From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] FW:  Add support for the samhain program
Date: Wed, 17 Nov 2010 09:02:40 -0500
Message-ID: <4CE3E080.9070109@tresys.com>
In-Reply-To: <SNT139-w50892A240BA2A05A929498AB370@phx.gbl>

On 11/16/10 02:11, HarryCiao wrote:
> Hi Chris,
> 
> The attached is the v3 of the samhain.pp, I have kept improving
> it according to the suggestions from Dominick Grift. Now the sysadm and
> secadm could have full control over the whole samhain application.
> 
> Any other comments?

Comments inline.

> From 05eb3e1893917d5fbc83daddd37edb003281bd1d Mon Sep 17 00:00:00 2001
> From: Harry Ciao <qingtao.cao@windriver.com>
> Date: Mon, 8 Nov 2010 14:42:38 +0800
> Subject: [v3 PATCH 1/1] Add support for the samhain program.
> 
> Note, extra privileges may need to be granted to the samhain domain
> if its configuration file (/etc/samhainrc) is changed.
> 
> The samhain program could be used in the following way:
> 
> (In secadm_r role)
> 1. Initialize filesystem signature database:
> newrole -l s15:c0.c1023 -p -- -c "samhain -t init"
> 
> 2. Start samhain daemon to check filesystem integrity
> newrole -l s15:c0.c1023 -p -- -c "samhain -t check -D"
> 
> 3. Update filesystem signature database:
> newrole -l s15:c0.c1023 -p -- -c "samhain -t update"

Sounds like there needs to be a range_transition in the run interface.

> (In sysadm_r role)
> 1. Start samhain in daemon mode:
> run_init /etc/init.d/samhain start
> 
> 2. Stop samhain daemon:
> run_init /etc/init.d/samhain stop
> 
> 3. Check samhain daemon status:
> run_init /etc/init.d/samhain status
> 
> 4. Read/write samhain log files:
> newrole -l s15:c0.c1023 -p -- -c "cat /var/log/samhain_log"
> newrole -l s15:c0.c1023 -p -- -c "rm /var/log/samhain_log"
> 
> 5. Remove samhain database files
> newrole -l s15:c0.c1023 -p -- -c "rm /var/lib/samhain/samhain_file"
> 
> Note:
> 1. Stop samhain daemon before updating signature database.
> 2. Don't try to start samhain daemon twice.
> 
> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
> ---
>  policy/modules/roles/sysadm.te      |    4 +
>  policy/modules/services/samhain.fc  |   13 +++
>  policy/modules/services/samhain.if  |  186 +++++++++++++++++++++++++++++++++++
>  policy/modules/services/samhain.te  |  114 +++++++++++++++++++++
>  policy/modules/system/userdomain.if |    4 +
>  5 files changed, 321 insertions(+), 0 deletions(-)
>  create mode 100644 policy/modules/services/samhain.fc
>  create mode 100644 policy/modules/services/samhain.if
>  create mode 100644 policy/modules/services/samhain.te
> 
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index d5e88be..0655d95 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -290,6 +290,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	samhain_admin(sysadm_t)
> +')
> +
> +optional_policy(`
>  	screen_role_template(sysadm, sysadm_r, sysadm_t)
>  ')
>  
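Review bot: calling samhain_admin(sysadm_t) here pulls in the mls_file_write_all_levels($1) line at the end of samhain_admin in samhain.if, so this hunk hands sysadm_t an MLS write-down override on every level as a side effect of a module being installed; drop that line from the interface so that the caller has to supply its own MLS privileges, and keep this hunk as it is.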
> diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc
> new file mode 100644
> index 0000000..b0ac8a5
> --- /dev/null
> +++ b/policy/modules/services/samhain.fc
> @@ -0,0 +1,13 @@
> +/etc/rc\.d/init\.d/samhain	--	gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh)

This should be s0, as there is nothing sensitive about this file.

> +/etc/samhainrc	--	gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)

Unless there is sensitive info in this file, it should be s0.

> +/usr/sbin/samhain	--	gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
> +/usr/sbin/samhain_setpwd	--	gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)

Same thing, s0.

> +/var/lib/samhain(/.*)?	gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
> +
> +/var/log/samhain_log	--	gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> +/var/log/samhain_log\.lock	--	gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
> +
> +/var/run/samhain\.pid	--	gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
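Review bot: /usr/sbin/samhain_setpwd is labelled samhain_exec_t alongside /usr/sbin/samhain, so the domtrans_pattern in samhain_domtrans makes it enter samhain_t with the daemon's full rights (manage on samhain_db_t, samhain_log_t and samhain_var_run_t plus the capabilities granted in samhain.te); unless it needs those, drop the entry so it keeps the default bin_t label, or give it a separate type.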
> diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if
> new file mode 100644
> index 0000000..a7f2a48
> --- /dev/null
> +++ b/policy/modules/services/samhain.if
> @@ -0,0 +1,186 @@
> +## <summary>Samhain - check file integrity</summary>
> +
> +########################################
> +## <summary>
> +##	Execute samhain in the samhain domain
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`samhain_domtrans',`
> +	gen_require(`
> +		type samhain_t, samhain_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	domtrans_pattern($1, samhain_exec_t, samhain_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute samhain in the samhain domain, and
> +##	allow the specifiled role the samhain domain
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed to access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`samhain_run',`
> +	gen_require(`
> +		type samhain_t;
> +	')
> +
> +	samhain_domtrans($1)
> +	role $2 types samhain_t;
> +')
> +
> +########################################
> +## <summary>
> +##	Manage samhain configuration files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samhain_manage_config_files',`
> +	gen_require(`
> +		type samhain_etc_t;
> +	')
> +
> +	files_search_etc($1)
> +	manage_files_pattern($1, samhain_etc_t, samhain_etc_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage samhain database files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samhain_manage_db_files',`
> +	gen_require(`
> +		type samhain_db_t;
> +	')
> +
> +	files_search_var_lib($1)
> +	manage_files_pattern($1, samhain_db_t, samhain_db_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage samhain log and log.lock files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samhain_manage_log_files',`
> +	gen_require(`
> +		type samhain_log_t;
> +	')
> +
> +	logging_search_logs($1)
> +	manage_files_pattern($1, samhain_log_t, samhain_log_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage samhain pid files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samhain_manage_pid_files',`
> +	gen_require(`
> +		type samhain_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
> +')
> +
> +#######################################
> +## <summary>
> +##	Manage samhain rc script files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samhain_manage_rc_script_files',`

samhain_manage_init_script_files()

> +	gen_require(`
> +		type samhain_initrc_exec_t;
> +	')
> +
> +	files_search_etc($1)
> +	manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
> +')
> +
> +#######################################
> +## <summary>
> +##	All of the rules required to administrate
> +##	the samhain environment.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	This interface makes the calling domain able to
> +##	ptrace and send signals to the samhain domain,
> +##	also able to manage all samhain userspace files,
> +##	but assumes that the calling domain has been able to
> +##	remove an entry from /var/lib/ or /var/log/.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`samhain_admin',`
> +	gen_require(`
> +		type samhain_t, samhain_db_t, samhain_etc_t;
> +		type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
> +	')
> +
> +	allow $1 samhain_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, samhain_t)
> +
> +	files_list_var_lib($1)
> +	admin_pattern($1, samhain_db_t)
> +	
> +	files_list_etc($1)
> +	admin_pattern($1, samhain_etc_t)
> +	admin_pattern($1, samhain_initrc_exec_t)
> +
> +	logging_list_logs($1)
> +	admin_pattern($1, samhain_log_t)
> +
> +	files_list_pids($1)
> +	admin_pattern($1, samhain_var_run_t)
> +	
> +	mls_file_write_all_levels($1)

No.  The caller needs to pass MLS constraints on its own.  This is too
big of a privilege.

> +')
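Review bot: samhain_manage_config_files, samhain_manage_db_files, samhain_manage_log_files, samhain_manage_pid_files and samhain_manage_rc_script_files have no callers in this patch (samhain_admin uses admin_pattern directly, and sysadm.te and userdomain.if call only samhain_admin and samhain_run); drop the unused interfaces or keep only those a known caller needs. Also fix the typo in the samhain_run summary: `allow the specifiled role the samhain domain` should read `specified`.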
> diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te
> new file mode 100644
> index 0000000..612795f
> --- /dev/null
> +++ b/policy/modules/services/samhain.te
> @@ -0,0 +1,114 @@
> +policy_module(samhain, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type samhain_etc_t;
> +files_config_file(samhain_etc_t)
> +
> +type samhain_log_t;
> +logging_log_file(samhain_log_t)
> +
> +# Filesystem signature database
> +type samhain_db_t;
> +files_type(samhain_db_t)
> +
> +type samhain_initrc_exec_t;
> +init_script_file(samhain_initrc_exec_t)
> +
> +type samhain_var_run_t;
> +files_pid_file(samhain_var_run_t)
> +
> +type samhain_t;
> +type samhain_exec_t;
> +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh)

Needs a new domain.  There should be a domain for this as a service, and
a domain for command line access.  Then hopefully that should allow the
service to only be allowed read-only access to the database.

> +########################################
> +#
> +# Local policy
> +#
> +
> +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock };
> +dontaudit samhain_t self:capability sys_resource;
> +allow samhain_t self:fd use;
> +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon
> +allow samhain_t self:process { setsched setrlimit signal_perms };
> +
> +allow samhain_t samhain_etc_t:file read_file_perms;
> +
> +# Only needed when starting samhain daemon from its init script.
> +can_exec(samhain_t, samhain_exec_t)
> +
> +# Samhain needs to get the attribute of /proc/kcore.
> +kernel_getattr_core_if(samhain_t)
> +
> +corecmd_list_bin(samhain_t)
> +corecmd_read_bin_symlinks(samhain_t)
> +
> +# To get entropy
> +dev_read_urand(samhain_t)
> +dev_dontaudit_read_rand(samhain_t)
> +
> +domain_use_interactive_fds(samhain_t)
> +
> +files_search_etc(samhain_t)
> +
> +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t)
> +files_pid_filetrans(samhain_t, samhain_var_run_t, file)
> +
> +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
> +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
> +
> +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t)
> +logging_log_filetrans(samhain_t, samhain_log_t, file)
> +
> +# Samhain's pid, log and log.lock files are all in directories of s0,
> +# while samhain daemon is running with the clearance level.
> +mls_file_write_all_levels(samhain_t)
> +
> +# Read from utmp when monitoring login/logout events
> +auth_read_login_records(samhain_t)
> +
> +# Get the attributes of all kinds of files in the rootfs
> +dev_getattr_all_blk_files(samhain_t)
> +dev_getattr_all_chr_files(samhain_t)
> +dev_getattr_generic_blk_files(samhain_t)
> +dev_getattr_generic_chr_files(samhain_t)
> +
> +files_getattr_all_dirs(samhain_t)
> +files_getattr_all_files(samhain_t)
> +files_getattr_all_symlinks(samhain_t)
> +files_getattr_all_pipes(samhain_t)
> +files_getattr_all_sockets(samhain_t)
> +files_getattr_all_mountpoints(samhain_t)
> +
> +# Read from the file_type attribute and the lnk_file class
> +files_read_all_files(samhain_t)
> +files_read_all_symlinks(samhain_t)
> +
> +# Read from wtmp when monitoring login/logout events
> +init_read_utmp(samhain_t)
> +
> +# Get the attribute of other filesystem's mountpoint, such as /selinux
> +# /proc, /sys and /tmp, but not the contents inside, which suggests
> +# that following rules should be set in samhain configuration file:
> +# [Attributes]
> +#    file = /tmp
> +#    file = /proc
> +#    file = /sys
> +#    file = /selinux
> +# [IgnoreALL]
> +#    dir = -1/tmp
> +#    dir = -1/proc
> +#    dir = -1/sys
> +#    dir = -1/selinux
> +fs_getattr_all_dirs(samhain_t)
> +
> +# Get attribute of files with variant sensitivity levels
> +mls_file_read_all_levels(samhain_t)

If the service is running at system high, I wouldn't expect that this is
necessary.

> +logging_send_syslog_msg(samhain_t)
> +
> +userdom_use_user_terminals(samhain_t)
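Review bot: files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir }) makes directories the daemon creates under /var/lib come out as samhain_db_t, but the domain only gets manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t), which covers files and rw_dir_perms on existing directories, not dir create; either add manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t) so the /var/lib/samhain(/.*)? tree from samhain.fc can be created, or drop dir from the filetrans if the directory is always shipped by the package.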
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index ea7b47d..7a847eb 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1249,6 +1249,10 @@ template(`userdom_security_admin_template',`
>  	')
>  
>  	optional_policy(`
> +		samhain_run($1, $2)
> +	')
> +
> +	optional_policy(`
>  		consoletype_exec($1)
>  	')
>  
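Review bot: the samhain_run($1, $2) block is inserted ahead of consoletype_exec($1), out of the alphabetical module order refpolicy keeps for optional_policy blocks; move it below the blocks for modules that sort before "s". Also, samhain_run only does the domain transition and role authorisation, so a secadm process enters samhain_t at the caller's current level, which is why every invocation in the commit message is wrapped in newrole -l s15:c0.c1023; a range_transition in samhain_run matching the mls_systemhigh given to init_ranged_daemon_domain in samhain.te would remove that step.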
> -- 
> 1.7.0.4


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
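The review above turns on which file-contexts entries should carry mls_systemhigh and which should be s0. The following is an added example, not refpolicy code and not part of the samhain patch: a small parser for the refpolicy .fc line format (`<path regex> [<file type>] gen_context(user:role:type[,level])`) that lists the level used per type and flags mls_systemhigh entries under path prefixes holding code or configuration. The prefix list, the s0 default for an entry without a level, and the spaces used instead of tabs in the constructed sample are assumptions of this example; the sample lines are the entries from the samhain.fc hunk.

```python
"""Lint the MLS level of SELinux file-contexts (.fc) entries.

Added example for this review thread: it is neither refpolicy code nor part
of the samhain patch. It parses lines in the refpolicy .fc format,
    <path regex>  [<file type>]  gen_context(user:role:type[,level])
and reports entries that carry mls_systemhigh under path prefixes that hold
code or configuration rather than data. The prefix list and the s0 default
for a missing level are assumptions of this example.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set

# One .fc entry: path regex, optional file-type flag (--, -d, -l, ...),
# then gen_context(user:role:type[,level]).
FC_LINE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-a-z])\s+)?"
    r"gen_context\((?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^,)]+)"
    r"(?:,(?P<level>[^)]+))?\)\s*$"
)

# Paths under these prefixes hold code and configuration, not data whose
# confidentiality calls for a high level (assumption of this example).
NON_SENSITIVE_PREFIXES = ("/etc/", "/usr/sbin/", "/usr/bin/", "/bin/", "/sbin/")


class FcEntry(NamedTuple):
    path: str
    ftype: Optional[str]
    type_: str
    level: str


def parse_fc(text: str) -> List[FcEntry]:
    """Parse .fc text into entries; blank and comment lines are skipped."""
    entries: List[FcEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError(f"unparsed .fc line: {line!r}")
        level = (m["level"] or "s0").strip()  # assumption: no level means s0
        entries.append(FcEntry(m["path"], m["ftype"], m["type"].strip(), level))
    return entries


def levels_by_type(entries: List[FcEntry]) -> Dict[str, Set[str]]:
    """Map each type to the set of MLS levels its entries use."""
    out: Dict[str, Set[str]] = {}
    for e in entries:
        out.setdefault(e.type_, set()).add(e.level)
    return out


def flag_systemhigh(entries: List[FcEntry]) -> List[FcEntry]:
    """Entries labelled mls_systemhigh under a non-sensitive prefix."""
    return [
        e for e in entries
        if e.level == "mls_systemhigh" and e.path.startswith(NON_SENSITIVE_PREFIXES)
    ]


# Constructed sample: the entries from the samhain.fc hunk under review,
# with spaces instead of tabs between the fields.
SAMPLE_FC = r"""
/etc/rc\.d/init\.d/samhain  --  gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh)
/etc/samhainrc  --  gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
/usr/sbin/samhain  --  gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
/usr/sbin/samhain_setpwd  --  gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh)
/var/lib/samhain(/.*)?  gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
/var/log/samhain_log  --  gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
/var/log/samhain_log\.lock  --  gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
/var/run/samhain\.pid  --  gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
"""

if __name__ == "__main__":
    parsed = parse_fc(SAMPLE_FC)
    for t, levels in sorted(levels_by_type(parsed).items()):
        print(f"{t:28s} {', '.join(sorted(levels))}")
    for e in flag_systemhigh(parsed):
        print(f"review level: {e.path} ({e.type_}) is mls_systemhigh")
```

On the sample the four entries under /etc and /usr/sbin are flagged, which matches the three "should be s0" comments in the review, while the database, log and pid entries under /var pass through for a human decision.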
