From: harrytaurus2002@hotmail.com (HarryCiao)
Date: Mon, 15 Nov 2010 01:54:58 +0000
Subject: [refpolicy] FW: Add support for the samhain program
In-Reply-To: <20101112115307.GB21277@localhost.localdomain>
References: , , <20101111121804.GA17316@localhost.localdomain>, , <20101112115307.GB21277@localhost.localdomain>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> > From: harrytaurus2002 at hotmail.com
> > To: refpolicy at oss.tresys.com
> > Date: Tue, 9 Nov 2010 03:33:24 +0000
> > Subject: [refpolicy] Add support for the samhain program
> >
> > Hi SELinux experts:
> >
> > I have tried to add support for the samhain program, which is used to check filesystem integrity. Please help comment on the attached implementation of the samhain.pp, many thanks!
> >
> > I have tested it on the samhain-2.5.5 package with the default configuration by the following commands, and samhain could detect the changes it is configured to monitor in its configuration file (/etc/samhainrc):
> >
> > (In sysadm_r role, install samhain.pp and update sysadm.pp)
> > 1. Initialize database:
> > newrole -l s15:c0.c1023 -- -c "samhain -t init"
> >
> > 2. Check samhain daemon status:
> > run_init /etc/init.d/samhain status
> >
> > 3. Start samhain in daemon mode:
> > run_init /etc/init.d/samhain start
> > or,
> > newrole -l s15:c0.c1023 -- -c "samhain -t check -D"
> >
> > 4. Stop samhain daemon:
> > run_init /etc/init.d/samhain stop
> >
> > Two more questions:
> > 1. sysadm or secadm, who is a better choice to call samhain_admin() for? sysadm could manage /var/log/ and /var/lib/ already but doesn't belong to the mlsfilewrite attribute, while secadm has the opposite abilities.
>
> I think you can compare samhain to aide and so you can look at how it's dealt with in aide's case. In aide's case secadm calls aide_run() and so that is what I would do as well.
Hi Dom,

This is the v2 version of the samhain.pp patch. I have added the call of the samhain_run() interface in the userdom_security_admin_template(), so that when MLS is enabled the secadm would be able to run it. Since the samhain application provides an init script, the sysadm would also be able to start/stop/query status by the run_init tool.

Also I have some follow-up questions for the aide_admin or samhain_admin interfaces:

1. aide_admin() is not used by any kind of administrator; should we define such an unused interface in the .if file?

2. I know aide_run() is called by the userdom_security_admin_template(), so sysadm or secadm would be able to run the aide program when the MLS feature is enabled or not, respectively. Why hasn't aide_admin() been called there along with aide_run()?

3. Moreover, I don't get it so far: although aide_admin() has not been called for sysadm, with the sesearch tool I can see that sysadm seems to have been granted the privileges of admin_pattern(sysadm_t, aide_db_t) and admin_pattern(sysadm_t, aide_log_t), for example:

allow sysadm_t aide_log_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t aide_log_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
......
allow sysadm_t aide_db_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t aide_db_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
......

Also, no admin domain has the ptrace privilege on the aide_t domain, which means aide_admin() has not actually been called for sysadm_t:

root at qemu-host:/root> sesearch -SCA -s sysadm_t -t aide_t -c process -p ptrace
root at qemu-host:/root> sesearch -SCA -t aide_t -c process -p ptrace
root at qemu-host:/root>

So how could sysadm_t have been granted the above privileges without aide_admin(sysadm_t) being called explicitly?

4. Although secadm is able to run samhain, it is unable to remove entries from /var/log/ or /var/lib/, so it can't remove samhain's log/log.lock or database files. On the other hand, although sysadm could manage /var/log/ and /var/lib/, their security levels are s0 while the samhain_log's security level is mls_systemhigh. Since sysadm_t does not belong to the mlsfilewrite attribute, it could not remove samhain_log from /var/log/. How could we solve such a catch-22 problem while SELinux is in the enforcing mode?

Thanks a lot!

Best regards,
Harry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: v2-Add-support-for-the-samhain-program.patch
Type: text/x-patch
Size: 10351 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101115/bd36651a/attachment.bin
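As an added illustration for readers of the archive (this is not the contents of the attached v2 patch, which the list software scrubbed): the aide-style shape that the comparison above suggests for a samhain.if, with the samhain_run() call placed in userdom_security_admin_template() as the v2 message describes. The type names samhain_t, samhain_exec_t, samhain_db_t and samhain_log_t are assumed for the illustration; only the interface names samhain_run(), samhain_admin() and the samhain_log label appear in the thread. The refpolicy building blocks used (domtrans_pattern, ps_process_pattern, admin_pattern, corecmd_search_bin, files_list_var_lib, logging_list_logs) are the standard ones from the reference policy support macros.

```m4
## <summary>Samhain file integrity checker (illustrative interfaces, not the posted patch).</summary>

########################################
## <summary>
##	Execute samhain in the samhain domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samhain_domtrans',`
	gen_require(`
		# assumed type names for this illustration
		type samhain_t, samhain_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, samhain_exec_t, samhain_t)
')

########################################
## <summary>
##	Execute samhain in the samhain domain and allow
##	the specified role the samhain domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`samhain_run',`
	gen_require(`
		type samhain_t;
	')

	samhain_domtrans($1)
	# without this role line the caller could transition but
	# the resulting samhain_t process would be invalid for its role
	role $2 types samhain_t;
')

########################################
## <summary>
##	All of the rules required to administrate
##	a samhain environment (mirrors aide_admin()).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`samhain_admin',`
	gen_require(`
		# assumed type names for this illustration
		type samhain_t, samhain_db_t, samhain_log_t;
	')

	# process:ptrace on the daemon domain is specific to the *_admin()
	# interface; it is the rule the thread uses to test whether
	# aide_admin() was ever called for a domain
	allow $1 samhain_t:process { ptrace signal_perms };
	ps_process_pattern($1, samhain_t)

	# admin_pattern() expands to the manage_*_pattern and relabel_*_pattern
	# macros for dir, file, lnk_file, fifo_file and sock_file, i.e. exactly
	# the permission sets quoted for aide_db_t and aide_log_t above
	files_list_var_lib($1)
	admin_pattern($1, samhain_db_t)

	logging_list_logs($1)
	admin_pattern($1, samhain_log_t)

	samhain_run($1, $2)
')

########################################
# userdomain.if, inside userdom_security_admin_template($1 = domain, $2 = role),
# next to the existing aide_run() call; optional_policy() keeps the template
# valid when the samhain module is not loaded:
#
#	optional_policy(`
#		samhain_run($1, $2)
#	')
```

Two points follow from this shape and bear on question 3 above. First, the file and dir permission sets printed by sesearch for aide_log_t and aide_db_t are exactly the union of manage_*_perms and relabel_*_perms, so they look like admin_pattern() output regardless of which interface produced them; a type also receives any rule written against an attribute it carries (aide_log_t is declared with logging_log_file(), which puts it in the logfile attribute), so the next thing to check is seinfo -t aide_log_t -x for its attributes and then sesearch against those attributes as the target. Second, the process:ptrace rule on the daemon domain is not reproduced by any of the generic file-management interfaces, which is why its absence is the reliable indicator that the *_admin() interface itself was never invoked, as the sesearch output in the message shows.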