* simple Perl script to converse messages to access rules
@ 2001-12-04 13:57 Justin Smith
  2001-12-04 14:24 ` Stephen Smalley
  2001-12-04 14:36 ` [PATCH] AVC auditing changes Stephen Smalley
  0 siblings, 2 replies; 4+ messages in thread
From: Justin Smith @ 2001-12-04 13:57 UTC (permalink / raw)
  To: selinux

This will convert a sequence of access denied messages into
allow-commands.


One problem: even in permissive mode, SELinux doesn't generate all
possible denied messages. After one enables access and reruns an
offending program, one gets more denied messages. It's as if the program
didn't completely run the previous time (although it should, in
permissive mode).

Here's the perl script:
#------------------------------------cut here---------------------
#!/usr/bin/perl
#
# Convert a sequence of AVC "denied" messages (read from ./messages)
# into SELinux allow rules (written to ./newrules), one rule per
# (source type, target type, object class).
#
use strict;
use warnings;

open my $errfile,  '<', 'messages' or die "cannot open messages: $!";
open my $newrules, '>', 'newrules' or die "cannot create newrules: $!";

my %rules = ();

#
# format: $rules{ "$scontext|$tcontext|$tclass"}
#          = { '$accesstype1' => 1,'$accesstype2' => 1}, etc.;
#

while (my $inline = <$errfile>)
  {
    # "avc:  denied  { read }" or "{ read write }": capture every permission.
    next unless ($inline =~ /avc:\s*denied\s*\{\s*([\w\s]+?)\s*\}/);
    my @accesstypes = split ' ', $1;

    # The kernel prints scontext=, tcontext= and tclass= either on the
    # lines following "avc: denied" (old AVC output) or on the same line
    # (single-line output), so gather lines into one record until tclass=
    # has been seen.
    my $record = $inline;
    my $more;
    while ($record !~ /tclass=/ && defined($more = <$errfile>))
      {
        $record .= $more;
      }

    # A context is user:role:type; the rule wants only the type, i.e.
    # the last colon-separated component.
    my ($scontext) = $record =~ /scontext=(?:[\w.]+:)*(\w+)/;
    my ($tcontext) = $record =~ /tcontext=(?:[\w.]+:)*(\w+)/;
    my ($tclass)   = $record =~ /tclass=(\w+)/;
    unless (defined $scontext && defined $tcontext && defined $tclass)
      {
        # e.g. the kernel printed ssid=/tsid= because the SID had no context
        warn "skipping incomplete record at line $.: $inline";
        next;
      }
    $rules{"$scontext|$tcontext|$tclass"}{$_} = 1 for @accesstypes;
  }
close $errfile;

# done with the input file
# now generate the rules

foreach my $k (sort keys %rules)
  {
    my ($scontext, $tcontext, $tclass) = split /\|/, $k;
    my $access_types = join ' ', sort keys %{ $rules{$k} };
    print $newrules "allow $scontext $tcontext:$tclass { $access_types };\n";
  }
close $newrules or die "cannot write newrules: $!";


#-----------------end------------------------------------
-- 

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: simple Perl script to converse messages to access rules
  2001-12-04 13:57 simple Perl script to converse messages to access rules Justin Smith
@ 2001-12-04 14:24 ` Stephen Smalley
  2001-12-04 14:32   ` Justin Smith
  2001-12-04 14:36 ` [PATCH] AVC auditing changes Stephen Smalley
  1 sibling, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2001-12-04 14:24 UTC (permalink / raw)
  To: Justin Smith; +Cc: selinux


On 4 Dec 2001, Justin Smith wrote:

> This will convert a sequence of access denied messages into
> allow-commands.
>
> One problem: even in permissive mode, SELinux doesn't generate all
> possible denied messages. After one enables access and reruns an
> offending program, one gets more denied messages. It's as if the program
> didn't completely run the previous time (although it should, in
> permissive mode).

Thanks for the script.  The problem that you describe above should be
fixed in the next release.  The AVC has a ratelimit to prevent flooding
the system with AVC audit messages (copied from the existing net_ratelimit
for network log messages).  Currently, the ratelimit is applied regardless
of whether the system is in permissive mode or not, but I've changed this
behavior for future releases so that it is only applied in enforcing mode.
Also, in response to a request from a user on the list, I've changed the
AVC auditing code to put each audit message on a single line, so that will
likely require changes to your script.

While this script should be helpful in customizing the policy
configuration, you should carefully examine its output to ensure that the
resulting rules do not violate your security objectives.  Frequently,
rather than granting the permission between the existing domain and type,
you will want to define a new domain for the process and/or a new type for
the file and only grant the permission for the new domain and/or type.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com



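The rate limiter described in the reply above, as an added example that is not part of this thread or of the SELinux source: a C model of the net_ratelimit-derived token bucket using the thread's constants (avc_msg_cost = 5*HZ, avc_msg_burst = 10*5*HZ), with and without the permissive-mode bypass, replayed against a simulated jiffies clock. HZ, the `struct avc_rl` state, the `audited_count` replay harness and the initialisation routine are assumptions made for the example; only the bucket arithmetic and the two function names follow the patch.

```c
/*
 * Model of the AVC audit rate limiter: a token bucket copied from
 * net_ratelimit, plus the permissive-mode bypass from the follow-up patch.
 * Added example, not code from the SELinux tree; HZ is assumed and jiffies
 * are passed in by the caller so the behaviour can be replayed.
 */
#include <stdio.h>

#define HZ 100                                        /* assumed tick rate    */

static const unsigned long avc_msg_cost  = 5 * HZ;      /* tokens per message   */
static const unsigned long avc_msg_burst = 10 * 5 * HZ; /* bucket size: 10 msgs */

struct avc_rl {
    unsigned long toks;     /* tokens in the bucket, refilled one per jiffy   */
    unsigned long last_msg; /* jiffies at the previous call                   */
    int missed;             /* messages suppressed since the last one printed */
    int permissive;         /* stands in for avc_debug_always_allow           */
};

static void avc_rl_init(struct avc_rl *s, int permissive)
{
    s->toks = avc_msg_burst;   /* net_ratelimit starts with a full bucket */
    s->last_msg = 0;
    s->missed = 0;
    s->permissive = permissive;
}

/* net_ratelimit-style check: 1 means "print this message", 0 means suppress. */
static int avc_ratelimit(struct avc_rl *s, unsigned long now)
{
    s->toks += now - s->last_msg;       /* one token per elapsed jiffy */
    s->last_msg = now;
    if (s->toks > avc_msg_burst)
        s->toks = avc_msg_burst;
    if (s->toks >= avc_msg_cost) {
        s->toks -= avc_msg_cost;
        s->missed = 0;                  /* the kernel reports the lost count here */
        return 1;
    }
    s->missed++;
    return 0;
}

/* Behaviour after the patch: permissive mode never suppresses a message. */
static int check_avc_ratelimit(struct avc_rl *s, unsigned long now)
{
    if (s->permissive)
        return 1;
    return avc_ratelimit(s, now);
}

/*
 * Replay n denials spaced `gap` jiffies apart and return how many would be
 * audited.  `patched` selects check_avc_ratelimit (new behaviour) or the
 * bare avc_ratelimit (old behaviour, applied regardless of mode).
 */
int audited_count(int n, unsigned long gap, int permissive, int patched)
{
    struct avc_rl s;
    int printed = 0;

    avc_rl_init(&s, permissive);
    for (int i = 0; i < n; i++) {
        unsigned long now = (unsigned long)i * gap;
        printed += patched ? check_avc_ratelimit(&s, now)
                           : avc_ratelimit(&s, now);
    }
    return printed;
}

int main(void)
{
    /* 30 denials from a tight loop: the old limiter keeps 10 in both modes,
     * which is why the script saw fresh denials on every rerun. */
    printf("old, enforcing : %d of 30\n", audited_count(30, 0, 0, 0));
    printf("old, permissive: %d of 30\n", audited_count(30, 0, 1, 0));
    printf("new, permissive: %d of 30\n", audited_count(30, 0, 1, 1));
    printf("new, enforcing : %d of 30\n", audited_count(30, 0, 0, 1));
    /* Spaced 5 s apart, the bucket refills exactly one message per gap. */
    printf("new, enforcing, 5 s apart: %d of 30\n",
           audited_count(30, 5 * HZ, 0, 1));
    return 0;
}
```

The replay makes the failure mode in the first message concrete: a program that trips thirty denials in one burst gets ten audited and twenty silently dropped, and the script therefore produces only a third of the rules on the first pass. With the bypass, permissive mode audits all of them; enforcing mode keeps the limit, which still matters on a production box where unbounded audit output is itself a flooding risk.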

* Re: simple Perl script to converse messages to access rules
  2001-12-04 14:24 ` Stephen Smalley
@ 2001-12-04 14:32   ` Justin Smith
  0 siblings, 0 replies; 4+ messages in thread
From: Justin Smith @ 2001-12-04 14:32 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

On Tue, 2001-12-04 at 09:24, Stephen Smalley wrote:
> While this script should be helpful in customizing the policy
> configuration, you should carefully examine its output to ensure that the
> resulting rules do not violate your security objectives.  Frequently,
> rather than granting the permission between the existing domain and type,
> you will want to define a new domain for the process and/or a new type for
> the file and only grant the permission for the new domain and/or type.
> 
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com
> 
> 

I envisioned this script as a quick and dirty way to get a system
working in enforcing mode AFTER one has defined a bunch of new domains
(that trigger lots of denied messages).

Naturally users should examine the output of this script to confirm that
it will do what they want. 

One great thing about SELinux is that it gives a detailed account of
what is taking place in a system. For instance, I discovered that web
users were trying to access files over symbolic links via my web server.
I hadn't been aware that my web server had symbolic link access enabled.
--




* [PATCH] AVC auditing changes
  2001-12-04 13:57 simple Perl script to converse messages to access rules Justin Smith
  2001-12-04 14:24 ` Stephen Smalley
@ 2001-12-04 14:36 ` Stephen Smalley
  1 sibling, 0 replies; 4+ messages in thread
From: Stephen Smalley @ 2001-12-04 14:36 UTC (permalink / raw)
  To: Justin Smith; +Cc: selinux

[-- Attachment #1: Type: TEXT/PLAIN, Size: 396 bytes --]


I've attached a patch that implements the changes to the AVC auditing
code that I mentioned in my previous message (only impose ratelimit if
enforcing, put each audit message on a single line).  To apply, save
the attachment to ~/avc.patch, cd selinux, and run 'patch -p1 <
~/avc.patch'.  Then rebuild the LSM kernel with the SELinux module.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




[-- Attachment #2: Type: TEXT/PLAIN, Size: 1794 bytes --]

Index: selinux/module/selinux_plug/avc.c
diff -u selinux/module/selinux_plug/avc.c:1.10 selinux/module/selinux_plug/avc.c:1.12
--- selinux/module/selinux_plug/avc.c:1.10	Mon Nov 12 23:07:23 2001
+++ selinux/module/selinux_plug/avc.c	Tue Nov 27 11:27:38 2001
@@ -157,7 +157,6 @@
 	security_context_t scontext;
 	__u32 scontext_len;
 	
-	printk("\n   ");
  	rc = security_sid_to_context(ssid, &scontext, &scontext_len);
 	if (rc)
 		printk("ssid=%d", ssid);		
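Review bot: with the leading `printk("\n   ")` gone, `printk("ssid=%d", ssid)` on the failure path is the only field in this function printed without a leading space, whereas `printk(" tsid=%d", tsid)` in the next hunk has one; the caller now inserts a single `printk(" ")` before avc_dump_query, so the output is still separated, but changing this to `" ssid=%d"` would keep the function self-consistent with its tsid branch.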
@@ -166,7 +165,6 @@
 		kfree(scontext);
 	}
 
-	printk("\n  ");
 	rc = security_sid_to_context(tsid, &scontext, &scontext_len);
 	if (rc)
 		printk(" tsid=%d", tsid);
@@ -174,8 +172,7 @@
 		printk(" tcontext=%s", scontext);
 		kfree(scontext);
 	}
-	printk("\n  ");
-	printk(" tclass=%s\n", class_to_string[tclass]);
+	printk(" tclass=%s", class_to_string[tclass]);
 }
 
 
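Review bot: dropping the trailing `\n` from `printk(" tclass=%s", ...)` leaves avc_dump_query's output unterminated, and the newline is now supplied only by the caller in avc_audit; any other caller of avc_dump_query would have its next printk glued onto the end of the record. Suggest a comment above the function saying that it emits neither a leading space nor a trailing newline and that callers must add both. Separately, `class_to_string[tclass]` is indexed here with no range check visible; if tclass can arrive unchecked from a caller, a guard against the table size would avoid reading past it.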
@@ -547,6 +544,7 @@
  * Copied from net/core/utils.c:net_ratelimit and modified for
  * use by the AVC audit facility.
  */
+
 int avc_msg_cost = 5*HZ;
 int avc_msg_burst = 10*5*HZ;
 
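Review bot: the added blank line detaches the "Copied from net/core/utils.c:net_ratelimit" comment from the `avc_msg_cost` and `avc_msg_burst` definitions it documents; drop it so the comment stays attached to those declarations.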
@@ -583,6 +581,28 @@
 }
 
 
+#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
+
+static inline int check_avc_ratelimit(void)  
+{
+	if (avc_debug_always_allow)
+		/* If permissive, then never suppress messages. */
+		return 1;
+	else
+		return avc_ratelimit();
+}
+
+#else
+
+static inline int check_avc_ratelimit(void)  
+{
+	return avc_ratelimit();
+}
+
+#endif
+
+
+
 /*
  * Audit the granting or denial of permissions.
  */
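Review bot: the permissive branch in check_avc_ratelimit returns before the limiter is consulted, so in permissive mode there is no ceiling on audit output at all: a process that trips denials in a tight loop will log every one of them. That is the intent for policy development, but on a permissive box that untrusted users can reach it is also an easy way to flood the logs; consider a much larger burst for permissive mode rather than no limit, or at least state in the comment that the bypass is deliberate. Style: the `else` after `return 1;` is redundant, both `static inline int check_avc_ratelimit(void)` lines carry trailing whitespace, and three blank lines precede the "Audit the granting or denial" comment where one would do.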
@@ -597,7 +617,7 @@
 {
 	char *p;
 
-	if (!avc_ratelimit())
+	if (!check_avc_ratelimit())
 		return;
 
 	printk("\navc:  %s ", denied ? "denied" : "granted");
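Review bot: `printk("\navc:  %s ", ...)` keeps its leading `\n` while the final hunk appends a trailing `\n` after avc_dump_query, so every audit record will now be preceded by an empty line; drop the leading `\n` (and consider a `KERN_*` level prefix in its place) so each record is exactly one line, which is the property the Perl script in this thread relies on.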
@@ -739,7 +759,9 @@
 			break;
 		}
 	}
+	printk(" ");
 	avc_dump_query(ssid, tsid, tclass);
+	printk("\n");
 }
 
 
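Review bot: the one-record-per-line guarantee only holds if nothing else calls printk between the opening `printk("\navc:  ...")` and this closing `printk("\n")`; the record is assembled from many separate printk calls, so output from another CPU or from interrupt context can land in the middle of it. If single-line records are meant to be machine-parsed (as the script in this thread does), formatting the whole record into a local buffer and issuing one printk would make that robust.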

