Re: About the polgengui in FC7

Re: About the polgengui in FC7

[Ian jonhson]

Dear Daniel,

Thank you very much for your answering.


As you said in your article, I follows the steps to build my policy module:

Step 1:

1.Name of application to be confined
 - use the linux command, rwho, which I yum and installed my FC7
livecd version.
 - path: /usr/bin/rwho
2. Application type
 - Web Application/Script (CGI). I choose the item. In fact, I don't
know which one is correct.
3.Incoming network port connections
 - UDP port 513
4.Outgoing network port connections
 - UDP port 513
5.Common application traits
 - application uses syslog to log messages. I choose this one beacuse
I want to see something information feelback in syslog.
6.Files and directories (where the application will write)
 - Add file: I added my application, my_test, from /root/selinux_test/.
 - Add directories: my work directory, /root/selinux_test.
7.Generate policy in this directory
 - Policy Directory: /root/selinux_test/policy

Step 2: Apply the new policy module

I enter into my work directory, /root/selinux_test/, and execute the
shell script:

# cd /root/selinux_test
# sh rwho.sh

It prompts a error message:

--------- dump of screen ----------
make: /usr/share/selinux/devel/Makefile: No such file or directory
make: *** No rule to make target '/usr/share/selinux/devel/Makefile', stop.
/usr/sbin/semodule: Could not read file 'rwho.pp':
/sbin/restorecon reset /usr/bin/rwho context
system_u:object_r:bin_t:s0 -> system_u:object_r:bin_t:s0
...
-----------------------------------

I called the ls to see what happed, however nothing created in current
directory.

Step 3: Debug and complete the policy module

As you recommended in your article, I run in permissive mode.

# setenforce 0
# service rwho restart
rwho: unrecongnized service
#

It looks like that something is wrong when I installed the rwho. I
installed rwho by yum, and I don't know where is the problem.

I also look into the /etc/selinux, but I didn't find any new files or
directories created here.

Another aspect I care about is "In the future we will be adding a
mechanism for writing policy to actually confine a logged in user".
You mean that current version does not support the case, in which I
set customized policy for my executable program. For example, I build
a executable program, named my_test_pg, in /root/selinux_test/. Then,
I set a policy module for my_test_pg, which can access a file, named
test_file_1, but cannot access another file, named test_file_2. If I
have to implemented the example, what to do?


Thank you very much!

Your article and advices are very helpful to my jobs. :-)


Ian

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: About the polgengui in FC7

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ian jonhson wrote:
> Dear Daniel,
> 
> Thank you very much for your answering.
> 
> 
> As you said in your article, I follows the steps to build my policy module:
> 
> Step 1:
> 
> 1.Name of application to be confined
>  - use the linux command, rwho, which I yum and installed my FC7
> livecd version.
>  - path: /usr/bin/rwho
> 2. Application type
>  - Web Application/Script (CGI). I choose the item. In fact, I don't
> know which one is correct.
> 3.Incoming network port connections
>  - UDP port 513
> 4.Outgoing network port connections
>  - UDP port 513
> 5.Common application traits
>  - application uses syslog to log messages. I choose this one beacuse
> I want to see something information feelback in syslog.
> 6.Files and directories (where the application will write)
>  - Add file: I added my application, my_test, from /root/selinux_test/.
>  - Add directories: my work directory, /root/selinux_test.
> 7.Generate policy in this directory
>  - Policy Directory: /root/selinux_test/policy
> 
> Step 2: Apply the new policy module
> 
> I enter into my work directory, /root/selinux_test/, and execute the
> shell script:
> 
> # cd /root/selinux_test
> # sh rwho.sh
> 
> It prompts a error message:
> 
> --------- dump of screen ----------
> make: /usr/share/selinux/devel/Makefile: No such file or directory
> make: *** No rule to make target '/usr/share/selinux/devel/Makefile', stop.
> /usr/sbin/semodule: Could not read file 'rwho.pp':
> /sbin/restorecon reset /usr/bin/rwho context
> system_u:object_r:bin_t:s0 -> system_u:object_r:bin_t:s0
> ...
yum install selinux-policy-devel
Then run the script again

> -----------------------------------
> 
> I called the ls to see what happed, however nothing created in current
> directory.
> 
> Step 3: Debug and complete the policy module
> 
> As you recommended in your article, I run in permissive mode.
> 
> # setenforce 0
> # service rwho restart
> rwho: unrecongnized service
> #
service rwhod restart
> 
> It looks like that something is wrong when I installed the rwho. I
> installed rwho by yum, and I don't know where is the problem.
> 
> I also look into the /etc/selinux, but I didn't find any new files or
> directories created here.
> 
> Another aspect I care about is "In the future we will be adding a
> mechanism for writing policy to actually confine a logged in user".
> You mean that current version does not support the case, in which I
> set customized policy for my executable program. For example, I build
> a executable program, named my_test_pg, in /root/selinux_test/. Then,
> I set a policy module for my_test_pg, which can access a file, named
> test_file_1, but cannot access another file, named test_file_2. If I
> have to implemented the example, what to do?
> 
yes you can do this,  The extension that I am adding, is to setup logged
in users who can not talk to the network, or only one port on the
network.  These users will not be able to run any setuid applications or
 even execute files in the home directories.
> 
> Thank you very much!
> 
> Your article and advices are very helpful to my jobs. :-)
> 
> 
> Ian

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG1+YZrlYvE4MpobMRAlLtAJ9/Z7r0F6lNGNzSE4jD2sDRlJWwLQCfSg0C
MdEXXQJDChngRAbH8u23BN0=
=y2bC
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: About the polgengui in FC7

[Ian jonhson]

> yum install selinux-policy-devel
> Then run the script again
>

I still met some problem in running the script. The message are as follows:

------------- dump screen --------------
[root@Fedora7 policy]# sh rwho.sh
rwho.if:14: Error: duplicate definition of rwho_domtrans(). Original
definition on 14.
Compiling targeted rwho module
/usr/bin/checkmodule:  loading policy configuration from tmp/rwho.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/rwho.mod
Creating targeted rwho.pp policy package
rm tmp/rwho.mod tmp/rwho.mod.fc
/sbin/restorecon reset /usr/bin/rwho context
system_u:object_r:rwho_exec_t:s0->system_u:object_r:rwho_exec_t:s0
[root@Fedora7 policy]# setenforce 0
bash: setenforce: command not found
...
------------------------------------------------

I am not sure whether the duplicate definition would affect the policy
creation, but I got the difference from description in article. Also,
I can not execute setenforce, and not find the the command.

When I run the audit2allow, the output messages are:

----------  dump screen ------------------
[root@Fedora7 tmp]# grep rwho /var/log/audit/audit.log | audit2allow -R

require {
       type rwho_t;
}

#============= rwho_t ==============
files_search_spool(rwho_t)


[root@Fedora7 tmp]# grep rwho /var/log/audit/audit.log
type=AVC msg=audit(1188717730.985:106): avc:  denied  { search } for
pid=3753 comm="rwhod" name="spool" dev=dm-0 ino=130473
scontext=user_u:system_r:rwho_t:s0
tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1188717730.985:106): arch=40000003 syscall=12
success=no exit=-13 a0=8000270c a1=2 a2=80003b5c a3=1 items=0
ppid=3752 pid=3753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="rwhod" exe="/usr/sbin/rwhod"
subj=user_u:system_r:rwho_t:s0 key=(null)
[root@Fedora7 tmp]#
--------------------------------------------------

Did I forget anything?


> yes you can do this,  The extension that I am adding, is to setup logged
> in users who can not talk to the network, or only one port on the
> network.  These users will not be able to run any setuid applications or
>  even execute files in the home directories.

Very good, but in current FC7, that functionalities are not supported,
right? If the polgengui in FC7 does not support the above
functionality, can I do my jobs by editing policy source files
manually? what to do?

Thank you very much !!



Best regards,

ian

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: About the polgengui in FC7

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ian jonhson wrote:
>> yum install selinux-policy-devel
>> Then run the script again
>>
> 
> I still met some problem in running the script. The message are as follows:
> 
> ------------- dump screen --------------
> [root@Fedora7 policy]# sh rwho.sh
> rwho.if:14: Error: duplicate definition of rwho_domtrans(). Original
> definition on 14.
> Compiling targeted rwho module
> /usr/bin/checkmodule:  loading policy configuration from tmp/rwho.tmp
> /usr/bin/checkmodule:  policy configuration loaded
> /usr/bin/checkmodule:  writing binary representation (version 6) to tmp/rwho.mod
> Creating targeted rwho.pp policy package
> rm tmp/rwho.mod tmp/rwho.mod.fc
> /sbin/restorecon reset /usr/bin/rwho context
> system_u:object_r:rwho_exec_t:s0->system_u:object_r:rwho_exec_t:s0
> [root@Fedora7 policy]# setenforce 0
> bash: setenforce: command not found
> ...
/usr/sbin/setenforce 0

> ------------------------------------------------
> 
> I am not sure whether the duplicate definition would affect the policy
> creation, but I got the difference from description in article. Also,
> I can not execute setenforce, and not find the the command.
> 
> When I run the audit2allow, the output messages are:
> 
> ----------  dump screen ------------------
> [root@Fedora7 tmp]# grep rwho /var/log/audit/audit.log | audit2allow -R
> 
> require {
>        type rwho_t;
> }
> 
> #============= rwho_t ==============
> files_search_spool(rwho_t)
> 
> 
> [root@Fedora7 tmp]# grep rwho /var/log/audit/audit.log
> type=AVC msg=audit(1188717730.985:106): avc:  denied  { search } for
> pid=3753 comm="rwhod" name="spool" dev=dm-0 ino=130473
> scontext=user_u:system_r:rwho_t:s0
> tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
> type=SYSCALL msg=audit(1188717730.985:106): arch=40000003 syscall=12
> success=no exit=-13 a0=8000270c a1=2 a2=80003b5c a3=1 items=0
> ppid=3752 pid=3753 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="rwhod" exe="/usr/sbin/rwhod"
> subj=user_u:system_r:rwho_t:s0 key=(null)
> [root@Fedora7 tmp]#
> --------------------------------------------------
> 
> Did I forget anything?
> 
No, Now you would add the line
files_search_spool(rwho_t)
to the te file and rerun the sh script.

> 
>> yes you can do this,  The extension that I am adding, is to setup logged
>> in users who can not talk to the network, or only one port on the
>> network.  These users will not be able to run any setuid applications or
>>  even execute files in the home directories.
> 
> Very good, but in current FC7, that functionalities are not supported,
> right? If the polgengui in FC7 does not support the above
> functionality, can I do my jobs by editing policy source files
> manually? what to do?
> 
> Thank you very much !!
> 
> 
> 
> Best regards,
> 
> ian

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG3a6CrlYvE4MpobMRArgaAKCbqyU6Cx2GUeMWJ5UvKoIE/dsHrwCeLKL+
YccsQL6ZFkhO3lsy1IbGJmg=
=O47U
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.