* OOPS, the earlier script had an error
@ 2001-12-04 18:40 Justin Smith
  2001-12-04 19:43 ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Justin Smith @ 2001-12-04 18:40 UTC (permalink / raw)
  To: selinux

Here's the corrected one:
#----------------------cut---------------------------------------

#!/usr/bin/perl
# Read SELinux "avc: denied" messages from the file "messages" and write
# one "allow" rule per (source type, target type, class) to "newrules".
use strict;
use warnings;

open ERRFILE, "< messages" or die "cannot open messages: $!";
open NEWRULES, "> newrules" or die "cannot open newrules: $!";

my %rules = ();

# format: $rules{ "$scontext|$tcontext|$tclass"}
#          = { '$accesstype' => 1};

while (my $inline = <ERRFILE>)
  {
    next unless ($inline =~ /avc:\s*denied\s*\{((\w|\s)*)\}/);
    my $accesstype = $1;
    my $nextline = $';          # rest of the line after the permission list
    # each context is user:role:type; only the type goes into the rule.
    # "or next" skips lines that do not match instead of reusing a stale $1.
    $nextline =~ /scontext=\w+:\w+:(\w+)\s*/ or next;
    my $scontext = $1;
    $nextline = $';
    $nextline =~ /tcontext=\w+:\w+:(\w+)\s*/ or next;
    my $tcontext = $1;
    $nextline = $';
    $nextline =~ /tclass=(\w+)\s*\Z/ or next;
    my $tclass = $1;
    my @atypes = split /\s+/, $accesstype;
    foreach my $atype (@atypes)
      {
        next unless $atype =~ /\S/;
        $atype =~ m/\s*(\w+)\s*/;
        my $trim = $1;
        $rules{"$scontext|$tcontext|$tclass"}{$trim} = 1;
      }
  }
close ERRFILE;

# done with the input file
# now generate the rules

foreach my $k (sort keys %rules)
  {
    my ($scontext, $tcontext, $tclass) = split /\|/, $k;
    print NEWRULES "allow $scontext $tcontext:$tclass { ";
    my $access_types = $rules{$k};
    foreach my $t (sort keys %$access_types)
      {
        print NEWRULES "$t ";
      }
    print NEWRULES "};\n";
  }
close NEWRULES;
#--------------------------------end-------------------------


and the corrected ipchains rules:

#-------------------------------------------------------

#
# Rules for the ipchains_t domain.
#
type ipchains_t, domain, privlog;
type ipchains_exec_t, file_type, sysadmfile, exec_type;
type ipchains_file_t, file_type, sysadmfile;
type ipchains_var_run_t, file_type, sysadmfile, pidfile;

domain_auto_trans(ipchains_t, insmod_exec_t, insmod_t)

domain_auto_trans(ipchains_t, ifconfig_exec_t, ifconfig_t)
file_type_auto_trans(ipchains_t, var_run_t, ipchains_var_run_t)

# Inherit and use descriptors from init.
allow ipchains_t init_t:fd inherit_fd_perms;

allow ipchains_t bin_t:file { execute execute_no_trans };
allow ipchains_t ipchains_exec_t:file { execute_no_trans };
allow ipchains_t ipchains_t:capability { net_admin net_raw };
allow ipchains_t ipchains_t:rawip_socket { create setopt };


#-------------------------------------------------------

-- 
______________________________________________________________________
Time blows wildly against my door       | Justin R. Smith
Stirring discarded sorrows      	| Department of Mathematics and
Like dead leaves of summers past        |     Computer Science
Memories of forgotten lore          	| Drexel University
Making way for new tomorrows         	| Philadelphia, PA 19104
New hopes, new fears,                   |
         and new ways that last         | Office: (215) 895-1847
URL: http://vorpal.mcs.drexel.edu       | Fax:    (215) 895-1582



--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: OOPS, the earlier script had an error
  2001-12-04 18:40 OOPS, the earlier script had an error Justin Smith
@ 2001-12-04 19:43 ` Stephen Smalley
  2001-12-12  1:23   ` Didn't notice this question Justin Smith
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2001-12-04 19:43 UTC (permalink / raw)
  To: Justin Smith; +Cc: selinux


Thanks for the updated script.  You might want to make it a filter,
reading from standard input and writing to standard output.  Then you can
just do 'dmesg | script > newrules.te' or 'script < /var/log/messages >
newrules.te'.  Could you clarify under what terms you are releasing
this script (e.g. GPL)?

In addition to my earlier caveat about carefully reviewing the output to
see whether you should add some new domains and/or types rather than
simply granting the permission for the existing domains and/or types, let
me add a couple of other notes of caution:

1) The script assumes that a denial occurs due to a lack of permission in
the Type Enforcement (TE) configuration.  But a denial might also occur
due to a lack of authorization in the Role-Based Access Control (RBAC)
configuration or a constraint in the constraints configuration (or, if
MLS is enabled, a violation of the MLS policy).  Due to the encapsulation
of the security policy logic and the caching of security decisions, there
is no way to know the particular policy component that caused the denial
when the access is denied and the audit message is generated.  You can't
address this problem in your script - it requires other support either
from the checkpolicy program or from policy analysis tools.  But you
should be aware of it, since you may find yourself encountering the same
denial even after adding the permission to the TE configuration.

2) The script doesn't know whether the application truly needs the
permission in order to function.  For example, the library functions for
accessing utmp file entries always try to open utmp with read and write
access, and fall back to opening with read-only access if this fails.  So
applications that only need to read from utmp will still show up as trying
to open with write access.  In this case, there is no legitimate reason to
grant write permission, but it will show up in the audit messages unless
you suppress it using the auditdeny rules.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com










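
The following is an added example and not Justin's script or anything from the list: a Python version of the filter Stephen suggests (log lines on stdin, rules on stdout) that also implements his second caveat by holding back permissions listed in a review table rather than granting them. The message format matched by AVC_RE and the lines in SAMPLE_LOG are constructed approximations of the 2001-era kernel output quoted in this thread; HOLD_FOR_REVIEW, parse_denials and generate are names chosen here, and the utmp entry in the review table is a hypothetical illustration of the read/write-then-read-only fallback Stephen describes.

```python
#!/usr/bin/env python3
"""Draft SELinux allow rules from "avc: denied" kernel messages.

Reads log lines on stdin and writes rules on stdout, so it works as
    dmesg | avc2allow.py > newrules.te
A permission named in HOLD_FOR_REVIEW is not granted; it is reported on
stderr for a human to decide, because a denial only shows that the
permission was requested, not that the program needs it.
"""
import re
import sys
from collections import defaultdict

# Constructed approximation of the 2001-era message format; the real lines
# carry further fields (pid=, exe=, path=, ino=) that are skipped by ".*?".
AVC_RE = re.compile(
    r"avc:\s*denied\s*\{(?P<perms>[\w\s]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Hypothetical review table: (source type, target type, class) -> permissions
# that programs are known to request opportunistically.  The utmp entry
# mirrors the read/write-then-read-only fallback described in the thread.
HOLD_FOR_REVIEW = {
    ("login_t", "var_run_t", "file"): {"write"},
}

# Constructed sample input, used when the script is run without a pipe.
SAMPLE_LOG = [
    "avc:  denied  { read write } for  pid=412 exe=/bin/login path=/var/run/utmp"
    " dev=03:01 ino=1193 scontext=system_u:system_r:login_t"
    " tcontext=system_u:object_r:var_run_t tclass=file",
    "avc:  denied  { getattr } for  pid=412 exe=/bin/login path=/var/run/utmp"
    " dev=03:01 ino=1193 scontext=system_u:system_r:login_t"
    " tcontext=system_u:object_r:var_run_t tclass=file",
    "avc:  denied  { net_admin } for  pid=533 exe=/sbin/ipchains"
    " scontext=system_u:system_r:ipchains_t"
    " tcontext=system_u:system_r:ipchains_t tclass=capability",
    "eth0: link up",  # unrelated kernel message, must be ignored
]


def type_of(context):
    """Return the type field of a user:role:type security context."""
    return context.split(":")[2]


def parse_denials(lines):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (type_of(m.group("scontext")),
               type_of(m.group("tcontext")),
               m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return rules


def generate(rules):
    """Return (allow rule lines, held-back entries), both in sorted order."""
    allow_lines, held = [], []
    for key in sorted(rules):
        src, tgt, cls = key
        blocked = rules[key] & HOLD_FOR_REVIEW.get(key, set())
        granted = sorted(rules[key] - blocked)
        if granted:
            allow_lines.append(
                "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(granted)))
        if blocked:
            held.append((src, tgt, cls, sorted(blocked)))
    return allow_lines, held


def main():
    lines = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    allow_lines, held = generate(parse_denials(lines))
    for line in allow_lines:
        print(line)
    for src, tgt, cls, perms in held:
        print("# review: %s %s:%s { %s } requested but not granted"
              % (src, tgt, cls, " ".join(perms)), file=sys.stderr)


if __name__ == "__main__":
    main()
```

Run it as `dmesg | ./avc2allow.py > newrules.te`; without a pipe it processes the constructed sample and prints the two allow rules on stdout and the held-back utmp write on stderr. The review table does nothing about Stephen's first caveat (denials caused by RBAC, constraints or MLS rather than TE): those still produce an allow rule here and will keep recurring until the real cause is found with the policy tools he mentions.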

* Didn't notice this question
  2001-12-04 19:43 ` Stephen Smalley
@ 2001-12-12  1:23   ` Justin Smith
  0 siblings, 0 replies; 3+ messages in thread
From: Justin Smith @ 2001-12-12  1:23 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

On Tue, 2001-12-04 at 14:43, Stephen Smalley wrote:
> newrules.te'.  Could you clarify under what terms you are releasing
> this script (e.g. GPL)?

Of course, I am GPL'ing this script. Here's a slightly revised form (it
runs dmesg itself):


#----------------------------cut-------------------
#!/usr/bin/perl
#
#    newrules.pl.
#
#    Run "dmesg", collect the SELinux "avc: denied" messages and print
#    one "allow" rule per (source type, target type, class) on stdout.
#
#    Copyright (C) 2001  Justin R. Smith (jsmith@mcs.drexel.edu)
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 2 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program; if not, write to the Free Software
#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
#    02111-1307  USA
#
use strict;
use warnings;

# Get the 'access denied' messages
my @allmessages = split /\n/, `dmesg`;
die "dmesg failed with status $?" if $?;

my %rules = ();

# format: $rules{ "$scontext|$tcontext|$tclass"}
#          = { '$accesstype' => 1};

foreach my $inline (@allmessages)
  {
    next unless ($inline =~ m/avc:\s*denied\s*\{((\w|\s)*)\}/);
    my $accesstype = $1;
    my $nextline = $';          # rest of the line after the permission list
    # each context is user:role:type; only the type goes into the rule.
    # "or next" skips lines that do not match instead of reusing a stale $1.
    $nextline =~ m/scontext=\w+:\w+:(\w+)\s*/ or next;
    my $scontext = $1;
    $nextline = $';
    $nextline =~ m/tcontext=\w+:\w+:(\w+)\s*/ or next;
    my $tcontext = $1;
    $nextline = $';
    $nextline =~ m/tclass=(\w+)\s*\Z/ or next;
    my $tclass = $1;
    my @atypes = split /\s+/, $accesstype;
    foreach my $atype (@atypes)
      {
        next unless $atype =~ m/\S/;
        $atype =~ m/\s*(\w+)\s*/;
        my $trim = $1;
        $rules{"$scontext|$tcontext|$tclass"}{$trim} = 1;
      }
  }

# done with the input
# now generate the rules

foreach my $k (sort keys %rules)
  {
    my ($scontext, $tcontext, $tclass) = split /\|/, $k;
    print "allow $scontext $tcontext:$tclass { ";
    my $access_types = $rules{$k};
    foreach my $t (sort keys %$access_types)
      {
        print "$t ";
      }
    print "};\n";
  }
#

------------------cut---------------------------


If I find the time (?), I'll try to expand this to a GUI tool for
configuring security policies (using Perl/Tk).

