[refpolicy] yule
Konrad Azzopardi
konrad.azzopardi at gmail.com
Tue Dec 2 14:19:18 CST 2008
Hi Chris,
Thanks for your answer. For sure I was getting a denial without
execmod. For the rest I will check.
tnx
konrad
On Tue, Dec 2, 2008 at 8:06 PM, Christopher J. PeBenito
<cpebenito at tresys.com> wrote:
>> On Sun, Nov 30, 2008 at 3:31 PM, Konrad Azzopardi
>> <konrad.azzopardi at gmail.com> wrote:
>> > Dear all,
>> >
>> > I am confining a service called 'yule', which is the central server
>> > for the file integrity checker SAMHAIN.
>> >
>> > Something about the server:
>> >
>> > Binary file is at /usr/local/sbin/yule
>> > Startup script is at /etc/rc.d/init.d/yule --
>> > Config file: /etc/yulerc
>> > Logfiles /var/log/yule(/.*)?
>> > PID file is at /var/run/yule.pid
>> >
>> > It optionally uses mysql and I have put this as a boolean. I would
>> > appreciate it if somebody reviewed the files and gave me some feedback to
>> > know if I am on the right track.
>> >
>> > I have only one question.... When I issue a stop by /etc/init.d/yule stop
>> > I get all sorts of avc denials, however the daemon still stops. From
>> > the avc denials and also via an strace it is evident that the stop
>> > script is somehow doing a search in all proc directory. What is the
>> > best thing to do here? Allowing search to all types in /proc or make
>> > a dontaudit, and in both cases is there a macro that captures all types
>> > inside /proc {don't think so}.
>
> Rule-wise I see a few things which seem questionable to me:
>
>> manage_files_pattern(yule_t,yule_config_t,yule_config_t)
>
> It seems like you would not want the daemon to modify its own config
> files.
>
>> allow yule_t yule_exec_t:file execmod;
>
> Did you really encounter this as a denial? I wouldn't expect this on an
> executable. Especially a daemon doing this on its own executable.
>
>> allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource kill sys_ptrace};
>
> The kill and sys_ptrace capabilities seem weird, as there do not seem to
> be any process sigkill or process ptrace permissions being used in the
> policy.
>
>
> Assuming you're interested in getting this upstreamed:
>
>> /usr/local/sbin/yule -- gen_context(system_u:object_r:yule_exec_t,s0)
>
> Standard (distro) locations should be covered too, such
> as /usr/sbin/yule, not just /usr/local.
>
> Also the organization of the file should be fixed to match the refpolicy
> style better.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>
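As an added example (not Konrad's module and not anything posted in this thread), this is how the reviewed rules could look in refpolicy style once Chris's points are applied: the config type becomes read-only for the daemon, the execmod rule is dropped, kill and sys_ptrace leave the capability set, the distro path /usr/sbin/yule gets a file context, and the mysql access sits behind a tunable. The interface names are standard refpolicy ones; the tunable name `yule_use_mysql` and the type names `yule_log_t` and `yule_var_run_t` are assumptions, and the listening-port rules are left out because the thread does not give the port.

```selinux
# yule.fc: cover the distro location as well as /usr/local
/usr/local/sbin/yule	--	gen_context(system_u:object_r:yule_exec_t,s0)
/usr/sbin/yule		--	gen_context(system_u:object_r:yule_exec_t,s0)
/etc/yulerc		--	gen_context(system_u:object_r:yule_config_t,s0)
/var/log/yule(/.*)?		gen_context(system_u:object_r:yule_log_t,s0)
/var/run/yule\.pid	--	gen_context(system_u:object_r:yule_var_run_t,s0)

# yule.te, in refpolicy layout: declarations first, then local policy
policy_module(yule, 1.0.0)

# Declarations

# Assumed tunable name: allow yule to talk to a local mysql server
gen_tunable(yule_use_mysql, false)

type yule_t;
type yule_exec_t;
init_daemon_domain(yule_t, yule_exec_t)

type yule_config_t;
files_config_file(yule_config_t)

type yule_log_t;
logging_log_file(yule_log_t)

type yule_var_run_t;
files_pid_file(yule_var_run_t)

# Local policy

# kill and sys_ptrace dropped: no process sigkill/ptrace rules use them
allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource };
allow yule_t self:process signal_perms;

# The daemon only reads its config; no manage_files_pattern and no execmod
read_files_pattern(yule_t, yule_config_t, yule_config_t)

manage_files_pattern(yule_t, yule_log_t, yule_log_t)
logging_log_filetrans(yule_t, yule_log_t, file)

manage_files_pattern(yule_t, yule_var_run_t, yule_var_run_t)
files_pid_filetrans(yule_t, yule_var_run_t, file)

# Generic /proc state (proc_t) the daemon itself reads; the stop script's
# walk over /proc/<pid> is a separate question the thread leaves open
kernel_read_system_state(yule_t)

tunable_policy(`yule_use_mysql', `
	mysql_stream_connect(yule_t)
')
```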