2010-11-11 12:18:05

by domg472

Subject: [refpolicy] FW: Add support for the samhain program

On Thu, Nov 11, 2010 at 11:01:37AM +0000, HarryCiao wrote:
>
> Hi Chris and Dom,

some comments inline
>
> Sorry to bother you again.
>
> I've tried to develop a .pp for the samhain program (filesystem integrity checker). I am wondering if you could help give some comments on it so that I could do it in the right way :-)
>
> Many thanks!
>
> Best regards,
> Harry
>
> From: harrytaurus2002 at hotmail.com
> To: refpolicy at oss.tresys.com
> Date: Tue, 9 Nov 2010 03:33:24 +0000
> Subject: [refpolicy] Add support for the samhain program
>
> Hi SELinux experts:
>
> I have tried to add support for the samhain program, which is used to check filesystem integrity. Please help comment on the attached implementation of the samhain.pp, many thanks!
>
> I have tested it on the samhain-2.5.5 package with the default configuration using the following commands, and samhain could detect changes to the items monitored in its configuration file (/etc/samhainrc):
>
> (In sysadm_r role, install samhain.pp and update sysadm.pp)
> 1. Initialize database:
> newrole -l s15:c0.c1023 -- -c "samhain -t init"
>
> 2. Check samhain daemon status:
> run_init /etc/init.d/samhain status
>
> 3. Start samhain in daemon mode:
> run_init /etc/init.d/samhain start
> or,
> newrole -l s15:c0.c1023 -- -c "samhain -t check -D"
>
> 4. Stop samhain daemon:
> run_init /etc/init.d/samhain stop
>
>
> Two more questions:
> 1. sysadm or secadm, which is the better choice to call samhain_admin() for? sysadm could manage /var/log/ and /var/lib/ already but doesn't belong to the mlsfilewrite attribute, while secadm has the opposite abilities.
>
> Or some other better solution?
>
> 2. Would the samhain_run_init_script() make sense if the samhain_admin() is called for secadm?
>
> Thanks a lot!
>
> Best regards,
> Harry
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

> From 78c86950bcbc5ff4eb78c03cf8e0a59f11c542b7 Mon Sep 17 00:00:00 2001
> From: Harry Ciao <[email protected]>
> Date: Mon, 8 Nov 2010 14:42:38 +0800
> Subject: [v0 PATCH 1/1] Add support for the samhain program.
>
> Add support for the samhain program.
>
> Note, extra privileges may need to be granted to the samhain domain
> if its configuration file(/etc/samhainrc) is changed.
>
> Signed-off-by: Harry Ciao <[email protected]>
> ---
> policy/modules/roles/sysadm.te | 4 +
> policy/modules/services/samhain.fc | 13 +++
> policy/modules/services/samhain.if | 210 ++++++++++++++++++++++++++++++++++++
> policy/modules/services/samhain.te | 118 ++++++++++++++++++++
> 4 files changed, 345 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/samhain.fc
> create mode 100644 policy/modules/services/samhain.if
> create mode 100644 policy/modules/services/samhain.te
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index d5e88be..69cb358 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -290,6 +290,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + samhain_admin(sysadm_t, sysadm_r)
> +')

why not samhain_run?

> +
> +optional_policy(`
> screen_role_template(sysadm, sysadm_r, sysadm_t)
> ')
>
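Review bot: samhain_admin(sysadm_t, sysadm_r) pulls mls_file_write_all_levels() into sysadm_t through the admin interface (see the samhain_admin body in samhain.if further down), which is an MLS override reaching far beyond samhain's own files, and the question in the cover mail says that attribute is what secadm, not sysadm, is meant to carry. If sysadm only needs to run the checker, samhain_run(sysadm_t, sysadm_r) is the narrower call for this block; whichever role is meant to own the override should get its own optional_policy block with samhain_admin rather than sysadm.te getting it by default.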
> diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc
> new file mode 100644
> index 0000000..5f78098
> --- /dev/null
> +++ b/policy/modules/services/samhain.fc
> @@ -0,0 +1,13 @@
> +/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh)
> +
> +/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
> +
> +/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> +/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> +
> +/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
> +
> +/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> +/var/log/samhain_log.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)

I think refpolicy wants you to escape the dot (although I don't think it matters for file extensions).

> +
> +/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
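Review bot: `/var/log/samhain_log.lock` leaves the dot unescaped, so as a regex it also matches `/var/log/samhain_logXlock` (any single character in that position); write it as `/var/log/samhain_log\.lock`, matching the `samhain\.pid` entry two lines below. Separately, every entry in this file is labelled mls_systemhigh, including /usr/sbin/samhain, the init script and /etc/samhainrc; a process at s0 cannot read a systemhigh-labelled file, which is why the test steps above need `newrole -l s15:c0.c1023` just to run `samhain -t init`. Consider whether the executable and init script really need a level above the default, and whether `/usr/sbin/samhain_setpwd`, a separate helper, should share samhain_exec_t and so transition into the daemon domain.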
> diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if
> new file mode 100644
> index 0000000..2db64f8
> --- /dev/null
> +++ b/policy/modules/services/samhain.if
> @@ -0,0 +1,210 @@
> +## <summary>Samhain - check file integrity</summary>
> +
> +########################################
> +## <summary>
> +## Execute samhain in the samhain domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_domtrans',`
> + gen_require(`
> + type samhain_t, samhain_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, samhain_exec_t, samhain_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute samhain in the samhain domain, and
> +## allow the specifiled role the samhain domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed to access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_run',`
> + gen_require(`
> + type samhain_t;
> + ')
> +
> + samhain_domtrans($1)
> + role $2 types samhain_t;
> +')
> +
> +########################################
> +## <summary>
> +## Manage the samhain configuration file.

Personal nitpick, but I usually use plural:

Manage samhain configuration files.

> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>

Watch your tabs and whitespaces.

> +## </param>
> +#
> +interface(`samhain_manage_config',`

I would use samhain_manage_config_files because that's what it does.

> + gen_require(`
> + type samhain_etc_t;
> + ')
> +
> + files_search_etc($1)
> + manage_files_pattern($1, samhain_etc_t, samhain_etc_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage the samhain database directory and file.

plural: Manage samhain databases or Manage samhain database content.


> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>

tabs and spaces.

> +## </param>
> +#
> +interface(`samhain_manage_db',`
> + gen_require(`
> + type samhain_db_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, samhain_db_t, samhain_db_t)

In the description you say manage directories and files, but this only allows management of files. If this is correct, use samhain_manage_db_files.
> +')
> +
> +#######################################
> +## <summary>
> +## Manage the samhain init script.

plural: Manage samhain rc script files.

> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>

Tabs and spaces. When you copy and paste interfaces, double-check that everything is correct and applicable.
> +## </param>
> +#
> +interface(`samhain_manage_init_script',`

samhain_manage_rc_script_files.
> + gen_require(`
> + type samhain_initrc_exec_t;
> + ')
> +
> + files_search_etc($1)
> + manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage the samhain log and log.lock files.

Manage samhain log files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>

tabs and whitespaces
> +## </param>
> +#
> +interface(`samhain_manage_log',`

samhain_manage_log_files

> + gen_require(`
> + type samhain_log_t;
> + ')
> +
> + logging_search_logs($1)
> + manage_files_pattern($1, samhain_log_t, samhain_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage the samhain pid file.

Manage samhain pid files.

> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>

tabs

> +## </param>
> +#
> +interface(`samhain_manage_pid',`

samhain_manage_pid_files.

> + gen_require(`
> + type samhain_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)

files_search_pids()

> +')
> +
> +#######################################
> +## <summary>
> +## Enable executing the samhain init script directly
> +## (thus bypassing the run_init tool)

Use a generic description. Extra comments go in <desc> ... </desc>.

> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>

Domain allowed to transition.

watch your tabs

> +## </param>
> +## <param name="role">
> +## <summary>
> +## User role allowed access.

Role allowed access.

> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_run_init_script',`
> + gen_require(`
> + type samhain_initrc_exec_t;
> + role system_r;
> + ')
> +
> + init_labeled_script_domtrans($1, samhain_initrc_exec_t)
> + domain_system_change_exemption($1)
> + role_transition $2 samhain_initrc_exec_t system_r;
> + allow $2 system_r;

This doesn't look right. Look in refpolicy for other examples of how this is done properly.

> +')
> +
> +#######################################
> +## <summary>
> +## All of the rules required to administrate
> +## the samhain environment.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_admin',`
> + gen_require(`
> + type samhain_t;
> + ')
> +
> + allow $1 samhain_t:process { ptrace signal_perms };
> + ps_process_pattern($1, samhain_t)
> +
> + samhain_manage_config($1)
> + samhain_manage_db($1)
> + samhain_manage_init_script($1)
> + samhain_manage_log($1)
> + samhain_manage_pid($1)

Use admin_pattern() instead of these interface calls.
Example:

logging_list_logs($1)
admin_pattern($1, samhain_log_t)

> +
> + # The parent directories of samhain's database, log/log.lock files,
> + # pid files are of s0, while these files are of the clearance level.
> + mls_file_write_all_levels($1)
> +
> + samhain_run($1, $2)
> +
> + #samhain_run_init_script($1, $2)
Look at other similar *_admin() interfaces to see how it's done properly. If samhain does not have an rc script, then just remove it.

> +')
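Review bot: mls_file_write_all_levels($1) in samhain_admin grants the whole calling domain write access to files at every MLS level, not just to samhain's pid, log and database files; the comment above it explains the need (clearance-level files under s0 directories), but the grant is far wider than that need. Keep the override on samhain_t (samhain.te already has it) and give the administrator admin_pattern() on samhain_db_t, samhain_log_t, samhain_var_run_t, samhain_etc_t and samhain_initrc_exec_t instead, which also means listing those types in the interface's gen_require block. Whatever form samhain_run_init_script ends up in, right now it is dead code: its only reference is the commented-out `#samhain_run_init_script($1, $2)` at the end of samhain_admin, so either call it or drop it, and don't ship the commented line. Also, samhain_manage_db only grants file permissions while its summary says "database directory and file"; if a caller should be able to create or remove directories under /var/lib/samhain, add manage_dirs_pattern($1, samhain_db_t, samhain_db_t).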
> diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
> new file mode 100644
> index 0000000..aaf9d23
> --- /dev/null
> +++ b/policy/modules/services/samhain.te
> @@ -0,0 +1,118 @@
> +policy_module(samhain, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +# Configuration file

These comments are redundant.

> +type samhain_etc_t;
> +files_security_file(samhain_etc_t)

Not sure about this, but it looks wrong. I would use files_config_file().

> +
> +# Log files

comment redundant.

> +type samhain_log_t;
> +logging_log_file(samhain_log_t)
> +
> +# File signature database
> +type samhain_db_t;
> +files_type(samhain_db_t)
> +
> +# init script

comment redundant.

> +type samhain_initrc_exec_t;
> +init_script_file(samhain_initrc_exec_t)
> +
> +# PID file

comment redundant.

> +type samhain_var_run_t;
> +files_pid_file(samhain_var_run_t)
> +
> +# Samhain domain
> +type samhain_t;
> +type samhain_exec_t;
> +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock };
> +dontaudit samhain_t self:capability { sys_resource };

brace not needed (nothing to expand)

> +allow samhain_t self:fd { use };

Brace not needed. (nothing to expand)

> +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon
> +allow samhain_t self:process { setsched setrlimit signal_perms };

new line

> +allow samhain_t samhain_etc_t:file read_file_perms;
> +
> +# Samhain needs to get the attribute of /proc/kcore.
> +kernel_getattr_core_if(samhain_t)
> +
> +# Only needed when starting samhain daemon from its init script.
> +can_exec(samhain_t, samhain_exec_t)

I think this goes above kernel_*

> +
> +corecmd_list_bin(samhain_t)
> +corecmd_read_bin_symlinks(samhain_t)
> +
> +# To get entropy
> +dev_read_urand(samhain_t)
> +dev_dontaudit_read_rand(samhain_t)

Why dontaudit this?

> +
> +domain_use_interactive_fds(samhain_t)
> +
> +# To read configuration file
> +files_search_etc(samhain_t)
> +
> +# Manage PID file

comment redundant. This goes above the interface calls.

> +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
> +files_pid_filetrans(samhain_t, samhain_var_run_t, file)
> +
> +# Manage database directory and file
> +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
> +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
> +
> +# Manage log and log.lock files

comment redundant. This goes above the interface calls

> +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
> +logging_log_filetrans(samhain_t, samhain_log_t, file)
> +
> +# Samhain's PID and log.lock files are in directories of s0,
> +# while samhain daemon is running with the clearance level
> +mls_file_write_all_levels(samhain_t)
> +
> +# Get the attribute of all kinds of files in the rootfs
> +dev_getattr_all_blk_files(samhain_t)
> +dev_getattr_all_chr_files(samhain_t)
> +dev_getattr_generic_blk_files(samhain_t)
> +dev_getattr_generic_chr_files(samhain_t)

newline

> +files_getattr_all_dirs(samhain_t)
> +files_getattr_all_files(samhain_t)
> +files_getattr_all_symlinks(samhain_t)
> +files_getattr_all_pipes(samhain_t)
> +files_getattr_all_sockets(samhain_t)
> +files_getattr_all_mountpoints(samhain_t)
> +# Read from the file_type attribute and the lnk_file class
> +files_read_all_files(samhain_t)
> +files_read_all_symlinks(samhain_t)
> +
> +# Read from utmp and wtmp when monitoring login/logout events
> +init_read_utmp(samhain_t)
> +auth_read_login_records(samhain_t)

Use proper ordering. see style guide and refpolicy examples.

> +
> +# Get the attribute of other filesystem's mountpoint, such as /selinux
> +# /proc, /sys and /tmp, but not the contents inside, which suggests
> +# that following rules should be set in samhain configuration file:
> +# [Attributes]
> +# file = /tmp
> +# file = /proc
> +# file = /sys
> +# file = /selinux
> +# [IgnoreALL]
> +# dir = -1/tmp
> +# dir = -1/proc
> +# dir = -1/sys
> +# dir = -1/selinux
> +fs_getattr_all_dirs(samhain_t)
> +
> +# Get attribute of files with variant sensitivity levels
> +mls_file_read_all_levels(samhain_t)
> +
> +logging_send_syslog_msg(samhain_t)
> +
> +userdom_use_user_terminals(samhain_t)
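Review bot: files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir }) names dir in the transition, but the only rule on samhain_db_t is manage_files_pattern(), which grants no create or add_name on samhain_db_t directories; either drop dir from the filetrans or add manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t) so the daemon can actually create /var/lib/samhain. Two more points on this hunk: dev_dontaudit_read_rand(samhain_t) silences read denials on the random device while the domain is only granted urandom, so a samhain that blocks on /dev/random would fail silently; and files_read_all_files() together with mls_file_read_all_levels() make samhain_t a domain that can read every file at every level (shadow, key material, other users' data). That is inherent to an integrity checker, but it deserves a comment at the top of the local policy so that nobody later gives this domain write access elsewhere or a network socket.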
> --
> 1.7.0.4
>



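The escaping point Dom raises about `/var/log/samhain_log.lock` is easy to check mechanically. What follows is an added example, not code from the patch or from refpolicy: a small Python linter that parses file_contexts lines in the form the patch uses, flags a `.` that is neither backslash-escaped nor part of a `.*`-style construct, and shows what the unescaped entry actually matches once anchored at both ends the way setfiles and restorecon anchor their patterns. The sample entries are copied from the samhain.fc hunk above; the stray path used to show over-matching is constructed for the example.

```python
import re

# Constructed sample: the entries from the samhain.fc hunk under review.
SAMPLE_FC = r"""
/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh)
/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
/var/log/samhain_log.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
"""

# path regex, optional file-type flag (-- -b -c -d -l -p -s), then the context
FC_LINE = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?(?P<ctx>\S+)$")


def parse_fc(text):
    """Return (regex, ftype, context) tuples for every non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable file_contexts line: {raw!r}")
        entries.append((m.group("regex"), m.group("ftype"), m.group("ctx")))
    return entries


def unescaped_dots(regex):
    """Offsets of '.' characters that are neither backslash-escaped nor
    quantified by a following * + or ?, i.e. almost certainly meant literally.
    A dot preceded by an escaped backslash is not handled; fc files don't use it."""
    hits = []
    for i, ch in enumerate(regex):
        if ch != ".":
            continue
        escaped = i > 0 and regex[i - 1] == "\\"
        quantified = i + 1 < len(regex) and regex[i + 1] in "*+?"
        if not escaped and not quantified:
            hits.append(i)
    return hits


def escape_literal_dots(regex):
    """Suggested fix: backslash every dot that unescaped_dots() flags."""
    flagged = set(unescaped_dots(regex))
    return "".join("\\." if i in flagged else ch for i, ch in enumerate(regex))


def matches(regex, path):
    """setfiles/restorecon anchor each regex at both ends; fullmatch does the same."""
    return re.fullmatch(regex, path) is not None


def lint(fc_text):
    """Regexes in the file_contexts text that contain a suspicious literal dot."""
    return [rx for rx, _ftype, _ctx in parse_fc(fc_text) if unescaped_dots(rx)]


if __name__ == "__main__":
    for rx in lint(SAMPLE_FC):
        print(f"unescaped '.' in {rx} -> suggest {escape_literal_dots(rx)}")
    # constructed stray path: the unescaped entry matches it, the escaped one does not
    stray = "/var/log/samhain_logXlock"
    print(matches("/var/log/samhain_log.lock", stray),
          matches(escape_literal_dots("/var/log/samhain_log.lock"), stray))
```

The linter only reports dots; the same loop could be extended to `+`, `?` and parentheses, but in practice the dot is the metacharacter that slips into fc files, because it looks like part of a file name.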

2010-11-12 10:27:12

by harrytaurus2002

Subject: [refpolicy] FW: Add support for the samhain program


Hi Dom,

So many thanks for your patient reply! I have enhanced samhain.pp based on your comments, please see the attached v1 version. But I do have some related pending questions I would like to further ask you about; please see my inline replies (prefixed by "[H]"), thanks a lot!


Date: Thu, 11 Nov 2010 13:18:05 +0100
From: [email protected]
To: refpolicy at oss.tresys.com
Subject: Re: [refpolicy] FW: Add support for the samhain program

On Thu, Nov 11, 2010 at 11:01:37AM +0000, HarryCiao wrote:
>
> Hi Chris and Dom,

some comments inline
>
> Sorry to bother you again.
>
> I've tried to develop a .pp for the samhain program (filesystem integrity checker). I am wondering if you could help give some comments on it so that I could do it in the right way :-)
>
> Many thanks!
>
> Best regards,
> Harry
>
> From: harrytaurus2002 at hotmail.com
> To: refpolicy at oss.tresys.com
> Date: Tue, 9 Nov 2010 03:33:24 +0000
> Subject: [refpolicy] Add support for the samhain program
>
>
> Hi SELinux experts:
>
> I have tried to add support for the samhain program, which is used to check filesystem integrity. Please help comment on the attached implementation of the samhain.pp, many thanks!
>
> I have tested it on the samhain-2.5.5 package with the default configuration using the following commands, and samhain could detect changes to the items monitored in its configuration file (/etc/samhainrc):
>
> (In sysadm_r role, install samhain.pp and update sysadm.pp)
> 1. Initialize database:
> newrole -l s15:c0.c1023 -- -c "samhain -t init"
>
> 2. Check samhain daemon status:
> run_init /etc/init.d/samhain status
>
> 3. Start samhain in daemon mode:
> run_init /etc/init.d/samhain start
> or,
> newrole -l s15:c0.c1023 -- -c "samhain -t check -D"
>
> 4. Stop samhain daemon:
> run_init /etc/init.d/samhain stop
>
>
> Two more questions:
> 1. sysadm or secadm, which is the better choice to call samhain_admin() for? sysadm could manage /var/log/ and /var/lib/ already but doesn't belong to the mlsfilewrite attribute, while secadm has the opposite abilities.
>
> Or some other better solution?
>
> 2. Would the samhain_run_init_script() make sense if the samhain_admin() is called for secadm?
>
> Thanks a lot!
>
> Best regards,
> Harry
>
>

> From 78c86950bcbc5ff4eb78c03cf8e0a59f11c542b7 Mon Sep 17 00:00:00 2001
> From: Harry Ciao <[email protected]>
> Date: Mon, 8 Nov 2010 14:42:38 +0800
> Subject: [v0 PATCH 1/1] Add support for the samhain program.
>
> Add support for the samhain program.
>
> Note, extra privileges may need to be granted to the samhain domain
> if its configuration file(/etc/samhainrc) is changed.
>
> Signed-off-by: Harry Ciao <[email protected]>
> ---
> policy/modules/roles/sysadm.te | 4 +
> policy/modules/services/samhain.fc | 13 +++
> policy/modules/services/samhain.if | 210 ++++++++++++++++++++++++++++++++++++
> policy/modules/services/samhain.te | 118 ++++++++++++++++++++
> 4 files changed, 345 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/samhain.fc
> create mode 100644 policy/modules/services/samhain.if
> create mode 100644 policy/modules/services/samhain.te
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index d5e88be..69cb358 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -290,6 +290,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + samhain_admin(sysadm_t, sysadm_r)
> +')

why not samhain_run?

[H]: Ok, I have changed to call samhain_run() for the sysadm, but then the samhain_admin() interface is defined but not currently used anywhere (same as aide_admin()). If the samhain daemon is in a bad condition, then no administrator role could clean up its log/log.lock files or database files when SELinux is in Enforcing mode.

What's the point of defining some so-far-not-used interface? I guess one possible answer is that they are likely to be used in the future, for example, the logadm may want to be able to manage the samhain log files in the future.

What do you think?

> +
> +optional_policy(`
> screen_role_template(sysadm, sysadm_r, sysadm_t)
> ')
>
> diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc
> new file mode 100644
> index 0000000..5f78098
> --- /dev/null
> +++ b/policy/modules/services/samhain.fc
> @@ -0,0 +1,13 @@
> +/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh)
> +
> +/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
> +
> +/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> +/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> +
> +/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
> +
> +/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> +/var/log/samhain_log.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)

I think refpolicy wants you to escape the dot (although I don't think it matters for file extensions).

[H]: Right, I should have put a "\" in the front of the "." character here.

> +
> +/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
> diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if
> new file mode 100644
> index 0000000..2db64f8
> --- /dev/null
> +++ b/policy/modules/services/samhain.if
> @@ -0,0 +1,210 @@
> +## <summary>Samhain - check file integrity</summary>
> +
> +########################################
> +## <summary>
> +## Execute samhain in the samhain domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_domtrans',`
> + gen_require(`
> + type samhain_t, samhain_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, samhain_exec_t, samhain_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute samhain in the samhain domain, and
> +## allow the specifiled role the samhain domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed to access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_run',`
> + gen_require(`
> + type samhain_t;
> + ')
> +
> + samhain_domtrans($1)
> + role $2 types samhain_t;
> +')
> +
> +########################################
> +## <summary>
> +## Manage the samhain configuration file.

Personal nitpick, but I usually use plural:

Manage samhain configuration files.

> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>

Watch your tabs and whitespaces.

> +## </param>
> +#
> +interface(`samhain_manage_config',`

I would use samhain_manage_config_files because that's what it does.

> + gen_require(`
> + type samhain_etc_t;
> + ')
> +
> + files_search_etc($1)
> + manage_files_pattern($1, samhain_etc_t, samhain_etc_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage the samhain database directory and file.

plural: Manage samhain databases or Manage samhain database content.


> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>

tabs and spaces.

> +## </param>
> +#
> +interface(`samhain_manage_db',`
> + gen_require(`
> + type samhain_db_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, samhain_db_t, samhain_db_t)

In the description you say manage directories and files, but this only allows management of files. If this is correct, use samhain_manage_db_files.

[H]: Gotcha, thanks!

> +')
> +
> +#######################################
> +## <summary>
> +## Manage the samhain init script.

plural: Manage samhain rc script files.

> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>

Tabs and spaces. When you copy and paste interfaces, double-check that everything is correct and applicable.

[H]: Gotcha, thanks!

> +## </param>
> +#
> +interface(`samhain_manage_init_script',`

samhain_manage_rc_script_files.
> + gen_require(`
> + type samhain_initrc_exec_t;
> + ')
> +
> + files_search_etc($1)
> + manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage the samhain log and log.lock files.

Manage samhain log files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>

tabs and whitespaces
> +## </param>
> +#
> +interface(`samhain_manage_log',`

samhain_manage_log_files

> + gen_require(`
> + type samhain_log_t;
> + ')
> +
> + logging_search_logs($1)
> + manage_files_pattern($1, samhain_log_t, samhain_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage the samhain pid file.

Manage samhain pid files.

> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>

tabs

> +## </param>
> +#
> +interface(`samhain_manage_pid',`

samhain_manage_pid_files.

> + gen_require(`
> + type samhain_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)

files_search_pids()

> +')
> +
> +#######################################
> +## <summary>
> +## Enable executing the samhain init script directly
> +## (thus bypassing the run_init tool)

Use a generic description. Extra comments go in <desc> ... </desc>.

> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>

Domain allowed to transition.

watch your tabs

> +## </param>
> +## <param name="role">
> +## <summary>
> +## User role allowed access.

Role allowed access.

> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_run_init_script',`
> + gen_require(`
> + type samhain_initrc_exec_t;
> + role system_r;
> + ')
> +
> + init_labeled_script_domtrans($1, samhain_initrc_exec_t)
> + domain_system_change_exemption($1)
> + role_transition $2 samhain_initrc_exec_t system_r;
> + allow $2 system_r;

This doesn't look right. Look in refpolicy for other examples of how this is done properly.

[H]: Ok, I have removed this interface but preserved the role allow and role transition rules above in the samhain_admin() interface, in the hope that the samhain administrator could use its rc init script file directly and the samhain domain would run in the system_r role, the same role as when it is started by init during system start-up.

> +')
> +
> +#######################################
> +## <summary>
> +## All of the rules required to administrate
> +## the samhain environment.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_admin',`
> + gen_require(`
> + type samhain_t;
> + ')
> +
> + allow $1 samhain_t:process { ptrace signal_perms };
> + ps_process_pattern($1, samhain_t)
> +
> + samhain_manage_config($1)
> + samhain_manage_db($1)
> + samhain_manage_init_script($1)
> + samhain_manage_log($1)
> + samhain_manage_pid($1)

Use admin_pattern() instead of these interface calls.
Example:

logging_list_logs($1)
admin_pattern($1, samhain_log_t)

[H]: I see your points, and I'd noticed the usage of admin_pattern in aide.if.

Same concern as above: if these samhain_manage_xxxx_files() interfaces are not used (in neither .te nor .if here), should we preserve them or discard them?

> +
> + # The parent directories of samhain's database, log/log.lock files,
> + # pid files are of s0, while these files are of the clearance level.
> + mls_file_write_all_levels($1)
> +
> + samhain_run($1, $2)
> +
> + #samhain_run_init_script($1, $2)
Look at other similar *_admin() interfaces to see how it's done properly. If samhain does not have an rc script, then just remove it.

> +')
> diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
> new file mode 100644
> index 0000000..aaf9d23
> --- /dev/null
> +++ b/policy/modules/services/samhain.te
> @@ -0,0 +1,118 @@
> +policy_module(samhain, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +# Configuration file

These comments are redundant.

> +type samhain_etc_t;
> +files_security_file(samhain_etc_t)

Not sure about this, but it looks wrong. I would use files_config_file().

> +
> +# Log files

comment redundant.

> +type samhain_log_t;
> +logging_log_file(samhain_log_t)
> +
> +# File signature database
> +type samhain_db_t;
> +files_type(samhain_db_t)
> +
> +# init script

comment redundant.

> +type samhain_initrc_exec_t;
> +init_script_file(samhain_initrc_exec_t)
> +
> +# PID file

comment redundant.

> +type samhain_var_run_t;
> +files_pid_file(samhain_var_run_t)
> +
> +# Samhain domain
> +type samhain_t;
> +type samhain_exec_t;
> +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock };
> +dontaudit samhain_t self:capability { sys_resource };

brace not needed (nothing to expand)

> +allow samhain_t self:fd { use };

Brace not needed. (nothing to expand)

> +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon
> +allow samhain_t self:process { setsched setrlimit signal_perms };

new line

[H]: Gotcha, thanks!


> +allow samhain_t samhain_etc_t:file read_file_perms;
> +
> +# Samhain needs to get the attribute of /proc/kcore.
> +kernel_getattr_core_if(samhain_t)
> +
> +# Only needed when starting samhain daemon from its init script.
> +can_exec(samhain_t, samhain_exec_t)

I think this goes above kernel_*

[H]: Yes, turns out can_exec is a macro indeed and should be placed before any interface called.

> +
> +corecmd_list_bin(samhain_t)
> +corecmd_read_bin_symlinks(samhain_t)
> +
> +# To get entropy
> +dev_read_urand(samhain_t)
> +dev_dontaudit_read_rand(samhain_t)

Why dontaudit this?

[H]: Right, this interface has nothing to do with /dev/urandom or /dev/random

Have a nice weekend!

Best regards,
Harry

> +
> +domain_use_interactive_fds(samhain_t)
> +
> +# To read configuration file
> +files_search_etc(samhain_t)
> +
> +# Manage PID file

comment redundant. This goes above the interface calls.

> +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
> +files_pid_filetrans(samhain_t, samhain_var_run_t, file)
> +
> +# Manage database directory and file
> +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
> +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
> +
> +# Manage log and log.lock files

comment redundant. This goes above the interface calls

> +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
> +logging_log_filetrans(samhain_t, samhain_log_t, file)
> +
> +# Samhain's PID and log.lock files are in directories of s0,
> +# while samhain daemon is running with the clearance level
> +mls_file_write_all_levels(samhain_t)
> +
> +# Get the attribute of all kinds of files in the rootfs
> +dev_getattr_all_blk_files(samhain_t)
> +dev_getattr_all_chr_files(samhain_t)
> +dev_getattr_generic_blk_files(samhain_t)
> +dev_getattr_generic_chr_files(samhain_t)

newline

> +files_getattr_all_dirs(samhain_t)
> +files_getattr_all_files(samhain_t)
> +files_getattr_all_symlinks(samhain_t)
> +files_getattr_all_pipes(samhain_t)
> +files_getattr_all_sockets(samhain_t)
> +files_getattr_all_mountpoints(samhain_t)
> +# Read from the file_type attribute and the lnk_file class
> +files_read_all_files(samhain_t)
> +files_read_all_symlinks(samhain_t)
> +
> +# Read from utmp and wtmp when monitoring login/logout events
> +init_read_utmp(samhain_t)
> +auth_read_login_records(samhain_t)

Use proper ordering. see style guide and refpolicy examples.

> +
> +# Get the attribute of other filesystem's mountpoint, such as /selinux
> +# /proc, /sys and /tmp, but not the contents inside, which suggests
> +# that following rules should be set in samhain configuration file:
> +# [Attributes]
> +# file = /tmp
> +# file = /proc
> +# file = /sys
> +# file = /selinux
> +# [IgnoreALL]
> +# dir = -1/tmp
> +# dir = -1/proc
> +# dir = -1/sys
> +# dir = -1/selinux
> +fs_getattr_all_dirs(samhain_t)
> +
> +# Get attribute of files with variant sensitivity levels
> +mls_file_read_all_levels(samhain_t)
> +
> +logging_send_syslog_msg(samhain_t)
> +
> +userdom_use_user_terminals(samhain_t)
> --
> 1.7.0.4
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: v1-Add-support-for-the-samhain-program.patch
Type: text/x-patch
Size: 10255 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101112/7685dbb4/attachment-0001.bin
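The comment above mls_file_write_all_levels(samhain_t) in this message says the pid and log files sit in s0 directories while the daemon runs at the clearance level. The following is an added example, not code from the thread or from the samhain module: a small model of the refpolicy MLS "file write" constraint, reproduced from memory of policy/mls and simplified, so check the constraint text in your own tree. Level, Context, ctx, parse_level and file_write_clause are names of my own. It shows why a single-level systemhigh daemon cannot add a name to an s0 directory through the ordinary clauses, why mlsfilewriteinrange (mls_file_write_within_range()) does not help either, and why the module ends up needing the full mlsfilewrite exemption.

```python
"""
Model of the refpolicy MLS constraint on file/dir "write" operations
(write create setattr unlink add_name remove_name ...), simplified and
reproduced from memory of policy/mls.  Added example; not from refpolicy.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set


@dataclass(frozen=True)
class Level:
    sens: int                            # s0 .. s15
    cats: FrozenSet[int] = frozenset()   # c0 .. c1023

    def dom(self, other: "Level") -> bool:
        """self dominates other: sensitivity >= and categories are a superset."""
        return self.sens >= other.sens and self.cats >= other.cats

    def eq(self, other: "Level") -> bool:
        return self.sens == other.sens and self.cats == other.cats


def parse_level(text: str) -> Level:
    """Parse 's15:c0.c1023', 's2:c1,c3' or 's0' (constructed helper)."""
    sens, _, cats = text.partition(":")
    out: Set[int] = set()
    for part in filter(None, cats.split(",")):
        if "." in part:                  # a range such as c0.c1023
            lo, hi = part.split(".")
            out.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            out.add(int(part[1:]))
    return Level(int(sens[1:]), frozenset(out))


@dataclass(frozen=True)
class Context:
    low: Level                           # l1 / l2 in mlsconstrain terms
    high: Level                          # h1 / h2 (the clearance)
    attrs: FrozenSet[str] = frozenset()  # MLS attributes carried by the type


def ctx(rng: str, *attrs: str) -> Context:
    """Build a context from 'low-high' (or one level) plus type attributes."""
    lo, _, hi = rng.partition("-")
    return Context(parse_level(lo), parse_level(hi or lo), frozenset(attrs))


def file_write_clause(subj: Context, obj: Context) -> Optional[str]:
    """
    Name of the first clause that lets subj 'write' obj, or None if denied.
    Modelled constraint:
      (l1 eq l2) or
      (t1 == mlsfilewritetoclr and h1 dom l2 and l1 domby l2) or
      (t1 == mlsfilewriteinrange and l1 dom l2 and h1 domby h2) or
      (t1 == mlsfilewrite) or
      (t2 == mlstrustedobject)
    """
    l1, h1, l2, h2 = subj.low, subj.high, obj.low, obj.high
    if l1.eq(l2):
        return "l1 eq l2"
    if "mlsfilewritetoclr" in subj.attrs and h1.dom(l2) and l2.dom(l1):
        return "mlsfilewritetoclr"
    if "mlsfilewriteinrange" in subj.attrs and l1.dom(l2) and h2.dom(h1):
        return "mlsfilewriteinrange"
    if "mlsfilewrite" in subj.attrs:
        return "mlsfilewrite"
    if "mlstrustedobject" in obj.attrs:
        return "mlstrustedobject"
    return None


def file_write_allowed(subj: Context, obj: Context) -> bool:
    return file_write_clause(subj, obj) is not None


if __name__ == "__main__":
    # samhain_t as started by init_ranged_daemon_domain(..., mls_systemhigh)
    # or via "newrole -l s15:c0.c1023": a single level, low == high.
    daemon = ctx("s15:c0.c1023")
    var_run = ctx("s0")                  # /var/run and /var/log are s0 directories
    print("plain systemhigh daemon  ->", file_write_clause(daemon, var_run))
    print("with mlsfilewriteinrange ->",
          file_write_clause(ctx("s15:c0.c1023", "mlsfilewriteinrange"), var_run))
    print("with mlsfilewrite        ->",
          file_write_clause(ctx("s15:c0.c1023", "mlsfilewrite"), var_run))
```

The first two cases come back denied: the levels are not equal, and the "in range" clause requires the directory's high level (s0) to dominate the daemon's clearance (s15:c0.c1023), which it never will. Only the mlsfilewrite attribute (or labeling the directory itself as a trusted object) lets the write through, which is the trade-off the mls_file_write_all_levels() call in the module is making. An alternative that avoids the blanket exemption would be a dedicated directory for the pid and log files labeled at mls_systemhigh, so that the l1 eq l2 clause applies; that is my suggestion, not something the thread proposes.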

2010-11-12 11:53:08

by domg472

[permalink] [raw]
Subject: [refpolicy] FW: Add support for the samhain program

On Fri, Nov 12, 2010 at 10:27:12AM +0000, HarryCiao wrote:
>
> Hi Dom,
>
> So many thanks for your patient reply! I have enhanced samhain.pp based on your comments, please see the attached v1 version. But I did have some related pending questions I would like to further ask you about, please see my inline replies (prefixed by "[H]"), thanks a lot!
>
>
> Date: Thu, 11 Nov 2010 13:18:05 +0100
> From: domg472 at gmail.com
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] FW: Add support for the samhain program
>
> On Thu, Nov 11, 2010 at 11:01:37AM +0000, HarryCiao wrote:
> >
> > Hi Chris and Dom,
>
> some comments inline
> >
> > Sorry to bother you again.
> >
> > I'd tried to develop a .pp for the samhain program (filesystem integrity checker). I am wondering if you could help give some comments on it so that I could do it in the right way :-)
> >
> > Many thanks!
> >
> > Best regards,
> > Harry
> >
> > From: harrytaurus2002 at hotmail.com
> > To: refpolicy at oss.tresys.com
> > Date: Tue, 9 Nov 2010 03:33:24 +0000
> > Subject: [refpolicy] Add support for the samhain program
> >
> >
> > Hi SELinux experts:
> >
> > I have tried to add support for the samhain program, which is used to check filesystem integrity. Please help comment on the attached implementation of the samhain.pp, many thanks!
> >
> > I have tested it on the samhain-2.5.5 package with the default configuration by the following commands, and samhain could detect changes as to be monitored in its configuration file (/etc/samhainrc):
> >
> > (In sysadm_r role, install samhain.pp and update sysadm.pp)
> > 1. Initialize database:
> > newrole -l s15:c0.c1023 -- -c "samhain -t init"
> >
> > 2. Check samhain daemon status:
> > run_init /etc/init.d/samhain status
> >
> > 3. Start samhain in daemon mode:
> > run_init /etc/init.d/samhain start
> > or,
> > newrole -l s15:c0.c1023 -- -c "samhain -t check -D"
> >
> > 4. Stop samhain daemon:
> > run_init /etc/init.d/samhain stop
> >
> >
> > Two more questions:
> > 1. sysadm or secadm, who is a better choice to call samhain_admin() for? sysadm could manage /var/log/ and /var/lib/ already but doesn't belong to the mlsfilewrite attribute, while secadm has the opposite abilities.

I think you can compare samhain to aide and so you can look at how it's dealt with in aide's case.
In aide's case secadm calls aide_run() and so that is what I would do as well.

> >
> > Or some other better solution?
> >
> > 2. Would the samhain_run_init_script() make sense if the samhain_admin() is called for secadm?

I don't think so, no, but I am not sure.
> >
> > Thanks a lot!
> >
> > Best regards,
> > Harry
> >
> >
>
> > From 78c86950bcbc5ff4eb78c03cf8e0a59f11c542b7 Mon Sep 17 00:00:00 2001
> > From: Harry Ciao <[email protected]>
> > Date: Mon, 8 Nov 2010 14:42:38 +0800
> > Subject: [v0 PATCH 1/1] Add support for the samhain program.
> >
> > Add support for the samhain program.
> >
> > Note, extra privileges may need to be granted to the samhain domain
> > if its configuration file(/etc/samhainrc) is changed.
> >
> > Signed-off-by: Harry Ciao <[email protected]>
> > ---
> > policy/modules/roles/sysadm.te | 4 +
> > policy/modules/services/samhain.fc | 13 +++
> > policy/modules/services/samhain.if | 210 ++++++++++++++++++++++++++++++++++++
> > policy/modules/services/samhain.te | 118 ++++++++++++++++++++
> > 4 files changed, 345 insertions(+), 0 deletions(-)
> > create mode 100644 policy/modules/services/samhain.fc
> > create mode 100644 policy/modules/services/samhain.if
> > create mode 100644 policy/modules/services/samhain.te
> >
> > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> > index d5e88be..69cb358 100644
> > --- a/policy/modules/roles/sysadm.te
> > +++ b/policy/modules/roles/sysadm.te
> > @@ -290,6 +290,10 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> > + samhain_admin(sysadm_t, sysadm_r)
> > +')
>
> why not samhain_run?
>
> [H]: OK, I have changed to call samhain_run() for the sysadm, but then the samhain_admin() interface is defined but not currently used anywhere (same as aide_admin()). If the samhain daemon is in a bad condition, then no administrator role could clean up its log/log.lock files or database files when SELinux is in Enforcing mode.
>
> What's the point of defining a so-far-unused interface? I guess one possible answer is that they are likely to be used in the future, for example, the logadm may want to be able to manage the samhain log files in the future.
>
> What do you think?
>
> > +
> > +optional_policy(`
> > screen_role_template(sysadm, sysadm_r, sysadm_t)
> > ')
> >
> > diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc
> > new file mode 100644
> > index 0000000..5f78098
> > --- /dev/null
> > +++ b/policy/modules/services/samhain.fc
> > @@ -0,0 +1,13 @@
> > +/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh)
> > +
> > +/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
> > +
> > +/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> > +/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> > +
> > +/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
> > +
> > +/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> > +/var/log/samhain_log.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
>
> I think refpolicy wants you to escape the dot (although I don't think it matters for file extensions).
>
> [H]: Right, I should have put a "\" in front of the "." character here.
>
> > +
> > +/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
> > diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if
> > new file mode 100644
> > index 0000000..2db64f8
> > --- /dev/null
> > +++ b/policy/modules/services/samhain.if
> > @@ -0,0 +1,210 @@
> > +## <summary>Samhain - check file integrity</summary>
> > +
> > +########################################
> > +## <summary>
> > +## Execute samhain in the samhain domain
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`samhain_domtrans',`
> > + gen_require(`
> > + type samhain_t, samhain_exec_t;
> > + ')
> > +
> > + corecmd_search_bin($1)
> > + domtrans_pattern($1, samhain_exec_t, samhain_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Execute samhain in the samhain domain, and
> > +## allow the specifiled role the samhain domain
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed to access.
> > +## </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`samhain_run',`
> > + gen_require(`
> > + type samhain_t;
> > + ')
> > +
> > + samhain_domtrans($1)
> > + role $2 types samhain_t;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Manage the samhain configuration file.
>
> personal nitpick but I usually use plural:
>
> Manage samhain configuration files.
>
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
>
> Watch your tabs and whitespaces.
>
> > +## </param>
> > +#
> > +interface(`samhain_manage_config',`
>
> I would use samhain_manage_config_files because thats what it does.
>
> > + gen_require(`
> > + type samhain_etc_t;
> > + ')
> > +
> > + files_search_etc($1)
> > + manage_files_pattern($1, samhain_etc_t, samhain_etc_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Manage the samhain database directory and file.
>
> plural: Manage samhain databases or Manage samhain database content.
>
>
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
>
> tabs and spaces.
>
> > +## </param>
> > +#
> > +interface(`samhain_manage_db',`
> > + gen_require(`
> > + type samhain_db_t;
> > + ')
> > +
> > + files_search_var_lib($1)
> > + manage_files_pattern($1, samhain_db_t, samhain_db_t)
>
> In the description you say manage directories and files but this only allows management of files. If this is correct use: samhain_manage_db_files.
>
> [H]: Gotcha, thanks!
>
> > +')
> > +
> > +#######################################
> > +## <summary>
> > +## Manage the samhain init script.
>
> plural: Manage samhain rc script files.
>
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
>
> tabs and spaces. When you copy and paste interfaces: double-check that all is correct and applicable.
>
> [H]: Gotcha, thanks!
>
> > +## </param>
> > +#
> > +interface(`samhain_manage_init_script',`
>
> samhain_manage_rc_script_files.
> > + gen_require(`
> > + type samhain_initrc_exec_t;
> > + ')
> > +
> > + files_search_etc($1)
> > + manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Manage the samhain log and log.lock files.
>
> Manage samhain log files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
>
> tabs and whitespaces
> > +## </param>
> > +#
> > +interface(`samhain_manage_log',`
>
> samhain_manage_log_files
>
> > + gen_require(`
> > + type samhain_log_t;
> > + ')
> > +
> > + logging_search_logs($1)
> > + manage_files_pattern($1, samhain_log_t, samhain_log_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Manage the samhain pid file.
>
> Manage samhain pid files.
>
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
>
> tabs
>
> > +## </param>
> > +#
> > +interface(`samhain_manage_pid',`
>
> samhain_manage_pid_files.
>
> > + gen_require(`
> > + type samhain_var_run_t;
> > + ')
> > +
> > + files_search_pids($1)
> > + manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
>
> files_search_pids()
>
> > +')
> > +
> > +#######################################
> > +## <summary>
> > +## Enable executing the samhain init script directly
> > +## (thus bypassing the run_init tool)
>
> Use a generic description. Extra comments go in <desc> ... </desc>.
>
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
>
> Domain allowed to transition.
>
> watch your tabs
>
> > +## </param>
> > +## <param name="role">
> > +## <summary>
> > +## User role allowed access.
>
> Role allowed access.
>
> > +## </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`samhain_run_init_script',`
> > + gen_require(`
> > + type samhain_initrc_exec_t;
> > + role system_r;
> > + ')
> > +
> > + init_labeled_script_domtrans($1, samhain_initrc_exec_t)
> > + domain_system_change_exemption($1)
> > + role_transition $2 samhain_initrc_exec_t system_r;
> > + allow $2 system_r;
>
> This doesn't look right. Look in refpolicy for other examples of how this is done properly.
>
> [H]: OK, I have removed this interface but preserved the role allow and role transition rules above in the samhain_admin() interface, in the hope that the samhain administrator could use its rc init script file directly and the samhain domain would run in the system_r role, the same role as when it is started by init during system startup.
>
> > +')
> > +
> > +#######################################
> > +## <summary>
> > +## All of the rules required to administrate
> > +## the samhain environment.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`samhain_admin',`
> > + gen_require(`
> > + type samhain_t;
> > + ')
> > +
> > + allow $1 samhain_t:process { ptrace signal_perms };
> > + ps_process_pattern($1, samhain_t)
> > +
> > + samhain_manage_config($1)
> > + samhain_manage_db($1)
> > + samhain_manage_init_script($1)
> > + samhain_manage_log($1)
> > + samhain_manage_pid($1)
>
> Use admin_pattern() instead of these interface calls.
> Example:
>
> logging_list_logs($1)
> admin_pattern($1, samhain_log_t)
>
> [H]: I see your points, and I'd noticed the usage of admin_pattern in aide.if.
>
> Same concern as above: if these samhain_manage_xxxx_files() interfaces are not used (in neither .te nor .if here), should we preserve them or discard them?
>
> > +
> > + # The parent directories of samhain's database, log/log.lock files,
> > + # pid files are of s0, while these files are of the clearance level.
> > + mls_file_write_all_levels($1)
> > +
> > + samhain_run($1, $2)
> > +
> > + #samhain_run_init_script($1, $2)
> Look at other similar *_admin() interfaces to see how it's done properly. If samhain does not have an rc script then just remove it.
>
> > +')
> > diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
> > new file mode 100644
> > index 0000000..aaf9d23
> > --- /dev/null
> > +++ b/policy/modules/services/samhain.te
> > @@ -0,0 +1,118 @@
> > +policy_module(samhain, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +# Configuration file
>
> These comments are redundant.
>
> > +type samhain_etc_t;
> > +files_security_file(samhain_etc_t)
>
> Not sure about this but looks wrong. I would use files_config_file().
>
> > +
> > +# Log files
>
> Comment redundant.
>
> > +type samhain_log_t;
> > +logging_log_file(samhain_log_t)
> > +
> > +# File signature database
> > +type samhain_db_t;
> > +files_type(samhain_db_t)
> > +
> > +# init script
>
> Comment redundant.
>
> > +type samhain_initrc_exec_t;
> > +init_script_file(samhain_initrc_exec_t)
> > +
> > +# PID file
>
> Comment redundant.
>
> > +type samhain_var_run_t;
> > +files_pid_file(samhain_var_run_t)
> > +
> > +# Samhain domain
> > +type samhain_t;
> > +type samhain_exec_t;
> > +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh)
> > +
> > +########################################
> > +#
> > +# Local policy
> > +#
> > +
> > +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock };
> > +dontaudit samhain_t self:capability { sys_resource };
>
> Brace not needed (nothing to expand).
>
> > +allow samhain_t self:fd { use };
>
> Brace not needed. (nothing to expand)
>
> > +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon
> > +allow samhain_t self:process { setsched setrlimit signal_perms };
>
> new line
>
> [H]: Gotcha, thanks!
>
>
> > +allow samhain_t samhain_etc_t:file read_file_perms;
> > +
> > +# Samhain needs to get the attribute of /proc/kcore.
> > +kernel_getattr_core_if(samhain_t)
> > +
> > +# Only needed when starting samhain daemon from its init script.
> > +can_exec(samhain_t, samhain_exec_t)
>
> I think this goes above kernel_*
>
> [H]: Yes, it turns out can_exec is a macro indeed and should be placed before any interface call.
>
> > +
> > +corecmd_list_bin(samhain_t)
> > +corecmd_read_bin_symlinks(samhain_t)
> > +
> > +# To get entropy
> > +dev_read_urand(samhain_t)
> > +dev_dontaudit_read_rand(samhain_t)
>
> Why dontaudit this?
>
> [H]: Right, this interface has nothing to do with /dev/urandom or /dev/random
>
> Have a nice weekend!
>
> Best regards,
> Harry
>
> > +
> > +domain_use_interactive_fds(samhain_t)
> > +
> > +# To read configuration file
> > +files_search_etc(samhain_t)
> > +
> > +# Manage PID file
>
> Comment redundant. This goes above the interface calls.
>
> > +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
> > +files_pid_filetrans(samhain_t, samhain_var_run_t, file)
> > +
> > +# Manage database directory and file
> > +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
> > +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
> > +
> > +# Manage log and log.lock files
>
> Comment redundant. This goes above the interface calls.
>
> > +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
> > +logging_log_filetrans(samhain_t, samhain_log_t, file)
> > +
> > +# Samhain's PID and log.lock files are in directories of s0,
> > +# while samhain daemon is running with the clearance level
> > +mls_file_write_all_levels(samhain_t)
> > +
> > +# Get the attribute of all kinds of files in the rootfs
> > +dev_getattr_all_blk_files(samhain_t)
> > +dev_getattr_all_chr_files(samhain_t)
> > +dev_getattr_generic_blk_files(samhain_t)
> > +dev_getattr_generic_chr_files(samhain_t)
>
> newline
>
> > +files_getattr_all_dirs(samhain_t)
> > +files_getattr_all_files(samhain_t)
> > +files_getattr_all_symlinks(samhain_t)
> > +files_getattr_all_pipes(samhain_t)
> > +files_getattr_all_sockets(samhain_t)
> > +files_getattr_all_mountpoints(samhain_t)
> > +# Read from the file_type attribute and the lnk_file class
> > +files_read_all_files(samhain_t)
> > +files_read_all_symlinks(samhain_t)
> > +
> > +# Read from utmp and wtmp when monitoring login/logout events
> > +init_read_utmp(samhain_t)
> > +auth_read_login_records(samhain_t)
>
> Use proper ordering. see style guide and refpolicy examples.
>
> > +
> > +# Get the attribute of other filesystem's mountpoint, such as /selinux
> > +# /proc, /sys and /tmp, but not the contents inside, which suggests
> > +# that following rules should be set in samhain configuration file:
> > +# [Attributes]
> > +# file = /tmp
> > +# file = /proc
> > +# file = /sys
> > +# file = /selinux
> > +# [IgnoreALL]
> > +# dir = -1/tmp
> > +# dir = -1/proc
> > +# dir = -1/sys
> > +# dir = -1/selinux
> > +fs_getattr_all_dirs(samhain_t)
> > +
> > +# Get attribute of files with variant sensitivity levels
> > +mls_file_read_all_levels(samhain_t)
> > +
> > +logging_send_syslog_msg(samhain_t)
> > +
> > +userdom_use_user_terminals(samhain_t)
> > --
> > 1.7.0.4
> >
>

> From e45600ec48cc43ca241b399a5db5c075cc704b8c Mon Sep 17 00:00:00 2001
> From: Harry Ciao <[email protected]>
> Date: Mon, 8 Nov 2010 14:42:38 +0800
> Subject: [v1 PATCH 1/1] Add support for the samhain program.
>
> Note, extra privileges may need to be granted to the samhain domain
> if its configuration file(/etc/samhainrc) is changed. The samhain
> program could be used in the following way:
>
> (In sysadm_r role)
> 1. Initialize database:
> newrole -l s15:c0.c1023 -- -c "samhain -t init"
>
> 2. Check samhain daemon status:
> run_init /etc/init.d/samhain status
>
> 3. Start samhain in daemon mode:
> run_init /etc/init.d/samhain start
> or,
> newrole -l s15:c0.c1023 -- -c "samhain -t check -D"
>
> 4. Stop samhain daemon:
> run_init /etc/init.d/samhain stop
>
> Signed-off-by: Harry Ciao <[email protected]>
> ---
> policy/modules/roles/sysadm.te | 4 +
> policy/modules/services/samhain.fc | 13 +++
> policy/modules/services/samhain.if | 189 ++++++++++++++++++++++++++++++++++++
> policy/modules/services/samhain.te | 113 +++++++++++++++++++++
> 4 files changed, 319 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/samhain.fc
> create mode 100644 policy/modules/services/samhain.if
> create mode 100644 policy/modules/services/samhain.te
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index d5e88be..91e147e 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -290,6 +290,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + samhain_run(sysadm_t, sysadm_r)
> +')
> +
> +optional_policy(`
> screen_role_template(sysadm, sysadm_r, sysadm_t)
> ')
>
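Review bot: samhain_run(sysadm_t, sysadm_r) is wired into sysadm.te here, while earlier in this thread aide is held up as the model and aide_run() is exposed through userdom_security_admin_template() so that secadm_t gets it when MLS is enabled. Mirroring that would cover both roles with one call instead of a per-role hunk, and would hand the tool to the role you say already carries mlsfilewrite, which is the role the commit-message recipe (newrole -l s15:c0.c1023 -- -c "samhain -t init") really needs. Placement of the optional_policy block is fine (samhain sorts before screen).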
> diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc
> new file mode 100644
> index 0000000..b0ac8a5
> --- /dev/null
> +++ b/policy/modules/services/samhain.fc
> @@ -0,0 +1,13 @@
> +/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh)
> +
> +/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
> +
> +/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> +/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> +
> +/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
> +
> +/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> +/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> +
> +/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
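Review bot: labeling /usr/sbin/samhain_setpwd as samhain_exec_t means executing it domain-transitions into samhain_t, and the .te in this patch lets that domain write only samhain_db_t, samhain_log_t and samhain_var_run_t files; samhain_setpwd is a setup utility rather than the daemon, so whatever it writes will be denied and it would be better left at the default bin_t label or given its own type. A second point on the same hunk: every entry carries mls_systemhigh, including the executable, the init script and /etc/samhainrc, whereas most refpolicy .fc entries leave such files at s0 and let init_ranged_daemon_domain() set the process range; if the intent is that an s0 subject must not even read the config and script, say so in a comment, since it also means a plain sysadm_r shell at s0 cannot inspect /etc/samhainrc. The v0 comment about escaping the dot is addressed (samhain_log\.lock).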
> diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if
> new file mode 100644
> index 0000000..5e5920a
> --- /dev/null
> +++ b/policy/modules/services/samhain.if
> @@ -0,0 +1,189 @@
> +## <summary>Samhain - check file integrity</summary>
> +
> +########################################
> +## <summary>
> +## Execute samhain in the samhain domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_domtrans',`
> + gen_require(`
> + type samhain_t, samhain_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, samhain_exec_t, samhain_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute samhain in the samhain domain, and
> +## allow the specifiled role the samhain domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed to access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_run',`
> + gen_require(`
> + type samhain_t;
> + ')
> +
> + samhain_domtrans($1)
> + role $2 types samhain_t;
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain configuration files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_config_files',`
> + gen_require(`
> + type samhain_etc_t;
> + ')
> +
> + files_search_etc($1)
> + manage_files_pattern($1, samhain_etc_t, samhain_etc_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain database files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_db_files',`
> + gen_require(`
> + type samhain_db_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, samhain_db_t, samhain_db_t)
> +')
> +
> +#######################################
> +## <summary>
> +## Manage samhain rc script files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_rc_script_files',`
> + gen_require(`
> + type samhain_initrc_exec_t;
> + ')
> +
> + files_search_etc($1)
> + manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain log and log.lock files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_log_files',`
> + gen_require(`
> + type samhain_log_t;
> + ')
> +
> + logging_search_logs($1)
> + manage_files_pattern($1, samhain_log_t, samhain_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain pid files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_pid_files',`
> + gen_require(`
> + type samhain_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
> +')
> +
> +#######################################
> +## <summary>
> +## All of the rules required to administrate
> +## the samhain environment.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_admin',`
> + gen_require(`
> + type samhain_t, samhain_db_t, samhain_etc_t;
> + type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
> + role system_r;
> + ')
> +
> + allow $1 samhain_t:process { ptrace signal_perms };
> + ps_process_pattern($1, samhain_t)
> +
> + allow $2 system_r;
> + role_transition $2 samhain_initrc_exec_t system_r;
> +
> + files_list_var_lib($1)
> + admin_pattern($1, samhain_db_t)
> +
> + files_list_etc($1)
> + admin_pattern($1, samhain_etc_t)
> + admin_pattern($1, samhain_initrc_exec_t)
> +
> + logging_list_logs($1)
> + admin_pattern($1, samhain_log_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, samhain_var_run_t)
> +
> + # The parent directories of samhain's database, log/log.lock files,
> + # pid files are of s0, while these files are of the clearance level.
> + mls_file_write_all_levels($1)
> +')
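Review bot: samhain_admin() keeps `allow $2 system_r;` and `role_transition $2 samhain_initrc_exec_t system_r;` but has lost the domain transition that gives those two rules a purpose; the refpolicy *_admin convention pairs them with `init_labeled_script_domtrans($1, samhain_initrc_exec_t)` and `domain_system_change_exemption($1)` (the v0 samhain_run_init_script() had both calls), so put those two lines back in front of the role rules. Without the domtrans, $1 either cannot execute the script at all or stays in its own domain, and the role_transition on its own buys nothing. Two smaller points in the same hunk: samhain_admin() no longer calls samhain_run($1, $2), so an administrator can manage the files but not run the tool; and the five samhain_manage_*_files() interfaces are now used by neither .te nor .if (your own question), so either drop them or have samhain_admin() use them. The samhain_run() summary still reads "specifiled".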
> diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
> new file mode 100644
> index 0000000..4b519a9
> --- /dev/null
> +++ b/policy/modules/services/samhain.te
> @@ -0,0 +1,113 @@
> +policy_module(samhain, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type samhain_etc_t;
> +files_config_file(samhain_etc_t)
> +
> +type samhain_log_t;
> +logging_log_file(samhain_log_t)
> +
> +# Filesystem signature database
> +type samhain_db_t;
> +files_type(samhain_db_t)
> +
> +type samhain_initrc_exec_t;
> +init_script_file(samhain_initrc_exec_t)
> +
> +type samhain_var_run_t;
> +files_pid_file(samhain_var_run_t)
> +
> +type samhain_t;
> +type samhain_exec_t;
> +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock };
> +dontaudit samhain_t self:capability sys_resource;
> +allow samhain_t self:fd use;
> +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon
> +allow samhain_t self:process { setsched setrlimit signal_perms };
> +
> +allow samhain_t samhain_etc_t:file read_file_perms;
> +
> +# Only needed when starting samhain daemon from its init script.
> +can_exec(samhain_t, samhain_exec_t)
> +
> +# Samhain needs to get the attribute of /proc/kcore.
> +kernel_getattr_core_if(samhain_t)
> +
> +corecmd_list_bin(samhain_t)
> +corecmd_read_bin_symlinks(samhain_t)
> +
> +# To get entropy
> +dev_read_urand(samhain_t)
> +
> +domain_use_interactive_fds(samhain_t)
> +
> +files_search_etc(samhain_t)
> +
> +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
> +files_pid_filetrans(samhain_t, samhain_var_run_t, file)
> +
> +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
> +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
> +
> +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
> +logging_log_filetrans(samhain_t, samhain_log_t, file)
> +
> +# Samhain's pid, log and log.lock files are all in directories of s0,
> +# while samhain daemon is running with the clearance level.
> +mls_file_write_all_levels(samhain_t)
> +
> +# Read from utmp when monitoring login/logout events
> +auth_read_login_records(samhain_t)
> +
> +# Get the attributes of all kinds of files in the rootfs
> +dev_getattr_all_blk_files(samhain_t)
> +dev_getattr_all_chr_files(samhain_t)
> +dev_getattr_generic_blk_files(samhain_t)
> +dev_getattr_generic_chr_files(samhain_t)
> +
> +files_getattr_all_dirs(samhain_t)
> +files_getattr_all_files(samhain_t)
> +files_getattr_all_symlinks(samhain_t)
> +files_getattr_all_pipes(samhain_t)
> +files_getattr_all_sockets(samhain_t)
> +files_getattr_all_mountpoints(samhain_t)
> +
> +# Read from the file_type attribute and the lnk_file class
> +files_read_all_files(samhain_t)
> +files_read_all_symlinks(samhain_t)
> +
> +# Read from wtmp when monitoring login/logout events
> +init_read_utmp(samhain_t)
> +
> +# Get the attribute of other filesystem's mountpoint, such as /selinux
> +# /proc, /sys and /tmp, but not the contents inside, which suggests
> +# that following rules should be set in samhain configuration file:
> +# [Attributes]
> +# file = /tmp
> +# file = /proc
> +# file = /sys
> +# file = /selinux
> +# [IgnoreALL]
> +# dir = -1/tmp
> +# dir = -1/proc
> +# dir = -1/sys
> +# dir = -1/selinux
> +fs_getattr_all_dirs(samhain_t)
> +
> +# Get attribute of files with variant sensitivity levels
> +mls_file_read_all_levels(samhain_t)
> +
> +logging_send_syslog_msg(samhain_t)
> +
> +userdom_use_user_terminals(samhain_t)
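Review bot: files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir }) names the dir class, but the only rule for that type is manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t), so samhain_t is never allowed samhain_db_t:dir create and the dir half of the type_transition can never fire. Either add `manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)` or drop dir from the filetrans (the .fc already labels /var/lib/samhain(/.*)?, so the directory can come from the package). The comments above auth_read_login_records and init_read_utmp are swapped: auth_read_login_records() covers wtmp_t (/var/log/wtmp, lastlog) and init_read_utmp() covers /var/run/utmp. `allow samhain_t self:fd use;` is already granted to every domain in kernel/domain.te and can go. The interface calls are still not in layer order: kernel-layer calls (dev_, files_, fs_, mls_) go first, then system-layer auth_, init_, logging_, userdom_, whereas here mls_file_write_all_levels, auth_read_login_records and init_read_utmp sit between the files_ and fs_ calls. Last, files_read_all_files plus mls_file_read_all_levels gives the daemon read on every file_type at every level, shadow_t included as far as I can tell; that is what an integrity checker needs, but it deserves a comment, and it makes samhain_etc_t (the file that decides what gets hashed) the one to protect.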
> --
> 1.7.0.4
>
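The samhain.te hunk quoted above pairs a files_var_lib_filetrans(..., { file dir }) with only a manage_files_pattern() for the same type. The following is an added example, not code from the thread or from the samhain module: a tiny lint for refpolicy .te text that reports every *_filetrans() object class for which no manage_*_pattern() grants create on that domain/type pair. A type_transition only selects the label of a new object; the create permission on the object class still has to be allowed, so such a filetrans is dead policy. PATTERN_CLASS assumes the macro names from refpolicy's policy/support/file_patterns.spt, SAMPLE_TE is a constructed excerpt of the hunk, and FIXED_TE is my suggested fix, not the author's.

```python
"""
Lint: find *_filetrans() classes that no manage_*_pattern() backs for the
same (domain, type).  Added example; not part of refpolicy or samhain.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# refpolicy support macro -> object class it grants manage_*_perms on
PATTERN_CLASS = {
    "manage_files_pattern": "file",
    "manage_dirs_pattern": "dir",
    "manage_lnk_files_pattern": "lnk_file",
    "manage_fifo_files_pattern": "fifo_file",
    "manage_sock_files_pattern": "sock_file",
}

# foo_bar_filetrans(domain, type, class | { class class ... })
FILETRANS_RE = re.compile(
    r"^\s*\w+_filetrans\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\{[^}]*\}|\w+)", re.M)
# manage_xxx_pattern(domain, parent_dir_type, object_type)
PATTERN_RE = re.compile(
    r"^\s*(manage_\w+_pattern)\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)", re.M)


def strip_comments(text: str) -> str:
    """Drop '#' comments so commented-out rules are not counted."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def granted_classes(te_text: str) -> Dict[Tuple[str, str], Set[str]]:
    """(domain, object type) -> classes some manage_*_pattern lets it create."""
    granted: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for macro, domain, _parent_type, obj_type in PATTERN_RE.findall(te_text):
        cls = PATTERN_CLASS.get(macro)
        if cls:
            granted[(domain, obj_type)].add(cls)
    return granted


def dead_filetrans(te_text: str) -> List[str]:
    """One finding per filetrans class that no manage_*_pattern backs."""
    text = strip_comments(te_text)
    granted = granted_classes(text)
    findings: List[str] = []
    for domain, obj_type, classes in FILETRANS_RE.findall(text):
        for cls in classes.strip("{} ").split():
            if cls not in granted.get((domain, obj_type), set()):
                findings.append(
                    f"{domain}: filetrans to {obj_type} names class '{cls}' but no "
                    f"manage_{cls}s_pattern({domain}, {obj_type}, {obj_type}) "
                    f"grants {obj_type}:{cls} create")
    return findings


# Constructed excerpt of the v1 samhain.te hunk (its three filetrans blocks).
SAMPLE_TE = """
manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
files_pid_filetrans(samhain_t, samhain_var_run_t, file)

manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })

manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
logging_log_filetrans(samhain_t, samhain_log_t, file)
"""

# The same excerpt with the missing pattern added (one way to fix it).
FIXED_TE = SAMPLE_TE + "manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)\n"

if __name__ == "__main__":
    for finding in dead_filetrans(SAMPLE_TE) or ["no dead filetrans rules"]:
        print(finding)
    print("after fix:", dead_filetrans(FIXED_TE) or "clean")
```

Run against SAMPLE_TE it reports exactly the samhain_db_t dir case; against FIXED_TE it reports nothing. The check is deliberately textual (it does not expand m4), so it is a pre-commit sanity pass for a module, not a substitute for loading the policy and asking sesearch whether samhain_t really has samhain_db_t:dir create.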


2010-11-15 01:54:58

by harrytaurus2002

[permalink] [raw]
Subject: [refpolicy] FW: Add support for the samhain program


> > From: harrytaurus2002 at hotmail.com
> > To: refpolicy at oss.tresys.com
> > Date: Tue, 9 Nov 2010 03:33:24 +0000
> > Subject: [refpolicy] Add support for the samhain program
> >
> >
> > Hi SELinux experts:
> >
> > I have tried to add support for the samhain program, which is used to check filesystem integrity. Please help comment on the attached implementation of the samhain.pp, many thanks!
> >
> > I have tested it on the samhain-2.5.5 package with the default configuration by the following commands, and samhain could detect changes as to be monitored in its configuration file (/etc/samhainrc):
> >
> > (In sysadm_r role, install samhain.pp and update sysadm.pp)
> > 1. Initialize database:
> > newrole -l s15:c0.c1023 -- -c "samhain -t init"
> >
> > 2. Check samhain daemon status:
> > run_init /etc/init.d/samhain status
> >
> > 3. Start samhain in daemon mode:
> > run_init /etc/init.d/samhain start
> > or,
> > newrole -l s15:c0.c1023 -- -c "samhain -t check -D"
> >
> > 4. Stop samhain daemon:
> > run_init /etc/init.d/samhain stop
> >
> >
> > Two more questions:
> > 1. sysadm or secadm, which is the better choice to call samhain_admin() for? sysadm could manage /var/log/ and /var/lib/ already but doesn't belong to the mlsfilewrite attribute, while secadm has the opposite abilities.

> I think you can compare samhain to aide and so you can look at how it's dealt with in aide's case.
> In aide's case secadm calls aide_run() and so that is what I would do as well.


Hi Dom,

This is the v2 version of the samhain.pp patch. I have added the call of the samhain_run() interface in the userdom_security_admin_template(), so that when MLS is enabled the secadm would be able to run it. Since the samhain application provides an init script, the sysadm would also be able to start/stop/query its status via the run_init tool.

Also I have some follow-up questions for the aide_admin or samhain_admin interfaces:

1. aide_admin() is not used by any kind of administrator; should we define such an unused interface in the .if file?

2. I know aide_run() is called by the userdom_security_admin_template(), so sysadm or secadm would be able to run the aide program when the MLS feature is enabled or not, respectively. Why has aide_admin() not been called there along with aide_run()?

3. Moreover, I don't get it so far: although aide_admin() has not been called for sysadm, with the sesearch tool I can see that sysadm seems to have been granted the privileges of admin_pattern(sysadm_t, aide_db_t) and admin_pattern(sysadm_t, aide_log_t), for example:

allow sysadm_t aide_log_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t aide_log_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
......

allow sysadm_t aide_db_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t aide_db_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
......

Also, no admin domain has the ptrace privilege on the aide_t domain, which means aide_admin() has not actually been called for sysadm_t:

root at qemu-host:/root> sesearch -SCA -s sysadm_t -t aide_t -c process -p ptrace

root at qemu-host:/root> sesearch -SCA -t aide_t -c process -p ptrace

root at qemu-host:/root>

So how could sysadm_t have been granted above privileges without aide_admin(sysadm_t) being called explicitly?

4. Although secadm is able to run samhain, it is unable to remove an entry from /var/log/ or /var/lib/, so it can't remove samhain's log/log.lock or database files. On the other hand, although sysadm could manage /var/log/ and /var/lib/, their security levels are s0 while the samhain_log's security level is mls_systemhigh. Since sysadm_t does not belong to the mlsfilewrite attribute, it could not remove samhain_log from /var/log/. How could we solve such a catch-22 problem while SELinux is in enforcing mode?

Thanks a lot!

Best regards,
Harry


2010-11-15 12:35:23

by domg472

Subject: [refpolicy] FW: Add support for the samhain program

On Mon, Nov 15, 2010 at 01:54:58AM +0000, HarryCiao wrote:
>
> > > From: harrytaurus2002 at hotmail.com
> > > To: refpolicy at oss.tresys.com
> > > Date: Tue, 9 Nov 2010 03:33:24 +0000
> > > Subject: [refpolicy] Add support for the samhain program
> > >
> > >
> > > Hi SELinux experts:
> > >
> > > I have tried to add support for the samhain program, which is used to check filesystem integrity. Please help comment on the attached implementation of the samhain.pp, many thanks!
> > >
> > > I have tested it on the samhain-2.5.5 package with the default configuration by the following commands, and samhain could detect changes to what is monitored in its configuration file (/etc/samhainrc):
> > >
> > > (In sysadm_r role, install samhain.pp and update sysadm.pp)
> > > 1. Initialize database:
> > > newrole -l s15:c0.c1023 -- -c "samhain -t init"
> > >
> > > 2. Check samhain daemon status:
> > > run_init /etc/init.d/samhain status
> > >
> > > 3. Start samhain in daemon mode:
> > > run_init /etc/init.d/samhain start
> > > or,
> > > newrole -l s15:c0.c1023 -- -c "samhain -t check -D"
> > >
> > > 4. Stop samhain daemon:
> > > run_init /etc/init.d/samhain stop
> > >
> > >
> > > Two more questions:
> > > 1. sysadm or secadm, which is the better choice to call samhain_admin() for? sysadm could manage /var/log/ and /var/lib/ already but doesn't belong to the mlsfilewrite attribute, while secadm has the opposite abilities.
>
> I think you can compare samhain to aide and so you can look at how it's dealt with in aide's case.
> In aide's case secadm calls aide_run() and so that is what I would do as well.
>
>
> Hi Dom,
>
> This is the v2 version of the samhain.pp patch. I have added the call of the samhain_run() interface in the userdom_security_admin_template(), so that when MLS is enabled the secadm would be able to run it. Since the samhain application provides an init script, the sysadm would also be able to start/stop/query its status via the run_init tool.
>
> Also I have some follow-up questions for the aide_admin or samhain_admin interfaces:
>
> 1. aide_admin() is not used by any kind of administrator; should we define such an unused interface in the .if file?

Yes, because then end-users can use it in their custom modules. If we would by default create admin roles for each server we would end up with many role modules and most of them would probably not be used. By at least providing access to the interface we don't install it by default but we still make it available.

>
> 2. I know aide_run() is called by the userdom_security_admin_template(), so sysadm or secadm would be able to run the aide program when the MLS feature is enabled or not, respectively. Why has aide_admin() not been called there along with aide_run()?


I am not sure why aide_run wasn't added to aide_admin, and aide_admin was called in sysadm and secadm instead of aide_run. I guess adding aide_run() to aide_admin and then replacing aide_run by aide_admin in sysadm and secadmin would be a better idea. Although for sysadmin it doesn't really matter because sysadm can manage all files except shadow.

>
> 3. Moreover, I don't get it so far: although aide_admin() has not been called for sysadm, with the sesearch tool I can see that sysadm seems to have been granted the privileges of admin_pattern(sysadm_t, aide_db_t) and admin_pattern(sysadm_t, aide_log_t), for example:

sysadm can manage/relabel all files except shadow (see userdom_admin_user_template)

>
> allow sysadm_t aide_log_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
> allow sysadm_t aide_log_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
> ......
>
> allow sysadm_t aide_db_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
> allow sysadm_t aide_db_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
> ......
>
> Also, no admin domain has the ptrace privilege on the aide_t domain, which means aide_admin() has not actually been called for sysadm_t:

auth_manage_all_files_except_shadow($1_t)
auth_relabel_all_files_except_shadow($1_t)

was called from userdom_admin_user_template, which in turn was called by sysadm

>
> root at qemu-host:/root> sesearch -SCA -s sysadm_t -t aide_t -c process -p ptrace
>
> root at qemu-host:/root> sesearch -SCA -t aide_t -c process -p ptrace
>
> root at qemu-host:/root>
>
> So how could sysadm_t have been granted above privileges without aide_admin(sysadm_t) being called explicitly?
>
> 4. Although secadm is able to run samhain, it is unable to remove an entry from /var/log/ or /var/lib/, so it can't remove samhain's log/log.lock or database files. On the other hand, although sysadm could manage /var/log/ and /var/lib/, their security levels are s0 while the samhain_log's security level is mls_systemhigh. Since sysadm_t does not belong to the mlsfilewrite attribute, it could not remove samhain_log from /var/log/. How could we solve such a catch-22 problem while SELinux is in enforcing mode?

Good point, it may be better to add samhain_admin to secadm instead of samhain_run after all. Not sure about the MLS complications though.

>
> Thanks a lot!
>
> Best regards,
> Harry
>

> From 55c5b47c17bcaf8688aabfe71482e235ffd50130 Mon Sep 17 00:00:00 2001
> From: Harry Ciao <[email protected]>
> Date: Mon, 8 Nov 2010 14:42:38 +0800
> Subject: [v2 PATCH 1/1] Add support for the samhain program.
>
> Add support for the samhain program.
>
> Note, extra privileges may need to be granted to the samhain domain
> if its default configuration file(/etc/samhainrc) is changed.
>
> The samhain program could be used in the following way:
>
> (In secadm_r role)
> 1. Initialize database:
> newrole -l s15:c0.c1023 -- -c "samhain -t init"
>
> 2. Start samhain deamon to check filesystem integrity
> newrole -l s15:c0.c1023 -- -c "samhain -t check -D"
>
> (In sysadm_r role)
> 1. Start samhain in daemon mode:
> run_init /etc/init.d/samhain start
>
> 2. Stop samhain daemon:
> run_init /etc/init.d/samhain stop
>
> 3. Check samhain daemon status:
> run_init /etc/init.d/samhain status
>
> Signed-off-by: Harry Ciao <[email protected]>
> ---
> policy/modules/services/samhain.fc | 13 +++
> policy/modules/services/samhain.if | 186 +++++++++++++++++++++++++++++++++++
> policy/modules/services/samhain.te | 114 +++++++++++++++++++++
> policy/modules/system/userdomain.if | 4 +
> 4 files changed, 317 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/samhain.fc
> create mode 100644 policy/modules/services/samhain.if
> create mode 100644 policy/modules/services/samhain.te
>
> diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc
> new file mode 100644
> index 0000000..b0ac8a5
> --- /dev/null
> +++ b/policy/modules/services/samhain.fc
> @@ -0,0 +1,13 @@
> +/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh)
> +
> +/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
> +
> +/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> +/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> +
> +/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
> +
> +/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> +/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> +
> +/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
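Review bot: the executables, the init script and /etc/samhainrc are all labelled mls_systemhigh, whereas refpolicy normally leaves executables, init scripts and config at the default s0 and lets init_ranged_daemon_domain() raise the daemon's range; keeping samhain_exec_t, samhain_initrc_exec_t and samhain_etc_t at s0 avoids making every reader at a lower level depend on an MLS read-up attribute, while the database, log, lock and pid files stay at mls_systemhigh as written. Two smaller points: /usr/sbin/samhain_setpwd is labelled samhain_exec_t, so executing it from a domain with samhain_domtrans() transitions into samhain_t although it is a standalone helper rather than the checker itself, and the commit message starts the service as /etc/init.d/samhain while the only init-script pattern here is /etc/rc\.d/init\.d/samhain, so the script is unlabelled on systems where /etc/init.d is not a symlink to /etc/rc.d/init.d.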
> diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if
> new file mode 100644
> index 0000000..275ef4b
> --- /dev/null
> +++ b/policy/modules/services/samhain.if
> @@ -0,0 +1,186 @@
> +## <summary>Samhain - check file integrity</summary>
> +
> +########################################
> +## <summary>
> +## Execute samhain in the samhain domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_domtrans',`
> + gen_require(`
> + type samhain_t, samhain_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, samhain_exec_t, samhain_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute samhain in the samhain domain, and
> +## allow the specifiled role the samhain domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed to access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_run',`
> + gen_require(`
> + type samhain_t;
> + ')
> +
> + samhain_domtrans($1)
> + role $2 types samhain_t;
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain configuration files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_config_files',`
> + gen_require(`
> + type samhain_etc_t;
> + ')
> +
> + files_search_etc($1)
> + manage_files_pattern($1, samhain_etc_t, samhain_etc_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain database files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_db_files',`
> + gen_require(`
> + type samhain_db_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, samhain_db_t, samhain_db_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain log and log.lock files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_log_files',`
> + gen_require(`
> + type samhain_log_t;
> + ')
> +
> + logging_search_logs($1)
> + manage_files_pattern($1, samhain_log_t, samhain_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain pid files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_pid_files',`
> + gen_require(`
> + type samhain_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
> +')
> +
> +#######################################
> +## <summary>
> +## Manage samhain rc script files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_rc_script_files',`
> + gen_require(`
> + type samhain_initrc_exec_t;
> + ')
> +
> + files_search_etc($1)
> + manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
> +')
> +
> +#######################################
> +## <summary>
> +## All of the rules required to administrate
> +## the samhain environment.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_admin',`
> + gen_require(`
> + type samhain_t, samhain_db_t, samhain_etc_t;
> + type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
> + role system_r;
> + ')
> +
> + allow $1 samhain_t:process { ptrace signal_perms };
> + ps_process_pattern($1, samhain_t)
> +
> + files_list_var_lib($1)
> + admin_pattern($1, samhain_db_t)
> +
> + files_list_etc($1)
> + admin_pattern($1, samhain_etc_t)
> + admin_pattern($1, samhain_initrc_exec_t)
> +
> + logging_list_logs($1)
> + admin_pattern($1, samhain_log_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, samhain_var_run_t)
> +
> + # The parent directories of samhain's database, log/log.lock files,
> + # pid files are of s0, while these files are of the clearance level.
> + mls_file_write_all_levels($1)
> +')
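Review bot: samhain_admin() documents a role parameter, carries the rolecap tag and requires role system_r, but its body never uses $2 or system_r, so the administrator gets the file rules and ptrace/signal rights yet no way to run samhain or its init script in that role. Other refpolicy admin interfaces fill that gap with `init_labeled_script_domtrans($1, samhain_initrc_exec_t)` followed by `role_transition $2 samhain_initrc_exec_t system_r;` and `allow $2 system_r;`, and calling samhain_run($1, $2) here as well would settle the samhain_run-versus-samhain_admin question raised in the thread. Either add those rules or drop the unused role parameter, the rolecap tag and the system_r require. Also, "specifiled" in the samhain_run() summary should read "specified".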
> diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
> new file mode 100644
> index 0000000..612795f
> --- /dev/null
> +++ b/policy/modules/services/samhain.te
> @@ -0,0 +1,114 @@
> +policy_module(samhain, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type samhain_etc_t;
> +files_config_file(samhain_etc_t)
> +
> +type samhain_log_t;
> +logging_log_file(samhain_log_t)
> +
> +# Filesystem signature database
> +type samhain_db_t;
> +files_type(samhain_db_t)
> +
> +type samhain_initrc_exec_t;
> +init_script_file(samhain_initrc_exec_t)
> +
> +type samhain_var_run_t;
> +files_pid_file(samhain_var_run_t)
> +
> +type samhain_t;
> +type samhain_exec_t;
> +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock };
> +dontaudit samhain_t self:capability sys_resource;
> +allow samhain_t self:fd use;
> +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon
> +allow samhain_t self:process { setsched setrlimit signal_perms };
> +
> +allow samhain_t samhain_etc_t:file read_file_perms;
> +
> +# Only needed when starting samhain daemon from its init script.
> +can_exec(samhain_t, samhain_exec_t)
> +
> +# Samhain needs to get the attribute of /proc/kcore.
> +kernel_getattr_core_if(samhain_t)
> +
> +corecmd_list_bin(samhain_t)
> +corecmd_read_bin_symlinks(samhain_t)
> +
> +# To get entropy
> +dev_read_urand(samhain_t)
> +dev_dontaudit_read_rand(samhain_t)
> +
> +domain_use_interactive_fds(samhain_t)
> +
> +files_search_etc(samhain_t)
> +
> +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
> +files_pid_filetrans(samhain_t, samhain_var_run_t, file)
> +
> +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
> +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
> +
> +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
> +logging_log_filetrans(samhain_t, samhain_log_t, file)
> +
> +# Samhain's pid, log and log.lock files are all in directories of s0,
> +# while samhain daemon is running with the clearance level.
> +mls_file_write_all_levels(samhain_t)
> +
> +# Read from utmp when monitoring login/logout events
> +auth_read_login_records(samhain_t)
> +
> +# Get the attributes of all kinds of files in the rootfs
> +dev_getattr_all_blk_files(samhain_t)
> +dev_getattr_all_chr_files(samhain_t)
> +dev_getattr_generic_blk_files(samhain_t)
> +dev_getattr_generic_chr_files(samhain_t)
> +
> +files_getattr_all_dirs(samhain_t)
> +files_getattr_all_files(samhain_t)
> +files_getattr_all_symlinks(samhain_t)
> +files_getattr_all_pipes(samhain_t)
> +files_getattr_all_sockets(samhain_t)
> +files_getattr_all_mountpoints(samhain_t)
> +
> +# Read from the file_type attribute and the lnk_file class
> +files_read_all_files(samhain_t)
> +files_read_all_symlinks(samhain_t)
> +
> +# Read from wtmp when monitoring login/logout events
> +init_read_utmp(samhain_t)
> +
> +# Get the attribute of other filesystem's mountpoint, such as /selinux
> +# /proc, /sys and /tmp, but not the contents inside, which suggests
> +# that following rules should be set in samhain configuration file:
> +# [Attributes]
> +# file = /tmp
> +# file = /proc
> +# file = /sys
> +# file = /selinux
> +# [IgnoreALL]
> +# dir = -1/tmp
> +# dir = -1/proc
> +# dir = -1/sys
> +# dir = -1/selinux
> +fs_getattr_all_dirs(samhain_t)
> +
> +# Get attribute of files with variant sensitivity levels
> +mls_file_read_all_levels(samhain_t)
> +
> +logging_send_syslog_msg(samhain_t)
> +
> +userdom_use_user_terminals(samhain_t)
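Review bot: dev_getattr_generic_blk_files() and dev_getattr_generic_chr_files() are redundant next to dev_getattr_all_blk_files() and dev_getattr_all_chr_files() on the lines above, since device_t carries the device_node attribute those interfaces target; the two generic calls can go. The two login-record comments are also swapped: auth_read_login_records() reads wtmp under /var/log, and init_read_utmp() reads /var/run/utmp, so "Read from utmp" should sit above init_read_utmp() and "Read from wtmp" above auth_read_login_records(). Minor: "termiate" in the signal_perms comment should be "terminate".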
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index ea7b47d..7a847eb 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1249,6 +1249,10 @@ template(`userdom_security_admin_template',`
> ')
>
> optional_policy(`
> + samhain_run($1, $2)
> + ')
> +
> + optional_policy(`
> consoletype_exec($1)
> ')
>
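Review bot: the new optional_policy block is inserted ahead of the consoletype_exec() block, but the optional_policy blocks in userdom_security_admin_template are kept in alphabetical order of module name, so the samhain block belongs further down among the entries starting with "s". Given question 4 in this thread, also consider whether this call should be samhain_admin($1, $2), which grants mls_file_write_all_levels() and the admin_pattern rules for the log and database types, rather than samhain_run(), which only allows the transition.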
> --
> 1.7.0.4
>


2010-11-16 07:03:21

by harrytaurus2002

Subject: [refpolicy] FW: Add support for the samhain program


Hi Dom,

Thanks for your answer! Now I am very clear on how sysadm is made able to read from all types of files except shadow_t. However, for the samhain case, I still think we should call it for the sysadm rather than the secadm, even though we had called samhain_run(secadm_t), just because samhain_admin() assumes that the calling domain is able to write to (remove an entry from) /var/log/ and /var/lib/, and so far only the sysadm can do that.

samhain_admin() would call mls_file_write_all_levels() for the calling domain, so that it is able to write to /var/lib/ or /var/log/, which are at s0, in order to delete the samhain files, which are at mls_systemhigh.

With samhain_admin(sysadm_t) the sysadm could remove the samhain files successfully with the following command:

newrole -l s15:c0.c1023 -p -- -c "rm /var/log/samhain_log"

Best regards,
Harry
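The MLS side of question 4 and of the mls_file_write_all_levels() explanation above, as an added model that is not part of this thread or of refpolicy: it transcribes the refpolicy file-write constraint in simplified form (l1 eq l2, mlsfilewritetoclr, mlsfilewrite, mlstrustedobject; type enforcement and the later mlsfilewriteinrange variant are left out) and evaluates "rm /var/log/samhain_log" for sysadm_t at s0, after newrole to s15:c0.c1023, and with the mlsfilewrite attribute. The Process and FsObject classes, and the levels and type names in the scenario, are constructed for the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """An MLS level: sensitivity plus a category set (e.g. s15:c0.c1023)."""
    sens: int
    cats: frozenset = frozenset()

    def dom(self, other: "Level") -> bool:
        """self dominates other: sensitivity >= and categories a superset."""
        return self.sens >= other.sens and other.cats <= self.cats


def parse_level(text: str) -> Level:
    """Parse 's0' or 's15:c0.c1023' (comma-separated categories and ranges)."""
    sens_part, _, cat_part = text.partition(":")
    cats = set()
    if cat_part:
        for item in cat_part.split(","):
            lo, _, hi = item.partition(".")
            lo_n = int(lo[1:])
            hi_n = int(hi[1:]) if hi else lo_n
            cats.update(range(lo_n, hi_n + 1))
    return Level(int(sens_part[1:]), frozenset(cats))


@dataclass(frozen=True)
class Process:
    """Subject side of the constraint (constructed model, not a kernel object)."""
    type_: str
    low: Level           # l1: current level
    high: Level          # h1: clearance
    attrs: frozenset     # MLS attributes, e.g. mlsfilewrite


@dataclass(frozen=True)
class FsObject:
    """Object side of the constraint (constructed model)."""
    type_: str
    level: Level                      # l2
    attrs: frozenset = frozenset()    # e.g. mlstrustedobject


def mls_write_ok(proc: Process, obj: FsObject) -> bool:
    """Simplified refpolicy MLS write constraint shared by file unlink and
    directory remove_name: equal levels, write-to-clearance, the
    mlsfilewrite attribute, or an MLS-trusted object."""
    l1, h1, l2 = proc.low, proc.high, obj.level
    return (
        l1 == l2
        or ("mlsfilewritetoclr" in proc.attrs and h1.dom(l2) and l2.dom(l1))
        or "mlsfilewrite" in proc.attrs
        or "mlstrustedobject" in obj.attrs
    )


def mls_unlink_ok(proc: Process, parent: FsObject, target: FsObject) -> bool:
    """rm needs remove_name on the parent directory and unlink on the file;
    both must pass the MLS write constraint (TE rules are not modelled)."""
    return mls_write_ok(proc, parent) and mls_write_ok(proc, target)


# Constructed scenario from question 4: /var/log is s0, samhain_log is mls_systemhigh.
S0 = parse_level("s0")
SYSTEMHIGH = parse_level("s15:c0.c1023")
VAR_LOG = FsObject("var_log_t", S0)
SAMHAIN_LOG = FsObject("samhain_log_t", SYSTEMHIGH)


def catch22_outcomes() -> dict:
    """Evaluate 'rm /var/log/samhain_log' for sysadm_t under three conditions."""
    at_s0 = Process("sysadm_t", S0, SYSTEMHIGH, frozenset())
    after_newrole = Process("sysadm_t", SYSTEMHIGH, SYSTEMHIGH, frozenset())
    with_admin = Process("sysadm_t", SYSTEMHIGH, SYSTEMHIGH, frozenset({"mlsfilewrite"}))
    return {
        # file at s15 is not l1 eq l2 -> unlink denied
        "s0, no mlsfilewrite": mls_unlink_ok(at_s0, VAR_LOG, SAMHAIN_LOG),
        # directory at s0 is not l1 eq l2 -> remove_name denied
        "s15:c0.c1023, no mlsfilewrite": mls_unlink_ok(after_newrole, VAR_LOG, SAMHAIN_LOG),
        # mls_file_write_all_levels() adds mlsfilewrite -> both checks pass
        "s15:c0.c1023 + mls_file_write_all_levels": mls_unlink_ok(with_admin, VAR_LOG, SAMHAIN_LOG),
    }


if __name__ == "__main__":
    for case, ok in catch22_outcomes().items():
        print(f"{case:45s} -> {'allowed' if ok else 'denied'}")
```

Only the first two branches fail in the constructed cases, which is the catch-22 in the thread: at s0 the file blocks the unlink, at mls_systemhigh the s0 parent directory blocks remove_name.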


> +
> + logging_list_logs($1)
> + admin_pattern($1, samhain_log_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, samhain_var_run_t)
> +
> + # The parent directories of samhain's database, log/log.lock files,
> + # pid files are of s0, while these files are of the clearance level.
> + mls_file_write_all_levels($1)
> +')
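
Review bot: samhain_admin takes a <param name="role">, is marked <rolecap/> and requires `role system_r;`, but the body never uses $2 or system_r, so a caller's role argument is silently ignored. Either drop the parameter and the requirement, or make the interface do what they imply, as other refpolicy admin interfaces do: call `samhain_run($1, $2)` so the administrator can invoke samhain directly, and hand over the init script with `init_labeled_script_domtrans($1, samhain_initrc_exec_t)`, `role_transition $2 samhain_initrc_exec_t system_r;` and `allow $2 system_r;`.
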
> diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
> new file mode 100644
> index 0000000..612795f
> --- /dev/null
> +++ b/policy/modules/services/samhain.te
> @@ -0,0 +1,114 @@
> +policy_module(samhain, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type samhain_etc_t;
> +files_config_file(samhain_etc_t)
> +
> +type samhain_log_t;
> +logging_log_file(samhain_log_t)
> +
> +# Filesystem signature database
> +type samhain_db_t;
> +files_type(samhain_db_t)
> +
> +type samhain_initrc_exec_t;
> +init_script_file(samhain_initrc_exec_t)
> +
> +type samhain_var_run_t;
> +files_pid_file(samhain_var_run_t)
> +
> +type samhain_t;
> +type samhain_exec_t;
> +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock };
> +dontaudit samhain_t self:capability sys_resource;
> +allow samhain_t self:fd use;
> +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon
> +allow samhain_t self:process { setsched setrlimit signal_perms };
> +
> +allow samhain_t samhain_etc_t:file read_file_perms;
> +
> +# Only needed when starting samhain daemon from its init script.
> +can_exec(samhain_t, samhain_exec_t)
> +
> +# Samhain needs to get the attribute of /proc/kcore.
> +kernel_getattr_core_if(samhain_t)
> +
> +corecmd_list_bin(samhain_t)
> +corecmd_read_bin_symlinks(samhain_t)
> +
> +# To get entropy
> +dev_read_urand(samhain_t)
> +dev_dontaudit_read_rand(samhain_t)
> +
> +domain_use_interactive_fds(samhain_t)
> +
> +files_search_etc(samhain_t)
> +
> +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
> +files_pid_filetrans(samhain_t, samhain_var_run_t, file)
> +
> +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
> +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
> +
> +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
> +logging_log_filetrans(samhain_t, samhain_log_t, file)
> +
> +# Samhain's pid, log and log.lock files are all in directories of s0,
> +# while samhain daemon is running with the clearance level.
> +mls_file_write_all_levels(samhain_t)
> +
> +# Read from utmp when monitoring login/logout events
> +auth_read_login_records(samhain_t)
> +
> +# Get the attributes of all kinds of files in the rootfs
> +dev_getattr_all_blk_files(samhain_t)
> +dev_getattr_all_chr_files(samhain_t)
> +dev_getattr_generic_blk_files(samhain_t)
> +dev_getattr_generic_chr_files(samhain_t)
> +
> +files_getattr_all_dirs(samhain_t)
> +files_getattr_all_files(samhain_t)
> +files_getattr_all_symlinks(samhain_t)
> +files_getattr_all_pipes(samhain_t)
> +files_getattr_all_sockets(samhain_t)
> +files_getattr_all_mountpoints(samhain_t)
> +
> +# Read from the file_type attribute and the lnk_file class
> +files_read_all_files(samhain_t)
> +files_read_all_symlinks(samhain_t)
> +
> +# Read from wtmp when monitoring login/logout events
> +init_read_utmp(samhain_t)
> +
> +# Get the attribute of other filesystem's mountpoint, such as /selinux
> +# /proc, /sys and /tmp, but not the contents inside, which suggests
> +# that following rules should be set in samhain configuration file:
> +# [Attributes]
> +# file = /tmp
> +# file = /proc
> +# file = /sys
> +# file = /selinux
> +# [IgnoreALL]
> +# dir = -1/tmp
> +# dir = -1/proc
> +# dir = -1/sys
> +# dir = -1/selinux
> +fs_getattr_all_dirs(samhain_t)
> +
> +# Get attribute of files with variant sensitivity levels
> +mls_file_read_all_levels(samhain_t)
> +
> +logging_send_syslog_msg(samhain_t)
> +
> +userdom_use_user_terminals(samhain_t)
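
Review bot: the comments on the two login-record rules are swapped: auth_read_login_records() is the interface for wtmp (wtmp_t under /var/log), while init_read_utmp() reads /var/run/utmp, so "# Read from utmp" belongs above init_read_utmp and "# Read from wtmp" above auth_read_login_records. A second problem is the `{ file dir }` argument to files_var_lib_filetrans(): it labels a newly created /var/lib/samhain directory samhain_db_t, but manage_files_pattern() only grants rw_dir_perms on samhain_db_t directories, not create or rmdir, so the daemon cannot actually create that directory; add `manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)`.
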
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index ea7b47d..7a847eb 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1249,6 +1249,10 @@ template(`userdom_security_admin_template',`
> ')
>
> optional_policy(`
> + samhain_run($1, $2)
> + ')
> +
> + optional_policy(`
> consoletype_exec($1)
> ')
>
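
Review bot: the new block is placed ahead of consoletype_exec($1), but refpolicy keeps optional_policy() blocks in alphabetical order by module, and samhain sorts after consoletype; move it down to its alphabetical position. Also note what this grant covers: samhain_run($1, $2) gives the security administrator the domain transition and the role authorization for samhain_t only, none of the log, database or pid file access from samhain_admin, so secadm can run samhain here but cannot remove what it produces.
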
> --
> 1.7.0.4
>



2010-11-16 07:11:25

by harrytaurus2002

Subject: [refpolicy] FW: Add support for the samhain program


Hi Chris,

The attached is v3 of the samhain.pp; I have kept improving it according to the suggestions from Dominick Grift. Now the sysadm and secadm can have full control over the whole samhain application.

Any other comments?

Thanks a lot!

Best regards,
Harry


From: [email protected]
To: domg472 at gmail.com; refpolicy at oss.tresys.com
Date: Tue, 16 Nov 2010 07:03:21 +0000
Subject: Re: [refpolicy] FW: Add support for the samhain program

Hi Dom,

Thanks for your answer! Now it is very clear to me how sysadm is made able to read all types of files except shadow_t. However, for the samhain case, I still think we should call it for the sysadm rather than the secadm, even though we have called samhain_run(secadm_t), just because samhain_admin() assumes that the calling domain is already able to write to (remove an entry from) /var/log/ and /var/lib/, and so far only the sysadm can do that.

samhain_admin() calls mls_file_write_all_levels() for the calling domain, so that it is able to write to /var/lib/ or /var/log/, which are at s0, in order to delete the samhain files, which are at mls_systemhigh.

With samhain_admin(sysadm_t) the sysadm is able to remove samhain files successfully with the following command:

newrole -l s15:c0.c1023 -p -- -c "rm /var/log/samhain_log"

Best regards,
Harry


Date: Mon, 15 Nov 2010 13:35:23 +0100
From: domg472 at gmail.com
To: refpolicy at oss.tresys.com
Subject: Re: [refpolicy] FW: Add support for the samhain program

On Mon, Nov 15, 2010 at 01:54:58AM +0000, HarryCiao wrote:
>
> > > From: harrytaurus2002 at hotmail.com
> > > To: refpolicy at oss.tresys.com
> > > Date: Tue, 9 Nov 2010 03:33:24 +0000
> > > Subject: [refpolicy] Add support for the samhain program
> > >
> > >
> > > Hi SELinux experts:
> > >
> > > I have tried to add support for the samhain program, which is used to check filesystem integrity. Please help comment on the attached implementation of the samhain.pp, many thanks!
> > >
> > > I have tested it on the samhain-2.5.5 package with the default configuration by the follow commands, and samhain could detect changes as to be monitored in its configuration file (/etc/samhainrc):
> > >
> > > (In sysadm_r role, install samhain.pp and update sysadm.pp)
> > > 1. Initialize database:
> > > newrole -l s15:c0.c1023 -- -c "samhain -t init"
> > >
> > > 2. Check samhain daemon status:
> > > run_init /etc/init.d/samhain status
> > >
> > > 3. Start samhain in daemon mode:
> > > run_init /etc/init.d/samhain start
> > > or,
> > > newrole -l s15:c0.c1023 -- -c "samhain -t check -D"
> > >
> > > 4. Stop samhain daemon:
> > > run_init /etc/init.d/samhain stop
> > >
> > >
> > > Two more questions:
> > > 1. sysadm or secadm, who is a better choice to call samhain_admin() for? sysadm could manage /var/log/, /var/lib/ already but doesn't belong to the mlsfilewrite attribute, well secadm has the opposite abilities.
>
> I think you can compare samhain to aide and so you can look how it's dealt with in aide's case.
> In aide's case secadm calls aide_run() and so that is what I would do as well.
>
>
> Hi Dom,
>
> This is the v2 version of the samhain.pp patch. I have added the call of the samhain_run() interface in userdom_security_admin_template(), so that when MLS is enabled the secadm would be able to run it. Since the samhain application provides an init script, the sysadm would also be able to start/stop/query its status with the run_init tool.
>
> Also I have some follow-up questions for the aide_admin or samhain_admin interfaces:
>
> 1. aide_admin() is not used by any kind of administrator; should we define such an unused interface in the .if file?

Yes, because then end-users can use it in their custom modules. If we would by default create admin roles for each server we would end up with many role modules and most of them would probably not be used. By at least providing access to the interface we don't install it by default but we still make it available.

>
> 2. I know aide_run() is called by the userdom_security_admin_template(), so sysadm or secadm would be able to run the aide program when the MLS feature is enabled or not respectively. Why has aide_admin() not been called there along with aide_run()?


I am not sure why aide_run wasn't added to aide_admin, and aide_admin was called in sysadm and secadm instead of aide_run. I guess adding aide_run() to aide_admin and then replacing aide_run by aide_admin in sysadm and secadm would be a better idea. Although for sysadm it doesn't really matter because sysadm can manage all files except shadow.

>
> 3. Moreover, I don't get it so far: although aide_admin() has not been called for sysadm, with the sesearch tool I can see that sysadm seems to have been granted the privileges of admin_pattern(sysadm_t, aide_db_t) and admin_pattern(sysadm_t, aide_log_t), for example:

sysadm can manage/relabel all files except shadow (see userdom_admin_user_template)

>
> allow sysadm_t aide_log_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
> allow sysadm_t aide_log_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
> ......
>
> allow sysadm_t aide_db_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
> allow sysadm_t aide_db_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
> ......
>
> Also, no admin domain has the ptrace privilege on the aide_t domain, which means aide_admin() has not actually been called for sysadm_t:

auth_manage_all_files_except_shadow($1_t)
auth_relabel_all_files_except_shadow($1_t)

was called from userdom_admin_user_template, which in turn was called by sysadm

>
> root at qemu-host:/root> sesearch -SCA -s sysadm_t -t aide_t -c process -p ptrace
>
> root at qemu-host:/root> sesearch -SCA -t aide_t -c process -p ptrace
>
> root at qemu-host:/root>
>
> So how could sysadm_t have been granted above privileges without aide_admin(sysadm_t) being called explicitly?
>
> 4. Although secadm is able to run samhain, it is unable to remove an entry from /var/log/ or /var/lib/, so it can't remove samhain's log/log.lock or database files. On the other hand, although sysadm could manage /var/log/ and /var/lib/, their security levels are s0 while the samhain_log's security level is mls_systemhigh. Since sysadm_t does not belong to the mlsfilewrite attribute, it could not remove samhain_log from /var/log/. How could we solve such a catch-22 problem while SELinux is in enforcing mode?

Good point, it may be better to add samhain_admin to secadm instead of samhain_run after all. Not sure about the MLS complications though.

>
> Thanks a lot!
>
> Best regards,
> Harry
>

> From 55c5b47c17bcaf8688aabfe71482e235ffd50130 Mon Sep 17 00:00:00 2001
> From: Harry Ciao <[email protected]>
> Date: Mon, 8 Nov 2010 14:42:38 +0800
> Subject: [v2 PATCH 1/1] Add support for the samhain program.
>
> Add support for the samhain program.
>
> Note, extra privileges may need to be granted to the samhain domain
> if its default configuration file(/etc/samhainrc) is changed.
>
> The samhain program could be used in the following way:
>
> (In secadm_r role)
> 1. Initialize database:
> newrole -l s15:c0.c1023 -- -c "samhain -t init"
>
> 2. Start samhain daemon to check filesystem integrity
> newrole -l s15:c0.c1023 -- -c "samhain -t check -D"
>
> (In sysadm_r role)
> 1. Start samhain in daemon mode:
> run_init /etc/init.d/samhain start
>
> 2. Stop samhain daemon:
> run_init /etc/init.d/samhain stop
>
> 3. Check samhain daemon status:
> run_init /etc/init.d/samhain status
>
> Signed-off-by: Harry Ciao <[email protected]>
> ---
> policy/modules/services/samhain.fc | 13 +++
> policy/modules/services/samhain.if | 186 +++++++++++++++++++++++++++++++++++
> policy/modules/services/samhain.te | 114 +++++++++++++++++++++
> policy/modules/system/userdomain.if | 4 +
> 4 files changed, 317 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/samhain.fc
> create mode 100644 policy/modules/services/samhain.if
> create mode 100644 policy/modules/services/samhain.te
>
> diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc
> new file mode 100644
> index 0000000..b0ac8a5
> --- /dev/null
> +++ b/policy/modules/services/samhain.fc
> @@ -0,0 +1,13 @@
> +/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh)
> +
> +/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
> +
> +/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> +/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> +
> +/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
> +
> +/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> +/var/log/samhain_l
og\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> +
> +/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
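
Review bot: every entry is labeled mls_systemhigh, including the init script, /etc/samhainrc and both executables under /usr/sbin. Nothing in those files is sensitive, and under MLS a subject cannot read up, so labelling them at the high level means any caller whose level is below systemhigh cannot read the configuration or execute the binary; omit the level for those entries (gen_context then defaults to s0) and keep mls_systemhigh only for the database, log and pid files the daemon creates at its own clearance.
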
> diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if
> new file mode 100644
> index 0000000..275ef4b
> --- /dev/null
> +++ b/policy/modules/services/samhain.if
> @@ -0,0 +1,186 @@
> +## <summary>Samhain - check file integrity</summary>
> +
> +########################################
> +## <summary>
> +## Execute samhain in the samhain domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_domtrans',`
> + gen_require(`
> + type samhain_t, samhain_exec_t;
> + ')
> +
> + c
orecmd_search_bin($1)
> + domtrans_pattern($1, samhain_exec_t, samhain_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute samhain in the samhain domain, and
> +## allow the specifiled role the samhain domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed to access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_run',`
> + gen_require(`
> + type samhain_t;
> + ')
> +
> + samhain_domtrans($1)
> + role $2 types samhain_t;
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain co
nfiguration files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_config_files',`
> + gen_require(`
> + type samhain_etc_t;
> + ')
> +
> + files_search_etc($1)
> + manage_files_pattern($1, samhain_etc_t, samhain_etc_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain database files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_db_files',`
> + gen_require(`
> + type samhain_db_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, samhain_db
_t, samhain_db_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain log and log.lock files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_log_files',`
> + gen_require(`
> + type samhain_log_t;
> + ')
> +
> + logging_search_logs($1)
> + manage_files_pattern($1, samhain_log_t, samhain_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain pid files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_pid_files',`
> + g
en_require(`
> + type samhain_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
> +')
> +
> +#######################################
> +## <summary>
> +## Manage samhain rc script files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_rc_script_files',`
> + gen_require(`
> + type samhain_initrc_exec_t;
> + ')
> +
> + files_search_etc($1)
> + manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
> +')
> +
> +#######################################
> +## <summary>
> +## All of the rules required to administrate
> +## the samhain environment.
> +## </summary>> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_admin',`
> + gen_require(`
> + type samhain_t, samhain_db_t, samhain_etc_t;
> + type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
> + role system_r;
> + ')
> +
> + allow $1 samhain_t:process { ptrace signal_perms };
> + ps_process_pattern($1, samhain_t)
> +
> + files_list_var_lib($1)
> + admin_pattern($1, samhain_db_t)
> +
> + files_list_etc($1)
> + admin_pattern($1, samhain_etc_t)
> + admin_pattern($1, samhain_initrc_exec_t)
> +
> + logging_list_logs($1)
> + admin_pattern($1, s
amhain_log_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, samhain_var_run_t)
> +
> + # The parent directories of samhain's database, log/log.lock files,
> + # pid files are of s0, while these files are of the clearance level.
> + mls_file_write_all_levels($1)
> +')
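
Review bot: samhain_manage_db_files() only covers the file class, yet the file context labels the /var/lib/samhain directory itself samhain_db_t, so a caller can manage entries inside the directory but cannot create or remove the directory; add `manage_dirs_pattern($1, samhain_db_t, samhain_db_t)` next to the manage_files_pattern call, as refpolicy's other manage_*_files interfaces do for types that label a directory tree. Minor: "specifiled" in the samhain_run summary should read "specified".
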
> diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
> new file mode 100644
> index 0000000..612795f
> --- /dev/null
> +++ b/policy/modules/services/samhain.te
> @@ -0,0 +1,114 @@
> +policy_module(samhain, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type samhain_etc_t;
> +files_config_file(samhain_etc_t)
> +
> +type samhain_log_t;
> +logging_log_file(samhain_log_t)
> +
> +# Filesystem signature database
> +type samhain_db_t;
> +files_type(samhain_db_t)<
br>> +
> +type samhain_initrc_exec_t;
> +init_script_file(samhain_initrc_exec_t)
> +
> +type samhain_var_run_t;
> +files_pid_file(samhain_var_run_t)
> +
> +type samhain_t;
> +type samhain_exec_t;
> +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock };
> +dontaudit samhain_t self:capability sys_resource;
> +allow samhain_t self:fd use;
> +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon
> +allow samhain_t self:process { setsched setrlimit signal_perms };
> +
> +allow samhain_t samhain_etc_t:file read_file_perms;
> +
> +# Only needed when starting samhain daemon from its init script.
> +can_exec(samhain_t, samhain_exec_t)> +
> +# Samhain needs to get the attribute of /proc/kcore.
> +kernel_getattr_core_if(samhain_t)
> +
> +corecmd_list_bin(samhain_t)
> +corecmd_read_bin_symlinks(samhain_t)
> +
> +# To get entropy
> +dev_read_urand(samhain_t)
> +dev_dontaudit_read_rand(samhain_t)
> +
> +domain_use_interactive_fds(samhain_t)
> +
> +files_search_etc(samhain_t)
> +
> +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
> +files_pid_filetrans(samhain_t, samhain_var_run_t, file)
> +
> +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
> +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
> +
> +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
> +logging_log_filetrans(samhain_t, samhain_log_t, file)
> +
> +# Samhain's pid, log and log.lock files are all in directories of s0,
> +# while samhain
daemon is running with the clearance level.
> +mls_file_write_all_levels(samhain_t)
> +
> +# Read from utmp when monitoring login/logout events
> +auth_read_login_records(samhain_t)
> +
> +# Get the attributes of all kinds of files in the rootfs
> +dev_getattr_all_blk_files(samhain_t)
> +dev_getattr_all_chr_files(samhain_t)
> +dev_getattr_generic_blk_files(samhain_t)
> +dev_getattr_generic_chr_files(samhain_t)
> +
> +files_getattr_all_dirs(samhain_t)
> +files_getattr_all_files(samhain_t)
> +files_getattr_all_symlinks(samhain_t)
> +files_getattr_all_pipes(samhain_t)
> +files_getattr_all_sockets(samhain_t)
> +files_getattr_all_mountpoints(samhain_t)
> +
> +# Read from the file_type attribute and the lnk_file class
> +files_read_all_files(samhain_t)
> +files_read_all_symlinks(samhain_t)
> +
> +# Read from wtmp when monitoring login/logout eve
nts
> +init_read_utmp(samhain_t)
> +
> +# Get the attribute of other filesystem's mountpoint, such as /selinux
> +# /proc, /sys and /tmp, but not the contents inside, which suggests
> +# that following rules should be set in samhain configuration file:
> +# [Attributes]
> +# file = /tmp
> +# file = /proc
> +# file = /sys
> +# file = /selinux
> +# [IgnoreALL]
> +# dir = -1/tmp
> +# dir = -1/proc
> +# dir = -1/sys
> +# dir = -1/selinux
> +fs_getattr_all_dirs(samhain_t)
> +
> +# Get attribute of files with variant sensitivity levels
> +mls_file_read_all_levels(samhain_t)
> +
> +logging_send_syslog_msg(samhain_t)
> +
> +userdom_use_user_terminals(samhain_t)
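
Review bot: files_read_all_files(samhain_t) grants read on every file_type, and that includes shadow_t, so this domain can read /etc/shadow; for an integrity checker that is the point, but it should be stated in a comment, and refpolicy's neverallow on shadow_t reads requires the domain to carry can_read_shadow_passwords, which auth_can_read_shadow_passwords(samhain_t) adds. Minor: "termiate" in the signal_perms comment should read "terminate", and the dev_getattr_generic_{blk,chr}_files() calls are already covered by the dev_getattr_all_{blk,chr}_files() calls above them.
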
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index ea7b47d..7a847eb 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1249,6 +1249,10 @@ template(`userdom_security_admin_template',`
> ')
>
> optional_policy(`
> + samhain_run($1, $2)
> + ')
> +
> + optional_policy(`
> consoletype_exec($1)
> ')
>
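
Review bot: this is the block Dominick's reply in this thread suggests reconsidering, and the v2 interface definitions show why: samhain_run($1, $2) gives secadm the transition into samhain_t, while samhain_admin never calls samhain_run, so neither interface alone gives a role the ability to both run samhain and clean up its files. Make samhain_admin call samhain_run($1, $2) and call samhain_admin here, and place the block in alphabetical order among the optional_policy() blocks (samhain sorts after consoletype, not before it).
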
> --
> 1.7.0.4
>



2010-11-17 14:02:40

by cpebenito

Subject: [refpolicy] FW: Add support for the samhain program

On 11/16/10 02:11, HarryCiao wrote:
> Hi Chris,
>
> The attached is the v3 of the samhain.pp, I have been keeping improving
> it according to the suggestions from Dominick Grift. Now the sysadm and
> secadm could have a full control over the whole samhain application.
>
> Any other comments?

Comments inline.

> From 05eb3e1893917d5fbc83daddd37edb003281bd1d Mon Sep 17 00:00:00 2001
> From: Harry Ciao <[email protected]>
> Date: Mon, 8 Nov 2010 14:42:38 +0800
> Subject: [v3 PATCH 1/1] Add support for the samhain program.
>
> Note, extra privileges may need to be granted to the samhain domain
> if its configuration file(/etc/samhainrc) is changed.
>
> The samhain program could be used in the following way:
>
> (In secadm_r role)
> 1. Initialize filesystem signature database:
> newrole -l s15:c0.c1023 -p -- -c "samhain -t init"
>
> 2. Start samhain daemon to check filesystem integrity
> newrole -l s15:c0.c1023 -p -- -c "samhain -t check -D"
>
> 3. Update filesystem signature database:
> newrole -l s15:c0.c1023 -p -- -c "samhain -t update"

Sounds like there needs to be a range_transition in the run interface.

> (In sysadm_r role)
> 1. Start samhain in daemon mode:
> run_init /etc/init.d/samhain start
>
> 2. Stop samhain daemon:
> run_init /etc/init.d/samhain stop
>
> 3. Check samhain daemon status:
> run_init /etc/init.d/samhain status
>
> 4. Read/write samhain log files:
> newrole -l s15:c0.c1023 -p -- -c "cat /var/log/samhain_log"
> newrole -l s15:c0.c1023 -p -- -c "rm /var/log/samhain_log"
>
> 5. Remove samhain database files
> newrole -l s15:c0.c1023 -p -- -c "rm /var/lib/samhain/samhain_file"
>
> Note:
> 1. Stop samhain daemon before updating signature database.
> 2. Don't try to start samhain daemon twice.
>
> Signed-off-by: Harry Ciao <[email protected]>
> ---
> policy/modules/roles/sysadm.te | 4 +
> policy/modules/services/samhain.fc | 13 +++
> policy/modules/services/samhain.if | 186 +++++++++++++++++++++++++++++++++++
> policy/modules/services/samhain.te | 114 +++++++++++++++++++++
> policy/modules/system/userdomain.if | 4 +
> 5 files changed, 321 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/samhain.fc
> create mode 100644 policy/modules/services/samhain.if
> create mode 100644 policy/modules/services/samhain.te
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index d5e88be..0655d95 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -290,6 +290,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + samhain_admin(sysadm_t)
> +')
> +
> +optional_policy(`
> screen_role_template(sysadm, sysadm_r, sysadm_t)
> ')
>
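
Review bot: samhain_admin(sysadm_t) grants more than "all of the rules required to administrate the samhain environment", because the interface ends with mls_file_write_all_levels($1) (visible in the v2 samhain.if earlier in the thread, and explained in Harry's 16 Nov message as the way to delete entries from /var/log and /var/lib). That adds sysadm_t to the mlsfilewrite attribute system-wide, letting it write and unlink files at every level, not only samhain's. A policy-wide MLS exemption should not be an unremarked side effect of an optional_policy() block: either document it here and in the interface's <desc>, or keep samhain_admin to samhain's own types and decide the MLS exemption for sysadm separately and explicitly.
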
> diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc
> new file mode 100644
> index 0000000..b0ac8a5
> --- /dev/null
> +++ b/policy/modules/services/samhain.fc
> @@ -0,0 +1,13 @@
> +/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh)

This should be s0, as there is nothing sensitive about this file.

> +/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)

Unless there is sensitive info in this file, it should be s0.

> +/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> +/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)

Same thing, s0.

> +/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
> +
> +/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> +/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> +
> +/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
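
Review bot: /usr/sbin/samhain_setpwd is labeled samhain_exec_t, so executing it transitions into samhain_t; if samhain_setpwd is the helper that embeds a password by writing a new copy of the samhain executable (it is not the daemon), samhain_t has no rule permitting it to write such a file and the run will be denied. Unless that invocation has been tested, leave samhain_setpwd out of the fc (it then stays bin_t with no transition) or give it a type of its own.
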
> diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if
> new file mode 100644
> index 0000000..a7f2a48
> --- /dev/null
> +++ b/policy/modules/services/samhain.if
> @@ -0,0 +1,186 @@
> +## <summary>Samhain - check file integrity</summary>
> +
> +########################################
> +## <summary>
> +## Execute samhain in the samhain domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_domtrans',`
> + gen_require(`
> + type samhain_t, samhain_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, samhain_exec_t, samhain_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute samhain in the samhain domain, and
> +## allow the specifiled role the samhain domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed to access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_run',`
> + gen_require(`
> + type samhain_t;
> + ')
> +
> + samhain_domtrans($1)
> + role $2 types samhain_t;
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain configuration files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_config_files',`
> + gen_require(`
> + type samhain_etc_t;
> + ')
> +
> + files_search_etc($1)
> + manage_files_pattern($1, samhain_etc_t, samhain_etc_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain database files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_db_files',`
> + gen_require(`
> + type samhain_db_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, samhain_db_t, samhain_db_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain log and log.lock files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_log_files',`
> + gen_require(`
> + type samhain_log_t;
> + ')
> +
> + logging_search_logs($1)
> + manage_files_pattern($1, samhain_log_t, samhain_log_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage samhain pid files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_pid_files',`
> + gen_require(`
> + type samhain_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
> +')
> +
> +#######################################
> +## <summary>
> +## Manage samhain rc script files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_manage_rc_script_files',`

samhain_manage_init_script_files()

> + gen_require(`
> + type samhain_initrc_exec_t;
> + ')
> +
> + files_search_etc($1)
> + manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
> +')
> +
> +#######################################
> +## <summary>
> +## All of the rules required to administrate
> +## the samhain environment.
> +## </summary>
> +## <desc>
> +## <p>
> +## This interface makes the calling domain able to
> +## ptrace and send signals to the samhain domain,
> +## also able to manage all samhain userspace files,
> +## but assumes that the calling domain has been able to
> +## remove an entry from /var/lib/ or /var/log/.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samhain_admin',`
> + gen_require(`
> + type samhain_t, samhain_db_t, samhain_etc_t;
> + type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
> + ')
> +
> + allow $1 samhain_t:process { ptrace signal_perms };
> + ps_process_pattern($1, samhain_t)
> +
> + files_list_var_lib($1)
> + admin_pattern($1, samhain_db_t)
> +
> + files_list_etc($1)
> + admin_pattern($1, samhain_etc_t)
> + admin_pattern($1, samhain_initrc_exec_t)
> +
> + logging_list_logs($1)
> + admin_pattern($1, samhain_log_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, samhain_var_run_t)
> +
> + mls_file_write_all_levels($1)

No. The caller needs to pass MLS constraints on its own. This is too
big of a privilege.

> +')
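Review bot: samhain_admin grants admin_pattern on samhain_initrc_exec_t but never gives the caller a labelled domain transition through the init script, so an administrator still has to go through run_init, as the usage notes in this thread show. The admin interfaces of other refpolicy modules take the role as a second parameter and add `init_labeled_script_domtrans($1, samhain_initrc_exec_t)`, `domain_system_change_exemption($1)`, `role_transition $2 samhain_initrc_exec_t system_r;` and `allow $2 system_r;`; the same shape would fit here. Two smaller points in this hunk: the samhain_run summary has "specifiled" for "specified", and the `#` separator lines above samhain_manage_rc_script_files and samhain_admin are one character shorter than the others in the file.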
> diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
> new file mode 100644
> index 0000000..612795f
> --- /dev/null
> +++ b/policy/modules/services/samhain.te
> @@ -0,0 +1,114 @@
> +policy_module(samhain, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type samhain_etc_t;
> +files_config_file(samhain_etc_t)
> +
> +type samhain_log_t;
> +logging_log_file(samhain_log_t)
> +
> +# Filesystem signature database
> +type samhain_db_t;
> +files_type(samhain_db_t)
> +
> +type samhain_initrc_exec_t;
> +init_script_file(samhain_initrc_exec_t)
> +
> +type samhain_var_run_t;
> +files_pid_file(samhain_var_run_t)
> +
> +type samhain_t;
> +type samhain_exec_t;
> +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh)

Needs a new domain. There should be a domain for this as a service, and
a domain for command line access. Then hopefully that should allow the
service to only be allowed read-only access to the database.

> +########################################
> +#
> +# Local policy
> +#
> +
> +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock };
> +dontaudit samhain_t self:capability sys_resource;
> +allow samhain_t self:fd use;
> +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon
> +allow samhain_t self:process { setsched setrlimit signal_perms };
> +
> +allow samhain_t samhain_etc_t:file read_file_perms;
> +
> +# Only needed when starting samhain daemon from its init script.
> +can_exec(samhain_t, samhain_exec_t)
> +
> +# Samhain needs to get the attribute of /proc/kcore.
> +kernel_getattr_core_if(samhain_t)
> +
> +corecmd_list_bin(samhain_t)
> +corecmd_read_bin_symlinks(samhain_t)
> +
> +# To get entropy
> +dev_read_urand(samhain_t)
> +dev_dontaudit_read_rand(samhain_t)
> +
> +domain_use_interactive_fds(samhain_t)
> +
> +files_search_etc(samhain_t)
> +
> +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
> +files_pid_filetrans(samhain_t, samhain_var_run_t, file)
> +
> +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
> +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
> +
> +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
> +logging_log_filetrans(samhain_t, samhain_log_t, file)
> +
> +# Samhain's pid, log and log.lock files are all in directories of s0,
> +# while samhain daemon is running with the clearance level.
> +mls_file_write_all_levels(samhain_t)
> +
> +# Read from utmp when monitoring login/logout events
> +auth_read_login_records(samhain_t)
> +
> +# Get the attributes of all kinds of files in the rootfs
> +dev_getattr_all_blk_files(samhain_t)
> +dev_getattr_all_chr_files(samhain_t)
> +dev_getattr_generic_blk_files(samhain_t)
> +dev_getattr_generic_chr_files(samhain_t)
> +
> +files_getattr_all_dirs(samhain_t)
> +files_getattr_all_files(samhain_t)
> +files_getattr_all_symlinks(samhain_t)
> +files_getattr_all_pipes(samhain_t)
> +files_getattr_all_sockets(samhain_t)
> +files_getattr_all_mountpoints(samhain_t)
> +
> +# Read from the file_type attribute and the lnk_file class
> +files_read_all_files(samhain_t)
> +files_read_all_symlinks(samhain_t)
> +
> +# Read from wtmp when monitoring login/logout events
> +init_read_utmp(samhain_t)
> +
> +# Get the attribute of other filesystem's mountpoint, such as /selinux
> +# /proc, /sys and /tmp, but not the contents inside, which suggests
> +# that following rules should be set in samhain configuration file:
> +# [Attributes]
> +# file = /tmp
> +# file = /proc
> +# file = /sys
> +# file = /selinux
> +# [IgnoreALL]
> +# dir = -1/tmp
> +# dir = -1/proc
> +# dir = -1/sys
> +# dir = -1/selinux
> +fs_getattr_all_dirs(samhain_t)
> +
> +# Get attribute of files with variant sensitivity levels
> +mls_file_read_all_levels(samhain_t)

If the service is running at system high, I wouldn't expect that this is
necessary.

> +logging_send_syslog_msg(samhain_t)
> +
> +userdom_use_user_terminals(samhain_t)
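Review bot: `files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })` lets samhain_t create a directory that is labelled samhain_db_t, but the only access granted on samhain_db_t is `manage_files_pattern`, which does not include `dir create`, so creating /var/lib/samhain itself (labelled samhain_db_t by the .fc) would be denied. Either add `manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)` or drop `dir` from the transition. Also, `dac_override` and `dac_read_search` are both granted on self:capability; the rules below only read files samhain does not own (`files_read_all_files`, the `getattr` calls), for which `dac_read_search` alone is enough, so `dac_override` could be dontaudited instead. The comment above the signal_perms rule has "termiate" for "terminate".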
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index ea7b47d..7a847eb 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1249,6 +1249,10 @@ template(`userdom_security_admin_template',`
> ')
>
> optional_policy(`
> + samhain_run($1, $2)
> + ')
> +
> + optional_policy(`
> consoletype_exec($1)
> ')
>
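Review bot: the new optional_policy block is inserted ahead of the `consoletype_exec($1)` block, which breaks the alphabetical order refpolicy keeps for optional_policy blocks in userdom_security_admin_template; move it down to where a module named samhain sorts. Separately, this gives secadm samhain_run only; whether secadm should also get samhain_admin, so that the role which creates the database can also manage its files, is the open question in the thread and is worth settling in the same patch.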
> --
> 1.7.0.4


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-11-18 06:33:11

by harrytaurus2002

[permalink] [raw]
Subject: [refpolicy] FW: Add support for the samhain program


Many thanks Chris! Please see my inline responses and the attached v4 of samhain.pp.


> Date: Wed, 17 Nov 2010 09:02:40 -0500
> From: cpebenito at tresys.com
> To: harrytaurus2002 at hotmail.com
> CC: domg472 at gmail.com; refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] FW: Add support for the samhain program
>
> On 11/16/10 02:11, HarryCiao wrote:
> > Hi Chris,
> >
> > The attached is the v3 of the samhain.pp, I have been keeping improving
> > it according to the suggestions from Dominick Grift. Now the sysadm and
> > secadm could have a full control over the whole samhain application.
> >
> > Any other comments?
>
> Comments inline.
>
> > From 05eb3e1893917d5fbc83daddd37edb003281bd1d Mon Sep 17 00:00:00 2001
> > From: Harry Ciao <[email protected]>
> > Date: Mon, 8 Nov 2010 14:42:38 +0800
> > Subject: [v3 PATCH 1/1] Add support for the samhain program.
> >
> > Note, extra privileges may need to be granted to the samhain domain
> > if its configuration file(/etc/samhainrc) is changed.
> >
> > The samhain program could be used in the following way:
> >
> > (In secadm_r role)
> > 1. Initialize filesystem signature database:
> > newrole -l s15:c0.c1023 -p -- -c "samhain -t init"
> >
> > 2. Start samhain deamon to check filesystem integrity
> > newrole -l s15:c0.c1023 -p -- -c "samhain -t check -D"
> >
> > 3. Update filesystem signature database:
> > newrole -l s15:c0.c1023 -p -- -c "samhain -t update"
>
> Sounds like there needs to be a range_transition in the run interface.

Right, I have added the range_transition rule below to the samhain_run() interface to make the samhain domain run at the clearance security level:

ifdef(`enable_mls', `
range_transition $1 samhain_exec_t:process mls_systemhigh;
')

However, since secadm_t belongs to neither the mlsprocsetsl nor the privrangetrans attribute, the MLS constraint for the process transition will fail if secadm tries to run samhain at s0 from the command line, so secadm would still have to fall back on the newrole program to switch to the clearance level.

But the range_transition rule above would make the samhain domain run at the clearance level, so I think it's desirable to have it :-)

Also, if we don't use the range_transition rule above in the run interface, I guess having the samhain executable labeled mls_systemhigh, as I used to do, could also force the calling domain to have the clearance level.

(there are more responses below...)

>
> > (In sysadm_r role)
> > 1. Start samhain in daemon mode:
> > run_init /etc/init.d/samhain start
> >
> > 2. Stop samhain daemon:
> > run_init /etc/init.d/samhain stop
> >
> > 3. Check samhain daemon status:
> > run_init /etc/init.d/samhain status
> >
> > 4. Read/write samhain log files:
> > newrole -l s15:c0.c1023 -p -- -c "cat /var/log/samhain_log"
> > newrole -l s15:c0.c1023 -p -- -c "rm /var/log/samhain_log"
> >
> > 5. Remove samhain database files
> > newrole -l s15:c0.c1023 -p -- -c "rm /var/lib/samhain/samhain_file"
> >
> > Note:
> > 1. Stop samhain daemon before updating signature database.
> > 2. Don't try to start samhain daemon twice.
> >
> > Signed-off-by: Harry Ciao <[email protected]>
> > ---
> > policy/modules/roles/sysadm.te | 4 +
> > policy/modules/services/samhain.fc | 13 +++
> > policy/modules/services/samhain.if | 186 +++++++++++++++++++++++++++++++++++
> > policy/modules/services/samhain.te | 114 +++++++++++++++++++++
> > policy/modules/system/userdomain.if | 4 +
> > 5 files changed, 321 insertions(+), 0 deletions(-)
> > create mode 100644 policy/modules/services/samhain.fc
> > create mode 100644 policy/modules/services/samhain.if
> > create mode 100644 policy/modules/services/samhain.te
> >
> > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> > index d5e88be..0655d95 100644
> > --- a/policy/modules/roles/sysadm.te
> > +++ b/policy/modules/roles/sysadm.te
> > @@ -290,6 +290,10 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> > + samhain_admin(sysadm_t)
> > +')
> > +
> > +optional_policy(`
> > screen_role_template(sysadm, sysadm_r, sysadm_t)
> > ')
> >
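Review bot: `samhain_admin(sysadm_t)` gives sysadm_t `admin_pattern` on samhain_db_t, i.e. write access to the signature database, while the same patch gives samhain_run to secadm through userdom_security_admin_template; the role that creates and updates the database is then not the role allowed to manage its files. Decide which role owns samhain and give it both calls, or keep the database writable only by the interactively run domain and let the admin interface cover the rest.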
> > diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc
> > new file mode 100644
> > index 0000000..b0ac8a5
> > --- /dev/null
> > +++ b/policy/modules/services/samhain.fc
> > @@ -0,0 +1,13 @@
> > +/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh)
>
> This should be s0, as there is nothing sensitive about this file.
>
> > +/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
>
> Unless there is sensitive info in this file, it should be s0.

Thank you! The only things that matter are the samhain configuration files, database files and log files, so the init script and ELF binaries should be s0.

>
> > +/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> > +/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
>
> Same thing, s0.
>
> > +/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
> > +
> > +/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> > +/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> > +
> > +/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
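Review bot: labelling /usr/sbin/samhain_setpwd as samhain_exec_t makes it a second entry point into samhain_t, so anything that helper does beyond what samhain.te allows will be denied (samhain.te has no rule for writing executables, which a helper that rewrites the samhain binary with a password would need). If it is not meant to run under the daemon's policy, leave it unlisted so it stays bin_t, or give it its own type. Minor: `/var/log/samhain_log` and `/var/log/samhain_log\.lock` can be one entry, `/var/log/samhain_log(\.lock)?`.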
> > diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if
> > new file mode 100644
> > index 0000000..a7f2a48
> > --- /dev/null
> > +++ b/policy/modules/services/samhain.if
> > @@ -0,0 +1,186 @@
> > +## <summary>Samhain - check file integrity</summary>
> > +
> > +########################################
> > +## <summary>
> > +## Execute samhain in the samhain domain
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`samhain_domtrans',`
> > + gen_require(`
> > + type samhain_t, samhain_exec_t;
> > + ')
> > +
> > + corecmd_search_bin($1)
> > + domtrans_pattern($1, samhain_exec_t, samhain_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Execute samhain in the samhain domain, and
> > +## allow the specifiled role the samhain domain
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed to access.
> > +## </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`samhain_run',`
> > + gen_require(`
> > + type samhain_t;
> > + ')
> > +
> > + samhain_domtrans($1)
> > + role $2 types samhain_t;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Manage samhain configuration files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`samhain_manage_config_files',`
> > + gen_require(`
> > + type samhain_etc_t;
> > + ')
> > +
> > + files_search_etc($1)
> > + manage_files_pattern($1, samhain_etc_t, samhain_etc_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Manage samhain database files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`samhain_manage_db_files',`
> > + gen_require(`
> > + type samhain_db_t;
> > + ')
> > +
> > + files_search_var_lib($1)
> > + manage_files_pattern($1, samhain_db_t, samhain_db_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Manage samhain log and log.lock files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`samhain_manage_log_files',`
> > + gen_require(`
> > + type samhain_log_t;
> > + ')
> > +
> > + logging_search_logs($1)
> > + manage_files_pattern($1, samhain_log_t, samhain_log_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Manage samhain pid files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`samhain_manage_pid_files',`
> > + gen_require(`
> > + type samhain_var_run_t;
> > + ')
> > +
> > + files_search_pids($1)
> > + manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
> > +')
> > +
> > +#######################################
> > +## <summary>
> > +## Manage samhain rc script files
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`samhain_manage_rc_script_files',`
>
> samhain_manage_init_script_files()
>

Gotcha, thanks!

> > + gen_require(`
> > + type samhain_initrc_exec_t;
> > + ')
> > +
> > + files_search_etc($1)
> > + manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
> > +')
> > +
> > +#######################################
> > +## <summary>
> > +## All of the rules required to administrate
> > +## the samhain environment.
> > +## </summary>
> > +## <desc>
> > +## <p>
> > +## This interface makes the calling domain able to
> > +## ptrace and send signals to the samhain domain,
> > +## also able to manage all samhain userspace files,
> > +## but assumes that the calling domain has been able to
> > +## remove an entry from /var/lib/ or /var/log/.
> > +## </p>
> > +## </desc>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`samhain_admin',`
> > + gen_require(`
> > + type samhain_t, samhain_db_t, samhain_etc_t;
> > + type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
> > + ')
> > +
> > + allow $1 samhain_t:process { ptrace signal_perms };
> > + ps_process_pattern($1, samhain_t)
> > +
> > + files_list_var_lib($1)
> > + admin_pattern($1, samhain_db_t)
> > +
> > + files_list_etc($1)
> > + admin_pattern($1, samhain_etc_t)
> > + admin_pattern($1, samhain_initrc_exec_t)
> > +
> > + logging_list_logs($1)
> > + admin_pattern($1, samhain_log_t)
> > +
> > + files_list_pids($1)
> > + admin_pattern($1, samhain_var_run_t)
> > +
> > + mls_file_write_all_levels($1)
>
> No. The caller needs to pass MLS constraints on its own. This is too
> big of a privilege.
>

Very honestly speaking, I have been kinda worried about this too!

This interface expects the calling domain to be able to do the following things on its own:
1. remove an entry from {var_log_t var_lib_t} : dir;
2. remove an entry of the clearance level from the above dirs, which are s0.

Sadly, so far neither secadm nor sysadm has full control over the samhain files. At the mls_systemhigh level sysadm can remove samhain_file from /var/lib/samhain/, but can't remove samhain_log from /var/log/, since the latter is s0. I guess we would have to fall back on permissive mode if we really want to remove it.

Also, considering that sysadm is already able to manage all files and dirs except shadow_t, calling samhain_admin(sysadm_t) would be kinda redundant.

> > +')
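Review bot: samhain_manage_db_files only covers files (`manage_files_pattern($1, samhain_db_t, samhain_db_t)`) while the .fc labels the whole `/var/lib/samhain(/.*)?` tree samhain_db_t, so a caller can rewrite the database file but cannot create or remove the directory; add `manage_dirs_pattern($1, samhain_db_t, samhain_db_t)` next to it. samhain_manage_rc_script_files is not something refpolicy modules normally export on its own (admin_pattern on samhain_initrc_exec_t in samhain_admin already covers it); unless a caller needs it, drop the interface rather than rename it.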
> > diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
> > new file mode 100644
> > index 0000000..612795f
> > --- /dev/null
> > +++ b/policy/modules/services/samhain.te
> > @@ -0,0 +1,114 @@
> > +policy_module(samhain, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +type samhain_etc_t;
> > +files_config_file(samhain_etc_t)
> > +
> > +type samhain_log_t;
> > +logging_log_file(samhain_log_t)
> > +
> > +# Filesystem signature database
> > +type samhain_db_t;
> > +files_type(samhain_db_t)
> > +
> > +type samhain_initrc_exec_t;
> > +init_script_file(samhain_initrc_exec_t)
> > +
> > +type samhain_var_run_t;
> > +files_pid_file(samhain_var_run_t)
> > +
> > +type samhain_t;
> > +type samhain_exec_t;
> > +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh)
>
> Needs a new domain. There should be a domain for this as a service, and
> a domain for command line access. Then hopefully that should allow the
> service to only be allowed read-only access to the database.

I see your point here.

The "domain for command line access" is to create the samhain database, while the "domain for the samhain service" only needs to read from the database file.

It would be great if we could have these two domains separated from each other. However, when the command line access domain is creating the database, it needs to getattr or read almost all kinds of files on the system, requiring exactly the same set of privileges granted to the service domain when performing the filesystem signature check. Moreover, the samhain service can be started not only by its init script but also from the command line, by specifying "samhain -t check -D", where "-D" means run as a daemon, or by specifying "daemon = yes" in the samhain config file.

So these two domains would have a lot of rules in common, and it would greatly simplify our lives if we keep them as one.

>
> > +########################################
> > +#
> > +# Local policy
> > +#
> > +
> > +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock };
> > +dontaudit samhain_t self:capability sys_resource;
> > +allow samhain_t self:fd use;
> > +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon
> > +allow samhain_t self:process { setsched setrlimit signal_perms };
> > +
> > +allow samhain_t samhain_etc_t:file read_file_perms;
> > +
> > +# Only needed when starting samhain daemon from its init script.
> > +can_exec(samhain_t, samhain_exec_t)
> > +
> > +# Samhain needs to get the attribute of /proc/kcore.
> > +kernel_getattr_core_if(samhain_t)
> > +
> > +corecmd_list_bin(samhain_t)
> > +corecmd_read_bin_symlinks(samhain_t)
> > +
> > +# To get entropy
> > +dev_read_urand(samhain_t)
> > +dev_dontaudit_read_rand(samhain_t)
> > +
> > +domain_use_interactive_fds(samhain_t)
> > +
> > +files_search_etc(samhain_t)
> > +
> > +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
> > +files_pid_filetrans(samhain_t, samhain_var_run_t, file)
> > +
> > +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
> > +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
> > +
> > +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
> > +logging_log_filetrans(samhain_t, samhain_log_t, file)
> > +
> > +# Samhain's pid, log and log.lock files are all in directories of s0,
> > +# while samhain daemon is running with the clearance level.
> > +mls_file_write_all_levels(samhain_t)
> > +
> > +# Read from utmp when monitoring login/logout events
> > +auth_read_login_records(samhain_t)
> > +
> > +# Get the attributes of all kinds of files in the rootfs
> > +dev_getattr_all_blk_files(samhain_t)
> > +dev_getattr_all_chr_files(samhain_t)
> > +dev_getattr_generic_blk_files(samhain_t)
> > +dev_getattr_generic_chr_files(samhain_t)
> > +
> > +files_getattr_all_dirs(samhain_t)
> > +files_getattr_all_files(samhain_t)
> > +files_getattr_all_symlinks(samhain_t)
> > +files_getattr_all_pipes(samhain_t)
> > +files_getattr_all_sockets(samhain_t)
> > +files_getattr_all_mountpoints(samhain_t)
> > +
> > +# Read from the file_type attribute and the lnk_file class
> > +files_read_all_files(samhain_t)
> > +files_read_all_symlinks(samhain_t)
> > +
> > +# Read from wtmp when monitoring login/logout events
> > +init_read_utmp(samhain_t)
> > +
> > +# Get the attribute of other filesystem's mountpoint, such as /selinux
> > +# /proc, /sys and /tmp, but not the contents inside, which suggests
> > +# that following rules should be set in samhain configuration file:
> > +# [Attributes]
> > +# file = /tmp
> > +# file = /proc
> > +# file = /sys
> > +# file = /selinux
> > +# [IgnoreALL]
> > +# dir = -1/tmp
> > +# dir = -1/proc
> > +# dir = -1/sys
> > +# dir = -1/selinux
> > +fs_getattr_all_dirs(samhain_t)
> > +
> > +# Get attribute of files with variant sensitivity levels
> > +mls_file_read_all_levels(samhain_t)
>
> If the service is running at system high, I wouldn't expect that this is
> necessary.

Great! "No read up and no write down", but at the clearance level the samhain domain is able to read *down* to any security level.

Thanks a lot!

Best regards,
Harry


>
> > +logging_send_syslog_msg(samhain_t)
> > +
> > +userdom_use_user_terminals(samhain_t)
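Review bot: `userdom_use_user_terminals(samhain_t)` and `domain_use_interactive_fds(samhain_t)` are only needed for the command-line runs, yet samhain_t is also the domain init starts at mls_systemhigh, so the daemon gets read/write on every user's pty for nothing; if the service and interactive runs are split into two domains, these two calls belong to the interactive one only. Also, `dev_getattr_generic_blk_files` / `dev_getattr_generic_chr_files` are subsumed by the `dev_getattr_all_blk_files` / `dev_getattr_all_chr_files` calls directly above them, since the generic device type is itself a device node type.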
> > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> > index ea7b47d..7a847eb 100644
> > --- a/policy/modules/system/userdomain.if
> > +++ b/policy/modules/system/userdomain.if
> > @@ -1249,6 +1249,10 @@ template(`userdom_security_admin_template',`
> > ')
> >
> > optional_policy(`
> > + samhain_run($1, $2)
> > + ')
> > +
> > + optional_policy(`
> > consoletype_exec($1)
> > ')
> >
> > --
> > 1.7.0.4
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20101118/396dcd4a/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: v4-Add-support-for-the-samhain-program.patch
Type: text/x-patch
Size: 11499 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101118/396dcd4a/attachment-0001.bin

2010-11-19 15:20:36

by cpebenito

[permalink] [raw]
Subject: [refpolicy] FW: Add support for the samhain program

On 11/18/10 01:33, HarryCiao wrote:
> Many thanks Chris! Please see my inline responses and the attached v4 of
> samhain.pp.
>
>> Date: Wed, 17 Nov 2010 09:02:40 -0500
>> From: cpebenito at tresys.com
>>
>> On 11/16/10 02:11, HarryCiao wrote:
>> > From 05eb3e1893917d5fbc83daddd37edb003281bd1d Mon Sep 17 00:00:00 2001
>> > From: Harry Ciao <[email protected]>
>> > Date: Mon, 8 Nov 2010 14:42:38 +0800
>> > Subject: [v3 PATCH 1/1] Add support for the samhain program.
>> >
>> > Note, extra privileges may need to be granted to the samhain domain
>> > if its configuration file(/etc/samhainrc) is changed.
>> >
>> > The samhain program could be used in the following way:
>> >
>> > (In secadm_r role)
>> > 1. Initialize filesystem signature database:
>> > newrole -l s15:c0.c1023 -p -- -c "samhain -t init"
>> >
>> > 2. Start samhain deamon to check filesystem integrity
>> > newrole -l s15:c0.c1023 -p -- -c "samhain -t check -D"
>> >
>> > 3. Update filesystem signature database:
>> > newrole -l s15:c0.c1023 -p -- -c "samhain -t update"
>>
>> Sounds like there needs to be a range_transition in the run interface.
>
> Right, I have added the range_transition rule below to the samhain_run()
> interface to make the samhain domain run at the clearance security
> level:
>
> ifdef(`enable_mls', `
> range_transition $1 samhain_exec_t:process mls_systemhigh;
> ')
>
> However, since secadm_t belongs to neither the mlsprocsetsl nor the
> privrangetrans attribute, the MLS constraint for the process transition
> will fail if secadm tries to run samhain at s0 from the command line,
> so secadm would still have to fall back on the newrole program to switch
> to the clearance level.
> But the range_transition rule above would make the samhain domain
> run at the clearance level, so I think it's desirable to have it :-)

After thinking about this some more, the level change should probably be
an active decision, so we should skip the range_transition. There's also
the problem that if the user and their terminal are, for example, system
low, and they run samhain at system high, samhain won't be able to
write to the terminal.

> Also, if we don't use above range_transition rule in the run interface,
> I guess having samhain executable labeled as mls_systemhigh as I used to
> do could also enforce the calling domain to have the clearance level.

No. There is not any sensitive info in the executable, so it should be s0.

[cut]
>> > +interface(`samhain_admin',`
>> > + gen_require(`
>> > + type samhain_t, samhain_db_t, samhain_etc_t;
>> > + type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
>> > + ')
>> > +
>> > + allow $1 samhain_t:process { ptrace signal_perms };
>> > + ps_process_pattern($1, samhain_t)
>> > +
>> > + files_list_var_lib($1)
>> > + admin_pattern($1, samhain_db_t)
>> > +
>> > + files_list_etc($1)
>> > + admin_pattern($1, samhain_etc_t)
>> > + admin_pattern($1, samhain_initrc_exec_t)
>> > +
>> > + logging_list_logs($1)
>> > + admin_pattern($1, samhain_log_t)
>> > +
>> > + files_list_pids($1)
>> > + admin_pattern($1, samhain_var_run_t)
>> > +
>> > + mls_file_write_all_levels($1)
>>
>> No. The caller needs to pass MLS constraints on its own. This is too
>> big of a privilege.
>>
>
> Very honestly speaking, I have been kinda worried about this too!
>
> This interface is expecting the calling domain able to do the following
> things on its own:
> 1. able to remove an entry from {var_log_t var_lib_t} : dir;
> 2. able to remove an entry of the clearance level from above dir which
> are of s0.
>
> Sadly so far neither secadm nor sysadm could have a full control over
> samhain files. With the mls_systemhigh level the sysadm could remove
> samhain_file from /var/lib/samhain/, but can't remove samhain_log from
> /var/log/, since the latter is of s0. I guess we would have to fall back
> on the permissive mode if we really want to remove it.

Directories that have data with mixed levels are problematic :\ Perhaps
we should reconsider the MLS constraints of ranged directories.

> Also considering that the sysadm has already been able to manage all
> files and dirs except shadow_t, calling samhain_admin(sysadm_t) would be
> kinda redundant.
>
>> > +')
>> > diff --git a/policy/modules/services/samhain.te
> b/policy/modules/services/samhain.te
>> > new file mode 100644
>> > index 0000000..612795f
>> > --- /dev/null
>> > +++ b/policy/modules/services/samhain.te
>> > @@ -0,0 +1,114 @@
>> > +policy_module(samhain, 1.0.0)
>> > +
>> > +########################################
>> > +#
>> > +# Declarations
>> > +#
>> > +
>> > +type samhain_etc_t;
>> > +files_config_file(samhain_etc_t)
>> > +
>> > +type samhain_log_t;
>> > +logging_log_file(samhain_log_t)
>> > +
>> > +# Filesystem signature database
>> > +type samhain_db_t;
>> > +files_type(samhain_db_t)
>> > +
>> > +type samhain_initrc_exec_t;
>> > +init_script_file(samhain_initrc_exec_t)
>> > +
>> > +type samhain_var_run_t;
>> > +files_pid_file(samhain_var_run_t)
>> > +
>> > +type samhain_t;
>> > +type samhain_exec_t;
>> > +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh)
>>
>> Needs a new domain. There should be a domain for this as a service, and
>> a domain for command line access. Then hopefully that should allow the
>> service to only be allowed read-only access to the database.
>
> I see your point here.
>
> The "domain for command line access" is to create the samhain database,
> while the "domain for samhain service" needs only to read from the
> database file.
>
> It would be great if we could have these two domains separated from each
> other. However, when the command line access domain is creating the
> database, it needs to getattr or read almost all kinds of files on the
> system, requiring exactly the same set of privileges granted to the
> service domain when performing the filesystem signature check. Moreover,
> the samhain service could be started not only by its init script, but
> also by the command line, by specifying the "samhain -t check -D" while
> "-D" means running as daemon or by specifying "daemon = yes" in samhain
> config files.
>
> So these two domain would have a lot of rules in common and it would
> greatly simplify our life if we keep them as one.

Using an attribute would make it easier. Create two domains having a
common attribute, and then add the common rules to the attribute.
Alternatively, you could use a template.

The key thing here is the database. We only want it writeable when it's
intended, which is when it's run interactively to create/update it.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-11-22 10:57:07

by harrytaurus2002

[permalink] [raw]
Subject: [refpolicy] FW: Add support for the samhain program


Hi Chris,

Please see my inline responses, thanks!

[cut]
> >
> > Right, I have added the range_transition rule below to the samhain_run()
> > interface to make the samhain domain run at the clearance security
> > level:
> >
> > ifdef(`enable_mls', `
> > range_transition $1 samhain_exec_t:process mls_systemhigh;
> > ')
> >
> > However, since secadm_t belongs to neither the mlsprocsetsl nor the
> > privrangetrans attribute, the MLS constraint for the process transition
> > will fail if secadm tries to run samhain at s0 from the command line,
> > so secadm would still have to fall back on the newrole program to switch
> > to the clearance level.
> > But the range_transition rule above would make the samhain domain
> > run at the clearance level, so I think it's desirable to have it :-)
>
> After thinking about this some more, the level change should probably be
> an active decision, so we should skip the range_transition. There's also
> the problem that if the user and its terminal are, for example, system
> low, then they run samhain at system high, samhain won't be able to
> write to the terminal.
>

Well, I see your point, and I still want to preserve the range_transition there in the samhain_run interface, which could enforce the samhain domain running in mls_systemhigh, which in turn I think is the only way to ensure the samhain log files or database files to be of mls_systemhigh too. (BTW do we have range_transition rule for files?)

Well, since samhain would have to create and write to its log files to /var/log/ which is of s0, I have granted it the mlsfilewrite attribute, so it will be fine to run on user_devpts_t:s0 already :-)


[cut]
> >
> > So these two domains would have a lot of rules in common and it would
> > greatly simplify our life if we keep them as one.
>
> Using an attribute would make it easier. Create two domains having a
> common attribute, and then add the common rules to the attribute.
> Alternatively, you could use a template.
>
> The key thing here is the database. We only want it writeable when it's
> intended, which is when it's run interactively to create/update it.
>

Right, thanks a lot! Template is the right choice to collect all those common rules for both domains no matter started by command line or init script, then I could grant each domain different privileges against the signature database.

Please see my attached v5 patch, it's really exciting to be able to make use of the template for the very first time :-)

Have a nice day!

Best regards,
Harry

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20101122/9c2264ea/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: v5-Add-support-for-the-samhain-program.patch
Type: text/x-patch
Size: 11519 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101122/9c2264ea/attachment.bin

2010-11-30 15:07:15

by cpebenito

Subject: [refpolicy] FW: Add support for the samhain program

On 11/22/10 05:57, HarryCiao wrote:
> Hi Chris,
>
> Please see my inline responses, thanks!

I have additional comments inline.

> [cut]
>> >
>> > Right, I have added below range_transition rule to the samhain_run()
>> > interface to enforce the samhain domain to run in the clearance security
>> > level:
>> >
>> > ifdef(`enable_mls', `
>> > range_transition $1 samhain_exec_t:process mls_systemhigh;
>> > ')
>> >
>> > However, since secadm_t does not belong to the mlsprocsetsl nor
>> > privrangetrans attribute, the MLS constraint for process transition will
>> > fail if the secadm is trying to run samhain in s0 in the command line,
>> > so secadm would still have to fallback on the newrole program to switch
>> > to the clearance level.
>> > But, above range_transition rule would enforce the samhain domain
>> > running with the clearance level, I think it's desirable to have it
>> > :-)
>>
>> After thinking about this some more, the level change should probably be
>> an active decision, so we should skip the range_transition. There's also
>> the problem that if the user and its terminal are, for example, system
>> low, then they run samhain at system high, samhain won't be able to
>> write to the terminal.
>>
>
> Well, I see your point, and I still want to preserve the range_transition
> there in the samhain_run interface, which could enforce the samhain
> domain running in mls_systemhigh, which in turn I think is the only way
> to ensure the samhain log files or database files to be of
> mls_systemhigh too. (BTW do we have range_transition rule for files?)

Range transitions work on files too, but that would definitely not be an
appropriate solution to make sure the files have the right sensitivity
if the application is running in the wrong domain.

> Well, since samhain would have to create and write to its log files to
> /var/log/ which is of s0, I have granted it the mlsfilewrite attribute,
> so it will be fine to run on user_devpts_t:s0 already :-)
>
>
> [cut]
>> >
>> > So these two domains would have a lot of rules in common and it would
>> > greatly simplify our life if we keep them as one.
>>
>> Using an attribute would make it easier. Create two domains having a
>> common attribute, and then add the common rules to the attribute.
>> Alternatively, you could use a template.
>>
>> The key thing here is the database. We only want it writeable when it's
>> intended, which is when it's run interactively to create/update it.
>>
>
> Right, thanks a lot! Template is the right choice to collect all those
> common rules for both domains no matter started by command line or init
> script, then I could grant each domain different privileges against the
> signature database.
>
> Please see my attached v5 patch, it's really exciting to be able to make
> use of the template for the very first of my time :-)
>
> Have a nice day!
>
> Best regards,
> Harry

> +## <summary>Samhain - check file integrity</summary>
> +
> +#######################################
> +## <summary>
> +## The template containing the most basic rules
> +## common to the samhain domains.
> +## </summary>
> +## <param name="samhaindomain_prefix">
> +## <summary>
> +## The prefix of the samhain domain(e.g., samhain
> +## for the domain of command line access, samhaind
> +## for the domain started by init script).
> +## </summary>
> +## </param>
> +## <rolebase/>
> +#
> +template(`samhain_service_template',`
> + gen_require(`
> + type etc_t, samhain_etc_t;
> + type samhain_log_t, samhain_var_run_t;
> + ')
> +
> + allow $1_t self:capability { dac_override dac_read_search fowner ipc_lock };
> + dontaudit $1_t self:capability sys_resource;
> + allow $1_t self:fd use;
> + allow $1_t self:process { setsched setrlimit signull };
> +
> + read_files_pattern($1_t, etc_t, samhain_etc_t)
> +
> + kernel_getattr_core_if($1_t)
> +
> + corecmd_list_bin($1_t)
> + corecmd_read_bin_symlinks($1_t)
> +
> + dev_read_urand($1_t)
> + dev_dontaudit_read_rand($1_t)
> +
> + domain_use_interactive_fds($1_t)
> +
> + manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t)
> + files_pid_filetrans($1_t, samhain_var_run_t, file)
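Review bot: `dac_override` in the `self:capability` rule at the top of this template is broader than a read-only integrity check needs; `dac_read_search` already lets the domain read and search files whose mode bits would otherwise stop it, while `dac_override` additionally bypasses write and execute permission checks. Because the template is applied to both samhain_t and samhaind_t, keep the shared set to `{ dac_read_search fowner ipc_lock }` and add `dac_override` only on the one domain that has a demonstrated need for it.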

Does samhain_t really need manage access? I would think it would just
need to read the pid file.

> + manage_files_pattern($1_t, samhain_log_t, samhain_log_t)
> + logging_log_filetrans($1_t, samhain_log_t, file)
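Review bot: `manage_files_pattern` on samhain_log_t in these two lines grants unlink and rename on the checker's own log, so a subverted samhain process in either domain could discard the record of what it found. If create/delete is needed only for the lock and pid files, give the lock file its own type (a hypothetical `samhain_lock_t`) or at least limit the log file itself to `append_files_pattern` alongside the `logging_log_filetrans` already present.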

Similarly, does the command line version also log to the log files?

> + mls_file_write_all_levels($1_t)

If the above write accesses for the pid and log files should be dropped
for the command line, then this likely should be too.

> + auth_read_login_records($1_t)
> +
> + dev_getattr_all_blk_files($1_t)
> + dev_getattr_all_chr_files($1_t)
> + dev_getattr_generic_blk_files($1_t)
> + dev_getattr_generic_chr_files($1_t)
> +
> + files_getattr_all_dirs($1_t)
> + files_getattr_all_files($1_t)
> + files_getattr_all_symlinks($1_t)
> +
> + files_getattr_all_pipes($1_t)
> + files_getattr_all_sockets($1_t)
> + files_getattr_all_mountpoints($1_t)
> +
> + files_read_all_files($1_t)
> + files_read_all_symlinks($1_t)
> +
> + init_read_utmp($1_t)
> +
> + fs_getattr_all_dirs($1_t)
> +
> + logging_send_syslog_msg($1_t)
> +
> + userdom_use_user_terminals($1_t)

I would not expect this access for samhaind_t.

[cut]
> diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
> new file mode 100644
> index 0000000..40a4e70
> --- /dev/null
> +++ b/policy/modules/services/samhain.te
> @@ -0,0 +1,56 @@
> +policy_module(samhain, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type samhain_etc_t;
> +files_config_file(samhain_etc_t)
> +
> +type samhain_log_t;
> +logging_log_file(samhain_log_t)
> +
> +# Filesystem signature database
> +type samhain_db_t;
> +files_type(samhain_db_t)
> +
> +type samhain_initrc_exec_t;
> +init_script_file(samhain_initrc_exec_t)
> +
> +type samhain_var_run_t;
> +files_pid_file(samhain_var_run_t)
> +
> +# Domain for samhain service started by samhain init script
> +type samhaind_t;
> +type samhain_exec_t;
> +init_ranged_daemon_domain(samhaind_t, samhain_exec_t, mls_systemhigh)
> +samhain_service_template(samhaind)
> +
> +# Domain for command line access
> +type samhain_t;
> +application_domain(samhain_t, samhain_exec_t)
> +samhain_service_template(samhain)
> +
> +########################################
> +#
> +# Samhain local policy
> +#
> +
> +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
> +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
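Review bot: the split this hunk sets up (manage on samhain_db_t for samhain_t only, read-only for samhaind_t further down) holds only when the daemon is started through the init script. As noted earlier in the thread, `samhain -t check -D` from the command line runs the daemon in samhain_t, so that long-running process keeps create, write and unlink on the signature database; add a comment saying so next to `manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)` and point samhain_run() users at the init script for daemon mode.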
> +
> +########################################
> +#
> +# Samhaind local policy
> +#
> +
> +allow samhaind_t self:capability sys_ptrace;

This can most likely be dontaudited.

> +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon
> +allow samhaind_t { samhain_t self }:process signal_perms;

The daemon needs to signal the command line version?

> +# Only needed when starting samhain daemon from its init script.
> +can_exec(samhaind_t, samhain_exec_t)
> +
> +read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-12-04 12:54:21

by harrytaurus2002

Subject: [refpolicy] FW: Add support for the samhain program


Hi Chris,

Thanks a lot for your comments, the attached is the v6 of samhain.pp.

My replies are below.

Have a nice weekend!

Best regards,
Harry


> Date: Tue, 30 Nov 2010 10:07:15 -0500
> From: cpebenito at tresys.com
> To: harrytaurus2002 at hotmail.com
> CC: domg472 at gmail.com; refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] FW: Add support for the samhain program
>
> On 11/22/10 05:57, HarryCiao wrote:
> > Hi Chris,
> >
> > Please see my inline responses, thanks!
>
> I have additional comments inline.
>
> > [cut]
> >> >
> >> > Right, I have added below range_transition rule to the samhain_run()
> >> > interface to enforce the samhain domain to run in the clearance security
> >> > level:
> >> >
> >> > ifdef(`enable_mls', `
> >> > range_transition $1 samhain_exec_t:process mls_systemhigh;
> >> > ')
> >> >
> >> > However, since secadm_t does not belong to the mlsprocsetsl nor
> >> > privrangetrans attribute, the MLS constraint for process transition will
> >> > fail if the secadm is trying to run samhain in s0 in the command line,
> >> > so secadm would still have to fallback on the newrole program to switch
> >> > to the clearance level.
> >> > But, above range_transition rule would enforce the samhain domain
> >> > running with the clearance level, I think it's desirable to have it
> >> > :-)
> >>
> >> After thinking about this some more, the level change should probably be
> >> an active decision, so we should skip the range_transition. There's also
> >> the problem that if the user and its terminal are, for example, system
> >> low, then they run samhain at system high, samhain won't be able to
> >> write to the terminal.
> >>
> >
> > Well, I see your point, and I still want to preserve the range_transition
> > there in the samhain_run interface, which could enforce the samhain
> > domain running in mls_systemhigh, which in turn I think is the only way
> > to ensure the samhain log files or database files to be of
> > mls_systemhigh too. (BTW do we have range_transition rule for files?)
>
> Range transitions work on files too, but that would definitely not be an
> appropriate solution to make sure the files have the right sensitivity
> if the application is running in the wrong domain.
>

Yeah, you're right, the newly created file should share the same security level with its creator process.


> > Well, since samhain would have to create and write to its log files to
> > /var/log/ which is of s0, I have granted it the mlsfilewrite attribute,
> > so it will be fine to run on user_devpts_t:s0 already :-)
> >
> >
[cut]
> > +
> > + domain_use_interactive_fds($1_t)
> > +
> > + manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t)
> > + files_pid_filetrans($1_t, samhain_var_run_t, file)
>
> Does samhain_t really need manage access? I would think it would just
> need to read the pid file.
>
> > + manage_files_pattern($1_t, samhain_log_t, samhain_log_t)
> > + logging_log_filetrans($1_t, samhain_log_t, file)
>
> Similarly, does the command line version also log to the log files?
>
> > + mls_file_write_all_levels($1_t)
>
> If the above write accesses for the pid and log files should be dropped
> for the command line, then this likely should be too.
>

Yeah, both samhain_t and samhaind_t would need to manage the log, log.lock and pid files, since no matter how the samhain daemon is started, both domains would have to create log.lock and pid files on start and remove them on stop. Since log.lock and pid files are in /var/log/ or /var/run/ of s0 while samhain daemons are in mls_systemhigh, we have to add them to mlsfilewrite attribute.


[cut]
> > + userdom_use_user_terminals($1_t)
>
> I would not expect this access for samhaind_t.

Yep, both domain_use_interactive_fds() and userdom_use_user_terminals() would be unnecessary for samhaind_t that don't have to interact with the user. So I've removed them from the samhain_service_template() and have them called for samhain_t only.

[cut]
> > +########################################
> > +#
> > +# Samhaind local policy
> > +#
> > +
> > +allow samhaind_t self:capability sys_ptrace;
>
> This can most likely be dontaudited.

Thanks!

>
> > +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon
> > +allow samhaind_t { samhain_t self }:process signal_perms;
>
> The daemon needs to signal the command line version?
>

Yes, I am afraid so. Without the signull permission the samhaind_t domain would fail to get the status of samhain_t domain, although the latter has been started already:

root@qemu-host:/root> run_init /etc/init.d/samhain status
Authenticating root.
Password:
type=1400 audit(1291456018.568:143): avc: denied { signull } for pid=1277 comm="samhain" scontext=system_u:system_r:samhaind_t:s15:c0.c1023 tcontext=root:secadm_r:samhain_t:s15:c0.c1023 tclass=process
Service samhain: Stopped and /var/run pid file exists
root@qemu-host:/root>
root@qemu-host:/root> newrole -l s15:c0.c1023 -p -- -c "ps -eZ | grep samhain"
Password:
root:secadm_r:samhain_t:s15:c0.c1023 1370 ? 00:01:04 samhain
root@qemu-host:/root>

> > +# Only needed when starting samhain daemon from its init script.
> > +can_exec(samhaind_t, samhain_exec_t)
> > +
> > +read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20101204/cdaaed50/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: v6-Add-support-for-the-samhain-program.patch
Type: text/x-patch
Size: 12451 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101204/cdaaed50/attachment-0001.bin

2010-12-15 19:08:14

by cpebenito

Subject: [refpolicy] FW: Add support for the samhain program

On 12/04/10 07:54, HarryCiao wrote:
> Hi Chris,
>
> Thanks a lot for your comments, the attached is the v6 of samhain.pp.
>
> My replies are below.

Merged. I did some additional cleanup, mainly reordering some
statements. I did have to fix the range transition so that it would
work on mcs systems

>> Date: Tue, 30 Nov 2010 10:07:15 -0500
>> From: cpebenito at tresys.com
>> To: harrytaurus2002 at hotmail.com
>> CC: domg472 at gmail.com; refpolicy at oss.tresys.com
>> Subject: Re: [refpolicy] FW: Add support for the samhain program
>>
>> On 11/22/10 05:57, HarryCiao wrote:
>> > Hi Chris,
>> >
>> > Please see my inline responses, thanks!
>>
>> I have additional comments inline.
>>
>> > [cut]
>> >> >
>> >> > Right, I have added below range_transition rule to the samhain_run()
>> >> > interface to enforce the samhain domain to run in the clearance security
>> >> > level:
>> >> >
>> >> > ifdef(`enable_mls', `
>> >> > range_transition $1 samhain_exec_t:process mls_systemhigh;
>> >> > ')
>> >> >
>> >> > However, since secadm_t does not belong to the mlsprocsetsl nor
>> >> > privrangetrans attribute, the MLS constraint for process
> transition will
>> >> > fail if the secadm is trying to run samhain in s0 in the command
> line,
>> >> > so secadm would still have to fallback on the newrole program to
> switch
>> >> > to the clearance level.
>> >> > But, above range_transition rule would enforce the samhain domain
>> >> > running with the clearance level, I think it's desirable to have it
>> >> > :-)
>> >>
>> >> After thinking about this some more, the level change should
> probably be
>> >> an active decision, so we should skip the range_transition. There's also
>> >> the problem that if the user and its terminal are, for example,
> system
>> >> low, then they run samhain at system high, samhain won't be able to
>> >> write to the terminal.
>> >>
>> >
>> > Well, I see your point, and I still want to preserve the range_transition
>> > there in the samhain_run interface, which could enforce the samhain
>> > domain running in mls_systemhigh, which in turn I think is the only way
>> > to ensure the samhain log files or database files to be of
>> > mls_systemhigh too. (BTW do we have range_transition rule for files?)
>>
>> Range transitions work on files too, but that would definitely not be an
>> appropriate solution to make sure the files have the right sensitivity
>> if the application is running in the wrong domain.
>>
>
> Yeah, you're right, the newly created file should share the same
> security level with its creator process.
>
>
>> > Well, since samhain would have to create and write to its log files to
>> > /var/log/ which is of s0, I have granted it the mlsfilewrite attribute,
>> > so it will be fine to run on user_devpts_t:s0 already :-)
>> >
>> >
> [cut]
>> > +
>> > + domain_use_interactive_fds($1_t)
>> > +
>> > + manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t)
>> > + files_pid_filetrans($1_t, samhain_var_run_t, file)
>>
>> Does samhain_t really need manage access? I would think it would just
>> need to read the pid file.
>>
>> > + manage_files_pattern($1_t, samhain_log_t, samhain_log_t)
>> > + logging_log_filetrans($1_t, samhain_log_t, file)
>>
>> Similarly, does the command line version also log to the log files?
>>
>> > + mls_file_write_all_levels($1_t)
>>
>> If the above write accesses for the pid and log files should be dropped
>> for the command line, then this likely should be too.
>>
>
> Yeah, both samhain_t and samhaind_t would need to manage the log,
> log.lock and pid files, since no matter how the samhain daemon is
> started, both domains would have to create log.lock and pid files on
> start and remove them on stop. Since log.lock and pid files are in
> /var/log/ or /var/run/ of s0 while samhain daemons are in
> mls_systemhigh, we have to add them to mlsfilewrite attribute.
>
>
> [cut]
>> > + userdom_use_user_terminals($1_t)
>>
>> I would not expect this access for samhaind_t.
>
> Yep, both domain_use_interactive_fds() and userdom_use_user_terminals()
> would be unnecessary for samhaind_t that don't have to interact with the
> user. So I've removed them from the samhain_service_template() and have
> them called for samhain_t only.
>
> [cut]
>> > +########################################
>> > +#
>> > +# Samhaind local policy
>> > +#
>> > +
>> > +allow samhaind_t self: capability sys_ptrace;
>>
>> This can most likely be dontaudited.
>
> Thanks!
>
>>
>> > +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain
> daemon
>> > +allow samhaind_t { samhain_t self }:process signal_perms;
>>
>> The daemon needs to signal the command line version?
>>
>
> Yes, I am afraid so. Without the signull permission the samhaind_t
> domain would fail to get the status of samhain_t domain, although the
> latter has been started already:
>
> root@qemu-host:/root> run_init /etc/init.d/samhain status
> Authenticating root.
> Password:
> type=1400 audit(1291456018.568:143): avc: denied { signull } for
> pid=1277 comm="samhain"
> scontext=system_u:system_r:samhaind_t:s15:c0.c1023
> tcontext=root:secadm_r:samhain_t:s15:c0.c1023 tclass=process
> Service samhain: Stopped and /var/run pid file exists
> root@qemu-host:/root>
> root@qemu-host:/root> newrole -l s15:c0.c1023 -p -- -c "ps -eZ | grep
> samhain"
> Password:
> root:secadm_r:samhain_t:s15:c0.c1023 1370 ? 00:01:04 samhain
> root@qemu-host:/root>
>
>> > +# Only needed when starting samhain daemon from its init script.
>> > +can_exec(samhaind_t, samhain_exec_t)
>> > +
>> > +read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
>>
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> http://www.tresys.com | oss.tresys.com


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-12-16 10:17:53

by harrytaurus2002

Subject: [refpolicy] FW: Add support for the samhain program




> Date: Wed, 15 Dec 2010 14:08:14 -0500
> From: cpebenito at tresys.com
> To: harrytaurus2002 at hotmail.com
> CC: domg472 at gmail.com; refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] FW: Add support for the samhain program
>
> On 12/04/10 07:54, HarryCiao wrote:
> > Hi Chris,
> >
> > Thanks a lot for your comments, the attached is the v6 of samhain.pp.
> >
> > My replies are below.
>
> Merged. I did some additional cleanup, mainly reordering some
> statements. I did have to fix the range transition so that it would
> work on mcs systems
>

Hi Chris,

Many thanks for endorsing samhain.pp upstream, you've made me very proud of my effort to keep improving it!

Well, I've studied all your cleanups and I have a few questions or concerns that I would like to discuss with you further:

1. From the notes you left I knew that the call to the init_ranged_daemon_domain() has been replaced by init_ranged_system_domain(), in order to workaround some type transition conflict on MCS system. Honestly speaking I've tested just on MLS system but not MCS, so I am very curious about what the exact type transition conflict is?

2. Moreover, while testing the samhain.pp pulled from upstream today I ran into two error messages so far:

2.1)
root@qemu-host:/root> run_init /etc/init.d/samhain status
Authenticating root.
Password:
type=1400 audit(1292488062.229:64): avc: denied { transition } for pid=991 comm="samhain" path="/usr/sbin/samhain" dev=sda ino=8425 scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:samhaind_t:s15:c0.c1023 tclass=process
/etc/init.d/samhain: line 291: /usr/sbin/samhain: Permission denied
Service samhain: Status unknown
root@qemu-host:/root>

2.2)
type=1400 audit(1292490235.885:75): avc: denied { read write } for pid=1131 comm="samhain" path="/dev/pts/1" dev=devpts ino=4 scontext=system_u:system_r:samhaind_t:s15:c0.c1023 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file

They are triggered since init_ranged_system_domain() won't go on to call mls_rangetrans_target() and init_use_script_ptys() interfaces as in the init_ranged_daemon_domain().

Without adding samhaind_t domain into the mlsrangetrans attribute the domain transition from initrc_t to samhaind_t would fail, making the samhain init script unable to control samhain_t daemon at all. So I guess if we have to fall back on the current init_ranged_system_domain(), we'd better call mls_rangetrans_target(samhaind_t) as well.

As for the second error message, since the samhain init script would be started by the run_init tool, which calls open_init_pty to have the pty relabeled as init_devpts_t, I simply guess it would be the right thing to do to call init_use_script_ptys(samhaind_t).

What do you think? thanks!

Best regards,
Harry

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20101216/359b032f/attachment-0001.html

2010-12-16 13:28:04

by cpebenito

Subject: [refpolicy] FW: Add support for the samhain program

On 12/16/10 05:17, HarryCiao wrote:
>
>
>> Date: Wed, 15 Dec 2010 14:08:14 -0500
>> From: cpebenito at tresys.com
>> To: harrytaurus2002 at hotmail.com
>> CC: domg472 at gmail.com; refpolicy at oss.tresys.com
>> Subject: Re: [refpolicy] FW: Add support for the samhain program
>>
>> On 12/04/10 07:54, HarryCiao wrote:
>> > Hi Chris,
>> >
>> > Thanks a lot for your comments, the attached is the v6 of samhain.pp.
>> >
>> > My replies are below.
>>
>> Merged. I did some additional cleanup, mainly reordering some
>> statements. I did have to fix the range transition so that it would
>> work on mcs systems
>>
>
> Hi Chris,
>
> Many thanks for endorsing samhain.pp to the upstream, you've made me
> very proud of my effort to keep improving it!
>
> Well, I've studied all your cleanups and I have a few questions or
> concerns that I would like to discuss with you further:
>
> 1. From the notes you left I knew that the call to the
> init_ranged_daemon_domain() has been replaced by
> init_ranged_system_domain(), in order to workaround some type transition
> conflict on MCS system. Honestly speaking I've tested just on MLS system
> but not MCS, so I am very curious about what the exact type transition
> conflict is?

There are two things. I called it once on MCS and once on MLS since
mls_systemhigh is not a valid level on MCS.

The type transition conflict is hit when you turn on the DIRECT_INITRC
option.

> 2. Moreover, while I am testing the samhain.pp pulled from upstream
> today I run into two error messages by far:
>
> 2.1)
> root@qemu-host:/root> run_init /etc/init.d/samhain status
> Authenticating root.
> Password:
> type=1400 audit(1292488062.229:64): avc: denied { transition } for
> pid=991 comm="samhain" path="/usr/sbin/samhain" dev=sda ino=8425
> scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tcontext=system_u:system_r:samhaind_t:s15:c0.c1023 tclass=process
> /etc/init.d/samhain: line 291: /usr/sbin/samhain: Permission denied
> Service samhain: Status unknown
> root@qemu-host:/root>
>
> 2.2)
> type=1400 audit(1292490235.885:75): avc: denied { read write }
> for pid=1131 comm="samhain" path="/dev/pts/1" dev=devpts ino=4
> scontext=system_u:system_r:samhaind_t:s15:c0.c1023
> tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
>
> They are triggered since init_ranged_system_domain() won't go on to call
> mls_rangetrans_target() and init_use_script_ptys() interfaces as in the
> init_ranged_daemon_domain().
>
> Without adding samhaind_t domain into the mlsrangetrans attribute the
> domain transition from initrc_t to samhaind_t would fail, making the
> samhain init script unable to control samhain_t daemon at all. So I
> guess if we have to fall back on the current
> init_ranged_system_domain(), we'd better call
> mls_rangetrans_target(samhaind_t) as well.
>
> As for the second error message, since the samhain init script would be
> started by the run_init tool, which calls open_init_pty to have the pty
> relabeled as init_devpts_t, I simply guess it would be the right thing
> to do to call init_use_script_ptys(samhaind_t).
>
> What do you think? thanks!

I'll add these rules.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
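Putting Chris's explanation and Harry's two denials together, the daemon-side declaration below shows the ranged system domain called once per policy type plus the two rules Harry traced the denials to. This is an added illustration, not the merged refpolicy module: the MCS range `s0 - mcs_systemhigh` is assumed from Chris's remark that mls_systemhigh is not a valid level on MCS, and the rule comments paraphrase the two AVC messages quoted above.

```selinux
########################################
#
# Declarations (daemon side only)
#

type samhaind_t;
type samhain_exec_t;

# init_ranged_daemon_domain() also installs a type_transition from
# initrc_t that conflicts with another rule once DIRECT_INITRC is on,
# so the ranged *system* domain is used instead. It is called once per
# policy type because mls_systemhigh is not a valid level on MCS.
# (The MCS range below is an assumption for this example.)
ifdef(`enable_mcs',`
	init_ranged_system_domain(samhaind_t, samhain_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_system_domain(samhaind_t, samhain_exec_t, mls_systemhigh)
')

########################################
#
# Samhaind local policy
#

# init_ranged_system_domain() does not make the domain a range
# transition target. Without this rule initrc_t (s0-s15:c0.c1023) is
# denied { transition } into samhaind_t:s15:c0.c1023 by the MLS
# constraint, which is denial 2.1 above.
mls_rangetrans_target(samhaind_t)

# run_init hands the init script a pty labelled initrc_devpts_t:s0 and
# the daemon writes its status output there; without this rule that is
# the chr_file { read write } denial 2.2 above.
init_use_script_ptys(samhaind_t)
```

The MLS write-down to the s0 pty is separately covered by the `mls_file_write_all_levels()` call already in the template, which is why only the type-enforcement side needed these two additions.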