Documentation


Viewing posts for the category Omarine User's Manual

SELinux: shadow: Enhancing security for a security program

useradd is a typical program of the shadow package, used to create new users. However, it did not work in the secure domain regulated by the security policy. In this article, we add code to solve the problem.
In some situations useradd runs in the wrong domain and cannot write shadow_t files, because the domain it is running in is not allowed to do so. Consider the following command, which creates a user named some_name

SELinux: kernel: The steps for security checking a program before it runs and the corresponding security rules

All programs are checked for security before running. In more detail, whenever the execve() function (or one of its front-end functions) is called to execute a program, the kernel checks permissions. It does that by using hook functions installed with execve().
The execve() function is defined in the fs/exec.c file of the kernel source code. When preparing the new process, it calls the internal function do_open_execat() to retrieve a file structure pointer. The file pointer is later stored in a linux_binprm structure (defined in the include/linux/binfmts.h header file), whose pointer is bprm. The linux_binprm structure holds the arguments that are used when loading the binary. There are three stages of security checking: checking program file access, checking when preparing the linux_binprm structure, and checking when loading the binary.

1) Checking the program file access
When called, do_open_execat() calls do_filp_open() (defined in fs/namei.c), passing an open_flags structure as the flag argument. The open_flags structure is initialized with its component open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC, and its access mode component acc_mode = MAY_EXEC.
The __FMODE_EXEC flag indicates that a program is about to be run, and the MAY_EXEC access mode indicates that an executable binary is expected. The flag structure is used later to direct the appropriate control. The do_filp_open() function then calls path_openat(), passing the flag structure along. At this point, the file structure is initialized with the alloc_empty_file() function (defined in the file fs/file_table.c), which takes the open_flag component as an argument. There, the f_flags component of the file structure is assigned the open_flag component, and the f_mode component of the file structure is assigned as follows, where f is the pointer to the file structure and open_flag becomes the flags argument:

SELinux: xscreensaver-demo: Transitioning the file type

SELinux not only secures the system against unauthorized access; together with security policies it also fixes software bugs, guides programs to use resources in the right way and avoids conflicts. Xscreensaver-demo is a graphical tool used to set parameters for XScreenSaver. It creates the ~/.xscreensaver configuration file and writes information into it

Scanning for viruses in the secure domain

Open source systems have begun to "get" viruses worth caring about. The gdk-pixbuf software package has been flagged by the ClamAV antivirus software as infected in the releases after gdk-pixbuf-2.37:

Setting up security policy for xscreensaver-systemd

xscreensaver-systemd has been part of the default installation of xscreensaver since xscreensaver-5.44. It locks the screen when the system goes into sleep mode.
However, security rules for xscreensaver-systemd are not yet common, so we set them up in this article
We first declare the role group xscreensaver_systemd_roles, the domain type and the type of the binary file