From: harrytaurus2002@hotmail.com (HarryCiao)
Date: Tue, 16 Nov 2010 07:03:21 +0000
Subject: [refpolicy] FW: Add support for the samhain program
In-Reply-To: <20101115123522.GE21277@localhost.localdomain>
References: <20101111121804.GA17316@localhost.localdomain>, <20101112115307.GB21277@localhost.localdomain>, <20101115123522.GE21277@localhost.localdomain>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Dom,

Thanks for your answer! Now I am clear on how sysadm is made able to read from all types of files except shadow_t.

However, for the samhain case, I still think we should call it for the sysadm rather than the secadm, even though we have called samhain_run(secadm_t), just because samhain_admin() assumes that the calling domain would already be able to write to (remove an entry from) /var/log/ and /var/lib/, and so far only the sysadm could do that.

samhain_admin() would call mls_file_write_all_levels() for the calling domain, so that it could write to /var/lib/ or /var/log/, which are at s0, in order to delete the samhain files, which are at mls_systemhigh.

With samhain_admin(sysadm_t) the sysadm could remove samhain files successfully with the following command:

newrole -l s15:c0.c1023 -p -- -c "rm /var/log/samhain_log"

Best regards,
Harry

Date: Mon, 15 Nov 2010 13:35:23 +0100
From: domg472@gmail.com
To: refpolicy@oss.tresys.com
Subject: Re: [refpolicy] FW: Add support for the samhain program

On Mon, Nov 15, 2010 at 01:54:58AM +0000, HarryCiao wrote:
> > > From: harrytaurus2002@hotmail.com
> > > To: refpolicy@oss.tresys.com
> > > Date: Tue, 9 Nov 2010 03:33:24 +0000
> > > Subject: [refpolicy] Add support for the samhain program
> > >
> > > Hi SELinux experts:
> > >
> > > I have tried to add support for the samhain program, which is used to check filesystem integrity. Please help comment on the attached implementation of the samhain.pp, many thanks!
> > >
> > > I have tested it on the samhain-2.5.5 package with the default configuration by the following commands, and samhain could detect changes to what is monitored in its configuration file (/etc/samhainrc):
> > >
> > > (In sysadm_r role, install samhain.pp and update sysadm.pp)
> > > 1. Initialize database:
> > > newrole -l s15:c0.c1023 -- -c "samhain -t init"
> > >
> > > 2. Check samhain daemon status:
> > > run_init /etc/init.d/samhain status
> > >
> > > 3. Start samhain in daemon mode:
> > > run_init /etc/init.d/samhain start
> > > or,
> > > newrole -l s15:c0.c1023 -- -c "samhain -t check -D"
> > >
> > > 4. Stop samhain daemon:
> > > run_init /etc/init.d/samhain stop
> > >
> > > Two more questions:
> > > 1. sysadm or secadm, who is a better choice to call samhain_admin() for? sysadm could manage /var/log/ and /var/lib/ already but doesn't belong to the mlsfilewrite attribute, while secadm has the opposite abilities.
>
> I think you can compare samhain to aide and so you can look at how it's dealt with in aide's case.
> In aide's case secadm calls aide_run() and so that is what I would do as well.
>
> Hi Dom,
>
> This is the v2 version of the samhain.pp patch. I have added the call of the samhain_run() interface in the userdom_security_admin_template(), so that when MLS is enabled the secadm would be able to run it. Since the samhain application provides an init script, the sysadm would also be able to start/stop/query its status with the run_init tool.
>
> Also I have some follow-up questions for the aide_admin or samhain_admin interfaces:
>
> 1. aide_admin() is not used by any kind of administrator, should we define such an unused interface in the .if file?

Yes, because then end-users can use it in their custom modules. If we would by default create admin roles for each server we would end up with many role modules and most of them would probably not be used. By at least providing access to the interface we don't install it by default but we still make it available.

> 2. I know aide_run() is called by the userdom_security_admin_template(), so sysadm or secadm would be able to run the aide program when the MLS feature is enabled or not, respectively. Why has aide_admin() not been called there along with aide_run()?

I am not sure why aide_run wasn't added to aide_admin, and aide_admin was called in sysadm and secadm instead of aide_run. I guess adding aide_run() to aide_admin and then replacing aide_run by aide_admin in sysadm and secadm would be a better idea. Although for sysadm it doesn't really matter because sysadm can manage all files except shadow.

> 3. Moreover, I don't get it so far: although aide_admin() has not been called for sysadm, with the sesearch tool I can see that sysadm seems to have been granted the privileges of admin_pattern(sysadm_t, aide_db_t) and admin_pattern(sysadm_t, aide_log_t), for example:

sysadm can manage/relabel all files except shadow (see userdom_admin_user_template).

> allow sysadm_t aide_log_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
> allow sysadm_t aide_log_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
> ......
>
> allow sysadm_t aide_db_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
> allow sysadm_t aide_db_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
> ......
>
> Also, no admin domain has the ptrace privilege on the aide_t domain, which means aide_admin() has not actually been called for sysadm_t:

auth_manage_all_files_except_shadow($1_t)
auth_relabel_all_files_except_shadow($1_t)

was called from userdom_admin_user_template, which in turn was called by sysadm.

> root@qemu-host:/root> sesearch -SCA -s sysadm_t -t aide_t -c process -p ptrace
> root@qemu-host:/root> sesearch -SCA -t aide_t -c process -p ptrace
> root@qemu-host:/root>
>
> So how could sysadm_t have been granted the above privileges without aide_admin(sysadm_t) being called explicitly?
>
> 4. Although secadm is able to run samhain, it is unable to remove an entry from /var/log/ or /var/lib/, so it can't remove samhain's log/log.lock or database files. On the other hand, although sysadm could manage /var/log/ and /var/lib/, their security levels are s0 while samhain_log's security level is mls_systemhigh. Since sysadm_t does not belong to the mlsfilewrite attribute, it could not remove samhain_log from /var/log/. How could we solve such a catch-22 problem while SELinux is in enforcing mode?

Good point, it may be better to add samhain_admin to secadm instead of samhain_run after all. Not sure about the MLS complications though.

> Thanks a lot!
>
> Best regards,
> Harry
>
> From 55c5b47c17bcaf8688aabfe71482e235ffd50130 Mon Sep 17 00:00:00 2001
> From: Harry Ciao
> Date: Mon, 8 Nov 2010 14:42:38 +0800
> Subject: [v2 PATCH 1/1] Add support for the samhain program.
>
> Add support for the samhain program.
>
> Note, extra privileges may need to be granted to the samhain domain
> if its default configuration file (/etc/samhainrc) is changed.
>
> The samhain program could be used in the following way:
>
> (In secadm_r role)
> 1. Initialize database:
> newrole -l s15:c0.c1023 -- -c "samhain -t init"
>
> 2. Start samhain daemon to check filesystem integrity
> newrole -l s15:c0.c1023 -- -c "samhain -t check -D"
>
> (In sysadm_r role)
> 1. Start samhain in daemon mode:
> run_init /etc/init.d/samhain start
>
> 2. Stop samhain daemon:
> run_init /etc/init.d/samhain stop
>
> 3. Check samhain daemon status:
> run_init /etc/init.d/samhain status
>
> Signed-off-by: Harry Ciao
> ---
> policy/modules/services/samhain.fc | 13 +++
> policy/modules/services/samhain.if | 186 +++++++++++++++++++++++++++++++++++
> policy/modules/services/samhain.te | 114 +++++++++++++++++++++
> policy/modules/system/userdomain.if | 4 +
> 4 files changed, 317 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/samhain.fc
> create mode 100644 policy/modules/services/samhain.if
> create mode 100644 policy/modules/services/samhain.te
>
> diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc
> new file mode 100644
> index 0000000..b0ac8a5
> --- /dev/null
> +++ b/policy/modules/services/samhain.fc
> @@ -0,0 +1,13 @@ > +/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh) > + > +/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh) > + > +/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh) > +/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh) > + > +/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh) > + > +/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh) > +/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh) > + > +/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh) > diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if > new file mode 100644 > index 0000000..275ef4b > --- /dev/null > +++ b/policy/modules/services/samhain.if 
> @@ -0,0 +1,186 @@ > +## Samhain - check file integrity > + > +######################################## > +## > +## Execute samhain in the samhain domain > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`samhain_domtrans',` > + gen_require(` > + type samhain_t, samhain_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, samhain_exec_t, samhain_t) > +') > + > +######################################## > +## > +## Execute samhain in the samhain domain, and > +## allow the specifiled role the samhain domain > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## Role allowed to access. > +## > +## > +## > +# > +interface(`samhain_run',` > + gen_require(` > + type samhain_t; > + ') > + > + samhain_domtrans($1) > + role $2 types samhain_t; > +') > + > +######################################## > +## > +## Manage samhain configuration files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samhain_manage_config_files',` > + gen_require(` > + type samhain_etc_t; > + ') > + > + files_search_etc($1) > + manage_files_pattern($1, samhain_etc_t, samhain_etc_t) > +') > + > +######################################## > +## > +## Manage samhain database files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samhain_manage_db_files',` > + gen_require(` > + type samhain_db_t; > + ') > + > + files_search_var_lib($1) > + manage_files_pattern($1, samhain_db_t, samhain_db_t) > +') > + > +######################################## > +## > +## Manage samhain log and log.lock files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samhain_manage_log_files',` > + gen_require(` > + type samhain_log_t; > + ') > + > + logging_search_logs($1) > + manage_files_pattern($1, samhain_log_t, samhain_log_t) > +') > + > +######################################## > +## > +## Manage samhain pid files. 
> +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samhain_manage_pid_files',` > + gen_require(` > + type samhain_var_run_t; > + ') > + > + files_search_pids($1) > + manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t) > +') > + > +####################################### > +## > +## Manage samhain rc script files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samhain_manage_rc_script_files',` > + gen_require(` > + type samhain_initrc_exec_t; > + ') > + > + files_search_etc($1) > + manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t) > +') > + > +####################################### > +## > +## All of the rules required to administrate > +## the samhain environment. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +# > +interface(`samhain_admin',` > + gen_require(` > + type samhain_t, samhain_db_t, samhain_etc_t; > + type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; > + role system_r; > + ') > + > + allow $1 samhain_t:process { ptrace signal_perms }; > + ps_process_pattern($1, samhain_t) > + > + files_list_var_lib($1) > + admin_pattern($1, samhain_db_t) > + > + files_list_etc($1) > + admin_pattern($1, samhain_etc_t) > + admin_pattern($1, samhain_initrc_exec_t) > + > + logging_list_logs($1) > + admin_pattern($1, samhain_log_t) > + > + files_list_pids($1) > + admin_pattern($1, samhain_var_run_t) > + > + # The parent directories of samhain's database, log/log.lock files, > + # pid files are of s0, while these files are of the clearance level. > + mls_file_write_all_levels($1) > +') > diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te > new file mode 100644 > index 0000000..612795f > --- /dev/null > +++ b/policy/modules/services/samhain.te 
> @@ -0,0 +1,114 @@ > +policy_module(samhain, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type samhain_etc_t; > +files_config_file(samhain_etc_t) > + > +type samhain_log_t; > +logging_log_file(samhain_log_t) > + > +# Filesystem signature database > +type samhain_db_t; > +files_type(samhain_db_t) > + > +type samhain_initrc_exec_t; > +init_script_file(samhain_initrc_exec_t) > + > +type samhain_var_run_t; > +files_pid_file(samhain_var_run_t) > + > +type samhain_t; > +type samhain_exec_t; > +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh) > + > +######################################## > +# > +# Local policy > +# > + > +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock }; > +dontaudit samhain_t self:capability sys_resource; > +allow samhain_t self:fd use; > +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon > +allow samhain_t self:process { setsched setrlimit signal_perms }; > + > +allow samhain_t samhain_etc_t:file read_file_perms; > + > +# Only needed when starting samhain daemon from its init script. > +can_exec(samhain_t, samhain_exec_t) > + > +# Samhain needs to get the attribute of /proc/kcore. 
> +kernel_getattr_core_if(samhain_t) > + > +corecmd_list_bin(samhain_t) > +corecmd_read_bin_symlinks(samhain_t) > + > +# To get entropy > +dev_read_urand(samhain_t) > +dev_dontaudit_read_rand(samhain_t) > + > +domain_use_interactive_fds(samhain_t) > + > +files_search_etc(samhain_t) > + > +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t) > +files_pid_filetrans(samhain_t, samhain_var_run_t, file) > + > +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t) > +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir }) > + > +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t) > +logging_log_filetrans(samhain_t, samhain_log_t, file) > + > +# Samhain's pid, log and log.lock files are all in directories of s0, > +# while samhain daemon is running with the clearance level. > +mls_file_write_all_levels(samhain_t) > + > +# Read from utmp when monitoring login/logout events > +auth_read_login_records(samhain_t) > + > +# Get the attributes of all kinds of files in the rootfs > +dev_getattr_all_blk_files(samhain_t) > +dev_getattr_all_chr_files(samhain_t) > +dev_getattr_generic_blk_files(samhain_t) > +dev_getattr_generic_chr_files(samhain_t) > + > +files_getattr_all_dirs(samhain_t) > +files_getattr_all_files(samhain_t) > +files_getattr_all_symlinks(samhain_t) > +files_getattr_all_pipes(samhain_t) > +files_getattr_all_sockets(samhain_t) > +files_getattr_all_mountpoints(samhain_t) > + > +# Read from the file_type attribute and the lnk_file class > +files_read_all_files(samhain_t) > +files_read_all_symlinks(samhain_t) > + > +# Read from wtmp when monitoring login/logout events > +init_read_utmp(samhain_t) > + > +# Get the attribute of other filesystem's mountpoint, such as /selinux > +# /proc, /sys and /tmp, but not the contents inside, which suggests > +# that following rules should be set in samhain configuration file: > +# [Attributes] > +# file = /tmp > +# file = /proc > +# file = /sys > +# file = /selinux > +# [IgnoreALL] > +# dir = 
-1/tmp > +# dir = -1/proc > +# dir = -1/sys > +# dir = -1/selinux > +fs_getattr_all_dirs(samhain_t) > + > +# Get attribute of files with variant sensitivity levels > +mls_file_read_all_levels(samhain_t) > + > +logging_send_syslog_msg(samhain_t) > + > +userdom_use_user_terminals(samhain_t) > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index ea7b47d..7a847eb 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -1249,6 +1249,10 @@ template(`userdom_security_admin_template',` > ') > > optional_policy(` > + samhain_run($1, $2) > + ') > + > + optional_policy(` > consoletype_exec($1) > ') > > -- > 1.7.0.4 > _______________________________________________ refpolicy mailing list refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy -------------- next part -------------- An HTML attachment was scrubbed... URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20101116/0eed08a6/attachment-0001.html
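Review bot: In the samhain.fc hunk, /usr/sbin/samhain_setpwd is labelled samhain_exec_t next to /usr/sbin/samhain, so running the password-setting helper also domain-transitions into samhain_t and inherits everything samhain.te grants that domain (files_read_all_files, mls_file_read_all_levels, dac_override and the rest). If samhain_setpwd does not need to run confined as the daemon, drop that line so it keeps the default bin_t label rather than becoming a second entrypoint into the privileged domain; if it does need to, say why in a comment above the line.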
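Review bot: In the samhain.if hunk, samhain_admin() documents a second parameter ("Role allowed access") and requires role system_r, but the body never uses $2 or system_r, so a role given samhain_admin still cannot run samhain or its init script through this interface. Either hook the role up, for example by calling samhain_run($1, $2) from inside samhain_admin() as Dom proposes for aide_admin earlier in the thread, or remove the unused parameter and the system_r require. Separately, the closing mls_file_write_all_levels($1) is a system-wide MLS override rather than something scoped to the samhain types, so every caller of samhain_admin() (sysadm_t included) gains write-down on all files; the interface description should state that explicitly. Minor: "specifiled" in the samhain_run description.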
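Review bot: In the samhain.te hunk, samhain_db_t only gets manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t), yet files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir }) labels new directories samhain_db_t and samhain.fc labels the whole /var/lib/samhain(/.*)? tree with it, so the daemon has no dir permissions on its own database directory and cannot create or write entries inside it once it exists. Add manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t) beside the files pattern; samhain_manage_db_files() in the .if has the same gap. Also, the capability line grants fowner and ipc_lock without a comment saying which samhain operation needs them, and "termiate" in the signal_perms comment should be "terminate".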
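Review bot: In the userdomain.if hunk, the new optional_policy block for samhain_run($1, $2) is inserted ahead of the consoletype_exec one, which breaks the alphabetical ordering refpolicy keeps for optional_policy blocks inside templates; move it to its alphabetical position. More importantly, as question 4 in the thread points out, samhain_run alone leaves secadm able to run samhain but unable to remove the samhain_log_t and samhain_db_t files from their s0 parent directories; if the intent is for secadm to administer samhain, this should be samhain_admin($1, $2) (which also gives the unused role parameter in samhain_admin() a purpose).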
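Harry's sesearch queries above, and the catch-22 in question 4, both reduce to whether a domain holds every type-enforcement permission the kernel checks when a file is unlinked from a directory. The following Python is an added example for this thread, not part of the refpolicy patch or of any refpolicy tooling: it parses sesearch-style allow lines in the format shown in the thread and reports which of the required permissions a domain is missing. The rule lines are constructed: the aide_log_t lines copy the output format quoted above, while the samhain_log_t, var_log_t and secadm_t lines are invented for the demonstration and do not describe any real policy. MLS constraints (the mlsfilewrite attribute, write-down on s0 directories) are a second, separate gate that plain allow rules do not express, so the check deliberately covers the TE side only.

```python
"""Check, from sesearch-style allow rules, whether a domain holds every
type-enforcement permission needed to delete a file out of a directory.

Added example for this thread; not part of the refpolicy patch. The sample
rule text is constructed, not real policy output."""
import re
from collections import defaultdict

# Matches either form sesearch prints:
#   allow <src> <tgt> : <class> { p1 p2 ... } ;
#   allow <src> <tgt> : <class> p ;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;")


def parse_allow_rules(text):
    """Map (source, target, class) -> set of permissions, merging duplicates.
    Lines that are not allow rules (prompts, '......', blanks) are skipped."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        src, tgt, cls, many, one = m.groups()
        perms = many.split() if many is not None else [one]
        rules[(src, tgt, cls)].update(perms)
    return rules


# Permissions the kernel checks for unlink(2): search, write and remove_name
# on the parent directory's type, and unlink on the file's own type.
DELETE_FILE_NEEDS = {
    "dir": {"search", "write", "remove_name"},
    "file": {"unlink"},
}


def missing_for_delete(rules, domain, dir_type, file_type):
    """Return {class: sorted missing perms}; an empty dict means TE allows
    the deletion. MLS constraints are not modelled here."""
    missing = {}
    for cls, target in (("dir", dir_type), ("file", file_type)):
        have = rules.get((domain, target, cls), set())
        lack = DELETE_FILE_NEEDS[cls] - have
        if lack:
            missing[cls] = sorted(lack)
    return missing


# Constructed sample: aide_log_t lines copy the thread's format; the rest are
# invented to model a domain that can (sysadm_t) and one that cannot
# (secadm_t, no write/remove_name on the parent directory) delete the log.
SAMPLE = """\
allow sysadm_t aide_log_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_t aide_log_t : dir { ioctl read write create getattr setattr lock relabelfrom relabelto unlink link rename add_name remove_name reparent search rmdir open } ;
......
allow sysadm_t samhain_log_t : file { getattr unlink } ;
allow sysadm_t var_log_t : dir { search write add_name remove_name } ;
allow secadm_t samhain_log_t : file { getattr unlink } ;
allow secadm_t var_log_t : dir { search getattr read } ;
allow secadm_t samhain_t : process ptrace ;
"""


def report(domain, dir_type="var_log_t", file_type="samhain_log_t"):
    """Convenience wrapper: missing TE perms for deleting file_type in dir_type."""
    return missing_for_delete(parse_allow_rules(SAMPLE), domain, dir_type, file_type)


if __name__ == "__main__":
    for d in ("sysadm_t", "secadm_t"):
        gap = report(d)
        print(d, "can unlink (TE)" if not gap else f"is missing {gap}")
```

To use it against a live system, replace SAMPLE with the output of a query such as sesearch -A -s secadm_t and call missing_for_delete with the directory and file types that matter; an empty result only means the TE rules permit the unlink, so on an MLS policy the level of the process versus the s0 directory still has to be checked separately.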