[CentOS] Server Hacked: Cpanel

Wed Aug 9 16:56:55 UTC 2006
Daniel de Kok <danieldk at pobox.com>

On Wed, 2006-08-09 at 13:42 -0300, Rodrigo Barbosa wrote:
> As a side note, I have started playing with SELinux to try and improve
> the security of my servers. My main problem is that you simply
> can't find a working rule set for Exim, and I'm working hard on
> creating one while learning SELinux at the same time.

Slightly OT: I have been playing a bit with the Simplified Policy
Description Language (SPDL), that is part of the SEEdit project[1]. The
language looks like AppArmor policies. I still use the 'targeted' policy
on servers, but on the other hand using SPDL seems better than turning
SELinux off completely[2].

E.g., this is a simple quick sample policy, quite readable if you know
UNIX DAC semantics.

---
{
domain vsftpd_t;
program /usr/sbin/vsftpd;
include common-relaxed.sp;
include daemon.sp;
include nameservice.sp;

allow /etc/shadow  r,s;
allow /etc/pam.d/vsftpd  r,s;
allow /etc/security/pam_env.conf  r,s;
allow /etc/vsftpd.user_list  r,s;
allow /etc/vsftpd/vsftpd.conf  r,s;
allow /var/log/xferlog  a,r,s;
allow ~/**  rw,s;

allowpriv netlink;
allowpriv cap_sys_chroot;
allowpriv audit_write;
allow /etc/selinux/config  r,s;

allownet -protocol tcp -port 20 server;
allownet -protocol tcp -port 21 server;
allownet -protocol tcp -port 1024- server;
}
---

-- Daniel

[1] http://seedit.sourceforge.net/
[2] I think that the majority of the current system administrators will
never bother to learn to understand the current policy or the new
'reference policy', and will simply turn it off when the default policy
gets in the way.