Where to go for advice on local policy secuirity implications

Where to go for advice on local policy secuirity implications

[James B. Byrne]

We employ a third-party Apache module (passenger aka mod-rails) to
handle our Ruby-on-Rails web applications.  Because of the lack of
SELinux awareness built into the module we currently run these on an
isolated virtual host in SE permissive mode.

We are in the process of examining whether it is possible to create a
local policy for Passenger which will allow it to run in enforcing
mode but not open the system to other exploits. We would like to know
if there is any on-line venue where the security aspects of specific
policy elements might be discussed.

Is there such a resource?  If so, can anyone here provide the reference?


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Where to go for advice on local policy secuirity implications

[Dominick Grift]

On Mon, 2012-05-28 at 11:54 -0400, James B. Byrne wrote:
> We would like to know
> if there is any on-line venue where the security aspects of specific
> policy elements might be discussed.

There is a list with many of the security classes and their av
permissions with small descriptions here:

http://www.selinuxproject.org/page/ObjectClassesPerms

This information can be used as a guide to more information available on
Internet.

There is more information available at www.selinuxproject.org

I hope this helps



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Where to go for advice on local policy secuirity implications

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/28/2012 11:54 AM, James B. Byrne wrote:
> We employ a third-party Apache module (passenger aka mod-rails) to handle
> our Ruby-on-Rails web applications.  Because of the lack of SELinux
> awareness built into the module we currently run these on an isolated
> virtual host in SE permissive mode.
> 
> We are in the process of examining whether it is possible to create a local
> policy for Passenger which will allow it to run in enforcing mode but not
> open the system to other exploits. We would like to know if there is any
> on-line venue where the security aspects of specific policy elements might
> be discussed.
> 
> Is there such a resource?  If so, can anyone here provide the reference?
> 
> 
Why not just email to refpolicy list the rules you want to allow along with
the AVC's.  If there is security info you do not want to reveal, I would be
willing to look at them.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/E2+kACgkQrlYvE4MpobNBpACfVdm6sAYBtuTg2L5q7p8Hzv/3
5SoAmQFChBdVOQtNR1Nwp04GHtu6Q+7c
=U0yB
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Where to go for advice on local policy secuirity implications

[James B. Byrne]

On Tue, May 29, 2012 10:23, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/28/2012 11:54 AM, James B. Byrne wrote:
>> We are in the process of examining whether it is possible to
>> create a local policy for Passenger which will allow it to
>> run in enforcing mode but not open the system to other
>> exploits. We would like to know if there is any on-line venue
>> where the security aspects of specific policy elements
>> might be discussed.
>>
>> Is there such a resource?  If so, can anyone here provide the
>> reference?
>>
>>
> Why not just email to refpolicy list the rules you want to allow
> along with the AVC's.  If there is security info you do not want
> to reveal, I would be willing to look at them.

Thank you.  The refpolicy list is the reference I was seeking. I will
inquire there.

We have no unusually sensitive security issues with revealing the avcs
and recommended policies.  At the present time the server is running
in permissive mode so any action which offers us the hope of setting
it to enforcing is a step in the right direction.


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.