What's sandbox showshadow? I didn't know the command sandbox. Pretty interesting.
But my boss doesn't know what the /etc/shadow is...

2010/2/19 Daniel J Walsh <dwalsh@xxxxxxxxxx>:
> On 02/18/2010 04:44 PM, Dominick Grift wrote:
> > On 02/18/2010 10:17 PM, Shintaro Fujiwara wrote:
> > > Hi, I'm ready to start SELinux server in my office first time, and I
> > > want to persuade everyone how safe the SELinux server is.
> > > How can I demonstrate to administrators and my boss the advantage of
> > > SELinux compared to other servers?
> > > SELinux play machine hit me but is too far or should I just
> > > demonstrate in a certain occasion for certain purpose?
> >
> > It depends a bit on your distro and policy model.
> > But generally you can demonstrate how TE enforces integrity for targeted
> > system daemons.
> > If you use strict policy you can also enforce integrity for user
> > processes. You can also demonstrate role based access control.
> > You can demonstrate how MCS can be useful to restrict processes' access
> > to objects.
> > If you use MLS model you can demonstrate enforcement of confidentiality.
> > I never actually connected to play machine but I gather it mapped the
> > root Linux login to the user_u SELinux user.
> > There are a lot of ways to demonstrate SELinux. You could restrict a
> > simple hello world shell script and show what happens if you extend the
> > script to make it do something it is not intended to do.
> > Same goes for web applications. You could write a webapp and make it do
> > something that SELinux policy does not allow it to do.
> > Generally TE tries to prevent privilege escalation. It restricts processes.
> >
> > > Thanks in advance.
> > >
> > > --
> > > selinux mailing list
> > > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Simple demonstration in Fedora 12. Create a script.
>
> cat > /usr/bin/showshadow << _EOF
> #!/bin/sh
> id
> cat /etc/shadow
> _EOF
>
> chmod +x /usr/bin/showshadow
>
> showshadow
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> root:*:::
> bin:*:14043:0:99999:7:::
> daemon:*:14043:0:99999:7:::
> adm:*:14043:0:99999:7:::
> lp:*:14043:0:99999:7:::
> sync:*:14043:0:99999:7:::
> shutdown:*:14043:0:99999:7:::
> halt:*:14043:0:99999:7:::
> mail:*:14043:0:99999:7:::
> news:*:14043:0:99999:7:::
> uucp:*:14043:0:99999:7:::
> operator:*:14043:0:99999:7:::
> games:*:14043:0:99999:7:::
> gopher:*:14043:0:99999:7:::
> ftp:*:14043:0:99999:7:::
> nobody:*:14043:0:99999:7:::
> vcsa:!!:14043:0:99999:7:::
> distcache:!!:14043:0:99999:7:::
> nscd:!!:14043:0:99999:7:::
> tcpdump:!!:14043:0:99999:7:::
>
> # sandbox showshadow
> uid=0 gid=0 groups=0,1,2,3,4,6,10
> context=staff_u:unconfined_r:sandbox_t:s0:c512,c625
> cat: /etc/shadow: Permission denied
>
> To see the error message
>
> # ausearch -m avc -ts recent
> ----
> time->Thu Feb 18 17:03:36 2010
> type=PATH msg=audit(1266530616.620:1997): item=0 name="/etc/shadow"
> inode=5688120 dev=fd:01 mode=0100400 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:shadow_t:s0
> type=CWD msg=audit(1266530616.620:1997): cwd="/tmp"
> type=SYSCALL msg=audit(1266530616.620:1997): arch=c000003e syscall=2
> success=no exit=-13 a0=7fff6bb88798 a1=0 a2=7fff6bb88120 a3=a items=1
> ppid=26934 pid=26938 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat"
> subj=staff_u:unconfined_r:sandbox_t:s0:c512,c625 key=(null)
> type=AVC msg=audit(1266530616.620:1997): avc: denied { open } for
> pid=26938 comm="cat" name="shadow" dev=dm-1 ino=5688120
> scontext=staff_u:unconfined_r:sandbox_t:s0:c512,c625
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
>
> grep shadow /var/log/messages
> Feb 18 17:03:42 localhost setroubleshoot: SELinux is preventing /bin/cat
> "open" access on /etc/shadow. For complete SELinux messages. run sealert -l
> 95108dbb-8254-4a00-886d-028bafa4996a

--
http://intrajp.no-ip.com/ Home Page
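As an added example, not part of the thread and not one of Fedora's own tools: a small Python parser for the AVC records that `ausearch -m avc` prints, of the kind shown in Dan's demonstration above. It pulls the denied permissions, the source and target types and the object class out of each `type=AVC` record, ignores the PATH/CWD/SYSCALL records of the same event, aggregates denials per (source type, target type, class), and flags denials whose target is `shadow_t`, which is exactly the event the sandboxed `showshadow` script produces. The sample input is constructed: its first AVC record is the one from the thread, the second is a constructed repeat of the same script a little later; `SENSITIVE_TARGET_TYPES` is an assumption of this example, not a setroubleshoot or audit setting.

```python
"""Parse SELinux AVC denial records (as printed by `ausearch -m avc`) and
summarize them per source type / target type / object class."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input. The first event is the one from the mailing-list
# thread (AVC line with the kernel's real double spaces); the second AVC record
# is constructed: the same sandboxed script run again a minute later.
SAMPLE_AUSEARCH = """\
----
time->Thu Feb 18 17:03:36 2010
type=PATH msg=audit(1266530616.620:1997): item=0 name="/etc/shadow" inode=5688120 dev=fd:01 mode=0100400 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0
type=CWD msg=audit(1266530616.620:1997): cwd="/tmp"
type=SYSCALL msg=audit(1266530616.620:1997): arch=c000003e syscall=2 success=no exit=-13 a0=7fff6bb88798 a1=0 a2=7fff6bb88120 a3=a items=1 ppid=26934 pid=26938 auid=3267 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" subj=staff_u:unconfined_r:sandbox_t:s0:c512,c625 key=(null)
type=AVC msg=audit(1266530616.620:1997): avc:  denied  { open } for  pid=26938 comm="cat" name="shadow" dev=dm-1 ino=5688120 scontext=staff_u:unconfined_r:sandbox_t:s0:c512,c625 tcontext=system_u:object_r:shadow_t:s0 tclass=file
----
time->Thu Feb 18 17:05:01 2010
type=AVC msg=audit(1266530701.100:2001): avc:  denied  { read } for  pid=26950 comm="cat" name="shadow" dev=dm-1 ino=5688120 scontext=staff_u:unconfined_r:sandbox_t:s0:c512,c625 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Shape of an AVC record: type=AVC msg=audit(TS:SERIAL): avc: denied { perms } for k=v ...
AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values are double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: target types a confined process should never
# reach; a denial against them is the sandbox doing its job and worth a look.
SENSITIVE_TARGET_TYPES = frozenset({"shadow_t"})


@dataclass(frozen=True)
class AvcDenial:
    timestamp: float
    serial: int
    perms: tuple
    pid: int
    comm: str
    name: str
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]   # user:role:type[:range]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc_denials(text: str) -> list:
    """Return one AvcDenial per `type=AVC ... denied` line; other records are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m or m.group("result") != "denied":
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        denials.append(AvcDenial(
            timestamp=float(m.group("ts")),
            serial=int(m.group("serial")),
            perms=tuple(m.group("perms").split()),
            pid=int(fields.get("pid", 0)),
            comm=fields.get("comm", ""),
            name=fields.get("name", ""),
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
        ))
    return denials


def summarize(denials) -> dict:
    """Aggregate as {(source_type, target_type, tclass): sorted list of denied perms}."""
    agg = defaultdict(set)
    for d in denials:
        agg[(d.source_type, d.target_type, d.tclass)].update(d.perms)
    return {key: sorted(perms) for key, perms in agg.items()}


def describe(d: AvcDenial) -> str:
    """One-line, human-readable rendering of a denial, flagging sensitive targets."""
    flag = " [sensitive target]" if d.target_type in SENSITIVE_TARGET_TYPES else ""
    return (f"{d.source_type} denied {{ {' '.join(d.perms)} }} on {d.tclass} "
            f"'{d.name}' ({d.target_type}) by comm={d.comm} pid={d.pid}{flag}")


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUSEARCH)
    for d in found:
        print(describe(d))
    for (src, tgt, cls), perms in summarize(found).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

Feed it real output with `ausearch -m avc -ts recent | python3 avc_summary.py` after swapping the sample for `sys.stdin.read()`. The aggregated view is what you want on a whiteboard for the demonstration: one line saying `sandbox_t -> shadow_t:file { open read }` makes the point that the script ran as uid 0 and still could not touch the shadow file.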