hidden files and se linux?

From: Tobias
Date: 2003-07-21 22:38 UTC
To: SELinux

hello!

is it possible to hide files under selinux?
i don't mean to prohibit the access, i mean to make some files absolutely invisible for the entire system.

background: like LIDS, it may hide files at a specified time.

best regards
tobias

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
Re: hidden files and se linux?

From: Kerry Thompson
Date: 2003-07-22 3:39 UTC
To: CoUnt3r
Cc: SELinux

Tobias said:
> hello!
>
> is it possible to hide files under selinux?
> i don't mean to prohibit the access, i mean to make
> some files absolutely invisible for the entire system.

No problem. Just create a new type with minimal permissions, and label the files with this type. I just tried it on my test box:

# cat <<! >domains/misc/hidden.te
# Basic type for completely hidden files
type hidden_t;
allow sysadm_t hidden_t:file { relabelto };
allow sysadm_t hidden_t:dir { relabelto };
allow hidden_t fs_t:filesystem { associate };
!

Now, run 'make load' to load that small addition to the policy, then label some files:

# mkdir /var/tmp/hidden
# touch /var/tmp/hidden/hiddenfile
# chcon system_u:object_r:hidden_t /var/tmp/hidden/hiddenfile
# chcon system_u:object_r:hidden_t /var/tmp/hidden

.. and now test:

# ls -l /var/tmp/hidden
ls: /var/tmp/hidden: Permission denied
# ls -l /var/tmp/hidden/*
ls: /var/tmp/hidden/*: Permission denied
# ls -l /var/tmp
ls: /var/tmp/hidden: Permission denied

Of course, an intruder could infer that something was there from the permission denied message, but nobody - not even the system admin - can get into that directory without either changing the policy to allow access or dropping the system into permissive mode. In reality, you'll probably want to add some rules to the policy to give a small amount of access to someone.

Kerry

--
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz kerry@crypt.gen.nz
Re: hidden files and se linux?

From: coUnt3r
Date: 2003-07-22 11:37 UTC
To: Kerry Thompson
Cc: SELinux

hi kerry, hi maillist,

> Of course, an intruder could infer that something was there from the
> permission denied message, but nobody - not even the system admin - can
> get into that directory without

ok, that's not true invisibility, but rather a workaround ;)

thx for your detailed hint!

regards
t.

> Tobias said:
> > hello!
> >
> > is it possible to hide files under selinux?
> > i don't mean to prohibit the access, i mean to make
> > some files absolutely invisible for the entire system.
>
> No problem.
> Just create a new type with minimal permissions, and label the files with
> this type. I just tried it on my test box :
>
> [Kerry Thompson's reply of 2003-07-22 3:39 quoted in full; see above]
Re: hidden files and se linux?

From: Russell Coker
Date: 2003-07-22 20:03 UTC
To: Tobias, SELinux

On Mon, 21 Jul 2003 18:38, Tobias wrote:
> is it possible to hide files under selinux?

To do that properly requires poly-instantiated directories. AFAIK no-one will do that in the near future; more important file system related things such as NFS file labeling have not been done yet...

SE Linux allows you to deny "getattr" access (i.e. a stat() system call fails), but "ls *" will still show the existence of files.

It is my understanding that LIDS allows the files to be hidden (so a readdir() will not show them). But this is not fully adequate: a hostile user can guess at file names and try to create them; if a file creation fails and there are no other issues (such as lack of disk space) then you can infer the existence of the file name. Polyinstantiated directories are the solution to this problem.

I think that the consensus of opinion of people on this list is that hidden files without polyinstantiated directories are of little use.

There has been some previous discussion of this matter; checking the list archives (see my web site for the link) will provide you with more information.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: hidden files and se linux?

From: Dean Anderson
Date: 2003-07-22 20:59 UTC
To: Russell Coker
Cc: Tobias, SELinux

There is an easy hack to do this, as can be seen by examining linux kernel module root kits. It does not need to be "integrated" into selinux. One thing to watch for though, is that many of the kernel module rootkits have memory leaks. (Usually this is a clue to rooted machines.) The code from a root kit needs some serious repair, but demonstrates the general idea.

It might be useful to have a second syslogd logging SELinux events off-machine, and to hide both SELinux and this syslogd, to create some confusion for the cracker, and thereby ensuring that you know he is there before he knows that you know.

--Dean

On Tue, 22 Jul 2003, Russell Coker wrote:
> On Mon, 21 Jul 2003 18:38, Tobias wrote:
> > is it possible to hide files under selinux?
>
> To do that properly requires poly-instantiated directories. AFAIK no-one will
> do that in the near future, more important file system related things such as
> NFS file labeling have not been done yet...
>
> [Russell Coker's reply of 2003-07-22 20:03 quoted in full; see above]
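Added example, not written by any poster in this thread: Kerry's hidden_t type grants no domain read, search or getattr access, so, as Kerry and Russell both note, the only thing an outsider learns is a "permission denied". Seen from the defender's side that makes the labelled directory a tripwire: every AVC message naming hidden_t is someone probing it, which is exactly the kind of event Dean suggests shipping to a second, off-machine syslogd. The parser below reads both the 2003-era "kernel: avc:" syslog shape and the later audit-daemon shape, pulls the target type out of tcontext, and raises an alert for any record whose target is a canary type. The log lines are constructed for the example; the type name hidden_t and the policy it refers to come from Kerry's message, and the AVC field layout is the kernel's, but the alert text and severity scheme are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample log, not taken from the thread. Lines 1-2 use the
# 2003-era "kernel: avc:" syslog shape, lines 3-4 the audit-daemon shape
# later kernels emit; line 5 is an unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Jul 22 03:41:07 testbox kernel: avc:  denied  { read } for  pid=1102 exe=/bin/ls name=hidden dev=03:01 ino=48231 scontext=user_u:user_r:user_t tcontext=system_u:object_r:hidden_t tclass=dir
Jul 22 03:41:12 testbox kernel: avc:  denied  { getattr } for  pid=1103 exe=/bin/ls path=/var/tmp/hidden/hiddenfile dev=03:01 ino=48232 scontext=user_u:user_r:user_t tcontext=system_u:object_r:hidden_t tclass=file
type=AVC msg=audit(1058845275.410:17): avc:  denied  { write } for  pid=2210 comm="httpd" name="index.html" dev="sda1" ino=9911 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1058845301.002:18): avc:  denied  { search } for  pid=2260 comm="find" name="hidden" dev="sda1" ino=48231 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:hidden_t:s0 tclass=dir permissive=1
Jul 22 03:42:00 testbox sshd[2301]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""

# Shape: avc:  denied  { perm perm } for  key=value key="value" ...
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class AvcRecord:
    decision: str   # "denied" or "granted"
    perms: list     # permissions requested, e.g. ["read"]
    fields: dict    # pid, comm/exe, name/path, scontext, tcontext, tclass, ...
    raw: str

    def _ctx_type(self, key):
        # A context is user:role:type[:range]; the type is the third field.
        parts = self.fields.get(key, "").split(":")
        return parts[2] if len(parts) >= 3 else ""

    @property
    def source_type(self):
        return self._ctx_type("scontext")

    @property
    def target_type(self):
        return self._ctx_type("tcontext")

    @property
    def permissive(self):
        # The old syslog shape has no permissive= field; treat that as enforcing.
        return self.fields.get("permissive", "0") == "1"

    def object_name(self):
        return self.fields.get("path") or self.fields.get("name") or "?"

    def process(self):
        return self.fields.get("comm") or self.fields.get("exe") or "?"


def parse_avc(line):
    """Return an AvcRecord for an AVC line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for kv in KV_RE.finditer(m.group("rest")):
        key, quoted, bare = kv.group(1), kv.group(2), kv.group(3)
        fields[key] = quoted if quoted is not None else bare
    return AvcRecord(m.group("decision"), m.group("perms").split(), fields, line.rstrip())


def canary_hits(lines, canary_types=("hidden_t",)):
    """Records whose target object carries one of the canary types.

    Under the hidden.te policy from the thread no domain may read, search or
    stat hidden_t objects, so every AVC naming hidden_t is a probe of the
    directory: the "permission denied" leak turned into a detection signal.
    """
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec.target_type in canary_types:
            hits.append(rec)
    return hits


def describe(rec):
    """One-line alert text. A hit while the system was permissive is worse:
    the access was logged but not blocked, so the object was really touched."""
    severity = "CRITICAL" if rec.permissive else "HIGH"
    pid = rec.fields.get("pid", "?")
    tclass = rec.fields.get("tclass", "?")
    perms = " ".join(rec.perms)
    text = (f"{severity}: {rec.process()} (pid {pid}, {rec.source_type}) "
            f"tried {{{perms}}} on {tclass} {rec.object_name()} [{rec.target_type}]")
    if rec.permissive:
        text += " while the system was PERMISSIVE"
    return text


if __name__ == "__main__":
    for hit in canary_hits(SAMPLE_LOG.splitlines()):
        print(describe(hit))
```

In practice the lines would come from the off-machine syslog (or auditd) stream rather than an inline string, and the canary list would hold whatever types you label tripwire objects with; the parser ignores non-AVC lines, so it can be fed the whole kernel log.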