[Clip] DISA STIG SRR Scripts
Eric Gearhart
eric at nixwizard.net
Wed Sep 9 11:58:06 CDT 2009
On Wed, Sep 9, 2009 at 5:42 AM, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> On Wed, 2009-09-09 at 08:16 -0400, Joe_Wulf wrote:
> > Stephen,
> >
> > Going one step further.... for any particular instance of SELinux out there,
> > would you say the permissions are already 'correct'? From an auditor's
> > perspective---how can/should I, during a Host Based Assessment, know what is
> > there, is in fact, correct?
>
> The initial file modes for the selinuxfs (/selinux) files are compiled
> into the kernel and set correctly at boot each time. So you can either
> read the selinuxfs code in the kernel to see the expected values or you
> can sample them at boot on a known-good system.
>
> And even if the file modes were completely opened up, SELinux applies
> its own permission checks when operating on those files.
>
> The files that are likely of greatest interest are:
> /selinux/load - used to reload policy
> /selinux/enforce - used to read or modify the enforcing status
> /selinux/booleans/* - used to read or modify the policy booleans
> /selinux/commit_pending_bools - used to commit changes to the booleans
>
> These files are also subjected to SELinux permission checks, so the only
> case where the DAC file mode is relevant is if you are using targeted
> policy and have unconfined_t processes. In that situation, those files
> are prevented from being modified by non-root unconfined_t processes via
> the DAC controls.
>
>
Thanks Stephen, I wasn't aware that /selinux was a pseudo filesystem (along
the same lines as /proc I'd assume) - I'd just noticed that the perms were
more permissive than 640 on /selinux. That's easily explained to the
auditors evaluating us for DIACAP compliance.
--
Eric
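
The approach Stephen describes (sample the selinuxfs file modes on a known-good system, then compare during an assessment), as an added example that is not part of the original thread. It assumes GNU `stat` and the `/selinux` mount point named above; the function names are hypothetical, and the demo tree and its modes are constructed sample values, not the kernel's real ones.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (-c) and the
# /selinux mount point used in the thread; function names are hypothetical.

# Print "<octal mode> <uid>:<gid> <path>" for the files listed in the thread.
snapshot_modes() {
    root=${1:-/selinux}
    (
        cd "$root" || exit 1
        for f in load enforce commit_pending_bools booleans/*; do
            if [ -e "$f" ]; then stat -c '%a %u:%g %n' "$f"; fi
        done | sort -k3
    )
}

# Return 0 if ROOT matches the baseline file, 1 (and print a diff) on drift.
compare_modes() {
    baseline=$1
    root=${2:-/selinux}
    current=$(snapshot_modes "$root") || return 2
    [ "$current" = "$(cat "$baseline")" ] && return 0
    printf '%s\n' "$current" | diff "$baseline" - || :
    return 1
}

# Build a constructed stand-in tree; the modes are sample values, not the
# kernel's real selinuxfs modes.
make_demo_tree() {
    mkdir -p "$1/booleans"
    touch "$1/load" "$1/enforce" "$1/commit_pending_bools" \
          "$1/booleans/example_bool"
    chmod 600 "$1/load" "$1/commit_pending_bools"
    chmod 644 "$1/enforce" "$1/booleans/example_bool"
}

# Demo on the constructed tree so the script runs on any host.
demo=$(mktemp -d) && make_demo_tree "$demo"
snapshot_modes "$demo" > "$demo.baseline"     # "known-good" sample
chmod 666 "$demo/enforce"                     # simulate a changed mode
compare_modes "$demo.baseline" "$demo" || echo "drift detected"
rm -rf "$demo" "$demo.baseline"
```

On a real host, run `snapshot_modes > baseline.txt` on the known-good system right after boot, then `compare_modes baseline.txt` on the system under assessment.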