[refpolicy] yule
Konrad Azzopardi
konrad.azzopardi at gmail.com
Tue Dec 2 15:17:05 CST 2008
Hi Chris,
I changed manage_files_pattern(yule_t,yule_config_t,yule_config_t)
to
allow yule_t yule_config_t:file read_file_perms;
The kill and sys_ptrace are needed; without them there are problems
stopping the service.
Tnx
Konrad
On Tue, Dec 2, 2008 at 9:19 PM, Konrad Azzopardi
<konrad.azzopardi at gmail.com> wrote:
> Hi Chris,
>
> Thanks for your answer. For sure I was getting a denial without
> execmod. For the rest I will check.
>
> tnx
> konrad
>
> On Tue, Dec 2, 2008 at 8:06 PM, Christopher J. PeBenito
> <cpebenito at tresys.com> wrote:
>>> On Sun, Nov 30, 2008 at 3:31 PM, Konrad Azzopardi
>>> <konrad.azzopardi at gmail.com> wrote:
>>> > Dear all,
>>> >
>>> > I am confining a service called 'yule', which is the central server
>>> > for the file integrity checker SAMHAIN.
>>> >
>>> > Something about the server:
>>> >
>>> > Binary file is at /usr/local/sbin/yule
>>> > Startup script is at /etc/rc.d/init.d/yule --
>>> > Config file : /etc/yulerc
>>> > Logfiles /var/log/yule(/.*)?
>>> > PID file is at /var/run/yule.pid
>>> >
>>> > It optionally uses mysql and I have put this as a boolean. I would
>>> > appreciate it if somebody reviewed the files and gave me some feedback to
>>> > know if I am on the right track.
>>> >
>>> > I have only one question... When I issue a stop by /etc/init.d/yule stop
>>> > I get all sorts of avc denials, however the daemon still stops. From
>>> > the avc denials and also via an strace it is evident that the stop
>>> > script is somehow doing a search in the whole /proc directory. What is the
>>> > best thing to do here? Allowing search to all types in /proc or make
>>> > a dontaudit, and in both cases is there a macro that captures all types
>>> > inside /proc {don't think so}.
>>
>> Rule-wise I see a few things which seem questionable to me:
>>
>>> manage_files_pattern(yule_t,yule_config_t,yule_config_t)
>>
>> It seems like you would not want the daemon to modify its own config
>> files.
>>
>>> allow yule_t yule_exec_t:file execmod;
>>
>> Did you really encounter this as a denial? I wouldn't expect this on an
>> executable. Especially a daemon doing this on its own executable.
>>
>>> allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource kill sys_ptrace};
>>
>> The kill and sys_ptrace capabilities seem weird, as there do not seem to
>> be any process sigkill or process ptrace permissions being used in the
>> policy.
>>
>>
>> Assuming you're interested in getting this upstreamed:
>>
>>> /usr/local/sbin/yule -- gen_context(system_u:object_r:yule_exec_t,s0)
>>
>> Standard (distro) locations should be covered too, such
>> as /usr/sbin/yule, not just /usr/local.
>>
>> Also the organization of the file should be fixed to match the refpolicy
>> style better.
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> (410) 290-1411 x150
>>
>>
>
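Added example, not code from this thread or from the samhain/yule project: a refpolicy-style yule.te (with the matching yule.fc lines as a comment at the end) that applies the review points above, i.e. config read-only for the daemon, both install paths labelled, capabilities granted only with the process permissions that need them, and mysql access behind a boolean. The type and boolean names (yule_conf_t, yule_log_t, yule_var_run_t, yule_use_mysql) are assumptions; the paths are the ones Konrad listed.

```selinux
policy_module(yule, 1.0.0)

## <desc>
## <p>Allow yule to talk to the local mysql server.</p>
## </desc>
gen_tunable(yule_use_mysql, false)

type yule_t;
type yule_exec_t;
init_daemon_domain(yule_t, yule_exec_t)

type yule_conf_t;           # assumed name for /etc/yulerc
files_config_file(yule_conf_t)
type yule_log_t;            # assumed name for /var/log/yule
logging_log_file(yule_log_t)
type yule_var_run_t;        # assumed name for /var/run/yule.pid
files_pid_file(yule_var_run_t)

# No kill/sys_ptrace here: grant them only together with the
# process { sigkill ptrace } rules that would actually use them.
allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource };

# Config is read-only for the daemon: read_files_pattern, not manage_files_pattern.
read_files_pattern(yule_t, yule_conf_t, yule_conf_t)

manage_files_pattern(yule_t, yule_log_t, yule_log_t)
logging_log_filetrans(yule_t, yule_log_t, file)

manage_files_pattern(yule_t, yule_var_run_t, yule_var_run_t)
files_pid_filetrans(yule_t, yule_var_run_t, file)

files_read_etc_files(yule_t)
logging_send_syslog_msg(yule_t)
miscfiles_read_localization(yule_t)

# mysql is its own optional module, so the boolean sits inside optional_policy.
optional_policy(`
	tunable_policy(`yule_use_mysql',`
		mysql_stream_connect(yule_t)
	')
')

# yule.fc: label the distro path as well as /usr/local (paths from the thread).
# /usr/local/sbin/yule		--	gen_context(system_u:object_r:yule_exec_t,s0)
# /usr/sbin/yule		--	gen_context(system_u:object_r:yule_exec_t,s0)
# /etc/yulerc			--	gen_context(system_u:object_r:yule_conf_t,s0)
# /var/log/yule(/.*)?			gen_context(system_u:object_r:yule_log_t,s0)
# /var/run/yule\.pid		--	gen_context(system_u:object_r:yule_var_run_t,s0)
```

After building the module, `sesearch -A -s yule_t -t yule_conf_t` should show only read-class permissions on the config type, which is the quick check for the first review point.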