auditdeny is painful

All of lore.kernel.org
 help / color / mirror / Atom feed

* auditdeny is painful
@ 2002-06-03 22:30 Russell Coker
  2002-06-04  0:50 ` Mini-cd's Ed Street
  2002-06-04 13:28 ` auditdeny is painful Stephen Smalley
  0 siblings, 2 replies; 9+ messages in thread
From: Russell Coker @ 2002-06-03 22:30 UTC (permalink / raw)
  To: SE Linux

I think that auditdeny is misdesigned.  Having to specify that we want to 
audit the opposite of what we don't want to audit is really confusing when 
you first start, and even with some practise it can result in results other 
than what you expect.  Consider the situation where you want to specify in 
one file to not audit getattr while in another file you want to specify not 
to audit search (this has seemed to be impossible in my tests).

Also I am having problems with the following:
auditdeny apmd_t { file_type fs_type }:dir_file_class_set ~getattr;
auditdeny apmd_t user_home_t:dir ~{ search getattr };

The result is that "apmd_t user_home_t:dir search" is audited.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Mini-cd's
  2002-06-03 22:30 auditdeny is painful Russell Coker
@ 2002-06-04  0:50 ` Ed Street
  2002-06-04  7:26   ` Mini-cd's Russell Coker
  2002-06-04 13:28 ` auditdeny is painful Stephen Smalley
  1 sibling, 1 reply; 9+ messages in thread
From: Ed Street @ 2002-06-04  0:50 UTC (permalink / raw)
  To: 'Russell Coker', 'SE Linux'

Hello,

I am currently working on a mini woody boot cd that will install selinux
by default.  Currently I have striped out everything to the bare core
(approx 34 megs) and adding packages in.  Any suggestions/ideas on going
this route?

Ed


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: Mini-cd's
  2002-06-04  0:50 ` Mini-cd's Ed Street
@ 2002-06-04  7:26   ` Russell Coker
  0 siblings, 0 replies; 9+ messages in thread
From: Russell Coker @ 2002-06-04  7:26 UTC (permalink / raw)
  To: blacknet, 'SE Linux'

On Tue, 4 Jun 2002 02:50, Ed Street wrote:
> I am currently working on a mini woody boot cd that will install selinux
> by default.  Currently I have striped out everything to the bare core
> (approx 34 megs) and adding packages in.  Any suggestions/ideas on going
> this route?

Sure, that should be easy enough to do.  Have your CD with the base packages, 
the "selinux" and "selinux-policy-default" packages and my SE modified 
versions of base packages.  Then for the base.tgz, have a copy of the default 
policy in /usr/share/selinux/policy/current (with a sym-link from there to 
/etc/selinux) and remove the .te files which don't apply.  Also you'll 
probably want a pre-installed policydb if you want to use SE on first boot.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: auditdeny is painful
  2002-06-03 22:30 auditdeny is painful Russell Coker
  2002-06-04  0:50 ` Mini-cd's Ed Street
@ 2002-06-04 13:28 ` Stephen Smalley
  2002-06-04 14:18   ` Russell Coker
  2002-06-04 19:24   ` [patch] " Stephen Smalley
  1 sibling, 2 replies; 9+ messages in thread
From: Stephen Smalley @ 2002-06-04 13:28 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

On Tue, 4 Jun 2002, Russell Coker wrote:

> I think that auditdeny is misdesigned.  Having to specify that we want to
> audit the opposite of what we don't want to audit is really confusing when
> you first start, and even with some practise it can result in results other
> than what you expect.  Consider the situation where you want to specify in
> one file to not audit getattr while in another file you want to specify not
> to audit search (this has seemed to be impossible in my tests).

The auditdeny access vector specifies what permission denials should be
audited.  If no auditdeny access vector is specified for a particular
(type, type, class) triple, then all permission denials are audited for
that triple, since you typically want to audit all denials by default.
When you specify an auditdeny rule, you are indicating that only a
particular subset of permission denials should be audited for that (type,
type, class) triple.   You can either specify that subset of permission
denials positively, listing the set of permissions that you want audited,
or negatively, specifying the complement (~) of a set of permissions that
you don't want audited, as with other rules.  When multiple auditdeny
rules are specified for a single (type, type, class) triple, the union of
the permission sets is used, as with other rules.

I suppose that we could introduce a dontaudit rule that automatically
generates auditdeny access vectors with the complement of the specified
set of permissions, and that uses the intersection of the permission sets
when multiple rules are specified for a single (type, type, class) triple.
This would likely be more suited to what a human would expect.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: auditdeny is painful
  2002-06-04 13:28 ` auditdeny is painful Stephen Smalley
@ 2002-06-04 14:18   ` Russell Coker
  2002-06-04 19:24   ` [patch] " Stephen Smalley
  1 sibling, 0 replies; 9+ messages in thread
From: Russell Coker @ 2002-06-04 14:18 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE Linux

On Tue, 4 Jun 2002 15:28, Stephen Smalley wrote:
> you don't want audited, as with other rules.  When multiple auditdeny
> rules are specified for a single (type, type, class) triple, the union of
> the permission sets is used, as with other rules.

The problem is that it is the union of the audit rules, but when people are 
writing such rules they tend to do them as "don't audit" rules so we get the 
intersection instead.

> I suppose that we could introduce a dontaudit rule that automatically
> generates auditdeny access vectors with the complement of the specified
> set of permissions, and that uses the intersection of the permission sets
> when multiple rules are specified for a single (type, type, class) triple.
> This would likely be more suited to what a human would expect.

Sounds good to me!

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [patch] Re: auditdeny is painful
  2002-06-04 13:28 ` auditdeny is painful Stephen Smalley
  2002-06-04 14:18   ` Russell Coker
@ 2002-06-04 19:24   ` Stephen Smalley
  2002-06-05 11:00     ` Justin Smith
  2002-06-05 11:19     ` Russell Coker
  1 sibling, 2 replies; 9+ messages in thread
From: Stephen Smalley @ 2002-06-04 19:24 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

[-- Attachment #1: Type: TEXT/PLAIN, Size: 802 bytes --]


On Tue, 4 Jun 2002, Stephen Smalley wrote:

> I suppose that we could introduce a dontaudit rule that automatically
> generates auditdeny access vectors with the complement of the specified
> set of permissions, and that uses the intersection of the permission sets
> when multiple rules are specified for a single (type, type, class) triple.
> This would likely be more suited to what a human would expect.

I've attached a patch to checkpolicy and the example policy configuration
that adds support for these 'dontaudit' rules and replaces all 'auditdeny'
rules in the example configuration with equivalent 'dontaudit' rules.
This patch has not yet been committed.  Feedback is welcome (as with the
prior checkpolicy patch for optional sections).

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com



[-- Attachment #2: Type: TEXT/PLAIN, Size: 14455 bytes --]

Index: module/checkpolicy/policy_parse.y
===================================================================
RCS file: /cvs/lsm/selinux/module/checkpolicy/policy_parse.y,v
retrieving revision 1.14
diff -u -r1.14 policy_parse.y
--- module/checkpolicy/policy_parse.y	2002/05/29 17:25:57	1.14
+++ module/checkpolicy/policy_parse.y	2002/06/04 19:10:51
@@ -87,6 +87,7 @@
 %token ALLOW
 %token AUDITALLOW
 %token AUDITDENY
+%token DONTAUDIT
 %token SOURCE
 %token TARGET
 %token SAMEUSER
@@ -236,6 +237,7 @@
 te_avtab_def		: allow_def
 			| auditallow_def
 			| auditdeny_def
+			| dontaudit_def
 			| neverallow_def
 			;
 allow_def		: ALLOW names names ':' names names  ';'
@@ -247,6 +249,9 @@
 auditdeny_def		: AUDITDENY names names ':' names names ';'
 			{if (define_te_avtab(AVTAB_AUDITDENY)) return -1; }
 		        ;
+dontaudit_def		: DONTAUDIT names names ':' names names ';'
+			{if (define_te_avtab(-AVTAB_AUDITDENY)) return -1; }
+		        ;
 neverallow_def		: NEVERALLOW names names ':' names names  ';'
 			{if (define_te_avtab(-AVTAB_ALLOWED)) return -1; }
 		        ;
@@ -1751,12 +1756,17 @@
 
 
 static int te_avtab_helper(int which, int stype, int ttype, 
-			   ebitmap_t *tclasses, access_vector_t *avp) 
+			   ebitmap_t *tclasses, access_vector_t *avp)
+
 {
 	avtab_key_t avkey;
 	avtab_datum_t avdatum, *avdatump;
 	int ret, k;
-	
+
+	if (which == -AVTAB_ALLOWED) {
+		yyerror("neverallow should not reach this function.");
+		return -1;
+	}
 
 	for (k = ebitmap_startbit(tclasses); k < ebitmap_length(tclasses); k++) {
 		if (!ebitmap_get_bit(tclasses, k)) 
@@ -1766,11 +1776,8 @@
 		avkey.target_class = k + 1;
 		avdatump = avtab_search(&policydbp->te_avtab, &avkey, AVTAB_AV);
 		if (!avdatump) {
-			if (which == -AVTAB_ALLOWED) {
-				continue;
-			}
 			memset(&avdatum, 0, sizeof avdatum);
-			avdatum.specified = which;
+			avdatum.specified = (which > 0) ? which : -which;
 			ret = avtab_insert(&policydbp->te_avtab, &avkey, &avdatum);
 			if (ret) {
 				yyerror("hash table overflow");
@@ -1783,18 +1790,7 @@
 			}
 		}
 
-		if (which == -AVTAB_ALLOWED) {
-			if ((avdatump->specified & AVTAB_ALLOWED) &&
-			    (avtab_allowed(avdatump) & avp[k])) {
-				sprintf(errormsg, "assertion failed:  allow %s %s:%s {%s } was granted.", type_val_to_name(stype+1), type_val_to_name(ttype+1), policydbp->p_class_val_to_name[k], 
-					av_to_string(k+1,
-						     avtab_allowed(avdatump) & avp[k]));
-				yyerror(errormsg);
-			}
-			continue;
-		}
-				
-		avdatump->specified |= which;
+		avdatump->specified |= ((which > 0) ? which : -which);
 
 		switch (which) {
 		case AVTAB_ALLOWED:
@@ -1806,6 +1802,12 @@
 		case AVTAB_AUDITDENY:
 			avtab_auditdeny(avdatump) |= avp[k];
 			break;
+		case -AVTAB_AUDITDENY:
+			if (avtab_auditdeny(avdatump))
+				avtab_auditdeny(avdatump) &= ~avp[k];
+			else
+				avtab_auditdeny(avdatump) = ~avp[k];
+			break;
 		}
 	}
 
@@ -1889,6 +1891,8 @@
 
 			if (strcmp(id, "~") == 0) {
 				/* complement the set */
+				if (which == -AVTAB_AUDITDENY) 
+					yywarn("dontaudit rule with a ~?");
 				avp[i] = ~avp[i];
 				continue;
 			}
Index: module/checkpolicy/policy_scan.l
===================================================================
RCS file: /cvs/lsm/selinux/module/checkpolicy/policy_scan.l,v
retrieving revision 1.5
diff -u -r1.5 policy_scan.l
--- module/checkpolicy/policy_scan.l	2002/05/06 21:10:54	1.5
+++ module/checkpolicy/policy_scan.l	2002/06/04 19:10:51
@@ -70,6 +70,8 @@
 auditallow		        { return(AUDITALLOW); }
 AUDITDENY |
 auditdeny		        { return(AUDITDENY); }
+DONTAUDIT |
+dontaudit                       { return(DONTAUDIT); }
 SOURCE |
 source			        { return(SOURCE); }
 TARGET |
Index: policy/domains/user.te
===================================================================
RCS file: /cvs/lsm/selinux/policy/domains/user.te,v
retrieving revision 1.1
diff -u -r1.1 user.te
--- policy/domains/user.te	2002/03/07 20:14:29	1.1
+++ policy/domains/user.te	2002/06/04 19:10:51
@@ -22,14 +22,14 @@
 # update the /root/.Xauthority file, and the user shell may
 # try to update the shell history. This isnt allowed, but 
 # we dont need to audit it.
-auditdeny user_su_t sysadm_home_t:dir  ~{ read getattr search write add_name remove_name };
-auditdeny user_su_t sysadm_home_t:file ~{ read getattr create write link unlink };
-auditdeny user_t    sysadm_home_t:dir ~{ read search getattr };
-auditdeny user_t    sysadm_home_t:file ~{ read getattr append };
+dontaudit user_su_t sysadm_home_t:dir  { read getattr search write add_name remove_name };
+dontaudit user_su_t sysadm_home_t:file { read getattr create write link unlink };
+dontaudit user_t    sysadm_home_t:dir { read search getattr };
+dontaudit user_t    sysadm_home_t:file { read getattr append };
 
 # Some programs that are left in user_t will try to connect
 # to syslogd, but we don not want to let them generate log messages.
 # Do not audit.
-auditdeny user_t devlog_t:sock_file ~{ read write };
-auditdeny user_t syslogd_t:unix_dgram_socket ~sendto;
+dontaudit user_t devlog_t:sock_file { read write };
+dontaudit user_t syslogd_t:unix_dgram_socket sendto;
 
Index: policy/domains/program/bootloader.te
===================================================================
RCS file: /cvs/lsm/selinux/policy/domains/program/bootloader.te,v
retrieving revision 1.3
diff -u -r1.3 bootloader.te
--- policy/domains/program/bootloader.te	2002/04/24 20:03:44	1.3
+++ policy/domains/program/bootloader.te	2002/06/04 19:10:51
@@ -31,7 +31,7 @@
 
 can_exec(bootloader_t, { bootloader_exec_t bin_t })
 allow bootloader_t { bin_t sbin_t }:dir r_dir_perms;
-auditdeny bootloader_t sysadm_home_t:dir ~r_dir_perms;
+dontaudit bootloader_t sysadm_home_t:dir r_dir_perms;
 
 allow bootloader_t boot_t:dir rw_dir_perms;
 allow bootloader_t boot_t:{ file lnk_file } create_file_perms;
@@ -40,7 +40,7 @@
 allow bootloader_t self:capability { sys_rawio sys_admin };
 # allow bootloader to get attributes of any device node
 allow bootloader_t { devfs_t file_type }:dir_file_class_set getattr;
-auditdeny bootloader_t devpts_t:dir ~create_dir_perms;
+dontaudit bootloader_t devpts_t:dir create_dir_perms;
 
 allow bootloader_t self:process { fork sigchld };
 
Index: policy/domains/program/crond.te
===================================================================
RCS file: /cvs/lsm/selinux/policy/domains/program/crond.te,v
retrieving revision 1.2
diff -u -r1.2 crond.te
--- policy/domains/program/crond.te	2002/03/08 13:54:59	1.2
+++ policy/domains/program/crond.te	2002/06/04 19:10:51
@@ -204,7 +204,7 @@
 
 # /sbin/runlevel ask for w access to utmp, but will operate
 # correctly without it.  Do not audit write denials to utmp.
-auditdeny system_crond_t initrc_var_run_t:file ~{ read write };
+dontaudit system_crond_t initrc_var_run_t:file { read write };
 
 # Access accounting summary files.
 allow system_crond_t var_log_sa_t:file create_file_perms;
@@ -220,7 +220,7 @@
 allow system_crond_t etc_mrtg_t:file create_file_perms;
 
 # Do not audit attempts to search unlabeled directories (e.g. slocate).
-auditdeny system_crond_t unlabeled_t:dir ~r_dir_perms;
-auditdeny system_crond_t unlabeled_t:file ~r_file_perms;
+dontaudit system_crond_t unlabeled_t:dir r_dir_perms;
+dontaudit system_crond_t unlabeled_t:file r_file_perms;
 
 
Index: policy/domains/program/ipsec.te
===================================================================
RCS file: /cvs/lsm/selinux/policy/domains/program/ipsec.te,v
retrieving revision 1.5
diff -u -r1.5 ipsec.te
--- policy/domains/program/ipsec.te	2002/04/19 17:58:09	1.5
+++ policy/domains/program/ipsec.te	2002/06/04 19:10:51
@@ -101,12 +101,12 @@
 allow ipsec_mgmt_t ipsec_t:{ file lnk_file } r_file_perms;
 
 # denials when ps tries to search /proc. Do not audit these denials.
-auditdeny ipsec_mgmt_t domain:dir ~r_dir_perms;
-auditdeny ipsec_mgmt_t domain:notdevfile_class_set ~r_file_perms;
+dontaudit ipsec_mgmt_t domain:dir r_dir_perms;
+dontaudit ipsec_mgmt_t domain:notdevfile_class_set r_file_perms;
 
 # suppress audit messages about unnecessary socket access
-auditdeny ipsec_mgmt_t domain:key_socket ~{ read write };
-auditdeny ipsec_mgmt_t domain:udp_socket ~{ read write };
+dontaudit ipsec_mgmt_t domain:key_socket { read write };
+dontaudit ipsec_mgmt_t domain:udp_socket { read write };
 
 #
 # bits and pieces from other files to make this as self-contained as possible
Index: policy/domains/program/login.te
===================================================================
RCS file: /cvs/lsm/selinux/policy/domains/program/login.te,v
retrieving revision 1.6
diff -u -r1.6 login.te
--- policy/domains/program/login.te	2002/05/29 17:48:26	1.6
+++ policy/domains/program/login.te	2002/06/04 19:10:51
@@ -42,12 +42,12 @@
 allow local_login_t sysadm_home_t:file r_file_perms;
 
 # Do not audit denied attempts to access devices.
-auditdeny local_login_t fixed_disk_device_t:blk_file ~{ getattr setattr };
-auditdeny local_login_t removable_device_t:blk_file ~{ getattr setattr };
-auditdeny local_login_t device_t:{ chr_file blk_file lnk_file } ~{ getattr setattr };
-auditdeny local_login_t misc_device_t:{ chr_file blk_file lnk_file } ~{ getattr setattr };
-auditdeny local_login_t framebuf_device_t:{ chr_file blk_file lnk_file } ~{ getattr setattr read };
-auditdeny local_login_t apm_bios_t:chr_file ~{ getattr setattr };
+dontaudit local_login_t fixed_disk_device_t:blk_file { getattr setattr };
+dontaudit local_login_t removable_device_t:blk_file { getattr setattr };
+dontaudit local_login_t device_t:{ chr_file blk_file lnk_file } { getattr setattr };
+dontaudit local_login_t misc_device_t:{ chr_file blk_file lnk_file } { getattr setattr };
+dontaudit local_login_t framebuf_device_t:{ chr_file blk_file lnk_file } { getattr setattr read };
+dontaudit local_login_t apm_bios_t:chr_file { getattr setattr };
 
 # Write to /var/run/utmp.
 allow local_login_t initrc_var_run_t:file rw_file_perms;
Index: policy/domains/program/passwd.te
===================================================================
RCS file: /cvs/lsm/selinux/policy/domains/program/passwd.te,v
retrieving revision 1.9
diff -u -r1.9 passwd.te
--- policy/domains/program/passwd.te	2002/03/08 13:41:40	1.9
+++ policy/domains/program/passwd.te	2002/06/04 19:10:51
@@ -38,7 +38,7 @@
 
 # /usr/bin/passwd asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
-auditdeny passwd_t initrc_var_run_t:file ~{ read write };
+dontaudit passwd_t initrc_var_run_t:file { read write };
 
 # Access terminals.
 allow passwd_t ttyfile:chr_file rw_file_perms;
Index: policy/domains/program/sendmail.te
===================================================================
RCS file: /cvs/lsm/selinux/policy/domains/program/sendmail.te,v
retrieving revision 1.2
diff -u -r1.2 sendmail.te
--- policy/domains/program/sendmail.te	2002/03/08 13:54:59	1.2
+++ policy/domains/program/sendmail.te	2002/06/04 19:10:51
@@ -49,7 +49,7 @@
 
 # /usr/sbin/sendmail asks for w access to utmp, but it will operate
 # correctly without it.  Do not audit write denials to utmp.
-auditdeny sendmail_t initrc_var_run_t:file ~{ read write };
+dontaudit sendmail_t initrc_var_run_t:file { read write };
 
 # When sendmail runs as user_mail_t (from a cron job, for example), it needs
 # some extra permissions.
Index: policy/domains/program/xdm.te
===================================================================
RCS file: /cvs/lsm/selinux/policy/domains/program/xdm.te,v
retrieving revision 1.4
diff -u -r1.4 xdm.te
--- policy/domains/program/xdm.te	2002/04/24 19:31:59	1.4
+++ policy/domains/program/xdm.te	2002/06/04 19:10:51
@@ -112,14 +112,14 @@
 allow xdm_t userdomain:fd { use };
 
 # Do not audit denied attempts to access devices.
-auditdeny xdm_t fixed_disk_device_t:blk_file ~rw_file_perms;
-auditdeny xdm_t removable_device_t:blk_file ~rw_file_perms;
-auditdeny xdm_t device_t:file_class_set ~rw_file_perms;
-auditdeny xdm_t misc_device_t:file_class_set ~rw_file_perms;
+dontaudit xdm_t fixed_disk_device_t:blk_file rw_file_perms;
+dontaudit xdm_t removable_device_t:blk_file rw_file_perms;
+dontaudit xdm_t device_t:file_class_set rw_file_perms;
+dontaudit xdm_t misc_device_t:file_class_set rw_file_perms;
 
 # Do not audit denied probes of /proc.
-auditdeny xdm_t domain:dir ~r_dir_perms;
-auditdeny xdm_t domain:{ file lnk_file } ~r_file_perms;
+dontaudit xdm_t domain:dir r_dir_perms;
+dontaudit xdm_t domain:{ file lnk_file } r_file_perms;
 
 # Access sound device.
 allow xdm_t sound_device_t:chr_file { setattr getattr };
Index: policy/macros/global_macros.te
===================================================================
RCS file: /cvs/lsm/selinux/policy/macros/global_macros.te,v
retrieving revision 1.7
diff -u -r1.7 global_macros.te
--- policy/macros/global_macros.te	2002/04/19 17:58:09	1.7
+++ policy/macros/global_macros.te	2002/06/04 19:10:51
@@ -801,7 +801,7 @@
 allow $1 null_device_t:chr_file rw_file_perms;
 
 # Do not audit write denials to /etc/ld.so.cache.
-auditdeny $1 ld_so_cache_t:file ~write;
+dontaudit $1 ld_so_cache_t:file write;
 ')
 
 #
Index: policy/macros/user_macros.te
===================================================================
RCS file: /cvs/lsm/selinux/policy/macros/user_macros.te,v
retrieving revision 1.4
diff -u -r1.4 user_macros.te
--- policy/macros/user_macros.te	2002/03/26 19:32:12	1.4
+++ policy/macros/user_macros.te	2002/06/04 19:10:51
@@ -161,12 +161,12 @@
 
 # When the user domain runs ps, there will be a number of access
 # denials when ps tries to search /proc.  Do not audit these denials.
-auditdeny $1_t domain:dir ~r_dir_perms;
-auditdeny $1_t domain:notdevfile_class_set ~r_file_perms;
+dontaudit $1_t domain:dir r_dir_perms;
+dontaudit $1_t domain:notdevfile_class_set r_file_perms;
 
 # Some shells ask for w access to utmp, but will operate
 # correctly without it.  Do not audit write denials to utmp.
-auditdeny $1_t initrc_var_run_t:file ~{ read write };
+dontaudit $1_t initrc_var_run_t:file { read write };
 
 # Connect to the X server run by the X Display Manager.
 can_unix_connect($1_t, xdm_t)

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [patch] Re: auditdeny is painful
  2002-06-04 19:24   ` [patch] " Stephen Smalley
@ 2002-06-05 11:00     ` Justin Smith
  2002-06-05 11:19     ` Russell Coker
  1 sibling, 0 replies; 9+ messages in thread
From: Justin Smith @ 2002-06-05 11:00 UTC (permalink / raw)
  To: selinux

I'll jump into the thread and add my $.02:

The permission denied messages can be an excellent intrusion detection
system (like tripwire). If one eliminates denials that are innocent
(programs accessing files they don't need to), the remaining ones can
give a pretty good picture of what is going on in one's system. And this
approach is much more refined than tripwire: it doesn't scan huge chunks
of file systems to see what changes. Instead, it intercepts  system
calls that attempt to make the changes.

On several occasions, I've noticed illicit attempts to access my student
records database. Although (I think) these attempts would have failed
without SELinux (because of standard unix permissions), I also wouldn't
have gotten such clear indications of it.
-- 

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [patch] Re: auditdeny is painful
  2002-06-04 19:24   ` [patch] " Stephen Smalley
  2002-06-05 11:00     ` Justin Smith
@ 2002-06-05 11:19     ` Russell Coker
  2002-06-06 14:14       ` Stephen Smalley
  1 sibling, 1 reply; 9+ messages in thread
From: Russell Coker @ 2002-06-05 11:19 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE Linux

On Tue, 4 Jun 2002 21:24, Stephen Smalley wrote:
> On Tue, 4 Jun 2002, Stephen Smalley wrote:
> > I suppose that we could introduce a dontaudit rule that automatically
> > generates auditdeny access vectors with the complement of the specified
> > set of permissions, and that uses the intersection of the permission sets
> > when multiple rules are specified for a single (type, type, class)
> > triple. This would likely be more suited to what a human would expect.
>
> I've attached a patch to checkpolicy and the example policy configuration
> that adds support for these 'dontaudit' rules and replaces all 'auditdeny'
> rules in the example configuration with equivalent 'dontaudit' rules.
> This patch has not yet been committed.  Feedback is welcome (as with the
> prior checkpolicy patch for optional sections).

Looks good to me.  I've just built some packages with it, and after a brief 
test they seem to work OK.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [patch] Re: auditdeny is painful
  2002-06-05 11:19     ` Russell Coker
@ 2002-06-06 14:14       ` Stephen Smalley
  0 siblings, 0 replies; 9+ messages in thread
From: Stephen Smalley @ 2002-06-06 14:14 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux


On Wed, 5 Jun 2002, Russell Coker wrote:

> Looks good to me.  I've just built some packages with it, and after a brief
> test they seem to work OK.

This patch has now been committed to the sourceforge CVS.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2002-06-06 14:15 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-06-03 22:30 auditdeny is painful Russell Coker
2002-06-04  0:50 ` Mini-cd's Ed Street
2002-06-04  7:26   ` Mini-cd's Russell Coker
2002-06-04 13:28 ` auditdeny is painful Stephen Smalley
2002-06-04 14:18   ` Russell Coker
2002-06-04 19:24   ` [patch] " Stephen Smalley
2002-06-05 11:00     ` Justin Smith
2002-06-05 11:19     ` Russell Coker
2002-06-06 14:14       ` Stephen Smalley

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.