From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 17 Nov 2010 09:02:40 -0500 Subject: [refpolicy] FW: Add support for the samhain program In-Reply-To: References: , , , , <20101111121804.GA17316@localhost.localdomain>, , , , <20101112115307.GB21277@localhost.localdomain>, , , , <20101115123522.GE21277@localhost.localdomain>, Message-ID: <4CE3E080.9070109@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 11/16/10 02:11, HarryCiao wrote: > Hi Chris, > > The attached is the v3 of the samhain.pp, I have been keeping improving > it according to the suggestions from Dominick Grift. Now the sysadm and > secadm could have a full control over the whole samhain application. > > Any other comments? Comments inline. > From 05eb3e1893917d5fbc83daddd37edb003281bd1d Mon Sep 17 00:00:00 2001 
> From: Harry Ciao > Date: Mon, 8 Nov 2010 14:42:38 +0800 > Subject: [v3 PATCH 1/1] Add support for the samhain program. > > Note, extra privileges may need to be granted to the samhain domain > if its configuration file(/etc/samhainrc) is changed. > > The samhain program could be used in the following way: > > (In secadm_r role) > 1. Initialize filesystem signature database: > newrole -l s15:c0.c1023 -p -- -c "samhain -t init" > > 2. Start samhain daemon to check filesystem integrity > newrole -l s15:c0.c1023 -p -- -c "samhain -t check -D" > > 3. Update filesystem signature database: > newrole -l s15:c0.c1023 -p -- -c "samhain -t update" Sounds like there needs to be a range_transition in the run interface. > (In sysadm_r role) > 1. Start samhain in daemon mode: > run_init /etc/init.d/samhain start > > 2. Stop samhain daemon: > run_init /etc/init.d/samhain stop > > 3. Check samhain daemon status: > run_init /etc/init.d/samhain status > > 4. Read/write samhain log files: > newrole -l s15:c0.c1023 -p -- -c "cat /var/log/samhain_log" > newrole -l s15:c0.c1023 -p -- -c "rm /var/log/samhain_log" > > 5. Remove samhain database files > newrole -l s15:c0.c1023 -p -- -c "rm /var/lib/samhain/samhain_file" > > Note: > 1. Stop samhain daemon before updating signature database. > 2. Don't try to start samhain daemon twice. > > Signed-off-by: Harry Ciao > --- > policy/modules/roles/sysadm.te | 4 + > policy/modules/services/samhain.fc | 13 +++ > policy/modules/services/samhain.if | 186 +++++++++++++++++++++++++++++++++++ > policy/modules/services/samhain.te | 114 +++++++++++++++++++++ > policy/modules/system/userdomain.if | 4 + > 5 files changed, 321 insertions(+), 0 deletions(-) > create mode 100644 policy/modules/services/samhain.fc > create mode 100644 policy/modules/services/samhain.if > create mode 100644 policy/modules/services/samhain.te > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index d5e88be..0655d95 100644 
> --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -290,6 +290,10 @@ optional_policy(` > ') > > optional_policy(` > + samhain_admin(sysadm_t) > +') > + > +optional_policy(` > screen_role_template(sysadm, sysadm_r, sysadm_t) > ') > > diff --git a/policy/modules/services/samhain.fc b/policy/modules/services/samhain.fc > new file mode 100644 > index 0000000..b0ac8a5 > --- /dev/null > +++ b/policy/modules/services/samhain.fc > @@ -0,0 +1,13 @@ > +/etc/rc\.d/init\.d/samhain -- gen_context(system_u:object_r:samhain_initrc_exec_t,mls_systemhigh) This should be s0, as there is nothing sensitive about this file. > +/etc/samhainrc -- gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh) Unless there is sensitive info in this file, it should be s0. > +/usr/sbin/samhain -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh) > +/usr/sbin/samhain_setpwd -- gen_context(system_u:object_r:samhain_exec_t,mls_systemhigh) Same thing, s0. > +/var/lib/samhain(/.*)? gen_context(system_u:object_r:samhain_db_t,mls_systemhigh) > + > +/var/log/samhain_log -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh) > +/var/log/samhain_log\.lock -- gen_context(system_u:object_r:samhain_log_t,mls_systemhigh) > + > +/var/run/samhain\.pid -- gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh) > diff --git a/policy/modules/services/samhain.if b/policy/modules/services/samhain.if > new file mode 100644 > index 0000000..a7f2a48 > --- /dev/null > +++ b/policy/modules/services/samhain.if 
> @@ -0,0 +1,186 @@ > +## Samhain - check file integrity > + > +######################################## > +## > +## Execute samhain in the samhain domain > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`samhain_domtrans',` > + gen_require(` > + type samhain_t, samhain_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, samhain_exec_t, samhain_t) > +') > + > +######################################## > +## > +## Execute samhain in the samhain domain, and > +## allow the specifiled role the samhain domain > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## Role allowed to access. > +## > +## > +## > +# > +interface(`samhain_run',` > + gen_require(` > + type samhain_t; > + ') > + > + samhain_domtrans($1) > + role $2 types samhain_t; > +') > + > +######################################## > +## > +## Manage samhain configuration files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samhain_manage_config_files',` > + gen_require(` > + type samhain_etc_t; > + ') > + > + files_search_etc($1) > + manage_files_pattern($1, samhain_etc_t, samhain_etc_t) > +') > + > +######################################## > +## > +## Manage samhain database files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samhain_manage_db_files',` > + gen_require(` > + type samhain_db_t; > + ') > + > + files_search_var_lib($1) > + manage_files_pattern($1, samhain_db_t, samhain_db_t) > +') > + > +######################################## > +## > +## Manage samhain log and log.lock files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samhain_manage_log_files',` > + gen_require(` > + type samhain_log_t; > + ') > + > + logging_search_logs($1) > + manage_files_pattern($1, samhain_log_t, samhain_log_t) > +') > + > +######################################## > +## > +## Manage samhain pid files. 
> +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samhain_manage_pid_files',` > + gen_require(` > + type samhain_var_run_t; > + ') > + > + files_search_pids($1) > + manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t) > +') > + > +####################################### > +## > +## Manage samhain rc script files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samhain_manage_rc_script_files',` samhain_manage_init_script_files() > + gen_require(` > + type samhain_initrc_exec_t; > + ') > + > + files_search_etc($1) > + manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t) > +') > + > +####################################### > +## > +## All of the rules required to administrate > +## the samhain environment. > +## > +## > +##

> +## This interface makes the calling domain able to > +## ptrace and send signals to the samhain domain, > +## also able to manage all samhain userspace files, > +## but assumes that the calling domain has been able to > +## remove an entry from /var/lib/ or /var/log/. > +##

> +##
> +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`samhain_admin',` > + gen_require(` > + type samhain_t, samhain_db_t, samhain_etc_t; > + type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; > + ') > + > + allow $1 samhain_t:process { ptrace signal_perms }; > + ps_process_pattern($1, samhain_t) > + > + files_list_var_lib($1) > + admin_pattern($1, samhain_db_t) > + > + files_list_etc($1) > + admin_pattern($1, samhain_etc_t) > + admin_pattern($1, samhain_initrc_exec_t) > + > + logging_list_logs($1) > + admin_pattern($1, samhain_log_t) > + > + files_list_pids($1) > + admin_pattern($1, samhain_var_run_t) > + > + mls_file_write_all_levels($1) No. The caller needs to pass MLS constraints on its own. This is too big of a privilege. > +') > diff --git a/policy/modules/services/samhain.te b/policy/modules/services/samhain.te > new file mode 100644 > index 0000000..612795f > --- /dev/null > +++ b/policy/modules/services/samhain.te 
> @@ -0,0 +1,114 @@ > +policy_module(samhain, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type samhain_etc_t; > +files_config_file(samhain_etc_t) > + > +type samhain_log_t; > +logging_log_file(samhain_log_t) > + > +# Filesystem signature database > +type samhain_db_t; > +files_type(samhain_db_t) > + > +type samhain_initrc_exec_t; > +init_script_file(samhain_initrc_exec_t) > + > +type samhain_var_run_t; > +files_pid_file(samhain_var_run_t) > + > +type samhain_t; > +type samhain_exec_t; > +init_ranged_daemon_domain(samhain_t, samhain_exec_t, mls_systemhigh) Needs a new domain. There should be a domain for this as a service, and a domain for command line access. Then hopefully that should allow the service to only be allowed read-only access to the database. > +######################################## > +# > +# Local policy > +# > + > +allow samhain_t self:capability { dac_override dac_read_search fowner ipc_lock }; > +dontaudit samhain_t self:capability sys_resource; > +allow samhain_t self:fd use; > +# Need signal_perms to send SIGABRT/SIGKILL to termiate the samhain daemon > +allow samhain_t self:process { setsched setrlimit signal_perms }; > + > +allow samhain_t samhain_etc_t:file read_file_perms; > + > +# Only needed when starting samhain daemon from its init script. > +can_exec(samhain_t, samhain_exec_t) > + > +# Samhain needs to get the attribute of /proc/kcore. 
> +kernel_getattr_core_if(samhain_t) > + > +corecmd_list_bin(samhain_t) > +corecmd_read_bin_symlinks(samhain_t) > + > +# To get entropy > +dev_read_urand(samhain_t) > +dev_dontaudit_read_rand(samhain_t) > + > +domain_use_interactive_fds(samhain_t) > + > +files_search_etc(samhain_t) > + > +manage_files_pattern(samhain_t, samhain_var_run_t, samhain_var_run_t) > +files_pid_filetrans(samhain_t, samhain_var_run_t, file) > + > +manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t) > +files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir }) > + > +manage_files_pattern(samhain_t, samhain_log_t, samhain_log_t) > +logging_log_filetrans(samhain_t, samhain_log_t, file) > + > +# Samhain's pid, log and log.lock files are all in directories of s0, > +# while samhain daemon is running with the clearance level. > +mls_file_write_all_levels(samhain_t) > + > +# Read from utmp when monitoring login/logout events > +auth_read_login_records(samhain_t) > + > +# Get the attributes of all kinds of files in the rootfs > +dev_getattr_all_blk_files(samhain_t) > +dev_getattr_all_chr_files(samhain_t) > +dev_getattr_generic_blk_files(samhain_t) > +dev_getattr_generic_chr_files(samhain_t) > + > +files_getattr_all_dirs(samhain_t) > +files_getattr_all_files(samhain_t) > +files_getattr_all_symlinks(samhain_t) > +files_getattr_all_pipes(samhain_t) > +files_getattr_all_sockets(samhain_t) > +files_getattr_all_mountpoints(samhain_t) > + > +# Read from the file_type attribute and the lnk_file class > +files_read_all_files(samhain_t) > +files_read_all_symlinks(samhain_t) > + > +# Read from wtmp when monitoring login/logout events > +init_read_utmp(samhain_t) > + > +# Get the attribute of other filesystem's mountpoint, such as /selinux > +# /proc, /sys and /tmp, but not the contents inside, which suggests > +# that following rules should be set in samhain configuration file: > +# [Attributes] > +# file = /tmp > +# file = /proc > +# file = /sys > +# file = /selinux > +# [IgnoreALL] > +# dir = 
-1/tmp > +# dir = -1/proc > +# dir = -1/sys > +# dir = -1/selinux > +fs_getattr_all_dirs(samhain_t) > + > +# Get attribute of files with variant sensitivity levels > +mls_file_read_all_levels(samhain_t) If the service is running at system high, I wouldn't expect that this is necessary. > +logging_send_syslog_msg(samhain_t) > + > +userdom_use_user_terminals(samhain_t) > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index ea7b47d..7a847eb 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -1249,6 +1249,10 @@ template(`userdom_security_admin_template',` > ') > > optional_policy(` > + samhain_run($1, $2) > + ') > + > + optional_policy(` > consoletype_exec($1) > ') > > -- > 1.7.0.4 -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
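Review bot: in the samhain.fc hunk, /usr/sbin/samhain_setpwd carries the same samhain_exec_t label as /usr/sbin/samhain, so samhain_domtrans() moves a caller into samhain_t for both binaries and the setpwd helper inherits every capability and file rule written for the daemon. If samhain_setpwd does not need the daemon's access, leave it with the default bin label or give it its own type, and either way put a short comment beside the entry saying which was intended.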
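Review bot: in the samhain.if hunk, samhain_admin() takes only a domain parameter and never grants execution of the init script, so the caller can start or stop the service only through run_init (which is what the commit message documents); the usual refpolicy admin interface shape is samhain_admin($1, $2) with `init_labeled_script_domtrans($1, samhain_initrc_exec_t)`, `domain_system_change_exemption($1)` and `role_transition $2 samhain_initrc_exec_t system_r;` (plus `allow $2 system_r;`) so the administrator can run /etc/init.d/samhain directly. Two smaller points in the same hunk: samhain_manage_config_files(), samhain_manage_db_files(), samhain_manage_log_files(), samhain_manage_pid_files() and samhain_manage_rc_script_files() have no callers anywhere in this patch (samhain_admin() uses admin_pattern directly), so either drop them or say what they are for; and the samhain_run() summary reads "specifiled" for "specified".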
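Review bot: in the samhain.te hunk, files_read_all_files(samhain_t) grants read on every type carrying the file_type attribute, which takes in the security_file_type types such as shadow_t, so the daemon can read password hashes as a side effect of hashing the filesystem. If covering those files is intended for the integrity check, say so in the comment above the call (and confirm the build passes the shadow_t neverallow in authlogin); if not, files_read_non_security_files(samhain_t) is the narrower interface. The same hunk's userdom_use_user_terminals(samhain_t) and domain_use_interactive_fds(samhain_t) are only needed for the command line use case, which supports splitting the daemon and the interactive tool into two domains as suggested above.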