From: konrad.azzopardi@gmail.com (Konrad Azzopardi)
Date: Tue, 2 Dec 2008 22:17:05 +0100
Subject: [refpolicy] yule
In-Reply-To:
References: <1228244768.9691.30.camel@gorn>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Chris,

I changed manage_files_pattern(yule_t,yule_config_t,yule_config_t) to allow yule_t yule_config_t:file read_file_perms;

The kill and sys_ptrace are needed; without them there are problems stopping the service.

Tnx
Konrad

On Tue, Dec 2, 2008 at 9:19 PM, Konrad Azzopardi wrote:
> Hi Chris,
>
> Thanks for your answer. For sure I was getting a denial without
> execmod. For the rest I will check.
>
> tnx
> konrad
>
> On Tue, Dec 2, 2008 at 8:06 PM, Christopher J. PeBenito wrote:
>>> On Sun, Nov 30, 2008 at 3:31 PM, Konrad Azzopardi wrote:
>>> > Dear all,
>>> >
>>> > I am confining a service called 'yule', which is the central server
>>> > for the file integrity checker SAMHAIN.
>>> >
>>> > Something about the server:
>>> >
>>> > Binary file is at /usr/local/sbin/yule
>>> > Startup script is at /etc/rc.d/init.d/yule --
>>> > Config file: /etc/yulerc
>>> > Logfiles /var/log/yule(/.*)?
>>> > PID file is at /var/run/yule.pid
>>> >
>>> > It optionally uses mysql and I have put this as a boolean. I would
>>> > appreciate it if somebody reviewed the files and gave me some feedback to
>>> > know if I am on the right track.
>>> >
>>> > I have only one question. When I issue a stop by /etc/init.d/yule stop
>>> > I get all sorts of avc denials, however the daemon still stops. From
>>> > the avc denials and also via an strace it is evident that the stop
>>> > script is somehow doing a search in all proc directory. What is the
>>> > best thing to do here? Allowing search to all types in /proc or make
>>> > a dontaudit, and in both cases is there a macro that captures all types
>>> > inside /proc {don't think so}.
>>
>> Rule-wise I see a few things which seem questionable to me:
>>
>>> manage_files_pattern(yule_t,yule_config_t,yule_config_t)
>>
>> It seems like you would not want the daemon to modify its own config
>> files.
>>
>>> allow yule_t yule_exec_t:file execmod;
>>
>> Did you really encounter this as a denial? I wouldn't expect this on an
>> executable. Especially a daemon doing this on its own executable.
>>
>>> allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource kill sys_ptrace};
>>
>> The kill and sys_ptrace capabilities seem weird, as there do not seem to
>> be any process sigkill or process ptrace permissions being used in the
>> policy.
>>
>>
>> Assuming you're interested in getting this upstreamed:
>>
>>> /usr/local/sbin/yule -- gen_context(system_u:object_r:yule_exec_t,s0)
>>
>> Standard (distro) locations should be covered too, such
>> as /usr/sbin/yule, not just /usr/local.
>>
>> Also the organization of the file should be fixed to match the refpolicy
>> style better.
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> (410) 290-1411 x150
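As an added illustration (not Konrad's actual module and not code from the refpolicy tree), this is how the rules discussed in the thread could be laid out in refpolicy style: the config type is read-only for the daemon, both binary locations get a file context, and the /proc reads are handled with the stock kernel and domain interfaces. The type names beyond those quoted (yule_log_t, yule_var_run_t), the tunable name yule_use_mysql, and the assumption that the /proc searches happen in yule_t are mine.

```selinux
# yule.fc -- paths as listed in the thread, plus the distro location
/usr/sbin/yule            --  gen_context(system_u:object_r:yule_exec_t,s0)
/usr/local/sbin/yule      --  gen_context(system_u:object_r:yule_exec_t,s0)
/etc/yulerc               --  gen_context(system_u:object_r:yule_config_t,s0)
/var/log/yule(/.*)?           gen_context(system_u:object_r:yule_log_t,s0)
/var/run/yule\.pid        --  gen_context(system_u:object_r:yule_var_run_t,s0)

# yule.te
policy_module(yule, 1.0.0)

## <desc><p>Allow yule to connect to the MySQL database.</p></desc>
gen_tunable(yule_use_mysql, false)   # assumed boolean name

type yule_t;
type yule_exec_t;
init_daemon_domain(yule_t, yule_exec_t)

type yule_config_t;
files_config_file(yule_config_t)

type yule_log_t;                     # assumed type name
logging_log_file(yule_log_t)

type yule_var_run_t;                 # assumed type name
files_pid_file(yule_var_run_t)

# Capability set as posted; the review asked for process:{sigkill ptrace}
# denials in the audit log before keeping kill and sys_ptrace.
allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource kill sys_ptrace };

# Config stays read-only for the daemon (replaces manage_files_pattern).
read_files_pattern(yule_t, yule_config_t, yule_config_t)
files_search_etc(yule_t)

manage_dirs_pattern(yule_t, yule_log_t, yule_log_t)
manage_files_pattern(yule_t, yule_log_t, yule_log_t)
logging_log_filetrans(yule_t, yule_log_t, { dir file })
logging_search_logs(yule_t)

manage_files_pattern(yule_t, yule_var_run_t, yule_var_run_t)
files_pid_filetrans(yule_t, yule_var_run_t, file)
files_search_pids(yule_t)

# /proc: allow the kernel state reads, silence the per-process ones
# if the stop path turns out to run them in yule_t.
kernel_read_system_state(yule_t)
domain_dontaudit_read_all_domains_state(yule_t)

optional_policy(`
	tunable_policy(`yule_use_mysql',`
		mysql_stream_connect(yule_t)
	')
')
```

If the stop-time denials are logged against initrc_t rather than yule_t, the last two interfaces belong in the init script's policy instead.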