From: bwhalen@tresys.com (Brandon Whalen)
Date: Mon, 27 Oct 2008 09:22:00 -0400
Subject: [refpolicy] Help with policy writing
In-Reply-To: <1225047539.3435.5.camel@sulphur.notebook.internal>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/26/08 2:58 PM, "Dominick Grift" wrote:

> On Sun, 2008-10-26 at 19:43 +0100, Konrad Azzopardi wrote:
>
>> Raw Audit Messages
>>
>> host=MALTA type=AVC msg=audit(1225045152.583:1290): avc: denied { execute_no_trans } for pid=7159 comm="samhain" path="/usr/local/sbin/samhain" dev=dm-0 ino=7552222 scontext=unconfined_u:system_r:samhain_t:s0 tcontext=system_u:object_r:samhain_exec_t:s0 tclass=file
>>
>> host=MALTA type=SYSCALL msg=audit(1225045152.583:1290): arch=40000003 syscall=11 success=yes exit=0 a0=b8f57000 a1=bfc3cc48 a2=bfc3cfa0 a3=bfc3cd4c items=0 ppid=7158 pid=7159 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="samhain" exe="/usr/local/sbin/samhain" subj=unconfined_u:system_r:samhain_t:s0 key=(null)
>
> samhain_t is trying to execute the samhain executable file:
>
> can_exec(samhain_t, samhain_exec_t)
>
> might solve this. Refer to this interface call in reference policy.

This looks like you are transitioning to the samhain domain when the initrc script is run, and then that script is calling the actual executable. I would suggest creating an init domain specific to samhain for the init script, but you could just let it run as initrc_t and force the transition when the samhain executable is run.

Not sure how far you are on this, but if you are going to submit this upstream for a process like samhain, which is going to vary based upon the user, you're probably going to want to give it something generic like files_getattr_all_files, so that it can check every file on the system and not just the specific ones you've listed in your database. Also, make sure you limit what it can write to, so you limit any potential exploits.
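The following is an added example, not policy from anyone in this thread, of a reference-policy module that puts the advice above together: the init script stays initrc_t and transitions to samhain_t when it executes samhain_exec_t (the simpler of the two options Brandon describes), can_exec() covers the execute_no_trans denial, files_getattr_all_files() plus the read interfaces let the daemon check any file, and write access is limited to the daemon's own state, log and pid types. Only /usr/local/sbin/samhain and the samhain_t / samhain_exec_t names come from the audit record; the module name, the other type names and every other path in the .fc section are assumptions.

```selinux
## samhain.te  (module name and all types other than samhain_t/samhain_exec_t are assumed)
policy_module(samhain, 1.0.0)

########################################
#
# Declarations
#

# Daemon domain and its entry point. samhain_exec_t is the type already
# on /usr/local/sbin/samhain in the AVC message above.
type samhain_t;
type samhain_exec_t;
init_daemon_domain(samhain_t, samhain_exec_t)

# The init script keeps running as initrc_t; the domain transition to
# samhain_t happens when it executes samhain_exec_t. No samhain-specific
# init domain is created here (the reply's "just let it run as initrc_t").
type samhain_initrc_exec_t;
init_script_file(samhain_initrc_exec_t)

type samhain_etc_t;
files_config_file(samhain_etc_t)

# Baseline database: the one place the daemon may create and modify files.
type samhain_var_lib_t;
files_type(samhain_var_lib_t)

type samhain_log_t;
logging_log_file(samhain_log_t)

type samhain_var_run_t;
files_pid_file(samhain_var_run_t)

########################################
#
# Local policy
#

# The denial in the thread: samhain_t re-executing its own binary stays
# in samhain_t (execute_no_trans) rather than needing another transition.
can_exec(samhain_t, samhain_exec_t)

# Needed to stat and read files owned by other users (integrity checking
# runs as root but DAC checks are still applied).
allow samhain_t self:capability { dac_override dac_read_search };
allow samhain_t self:fifo_file rw_fifo_file_perms;
allow samhain_t self:unix_stream_socket create_stream_socket_perms;

# Read-only, system-wide access so the checksum database can cover every
# file rather than only the paths listed in one site's samhainrc.
files_getattr_all_files(samhain_t)
files_read_all_files(samhain_t)
files_list_all(samhain_t)

read_files_pattern(samhain_t, samhain_etc_t, samhain_etc_t)

# Write access is confined to the daemon's own state, log and pid files;
# nothing else on the system is writable from samhain_t.
manage_dirs_pattern(samhain_t, samhain_var_lib_t, samhain_var_lib_t)
manage_files_pattern(samhain_t, samhain_var_lib_t, samhain_var_lib_t)
files_var_lib_filetrans(samhain_t, samhain_var_lib_t, { dir file })

manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
logging_log_filetrans(samhain_t, samhain_log_t, file)

manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
files_pid_filetrans(samhain_t, samhain_var_run_t, file)

logging_send_syslog_msg(samhain_t)
miscfiles_read_localization(samhain_t)

## samhain.fc  (paths other than /usr/local/sbin/samhain are assumed)
/usr/local/sbin/samhain      --   gen_context(system_u:object_r:samhain_exec_t,s0)
/etc/rc\.d/init\.d/samhain   --   gen_context(system_u:object_r:samhain_initrc_exec_t,s0)
/etc/samhainrc               --   gen_context(system_u:object_r:samhain_etc_t,s0)
/var/lib/samhain(/.*)?            gen_context(system_u:object_r:samhain_var_lib_t,s0)
/var/log/samhain_log.*       --   gen_context(system_u:object_r:samhain_log_t,s0)
```

Split the two sections into samhain.te and samhain.fc, build with `make -f /usr/share/selinux/devel/Makefile samhain.pp`, load with `semodule -i samhain.pp`, and relabel the listed paths with `restorecon`. If the init script should get its own domain instead, replace init_script_file() with a separate domain that transitions to samhain_t on samhain_exec_t; the rest of the module is unchanged. Because the only manage_* rules target samhain's own types, any attempt by the daemon to write elsewhere shows up as an AVC denial, which is the containment the reply asks for.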