zaterdag 20 juni 2009

SELinux Lockdown Part Two: PAM SEPermit

In a previous article i discussed the advantage of mapping Linux users to confined SELinux users. There may be times when you are required to troubleshoot issues on the system or solve issues that require you to operate in SELinux Permissive Mode.

The SELinux Permissive Mode is a state in which SELinux restrictions are not enforced. SELinux does however audit SELinux policy violations that would have normally be prevented. Look at Permissive Mode as a Intrusion Detection System where Enforcing Mode could be considered a Intrusion Prevention System.

In most cases one will want to move the system out of production whilst operating in Permissive Mode. In some cases this may not be so easy.

There are ways to minimize the risks involved with Permissive Mode. A feature that was recently introduced called SELinux Permissive Domains is a preferred method to accomplish this. Permissive Domains will be discussed in a later chapter.

The Pluggable Authentication Module called SEPermit can also help minimizing exposure of Permissive Mode.

PAM SEPermit can disable Linux user logins when the system operates in Permissive Mode. Consider operating a system where your local Linux users are restricted by SELinux. Permissive Mode effectively lifts those restrictions. Linux users may take advantage of this by accessing resources they would otherwise be restricted to use.

In Fedora 11 PAM SEPermit is enabled by default in the various appropriate files in
/etc/pam.d/ like for example /etc/pam.d/sshd. One can simply configure SEPermit to disable Linux user logins in Permissive mode by adding Linux users and or SELinux users to the SEPermit configuration file located in /etc/security/sepermit.conf.

Appending
%user_u to your sepermit.conf file in /etc/security for example, disable login for SELinux user user_u when the system is in Permissive Mode.

Be aware that SELinux Permissive Mode however also lifts SELinux restrictions for processes other then Linux users like for example system services.

In most cases you are still encouraged to move your system out of the Demilitarized Zone when troubleshooting issues in Permissive Mode. PAM SEPermit can however be helpful in some cases.

Try it out!

Conclusion:

Prefer SELinux Permissive Domains over SELinux Permissive Mode.
If Permissive Mode in a live environment is required on a system with SELinux restricted Linux users then you are encourage to disable Linux user logins with the SEPermit Pluggable Authentication Module.
Be aware that this only affects Linux Users and that system services will not be protected by SELinux in Permissive Mode.


refer: man pam_sepermit, man setenforce, man getenforce

Geen opmerkingen:

Een reactie plaatsen