From: hal@deer-run.com (Hal Pomeranz)
Date: Sat, 18 Jul 2009 16:02:24 -0700
Subject: [refpolicy] Critique requested
Message-ID: <20090718230224.GB26512@deer-run.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I'm still wrapping my head around the SELinux Reference Policy, but I was curious if the experts on this list would like to comment on the sample policy files below. It's a simple policy for the old portsentry HIDS. It's not a complete policy by any means, since I've just been testing in "stealth mode" and not triggering any actions on detects, but it's a start. I'm curious if I'm making any stylistic or technical errors.

Also a question, if I may. I originally compiled portsentry from source as a standard dynamically-linked executable. However, when I started this binary under SELinux control I kept getting denials on the shared library "lib_t" files and directories as well as on various "ld_so*_t" files. Recompiling as a statically-linked executable made this problem go away (obviously), but what's the magic to get a standard dynamically-linked executable to not generate these errors? I've looked at the sample files in the refpolicy source and haven't been able to figure out the trick.

FWIW I've been doing my testing on a CentOS (RHEL) 5.3 system. It doesn't have the latest and greatest version of refpolicy installed by default, but it's a fairly recent version.

-- 
Hal Pomeranz, Founder/CEO                         hal at deer-run.com
Deer Run Associates
Network Connectivity and Security, Systems Management, Training

-------------- next part --------------
# File contexts (.fc): the daemon binary, its read-only configuration,
# and the one directory it is allowed to write to.
/usr/local/sbin/portsentry	--	gen_context(system_u:object_r:portsentry_exec_t,s0)
/etc/portsentry(/.*)?			gen_context(system_u:object_r:portsentry_etc_t,s0)
/var/lib/portsentry(/.*)?		gen_context(system_u:object_r:portsentry_log_t,s0)
-------------- next part --------------
policy_module(portsentry, 1.0.4)

#### Declarations

# init_daemon_domain() already makes portsentry_t a domain, adds it to
# system_r and makes portsentry_exec_t its entry point, so separate
# domain_type() / role / domain_entry_file() calls are not needed.
type portsentry_t;
type portsentry_exec_t;
init_daemon_domain(portsentry_t, portsentry_exec_t)

type portsentry_etc_t;
files_config_file(portsentry_etc_t)

# State and history files under /var/lib/portsentry.
# (No trailing semicolon: interface calls are m4 macros, not policy statements.)
type portsentry_log_t;
logging_log_file(portsentry_log_t)

#### Policy

# Limited since we're going to allow binding to everything.
define(`portsentry_socket_perms', `{ bind connect create listen read write }')

allow portsentry_t self:tcp_socket portsentry_socket_perms;
allow portsentry_t self:udp_socket portsentry_socket_perms;
allow portsentry_t self:unix_dgram_socket portsentry_socket_perms;
allow portsentry_t self:rawip_socket portsentry_socket_perms;
# net_raw for the raw socket, net_bind_service for ports below 1024.
allow portsentry_t self:capability { net_raw net_bind_service };
allow portsentry_t self:process fork;

# Configuration is read-only.
allow portsentry_t portsentry_etc_t:dir list_dir_perms;
allow portsentry_t portsentry_etc_t:file read_file_perms;

# State/history files are the only thing the daemon may write.
allow portsentry_t portsentry_log_t:dir list_dir_perms;
allow portsentry_t portsentry_log_t:file rw_file_perms;

# Stealth mode listens on arbitrary ports on any local address.
corenet_tcp_bind_all_ports(portsentry_t)
corenet_tcp_bind_all_nodes(portsentry_t)
corenet_udp_bind_all_ports(portsentry_t)
corenet_udp_bind_all_nodes(portsentry_t)
kernel_sendrecv_unlabeled_packets(portsentry_t)

logging_send_syslog_msg(portsentry_t)
miscfiles_read_localization(portsentry_t)

# Path lookups to reach /etc/portsentry and /var/lib/portsentry.
files_search_etc(portsentry_t)
files_search_var_lib(portsentry_t)
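The lib_t and ld_so*_t denials in the question come from the dynamic loader and the shared libraries it maps, which the refpolicy shipped with RHEL 5 grants through libs_use_ld_so() and libs_use_shared_libs(); a dynamically-linked portsentry needs both calls in the .te (later refpolicy releases give every domain these rules and deprecate the two interfaces). The script below is an added example and is not part of the original post or of the portsentry policy above. It takes AVC records and maps each denied target type to the refpolicy interface a module should call, which is the step audit2allow leaves to you when it prints raw allow rules. The AVC lines are constructed for this example in the RHEL 5 audit.log format, not copied from a real system, and the type-to-interface table is an assumption that covers only the types named in the message plus a few other common start-up denials; anything else is flagged for manual review.

```shell
#!/bin/sh
# Added example (not from the original post): map AVC denials for one
# domain to the refpolicy interface that grants them.

# Constructed AVC records resembling the denials described in the message
# (ld.so.cache, the loader, a lib directory search, libc), plus one record
# from another domain and one on a type the table does not know.
AVC_SAMPLE='type=AVC msg=audit(1247959344.101:201): avc:  denied  { read } for  pid=2345 comm="portsentry" path="/etc/ld.so.cache" dev=sda1 ino=1111 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file
type=AVC msg=audit(1247959344.102:202): avc:  denied  { read execute } for  pid=2345 comm="portsentry" path="/lib/ld-2.5.so" dev=sda1 ino=2222 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file
type=AVC msg=audit(1247959344.103:203): avc:  denied  { search } for  pid=2345 comm="portsentry" name="lib" dev=sda1 ino=3333 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC msg=audit(1247959344.104:204): avc:  denied  { read execute } for  pid=2345 comm="portsentry" path="/lib/libc-2.5.so" dev=sda1 ino=4444 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1247959344.105:205): avc:  denied  { write } for  pid=2345 comm="portsentry" path="/var/run/portsentry.pid" dev=sda1 ino=5555 scontext=system_u:system_r:portsentry_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1247959344.106:206): avc:  denied  { read } for  pid=1999 comm="sshd" path="/lib/libcrypto.so.6" dev=sda1 ino=6666 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file'

# Refpolicy interface that grants read access to files of a given type.
# Assumed table for this example: only the types named in the message
# plus two other common start-up denials are covered.
interface_for_type() {
    case "$1" in
        ld_so_t|ld_so_cache_t)  echo libs_use_ld_so ;;
        lib_t|textrel_shlib_t)  echo libs_use_shared_libs ;;
        locale_t)               echo miscfiles_read_localization ;;
        etc_t)                  echo files_read_etc_files ;;
        *)                      echo "" ;;
    esac
}

# Extract the target type (e.g. "lib_t") from one AVC record.  Works with
# or without the ":s0" MLS/MCS suffix on the context.
target_type() {
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p'
}

# Read AVC records on stdin and print, once each, the interface calls
# domain $1 needs; types with no known interface are flagged as comments.
suggest_interfaces() {
    domain="$1"
    grep 'avc: *denied' | grep -E "scontext=[^ ]*:${domain}([: ]|$)" |
    while IFS= read -r rec; do
        target_type "$rec"
    done | LC_ALL=C sort -u |
    while IFS= read -r ttype; do
        iface=$(interface_for_type "$ttype")
        if [ -n "$iface" ]; then
            printf '%s(%s)\n' "$iface" "$domain"
        else
            printf '# no interface known for %s: check audit2allow output by hand\n' "$ttype"
        fi
    done | LC_ALL=C sort -u
}

# Stand-alone usage: the two interface lines printed are what the
# dynamically-linked build of portsentry was missing in the .te.
printf '%s\n' "$AVC_SAMPLE" | suggest_interfaces portsentry_t
```

On a live system the same function reads the real log with `ausearch -m avc -c portsentry | suggest_interfaces portsentry_t`; after rebuilding the module, a dontaudit rule or a denial on one of the module's own types (portsentry_etc_t, portsentry_log_t) means a missing allow rule rather than a missing interface.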