From: konrad.azzopardi@gmail.com (Konrad Azzopardi)
Date: Mon, 27 Oct 2008 16:30:44 +0100
Subject: [refpolicy] Help with policy writing
In-Reply-To: <C52B38B8.1A476%bwhalen@tresys.com>
References: <1225047539.3435.5.camel@sulphur.notebook.internal>
	<C52B38B8.1A476%bwhalen@tresys.com>
Message-ID: <af1a12460810270830s5200679fjaed89ed98cac8376@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

thanks for your help, I did use the can_exec and I also created a
domain samhain_script_exec_t  for the init script. Now I will refine
the policy cause I think I may have used macros that are supersets of
other macros {still learning here}. Tnx for your help

konrad

On Mon, Oct 27, 2008 at 2:22 PM, Brandon Whalen <bwhalen@tresys.com> wrote:
> On 10/26/08 2:58 PM, "Dominick Grift" <domg472@gmail.com> wrote:
>
>> On Sun, 2008-10-26 at 19:43 +0100, Konrad Azzopardi wrote:
>>
>>>
>>> Raw Audit Messages
>>>
>>> host=MALTA type=AVC msg=audit(1225045152.583:1290): avc:  denied  {
>>> execute_no_trans } for  pid=7159 comm="samhain"
>>> path="/usr/local/sbin/samhain" dev=dm-0 ino=7552222
>>> scontext=unconfined_u:system_r:samhain_t:s0
>>> tcontext=system_u:object_r:samhain_exec_t:s0 tclass=file
>>>
>>> host=MALTA type=SYSCALL msg=audit(1225045152.583:1290): arch=40000003
>>> syscall=11 success=yes exit=0 a0=b8f57000 a1=bfc3cc48 a2=bfc3cfa0
>>> a3=bfc3cd4c items=0 ppid=7158 pid=7159 auid=500 uid=0 gid=0 euid=0
>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="samhain"
>>> exe="/usr/local/sbin/samhain" subj=unconfined_u:system_r:samhain_t:s0
>>> key=(null)
>> samhain_t is trying to execute samhain executable file:
>>
>> can_exec(samhain_t, samhain_exec_t)
>>
>> might solve this. refer to this interface call in reference policy.
>>
> This looks like you are transitioning to the samhain domain when the initrc
> script is run and then that script is calling the actual executable. I would
> suggest creating an init domain specific to samhain for the init script, but
> you could just let it run as initrc_t and force the transition when the
> samhain executable is run.
>
> Not sure how far you are on this, but if you are going to submit this
> upstream for a process like samhain which is going to vary based upon the
> user you're probably going to want to give it something generic like
> files_getattr_all_files, so that it can check every file on the system and
> not just the specific ones you've listed in your database. Also, make sure
> you limit what it can write to so you limit any potential exploits.
>
>
>>> _______________________________________________
>>> refpolicy mailing list
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
>