[refpolicy] yule

[justinmattock@gmail.com (Justin P. Mattock)]

On Tue, 2008-12-02 at 14:06 -0500, Christopher J. PeBenito wrote:
> > On Sun, Nov 30, 2008 at 3:31 PM, Konrad Azzopardi
> > <konrad.azzopardi@gmail.com> wrote:
> > > Dear all,
> > >
> > > I am confining a service called 'yule' , which is the central server
> > > for the file integrity checker SAMHAIN.
> > >
> > > Something about the server :
> > >
> > > Binary file is at /usr/local/sbin/yule
> > > Startup script is at /etc/rc.d/init.d/yule      --
> > > Config file : /etc/yulerc
> > > Logfiles /var/log/yule(/.*)?
> > > PID file is at /var/run/yule.pid
> > >
> > > It optionally uses mysql and I have put this as a boolean. I would
> > > appreciate if somebody review the files and give me some feedback to
> > > know if i am on the right track.
> > >
> > > I have only one question....When I issue a stop by  /etc/init.d/yule stop
> > > I get all sorts of avc denials, however the daemon still stops. From
> > > the avc denials and also via an strace it is evident that the stop
> > > script is somehow doing a search in all proc directory. What is the
> > > best thing to do here ? Allowing search to all types in /proc or make
> > > a dontaudit and in both cases is there a macro that captures all types
> > > inside /proc {don't think so}.
> 
> Rule-wise I see a few things which seem questionable to me:
> 
> > manage_files_pattern(yule_t,yule_config_t,yule_config_t)
> 
> It seems like you would not want the daemon to modify its own config
> files.
> 
> > allow yule_t yule_exec_t:file execmod;
> 
> Did you really encounter this as a denial?  I wouldn't expect this on an
> executable.  Especially a daemon doing this on its own executable.
> 
> > allow yule_t self:capability { setgid setuid dac_override ipc_lock fowner sys_resource kill sys_ptrace};
> 
> The kill and sys_ptrace capabilities seem weird, as there do not seem to
> be any process sigkill or process ptrace permissions being used in the
> policy.
> 
> 
> Assuming you're interested in getting this upstreamed:
> 
> > /usr/local/sbin/yule	--	    gen_context(system_u:object_r:yule_exec_t,s0)
> 
> Standard (distro) locations should be covered too, such
> as /usr/sbin/yule, not just /usr/local.
> 
> Also the organization of the file should be fixed to match the refpolicy
> style better.
> 

I'm not sure what was committed
or not when this occurred yesterday.
As for policy
I had pulled the refpolicy svn
last Thursday,(thanksgiving day)
then like I said, did a git-pull
yesterday(from linus's tree) 
and viola list error appeared.
Now this morning I pulled the refpolicy
from svn and did not see any such things.
So you got's me with what happened.  

-- 
Justin P. Mattock <justinmattock@gmail.com>