[afnog] Security profiles - AppArmor/SELinux (Was: [nme-afnog2011] NFSEN Setup - nfsend connect() error:)
Phil Regnauld
regnauld at nsrc.org
Sat Sep 10 08:36:45 UTC 2011
[I'm copying the AFNOG list as this is pretty relevant for many
people running Linux with AppArmor or SELinux enabled].
Hosea Phiri (hphiri) writes:
>
> "Are you using AppArmor or SELinux ?"
>
> After seeing this question I didn't hesitate but to vim /etc/selinux/config
> where I discovered line SELINUX=enforcing
>
> I changed enforcing to disabled, rebooted the server and then restarted
> nfsen. Although I got the output below but now the browser is working. I can
> see the graphs although not yet populated.
That will take a little while...
You can control that packets ARE coming into your interface,
by doing a tcpdump on the port you configured.
>
> Now I just have to make decision whether to disable SELinux permanently
Well, packages for this kind of distribution normally include the
access control profiles (MAC) required to allow just what the
application should be allowed to do, both on the local filesystem
and on the network.
Note that other people have had this problem with NFSen, with
several suggesting to just turn off SELinux. I tend to do that
myself, but I won't suggest what is good for your network :)
http://www.mail-archive.com/nfsen-discuss@lists.sourceforge.net/msg00705.html
(that entire thread)
http://www.mail-archive.com/nfsen-discuss@lists.sourceforge.net/msg00468.html
http://pwiki.pontetec.com/index.php/Userflow_Machine_Configuration
If you install a lot of packages from source, you will need
to either a) make an exception for that application in the SELinux
configuration (if possible), or b) disable SELinux entirely.
b) may not be a good idea if you want to run a very secure
environment. So maybe you could go for the third solution
which is to *write* the MAC profile for SELinux for NFSen.
http://forums.fedoraforum.org/archive/index.php/t-257540.html
Luckily, there are tools that can automate profile creation by
analyzing ("recording") all the actions that the application
performs, such as opening files, connecting to sockets, etc...
http://www.suse.com/support/security/apparmor/features/selinux_comparison.html
(See under "More automated")
The risk is that you don't know everything your app will do
in advance, so if you analyze it for a given period of time,
and you see it connects to some server X on port 80, then it
opens a file "/tmp/a", and writes to it, then closes it, that
doesn't tell you if later the program will need to open file
"/tmp/b".
You could also run SELinux in "Permissive" mode for a while,
where SELinux is active, but warns instead of blocking the
action of the program:
http://it.toolbox.com/blogs/surachart/switch-selinux-enforcing-mode-to-permissive-mode-33758
Cheers,
Phil
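As an added illustration of the two points above (profile tools that "record" what the application does, and permissive mode, which logs denials instead of blocking them), the script below reduces AVC denial lines to the allow rules a custom policy module would contain. It is example code written for this archive page, not part of the original mail or of NFSen; the audit lines, PIDs, paths, port 9995 and the type names (httpd_t, var_t, unreserved_port_t) are constructed for the demo. Real lines come from /var/log/audit/audit.log or `ausearch -m avc`.

```shell
#!/bin/sh
# Added example, not from the original mail or the NFSen project: show how
# denials that SELinux merely logs in permissive mode are turned into the
# allow rules of a custom policy module. The AVC lines below are constructed
# for this demo (types, PIDs, paths and the 9995 port are assumptions); real
# ones come from /var/log/audit/audit.log or "ausearch -m avc".
SAMPLE_AVC='type=AVC msg=audit(1315640205.123:42): avc:  denied  { read } for  pid=2301 comm="httpd" name="nfsen.conf" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1315640205.124:43): avc:  denied  { open } for  pid=2301 comm="httpd" path="/var/nfsen/etc/nfsen.conf" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1315640205.900:44): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=9995 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1315640205.900:44): arch=c000003e syscall=42 success=yes exit=0'

# Read AVC lines on stdin and print one "allow" rule per
# (source type, target type, object class), merging the permissions seen.
# This is the same reduction audit2allow performs; it only knows about
# actions the program actually took while being watched.
avc_to_allow_rules() {
    awk '
    /^type=AVC/ && /denied/ {
        # permissions sit between the braces: { read write }
        b1 = index($0, "{"); b2 = index($0, "}")
        perms = substr($0, b1 + 1, b2 - b1 - 1)
        gsub(/^ +| +$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # third colon-separated element of a context is its type
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " tgt ":" cls
        if (!(key in seen)) { seen[key] = ""; keys[++count] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "") ? p[j] : seen[key] " " p[j]
    }
    END {
        for (k = 1; k <= count; k++)
            printf "allow %s { %s };\n", keys[k], seen[keys[k]]
    }'
}

# Run the reduction over the constructed sample.
nfsen_demo_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow_rules
}

nfsen_demo_rules
```

On a real host the same reduction is done with the standard tools: run the application for a while with `setenforce 0` (permissive until the next boot), then `ausearch -m avc -ts recent | audit2allow -M nfsen_local` and `semodule -i nfsen_local.pp`. Two rules come out of the sample above, and the limitation Phil describes is visible in them: nothing is generated for a file or port the program did not touch during the recording window, so the module has to be reviewed and extended after the first denial that shows up later.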