Hi all,

I'm beginning to write SELinux policies for some of the programs that I use
for which no policies seem to exist. One of the first I'm tackling is the
host intrusion detection program Samhain. Perhaps I should start with an
easier program <g>, but I thought best to tackle the most important,
security-related programs first.

So far, the Samhain policy is not going well. I hope that someone can help
me as I learn how to debug SELinux policies. I find that debugging is easy
when AVC log entries appear. But, I haven't yet learned how to cope when
they do not.

Here's a case in point. My system is configured in permissive mode, and I'm
root, in the sysadm_r role:

> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
> 6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
> context=bmccarty:sysadm_r:sysadm_t

I launch the Samhain executable, but it doesn't run:

> # /usr/local/sbin/samhain -t check
> -/bin/bash: /usr/local/sbin/samhain: Permission denied

No log entry explaining the denial appears. I double-check the DAC
permissions, which prove good:

> # ls -l /usr/local/sbin/samhain
> -rwx------ 1 root root 888616 Jan 11 21:11
> /usr/local/sbin/samhain

I also double-check the labeling of the file, which likewise proves good:

> # ls -Z /usr/local/sbin/samhain
> -rwx------ root root system_u:object_r:samhain_exec_t
> /usr/local/sbin/samhain

I double-check the TE file, which looks good to me:

> daemon_domain(samhain);
> type samhain_etc_t, file_type, sysadmfile;
> type samhain_state_t, file_type, sysadmfile;
>
> domain_auto_trans(sysadm_t, samhain_exec_t, samhain_t);
>
> allow samhain_t samhain_etc_t:file { getattr read };
> allow samhain_t samhain_state_t:file { getattr read };

The TE file is obviously incomplete (I've removed some irrelevant entries),
but I don't see that it lacks any specification necessary to loading and
running Samhain.

Thinking that a dontaudit might be the cause, I delete from policy.conf all
dontaudits that refer to both the samhain_exec_t and sysadm_t domains. I
then run "make load". Still no log entries.

I return to the policy.conf file, thinking perhaps I don't understand one
or more of the macros used in the TE file:

> # grep 'sysadm.*samh\|samh.*sysadm' policy.conf
> type samhain_exec_t, file_type, sysadmfile, exec_type;
> # dontaudit samhain_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file {
> # read write ioctl };
> type samhain_var_run_t alias var_run_samhain_t, file_type, sysadmfile,
> pidfile;
> # dontaudit samhain_t sysadm_home_dir_t:dir search;
> type samhain_etc_t, file_type, sysadmfile;
> type samhain_state_t, file_type, sysadmfile;
> allow sysadm_t samhain_t:process transition;
> # dontaudit sysadm_t samhain_t:process noatsecure;
> # dontaudit sysadm_t samhain_t:process siginh;
> # dontaudit sysadm_t samhain_t:process rlimitinh;
> allow sysadm_t samhain_exec_t:file { read { getattr execute } };
> allow samhain_t sysadm_t:process sigchld;
> allow samhain_t sysadm_t:fd use;
> allow sysadm_t samhain_t:fd use;
> allow samhain_t sysadm_t:fifo_file { ioctl read getattr lock write
> append};
> type_transition sysadm_t samhain_exec_t:process samhain_t;
> allow samhain_t sysadm_home_dir_t:dir search;
> allow samhain_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { read
> write ioctl }; allow sysadm_t samhain_t:process noatsecure;
> allow sysadm_t samhain_t:process rlimitinh;
> allow sysadm_t samhain_t:process siginh;

But, I don't see anything amiss. In particular, the sysadm_t domain seems
authorized to read and execute samhain_exec_t files, and seems able to
transition to the samhain_t domain upon doing so.

Can anyone spot my (presumably stupid) error, or suggest an improvement to
my troubleshooting procedure?

Thanks!

Cheers,

---------------------------------------------------
Bill McCarty

--
gentoo-security@g.o mailing list
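As an added example (not code from the post, from Samhain, or from the reference policy), a small Python checker for the four rules that domain_auto_trans(sysadm_t, samhain_exec_t, samhain_t) expands to: file execute, process transition, file entrypoint, and the type_transition. The sample rules are transcribed from the grep output in the post; the entrypoint rule is the one that grep pattern cannot match, so the checker reports it as absent from the excerpt rather than from the policy.

```python
import re

# Constructed input, transcribed from the post's grep output: the rules that
# bear on the sysadm_t -> samhain_t transition. The grep pattern only matches
# lines naming both "sysadm" and "samh", so an entrypoint rule cannot appear.
GREPPED_RULES = """
allow sysadm_t samhain_t:process transition;
# dontaudit sysadm_t samhain_t:process noatsecure;
allow sysadm_t samhain_exec_t:file { read { getattr execute } };
type_transition sysadm_t samhain_exec_t:process samhain_t;
allow samhain_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { read write ioctl };
"""

def _fields(head):
    """Split 'src tgt' (either may be a '{ a b }' set) into two name lists."""
    toks, fields = head.split(), []
    while toks:
        end = toks.index("}") if toks[0] == "{" else 0
        fields.append(toks[1:end] if end else toks[:1])
        toks = toks[end + 1:]
    return fields[0], fields[1]

def parse_rules(text):
    """Collect allow and type_transition statements as (src, tgt, class, perm-or-newtype)
    tuples; '#' comment lines (the dontaudits the post commented out) are skipped."""
    allows, transitions = set(), set()
    body = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    for stmt in body.split(";"):
        stmt = " ".join(re.sub(r"([{}])", r" \1 ", stmt).split())  # one space, braces apart
        m = re.match(r"(allow|type_transition) (.*?):(\S+) (.+)$", stmt)
        if not m:
            continue
        kind, head, cls, tail = m.groups()
        srcs, tgts = _fields(head)
        names = tail.replace("{", " ").replace("}", " ").split()
        bucket = allows if kind == "allow" else transitions
        bucket.update((s, t, cls, n) for s in srcs for t in tgts for n in names)
    return allows, transitions

def check_domain_auto_trans(policy_text, src, exec_type, new_dom):
    """The four rules domain_auto_trans(src, exec_type, new_dom) expands to. In
    enforcing mode a missing one denies the exec; in permissive mode it only logs."""
    allows, transitions = parse_rules(policy_text)
    return {
        "execute": (src, exec_type, "file", "execute") in allows,
        "transition": (src, new_dom, "process", "transition") in allows,
        "entrypoint": (new_dom, exec_type, "file", "entrypoint") in allows,
        "type_transition": (src, exec_type, "process", new_dom) in transitions,
    }
```

Run check_domain_auto_trans on the full policy.conf text (not a grep subset) to see which of the four rules is really absent; any rule reported missing there should also show up as an AVC in permissive mode once the matching dontaudit is gone.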