[Clip] DISA STIG SRR Scripts
Stephen Smalley
sds at tycho.nsa.gov
Wed Sep 9 07:42:52 CDT 2009
On Wed, 2009-09-09 at 08:16 -0400, Joe_Wulf wrote:
> Stephen,
>
> Going one step further.... for any particular instance of SELinux out there,
> would you say the permissions are already 'correct'? From an auditor's
> perspective---how can/should I, during a Host Based Assessment, know what is
> there, is in fact, correct?

The initial file modes for the selinuxfs (/selinux) files are compiled
into the kernel and set correctly at boot each time. So you can either
read the selinuxfs code in the kernel to see the expected values or you
can sample them at boot on a known-good system.

And even if the file modes were completely opened up, SELinux applies
its own permission checks when operating on those files.

The files that are likely of greatest interest are:

/selinux/load - used to reload policy
/selinux/enforce - used to read or modify the enforcing status
/selinux/booleans/* - used to read or modify the policy booleans
/selinux/commit_pending_bools - used to commit changes to the booleans

These files are also subjected to SELinux permission checks, so the only
case where the DAC file mode is relevant is if you are using targeted
policy and have unconfined_t processes. In that situation, those files
are prevented from being modified by non-root unconfined_t processes via
the DAC controls.

--
Stephen Smalley
National Security Agency
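
The baseline approach described in the message above, as an added example that is not part of the original post: it records mode, owner and group for the four selinuxfs paths listed and reports drift against a snapshot taken on a known-good system. The function names are hypothetical, GNU stat is assumed, and no expected modes are hard-coded because the message gives none.

```shell
#!/bin/sh
# Added example: baseline-and-compare for the selinuxfs files named in the
# message. Function names are hypothetical; the root defaults to /selinux.

# Print "mode uid gid path" for each file of interest under the given root.
selinuxfs_snapshot() {
    root=${1:-/selinux}
    for f in "$root/load" "$root/enforce" "$root/commit_pending_bools" \
             "$root"/booleans/*; do
        rel=${f#"$root"/}
        # A path that does not exist (or an unmatched glob) is itself a finding.
        [ -e "$f" ] || { echo "MISSING - - $rel"; continue; }
        # GNU stat: %a = octal DAC mode, %u = owner uid, %g = group gid
        echo "$(stat -c '%a %u %g' "$f") $rel"
    done | sort -k4
}

# Compare the current state with a baseline file written by
# selinuxfs_snapshot. Prints a unified diff and returns 1 on any drift.
selinuxfs_compare() {
    baseline=$1
    root=${2:-/selinux}
    tmp=$(mktemp) || return 2
    selinuxfs_snapshot "$root" > "$tmp"
    if diff -u "$baseline" "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Usage:
#   known-good system, at boot:  selinuxfs_snapshot > selinuxfs.baseline
#   system under assessment:     selinuxfs_compare selinuxfs.baseline
```

A clean comparison covers only the DAC layer; the SELinux permission checks on these files are enforced separately by the loaded policy.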