From: konrad.azzopardi@gmail.com (Konrad Azzopardi)
Date: Tue, 2 Dec 2008 21:19:18 +0100
Subject: [refpolicy] yule
In-Reply-To: <1228244768.9691.30.camel@gorn>
References: <1228244768.9691.30.camel@gorn>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Chris,

Thanks for your answer. For sure I was getting a denial without execmod. For the rest I will check.

tnx
konrad

On Tue, Dec 2, 2008 at 8:06 PM, Christopher J. PeBenito wrote:
>> On Sun, Nov 30, 2008 at 3:31 PM, Konrad Azzopardi wrote:
>> > Dear all,
>> >
>> > I am confining a service called 'yule', which is the central server
>> > for the file integrity checker SAMHAIN.
>> >
>> > Something about the server:
>> >
>> > Binary file is at /usr/local/sbin/yule
>> > Startup script is at /etc/rc.d/init.d/yule --
>> > Config file: /etc/yulerc
>> > Logfiles /var/log/yule(/.*)?
>> > PID file is at /var/run/yule.pid
>> >
>> > It optionally uses mysql and I have put this as a boolean. I would
>> > appreciate it if somebody reviewed the files and gave me some feedback to
>> > know if I am on the right track.
>> >
>> > I have only one question.... When I issue a stop by /etc/init.d/yule stop
>> > I get all sorts of avc denials, however the daemon still stops. From
>> > the avc denials and also via an strace it is evident that the stop
>> > script is somehow doing a search in all proc directories. What is the
>> > best thing to do here? Allowing search to all types in /proc or make
>> > a dontaudit, and in both cases is there a macro that captures all types
>> > inside /proc {don't think so}.
>
> Rule-wise I see a few things which seem questionable to me:
>
>> manage_files_pattern(yule_t,yule_config_t,yule_config_t)
>
> It seems like you would not want the daemon to modify its own config
> files.
>
>> allow yule_t yule_exec_t:file execmod;
>
> Did you really encounter this as a denial? I wouldn't expect this on an
> executable. Especially a daemon doing this on its own executable.
>
>> allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource kill sys_ptrace};
>
> The kill and sys_ptrace capabilities seem weird, as there do not seem to
> be any process sigkill or process ptrace permissions being used in the
> policy.
>
>
> Assuming you're interested in getting this upstreamed:
>
>> /usr/local/sbin/yule -- gen_context(system_u:object_r:yule_exec_t,s0)
>
> Standard (distro) locations should be covered too, such
> as /usr/sbin/yule, not just /usr/local.
>
> Also the organization of the file should be fixed to match the refpolicy
> style better.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
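As an added illustration of the corrections Chris lists above (read-only config, no execmod on the daemon's own executable, capabilities trimmed to what the rules actually exercise, the distro path covered alongside /usr/local, the MySQL boolean, and refpolicy-style file layout), here is a sketch of what a yule module could look like. It is example code written for this page, not the module Konrad posted and not anything from the refpolicy or Samhain projects; the type names, the choice of interfaces, the network rules and the dontaudit used for the /proc search on shutdown are assumptions, and the interface names should be checked against the refpolicy release in use, since several corenet_* interfaces have been renamed between releases. The .fc entries are appended as comments so the block stays a single file.

```m4
## yule.te -- example module for this page, not the one posted in the thread
policy_module(yule, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow yule to connect to the local MySQL socket to log to a database.
## </p>
## </desc>
gen_tunable(yule_use_mysql, false)

type yule_t;
type yule_exec_t;
init_daemon_domain(yule_t, yule_exec_t)

type yule_conf_t;
files_config_file(yule_conf_t)

type yule_log_t;
logging_log_file(yule_log_t)

type yule_var_run_t;
files_pid_file(yule_var_run_t)

########################################
#
# Local policy
#

# Only the capabilities the rules below need. kill and sys_ptrace are left
# out: nothing here grants signalling or ptrace of another domain, and
# signalling its own processes needs no capability at all.
allow yule_t self:capability { setuid setgid dac_override fowner ipc_lock sys_resource };
allow yule_t self:process signal_perms;
allow yule_t self:fifo_file rw_fifo_file_perms;
allow yule_t self:tcp_socket create_stream_socket_perms;

# The daemon reads its configuration; it does not get manage_files_pattern on it.
read_files_pattern(yule_t, yule_conf_t, yule_conf_t)

# Log directory and pid file are the only things it writes.
manage_dirs_pattern(yule_t, yule_log_t, yule_log_t)
manage_files_pattern(yule_t, yule_log_t, yule_log_t)
logging_log_filetrans(yule_t, yule_log_t, { dir file })

manage_files_pattern(yule_t, yule_var_run_t, yule_var_run_t)
files_pid_filetrans(yule_t, yule_var_run_t, file)

# Deliberately no "allow yule_t yule_exec_t:file execmod;": an execmod
# denial on the daemon's own binary points at a text-relocation problem in
# how the binary was built, which is fixed in the build, not in policy.

kernel_read_kernel_sysctls(yule_t)
kernel_read_system_state(yule_t)

# Listening socket for samhain clients. ASSUMPTION: no port type is declared
# for it here, so no corenet_tcp_bind_*_port() call is shown.
corenet_all_recvfrom_unlabeled(yule_t)
corenet_tcp_sendrecv_generic_if(yule_t)
corenet_tcp_sendrecv_generic_node(yule_t)
corenet_tcp_bind_generic_node(yule_t)

# The thread reports the stop path searching every /proc/<pid> directory.
# ASSUMPTION: silence that noise instead of allowing reads of every other
# domain's state, if the search really happens in yule_t.
domain_dontaudit_read_all_domains_state(yule_t)

files_read_etc_files(yule_t)
auth_use_nsswitch(yule_t)
logging_send_syslog_msg(yule_t)
miscfiles_read_localization(yule_t)

optional_policy(`
	tunable_policy(`yule_use_mysql',`
		mysql_stream_connect(yule_t)
	')
')

## yule.fc -- distro and /usr/local locations both labelled (copy to yule.fc)
# /etc/yulerc			--	gen_context(system_u:object_r:yule_conf_t,s0)
# /usr/sbin/yule		--	gen_context(system_u:object_r:yule_exec_t,s0)
# /usr/local/sbin/yule		--	gen_context(system_u:object_r:yule_exec_t,s0)
# /var/log/yule(/.*)?			gen_context(system_u:object_r:yule_log_t,s0)
# /var/run/yule\.pid		--	gen_context(system_u:object_r:yule_var_run_t,s0)
```

Building it with the refpolicy Makefile (make -f /usr/share/selinux/devel/Makefile yule.pp, then semodule -i yule.pp and restorecon on the paths in the .fc) and re-running the start/stop cycle under audit shows whether any of the dropped rules (execmod, kill, sys_ptrace, write access to yulerc) are really exercised; if they are, the denial itself is the thing to investigate before adding them back.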