From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 02 Dec 2008 14:06:05 -0500
Subject: [refpolicy] yule
In-Reply-To:
References:
Message-ID: <1228244768.9691.30.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> On Sun, Nov 30, 2008 at 3:31 PM, Konrad Azzopardi
> wrote:
> > Dear all,
> >
> > I am confining a service called 'yule', which is the central server
> > for the file integrity checker SAMHAIN.
> >
> > Something about the server:
> >
> > Binary file is at /usr/local/sbin/yule
> > Startup script is at /etc/rc.d/init.d/yule --
> > Config file: /etc/yulerc
> > Logfiles: /var/log/yule(/.*)?
> > PID file is at /var/run/yule.pid
> >
> > It optionally uses mysql and I have put this as a boolean. I would
> > appreciate it if somebody reviewed the files and gave me some feedback to
> > know if I am on the right track.
> >
> > I have only one question.... When I issue a stop by /etc/init.d/yule stop
> > I get all sorts of avc denials, however the daemon still stops. From
> > the avc denials and also via an strace it is evident that the stop
> > script is somehow doing a search in all proc directories. What is the
> > best thing to do here? Allowing search to all types in /proc or making
> > a dontaudit, and in both cases is there a macro that captures all types
> > inside /proc {don't think so}.

Rule-wise I see a few things which seem questionable to me:

> manage_files_pattern(yule_t,yule_config_t,yule_config_t)

It seems like you would not want the daemon to modify its own config files.

> allow yule_t yule_exec_t:file execmod;

Did you really encounter this as a denial? I wouldn't expect this on an
executable. Especially a daemon doing this on its own executable.

> allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource kill sys_ptrace};

The kill and sys_ptrace capabilities seem weird, as there do not seem to
be any process sigkill or process ptrace permissions being used in the
policy.

Assuming you're interested in getting this upstreamed:

> /usr/local/sbin/yule -- gen_context(system_u:object_r:yule_exec_t,s0)

Standard (distro) locations should be covered too, such as /usr/sbin/yule,
not just /usr/local. Also the organization of the file should be fixed to
match the refpolicy style better.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
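The review points in the reply above, as an added example constructed for this page (not Konrad's posted module and not refpolicy's own yule policy): each flagged rule beside the narrower form the reply asks for. The type names and the quoted rules come from the thread; the `files_config_file` declaration, the `/etc/yulerc` labelling and the combined .te/.fc listing are assumptions made for illustration.

```selinux
# yule.te (constructed fragment; a real module keeps .te and .fc separate)
policy_module(yule, 1.0.0)

type yule_t;
type yule_exec_t;
init_daemon_domain(yule_t, yule_exec_t)

type yule_config_t;
files_config_file(yule_config_t)    # assumption: /etc/yulerc gets this type

# Flagged: manage_* lets the daemon rewrite its own configuration.
#   manage_files_pattern(yule_t, yule_config_t, yule_config_t)
# A daemon that only loads /etc/yulerc needs read access and a search
# path into /etc; nothing more.
read_files_pattern(yule_t, yule_config_t, yule_config_t)
files_search_etc(yule_t)

# Flagged: execmod on the daemon's own executable. Leave it out unless an
# actual AVC denial for it shows up; a normal daemon never needs it.
#   allow yule_t yule_exec_t:file execmod;

# Flagged: kill and sys_ptrace with no process:sigkill / process:ptrace
# rules anywhere in the module, so they are granted for nothing.
#   allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource kill sys_ptrace };
allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource };

# yule.fc (constructed fragment): label the distro location as well as
# /usr/local, so the same module works on a packaged install.
/usr/local/sbin/yule  --  gen_context(system_u:object_r:yule_exec_t,s0)
/usr/sbin/yule        --  gen_context(system_u:object_r:yule_exec_t,s0)
/etc/yulerc           --  gen_context(system_u:object_r:yule_config_t,s0)
```

After reloading the module, a `yule_t` process attempting to write `/etc/yulerc` produces an AVC denial rather than succeeding silently, which is the behaviour the reply argues a daemon should have toward its own config.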