List Archive: gentoo-security
Headers:
To: gentoo security <gentoo-security@g.o>
From: Bill McCarty <bmccarty@...>
Subject: Learning to write SELinux policies
Date: Sat, 17 Jan 2004 15:51:11 -0800
Hi all,

I'm beginning to write SELinux policies for some of the programs that I use 
for which no policies seem to exist. One of the first I'm tackling is the 
host intrusion detection program Samhain. Perhaps I should start with an 
easier program <g>, but I thought best to tackle the most important, 
security-related programs first.

So far, the Samhain policy is not going well. I hope that someone can help 
me as I learn how to debug SELinux policies. I find that debugging is easy 
when AVC log entries appear. But, I haven't yet learned how to cope when 
they do not.

Here's a case in point. My system is configured in permissive mode, and I'm 
root, in the sysadm_r role:

> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
> 6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
> context=bmccarty:sysadm_r:sysadm_t

I launch the Samhain executable, but it doesn't run:

> # /usr/local/sbin/samhain -t check
> -/bin/bash: /usr/local/sbin/samhain: Permission denied

No log entry explaining the denial appears. I double-check the DAC 
permissions, which prove good:

> # ls -l /usr/local/sbin/samhain
> -rwx------    1 root     root       888616 Jan 11 21:11 /usr/local/sbin/samhain

I also double-check the labeling of the file, which likewise proves good:

> # ls -Z /usr/local/sbin/samhain
> -rwx------  root     root     system_u:object_r:samhain_exec_t /usr/local/sbin/samhain

I double-check the TE file, which looks good to me:

> daemon_domain(samhain);
> type samhain_etc_t,    file_type, sysadmfile;
> type samhain_state_t,  file_type, sysadmfile;
>
> domain_auto_trans(sysadm_t, samhain_exec_t, samhain_t);
>
> allow samhain_t samhain_etc_t:file   { getattr read };
> allow samhain_t samhain_state_t:file { getattr read };

The TE file is obviously incomplete (I've removed some irrelevant entries), 
but I don't see that it lacks any specification necessary to loading and 
running Samhain.

Thinking that a dontaudit might be the cause, I delete from policy.conf all 
dontaudits that refer to both the samhain_exec_t and sysadm_t domains. I 
then run "make load." Still no log entries.

I return to the policy.conf file, thinking perhaps I don't understand one 
or more of the macros used in the TE file:

> # grep 'sysadm.*samh\|samh.*sysadm' policy.conf
> type samhain_exec_t, file_type, sysadmfile, exec_type;
> # dontaudit samhain_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { read write ioctl };
> type samhain_var_run_t alias var_run_samhain_t, file_type, sysadmfile, pidfile;
> # dontaudit samhain_t sysadm_home_dir_t:dir search;
> type samhain_etc_t,    file_type, sysadmfile;
> type samhain_state_t,  file_type, sysadmfile;
> allow sysadm_t samhain_t:process transition;
> # dontaudit sysadm_t samhain_t:process noatsecure;
> # dontaudit sysadm_t samhain_t:process siginh;
> # dontaudit sysadm_t samhain_t:process rlimitinh;
> allow sysadm_t samhain_exec_t:file { read { getattr execute } };
> allow samhain_t sysadm_t:process sigchld;
> allow samhain_t sysadm_t:fd use;
> allow sysadm_t samhain_t:fd use;
> allow samhain_t sysadm_t:fifo_file { ioctl read getattr lock write append };
> type_transition sysadm_t samhain_exec_t:process samhain_t;
> allow samhain_t sysadm_home_dir_t:dir search;
> allow samhain_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { read write ioctl };
> allow sysadm_t samhain_t:process noatsecure;
> allow sysadm_t samhain_t:process rlimitinh;
> allow sysadm_t samhain_t:process siginh;

But, I don't see anything amiss. In particular, the sysadm_t domain seems 
authorized to read and execute samhain_exec_t files, and seems able to 
transition to the samhain_t domain upon doing so.

Can anyone spot my (presumably stupid) error, or suggest an improvement to 
my troubleshooting procedure?

Thanks!

Cheers,

---------------------------------------------------
Bill McCarty

--
gentoo-security@g.o mailing list
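As an added example (not from the post, nor code from the SELinux or Gentoo projects), a small Python checker that reads policy.conf-style rules and verifies every rule a domain transition needs: the source domain may execute the exec type, the target domain has that exec type as an entrypoint, the source may transition to the target, and a type_transition names the target as the default. It also lists the dontaudit rules among the three involved types, since those are what keep a denial out of the AVC log. The sample policy text is constructed from the grep output in the post; the entrypoint line is an assumed addition, which a grep for 'sysadm.*samh' would never show because it contains no "sysadm".

```python
import re

# Constructed sample, modelled on the grep output in the post. The entrypoint
# rule is an assumed line: it contains no "sysadm", so that grep would not show it.
SAMPLE_POLICY = """
type samhain_exec_t, file_type, sysadmfile, exec_type;
allow sysadm_t samhain_t:process transition;
allow sysadm_t samhain_exec_t:file { read { getattr execute } };
allow samhain_t samhain_exec_t:file entrypoint;
type_transition sysadm_t samhain_exec_t:process samhain_t;
dontaudit sysadm_t samhain_t:process { noatsecure siginh rlimitinh };
"""

# Handles single-type source and target only; brace-grouped targets are skipped.
RULE_RE = re.compile(r'^(allow|dontaudit|type_transition)\s+(\S+)\s+(\S+):(\S+)\s+(.*);$')

def parse_rules(text):
    """Return (kind, source, target, class, set_of_perms) for each rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            kind, src, tgt, cls, perms = m.groups()
            # Flatten nested brace groups such as { read { getattr execute } }.
            rules.append((kind, src, tgt, cls, set(re.findall(r'\w+', perms))))
    return rules

def has_rule(rules, kind, src, tgt, cls, perm):
    return any(k == kind and s == src and t == tgt and c == cls and perm in p
               for k, s, t, c, p in rules)

def check_transition(text, src, exec_type, dst):
    """Check the four rules a transition src -> dst via exec_type requires, and
    list dontaudit rules among those types that would hide AVC denials."""
    rules = parse_rules(text)
    required = {
        'execute':         has_rule(rules, 'allow', src, exec_type, 'file', 'execute'),
        'entrypoint':      has_rule(rules, 'allow', dst, exec_type, 'file', 'entrypoint'),
        'transition':      has_rule(rules, 'allow', src, dst, 'process', 'transition'),
        'type_transition': has_rule(rules, 'type_transition', src, exec_type, 'process', dst),
    }
    involved = {src, exec_type, dst}
    hidden = [(s, t, c, sorted(p)) for k, s, t, c, p in rules
              if k == 'dontaudit' and s in involved and t in involved]
    return required, hidden

if __name__ == '__main__':
    req, hid = check_transition(SAMPLE_POLICY, 'sysadm_t', 'samhain_exec_t', 'samhain_t')
    for name, ok in req.items():
        print(f"{name:16} {'ok' if ok else 'MISSING'}")
    for s, t, c, p in hid:
        print(f"dontaudit {s} {t}:{c} {p}  (denials here are not logged)")
```

Point it at the real policy.conf to see which of the four rules the expanded macros actually produced and which dontaudit rules still suppress logging between the domains.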

Replies:
Re: Learning to write SELinux policies
-- Chris PeBenito
Re: Learning to write SELinux policies
-- Bill McCarty