Gentoo Archives: gentoo-security

From: Bill McCarty <bmccarty@××××××.net>
To: gentoo security <gentoo-security@l.g.o>
Subject: [gentoo-security] Learning to write SELinux policies
Date: Sat, 17 Jan 2004 23:54:05
Message-Id: 231713466.1074354671@[192.168.0.100]
Hi all,

I'm beginning to write SELinux policies for some of the programs that I use 
for which no policies seem to exist. One of the first I'm tackling is the 
host intrusion detection program Samhain. Perhaps I should start with an 
easier program <g>, but I thought best to tackle the most important, 
security-related programs first.

So far, the Samhain policy is not going well. I hope that someone can help 
me as I learn how to debug SELinux policies. I find that debugging is easy 
when AVC log entries appear. But, I haven't yet learned how to cope when 
they do not.

Here's a case in point. My system is configured in permissive mode, and I'm 
root, in the sysadm_r role:

> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
> 6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
> context=bmccarty:sysadm_r:sysadm_t
I launch the Samhain executable, but it doesn't run:
> # /usr/local/sbin/samhain -t check
> -/bin/bash: /usr/local/sbin/samhain: Permission denied
No log entry explaining the denial appears. I double-check the DAC permissions, which prove good:
> # ls -l /usr/local/sbin/samhain
> -rwx------ 1 root root 888616 Jan 11 21:11 /usr/local/sbin/samhain
I also double check the labeling of the file, which likewise proves good:
> # ls -Z /usr/local/sbin/samhain
> -rwx------ root root system_u:object_r:samhain_exec_t /usr/local/sbin/samhain
I double-check the TE file, which looks good to me:
> daemon_domain(samhain);
> type samhain_etc_t, file_type, sysadmfile;
> type samhain_state_t, file_type, sysadmfile;
>
> domain_auto_trans(sysadm_t, samhain_exec_t, samhain_t);
>
> allow samhain_t samhain_etc_t:file { getattr read };
> allow samhain_t samhain_state_t:file { getattr read };
The TE file is obviously incomplete (I've removed some irrelevant entries), but I don't see that it lacks any specification necessary to loading and running Samhain. Thinking that a dontaudit might be the cause, I delete from policy.conf all dontaudits that refer to both the samhain_exec_t and sysadm_t domains. I then run "make load." Still no log entries. I return to the policy.conf file, thinking perhaps I don't understand one or more of the macros used in the TE file:
> # grep 'sysadm.*samh\|samh.*sysadm' policy.conf
> type samhain_exec_t, file_type, sysadmfile, exec_type;
> # dontaudit samhain_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file {
> # read write ioctl };
> type samhain_var_run_t alias var_run_samhain_t, file_type, sysadmfile, pidfile;
> # dontaudit samhain_t sysadm_home_dir_t:dir search;
> type samhain_etc_t, file_type, sysadmfile;
> type samhain_state_t, file_type, sysadmfile;
> allow sysadm_t samhain_t:process transition;
> # dontaudit sysadm_t samhain_t:process noatsecure;
> # dontaudit sysadm_t samhain_t:process siginh;
> # dontaudit sysadm_t samhain_t:process rlimitinh;
> allow sysadm_t samhain_exec_t:file { read { getattr execute } };
> allow samhain_t sysadm_t:process sigchld;
> allow samhain_t sysadm_t:fd use;
> allow sysadm_t samhain_t:fd use;
> allow samhain_t sysadm_t:fifo_file { ioctl read getattr lock write append };
> type_transition sysadm_t samhain_exec_t:process samhain_t;
> allow samhain_t sysadm_home_dir_t:dir search;
> allow samhain_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { read write ioctl };
> allow sysadm_t samhain_t:process noatsecure;
> allow sysadm_t samhain_t:process rlimitinh;
> allow sysadm_t samhain_t:process siginh;
But, I don't see anything amiss. In particular, the sysadm_t domain seems authorized to read and execute samhain_exec_t files, and seems able to transition to the samhain_t domain upon doing so. Can anyone spot my (presumably stupid) error, or suggest an improvement to my troubleshooting procedure?

Thanks!

Cheers,

---------------------------------------------------
Bill McCarty

--
gentoo-security@g.o mailing list
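The "grep policy.conf for both type names" step in the message above has two blind spots that are worth making explicit: a rule written against an attribute (`domain`, `exec_type`, `sysadmfile`) names neither type and so never matches, and the rules a macro such as domain_auto_trans() emits for the new domain itself (the `entrypoint` permission on the executable) mention only one of the two names. The script below is an added example, not code from the post or from the SELinux project: a small policy.conf reader that expands attributes, handles nested brace sets like `{ read { getattr execute } }`, and walks the permissions execve() needs for an automatic domain transition, reporting for each whether it is allowed and whether a dontaudit would keep its denial out of the log. The sample policy is constructed for the example (it is not the poster's real policy), and its attribute-based `dontaudit domain exec_type:file execute_no_trans` rule is a hypothetical illustration of the kind of rule the grep misses.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the quoted policy.conf excerpt (not the
# poster's real policy): the sysadm_t -> samhain_t transition as
# domain_auto_trans() expands it, plus one attribute-based dontaudit that a
# grep for both type names would never match (hypothetical rule).
SAMPLE_POLICY = """
type sysadm_t, domain;
type samhain_t, domain;
type samhain_exec_t, file_type, sysadmfile, exec_type;
allow sysadm_t samhain_exec_t:file { read { getattr execute } };
allow sysadm_t samhain_t:process transition;
allow samhain_t samhain_exec_t:file entrypoint;
type_transition sysadm_t samhain_exec_t:process samhain_t;
# dontaudit sysadm_t samhain_t:process noatsecure;
dontaudit domain exec_type:file execute_no_trans;
"""

TOKEN_RE = re.compile(r"\{|\}|:|,|[^\s{}:,]+")


def parse_set(toks, i):
    """Read one operand at toks[i] (bare name or nested brace set); return (names, next index)."""
    if toks[i] != "{":
        return {toks[i]}, i + 1
    names, i = set(), i + 1
    while toks[i] != "}":
        inner, i = parse_set(toks, i)
        names |= inner
    return names, i + 1


class Policy:
    """Tiny policy.conf reader: type declarations, allow/dontaudit and type_transition rules."""

    def __init__(self, text):
        self.attrs = defaultdict(set)   # attribute -> member types
        self.rules = []                 # (kind, src, tgt, cls, perms)
        self.transitions = []           # (src, tgt, cls, new_type)
        for stmt in re.sub(r"#[^\n]*", "", text).split(";"):   # drop comments
            toks = TOKEN_RE.findall(stmt)
            if not toks:
                continue
            if toks[0] == "type":
                self._add_type(toks)
            elif toks[0] in ("allow", "dontaudit", "type_transition"):
                src, i = parse_set(toks, 1)
                tgt, i = parse_set(toks, i)
                cls, i = parse_set(toks, i + 1)   # toks[i] was the ':'
                if toks[0] == "type_transition":
                    self.transitions.append((src, tgt, cls, toks[i]))
                else:
                    self.rules.append((toks[0], src, tgt, cls, parse_set(toks, i)[0]))

    def _add_type(self, toks):
        # "type NAME, attr, attr;" -> record NAME under each attribute
        for attr in toks[2:]:
            if attr != ",":
                self.attrs[attr].add(toks[1])

    def expand(self, names):
        """Replace attributes by their member types; plain types pass through."""
        return set().union(*(self.attrs.get(n, {n}) for n in names))

    def check_access(self, src, tgt, cls, perm):
        """Mini sesearch: is the access allowed, and would its denial be silenced?"""
        kinds = {kind for kind, s, t, c, p in self.rules
                 if src in self.expand(s) and tgt in self.expand(t)
                 and cls in c and perm in p}
        return {"allowed": "allow" in kinds, "dontaudit": "dontaudit" in kinds}

    def transition_for(self, src, exec_type):
        for s, t, c, new in self.transitions:
            if src in self.expand(s) and exec_type in self.expand(t) and "process" in c:
                return new
        return None


def exec_checklist(policy, src, exec_type):
    """Permissions execve() needs to run exec_type from src with an automatic
    domain transition. Returns (new_domain, [(access, allowed, dontaudit)])."""
    new = policy.transition_for(src, exec_type)
    checks = [(src, exec_type, "file", p) for p in ("getattr", "read", "execute")]
    if new is None:                     # no transition: stays in the caller's domain
        checks.append((src, exec_type, "file", "execute_no_trans"))
    else:
        checks += [(src, new, "process", "transition"), (new, exec_type, "file", "entrypoint")]
    report = []
    for s, t, c, p in checks:
        r = policy.check_access(s, t, c, p)
        report.append((f"{s} {t}:{c} {p}", r["allowed"], r["dontaudit"]))
    return new, report


POLICY = Policy(SAMPLE_POLICY)
```

Pointing it at a real, fully expanded policy.conf (`Policy(open("policy.conf").read())`) and calling `exec_checklist(p, "sysadm_t", "samhain_exec_t")` gives the complete set of rules the shell's execve() depends on, rather than only those whose text happens to contain both names; a `dontaudit` hit on any of them explains a "Permission denied" with no AVC entry even in permissive mode. On current systems the setools `sesearch` utility and `semodule -DB` (which rebuilds the policy with dontaudit rules disabled) answer the same questions against the loaded policy.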

Replies

Subject Author
Re: [gentoo-security] Learning to write SELinux policies Bill McCarty <bmccarty@××××××.net>
Re: [gentoo-security] Learning to write SELinux policies Chris PeBenito <pebenito@g.o>