Documentation


Viewing posts for the category Omarine User's Manual

SELinux: Why not allow root to read the password file and the benefits of this?

root is the superuser who has the power to manipulate any system issue. So it sounds ridiculous that we restrict its rights. The essence of the problem is that malicious programs can use root privileges to damage the system. A good security policy should prevent all user domains including also the sysadm_t domain of the root from directly accessing the password file. Access to the password file is only for specialized programs that perform systemized administrative tasks. Thus a crack program running in sysadm_t domain cannot steal a user's password.
We follow the steps below to experiment a password-stealing attack. We create a crack program, which can steal a user's password if allowed to read the password file. Then security policy will make it invalid.

1) Compiling dictionary creation program wordmagic
Download wordmagic and compile the program as follows

Installing the Omarine 7.0 from a USB stick

Installing Omarine 7.0 from a USB stick is very simple. You just need to copy omarine-7.0-dvd.iso to the USB stick using the command below, assume that the USB device is /dev/sdb:

SELinux: shadow: Enhancing security for a security program

useradd is a typical program of the shadow package, used to create new users. But it did not work in the secure domain regulated by the security policy. In this article, we add code to solve the problem.
There is a situation where the useradd runs in the wrong domain and cannot write shadow_t files, so it does not work, because the domain it is running is not allowed to do. We consider the following command, create a user named some_name

SELinux: kernel: The steps for security checking a program before it runs and the corresponding security rules

All programs are checked for security before running. In more detail, whenever the execve() function (or its front-ends functions) is called to execute a program, the kernel conducts a check of permissions. It does that by using hook functions installed with execve().
The execve() function is defined in the fs/exec.c file of the kernel source code. When preparing for the imminent process, it calls the internal function do_open_execat() to retrieve a file structure pointer. The file pointer is later taken to a linux_binprm structure (defined in the include/linux/binfmts.h header file) with its pointer is bprm. The linux_binprm structure is responsible for keeping the arguments that are used when loading binary. There are three stages of security checking: checking program file access, checking when preparing the linux_binprm structure, and checking when loading binary.

1) Checking the program file access
When called, do_open_execat() calls do_filp_open() (defined in fs/namei.c), with the flag argument is an open_flags structure. The open_flags structure is initialized with its component open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC, and access mode component acc_mode = MAY_EXEC.
The __FMODE_EXEC flag indicates that a program is about to be run, and the MAY_EXEC access mode indicates that the executable binary is expected. The flag structure is used later to direct the appropriate control. The do_filp_open() function then calls path_openat() with the flag structure passed. At this point, the file structure is initialized with the alloc_empty_file() function (defined in the file fs/file_table.c) in which there is an argument to be the open_flag flag component. There, the f_flags component of the file structure is assigned with the open_flag flag component, and the f_mode component of the file structure is assigned as follows, where f is the pointer of the file structure and open_flag becomes the flags argument:

SELinux: xscreensaver-demo: Transitioning the file type

SELinux not only ensures the system securely against unauthorized access, but along with security policies also fixes software bugs, leads them in the right way in using resources and avoids conflicts. Xscreensaver-demo is a graphical tool used to set parameters for XScreenSaver. It creates ~/.xscreensaver configuration file and writes information into it