From: harrytaurus2002@hotmail.com (HarryCiao)
Date: Thu, 18 Nov 2010 06:33:11 +0000
Subject: [refpolicy] FW: Add support for the samhain program
In-Reply-To: <4CE3E080.9070109@tresys.com>
References: <20101111121804.GA17316@localhost.localdomain>, <20101112115307.GB21277@localhost.localdomain>, <20101115123522.GE21277@localhost.localdomain>, <4CE3E080.9070109@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Many thanks Chris! Please see my inline responses and the attached v4 of samhain.pp.

> Date: Wed, 17 Nov 2010 09:02:40 -0500
> From: cpebenito at tresys.com
> To: harrytaurus2002 at hotmail.com
> CC: domg472 at gmail.com; refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] FW: Add support for the samhain program
>
> On 11/16/10 02:11, HarryCiao wrote:
> > Hi Chris,
> >
> > The attached is the v3 of the samhain.pp; I have kept improving
> > it according to the suggestions from Dominick Grift. Now the sysadm and
> > secadm can have full control over the whole samhain application.
> >
> > Any other comments?
>
> Comments inline.
>
> > From 05eb3e1893917d5fbc83daddd37edb003281bd1d Mon Sep 17 00:00:00 2001
> > From: Harry Ciao
> > Date: Mon, 8 Nov 2010 14:42:38 +0800
> > Subject: [v3 PATCH 1/1] Add support for the samhain program.
> >
> > Note, extra privileges may need to be granted to the samhain domain
> > if its configuration file (/etc/samhainrc) is changed.
> >
> > The samhain program could be used in the following way:
> >
> > (In secadm_r role)
> > 1. Initialize filesystem signature database:
> > newrole -l s15:c0.c1023 -p -- -c "samhain -t init"
> >
> > 2. Start samhain daemon to check filesystem integrity
> > newrole -l s15:c0.c1023 -p -- -c "samhain -t check -D"
> >
> > 3. Update filesystem signature database:
> > newrole -l s15:c0.c1023 -p -- -c "samhain -t update"
>
> Sounds like there needs to be a range_transition in the run interface.

Right, I have added the range_transition rule below to the samhain_run() interface to force the samhain domain to run at the clearance security level:

ifdef(`enable_mls', `
	range_transition $1 samhain_exec_t:process mls_systemhigh;
')

However, since secadm_t belongs to neither the mlsprocsetsl nor the privrangetrans attribute, the MLS constraint for process transition will fail if secadm tries to run samhain at s0 from the command line, so secadm would still have to fall back on the newrole program to switch to the clearance level. But the above range_transition rule would force the samhain domain to run at the clearance level, so I think it's desirable to have it :-)

Also, if we don't use the above range_transition rule in the run interface, I guess having the samhain executable labeled mls_systemhigh, as I used to do, could also force the calling domain to have the clearance level.

(there are more responses below...)

> > (In sysadm_r role)
> > 1. Start samhain in daemon mode:
> > run_init /etc/init.d/samhain start
> >
> > 2. Stop samhain daemon:
> > run_init /etc/init.d/samhain stop
> >
> > 3. Check samhain daemon status:
> > run_init /etc/init.d/samhain status
> >
> > 4.
Read/write samhain log files: > > newrole -l s15:c0.c1023 -p -- -c "cat /var/log/samhain_log" > > newrole -l s15:c0.c1023 -p -- -c "rm /var/log/samhain_log" > > > > 5. Remove samhain database files > > newrole -l s15:c0.c1023 -p -- -c "rm /var/lib/samhain/samhain_file" > > > > Note: > > 1. Stop samhain daemon before updating signature database. > > 2. Don't try to start samhain daemon twice. > > > > Signed-off-by: Harry Ciao > > --- > > policy/modules/roles/sysadm.te | 4 + > > policy/modules/services/samhain.fc | 13 +++ > > policy/modules/services/samhain.if | 186 +++++++++++++++++++++++++++++++++++ > > policy/modules/services/samhain.te | 114 +++++++++++++++++++++ > > policy/modules/system/userdomain.if | 4 + > > 5 files changed, 321 insertions(+), 0 deletions(-) > > create mode 100644 policy/modules/services/samhain.fc > > create mode 100644 policy/modules/services/samhain.if > > create mode 100644 policy/modules/services/samhain.te > > > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > > index d5e88be..0655d95 100644 > > --- a/policy/modules/roles/sysadm.te > > +++ b/policy/modules/roles/sysadm.te > > @@ -290,6 +290,10 @@ optional_policy(` > > ') > > > > optional_policy(` > > + samhain_admin(sysadm_t) > > +') > > + > > +optional_policy(` > > screen_role_template(sysadm, sysadm_r, sysadm_t) > > ') > > > > diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc > > new file mode 100644 > > index 0000000..b0ac8a5 > > --- /dev/null > > +++ b/policy/modules/services/samhain.fc 
> > @@ -0,0 +1,13 @@ > > +/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh) > > This should be s0, as there is nothing sensitive about this file. > > > +/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh) > > Unless there is sensitive info in this file, it should be s0. Thank you! The only thing that matters are the samhain configuration files and database files and log files, so the init script, ELF binaries should be of s0. > > > +/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh) > > +/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh) > > Same thing, s0. > > > +/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh) > > + > > +/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh) > > +/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh) > > + > > +/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh) > > diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if > > new file mode 100644 > > index 0000000..a7f2a48 > > --- /dev/null > > +++ b/policy/modules/services/samhain.if 
> > @@ -0,0 +1,186 @@ > > +## Samhain - check file integrity > > + > > +######################################## > > +## > > +## Execute samhain in the samhain domain > > +## > > +## > > +## > > +## Domain allowed to transition. > > +## > > +## > > +# > > +interface(`samhain_domtrans',` > > + gen_require(` > > + type samhain_t, samhain_exec_t; > > + ') > > + > > + corecmd_search_bin($1) > > + domtrans_pattern($1, samhain_exec_t, samhain_t) > > +') > > + > > +######################################## > > +## > > +## Execute samhain in the samhain domain, and > > +## allow the specifiled role the samhain domain > > +## > > +## > > +## > > +## Domain allowed to transition. > > +## > > +## > > +## > > +## > > +## Role allowed to access. > > +## > > +## > > +## > > +# > > +interface(`samhain_run',` > > + gen_require(` > > + type samhain_t; > > + ') > > + > > + samhain_domtrans($1) > > + role $2 types samhain_t; > > +') > > + > > +######################################## > > +## > > +## Manage samhain configuration files. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`samhain_manage_config_files',` > > + gen_require(` > > + type samhain_etc_t; > > + ') > > + > > + files_search_etc($1) > > + manage_files_pattern($1, samhain_etc_t, samhain_etc_t) > > +') > > + > > +######################################## > > +## > > +## Manage samhain database files. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`samhain_manage_db_files',` > > + gen_require(` > > + type samhain_db_t; > > + ') > > + > > + files_search_var_lib($1) > > + manage_files_pattern($1, samhain_db_t, samhain_db_t) > > +') > > + > > +######################################## > > +## > > +## Manage samhain log and log.lock files. > > +## > > +## > > +## > > +## Domain allowed access. 
> > +## > > +## > > +# > > +interface(`samhain_manage_log_files',` > > + gen_require(` > > + type samhain_log_t; > > + ') > > + > > + logging_search_logs($1) > > + manage_files_pattern($1, samhain_log_t, samhain_log_t) > > +') > > + > > +######################################## > > +## > > +## Manage samhain pid files. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`samhain_manage_pid_files',` > > + gen_require(` > > + type samhain_var_run_t; > > + ') > > + > > + files_search_pids($1) > > + manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t) > > +') > > + > > +####################################### > > +## > > +## Manage samhain rc script files > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`samhain_manage_rc_script_files',` > > samhain_manage_init_script_files() > Gotcha, thanks! > > + gen_require(` > > + type samhain_initrc_exec_t; > > + ') > > + > > + files_search_etc($1) > > + manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t) > > +') > > + > > +####################################### > > +## > > +## All of the rules required to administrate > > +## the samhain environment. > > +## > > +## > > +##

> > +## This interface makes the calling domain able to > > +## ptrace and send signals to the samhain domain, > > +## also able to manage all samhain userspace files, > > +## but assumes that the calling domain has been able to > > +## remove an entry from /var/lib/ or /var/log/. > > +##

> > +##
> > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`samhain_admin',` > > + gen_require(` > > + type samhain_t, samhain_db_t, samhain_etc_t; > > + type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; > > + ') > > + > > + allow $1 samhain_t:process { ptrace signal_perms }; > > + ps_process_pattern($1, samhain_t) > > + > > + files_list_var_lib($1) > > + admin_pattern($1, samhain_db_t) > > + > > + files_list_etc($1) > > + admin_pattern($1, samhain_etc_t) > > + admin_pattern($1, samhain_initrc_exec_t) > > + > > + logging_list_logs($1) > > + admin_pattern($1, samhain_log_t) > > + > > + files_list_pids($1) > > + admin_pattern($1, samhain_var_run_t) > > + > > + mls_file_write_all_levels($1) > > No. The caller needs to pass MLS constraints on its own. This is too > big of a privilege. > Very honestly speaking, I have been kinda worried about this too! This interface is expecting the calling domain able to do the following things on its own: 1. able to remove an entry from {var_log_t var_lib_t} : dir; 2. able to remove an entry of the clearance level from above dir which are of s0. Sadly so far neither secadm nor sysadm could have a full control over samhain files. With the mls_systemhigh level the sysadm could remove samhain_file from /var/lib/samhain/, but can't remove samhain_log from /var/log/, since the latter is of s0. I guess we would have to fall back on the permissive mode if we really want to remove it. Also considering that the sysadm has already been able to manage all files and dirs except shadow_t, calling samhain_admin(sysadm_t) would be kinda redundant. > > +') > > diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te > > new file mode 100644 > > index 0000000..612795f > > --- /dev/null > > +++ b/policy/modules/services/samhain.te 
> > @@ -0,0 +1,114 @@ > > +policy_module(samhain, 1.0.0) > > + > > +######################################## > > +# > > +# Declarations > > +# > > + > > +type samhain_etc_t; > > +files_config_file(samhain_etc_t) > > + > > +type samhain_log_t; > > +logging_log_file(samhain_log_t) > > + > > +# Filesystem signature database > > +type samhain_db_t; > > +files_type(samhain_db_t) > > + > > +type samhain_initrc_exec_t; > > +init_script_file(samhain_initrc_exec_t) > > + > > +type samhain_var_run_t; > > +files_pid_file(samhain_var_run_t) > > + > > +type samhain_t; > > +type samhain_exec_t; > > +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh) > > Needs a new domain. There should be a domain for this as a service, and > a domain for command line access. Then hopefully that should allow the > service to only be allowed read-only access to the database. I see your point here. The "domain for command line access" is to create the samhain database, while the "domain for samhain service" needs only to read from the database file. It would be great if we could have these two domains separated from each other. However, when the command line access domain is creating the database, it needs to getattr or read almost all kinds of files on the system, requiring exactly the same set of privileges granted to the service domain when performing the filesystem signature check. Moreover, the samhain service could be started not only by its init script, but also by the command line, by specifying the "samhain -t check -D" while "-D" means running as daemon or by specifying "daemon = yes" in samhain config files. So these two domain would have a lot of rules in common and it would greatly simplify our life if we keep them as one. 
> > > +######################################## > > +# > > +# Local policy > > +# > > + > > +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock }; > > +dontaudit samhain_t self:capability sys_resource; > > +allow samhain_t self:fd use; > > +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon > > +allow samhain_t self:process { setsched setrlimit signal_perms }; > > + > > +allow samhain_t samhain_etc_t:file read_file_perms; > > + > > +# Only needed when starting samhain daemon from its init script. > > +can_exec(samhain_t, samhain_exec_t) > > + > > +# Samhain needs to get the attribute of /proc/kcore. > > +kernel_getattr_core_if(samhain_t) > > + > > +corecmd_list_bin(samhain_t) > > +corecmd_read_bin_symlinks(samhain_t) > > + > > +# To get entropy > > +dev_read_urand(samhain_t) > > +dev_dontaudit_read_rand(samhain_t) > > + > > +domain_use_interactive_fds(samhain_t) > > + > > +files_search_etc(samhain_t) > > + > > +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t) > > +files_pid_filetrans(samhain_t, samhain_var_run_t, file) > > + > > +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t) > > +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir }) > > + > > +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t) > > +logging_log_filetrans(samhain_t, samhain_log_t, file) > > + > > +# Samhain's pid, log and log.lock files are all in directories of s0, > > +# while samhain daemon is running with the clearance level. 
> > +mls_file_write_all_levels(samhain_t) > > + > > +# Read from utmp when monitoring login/logout events > > +auth_read_login_records(samhain_t) > > + > > +# Get the attributes of all kinds of files in the rootfs > > +dev_getattr_all_blk_files(samhain_t) > > +dev_getattr_all_chr_files(samhain_t) > > +dev_getattr_generic_blk_files(samhain_t) > > +dev_getattr_generic_chr_files(samhain_t) > > + > > +files_getattr_all_dirs(samhain_t) > > +files_getattr_all_files(samhain_t) > > +files_getattr_all_symlinks(samhain_t) > > +files_getattr_all_pipes(samhain_t) > > +files_getattr_all_sockets(samhain_t) > > +files_getattr_all_mountpoints(samhain_t) > > + > > +# Read from the file_type attribute and the lnk_file class > > +files_read_all_files(samhain_t) > > +files_read_all_symlinks(samhain_t) > > + > > +# Read from wtmp when monitoring login/logout events > > +init_read_utmp(samhain_t) > > + > > +# Get the attribute of other filesystem's mountpoint, such as /selinux > > +# /proc, /sys and /tmp, but not the contents inside, which suggests > > +# that following rules should be set in samhain configuration file: > > +# [Attributes] > > +# file = /tmp > > +# file = /proc > > +# file = /sys > > +# file = /selinux > > +# [IgnoreALL] > > +# dir = -1/tmp > > +# dir = -1/proc > > +# dir = -1/sys > > +# dir = -1/selinux > > +fs_getattr_all_dirs(samhain_t) > > + > > +# Get attribute of files with variant sensitivity levels > > +mls_file_read_all_levels(samhain_t) > > If the service is running at system high, I wouldn't expect that this is > necessary. Great! "no read up and no write down", but with the clearance level the samhain domain is able to read *down* on any security level. Thanks a lot! Best regards, Harry > > > +logging_send_syslog_msg(samhain_t) > > + > > +userdom_use_user_terminals(samhain_t) > > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > > index ea7b47d..7a847eb 100644 > > --- a/policy/modules/system/userdomain.if 
> > +++ b/policy/modules/system/userdomain.if > > @@ -1249,6 +1249,10 @@ template(`userdom_security_admin_template',` > > ') > > > > optional_policy(` > > + samhain_run($1, $2) > > + ') > > + > > + optional_policy(` > > consoletype_exec($1) > > ') > > > > -- > > 1.7.0.4 > > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20101118/396dcd4a/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: v4-Add-support-for-the-samhain-program.patch Type: text/x-patch Size: 11499 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101118/396dcd4a/attachment-0001.bin
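Review bot: in the sysadm.te hunk, `samhain_admin(sysadm_t)` drags `mls_file_write_all_levels($1)` from the admin interface onto the general sysadm_t domain, so the MLS write-down exemption is granted to every sysadm task rather than being confined to samhain. Keep the call if you want the ptrace/signal and admin_pattern rules, but take `mls_file_write_all_levels($1)` out of `samhain_admin` so the caller has to satisfy the MLS constraints on its own; sysadm_t already manages the files and directories in /var/lib and /var/log at its own level, as the thread itself notes.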
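Review bot: in the samhain.fc hunk, `/usr/sbin/samhain_setpwd` is labeled `samhain_exec_t`, so running that helper from secadm_t or sysadm_t transitions into samhain_t and it inherits the daemon's read-all-files, getattr-all and write-all-levels rules, which it has no use for. Give it its own type (or leave it as an ordinary bin_t executable) rather than reusing the daemon's entry point. The `mls_systemhigh` on `/etc/rc\.d/init\.d/samhain`, `/usr/sbin/samhain` and `/usr/sbin/samhain_setpwd` should be `s0`, as already raised, and `/etc/samhainrc` only warrants a higher level if it actually holds sensitive data.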
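Review bot: in the samhain.if hunk, `samhain_run` grants `$2` the role and the domtrans but nothing in the interface pins the level samhain_t runs at, so the level becomes a property of how the caller invokes it (the commit message relies on `newrole -l s15:c0.c1023`) instead of a property of the policy. Add `ifdef(`enable_mls', ` range_transition $1 samhain_exec_t:process mls_systemhigh; ')` to `samhain_run` and say in its XML summary that the caller still has to pass the process transition constraint (clearance or privrangetrans). Two smaller points in the same file: `samhain_manage_rc_script_files` should follow the refpolicy naming (`samhain_manage_init_script_files`), and the `samhain_admin` description "assumes that the calling domain has been able to remove an entry from /var/lib/ or /var/log/" should state plainly that the caller needs remove_name on the var_lib_t and var_log_t directories at the level of the samhain files.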
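Review bot: in the samhain.te hunk, `files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })` includes the dir class, but the only rule granted on samhain_db_t is `manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)`, which gives rw_dir_perms on the directory and manage_file_perms on files; there is no create (or manage_dir_perms) on samhain_db_t:dir, so the type transition for a newly created /var/lib/samhain directory would be denied. Either add `manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)` or drop `dir` from the filetrans and rely on the samhain.fc label for the directory. Also, `mls_file_read_all_levels(samhain_t)` is redundant for a domain run at mls_systemhigh via `init_ranged_daemon_domain`: a process at s15:c0.c1023 already dominates every file level, so read-down passes the constraints without the mlsfileread exemption, and the rule should go as agreed in the thread.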
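Review bot: in the userdomain.if hunk, `samhain_run($1, $2)` goes into `userdom_security_admin_template`, while sysadm.te gets only `samhain_admin`, so the secadm role owns database init/update on the command line and sysadm only drives the init script through run_init. That split matches the commit message, but it is invisible in the policy itself; a one-line comment above the `optional_policy` block stating that the secadm role is the intended command-line user of samhain would save the next reader the trip to the commit message.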