SELinux with omarine policy: An in-depth look at the security policy – secure program with its own domain: Part 2

File myapp.if: myapp.if has three interfaces: myapp_domtrans is used to transition domains; myapp_run is used to transition domains and assign a role; myapp_read_log is used to read the log files. The content of the file myapp.if is as follows: ## <summary>Myapp example policy</summary> ## <desc> ## <p> ## More descriptive text about myapp. The desc ## tag […]

SELinux with omarine policy: An in-depth look at the security policy – secure program with its own domain: Part 1

A program running in its own domain is secure because we can design the policy so that only it can access its data and no user can run the program (even root) except those whose use is allowed by the policy. The security policy is very strong and no application can interfere, because it is controlled directly from […]

Setting up an fstab that does not depend on the device name

If you install Omarine on an external USB hard drive, it will be assigned a device name that might change when other USB devices are present. Suppose your USB hard drive is /dev/sdc, divided into two partitions: /dev/sdc1 for the root partition and /dev/sdc2 for the /home partition. The two corresponding entries in your /etc/fstab may […]

SELinux with omarine policy: Allowing a guest user to login without a password

We have Omarine with SELinux in enforcing mode. This is a favorable condition for allowing a user to log in without entering a password. That user is only allowed to log in while SELinux is in enforcing mode; in permissive mode the login is denied. Therefore this feature is only available on an SELinux system that […]

Using audit to find out unauthorized access

Omarine has set up an audit rule in the file /etc/audit/rules.d/access-other.rules as follows: -a always,exit -F arch=b64 -S openat -F dir=/home/ -F success=0 -C uid!=obj_uid -k access-other. The meaning is as follows: -a always,exit: add the rule to the end of the ‘exit’ list, which is evaluated every time a system call exits. An audit […]

An unsuccessful small file transfer experience!

The file is sepolicy-update-2019.1-1.x86_64.rpm, 23.8 kB (23,784 bytes) in size. The server has the address 35.200.224.211; the client, behind NAT, has the address 192.168.1.2. We first observe, using Wireshark, the packets captured during a communication between the client and server that transfers the file successfully. The file sepolicy-update-2019.1-1.x86_64.rpm is uploaded to the FTP server in passive […]

SELinux with omarine policy: Disabling policy rules

Because of the diverse needs of users, Omarine by default allows processes in the user domains (i.e. staff_t, user_t) to read the password file (/etc/shadow). This may create vulnerabilities if such tasks exist. It is best if only the dedicated program ‘passwd’ is able to read the password file. I have defined a […]