Re: Adding AV assertion to selinux policy in RHEL5

Re: Adding AV assertion to selinux policy in RHEL5

[Daniel J Walsh]

On 08/25/2009 06:43 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>  
> 
> We are looking for a well documented procedure to add AV assertion to
> selinux policy on RHEL5.
> So far all SELinux URL links refer to the fact that the AV assertion
> needs to be added to assert.te file under $SELINUX_SRC folder.
> This appears to be true only for RHEL4 not RHEL5 since there is no src
> folder under /etc/selinux/targeted that contains the source policies in
> RHEL5.
> We have installed and built the selinux-policy-2.4.6-248.el5.src.rpm on
> our RHEL5.4 box and we did not find any assert.te file.
> Can someone help us with the exact method as to what needs to be done to
> add an AV assertion rule to our policy.
> 
> Thanks
> Anamitra & Radha
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
questions like this should be asked on the SELinux <selinux@tycho.nsa.gov> Mail List.

I am not sure what you are asking for.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Adding AV assertion to selinux policy in RHEL5

[Joshua Brindle]

Daniel J Walsh wrote:
> On 08/25/2009 06:43 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>
>>
>> We are looking for a well documented procedure to add AV assertion to
>> selinux policy on RHEL5.
>> So far all SELinux URL links refer to the fact that the AV assertion
>> needs to be added to assert.te file under $SELINUX_SRC folder.
>> This appears to be true only for RHEL4 not RHEL5 since there is no src
>> folder under /etc/selinux/targeted that contains the source policies in
>> RHEL5.
>> We have installed and built the selinux-policy-2.4.6-248.el5.src.rpm on
>> our RHEL5.4 box and we did not find any assert.te file.
>> Can someone help us with the exact method as to what needs to be done to
>> add an AV assertion rule to our policy.
>>
>> Thanks
>> Anamitra&  Radha
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> questions like this should be asked on the SELinux<selinux@tycho.nsa.gov>  Mail List.
>
> I am not sure what you are asking for.


assert.te was the old place for neverallow rules in the example policy. In the 
reference policy neverallows are put in their appropriate place (you could grep 
for them in the source policy if you want to see).

However, with RHEL5 and greater distros you can just insert policy modules to 
add rules (including assertions). So just follow the RHEL5 instructions on 
adding a policy and you can add neverallows there.

You also need to enable assertion checking by adding this line to 
/etc/selinux/semanage.conf

expand-check = 1



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Adding AV assertion to selinux policy in RHEL5

[Daniel J Walsh]

On 08/26/2009 12:09 PM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> On 08/25/2009 06:43 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>
>>>
>>> We are looking for a well documented procedure to add AV assertion to
>>> selinux policy on RHEL5.
>>> So far all SELinux URL links refer to the fact that the AV assertion
>>> needs to be added to assert.te file under $SELINUX_SRC folder.
>>> This appears to be true only for RHEL4 not RHEL5 since there is no src
>>> folder under /etc/selinux/targeted that contains the source policies in
>>> RHEL5.
>>> We have installed and built the selinux-policy-2.4.6-248.el5.src.rpm on
>>> our RHEL5.4 box and we did not find any assert.te file.
>>> Can someone help us with the exact method as to what needs to be done to
>>> add an AV assertion rule to our policy.
>>>
>>> Thanks
>>> Anamitra&  Radha
>>>
>>> -- 
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> questions like this should be asked on the
>> SELinux<selinux@tycho.nsa.gov>  Mail List.
>>
>> I am not sure what you are asking for.
> 
> 
> assert.te was the old place for neverallow rules in the example policy.
> In the reference policy neverallows are put in their appropriate place
> (you could grep for them in the source policy if you want to see).
> 
> However, with RHEL5 and greater distros you can just insert policy
> modules to add rules (including assertions). So just follow the RHEL5
> instructions on adding a policy and you can add neverallows there.
> 
> You also need to enable assertion checking by adding this line to
> /etc/selinux/semanage.conf
> 
> expand-check = 1
> 
> 
> 
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 
Right but I am not sure they want a neverallow rule.  

I still would like to have them explain what they want for assertions.  Are they just looking to 
make sure that no one loads a policy module that allows a certain rule?  If yes then Josh is correct.
If they are looking to remove some access from a domain, like a DENY rule, then assertions will not do it, other then getting
the policy build to blow up (if expand-check is turnedon)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Adding AV assertion to selinux policy in RHEL5

[Joshua Brindle]

Anamitra Dutta Majumdar (anmajumd) wrote:
> Hi Daniel, Joshua,
>
> We need a neverallow rule to forbid all apps including the ones running
> as root and  except insmod and modprobe from acessing the /lib folder .
>

You can't do that with a neverallow rule. A neverallow rule is an assertion that 
will cause a policy build error if it is violated.

You will need to remove all of the offending rules from the policy, which is 
non-trivial.

Though I must say, I don't quite understand what security goal you are trying to 
attain.

> Thanks
> Anamitra
>
> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
> Sent: Wednesday, August 26, 2009 10:14 AM
> To: Joshua Brindle
> Cc: Anamitra Dutta Majumdar (anmajumd); SE Linux
> Subject: Re: Adding AV assertion to selinux policy in RHEL5
>
> On 08/26/2009 12:09 PM, Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> On 08/25/2009 06:43 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>>
>>>> We are looking for a well documented procedure to add AV assertion
>>>> to selinux policy on RHEL5.
>>>> So far all SELinux URL links refer to the fact that the AV assertion
>
>>>> needs to be added to assert.te file under $SELINUX_SRC folder.
>>>> This appears to be true only for RHEL4 not RHEL5 since there is no
>>>> src folder under /etc/selinux/targeted that contains the source
>>>> policies in RHEL5.
>>>> We have installed and built the selinux-policy-2.4.6-248.el5.src.rpm
>
>>>> on our RHEL5.4 box and we did not find any assert.te file.
>>>> Can someone help us with the exact method as to what needs to be
>>>> done to add an AV assertion rule to our policy.
>>>>
>>>> Thanks
>>>> Anamitra&   Radha
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>> questions like this should be asked on the
>>> SELinux<selinux@tycho.nsa.gov>   Mail List.
>>>
>>> I am not sure what you are asking for.
>>
>> assert.te was the old place for neverallow rules in the example
> policy.
>> In the reference policy neverallows are put in their appropriate place
>
>> (you could grep for them in the source policy if you want to see).
>>
>> However, with RHEL5 and greater distros you can just insert policy
>> modules to add rules (including assertions). So just follow the RHEL5
>> instructions on adding a policy and you can add neverallows there.
>>
>> You also need to enable assertion checking by adding this line to
>> /etc/selinux/semanage.conf
>>
>> expand-check = 1
>>
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing
> list.
>> If you no longer wish to subscribe, send mail to
>> majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without
>> quotes as the message.
>>
>>
> Right but I am not sure they want a neverallow rule.
>
> I still would like to have them explain what they want for assertions.
> Are they just looking to make sure that no one loads a policy module
> that allows a certain rule?  If yes then Josh is correct.
> If they are looking to remove some access from a domain, like a DENY
> rule, then assertions will not do it, other then getting the policy
> build to blow up (if expand-check is turnedon)
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.