Gentoo Archives: gentoo-security

From: Bill McCarty <bmccarty@××××××.net>
To: gentoo security <gentoo-security@l.g.o>
Subject: [gentoo-security] Learning to write SELinux policies
Date: Sat, 17 Jan 2004 23:54:05
Message-Id: 231713466.1074354671@[192.168.0.100]
Hi all,

I'm beginning to write SELinux policies for some of the programs that I use
for which no policies seem to exist. One of the first I'm tackling is the
host intrusion detection program Samhain. Perhaps I should start with an
easier program <g>, but I thought best to tackle the most important,
security-related programs first.

So far, the Samhain policy is not going well. I hope that someone can help
me as I learn how to debug SELinux policies. I find that debugging is easy
when AVC log entries appear. But, I haven't yet learned how to cope when
they do not.

Here's a case in point. My system is configured in permissive mode, and I'm
root, in the sysadm_r role:

> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
> 6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
> context=bmccarty:sysadm_r:sysadm_t

I launch the Samhain executable, but it doesn't run:

> # /usr/local/sbin/samhain -t check
> -/bin/bash: /usr/local/sbin/samhain: Permission denied

No log entry explaining the denial appears. I double-check the DAC
permissions, which prove good:

> # ls -l /usr/local/sbin/samhain
> -rwx------ 1 root root 888616 Jan 11 21:11 /usr/local/sbin/samhain

I also double-check the labeling of the file, which likewise proves good:

> # ls -Z /usr/local/sbin/samhain
> -rwx------ root root system_u:object_r:samhain_exec_t /usr/local/sbin/samhain

I double-check the TE file, which looks good to me:

> daemon_domain(samhain);
> type samhain_etc_t, file_type, sysadmfile;
> type samhain_state_t, file_type, sysadmfile;
>
> domain_auto_trans(sysadm_t, samhain_exec_t, samhain_t);
>
> allow samhain_t samhain_etc_t:file { getattr read };
> allow samhain_t samhain_state_t:file { getattr read };

The TE file is obviously incomplete (I've removed some irrelevant entries),
but I don't see that it lacks any specification necessary to loading and
running Samhain.

Thinking that a dontaudit might be the cause, I delete from policy.conf all
dontaudits that refer to both the samhain_exec_t and sysadm_t domains. I
then run "make load." Still no log entries.

I return to the policy.conf file, thinking perhaps I don't understand one
or more of the macros used in the TE file:

> # grep 'sysadm.*samh\|samh.*sysadm' policy.conf
> type samhain_exec_t, file_type, sysadmfile, exec_type;
> # dontaudit samhain_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file {
> # read write ioctl };
> type samhain_var_run_t alias var_run_samhain_t, file_type, sysadmfile, pidfile;
> # dontaudit samhain_t sysadm_home_dir_t:dir search;
> type samhain_etc_t, file_type, sysadmfile;
> type samhain_state_t, file_type, sysadmfile;
> allow sysadm_t samhain_t:process transition;
> # dontaudit sysadm_t samhain_t:process noatsecure;
> # dontaudit sysadm_t samhain_t:process siginh;
> # dontaudit sysadm_t samhain_t:process rlimitinh;
> allow sysadm_t samhain_exec_t:file { read { getattr execute } };
> allow samhain_t sysadm_t:process sigchld;
> allow samhain_t sysadm_t:fd use;
> allow sysadm_t samhain_t:fd use;
> allow samhain_t sysadm_t:fifo_file { ioctl read getattr lock write append };
> type_transition sysadm_t samhain_exec_t:process samhain_t;
> allow samhain_t sysadm_home_dir_t:dir search;
> allow samhain_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { read
> write ioctl }; allow sysadm_t samhain_t:process noatsecure;
> allow sysadm_t samhain_t:process rlimitinh;
> allow sysadm_t samhain_t:process siginh;

But, I don't see anything amiss. In particular, the sysadm_t domain seems
authorized to read and execute samhain_exec_t files, and seems able to
transition to the samhain_t domain upon doing so.

Can anyone spot my (presumably stupid) error, or suggest an improvement to
my troubleshooting procedure?

Thanks!

Cheers,

---------------------------------------------------
Bill McCarty

--
gentoo-security@g.o mailing list
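A domain transition in SELinux TE policy needs four statements to line up: the source domain may execute the exec type, the source may transition to the target domain, the target domain has the exec type as an entrypoint, and a type_transition makes the switch automatic (domain_auto_trans expands to all of them). The checker below is an added example for this thread, not code from the post or from the Gentoo policy: it parses allow and type_transition statements in policy.conf syntax and reports which leg of the sysadm_t -> samhain_t transition via samhain_exec_t is present. POLICY_FRAGMENT is constructed from the grep output quoted above; because that grep pattern only matches lines naming both sysadm and samhain, it cannot show whether the target domain's entrypoint rule exists, so the fragment lacks it and the checker reports it as missing. Rules granted through attributes (domain, file_type, ...) are not resolved.

```python
"""Check a policy.conf-style fragment for the rules one domain transition
needs.  Added example for this thread, not code from the original post or
from the Gentoo policy; the statement syntax is standard SELinux TE.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the allow / type_transition lines quoted in the post.
# The grep pattern there only matches lines naming both sysadm and samhain,
# so a rule such as `allow samhain_t samhain_exec_t:file entrypoint;` would
# not appear in that output even if policy.conf contained it.
POLICY_FRAGMENT = """
type samhain_exec_t, file_type, sysadmfile, exec_type;
# dontaudit sysadm_t samhain_t:process noatsecure;
allow sysadm_t samhain_t:process transition;
allow sysadm_t samhain_exec_t:file { read { getattr execute } };
allow samhain_t sysadm_t:process sigchld;
allow samhain_t sysadm_t:fd use;
allow sysadm_t samhain_t:fd use;
type_transition sysadm_t samhain_exec_t:process samhain_t;
allow samhain_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file { read
write ioctl }; allow sysadm_t samhain_t:process noatsecure;
"""

_STMT = re.compile(r"^(allow|type_transition)\s+(.*?):(\w+)\s+(.*)$")


def _sets(text: str) -> List[Set[str]]:
    """Split 'a { b c } { d { e } }' into [{a}, {b, c}, {d, e}]; nested
    braces (as in `{ read { getattr execute } }`) are flattened."""
    toks = re.findall(r"\{|\}|[A-Za-z0-9_.]+", text)
    out, i = [], 0
    while i < len(toks):
        if toks[i] == "{":
            depth, names, i = 1, set(), i + 1
            while depth:
                tok = toks[i]
                if tok == "{":
                    depth += 1
                elif tok == "}":
                    depth -= 1
                else:
                    names.add(tok)
                i += 1
            out.append(names)
        else:
            out.append({toks[i]})
            i += 1
    return out


def parse_rules(policy_text: str) -> List[Dict]:
    """Return allow / type_transition statements as dicts with source,
    target, class and permission (or new-type) sets.  Comments are dropped;
    statements end with ';' and may span lines.  Attribute membership
    (rules written against `domain`, `file_type`, ...) is not resolved."""
    rules = []
    text = re.sub(r"#.*", "", policy_text)
    for stmt in text.split(";"):
        m = _STMT.match(" ".join(stmt.split()))
        if not m:
            continue
        kind, src_tgt, cls, extra = m.groups()
        src, tgt = _sets(src_tgt)
        rules.append({"kind": kind, "src": src, "tgt": tgt, "cls": cls,
                      "extra": _sets(extra)[0]})
    return rules


def check_transition(policy_text: str, src: str, exec_t: str,
                     tgt: str) -> Dict[str, bool]:
    """Report which of the rules SELinux needs for src -> tgt via exec_t
    are present: execute on the exec type, process transition, the target
    domain's entrypoint on the exec type, and the type_transition that
    makes the switch automatic (domain_auto_trans supplies all four)."""
    rules = parse_rules(policy_text)

    def has(kind, s, t, cls, perm):
        return any(r["kind"] == kind and s in r["src"] and t in r["tgt"]
                   and r["cls"] == cls and perm in r["extra"] for r in rules)

    return {
        "execute":    has("allow", src, exec_t, "file", "execute"),
        "transition": has("allow", src, tgt, "process", "transition"),
        "entrypoint": has("allow", tgt, exec_t, "file", "entrypoint"),
        "auto_trans": has("type_transition", src, exec_t, "process", tgt),
    }


def missing_rules(policy_text: str, src: str, exec_t: str,
                  tgt: str) -> List[str]:
    """The TE statements that would have to be added for the transition."""
    needed = {
        "execute":    f"allow {src} {exec_t}:file execute;",
        "transition": f"allow {src} {tgt}:process transition;",
        "entrypoint": f"allow {tgt} {exec_t}:file entrypoint;",
        "auto_trans": f"type_transition {src} {exec_t}:process {tgt};",
    }
    present = check_transition(policy_text, src, exec_t, tgt)
    return [needed[k] for k in needed if not present[k]]


if __name__ == "__main__":
    for leg, ok in check_transition(POLICY_FRAGMENT, "sysadm_t",
                                    "samhain_exec_t", "samhain_t").items():
        print(f"{leg:11} {'present' if ok else 'MISSING'}")
    for line in missing_rules(POLICY_FRAGMENT, "sysadm_t",
                              "samhain_exec_t", "samhain_t"):
        print("needed:", line)
```

Run it over the whole policy.conf rather than a grep subset so the entrypoint leg is judged on the real file. Since the system in the post is in permissive mode, SELinux logs rather than enforces, so a check like this settles only the policy side; the Permission denied itself then has to be explained outside SELinux.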

Replies

Subject Author
Re: [gentoo-security] Learning to write SELinux policies Bill McCarty <bmccarty@××××××.net>
Re: [gentoo-security] Learning to write SELinux policies Chris PeBenito <pebenito@g.o>