* Patch to cleanup audit handling in policy.
@ 2007-04-27 22:24 Daniel J Walsh
From: Daniel J Walsh @ 2007-04-27 22:24 UTC (permalink / raw)
To: Christopher J. PeBenito, SE Linux
[-- Attachment #1: Type: text/plain, Size: 239 bytes --]
I have removed -send_audit_msgs_pattern and replaced it with 4 functions
and added constraints to make sure no one accidentally breaks auditing
rules.
logging_send_audit_msg
logging_set_audit
logging_set_auditctl
logging_set_loginuid
[-- Attachment #2: audit.patch --]
[-- Type: text/x-patch, Size: 24865 bytes --]
--- serefpolicy-2.6.1/policy/modules/services/dbus.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/services/dbus.te 2007-04-27 17:16:58.000000000 -0400
@@ -40,8 +40,6 @@
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
-send_audit_msgs_pattern(system_dbusd_t)
-
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
@@ -93,6 +91,7 @@
libs_use_shared_libs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
+logging_send_audit_msg(system_dbusd_t)
miscfiles_read_localization(system_dbusd_t)
miscfiles_read_certs(system_dbusd_t)
--- serefpolicy-2.6.1/policy/modules/services/oddjob.te~ 2007-04-23 09:52:08.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/services/oddjob.te 2007-04-27 16:56:37.000000000 -0400
@@ -27,7 +27,7 @@
# oddjob local policy
#
-allow oddjob_t self:capability { audit_write setgid } ;
+allow oddjob_t self:capability setgid;
allow oddjob_t self:process { setexec signal };
allow oddjob_t self:fifo_file { read write };
allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
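Review bot: The `audit_write` capability is dropped from oddjob_t at `allow oddjob_t self:capability setgid;`, but no `logging_send_audit_msg(oddjob_t)` is added anywhere in this patch, unlike every other domain that loses `audit_write` here. If oddjob still emits audit records (the old rule suggests it did), this silently breaks them at runtime; either add `logging_send_audit_msg(oddjob_t)` next to its other `logging_*` calls or say in the description why the access is no longer needed. The same applies to swat_t in samba.te, which loses `netlink_audit_socket create` with no replacement. The oddjob_t block continues outside the hunk.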
--- serefpolicy-2.6.1/policy/modules/services/hal.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/services/hal.te 2007-04-27 17:17:10.000000000 -0400
@@ -61,8 +61,6 @@
# For backwards compatibility with older kernels
allow hald_t self:netlink_socket create_socket_perms;
-send_audit_msgs_pattern(hald_t)
-
manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
manage_files_pattern(hald_t,hald_tmp_t,hald_tmp_t)
files_tmp_filetrans(hald_t, hald_tmp_t, { file dir })
@@ -174,6 +172,7 @@
libs_exec_ld_so(hald_t)
libs_exec_lib_files(hald_t)
+logging_send_audit_msg(hald_t)
logging_send_syslog_msg(hald_t)
logging_search_logs(hald_t)
--- serefpolicy-2.6.1/policy/modules/services/cron.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/services/cron.te 2007-04-27 17:15:06.000000000 -0400
@@ -93,7 +93,7 @@
# Cron Local policy
#
-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search audit_control };
+allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
dontaudit crond_t self:capability { sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
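Review bot: Removing `audit_control` from crond_t's capability line is not compensated later in this file, where the @@ -165 hunk only adds `logging_send_audit_msg(crond_t)`. Writing a job's login uid to /proc/self/loginuid (pam_loginuid) needs CAP_AUDIT_CONTROL, and Steve G's reply in this thread lists cron among the domains meant to use `logging_set_loginuid`; with the new `neverallow ~{ can_set_loginuid can_set_audit } self:capability audit_control` in logging.te there is no other way to grant it. Suggest `logging_set_loginuid(crond_t)` in place of `logging_send_audit_msg(crond_t)` — that interface also assigns can_send_audit_msg. The crond_t block continues outside the hunk.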
@@ -133,7 +133,6 @@
fs_search_auto_mountpoints(crond_t)
# need auth_chkpwd to check for locked accounts.
-send_audit_msgs_pattern(crond_t)
auth_domtrans_upd_passwd(crond_t)
corecmd_exec_shell(crond_t)
@@ -165,6 +164,7 @@
libs_use_shared_libs(crond_t)
logging_send_syslog_msg(crond_t)
+logging_send_audit_msg(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
--- serefpolicy-2.6.1/policy/modules/services/samba.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/services/samba.te 2007-04-27 16:44:16.000000000 -0400
@@ -597,7 +597,6 @@
allow swat_t self:process signal_perms;
allow swat_t self:fifo_file rw_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow swat_t self:netlink_audit_socket create;
allow swat_t self:tcp_socket create_stream_socket_perms;
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:netlink_route_socket r_netlink_socket_perms;
--- serefpolicy-2.6.1/policy/modules/services/nscd.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/services/nscd.te 2007-04-27 16:56:26.000000000 -0400
@@ -28,14 +28,14 @@
# Local policy
#
-allow nscd_t self:capability { kill setgid setuid audit_write };
+allow nscd_t self:capability { kill setgid setuid };
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr setcap setsched signal_perms };
allow nscd_t self:fifo_file { read write };
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
allow nscd_t self:tcp_socket create_socket_perms;
allow nscd_t self:udp_socket create_socket_perms;
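Review bot: The removed `netlink_audit_socket` rule is replaced by an empty `+` line, which leaves a stray blank line in the middle of nscd_t's self rules. The other domains in this patch simply drop the line; do the same here so the self-rule block stays contiguous. The nscd_t block continues outside the hunk.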
@@ -93,6 +93,7 @@
libs_use_shared_libs(nscd_t)
logging_send_syslog_msg(nscd_t)
+logging_send_audit_msg(nscd_t)
miscfiles_read_localization(nscd_t)
--- serefpolicy-2.6.1/policy/modules/services/aide.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/services/aide.te 2007-04-27 17:16:32.000000000 -0400
@@ -26,7 +26,7 @@
allow aide_t self:capability { dac_override fowner };
-send_audit_msgs_pattern(aide_t)
+logging_send_audit_msg(aide_t)
# database actions
manage_files_pattern(aide_t,aide_db_t,aide_db_t)
--- serefpolicy-2.6.1/policy/modules/services/pegasus.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/services/pegasus.te 2007-04-27 17:17:21.000000000 -0400
@@ -38,8 +38,6 @@
allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
allow pegasus_t self:tcp_socket create_stream_socket_perms;
-send_audit_msgs_pattern(pegasus_t)
-
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
@@ -129,6 +127,7 @@
optional_policy(`
logging_send_syslog_msg(pegasus_t)
+ logging_send_audit_msg(pegasus_t)
')
optional_policy(`
--- serefpolicy-2.6.1/policy/modules/services/dbus.if~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/services/dbus.if 2007-04-27 17:15:53.000000000 -0400
@@ -85,8 +85,6 @@
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
- send_audit_msgs_pattern($1_dbusd_t)
-
# For connecting to the bus
allow $2 $1_dbusd_t:unix_stream_socket connectto;
type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
@@ -159,6 +157,7 @@
libs_use_shared_libs($1_dbusd_t)
logging_send_syslog_msg($1_dbusd_t)
+ logging_send_audit_msg($1_dbusd_t)
miscfiles_read_localization($1_dbusd_t)
--- serefpolicy-2.6.1/policy/modules/services/cups.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/services/cups.te 2007-04-27 17:16:10.000000000 -0400
@@ -93,8 +93,6 @@
# generic socket here until appletalk socket is available in kernels
allow cupsd_t self:socket create_socket_perms;
-send_audit_msgs_pattern(cupsd_t)
-
allow cupsd_t cupsd_etc_t:{ dir file } setattr;
read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
@@ -216,6 +214,7 @@
libs_read_lib_files(cupsd_t)
logging_send_syslog_msg(cupsd_t)
+logging_send_audit_msg(cupsd_t)
miscfiles_read_localization(cupsd_t)
# invoking ghostscript needs to read fonts
--- serefpolicy-2.6.1/policy/modules/system/init.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/system/init.te 2007-04-27 18:05:56.000000000 -0400
@@ -89,7 +89,7 @@
#
# Use capabilities. old rule:
-allow init_t self:capability ~sys_module;
+allow init_t self:capability ~{ audit_control audit_write sys_module };
# is ~sys_module really needed? observed:
# sys_boot
# sys_tty_config
@@ -205,7 +205,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
--- serefpolicy-2.6.1/policy/modules/system/logging.if~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/system/logging.if 2007-04-27 17:56:00.000000000 -0400
@@ -584,3 +584,121 @@
files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t)
')
+
+########################################
+## <summary>
+## Send audit messages
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_send_audit_msg',`
+ gen_require(`
+ attribute can_send_audit_msg;
+ ')
+
+ typeattribute $1 can_send_audit_msg;
+ allow $1 self:capability audit_write;
+ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay };
+')
+
+########################################
+## <summary>
+## Set login uid
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_set_loginuid',`
+ gen_require(`
+ attribute can_set_loginuid;
+ attribute can_send_audit_msg;
+ ')
+
+ typeattribute $1 can_set_loginuid, can_send_audit_msg;
+
+ allow $1 self:capability audit_control;
+ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };
+')
+
+########################################
+## <summary>
+## Set up audit
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_set_audit',`
+ gen_require(`
+ attribute can_set_audit;
+ attribute can_send_audit_msg;
+ ')
+
+ typeattribute $1 can_set_audit, can_send_audit_msg;
+ allow $1 self:capability { audit_write audit_control };
+ allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_write nlmsg_relay };
+')
+
+########################################
+## <summary>
+## Set audit control rules
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_set_auditctl',`
+ gen_require(`
+ attribute can_set_auditctl;
+ ')
+
+ typeattribute $1 can_set_auditctl;
+ logging_set_audit($1)
+ allow $1 self:netlink_audit_socket nlmsg_readpriv;
+')
+
+########################################
+## <summary>
+## Unconfined access to the loggin module.
+## </summary>
+## <desc>
+## <p>
+## Unconfined access to the authlogin module.
+## </p>
+## <p>
+## Currently, this only allows assertions for
+## the audit susbsystem to be passed.
+## No access is granted yet.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_unconfined',`
+ gen_require(`
+ attribute can_set_audit;
+ attribute can_set_auditctl;
+ attribute can_send_audit_msg;
+ attribute can_set_loginuid;
+ ')
+
+ typeattribute $1 can_set_loginuid;
+ typeattribute $1 can_set_audit;
+ typeattribute $1 can_set_auditctl;
+ typeattribute $1 can_send_audit_msg;
+')
+
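Review bot: `logging_set_loginuid` has a typo in its netlink permission set — `nlsms_relay` should be `nlmsg_relay` — which will fail at policy build or, if tolerated, leave loginuid-setting domains unable to relay audit messages despite carrying can_send_audit_msg. The same interface grants only `self:capability audit_control` while sending AUDIT_USER records needs CAP_AUDIT_WRITE, which `logging_set_audit` does grant; suggest `allow $1 self:capability { audit_control audit_write };`. The `logging_unconfined` header is a copy-paste from authlogin.if — "loggin module", "Unconfined access to the authlogin module", "susbsystem" — and should name the logging module and read "subsystem". Finally, `logging_send_audit_msg` uses `create_socket_perms nlmsg_read` rather than the `create_netlink_socket_perms` the deleted `send_audit_msgs_pattern` used (which, if I recall the set correctly, also carried nlmsg_write); that looks like the intended tightening, but it and the removal of the old macro deserve a line in the description since any out-of-tree module still calling `send_audit_msgs_pattern` now fails with an undefined macro.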
--- serefpolicy-2.6.1/policy/modules/system/authlogin.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/system/authlogin.te 2007-04-27 17:45:25.000000000 -0400
@@ -258,7 +258,7 @@
# System check password local policy
#
-allow system_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msg(system_chkpwd_t)
allow system_chkpwd_t shadow_t:file { getattr read };
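Review bot: Replacing the raw `netlink_audit_socket` rule with `logging_send_audit_msg(system_chkpwd_t)` also grants `self:capability audit_write`, which the removed line did not carry and which this hunk does not otherwise add for the domain. The same substitution is made for racoon_t in ipsec.te, newrole_t, run_init_t and semanage_t in selinuxutil.te, and the `$2` domain in authlogin.if's run interface (still preceded by the `# cjp: is this really needed?` comment); for the domains whose capability line is not edited in the same hunk (newrole_t, run_init_t, and racoon_t, which previously had `audit_control` rather than `audit_write`) this is a net widening. If those programs do send user audit records the capability was needed anyway, since the kernel requires CAP_AUDIT_WRITE for them, but the description should say so rather than presenting this as a pure cleanup. The system_chkpwd_t block continues outside the hunk.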
--- serefpolicy-2.6.1/policy/modules/system/ipsec.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/system/ipsec.te 2007-04-27 17:31:20.000000000 -0400
@@ -283,13 +283,13 @@
# Racoon local policy
#
-allow racoon_t self:capability { net_admin net_bind_service audit_control };
+allow racoon_t self:capability { net_admin net_bind_service };
allow racoon_t self:netlink_route_socket create_netlink_socket_perms;
allow racoon_t self:unix_dgram_socket { connect create ioctl write };
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket { create read setopt write };
-allow racoon_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msg(racoon_t)
# manage pid file
manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
--- serefpolicy-2.6.1/policy/modules/system/clock.te~ 2007-04-23 09:52:09.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/system/clock.te 2007-04-27 17:17:59.000000000 -0400
@@ -26,8 +26,6 @@
allow hwclock_t self:process signal_perms;
allow hwclock_t self:fifo_file { getattr read write };
-send_audit_msgs_pattern(hwclock_t)
-
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
@@ -61,6 +59,7 @@
libs_use_shared_libs(hwclock_t)
logging_send_syslog_msg(hwclock_t)
+logging_send_audit_msg(hwclock_t)
miscfiles_read_localization(hwclock_t)
--- serefpolicy-2.6.1/policy/modules/system/logging.te~ 2007-04-27 16:38:36.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/system/logging.te 2007-04-27 18:00:26.000000000 -0400
@@ -7,6 +7,10 @@
#
attribute logfile;
+attribute can_set_audit;
+attribute can_set_auditctl;
+attribute can_set_loginuid;
+attribute can_send_audit_msg;
type auditctl_t;
type auditctl_exec_t;
@@ -60,6 +64,12 @@
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
')
+neverallow ~{ can_set_loginuid can_set_audit } self:capability audit_control;
+neverallow ~can_set_audit self:netlink_audit_socket nlmsg_write;
+neverallow ~can_set_auditctl self:netlink_audit_socket nlmsg_readpriv;
+neverallow ~can_send_audit_msg self:capability audit_write;
+neverallow ~can_send_audit_msg self:netlink_audit_socket nlmsg_relay;
+
########################################
#
# Auditd local policy
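Review bot: The five new `neverallow` lines carry no comment saying which interface each assertion expects callers to use, so the next policy writer who trips one has to grep logging.if to find out; suggest a comment above them such as `# Audit access must be granted through logging_send_audit_msg, logging_set_loginuid, logging_set_audit or logging_set_auditctl; raw capability/netlink_audit_socket rules will fail these assertions.` Note also that the assertions only cover `self` targets, which matches how netlink sockets are labeled in practice but is worth stating so nobody expects them to catch rules naming another type.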
--- serefpolicy-2.6.1/policy/modules/system/selinuxutil.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/system/selinuxutil.te 2007-04-27 16:42:12.000000000 -0400
@@ -243,7 +243,7 @@
allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msg(newrole_t)
read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
@@ -493,7 +493,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
-allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msg(run_init_t)
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
@@ -564,7 +564,7 @@
allow semanage_t self:capability { dac_override audit_write };
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+logging_send_audit_msg(semanage_t)
allow semanage_t policy_config_t:file { read write };
--- serefpolicy-2.6.1/policy/modules/system/authlogin.if~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/system/authlogin.if 2007-04-27 17:46:20.000000000 -0400
@@ -27,11 +27,9 @@
domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
- allow $1_chkpwd_t self:capability { audit_control setuid };
+ allow $1_chkpwd_t self:capability setuid;
allow $1_chkpwd_t self:process getattr;
- send_audit_msgs_pattern($1_chkpwd_t)
-
files_list_etc($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };
@@ -53,6 +51,7 @@
libs_use_shared_libs($1_chkpwd_t)
logging_send_syslog_msg($1_chkpwd_t)
+ logging_send_audit_msg($1_chkpwd_t)
miscfiles_read_localization($1_chkpwd_t)
@@ -109,7 +108,7 @@
role $3 types system_chkpwd_t;
# cjp: is this really needed?
- allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+ logging_send_audit_msg($2)
dontaudit $2 shadow_t:file { getattr read };
@@ -320,10 +319,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
- # cjp: is this really needed?
- allow $1 self:capability audit_control;
- send_audit_msgs_pattern($1)
-
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
--- serefpolicy-2.6.1/policy/modules/system/unconfined.if~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/system/unconfined.if 2007-04-27 18:03:53.000000000 -0400
@@ -61,7 +61,6 @@
# auditallow $1 self:process execstack;
')
-
optional_policy(`
auth_unconfined($1)
')
@@ -78,6 +77,10 @@
')
optional_policy(`
+ logging_unconfined($1)
+ ')
+
+ optional_policy(`
nscd_unconfined($1)
')
--- serefpolicy-2.6.1/policy/modules/system/userdomain.if~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/system/userdomain.if 2007-04-27 16:43:07.000000000 -0400
@@ -1173,8 +1173,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
- allow $1_t self:netlink_audit_socket nlmsg_readpriv;
-
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
--- serefpolicy-2.6.1/policy/modules/kernel/kernel.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/kernel/kernel.te 2007-04-27 18:07:15.000000000 -0400
@@ -281,6 +281,7 @@
optional_policy(`
logging_send_syslog_msg(kernel_t)
+ logging_unconfined(kernel_t)
')
optional_policy(`
--- serefpolicy-2.6.1/policy/modules/admin/amtu.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/admin/amtu.te 2007-04-27 16:55:38.000000000 -0400
@@ -16,8 +16,7 @@
#
# Specific allow rules required for amtu
-allow amtu_t self:capability { audit_write net_raw };
-allow amtu_t self:netlink_audit_socket { create nlmsg_relay read write };
+allow amtu_t self:capability net_raw;
allow amtu_t self:packet_socket { bind create read write };
allow amtu_t self:udp_socket { create ioctl };
@@ -30,6 +29,8 @@
libs_use_ld_so(amtu_t)
libs_use_shared_libs(amtu_t)
+logging_send_audit_msg(amtu_t)
+
optional_policy(`
seutil_use_newrole_fds(amtu_t)
');
--- serefpolicy-2.6.1/policy/modules/admin/su.if~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/admin/su.if 2007-04-27 16:55:00.000000000 -0400
@@ -41,12 +41,11 @@
allow $2 $1_su_t:process signal;
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:key { search write };
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_fifo_file_perms;
- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
# Transition from the user domain to this domain.
@@ -90,6 +89,7 @@
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
+ logging_send_audit_msg($1_su_t)
logging_send_syslog_msg($1_su_t)
miscfiles_read_localization($1_su_t)
@@ -175,11 +175,9 @@
allow $2 $1_su_t:process signal;
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_fifo_file_perms;
- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
allow $1_su_t self:key { search write };
# Transition from the user domain to this domain.
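Review bot: In this hunk the whole `allow $1_su_t self:capability { audit_control audit_write setuid setgid ... }` rule is deleted rather than trimmed, unlike the @@ -41 hunk of this file where the same line is kept with only the two audit capabilities removed. Unless this template's capability rule is defined again outside the hunk, the su domain it produces loses setuid, setgid, chown, dac_override and the rest, which would break su outright; the line should read `allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };` as in the first hunk. The enclosing template starts and ends outside the hunk.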
@@ -230,6 +228,7 @@
libs_use_shared_libs($1_su_t)
logging_send_syslog_msg($1_su_t)
+ logging_send_audit_msg($1_su_t)
miscfiles_read_localization($1_su_t)
--- serefpolicy-2.6.1/policy/modules/admin/sudo.if~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/admin/sudo.if 2007-04-27 18:15:10.000000000 -0400
@@ -69,7 +69,6 @@
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
allow $1_sudo_t self:unix_stream_socket connectto;
- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms;
# Enter this derived domain from the user domain
@@ -91,8 +90,8 @@
fs_search_auto_mountpoints($1_sudo_t)
fs_getattr_xattr_fs($1_sudo_t)
- auth_run_chk_passwd($1_sudo_t)
- auth_run_upd_passwd($1_sudo_t)
+ auth_domtrans_chk_passwd($1_sudo_t)
+ auth_domtrans_upd_passwd($1_sudo_t)
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid($1_sudo_t)
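Review bot: The switch from `auth_run_chk_passwd`/`auth_run_upd_passwd` to `auth_domtrans_chk_passwd`/`auth_domtrans_upd_passwd` is unrelated to the audit cleanup and is not mentioned in the description. The `auth_run_*` interfaces normally also allow the caller's role for the target domain; if the sudo role is not otherwise authorized for system_chkpwd_t and the upd_passwd domain, the transition will fail with a role violation, so either keep the run variants or add the role allow explicitly, and explain the change in the description. The enclosing template starts and ends outside the hunk.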
@@ -116,6 +115,7 @@
libs_use_shared_libs($1_sudo_t)
logging_send_syslog_msg($1_sudo_t)
+ logging_send_audit_msg($1_sudo_t)
miscfiles_read_localization($1_sudo_t)
--- serefpolicy-2.6.1/policy/modules/admin/usermanage.te~ 2007-04-27 16:34:57.000000000 -0400
+++ serefpolicy-2.6.1/policy/modules/admin/usermanage.te 2007-04-27 16:57:42.000000000 -0400
@@ -184,7 +184,7 @@
# Groupadd local policy
#
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
+allow groupadd_t self:capability { dac_override chown kill setuid sys_resource };
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
@@ -198,7 +198,6 @@
allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
allow groupadd_t self:unix_dgram_socket sendto;
allow groupadd_t self:unix_stream_socket connectto;
-allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
fs_getattr_xattr_fs(groupadd_t)
fs_search_auto_mountpoints(groupadd_t)
@@ -231,6 +230,7 @@
corecmd_exec_bin(groupadd_t)
logging_send_syslog_msg(groupadd_t)
+logging_send_audit_msg(groupadd_t)
miscfiles_read_localization(groupadd_t)
@@ -266,7 +266,7 @@
# Passwd local policy
#
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource audit_control audit_write };
+allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
allow passwd_t self:fd use;
@@ -276,7 +276,6 @@
allow passwd_t self:unix_stream_socket create_stream_socket_perms;
allow passwd_t self:unix_dgram_socket sendto;
allow passwd_t self:unix_stream_socket connectto;
-allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
@@ -329,6 +328,7 @@
libs_use_shared_libs(passwd_t)
logging_send_syslog_msg(passwd_t)
+logging_send_audit_msg(passwd_t)
miscfiles_read_localization(passwd_t)
@@ -449,7 +449,7 @@
# Useradd local policy
#
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
@@ -463,7 +463,6 @@
allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
-allow useradd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
@@ -509,6 +508,7 @@
libs_use_shared_libs(useradd_t)
logging_send_syslog_msg(useradd_t)
+logging_send_audit_msg(useradd_t)
miscfiles_read_localization(useradd_t)
--- serefpolicy-2.6.1/policy/support/misc_patterns.spt~ 2007-04-23 09:52:10.000000000 -0400
+++ serefpolicy-2.6.1/policy/support/misc_patterns.spt 2007-04-27 17:27:40.000000000 -0400
@@ -41,11 +41,6 @@
#
# Other process permissions
#
-define(`send_audit_msgs_pattern',`
- allow $1 self:capability audit_write;
- allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-')
-
define(`ps_process_pattern',`
allow $1 $2:dir { search getattr read };
allow $1 $2:{ file lnk_file } { read getattr };
* Re: Patch to cleanup audit handling in policy.
@ 2007-04-27 23:38 ` Steve G
From: Steve G @ 2007-04-27 23:38 UTC (permalink / raw)
To: Daniel J Walsh, Christopher J. PeBenito, SE Linux
>I have removed -send_audit_msgs_pattern and replaced it with 4 functions
I'd like to clarify what they are in case anyone thinks the names need tweaking
logging_send_audit_msg - This is for any Trusted App that needs to send audit
events
logging_set_loginuid - This would be for entry point daemons or daemons that
perform actions on behalf of a user (cron/at). Includes the ability to send audit
events.
logging_set_audit - This should be for the audit daemon only
logging_set_auditctl - This is only for auditctl and autrace.
-Steve
* Re: Patch to cleanup audit handling in policy.
@ 2007-04-30 14:17 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2007-04-30 14:17 UTC (permalink / raw)
To: Steve G; +Cc: Daniel J Walsh, SE Linux
On Fri, 2007-04-27 at 16:38 -0700, Steve G wrote:
> >I have removed -send_audit_msgs_pattern and replaced it with 4 functions
>
> I'd like to clarify what they are in case anyone thinks the names need tweeking
>
> logging_send_audit_msg - This is for any Trusted App that needs to send audit
> events
>
> logging_set_loginuid - This would be for entry point daemons or daemons that
> perform actions on behalf of a user (cron/at). Includes the ability to send audit
> events.
>
> logging_set_audit - This should be for the audit daemon only
>
> logging_set_auditctl - This is only for auditctl and autrace.
I'm not convinced that these are necessary. The assertions in the
policy are mainly to stop people from accidentally shooting themselves
in the foot by allowing potentially dangerous access, for example,
access to /etc/shadow or raw disk access.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Patch to cleanup audit handling in policy.
@ 2007-04-30 14:25 ` Daniel J Walsh
From: Daniel J Walsh @ 2007-04-30 14:25 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Steve G, SE Linux
Christopher J. PeBenito wrote:
> On Fri, 2007-04-27 at 16:38 -0700, Steve G wrote:
>
>>> I have removed -send_audit_msgs_pattern and replaced it with 4 functions
>>>
>> I'd like to clarify what they are in case anyone thinks the names need tweeking
>>
>> logging_send_audit_msg - This is for any Trusted App that needs to send audit
>> events
>>
>> logging_set_loginuid - This would be for entry point daemons or daemons that
>> perform actions on behalf of a user (cron/at). Includes the ability to send audit
>> events.
>>
>> logging_set_audit - This should be for the audit daemon only
>>
>> logging_set_auditctl - This is only for auditctl and autrace.
>>
>
> I'm not convinced that these are necessary. The assertions in the
> policy are mainly to stop people from accidentally shooting themselves
> in the foot by allowing potentially dangerous access, for example,
> access to /etc/shadow or raw disk access.
>
>
When I reviewed the policy, almost every call to allow audit was wrong.
I think we should take advantage of the tools to keep policy writers from
accidentally granting more access than is necessary.
* Re: Patch to cleanup audit handling in policy.
@ 2007-04-30 14:39 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2007-04-30 14:39 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Steve G, SE Linux
On Mon, 2007-04-30 at 10:25 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Fri, 2007-04-27 at 16:38 -0700, Steve G wrote:
> >
> >>> I have removed -send_audit_msgs_pattern and replaced it with 4 functions
> >>>
> >> I'd like to clarify what they are in case anyone thinks the names need tweeking
> >>
> >> logging_send_audit_msg - This is for any Trusted App that needs to send audit
> >> events
> >>
> >> logging_set_loginuid - This would be for entry point daemons or daemons that
> >> perform actions on behalf of a user (cron/at). Includes the ability to send audit
> >> events.
> >>
> >> logging_set_audit - This should be for the audit daemon only
> >>
> >> logging_set_auditctl - This is only for auditctl and autrace.
> >>
> >
> > I'm not convinced that these are necessary. The assertions in the
> > policy are mainly to stop people from accidentally shooting themselves
> > in the foot by allowing potentially dangerous access, for example,
> > access to /etc/shadow or raw disk access.
> >
> >
> When I reviewed the policy, almost ever call to allow audit was wrong.
Wrong in what sense?
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Patch to cleanup audit handling in policy.
@ 2007-04-30 14:55 ` Daniel J Walsh
2007-04-30 15:29 ` Christopher J. PeBenito
0 siblings, 1 reply; 19+ messages in thread
From: Daniel J Walsh @ 2007-04-30 14:55 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Steve G, SE Linux
Christopher J. PeBenito wrote:
> On Mon, 2007-04-30 at 10:25 -0400, Daniel J Walsh wrote:
>
>> Christopher J. PeBenito wrote:
>>
>>> On Fri, 2007-04-27 at 16:38 -0700, Steve G wrote:
>>>
>>>
>>>>> I have removed -send_audit_msgs_pattern and replaced it with 4 functions
>>>>>
>>>>>
>>>> I'd like to clarify what they are in case anyone thinks the names need tweeking
>>>>
>>>> logging_send_audit_msg - This is for any Trusted App that needs to send audit
>>>> events
>>>>
>>>> logging_set_loginuid - This would be for entry point daemons or daemons that
>>>> perform actions on behalf of a user (cron/at). Includes the ability to send audit
>>>> events.
>>>>
>>>> logging_set_audit - This should be for the audit daemon only
>>>>
>>>> logging_set_auditctl - This is only for auditctl and autrace.
>>>>
>>>>
>>> I'm not convinced that these are necessary. The assertions in the
>>> policy are mainly to stop people from accidentally shooting themselves
>>> in the foot by allowing potentially dangerous access, for example,
>>> access to /etc/shadow or raw disk access.
>>>
>>>
>>>
>> When I reviewed the policy, almost ever call to allow audit was wrong.
>>
>
> Wrong in what sense?
>
>
Wrong in the sense of granting more privs than they intended. Login
programs being able to change the audit rules. audit_control versus
audit_write and netlinkmsg_write versus netlinkmsg_relay. Better to put
them into interfaces and force policy writers to use them.
* Re: Patch to cleanup audit handling in policy.
2007-04-30 14:55 ` Daniel J Walsh
@ 2007-04-30 15:29 ` Christopher J. PeBenito
2007-04-30 15:36 ` Daniel J Walsh
0 siblings, 1 reply; 19+ messages in thread
From: Christopher J. PeBenito @ 2007-04-30 15:29 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Steve G, SE Linux
On Mon, 2007-04-30 at 10:55 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2007-04-30 at 10:25 -0400, Daniel J Walsh wrote:
> >
> >> Christopher J. PeBenito wrote:
> >>
> >>> On Fri, 2007-04-27 at 16:38 -0700, Steve G wrote:
> >>>
> >>>
> >>>>> I have removed -send_audit_msgs_pattern and replaced it with 4 functions
> >>>>>
> >>>>>
> >>>> I'd like to clarify what they are in case anyone thinks the names need tweeking
> >>>>
> >>>> logging_send_audit_msg - This is for any Trusted App that needs to send audit
> >>>> events
> >>>>
> >>>> logging_set_loginuid - This would be for entry point daemons or daemons that
> >>>> perform actions on behalf of a user (cron/at). Includes the ability to send audit
> >>>> events.
> >>>>
> >>>> logging_set_audit - This should be for the audit daemon only
> >>>>
> >>>> logging_set_auditctl - This is only for auditctl and autrace.
> >>>>
> >>>>
> >>> I'm not convinced that these are necessary. The assertions in the
> >>> policy are mainly to stop people from accidentally shooting themselves
> >>> in the foot by allowing potentially dangerous access, for example,
> >>> access to /etc/shadow or raw disk access.
> >>>
> >>>
> >>>
> >> When I reviewed the policy, almost ever call to allow audit was wrong.
> >>
> >
> > Wrong in what sense?
> >
> Wrong in the sense of granting more privs then they intended. Login
> programs being able to change the audit rules. audit_control versus
> audit_write and netlinkmsg_write versus netlinkmsg_relay. Better to put
> them into interfaces and force policy writers to use them.
This is an argument for more patterns, which would be fine.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Patch to cleanup audit handling in policy.
2007-04-30 15:29 ` Christopher J. PeBenito
@ 2007-04-30 15:36 ` Daniel J Walsh
2007-04-30 17:04 ` Christopher J. PeBenito
0 siblings, 1 reply; 19+ messages in thread
From: Daniel J Walsh @ 2007-04-30 15:36 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Steve G, SE Linux
Christopher J. PeBenito wrote:
> On Mon, 2007-04-30 at 10:55 -0400, Daniel J Walsh wrote:
>
>> Christopher J. PeBenito wrote:
>>
>>> On Mon, 2007-04-30 at 10:25 -0400, Daniel J Walsh wrote:
>>>
>>>
>>>> Christopher J. PeBenito wrote:
>>>>
>>>>
>>>>> On Fri, 2007-04-27 at 16:38 -0700, Steve G wrote:
>>>>>
>>>>>
>>>>>
>>>>>>> I have removed -send_audit_msgs_pattern and replaced it with 4 functions
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> I'd like to clarify what they are in case anyone thinks the names need tweeking
>>>>>>
>>>>>> logging_send_audit_msg - This is for any Trusted App that needs to send audit
>>>>>> events
>>>>>>
>>>>>> logging_set_loginuid - This would be for entry point daemons or daemons that
>>>>>> perform actions on behalf of a user (cron/at). Includes the ability to send audit
>>>>>> events.
>>>>>>
>>>>>> logging_set_audit - This should be for the audit daemon only
>>>>>>
>>>>>> logging_set_auditctl - This is only for auditctl and autrace.
>>>>>>
>>>>>>
>>>>>>
>>>>> I'm not convinced that these are necessary. The assertions in the
>>>>> policy are mainly to stop people from accidentally shooting themselves
>>>>> in the foot by allowing potentially dangerous access, for example,
>>>>> access to /etc/shadow or raw disk access.
>>>>>
>>>>>
>>>>>
>>>>>
>>>> When I reviewed the policy, almost ever call to allow audit was wrong.
>>>>
>>>>
>>> Wrong in what sense?
>>>
>>>
>> Wrong in the sense of granting more privs then they intended. Login
>> programs being able to change the audit rules. audit_control versus
>> audit_write and netlinkmsg_write versus netlinkmsg_relay. Better to put
>> them into interfaces and force policy writers to use them.
>>
>
> This is an argument for more patterns, which would be fine.
>
>
Why would we want patterns over interfaces? We cannot use constraints
in interfaces. I want constraints to stop people from making dumb
mistakes. The interface most often used is logging_send_audit_msg, which
matches up very closely to logging_send_syslog_msg. To me patterns make
no sense here; these are interfaces.
* Re: Patch to cleanup audit handling in policy.
2007-04-30 15:36 ` Daniel J Walsh
@ 2007-04-30 17:04 ` Christopher J. PeBenito
0 siblings, 0 replies; 19+ messages in thread
From: Christopher J. PeBenito @ 2007-04-30 17:04 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Steve G, SE Linux
On Mon, 2007-04-30 at 11:36 -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2007-04-30 at 10:55 -0400, Daniel J Walsh wrote:
> >> Christopher J. PeBenito wrote:
> >>> On Mon, 2007-04-30 at 10:25 -0400, Daniel J Walsh wrote:
> >>>> Christopher J. PeBenito wrote:
> >>>>> On Fri, 2007-04-27 at 16:38 -0700, Steve G wrote:
> >>>>>>> I have removed -send_audit_msgs_pattern and replaced it with 4 functions
> >>>>>>>
> >>>>>> I'd like to clarify what they are in case anyone thinks the names need tweeking
> >>>>>>
> >>>>>> logging_send_audit_msg - This is for any Trusted App that needs to send audit
> >>>>>> events
> >>>>>>
> >>>>>> logging_set_loginuid - This would be for entry point daemons or daemons that
> >>>>>> perform actions on behalf of a user (cron/at). Includes the ability to send audit
> >>>>>> events.
> >>>>>>
> >>>>>> logging_set_audit - This should be for the audit daemon only
> >>>>>>
> >>>>>> logging_set_auditctl - This is only for auditctl and autrace.
> >>>>>>
> >>>>> I'm not convinced that these are necessary. The assertions in the
> >>>>> policy are mainly to stop people from accidentally shooting themselves
> >>>>> in the foot by allowing potentially dangerous access, for example,
> >>>>> access to /etc/shadow or raw disk access.
> >>>>>
> >>>> When I reviewed the policy, almost ever call to allow audit was wrong.
> >>>>
> >>> Wrong in what sense?
> >>>
> >> Wrong in the sense of granting more privs then they intended. Login
> >> programs being able to change the audit rules. audit_control versus
> >> audit_write and netlinkmsg_write versus netlinkmsg_relay. Better to put
> >> them into interfaces and force policy writers to use them.
> >
> > This is an argument for more patterns, which would be fine.
>
> Why would we want patterns over interfaces? We can not use constraints
> in interfaces. I want constraints to stop people from making dumb
> mistakes.
Having assertions would make the interfaces needed, but I still argue
that they aren't required in this instance; see my response to Steve.
> The interface most often uses is logging_send_audit_msg which
> matches up very closely to logging_send_syslog_msg.
This is the most compelling argument so far, but I don't think I'm
convinced yet.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Patch to cleanup audit handling in policy.
2007-04-30 14:17 ` Christopher J. PeBenito
2007-04-30 14:25 ` Daniel J Walsh
@ 2007-04-30 14:59 ` Steve G
2007-04-30 16:53 ` Christopher J. PeBenito
1 sibling, 1 reply; 19+ messages in thread
From: Steve G @ 2007-04-30 14:59 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Daniel J Walsh, SE Linux
>I'm not convinced that these are necessary.
The audit policy seems very broken. It allows way too much permission to
applications. The audit_control permission means that they can potentially delete
audit rules or change the loginuid. That should not be handed out like candy.
The interfaces that Dan created allow the exact kind of permission to be applied
without having to copy and paste individual permissions, which is error prone.
(There are only 4 use cases of the audit system.) Part of what makes it error
prone is the naming convention for all the pieces. Example: "audit_write" - is that
for the capability, the netlink interface, or the audit logs?
-Steve
* Re: Patch to cleanup audit handling in policy.
2007-04-30 14:59 ` Steve G
@ 2007-04-30 16:53 ` Christopher J. PeBenito
2007-05-01 0:49 ` Karl MacMillan
0 siblings, 1 reply; 19+ messages in thread
From: Christopher J. PeBenito @ 2007-04-30 16:53 UTC (permalink / raw)
To: Steve G; +Cc: Daniel J Walsh, SE Linux
On Mon, 2007-04-30 at 07:59 -0700, Steve G wrote:
> >I'm not convinced that these are necessary.
>
> The audit policy seems very broken. It allows way too much permission to
> applications.
I'm certainly not arguing that excessive permissions shouldn't be fixed.
I was just saying that I didn't agree with the method in this case.
> The audit_control permission means that they can potentially delete
> audit rules or change the loginuid. That should not be handed out like candy.
This is not really a compelling argument for assertions as there are far
worse things that have much farther reaching consequences that don't
have assertions, such as writing to shlib_t, bin_t, and shell_exec_t
files.
> The interfaces that Dan created allows the exact kind of permission to be applied
> without having to copy and paste individual permissions which is error prone.
> (There are only 4 use cases of the audit system.) Part of what makes it error
> prone is the naming convention for all the pieces. Example: "audit_write" is that
> for the capability, the netlink interface, or audit logs?
This is the reason policy patterns exist.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Patch to cleanup audit handling in policy.
2007-04-30 16:53 ` Christopher J. PeBenito
@ 2007-05-01 0:49 ` Karl MacMillan
2007-05-01 13:31 ` Christopher J. PeBenito
0 siblings, 1 reply; 19+ messages in thread
From: Karl MacMillan @ 2007-05-01 0:49 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Steve G, Daniel J Walsh, SE Linux
On Mon, 2007-04-30 at 16:53 +0000, Christopher J. PeBenito wrote:
> On Mon, 2007-04-30 at 07:59 -0700, Steve G wrote:
<snip>
>
> > The interfaces that Dan created allows the exact kind of permission to be applied
> > without having to copy and paste individual permissions which is error prone.
> > (There are only 4 use cases of the audit system.) Part of what makes it error
> > prone is the naming convention for all the pieces. Example: "audit_write" is that
> > for the capability, the netlink interface, or audit logs?
>
> This is the reason policy patterns exist.
>
So far the policy patterns have been very hard to automatically generate
using sepolgen. Note that this deficiency is not something that I can
address - it is a problem with the patterns themselves. Given that and
my concerns over their clarity I would prefer that no more patterns be
introduced.
Can I ask why you are so against these audit interfaces and would prefer
patterns?
Karl
* Re: Patch to cleanup audit handling in policy.
2007-05-01 0:49 ` Karl MacMillan
@ 2007-05-01 13:31 ` Christopher J. PeBenito
2007-05-01 15:21 ` Karl MacMillan
0 siblings, 1 reply; 19+ messages in thread
From: Christopher J. PeBenito @ 2007-05-01 13:31 UTC (permalink / raw)
To: Karl MacMillan; +Cc: Steve G, Daniel J Walsh, SE Linux
On Mon, 2007-04-30 at 20:49 -0400, Karl MacMillan wrote:
> On Mon, 2007-04-30 at 16:53 +0000, Christopher J. PeBenito wrote:
> > On Mon, 2007-04-30 at 07:59 -0700, Steve G wrote:
>
> <snip>
>
> >
> > > The interfaces that Dan created allows the exact kind of permission to be applied
> > > without having to copy and paste individual permissions which is error prone.
> > > (There are only 4 use cases of the audit system.) Part of what makes it error
> > > prone is the naming convention for all the pieces. Example: "audit_write" is that
> > > for the capability, the netlink interface, or audit logs?
> >
> > This is the reason policy patterns exist.
> >
>
> So far the policy patterns have been very hard to automatically generate
> using sepolgen. Note that this deficiency is not something that I can
> address - it is a problem with the patterns themselves.
I don't see how it could be any more complex than matching rules to an
interface.
> Given that and
> my concerns over their clarity I would prefer that no more patterns be
> introduced.
>
> Can I ask why you are so against these audit interfaces and would prefer
> patterns?
I don't agree with the assertions, which means the attributes are
dropped, so that just leaves the rules, which don't refer to any types
in the logging module. They only refer to resources in the current
module (all self rules), so it's not an interface, it's a pattern.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Patch to cleanup audit handling in policy.
2007-05-01 13:31 ` Christopher J. PeBenito
@ 2007-05-01 15:21 ` Karl MacMillan
2007-05-02 17:08 ` Christopher J. PeBenito
0 siblings, 1 reply; 19+ messages in thread
From: Karl MacMillan @ 2007-05-01 15:21 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Steve G, Daniel J Walsh, SE Linux
On Tue, 2007-05-01 at 13:31 +0000, Christopher J. PeBenito wrote:
> On Mon, 2007-04-30 at 20:49 -0400, Karl MacMillan wrote:
> > On Mon, 2007-04-30 at 16:53 +0000, Christopher J. PeBenito wrote:
> > > On Mon, 2007-04-30 at 07:59 -0700, Steve G wrote:
> >
> > <snip>
> >
> > >
> > > > The interfaces that Dan created allows the exact kind of permission to be applied
> > > > without having to copy and paste individual permissions which is error prone.
> > > > (There are only 4 use cases of the audit system.) Part of what makes it error
> > > > prone is the naming convention for all the pieces. Example: "audit_write" is that
> > > > for the capability, the netlink interface, or audit logs?
> > >
> > > This is the reason policy patterns exist.
> > >
> >
> > So far the policy patterns have been very hard to automatically generate
> > using sepolgen. Note that this deficiency is not something that I can
> > address - it is a problem with the patterns themselves.
>
> I don't see how it could be any more complex than matching rules to an
> interface.
>
http://www.nsa.gov/selinux/list-archive/0701/18939.cfm
Summary - patterns that contain unrelated types cannot be reliably
generated. This - to me - is a major drawback. Whether that will apply
here is not clear.
> > Given that and
> > my concerns over their clarity I would prefer that no more patterns be
> > introduced.
> >
> > Can I ask why you are so against these audit interfaces and would prefer
> > patterns?
>
> I don't agree with the assertions which means the attributes are
> dropped, so that just leaves the rules, which don't refer to any types
> in the logging module. They only refer to resources in the current
> module (all self rules), so its not an interface, its a pattern.
>
I think that distinction is not useful to a policy writer. As a policy
writer I think it would be natural to look for audit interfaces in
logging - by making these patterns they are harder to find.
So - why make this distinction?
Karl
* Re: Patch to cleanup audit handling in policy.
2007-05-01 15:21 ` Karl MacMillan
@ 2007-05-02 17:08 ` Christopher J. PeBenito
2007-05-02 17:18 ` Karl MacMillan
0 siblings, 1 reply; 19+ messages in thread
From: Christopher J. PeBenito @ 2007-05-02 17:08 UTC (permalink / raw)
To: Karl MacMillan; +Cc: Steve G, Daniel J Walsh, SE Linux
On Tue, 2007-05-01 at 11:21 -0400, Karl MacMillan wrote:
> On Tue, 2007-05-01 at 13:31 +0000, Christopher J. PeBenito wrote:
> > On Mon, 2007-04-30 at 20:49 -0400, Karl MacMillan wrote:
> > > On Mon, 2007-04-30 at 16:53 +0000, Christopher J. PeBenito wrote:
> > > > On Mon, 2007-04-30 at 07:59 -0700, Steve G wrote:
> > > > > The interfaces that Dan created allows the exact kind of permission to be applied
> > > > > without having to copy and paste individual permissions which is error prone.
> > > > > (There are only 4 use cases of the audit system.) Part of what makes it error
> > > > > prone is the naming convention for all the pieces. Example: "audit_write" is that
> > > > > for the capability, the netlink interface, or audit logs?
> > > >
> > > > This is the reason policy patterns exist.
> > > >
> > >
> > > So far the policy patterns have been very hard to automatically generate
> > > using sepolgen. Note that this deficiency is not something that I can
> > > address - it is a problem with the patterns themselves.
> >
> > I don't see how it could be any more complex than matching rules to an
> > interface.
> >
>
> http://www.nsa.gov/selinux/list-archive/0701/18939.cfm
>
> Summary - patterns that contain unrelated types cannot be reliably
> generated. This - to me - is a major drawback. Whether that will apply
> here is not clear.
Even if they can't be generated, I don't see how that negates their
usefulness.
> > > Given that and
> > > my concerns over their clarity I would prefer that no more patterns be
> > > introduced.
> > >
> > > Can I ask why you are so against these audit interfaces and would prefer
> > > patterns?
> >
> > I don't agree with the assertions which means the attributes are
> > dropped, so that just leaves the rules, which don't refer to any types
> > in the logging module. They only refer to resources in the current
> > module (all self rules), so its not an interface, its a pattern.
> >
>
> I think that distinction is not useful to a policy writer. As a policy
> writer I think it would be natural to look for audit interfaces in
> logging - by making these patterns they are harder to find.
>
> So - why make this distinction?
It's always been the definition of an interface.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Patch to cleanup audit handling in policy.
2007-05-02 17:08 ` Christopher J. PeBenito
@ 2007-05-02 17:18 ` Karl MacMillan
2007-05-03 12:17 ` Christopher J. PeBenito
0 siblings, 1 reply; 19+ messages in thread
From: Karl MacMillan @ 2007-05-02 17:18 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Steve G, Daniel J Walsh, SE Linux
On Wed, 2007-05-02 at 13:08 -0400, Christopher J. PeBenito wrote:
> On Tue, 2007-05-01 at 11:21 -0400, Karl MacMillan wrote:
> > On Tue, 2007-05-01 at 13:31 +0000, Christopher J. PeBenito wrote:
> > > On Mon, 2007-04-30 at 20:49 -0400, Karl MacMillan wrote:
> > > > On Mon, 2007-04-30 at 16:53 +0000, Christopher J. PeBenito wrote:
> > > > > On Mon, 2007-04-30 at 07:59 -0700, Steve G wrote:
> > > > > > The interfaces that Dan created allows the exact kind of permission to be applied
> > > > > > without having to copy and paste individual permissions which is error prone.
> > > > > > (There are only 4 use cases of the audit system.) Part of what makes it error
> > > > > > prone is the naming convention for all the pieces. Example: "audit_write" is that
> > > > > > for the capability, the netlink interface, or audit logs?
> > > > >
> > > > > This is the reason policy patterns exist.
> > > > >
> > > >
> > > > So far the policy patterns have been very hard to automatically generate
> > > > using sepolgen. Note that this deficiency is not something that I can
> > > > address - it is a problem with the patterns themselves.
> > >
> > > I don't see how it could be any more complex than matching rules to an
> > > interface.
> > >
> >
> > http://www.nsa.gov/selinux/list-archive/0701/18939.cfm
> >
> > Summary - patterns that contain unrelated types cannot be reliably
> > generated. This - to me - is a major drawback. Whether that will apply
> > here is not clear.
>
> Even if they can't be generated, I don't see how that negates their
> usefulness.
>
It doesn't negate it - it limits it.
> > > > Given that and
> > > > my concerns over their clarity I would prefer that no more patterns be
> > > > introduced.
> > > >
> > > > Can I ask why you are so against these audit interfaces and would prefer
> > > > patterns?
> > >
> > > I don't agree with the assertions which means the attributes are
> > > dropped, so that just leaves the rules, which don't refer to any types
> > > in the logging module. They only refer to resources in the current
> > > module (all self rules), so its not an interface, its a pattern.
> > >
> >
> > I think that distinction is not useful to a policy writer. As a policy
> > writer I think it would be natural to look for audit interfaces in
> > logging - by making these patterns they are harder to find.
> >
> > So - why make this distinction?
>
> Its always been the definition of an interface.
>
Great - so why has that always been the definition, and what is the
motivation for separating the patterns and the interfaces in this
circumstance? What value does this provide to the policy writer?
My assertion is that in this case the separation is harmful to the
readability of the policy without advantage.
Karl
* Re: Patch to cleanup audit handling in policy.
2007-05-02 17:18 ` Karl MacMillan
@ 2007-05-03 12:17 ` Christopher J. PeBenito
2007-05-03 13:11 ` Daniel J Walsh
2007-05-03 21:16 ` Karl MacMillan
0 siblings, 2 replies; 19+ messages in thread
From: Christopher J. PeBenito @ 2007-05-03 12:17 UTC (permalink / raw)
To: Karl MacMillan; +Cc: Steve G, Daniel J Walsh, SE Linux
On Wed, 2007-05-02 at 13:18 -0400, Karl MacMillan wrote:
> On Wed, 2007-05-02 at 13:08 -0400, Christopher J. PeBenito wrote:
> > On Tue, 2007-05-01 at 11:21 -0400, Karl MacMillan wrote:
> > > On Tue, 2007-05-01 at 13:31 +0000, Christopher J. PeBenito wrote:
> > > > On Mon, 2007-04-30 at 20:49 -0400, Karl MacMillan wrote:
> > > > > Given that and
> > > > > my concerns over their clarity I would prefer that no more patterns be
> > > > > introduced.
> > > > >
> > > > > Can I ask why you are so against these audit interfaces and would prefer
> > > > > patterns?
> > > >
> > > > I don't agree with the assertions which means the attributes are
> > > > dropped, so that just leaves the rules, which don't refer to any types
> > > > in the logging module. They only refer to resources in the current
> > > > module (all self rules), so its not an interface, its a pattern.
> > > >
> > >
> > > I think that distinction is not useful to a policy writer. As a policy
> > > writer I think it would be natural to look for audit interfaces in
> > > logging - by making these patterns they are harder to find.
> > >
> > > So - why make this distinction?
> >
> > Its always been the definition of an interface.
> >
>
> Great - so why has that always been the definition
Not sure how you can ask that since interfaces providing access to a
module's private resource is a fundamental principle.
> and what is the
> motivation for separating the patterns and the interfaces in this
> circumstance. What value does this provide to the policy writer?
Indeed that is a good question, which is why I said it was compelling in
the other thread.
> My assertion is that in this case the separation is harmful to the
> readability of the policy without advantage.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Patch to cleanup audit handling in policy.
2007-05-03 12:17 ` Christopher J. PeBenito
@ 2007-05-03 13:11 ` Daniel J Walsh
2007-05-03 21:16 ` Karl MacMillan
1 sibling, 0 replies; 19+ messages in thread
From: Daniel J Walsh @ 2007-05-03 13:11 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Karl MacMillan, Steve G, SE Linux
I agree with Karl here. I think while these are different types of
interfaces, they are definitely related to doing auditing. As a policy
writer I would look into the logging.if for these interfaces and not
seeing them would write them by hand, probably badly. (As we have seen
by the number of times it was done wrong.) I would not think to look in
a random directory labeled support with misc_patterns.te or
file_patterns.te.
I think the use of constraints should be increased as a way to "assert"
that the policy writer is doing the right thing. So removing the
assertions because we have other places where we don't use constraints
is an invalid argument. Let's define assertions there and stop policy
writers from doing
allow mydomain_t etc_t:file rw_file_perms
and other clearly security problematic code.
* Re: Patch to cleanup audit handling in policy.
2007-05-03 12:17 ` Christopher J. PeBenito
2007-05-03 13:11 ` Daniel J Walsh
@ 2007-05-03 21:16 ` Karl MacMillan
1 sibling, 0 replies; 19+ messages in thread
From: Karl MacMillan @ 2007-05-03 21:16 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Steve G, Daniel J Walsh, SE Linux
On Thu, 2007-05-03 at 12:17 +0000, Christopher J. PeBenito wrote:
> On Wed, 2007-05-02 at 13:18 -0400, Karl MacMillan wrote:
> > On Wed, 2007-05-02 at 13:08 -0400, Christopher J. PeBenito wrote:
> > > On Tue, 2007-05-01 at 11:21 -0400, Karl MacMillan wrote:
> > > > On Tue, 2007-05-01 at 13:31 +0000, Christopher J. PeBenito wrote:
> > > > > On Mon, 2007-04-30 at 20:49 -0400, Karl MacMillan wrote:
> > > > > > Given that and
> > > > > > my concerns over their clarity I would prefer that no more patterns be
> > > > > > introduced.
> > > > > >
> > > > > > Can I ask why you are so against these audit interfaces and would prefer
> > > > > > patterns?
> > > > >
> > > > > I don't agree with the assertions which means the attributes are
> > > > > dropped, so that just leaves the rules, which don't refer to any types
> > > > > in the logging module. They only refer to resources in the current
> > > > > module (all self rules), so it's not an interface, it's a pattern.
> > > > >
> > > >
> > > > I think that distinction is not useful to a policy writer. As a policy
> > > > writer I think it would be natural to look for audit interfaces in
> > > > logging - by making these patterns they are harder to find.
> > > >
> > > > So - why make this distinction?
> > >
> > > It's always been the definition of an interface.
> > >
> >
> > Great - so why has that always been the definition
>
> Not sure how you can ask that since interfaces providing access to a
> module's private resource is a fundamental principle.
>
I agree that interfaces are the only way to provide access to a module's
types, but I don't think that is their only purpose. They are also for
grouping and organizing related access.
> > and what is the
> > motivation for separating the patterns and the interfaces in this
> > circumstance. What value does this provide to the policy writer?
>
> Indeed that is a good question, which is why I said it was compelling in
> the other thread.
>
I would suggest that most of the patterns don't have any other
logical grouping - the access being allowed is private to the module.
These audit rules seem different: the access is really about allowing a
domain access to the audit subsystem. It is not simply private access
that cannot be further grouped. That the access is allowed purely via
permissions on module-private types is an unimportant implementation
detail.
So, taking the broader definition of interfaces as grouping related
access, it seems natural to make these audit interfaces and put them in
logging.if.
Karl
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.