[refpolicy] Help with policy writing

Brandon Whalen bwhalen at tresys.com
Mon Oct 27 08:22:00 CDT 2008

On 10/26/08 2:58 PM, "Dominick Grift" <domg472 at gmail.com> wrote:

> On Sun, 2008-10-26 at 19:43 +0100, Konrad Azzopardi wrote:
>> Raw Audit Messages
>> host=MALTA type=AVC msg=audit(1225045152.583:1290): avc:  denied  {
>> execute_no_trans } for  pid=7159 comm="samhain"
>> path="/usr/local/sbin/samhain" dev=dm-0 ino=7552222
>> scontext=unconfined_u:system_r:samhain_t:s0
>> tcontext=system_u:object_r:samhain_exec_t:s0 tclass=file
>> host=MALTA type=SYSCALL msg=audit(1225045152.583:1290): arch=40000003
>> syscall=11 success=yes exit=0 a0=b8f57000 a1=bfc3cc48 a2=bfc3cfa0
>> a3=bfc3cd4c items=0 ppid=7158 pid=7159 auid=500 uid=0 gid=0 euid=0
>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="samhain"
>> exe="/usr/local/sbin/samhain" subj=unconfined_u:system_r:samhain_t:s0
>> key=(null)
> samhain_t is trying to execute samhain executable file:
> can_exec(samhain_t, samhain_exec_t)
> might solve this. refer to this interface call in reference policy.
This looks like you are transitioning to the samhain domain when the initrc
script is run and then that script is calling the actual executable. I would
suggest creating an init domain specific to samhain for the init script, but
you could just let it run as initrc_t and force the transition when the
samhain executable is run.

Not sure how far you are on this, but if you are going to submit this
upstream for a process like samhain which is going to vary based upon the
user you're probably going to want to give it something generic like
files_getattr_all_files, so that it can check every file on the system and
not just the specific ones you've listed in your database. Also, make sure
you limit what it can write to so you limit any potential exploits.

>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
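The advice in this thread, collected into one refpolicy-style module as an added example (this is not Konrad's policy and not a module shipped by reference policy; the types samhain_log_t and samhain_var_lib_t and the samhain_t/samhain_exec_t/initrc_t interactions are assumed, only samhain_t and samhain_exec_t appear in the audit record above). It lets initrc_t transition into samhain_t when the init script runs the binary, grants the re-exec that produced the `execute_no_trans` denial, gives the checker generic getattr access instead of a list of specific paths, and confines writes to its own log and database types:

```selinux
policy_module(samhain, 0.1)

########################################
#
# Declarations
#

type samhain_t;
type samhain_exec_t;
# initrc_t transitions to samhain_t when it executes samhain_exec_t,
# so the daemon does not run as initrc_t.
init_daemon_domain(samhain_t, samhain_exec_t)

# Assumed private types for this example: the log and the
# checksum database samhain writes.
type samhain_log_t;
logging_log_file(samhain_log_t)

type samhain_var_lib_t;
files_type(samhain_var_lib_t)

########################################
#
# Local policy
#

# The denial in the thread: samhain_t runs /usr/local/sbin/samhain again
# (comm="samhain" executing samhain_exec_t) without a domain change.
can_exec(samhain_t, samhain_exec_t)

# An integrity checker needs to stat any file an administrator may list
# in its database, so grant getattr system-wide rather than per path.
# Hashing file contents would additionally need files_read_all_files(),
# a much broader grant that should be a deliberate decision.
files_getattr_all_files(samhain_t)

# Writes are limited to the checker's own types so that a compromised
# samhain_t cannot modify anything else on the system.
manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
logging_log_filetrans(samhain_t, samhain_log_t, file)

manage_files_pattern(samhain_t, samhain_var_lib_t, samhain_var_lib_t)
files_var_lib_filetrans(samhain_t, samhain_var_lib_t, file)

logging_send_syslog_msg(samhain_t)
```

The matching file context entry would label the binary from the audit record, `/usr/local/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,s0)`, and after loading the module the `execute_no_trans` AVC from the thread should no longer appear, while any new denial would show exactly which write the daemon attempts outside samhain_log_t and samhain_var_lib_t.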
