Monday, April 21, 2008

When SELinux bites, tell SELinux to go bite itself

SELinux is a rather impressive, if not annoyingly efficient, process and access-based security system for Linux. I currently enjoy the warm, affectionate glow of alerts on Fedora 8.

As useful as SELinux can be, there are easy ways to make it squeal like a stuck pig (i.e. complain frequently). My last "stuck pig episode" included a few 25M log files of nothing but squealing. At issue was a mislabeled file that sendmail wanted to access. After causing my internal email to queue up more than 4000 messages, I decided to work on it.

If I had the specific path to the offending object(s) listed in the alert message, I could have solved this problem with something like:
# Fedora 8: tell SELinux to restore
# default security labels to a file
# or directory:
/sbin/restorecon 'services'
/sbin/restorecon -R '.'

Common net-thinking is that the default labels are occasionally fouled when some updates occur. They are most likely fouled more frequently by users editing files in their home directory and promoting them into a new location on the file system without handling the security labeling (which is actually the point of this kind of security: know what you are doing and tell the OS what is and isn't OK to do).

After trying to use the alert system's recommendation, I finally looked for a more blunt instrument (the alert needed to have an absolute path for the offending element so that I could have a chance to locate and fix it).

So, I went to my friend, my buddy, my pal: Google. Google told me (indirectly) to look here for this pearl of wisdom:
# Fedora 8: tell SELinux to restore
# security labels to all files:
touch /.autorelabel
reboot
This operation asks SELinux to reapply the default security labels to all files on the file systems after a reboot. This "relabel them all and let Root sort them out" approach may have solved more problems than I knew.

Note: I am not running any custom policies yet so there wasn't a conflict for me.
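The post above notes that the alert gave no absolute path for the mislabeled object. As an added example (not part of the original post), the script below collapses a flood of AVC denials into one line per offending object, using the device and inode that each denial record does carry. The function names are hypothetical, the sample records are constructed, and it assumes denials are logged in /var/log/audit/audit.log (or /var/log/messages when auditd is not running).

```shell
#!/bin/sh
# Added example, not from the original post.
# Constructed sample records in the audit.log AVC format:
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1208790001.101:501): avc:  denied  { read } for  pid=2345 comm="sendmail" name="services" dev=dm-0 ino=1234567 scontext=system_u:system_r:sendmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1208790001.101:501): arch=40000003 syscall=5 success=no exit=-13 comm="sendmail"
type=AVC msg=audit(1208790002.202:502): avc:  denied  { getattr } for  pid=2345 comm="sendmail" name="services" dev=dm-0 ino=1234567 scontext=system_u:system_r:sendmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1208790003.303:503): avc:  denied  { read } for  pid=2399 comm="sendmail" name="services" dev=dm-0 ino=1234567 scontext=system_u:system_r:sendmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1208790004.404:504): avc:  denied  { read } for  pid=3100 comm="httpd" name="index.html" dev=dm-0 ino=7654321 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
EOF
}

# avc_summary [FILE...]: read audit records (default: stdin) and print
#   COUNT COMM NAME DEV INO TCONTEXT
# one line per distinct object, noisiest first. Non-AVC records are skipped.
avc_summary() {
    awk '
    /avc: +denied/ {
        comm = name = dev = ino = tcon = "?"
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue          # tokens such as "{", "read", "}"
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)             # drop the quotes around comm/name
            if (key == "comm") comm = val
            else if (key == "name") name = val
            else if (key == "dev") dev = val
            else if (key == "ino") ino = val
            else if (key == "tcontext") tcon = val
        }
        seen[comm " " name " " dev " " ino " " tcon]++
    }
    END { for (k in seen) print seen[k], k }
    ' "$@" | sort -k1,1nr -k2
}

sample_audit_log | avc_summary
# name= is only the last path component, so recover the full path by inode
# on the filesystem that DEV refers to, then reset just that label:
#   find /mount/point -xdev -inum INO
#   /sbin/restorecon -v /path/printed/by/find
```

On a real system, run `avc_summary /var/log/audit/audit.log` as root; a target context such as `user_home_t` on a file a daemon reads is the signature of a file that was moved out of a home directory with its old label.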

Monday, April 7, 2008

Using SSH and SOCKS to access the web [via Firefox] from remote computer

Source(s)
Information provided in this post was originally located here:
Description
Occasionally, it is necessary to "web surf from afar". Less about security than about originating IPs, I found a need to create a secure connection so I may web surf as if I were on a different computer.
Use Case 1: Some corporations do not want access to popular or potentially harmful web sites.

Use Case 2: Some websites do not service users from some IP ranges, i.e. from out of the country of hosting.

Setup
SSH Tunnel
In this solution, we will use an encrypted connection between the local computer and a remote computer that you have access to and that is running an ssh daemon. This solution will create a port on the local computer; anything sent to this port is transported to the remote computer and on to its destination as if it had originated from the remote computer.

On the local computer:
ssh -N -C -D 9999 USER_NAME@IP_ADDRESS

  • -N : do not open an interactive console on the remote computer [optional]
  • -C : use compression [optional]
  • -D : dynamic port forwarding; ssh listens locally as a SOCKS proxy (SOCKS 5 is supported) [required]
  • 9999 : local computer port used to access the SOCKS proxy [a port # is required, not necessarily 9999]
  • USER_NAME@IP_ADDRESS : the user name and remote computer information [most likely required]
Note: This connection will persist until the computer is rebooted or you find and kill the associated ssh task in the process list. That being said, be careful not to start more than one ssh tunnel to the same computer.

Firefox Proxy
  1. Use menus Tools | Options
  2. Click on Advanced icon
  3. Select Network tab
  4. Press Settings button
  5. Select Manual Proxy Configuration radio button
  6. Enter localhost and port 9999 in the SOCKS Host and Port fields.
  7. Press Apply/OK until all extra dialog boxes are closed.
  8. You are now ready to web surf through the remote computer.
Note: I recommend using a proxy switcher extension so you can enable and disable the use of the proxy without needing to go through the menus and dialogs, as shown above. Here is one for example.