[Wolves] Opinions wanted on a specific SElinux bool

James Dutton james.dutton at gmail.com
Wed Feb 15 18:26:06 UTC 2023


On Fri, 10 Feb 2023 at 13:52, Simon Burke via Wolves <
wolves at mailman.lug.org.uk> wrote:

> Hi,
>
> So this is work related. Today, I'm slowly getting myself into a form of
> hell with SELinux policies and semi-complex ksh scripts.
>
> The bool 'domain_can_mmap_files' currently defaults to off.
>
> It is my understanding that the intention of this bool is to force
> validation every time a process accesses a particular file. Which is only
> useful if we expect context changes.
>
> Would that mean if we did not expect context changes, then it would be
> relatively safe to enable this bool? Considering this server will be
> providing an internet facing service.
>
> I assume as the initial access of the file is still validated, then we
> don't have too much to worry about. Unless something malicious is somehow
> executed that changes the context of a file while it's mapped.
>
> Other mitigations are in-place like clamd (but that only scans input from
> end users), and rkhunter periodically runs. There is also inspection done
> to traffic inbound to the server via network based IDS/IPS.
>
I think it would be ok to change it to on.
Search for "mmap" on this page:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/new_features_security
I would probably go with its description of the feature.

I believe there is a way to enable/disable mmap on/off particular files,
but I don't remember the method.

SELinux has a "learning/permissive" mode that can tell you all the rules if
you want everything that is accessed by a particular application to be
listed.
I then go through the list of rules, and only leave the ones I specifically
wish to permit and delete the rest.

Kind Regards

James
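The workflow James describes (run the application in permissive mode, collect the denials, then keep only the rules you actually want) is what `ausearch -m AVC` plus `audit2allow -a` do on a real box. The script below is an added example, not code from either poster: it parses a few constructed audit.log AVC records, collapses them into candidate `allow` rules the way audit2allow does, and separates out the file-class `map` denials, which are the ones the `domain_can_mmap_files` boolean would grant across every domain at once. Seeing them listed per domain and target type is what lets you choose a narrow custom module for one script over flipping the global boolean. The sample log lines, the `httpd_t`/`ksh` pairing and the restriction to `tclass=file` are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of audit.log AVC records from a permissive-mode run.
# These are invented for the example, not records from the poster's server.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1676374567.123:456): avc:  denied  { map } for  pid=1234 comm="ksh" path="/srv/app/data.db" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1676374567.124:457): avc:  denied  { read } for  pid=1234 comm="ksh" path="/srv/app/data.db" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1676374570.001:458): avc:  denied  { map } for  pid=1240 comm="ksh" path="/tmp/scratch" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1676374571.500:459): avc:  denied  { name_connect } for  pid=1240 comm="ksh" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1676374571.500:459): arch=c000003e syscall=42 success=yes exit=0
"""

DENIED_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the interesting fields of one AVC denial, or None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    # A context looks like user:role:type:level; the type is what policy rules name.
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "").strip('"'),
        "path": fields.get("path", "").strip('"'),
        "sdomain": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def summarise(log_text):
    """Group denials by (source domain, target type, class) and union their permissions,
    which is how audit2allow collapses many AVC lines into one allow rule."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def allow_rules(rules):
    """Render the grouped denials in Type Enforcement syntax, one line per rule."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


def map_denials(rules):
    """Only the file-class 'map' denials: the subset a global domain_can_mmap_files=on
    would silence for every domain. (Assumption for the example: we look at
    tclass=file only, so the admin can judge each domain/type pair on its own.)"""
    return {k: p for k, p in rules.items() if "map" in p and k[2] == "file"}


if __name__ == "__main__":
    grouped = summarise(SAMPLE_AUDIT_LOG)
    print("Candidate rules (review, then keep only the ones you mean to permit):")
    for rule in allow_rules(grouped):
        print("  " + rule)
    print("Of these, the map denials the boolean would cover globally:")
    for (s, t, c), perms in sorted(map_denials(grouped).items()):
        print(f"  {s} -> {t}:{c} {sorted(perms)}")
```

On a real system the equivalent inputs come from `ausearch -m AVC -ts recent` and the candidate rules from `audit2allow -a`; a rule you decide to keep goes into a small module for that one domain and target type, while `setsebool -P domain_can_mmap_files on` grants `map` to every domain at once, which is the trade-off Simon is weighing.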