From: konrad.azzopardi@gmail.com (Konrad Azzopardi)
Date: Mon, 27 Oct 2008 16:30:44 +0100
Subject: [refpolicy] Help with policy writing
In-Reply-To:
References: <1225047539.3435.5.camel@sulphur.notebook.internal>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Thanks for your help. I did use the can_exec and I also created a domain samhain_script_exec_t for the init script. Now I will refine the policy because I think I may have used macros that are supersets of other macros (still learning here).

Thanks for your help,
Konrad

On Mon, Oct 27, 2008 at 2:22 PM, Brandon Whalen wrote:
> On 10/26/08 2:58 PM, "Dominick Grift" wrote:
>
>> On Sun, 2008-10-26 at 19:43 +0100, Konrad Azzopardi wrote:
>>
>>>
>>> Raw Audit Messages
>>>
>>> host=MALTA type=AVC msg=audit(1225045152.583:1290): avc: denied {
>>> execute_no_trans } for pid=7159 comm="samhain"
>>> path="/usr/local/sbin/samhain" dev=dm-0 ino=7552222
>>> scontext=unconfined_u:system_r:samhain_t:s0
>>> tcontext=system_u:object_r:samhain_exec_t:s0 tclass=file
>>>
>>> host=MALTA type=SYSCALL msg=audit(1225045152.583:1290): arch=40000003
>>> syscall=11 success=yes exit=0 a0=b8f57000 a1=bfc3cc48 a2=bfc3cfa0
>>> a3=bfc3cd4c items=0 ppid=7158 pid=7159 auid=500 uid=0 gid=0 euid=0
>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="samhain"
>>> exe="/usr/local/sbin/samhain" subj=unconfined_u:system_r:samhain_t:s0
>>> key=(null)
>>
>> samhain_t is trying to execute the samhain executable file:
>>
>> can_exec(samhain_t, samhain_exec_t)
>>
>> might solve this. Refer to this interface call in reference policy.
>>
> This looks like you are transitioning to the samhain domain when the initrc
> script is run and then that script is calling the actual executable. I would
> suggest creating an init domain specific to samhain for the init script, but
> you could just let it run as initrc_t and force the transition when the
> samhain executable is run.
>
> Not sure how far you are on this, but if you are going to submit this
> upstream for a process like samhain, which is going to vary based upon the
> user, you're probably going to want to give it something generic like
> files_getattr_all_files, so that it can check every file on the system and
> not just the specific ones you've listed in your database. Also, make sure
> you limit what it can write to so you limit any potential exploits.
>
>>> _______________________________________________
>>> refpolicy mailing list
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
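Editor's note: the pieces of advice in this thread fit together into one small module, so here is a samhain.te written as an added illustration; it is not Konrad's policy, not anything from the samhain project, and not part of the original thread. It takes Brandon's simpler option (the init script stays in initrc_t and init_daemon_domain supplies the initrc_t to samhain_t transition), adds Dominick's can_exec for the execute_no_trans denial shown above, and uses the generic files_getattr_all_files while keeping the writable set narrow. Interface names are standard refpolicy ones; the types samhain_data_t, samhain_log_t and samhain_var_run_t, the paths in the comments, and the use of files_read_all_files (on the assumption that checksum mode has to open files, not only stat them) are assumptions. One practical observation on the audit record itself: the SYSCALL line carries success=yes, so the exec went through despite the AVC, which means samhain_t was being developed under permissive mode; in enforcing mode the same denial would have stopped samhain re-executing itself.

```selinux
policy_module(samhain, 0.1)

########################################
#
# Declarations
#

# Main daemon domain. /usr/local/sbin/samhain (the path from the AVC)
# is labelled samhain_exec_t in the matching .fc file.
type samhain_t;
type samhain_exec_t;
init_daemon_domain(samhain_t, samhain_exec_t)

# Init script (assumed path /etc/init.d/samhain). It runs as initrc_t;
# init_daemon_domain above provides the initrc_t -> samhain_t transition
# when the script execs the daemon binary.
type samhain_initrc_exec_t;
init_script_file(samhain_initrc_exec_t)

# Assumed locations of the state samhain owns and may write.
type samhain_data_t;        # baseline database, e.g. /var/lib/samhain
files_type(samhain_data_t)

type samhain_log_t;         # e.g. /var/log/samhain_log
logging_log_file(samhain_log_t)

type samhain_var_run_t;     # e.g. /var/run/samhain.pid
files_pid_file(samhain_var_run_t)

########################################
#
# Local policy
#

# The denial from the thread: samhain re-executes its own binary and
# stays in samhain_t (execute_no_trans). Allow that explicitly.
can_exec(samhain_t, samhain_exec_t)

# Writes are confined to samhain's own database, log and pid file, so a
# compromised checker cannot modify anything else it is allowed to inspect.
manage_dirs_pattern(samhain_t, samhain_data_t, samhain_data_t)
manage_files_pattern(samhain_t, samhain_data_t, samhain_data_t)
files_var_lib_filetrans(samhain_t, samhain_data_t, { dir file })

manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
logging_log_filetrans(samhain_t, samhain_log_t, file)

manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
files_pid_filetrans(samhain_t, samhain_var_run_t, file)

# Generic read-only access, as suggested in the thread, so the checker is
# not limited to the paths hard-wired into one user's database.
files_list_all(samhain_t)
files_getattr_all_files(samhain_t)
# Assumption: checksum mode also opens and reads the files rather than
# only stat()ing them. This reaches sensitive files such as /etc/shadow,
# which is the reason the write side above is kept so narrow.
files_read_all_files(samhain_t)

logging_send_syslog_msg(samhain_t)
miscfiles_read_localization(samhain_t)
```

The companion samhain.fc needs at least `/usr/local/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)` plus entries for the assumed init script and state paths; build with `make -f /usr/share/selinux/devel/Makefile samhain.pp`, load with `semodule -i samhain.pp`, then `restorecon -Rv` the labelled paths. Keep iterating on the AVC log with `audit2allow -w` rather than pasting its generated rules in wholesale: for a checker that can read every file, the rules worth scrutinising are the ones that would add write or execute access outside the three types declared here.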