding your own SELinux policy statements, most likely because no SELinux
+    policy module exists for the application you are trying to run
+  </li>
+</ul>
+
+</body>
+</subsection>
+</section>
+
+<section>
 <title>Using (File) Labels</title>
 <subsection>
 <title>Introduction</title>
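Review bot: the field-by-field walk-through of the AVC record skips two fields the reader sees in every entry: `type=1400` (the audit record type used for AVC messages) and `audit(1318676694.660:2472)` (seconds since the epoch with milliseconds, then the audit event serial number); the "Timestamp and location information" paragraph only covers the syslog timestamp, host and uptime, so one sentence on those two fields would complete the picture, and the serial is what links an AVC line to its related SYSCALL record when auditd is in use. The "Audit Log Location(s)" subsection should also state that the `file("/proc/kmsg")` source only sees AVC lines when no auditd is running, because the kernel hands audit records to auditd instead of printing them to the kernel log; in that case the entries land wherever auditd is configured to write (the /var/log/audit.log already mentioned). Under "Disabling dontaudit" the paragraph should say how to restore the default, i.e. rebuild without the flag (`semodule -B`), since the disabled state persists until the policy is rebuilt. Minor: "like the name sais" should read "says", "too much problems" should read "too many problems", and the sentence ending "labeled system_u:system_r:kernel_t" is missing its period.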
@@ -663,5 +903,79 @@ flexible SELinux policy.
 
 </body>
 </subsection>
+<subsection>
+<title>Managing SELinux Policy Modules</title>
+<body>
+
+<p>
+In this last part, we'll cover SELinux policy modules. We mentioned before that
+the SELinux policy used by Gentoo Hardened is based on the reference policy,
+which offers a modular approach to SELinux policies. There is one base policy,
+which is mandatory on every system and is kept as small as possible. The rest
+are SELinux policy modules, usually providing the declarations, rules and file
+contexts for a single application (or type of applications).
+</p>
+
+<p>
+With <c>semodule -l</c> you can see the list of SELinux policy modules loaded:
+</p>
+
+<pre caption="Listing the loaded SELinux modules">
+# <i>semodule -l</i>
+alsa       1.11.0
+apache     2.3.0
+entropyd   1.6.0
+dbus       1.15.0
+dnsmasq    1.9.0
+<comment>(...)</comment>
+</pre>
+
+<p>
+Within Gentoo Hardened, each module is provided by the package
+<path>sec-policy/selinux-&lt;modulename&gt;</path>. For instance, the first
+module encountered in the above example is provided by
+<path>selinux-alsa</path>:
+</p>
+
+<pre caption="The SELinux policy module package in Gentoo">
+$ <i>emerge --search selinux-alsa</i>
+Searching...
+[ Results for search key : selinux-alsa ]
+[ Applications found : 1]
+
+* sec-policy/selinux-alsa
+    Latest version available: 2.20110726
+    Latest version installed: 2.20110726
+    Size of files: 574 kB
+    Homepage:      http://www.gentoo.org/proj/en/hardened/selinux/
+    Description:   SELinux policy for alsa
+    License:       GPL-2
+</pre>
+
+<p>
+If you need a module that isn't installed on your system, this is considered a
+bug (packages that need it should depend on the SELinux policy package if the
+selinux USE flag is set). But once you install the package yourself, the module
+will be loaded automatically:
+</p>
+
+<pre caption="Installing a SELinux policy package">
+# <i>emerge selinux-screen</i>
+</pre>
+
+<p>
+If you want to remove a module from your system though, uninstalling the package
+will not suffice: the SELinux policy module itself is copied to the policy store
+earlier (as part of the installation process) and is not removed from this store
+by Portage. Instead, you will need to remove the module manually:
+</p>
+
+<pre caption="Uninstalling a SELinux policy module">
+# <i>emerge -C selinux-screen</i>
+# <i>semodule -r screen</i>
+</pre>
+
+</body>
+</subsection>
 </section>
 </sections>
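Review bot: the "Uninstalling a SELinux policy module" example gives the reader no way to confirm the module is actually gone; suggest closing it with `semodule -l | grep screen` (or pointing back to the listing shown earlier in the subsection). The mapping from package name to module name (sec-policy/selinux-screen to `screen`) is implied by the `selinux-<modulename>` convention stated above, but it is worth repeating next to `semodule -r screen`, since passing the package name to semodule is an easy mistake. It would also help to mention that removal can fail when other loaded modules still depend on the one being removed, so the reader knows what such an error means rather than assuming Portage left the store in a bad state.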