2008-11-30 14:31:53

by konrad.azzopardi

Subject: [refpolicy] yule

Dear all,

I am confining a service called 'yule', which is the central server
for the file integrity checker SAMHAIN.

Something about the server:

Binary file is at /usr/local/sbin/yule
Startup script is at /etc/rc.d/init.d/yule --
Config file: /etc/yulerc
Logfiles: /var/log/yule(/.*)?
PID file is at /var/run/yule.pid

It optionally uses mysql and I have put this as a boolean. I would
appreciate it if somebody reviewed the files and gave me some feedback to
know if I am on the right track.

I have only one question. When I issue a stop by /etc/init.d/yule stop
I get all sorts of avc denials; however, the daemon still stops. From
the avc denials and also via an strace it is evident that the stop
script is somehow doing a search in the whole /proc directory. What is the
best thing to do here? Allow search on all types in /proc, or make
a dontaudit? In both cases, is there a macro that captures all types
inside /proc (don't think so)?

Many thanks for your help
Konrad
-------------- next part --------------
A non-text attachment was scrubbed...
Name: yule.fc
Type: application/octet-stream
Size: 420 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081130/1ac8b70a/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: yule.if
Type: application/octet-stream
Size: 1612 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081130/1ac8b70a/attachment-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: yule.te
Type: application/octet-stream
Size: 2342 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081130/1ac8b70a/attachment-0002.obj


2008-11-30 16:17:49

by konrad.azzopardi

Subject: [refpolicy] yule

Hi all,

I made some updates, namely added /var/lib/yule, since it seems to be
needed although the directory is empty (probably used by extra modules).

Tnx
Konrad

On Sun, Nov 30, 2008 at 3:31 PM, Konrad Azzopardi
<[email protected]> wrote:
> Dear all,
>
> I am confining a service called 'yule', which is the central server
> for the file integrity checker SAMHAIN.
>
> Something about the server:
>
> Binary file is at /usr/local/sbin/yule
> Startup script is at /etc/rc.d/init.d/yule --
> Config file: /etc/yulerc
> Logfiles: /var/log/yule(/.*)?
> PID file is at /var/run/yule.pid
>
> It optionally uses mysql and I have put this as a boolean. I would
> appreciate it if somebody reviewed the files and gave me some feedback to
> know if I am on the right track.
>
> I have only one question. When I issue a stop by /etc/init.d/yule stop
> I get all sorts of avc denials; however, the daemon still stops. From
> the avc denials and also via an strace it is evident that the stop
> script is somehow doing a search in the whole /proc directory. What is the
> best thing to do here? Allow search on all types in /proc, or make
> a dontaudit? In both cases, is there a macro that captures all types
> inside /proc (don't think so)?
>
> Many thanks for your help
> Konrad
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: yule.fc
Type: application/octet-stream
Size: 501 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081130/d20b20e5/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: yule.if
Type: application/octet-stream
Size: 1612 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081130/d20b20e5/attachment-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: yule.te
Type: application/octet-stream
Size: 2466 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081130/d20b20e5/attachment-0002.obj

2008-12-02 19:06:05

by cpebenito

Subject: [refpolicy] yule

> On Sun, Nov 30, 2008 at 3:31 PM, Konrad Azzopardi
> <[email protected]> wrote:
> > Dear all,
> >
> > I am confining a service called 'yule', which is the central server
> > for the file integrity checker SAMHAIN.
> >
> > Something about the server:
> >
> > Binary file is at /usr/local/sbin/yule
> > Startup script is at /etc/rc.d/init.d/yule --
> > Config file: /etc/yulerc
> > Logfiles: /var/log/yule(/.*)?
> > PID file is at /var/run/yule.pid
> >
> > It optionally uses mysql and I have put this as a boolean. I would
> > appreciate it if somebody reviewed the files and gave me some feedback to
> > know if I am on the right track.
> >
> > I have only one question. When I issue a stop by /etc/init.d/yule stop
> > I get all sorts of avc denials; however, the daemon still stops. From
> > the avc denials and also via an strace it is evident that the stop
> > script is somehow doing a search in the whole /proc directory. What is the
> > best thing to do here? Allow search on all types in /proc, or make
> > a dontaudit? In both cases, is there a macro that captures all types
> > inside /proc (don't think so)?

Rule-wise I see a few things which seem questionable to me:

> manage_files_pattern(yule_t,yule_config_t,yule_config_t)

It seems like you would not want the daemon to modify its own config
files.

> allow yule_t yule_exec_t:file execmod;

Did you really encounter this as a denial? I wouldn't expect this on an
executable. Especially a daemon doing this on its own executable.

> allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource kill sys_ptrace};

The kill and sys_ptrace capabilities seem weird, as there do not seem to
be any process sigkill or process ptrace permissions being used in the
policy.


Assuming you're interested in getting this upstreamed:

> /usr/local/sbin/yule -- gen_context(system_u:object_r:yule_exec_t,s0)

Standard (distro) locations should be covered too, such
as /usr/sbin/yule, not just /usr/local.

Also the organization of the file should be fixed to match the refpolicy
style better.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2008-12-02 19:47:16

by Justin P. Mattock

Subject: [refpolicy] yule

On Tue, 2008-12-02 at 14:06 -0500, Christopher J. PeBenito wrote:
> > On Sun, Nov 30, 2008 at 3:31 PM, Konrad Azzopardi
> > <[email protected]> wrote:
> > > Dear all,
> > >
> > > I am confining a service called 'yule', which is the central server
> > > for the file integrity checker SAMHAIN.
> > >
> > > Something about the server:
> > >
> > > Binary file is at /usr/local/sbin/yule
> > > Startup script is at /etc/rc.d/init.d/yule --
> > > Config file: /etc/yulerc
> > > Logfiles: /var/log/yule(/.*)?
> > > PID file is at /var/run/yule.pid
> > >
> > > It optionally uses mysql and I have put this as a boolean. I would
> > > appreciate it if somebody reviewed the files and gave me some feedback to
> > > know if I am on the right track.
> > >
> > > I have only one question. When I issue a stop by /etc/init.d/yule stop
> > > I get all sorts of avc denials; however, the daemon still stops. From
> > > the avc denials and also via an strace it is evident that the stop
> > > script is somehow doing a search in the whole /proc directory. What is the
> > > best thing to do here? Allow search on all types in /proc, or make
> > > a dontaudit? In both cases, is there a macro that captures all types
> > > inside /proc (don't think so)?
>
> Rule-wise I see a few things which seem questionable to me:
>
> > manage_files_pattern(yule_t,yule_config_t,yule_config_t)
>
> It seems like you would not want the daemon to modify its own config
> files.
>
> > allow yule_t yule_exec_t:file execmod;
>
> Did you really encounter this as a denial? I wouldn't expect this on an
> executable. Especially a daemon doing this on its own executable.
>
> > allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource kill sys_ptrace};
>
> The kill and sys_ptrace capabilities seem weird, as there do not seem to
> be any process sigkill or process ptrace permissions being used in the
> policy.
>
>
> Assuming you're interested in getting this upstreamed:
>
> > /usr/local/sbin/yule -- gen_context(system_u:object_r:yule_exec_t,s0)
>
> Standard (distro) locations should be covered too, such
> as /usr/sbin/yule, not just /usr/local.
>
> Also the organization of the file should be fixed to match the refpolicy
> style better.
>

I'm not sure what was committed or not when this occurred yesterday.
As for policy, I had pulled the refpolicy svn last Thursday
(Thanksgiving day), then, like I said, did a git-pull yesterday (from
Linus's tree) and voilà, the list error appeared. Now this morning I
pulled the refpolicy from svn and did not see any such things. So
you've got me with what happened.

--
Justin P. Mattock <[email protected]>

2008-12-02 20:19:18

by konrad.azzopardi

Subject: [refpolicy] yule

Hi Chris,

Thanks for your answer. For sure I was getting a denial without
execmod. For the rest I will check.

tnx
konrad

On Tue, Dec 2, 2008 at 8:06 PM, Christopher J. PeBenito
<[email protected]> wrote:
>> On Sun, Nov 30, 2008 at 3:31 PM, Konrad Azzopardi
>> <[email protected]> wrote:
>> > Dear all,
>> >
>> > I am confining a service called 'yule', which is the central server
>> > for the file integrity checker SAMHAIN.
>> >
>> > Something about the server:
>> >
>> > Binary file is at /usr/local/sbin/yule
>> > Startup script is at /etc/rc.d/init.d/yule --
>> > Config file: /etc/yulerc
>> > Logfiles: /var/log/yule(/.*)?
>> > PID file is at /var/run/yule.pid
>> >
>> > It optionally uses mysql and I have put this as a boolean. I would
>> > appreciate it if somebody reviewed the files and gave me some feedback to
>> > know if I am on the right track.
>> >
>> > I have only one question. When I issue a stop by /etc/init.d/yule stop
>> > I get all sorts of avc denials; however, the daemon still stops. From
>> > the avc denials and also via an strace it is evident that the stop
>> > script is somehow doing a search in the whole /proc directory. What is the
>> > best thing to do here? Allow search on all types in /proc, or make
>> > a dontaudit? In both cases, is there a macro that captures all types
>> > inside /proc (don't think so)?
>
> Rule-wise I see a few things which seem questionable to me:
>
>> manage_files_pattern(yule_t,yule_config_t,yule_config_t)
>
> It seems like you would not want the daemon to modify its own config
> files.
>
>> allow yule_t yule_exec_t:file execmod;
>
> Did you really encounter this as a denial? I wouldn't expect this on an
> executable. Especially a daemon doing this on its own executable.
>
>> allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource kill sys_ptrace};
>
> The kill and sys_ptrace capabilities seem weird, as there do not seem to
> be any process sigkill or process ptrace permissions being used in the
> policy.
>
>
> Assuming you're interested in getting this upstreamed:
>
>> /usr/local/sbin/yule -- gen_context(system_u:object_r:yule_exec_t,s0)
>
> Standard (distro) locations should be covered too, such
> as /usr/sbin/yule, not just /usr/local.
>
> Also the organization of the file should be fixed to match the refpolicy
> style better.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>

2008-12-02 21:17:05

by konrad.azzopardi

Subject: [refpolicy] yule

Hi Chris,

I changed manage_files_pattern(yule_t,yule_config_t,yule_config_t)

to

allow yule_t yule_config_t:file read_file_perms;

The kill and sys_ptrace are needed; without them there are problems
stopping the service.

Tnx
Konrad

On Tue, Dec 2, 2008 at 9:19 PM, Konrad Azzopardi
<[email protected]> wrote:
> Hi Chris,
>
> Thanks for your answer. For sure I was getting a denial without
> execmod. For the rest I will check.
>
> tnx
> konrad
>
> On Tue, Dec 2, 2008 at 8:06 PM, Christopher J. PeBenito
> <[email protected]> wrote:
>>> On Sun, Nov 30, 2008 at 3:31 PM, Konrad Azzopardi
>>> <[email protected]> wrote:
>>> > Dear all,
>>> >
>>> > I am confining a service called 'yule', which is the central server
>>> > for the file integrity checker SAMHAIN.
>>> >
>>> > Something about the server:
>>> >
>>> > Binary file is at /usr/local/sbin/yule
>>> > Startup script is at /etc/rc.d/init.d/yule --
>>> > Config file: /etc/yulerc
>>> > Logfiles: /var/log/yule(/.*)?
>>> > PID file is at /var/run/yule.pid
>>> >
>>> > It optionally uses mysql and I have put this as a boolean. I would
>>> > appreciate it if somebody reviewed the files and gave me some feedback to
>>> > know if I am on the right track.
>>> >
>>> > I have only one question. When I issue a stop by /etc/init.d/yule stop
>>> > I get all sorts of avc denials; however, the daemon still stops. From
>>> > the avc denials and also via an strace it is evident that the stop
>>> > script is somehow doing a search in the whole /proc directory. What is the
>>> > best thing to do here? Allow search on all types in /proc, or make
>>> > a dontaudit? In both cases, is there a macro that captures all types
>>> > inside /proc (don't think so)?
>>
>> Rule-wise I see a few things which seem questionable to me:
>>
>>> manage_files_pattern(yule_t,yule_config_t,yule_config_t)
>>
>> It seems like you would not want the daemon to modify its own config
>> files.
>>
>>> allow yule_t yule_exec_t:file execmod;
>>
>> Did you really encounter this as a denial? I wouldn't expect this on an
>> executable. Especially a daemon doing this on its own executable.
>>
>>> allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource kill sys_ptrace};
>>
>> The kill and sys_ptrace capabilities seem weird, as there do not seem to
>> be any process sigkill or process ptrace permissions being used in the
>> policy.
>>
>>
>> Assuming you're interested in getting this upstreamed:
>>
>>> /usr/local/sbin/yule -- gen_context(system_u:object_r:yule_exec_t,s0)
>>
>> Standard (distro) locations should be covered too, such
>> as /usr/sbin/yule, not just /usr/local.
>>
>> Also the organization of the file should be fixed to match the refpolicy
>> style better.
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> (410) 290-1411 x150
>>
>>
>
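Since the attached yule.te is not on the page, here is an added sketch (written for this thread, not Konrad's attachment or a refpolicy module) of how the rules Chris reviewed and Konrad's read_file_perms follow-up look in refpolicy style: read-only config via read_files_pattern (which also covers the directory search a bare file allow misses), no execmod, the capability set without kill and sys_ptrace, the /var/lib/yule type, a boolean for the optional MySQL use, and a dontaudit for the /proc walk seen on stop. It assumes the refpolicy interfaces named below exist with these signatures and leaves out the corenet rules for yule's listening port.

```selinux
policy_module(yule, 1.0.0)

## <desc>
## <p>Allow yule to talk to a local MySQL server.</p>
## </desc>
gen_tunable(yule_use_mysql, false)
# yule.fc should label /usr/sbin/yule as well as /usr/local/sbin/yule.
type yule_t;
type yule_exec_t;
init_daemon_domain(yule_t, yule_exec_t)
type yule_config_t;
files_config_file(yule_config_t)
type yule_log_t;
logging_log_file(yule_log_t)
type yule_var_lib_t;
files_type(yule_var_lib_t)
type yule_var_run_t;
files_pid_file(yule_var_run_t)

# kill and sys_ptrace dropped per the review; if stopping really needs
# them, the matching process signal/ptrace rule must appear alongside.
allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource };
allow yule_t self:process signal_perms;
allow yule_t self:fifo_file rw_fifo_file_perms;

# /etc/yulerc is read, never written: no manage_files_pattern, and
# nothing grants execmod on yule_exec_t.
read_files_pattern(yule_t, yule_config_t, yule_config_t)

manage_files_pattern(yule_t, yule_log_t, yule_log_t)
logging_log_filetrans(yule_t, yule_log_t, { dir file })

manage_dirs_pattern(yule_t, yule_var_lib_t, yule_var_lib_t)
manage_files_pattern(yule_t, yule_var_lib_t, yule_var_lib_t)
files_var_lib_filetrans(yule_t, yule_var_lib_t, dir)

manage_files_pattern(yule_t, yule_var_run_t, yule_var_run_t)
files_pid_filetrans(yule_t, yule_var_run_t, file)

# The stop path walks every /proc/<pid>: silence the per-domain
# denials rather than grant read on every domain's state.
kernel_read_system_state(yule_t)
domain_dontaudit_read_all_domains_state(yule_t)

logging_send_syslog_msg(yule_t)
optional_policy(`
	tunable_policy(`yule_use_mysql', `
		mysql_stream_connect(yule_t)
	')
')
```

With this module loaded, any remaining /proc denial on stop should point at a specific domain type rather than a generic proc_t search, which is the check that tells you whether the dontaudit is the right answer or whether a real read is needed.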