On Monday, 3 July 2023 22:37:35 AEST Russell Coker wrote:
> https://wiki.debian.org/ReleaseGoals/SystemdAnalyzeSecurity

People have asked how hard it is to create policy for daemons. For an individual to create them it's a moderate amount of work, 1-2 hours per daemon, which is a lot considering the dozens of daemons that people use. But for a group of people it's not a big deal, it's almost nothing compared to the scale of Debian development work. The work that I've done writing SE Linux policy for daemons is significantly greater than what I'd like the collective of DDs to do in this regard.

One thing that can be done to assist in this process is looking at SE Linux or AppArmor policy. For example, the following is an example of how to get the capabilities needed for crond, which shows that when you don't need to have net_bind_service for NIS+ or { fsetid sys_admin } for polyinstantiation you only need { audit_control audit_write chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource }.

# sesearch -A -s crond_t -c capability
allow crond_t crond_t:capability net_bind_service; [ allow_ypbind ]:True
allow crond_t crond_t:capability net_bind_service; [ allow_ypbind ]:True
allow crond_t crond_t:capability net_bind_service; [ allow_ypbind ]:True
allow crond_t crond_t:capability net_bind_service; [ allow_ypbind ]:True
allow crond_t crond_t:capability { audit_control audit_write chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
allow crond_t crond_t:capability { chown fowner fsetid sys_admin }; [ allow_polyinstantiation ]:True

Now this is NOT the sum of all access needed by everything that crond might run, just everything that runs without running a setuid program etc. Also there's nothing stopping regular users from using something like bwrap to wrap their own cron jobs, and this would be a good practice that we should encourage.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
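As an added example that is not part of the post above, the following Python script parses sesearch output of the kind shown there and turns the capability rules into a CapabilityBoundingSet= line for a systemd unit, including tunable-gated rules only when the corresponding boolean is set. The sample output is constructed from the crond rules in the post, and treating each conditional expression as a single boolean name is an assumption of this script.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample: the crond_t capability rules quoted in the post above
SAMPLE = """\
allow crond_t crond_t:capability net_bind_service; [ allow_ypbind ]:True
allow crond_t crond_t:capability { audit_control audit_write chown dac_override dac_read_search fowner setgid setuid sys_nice sys_resource };
allow crond_t crond_t:capability { chown fowner fsetid sys_admin }; [ allow_polyinstantiation ]:True
"""

# setools4-style rule: allow SRC TGT:CLASS PERM|{ PERMS }; [ expr ]:True|False
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;"
    r"(?:\s*\[\s*([^\]]+?)\s*\]:(True|False))?\s*$"
)

class Rule(NamedTuple):
    source: str
    target: str
    cls: str
    perms: frozenset
    tunable: Optional[str]   # boolean gating the rule, None if unconditional
    branch: Optional[bool]   # True if the rule sits in the "if" branch

def parse_sesearch(text: str) -> List[Rule]:
    """Parse 'allow' lines from sesearch output; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src, tgt, cls, perms, cond, branch = m.groups()
        names = frozenset(perms.strip("{} ").split())
        rules.append(Rule(src, tgt, cls, names, cond,
                          None if branch is None else branch == "True"))
    return rules

def active_capabilities(rules: List[Rule], booleans: Dict[str, bool]) -> Set[str]:
    """Capabilities granted under the given boolean settings (unset means False).
    Assumption: the conditional expression is a single boolean name."""
    caps: Set[str] = set()
    for r in rules:
        if r.cls != "capability":
            continue
        if r.tunable is None or booleans.get(r.tunable, False) == r.branch:
            caps |= r.perms
    return caps

def bounding_set_directive(rules: List[Rule], booleans: Optional[Dict[str, bool]] = None) -> str:
    """Render the active set as a systemd CapabilityBoundingSet= line."""
    caps = active_capabilities(rules, booleans or {})
    return "CapabilityBoundingSet=" + " ".join("CAP_" + c.upper() for c in sorted(caps))

if __name__ == "__main__":
    print(bounding_set_directive(parse_sesearch(SAMPLE)))
```

With no booleans set the directive lists only the ten unconditional capabilities; passing {"allow_polyinstantiation": True} adds CAP_FSETID and CAP_SYS_ADMIN.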