Engels started playing with Linux® in 1991 and obtained his Red Hat Certified Engineer (RHCE), Red Hat Certified Instructor (RHCI), and Red Hat Certified Examiner (RHCX) certifications in 2002. He is in charge of Bluepoint's Total Linux®, Linux Kernel Internals®, Perl & Python Programming, and Extreme PHP curriculum and instruction development.
/* Conveniently yanked from the Bluepoint Institute profile page */
Richard Keech, RHCE, RHCX conducted my RHCE, RHCI, and RHCX training & certification in his capacity as Red Hat Asia-Pacific's Chief Instructor. Before we parted ways, he congratulated me for becoming the first Filipino RHCX. I told him that I was trained by the best.
In loving memory of CPT Mario B. Mortega Sr., USAFFE, VET (1920-2004)
Tuesday, Aug 22, 2006, 11:58 PMHere's a cool tool for FC6 and RHEL5 from Dan Walsh:
One of the great strengths of SELinux and other MAC architectures is that applications do not have to be modified to be protected by SELinux. This allows us to write policy for a great many services without going through the process of modifying code and getting upstream acceptance. It also allows flexibility in that different vendors or different users can have different security profiles for an application without having to modify the application.
While this is a great benefit to the developers it is not necessarily a great benefit to usability. Since applications do not understand what SELinux is doing, they can not report that SELinux is preventing them from doing something. As an example if you are running an Apache Web Server and SELinux denies access to a file, the apache web server reports permission denied. Users of Unix and other operating systems have gained experience through the years, understand that permission denied means that there is a problem with either the files ownership or file permissions (DAC). But when they go look at the file they see that apache has ownership and can read it. This leads them to scratching their heads. They go back to the log file and all it says is permission denied.
Some may suspect that SELinux is the problem, but how do they tell? If they figure that SELinux is causing the denial, how do they fix it? Could this be a security violation attempt? Could this be a configuration problem? Is the file mislabeled?
We have created a new tool in FC6 and RHEL5 called the SELinux Troubleshooter (setroubleshoot). This tool watches the audit log files for AVC messages. When an AVC messages arrives the tool runs through the SELinux plugins database looking for a match and then sends a message to the user with a description, and a suggested fix.
As an example, say you create a file index.html in your homedir and mv it to /var/html/www directory. If you try to access this file via a web browser you will receive an avc message that looks like:
Obviously this tells you that apache web server is not allowed to look at files labeled with the users home directory label.:^)
With setroubleshoot you receive a message like the following:
You can also configure the setroubleshoot daemon to send mail when it receives an AVC. So you will get them even on servers or when not logged in.
There are currently 56 Plugins which map to all of the booleans along with several known situations that come up. There is also a catchall plugin (disable_trans) which will look for avc's with no match and will suggest either writing a loadable policy module or disable trans.
You can read more about this tool at http://fedoraproject.org/wiki/SELinux/setroubleshoot.
The Plugin code to generate the above message is fairly simple and looks like this:
Now if you are interested in helping in this effort. We could use help:
* proof reading these plugins. They are in /usr/share/setroubleshoot/plugins directory.
* If you have ideas about additional plugins, bring them up on the fedora-selinux list. Patches Welcome.
This tool is a work in progress.
There are some gotchas in this tool and it has been known to go into an infinite loop. Usually when it reports bugs about itself.
First Honors Address
Corazon Aquino (1933-2009)
More Than Geeks™
LCBA Day 2
LCBA Day 7
Sci Fi Convention
Sacha & Dominique
Xen Enterprise Grade Virtualization
First Tub Bath
Chronology of Conspiracy
Mifan and Ravindra
PLDT: Disconnecting People
LCBA Day 5
Microsoft + Novell = ?
Microsoft Will Acquire Skype