* [PATCH] policy module for atop
@ 2011-04-28 13:33 Elia Pinto
  0 siblings, 0 replies; 6+ messages in thread
From: Elia Pinto @ 2011-04-28 13:33 UTC (permalink / raw)
  To: selinux; +Cc: Elia Pinto

From: Elia Pinto <gitter.spiros@gmail.com>

---
 policy/modules/services/atopd.fc |    8 ++
 policy/modules/services/atopd.if |  133 ++++++++++++++++++++++++++++++++++++++
 policy/modules/services/atopd.te |   86 ++++++++++++++++++++++++
 3 files changed, 227 insertions(+), 0 deletions(-)
 create mode 100644 policy/modules/services/atopd.fc
 create mode 100644 policy/modules/services/atopd.if
 create mode 100644 policy/modules/services/atopd.te

diff --git a/policy/modules/services/atopd.fc b/policy/modules/services/atopd.fc
new file mode 100644
index 0000000..508a650
--- /dev/null
+++ b/policy/modules/services/atopd.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/atopd        --      gen_context(system_u:object_r:atopd_initrc_exec_t,s0)
+/usr/bin/atopd                  --      gen_context(system_u:object_r:atopd_exec_t,s0)
+/usr/bin/atop                   --      gen_context(system_u:object_r:atopd_exec_t,s0)
+
+/var/log/atop(/.*)?                     gen_context(system_u:object_r:atopd_log_t,s0)
+/var/run/atop\.pid              --      gen_context(system_u:object_r:atopd_var_run_t,s0)
+/tmp/atop.d(/.*)?                       gen_context(system_u:object_r:atopd_tmp_t,s0)
+
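Review bot: The `.` in `/tmp/atop.d(/.*)?` is unescaped, unlike `atop\.pid` and `init\.d` in the same file, so the pattern also matches paths such as `/tmp/atopXd`; write it as `/tmp/atop\.d(/.*)?`. The 14:03 resend carries the same atopd.fc line unchanged, so the fix applies there too.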
diff --git a/policy/modules/services/atopd.if b/policy/modules/services/atopd.if
new file mode 100644
index 0000000..8e9c1e4
--- /dev/null
+++ b/policy/modules/services/atopd.if
@@ -0,0 +1,133 @@
+## <summary>policy for atopd</summary>
+
+
+########################################
+## <summary>
+##      Execute a domain transition to run atopd.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`atopd_domtrans',`
+        gen_require(`
+                type atopd_t, atopd_exec_t;
+        ')
+
+        domtrans_pattern($1, atopd_exec_t, atopd_t)
+')
+
+
+########################################
+## <summary>
+##      Allow the specified domain to read atopd's log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`atopd_read_log',`
+        gen_require(`
+                type atopd_log_t;
+        ')
+
+        logging_search_logs($1)
+        read_files_pattern($1, atopd_log_t, atopd_log_t)
+')
+
+########################################
+## <summary>
+##      Allow the specified domain to append
+##      atopd log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`atopd_append_log',`
+        gen_require(`
+                type atopd_log_t;
+        ')
+
+        logging_search_logs($1)
+        append_files_pattern($1, atopd_log_t, atopd_log_t)
+')
+
+########################################
+## <summary>
+##      Allow domain to manage atopd log files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`atopd_manage_log',`
+        gen_require(`
+                type atopd_log_t;
+        ')
+
+        logging_search_logs($1)
+        manage_dirs_pattern($1, atopd_log_t, atopd_log_t)
+        manage_files_pattern($1, atopd_log_t, atopd_log_t)
+        manage_lnk_files_pattern($1, atopd_log_t, atopd_log_t)
+')
+
+########################################
+## <summary>
+##      All of the rules required to administrate
+##      an atopd environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`atopd_admin',`
+        gen_require(`
+                type atopd_t;
+                type atopd_log_t;
+        ')
+
+        allow $1 atopd_t:process { ptrace signal_perms };
+        ps_process_pattern($1, atopd_t)
+
+        logging_search_logs($1)
+        admin_pattern($1, atopd_log_t)
+
+')
+
+########################################
+## <summary>
+##    Allow domain signal atopd
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain to not audit.
+##    </summary>
+## </param>
+#
+interface(`atopd_signal',`
+    gen_require(`
+        type atopd_t;
+    ')
+
+    allow $1 atopd_t:process signal;
+')
+
+
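Review bot: Indentation in atopd.if is inconsistent: most interface bodies use eight spaces while `atopd_signal` uses four (`gen_require(` and `allow $1 atopd_t:process signal;`), and refpolicy files are tab-indented, as the logrotate.te context in the 14:03 resend shows; tabs throughout would match the tree. The `<param>` summary for `atopd_append_log` reads `Domain allowed to transition.` although the interface only appends to atopd_log_t files; `Domain allowed access.` is the accurate text. The same applies to the copy of atopd.if in the 14:03 resend.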
diff --git a/policy/modules/services/atopd.te b/policy/modules/services/atopd.te
new file mode 100644
index 0000000..24a2c5d
--- /dev/null
+++ b/policy/modules/services/atopd.te
@@ -0,0 +1,86 @@
+policy_module(atopd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type atopd_t;
+type atopd_exec_t;
+init_daemon_domain(atopd_t, atopd_exec_t)
+
+
+type atopd_initrc_exec_t;
+init_script_file(atopd_initrc_exec_t)
+
+
+can_exec(atopd_t, atopd_exec_t)
+
+type atopd_log_t;
+logging_log_file(atopd_log_t)
+
+type atopd_var_run_t;
+files_pid_file(atopd_var_run_t)
+
+type atopd_tmp_t;
+files_tmp_file(atopd_tmp_t)
+
+
+
+gen_require(`
+    type logrotate_t;
+')
+
+########################################
+#
+# atopd local policy
+#
+
+allow atopd_t self:fifo_file rw_fifo_file_perms;
+allow atopd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow atopd_t self:sem create_sem_perms;
+allow atopd_t self:capability { net_admin setuid sys_nice sys_resource sys_ptrace ipc_lock sys_pacct };
+allow atopd_t self:process    { setsched sigkill setrlimit };
+
+manage_dirs_pattern(atopd_t, atopd_log_t, atopd_log_t)
+manage_files_pattern(atopd_t, atopd_log_t, atopd_log_t)
+logging_log_filetrans(atopd_t, atopd_log_t, { dir file } )
+
+domain_use_interactive_fds(atopd_t)
+
+files_read_etc_files(atopd_t)
+
+miscfiles_read_localization(atopd_t)
+
+
+# pid files
+manage_dirs_pattern(atopd_t, atopd_var_run_t, atopd_var_run_t)
+manage_files_pattern(atopd_t, atopd_var_run_t, atopd_var_run_t)
+files_pid_filetrans(atopd_t, atopd_var_run_t, { dir file  })
+
+# tmp files
+manage_dirs_pattern(atopd_t, atopd_tmp_t, atopd_tmp_t)
+manage_files_pattern(atopd_t, atopd_tmp_t, atopd_tmp_t)
+files_tmp_filetrans(atopd_t, atopd_tmp_t, { dir file  })
+
+
+
+auth_use_nsswitch(atopd_t)
+
+domain_read_all_domains_state(atopd_t)
+
+kernel_list_proc(atopd_t)
+kernel_read_network_state(atopd_t)
+kernel_read_system_state(atopd_t)
+
+fs_getattr_xattr_fs(atopd_t)
+
+corecmd_exec_bin(atopd_t)
+
+acct_manage_data(atopd_t)
+
+# add to logrotate
+
+atopd_signal(logrotate_t)
+
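Review bot: `atopd_signal(logrotate_t)` at the end of atopd.te, backed by a file-scope `gen_require` on `logrotate_t`, makes the atopd module refuse to load unless the logrotate module is present; the 14:03 resend moves the call into logrotate.te under `optional_policy()`, which is the right shape. `kernel_list_proc(atopd_t)` is redundant next to `kernel_read_system_state(atopd_t)`, which already lists proc_t directories, so it can be dropped. `domain_read_all_domains_state(atopd_t)` together with the `sys_ptrace` capability is the broadest grant in the module and carries no comment; a line such as `# presumably atop samples every process's /proc entries — confirm` above it would record why the daemon needs it. The last two points apply equally to the copy of atopd.te in the 14:03 resend.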
-- 
1.7.2.1.44.g721e7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [PATCH] policy module for atop
@ 2011-04-28 14:03 Elia Pinto
  2011-04-28 14:50 ` Dominick Grift
  0 siblings, 1 reply; 6+ messages in thread
From: Elia Pinto @ 2011-04-28 14:03 UTC (permalink / raw)
  To: selinux; +Cc: Elia Pinto

From: Elia Pinto <gitter.spiros@gmail.com>

---
 policy/modules/admin/logrotate.te |    4 +
 policy/modules/services/atopd.fc  |    8 ++
 policy/modules/services/atopd.if  |  133 +++++++++++++++++++++++++++++++++++++
 policy/modules/services/atopd.te  |   77 +++++++++++++++++++++
 4 files changed, 222 insertions(+), 0 deletions(-)
 create mode 100644 policy/modules/services/atopd.fc
 create mode 100644 policy/modules/services/atopd.if
 create mode 100644 policy/modules/services/atopd.te

diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 7090dae..6423b3c 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -182,6 +182,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	atopd_signal(logrotate_t)
+')
+
+optional_policy(`
 	mailman_domtrans(logrotate_t)
 	mailman_search_data(logrotate_t)
 	mailman_manage_log(logrotate_t)
diff --git a/policy/modules/services/atopd.fc b/policy/modules/services/atopd.fc
new file mode 100644
index 0000000..508a650
--- /dev/null
+++ b/policy/modules/services/atopd.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/atopd        --      gen_context(system_u:object_r:atopd_initrc_exec_t,s0)
+/usr/bin/atopd                  --      gen_context(system_u:object_r:atopd_exec_t,s0)
+/usr/bin/atop                   --      gen_context(system_u:object_r:atopd_exec_t,s0)
+
+/var/log/atop(/.*)?                     gen_context(system_u:object_r:atopd_log_t,s0)
+/var/run/atop\.pid              --      gen_context(system_u:object_r:atopd_var_run_t,s0)
+/tmp/atop.d(/.*)?                       gen_context(system_u:object_r:atopd_tmp_t,s0)
+
diff --git a/policy/modules/services/atopd.if b/policy/modules/services/atopd.if
new file mode 100644
index 0000000..8e9c1e4
--- /dev/null
+++ b/policy/modules/services/atopd.if
@@ -0,0 +1,133 @@
+## <summary>policy for atopd</summary>
+
+
+########################################
+## <summary>
+##      Execute a domain transition to run atopd.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`atopd_domtrans',`
+        gen_require(`
+                type atopd_t, atopd_exec_t;
+        ')
+
+        domtrans_pattern($1, atopd_exec_t, atopd_t)
+')
+
+
+########################################
+## <summary>
+##      Allow the specified domain to read atopd's log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`atopd_read_log',`
+        gen_require(`
+                type atopd_log_t;
+        ')
+
+        logging_search_logs($1)
+        read_files_pattern($1, atopd_log_t, atopd_log_t)
+')
+
+########################################
+## <summary>
+##      Allow the specified domain to append
+##      atopd log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`atopd_append_log',`
+        gen_require(`
+                type atopd_log_t;
+        ')
+
+        logging_search_logs($1)
+        append_files_pattern($1, atopd_log_t, atopd_log_t)
+')
+
+########################################
+## <summary>
+##      Allow domain to manage atopd log files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`atopd_manage_log',`
+        gen_require(`
+                type atopd_log_t;
+        ')
+
+        logging_search_logs($1)
+        manage_dirs_pattern($1, atopd_log_t, atopd_log_t)
+        manage_files_pattern($1, atopd_log_t, atopd_log_t)
+        manage_lnk_files_pattern($1, atopd_log_t, atopd_log_t)
+')
+
+########################################
+## <summary>
+##      All of the rules required to administrate
+##      an atopd environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`atopd_admin',`
+        gen_require(`
+                type atopd_t;
+                type atopd_log_t;
+        ')
+
+        allow $1 atopd_t:process { ptrace signal_perms };
+        ps_process_pattern($1, atopd_t)
+
+        logging_search_logs($1)
+        admin_pattern($1, atopd_log_t)
+
+')
+
+########################################
+## <summary>
+##    Allow domain signal atopd
+## </summary>
+## <param name="domain">
+##    <summary>
+##    Domain to not audit.
+##    </summary>
+## </param>
+#
+interface(`atopd_signal',`
+    gen_require(`
+        type atopd_t;
+    ')
+
+    allow $1 atopd_t:process signal;
+')
+
+
diff --git a/policy/modules/services/atopd.te b/policy/modules/services/atopd.te
new file mode 100644
index 0000000..c53ecda
--- /dev/null
+++ b/policy/modules/services/atopd.te
@@ -0,0 +1,77 @@
+policy_module(atopd,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type atopd_t;
+type atopd_exec_t;
+init_daemon_domain(atopd_t, atopd_exec_t)
+
+
+type atopd_initrc_exec_t;
+init_script_file(atopd_initrc_exec_t)
+
+
+can_exec(atopd_t, atopd_exec_t)
+
+type atopd_log_t;
+logging_log_file(atopd_log_t)
+
+type atopd_var_run_t;
+files_pid_file(atopd_var_run_t)
+
+type atopd_tmp_t;
+files_tmp_file(atopd_tmp_t)
+
+
+
+########################################
+#
+# atopd local policy
+#
+
+allow atopd_t self:fifo_file rw_fifo_file_perms;
+allow atopd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow atopd_t self:sem create_sem_perms;
+allow atopd_t self:capability { net_admin setuid sys_nice sys_resource sys_ptrace ipc_lock sys_pacct };
+allow atopd_t self:process    { setsched sigkill setrlimit };
+
+manage_dirs_pattern(atopd_t, atopd_log_t, atopd_log_t)
+manage_files_pattern(atopd_t, atopd_log_t, atopd_log_t)
+logging_log_filetrans(atopd_t, atopd_log_t, { dir file } )
+
+domain_use_interactive_fds(atopd_t)
+
+files_read_etc_files(atopd_t)
+
+miscfiles_read_localization(atopd_t)
+
+
+# pid files
+manage_dirs_pattern(atopd_t, atopd_var_run_t, atopd_var_run_t)
+manage_files_pattern(atopd_t, atopd_var_run_t, atopd_var_run_t)
+files_pid_filetrans(atopd_t, atopd_var_run_t, { dir file  })
+
+# tmp files
+manage_dirs_pattern(atopd_t, atopd_tmp_t, atopd_tmp_t)
+manage_files_pattern(atopd_t, atopd_tmp_t, atopd_tmp_t)
+files_tmp_filetrans(atopd_t, atopd_tmp_t, { dir file  })
+
+
+
+auth_use_nsswitch(atopd_t)
+
+domain_read_all_domains_state(atopd_t)
+
+kernel_list_proc(atopd_t)
+kernel_read_network_state(atopd_t)
+kernel_read_system_state(atopd_t)
+
+fs_getattr_xattr_fs(atopd_t)
+
+corecmd_exec_bin(atopd_t)
+
+acct_manage_data(atopd_t)
-- 
1.7.2.1.44.g721e7


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH] policy module for atop
  2011-04-28 14:03 [PATCH] policy module for atop Elia Pinto
@ 2011-04-28 14:50 ` Dominick Grift
       [not found]   ` <BANLkTinJxp94Rj5WGOu_9=knErQoe8w=pA@mail.gmail.com>
                     ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Dominick Grift @ 2011-04-28 14:50 UTC (permalink / raw)
  To: Elia Pinto; +Cc: selinux, Elia Pinto

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/28/2011 04:03 PM, Elia Pinto wrote:

> +/usr/bin/atopd                  --      gen_context(system_u:object_r:atopd_exec_t,s0)
> +/usr/bin/atop                   --      gen_context(system_u:object_r:atopd_exec_t,s0)

Might want to consider running the daemon and client in separate domains.

> +/tmp/atop.d(/.*)?                       gen_context(system_u:object_r:atopd_tmp_t,s0)

You do not have to specify file contexts for /tmp content because
fixfiles is not going to restore it anyways.


> +        domtrans_pattern($1, atopd_exec_t, atopd_t)

How does a calling domain get to /usr/bin/atop.* in the first place
without corecmd_search_bin($1)?


> +##      Allow the specified domain to read atopd's log files.

Minor personal comment. The "allow the specified domain" is not needed
in my view.

"Read atpod log files."

Or as i prefer it:

"Read atopd_log_t files."

> +########################################
> +## <summary>
> +##      Allow the specified domain to append
> +##      atopd log files.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed to transition.
> +##      </summary>
> +## </param>
> +#
> +interface(`atopd_append_log',`
> +        gen_require(`
> +                type atopd_log_t;
> +        ')
> +
> +        logging_search_logs($1)
> +        append_files_pattern($1, atopd_log_t, atopd_log_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Allow domain to manage atopd log files
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain to not audit.
> +##      </summary>
> +## </param>
> +#
> +interface(`atopd_manage_log',`
> +        gen_require(`
> +                type atopd_log_t;
> +        ')
> +
> +        logging_search_logs($1)
> +        manage_dirs_pattern($1, atopd_log_t, atopd_log_t)
> +        manage_files_pattern($1, atopd_log_t, atopd_log_t)
> +        manage_lnk_files_pattern($1, atopd_log_t, atopd_log_t)
> +')

These above three do not seem to be used by anyone, so i guess they can
be removed.

> +########################################
> +## <summary>
> +##      All of the rules required to administrate
> +##      an atopd environment
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +## <param name="role">
> +##      <summary>
> +##      Role allowed access.
> +##      </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`atopd_admin',`
> +        gen_require(`
> +                type atopd_t;
> +                type atopd_log_t;
> +        ')
> +
> +        allow $1 atopd_t:process { ptrace signal_perms };
> +        ps_process_pattern($1, atopd_t)
> +
> +        logging_search_logs($1)
> +        admin_pattern($1, atopd_log_t)
> +
> +')

This template above allows confined administrators to "manage atopd".
This is achieved by labelling atopd's init script with a private type.

Just like you did below.

but you need to allow "atopd_admin" to start/stop/reload etc the atopd
init daemon:


	init_labeled_script_domtrans($1, atopd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 atopd_initrc_exec_t system_r;
	allow $2 system_r;

might also allow atopd_admin to manage atopd pids, and the i guess the
tmp file although i suspect the tmp file is created by the atop client
and so it should maybe not be here in the first place.

> +########################################
> +## <summary>
> +##    Allow domain signal atopd

"Send generic signals to atopd."

or i prefer:

"Send generic signals to atopd_t."

> +## </summary>
> +## <param name="domain">
> +##    <summary>
> +##    Domain to not audit.

"Domain allowed access."

> +##    </summary>
> +## </param>
> +#
> +interface(`atopd_signal',`
> +    gen_require(`
> +        type atopd_t;
> +    ')
> +
> +    allow $1 atopd_t:process signal;
> +')
> +
> +
> diff --git a/policy/modules/services/atopd.te b/policy/modules/services/atopd.te
> new file mode 100644
> index 0000000..c53ecda
> --- /dev/null
> +++ b/policy/modules/services/atopd.te
> @@ -0,0 +1,77 @@
> +policy_module(atopd,1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type atopd_t;
> +type atopd_exec_t;
> +init_daemon_domain(atopd_t, atopd_exec_t)
> +
> +
> +type atopd_initrc_exec_t;
> +init_script_file(atopd_initrc_exec_t)
> +
> +
> +can_exec(atopd_t, atopd_exec_t)

This is not a declaration. What is executing what here? atopd -> atop?
or atopd -> atopd?

> +
> +type atopd_log_t;
> +logging_log_file(atopd_log_t)
> +
> +type atopd_var_run_t;
> +files_pid_file(atopd_var_run_t)
> +
> +type atopd_tmp_t;
> +files_tmp_file(atopd_tmp_t)

I suspect this tmp file is created by the client not the daemon.

> +
> +
> +
> +########################################
> +#
> +# atopd local policy
> +#
> +
> +allow atopd_t self:fifo_file rw_fifo_file_perms;
> +allow atopd_t self:unix_stream_socket create_stream_socket_perms;
> +
> +allow atopd_t self:sem create_sem_perms;
> +allow atopd_t self:capability { net_admin setuid sys_nice sys_resource sys_ptrace ipc_lock sys_pacct };
> +allow atopd_t self:process    { setsched sigkill setrlimit };

Capability and process go on top of the "self" block. What are all these
for? Might want to allow your domain to signal itself.

> +
> +manage_dirs_pattern(atopd_t, atopd_log_t, atopd_log_t)
> +manage_files_pattern(atopd_t, atopd_log_t, atopd_log_t)
> +logging_log_filetrans(atopd_t, atopd_log_t, { dir file } )

i think you can remove the "file" from { dir file }. Its likely storing
its log file in the dir so no need to type transition for file.

> +
> +domain_use_interactive_fds(atopd_t)
> +
> +files_read_etc_files(atopd_t)
> +
> +miscfiles_read_localization(atopd_t)

These interface calls go below where the others are.

> +
> +# pid files

We know already its a pid file.

> +manage_dirs_pattern(atopd_t, atopd_var_run_t, atopd_var_run_t)
> +manage_files_pattern(atopd_t, atopd_var_run_t, atopd_var_run_t)
> +files_pid_filetrans(atopd_t, atopd_var_run_t, { dir file  })

It is not creating any dir in /var/run. And if it does then your fc
context specifications do not reflect it.

> +# tmp files

we know already its a tmp file.

> +manage_dirs_pattern(atopd_t, atopd_tmp_t, atopd_tmp_t)
> +manage_files_pattern(atopd_t, atopd_tmp_t, atopd_tmp_t)
> +files_tmp_filetrans(atopd_t, atopd_tmp_t, { dir file  })

I suspect you can remove the file from { dir file }. I believe the file
is created in the dir and so you do not need a type transition for file.

> +
> +
> +
> +auth_use_nsswitch(atopd_t)

this goes below

> +domain_read_all_domains_state(atopd_t)

this goes below the corecmd call
> +
> +kernel_list_proc(atopd_t)
> +kernel_read_network_state(atopd_t)
> +kernel_read_system_state(atopd_t)

kernel interface calls go on top of the external interface calls stack.

> +
> +fs_getattr_xattr_fs(atopd_t)

this goes below the domain call.

> +
> +corecmd_exec_bin(atopd_t)

This goes below the kernel calls. What is it running?
> +
> +acct_manage_data(atopd_t)

I gather this is not optional?

Policy patches should be sent to refpolicy@oss.tresys.com maillist.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk25fs4ACgkQMlxVo39jgT+fEgCffFoBo2FXXgAtvD4qlU8lpP2S
jooAoKC7T9O3OjBUcGTzJimYWV6J6Alx
=OkS3
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [refpolicy] [PATCH] policy module for atop
       [not found]   ` <BANLkTinJxp94Rj5WGOu_9=knErQoe8w=pA@mail.gmail.com>
@ 2011-04-29 11:20     ` Dominick Grift
  0 siblings, 0 replies; 6+ messages in thread
From: Dominick Grift @ 2011-04-29 11:20 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/29/2011 01:04 PM, Elia Pinto wrote:

>> I have had the same idea, in reality, the daemon is a script that
>> calls atop. I did not know what was the most elegant solution and I
>> wanted to avoid the proliferation of types. But if i separate them for
>> atop - versus atopd - should use the interface init_daemon_domain
>> init_system_domain or application_domain?


i would probably consider leaving "/usr/bin/atop" type bin_t and allow
atopd to run bin_t files (corecmd_exec_bin()). Not sure how that would
pan out in practice though.

>> The interface file was generated from sepolgen. Look also to
>> icecast.if in ref policy for example. Not a answer to your question
>> however. I will look better for this. Perhaps an bug in sepolgen ?

Policy generators are not smart enough (at all).

It is a bug in sepolgen, but not one that is easily fixed.

You can just remove the atop_domtrans interface altogether since no one
calls it anyways.

>> Again this is what sepolgen generate : do you want to propose a patch :=) ?

Naw, this is just a personal nit. I bet the refpolicy maintainer will not mind.


>> Always sepolgen generated . The possible patch starts to get long ....:=)


Naw just take note and leave it as is. I bet policy maintainer will not
mind.

>> No one can use there if these interfaces are not defined yet: insn't ?
>> Again generated by default from sepolgen

True but if you think like that, then you can create 1000's of
interfaces, because hey, who knows, someone some day might need one of
them ;)

So remove any unused interfaces. If someone needs to interact with your
atopd domain then they will add the required interfaces.

>> Ok, for this. For the rest , the interface atopd_admin (and all the
>> interfaces) was generated
>> from sepolgen

ok looks like a bug in sepolgen.

>> Ok

These are just small personal comments, no big deal. I bet the policy
maintainer will not mind.

>> In this case atop . But i think it is sensible to split the domain now

Maybe just label /usr/bin/atop bin_t and allow allow /usr/bin/atopd
corecmd_exec_bin()

>> Yes, it is.

So if you label /usr/bin/atop bin_t then you probably be able to remove
this?

> I gather this is not optional?
>> I will Look better

See if atop(d) depends on acct.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk26nu0ACgkQMlxVo39jgT8CTACfez/+HmICKah5sNr5zsko2jZ4
7UwAoJf6+bSUtUtlyGr5Vpo/ndoM3ret
=0mzK
-----END PGP SIGNATURE-----


* Re: [PATCH] policy module for atop
  2011-04-28 14:50 ` Dominick Grift
       [not found]   ` <BANLkTinJxp94Rj5WGOu_9=knErQoe8w=pA@mail.gmail.com>
@ 2011-04-29 15:56   ` Daniel J Walsh
  2011-05-02 17:46   ` [refpolicy] " Christopher J. PeBenito
  2 siblings, 0 replies; 6+ messages in thread
From: Daniel J Walsh @ 2011-04-29 15:56 UTC (permalink / raw)
  To: Dominick Grift; +Cc: Elia Pinto, selinux, Elia Pinto

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/28/2011 10:50 AM, Dominick Grift wrote:
> On 04/28/2011 04:03 PM, Elia Pinto wrote:
> 
>> +/usr/bin/atopd                  --      gen_context(system_u:object_r:atopd_exec_t,s0)
>> +/usr/bin/atop                   --      gen_context(system_u:object_r:atopd_exec_t,s0)
> 
> Might want to consider running the daemon and client in seperate domains.
> 
>> +/tmp/atop.d(/.*)?                       gen_context(system_u:object_r:atopd_tmp_t,s0)
> 
> You do not have to specify file contexts for /tmp content because
> fixfiles is not going to restore it anyways.
> 
> 
>> +        domtrans_pattern($1, atopd_exec_t, atopd_t)
> 
> How does a calling domain get to /usr/bin/atop.* in the first place
> without corecmd_search_bin($1)?
> 
> 
>> +##      Allow the specified domain to read atopd's log files.
> 
> Minor personal comment. The "allow the specified domain" is not needed
> in my view.
> 
> "Read atpod log files."
> 
> Or as i prefer it:
> 
> "Read atopd_log_t files."
> 
>> +########################################
>> +## <summary>
>> +##      Allow the specified domain to append
>> +##      atopd log files.
>> +## </summary>
>> +## <param name="domain">
>> +##      <summary>
>> +##      Domain allowed to transition.
>> +##      </summary>
>> +## </param>
>> +#
>> +interface(`atopd_append_log',`
>> +        gen_require(`
>> +                type atopd_log_t;
>> +        ')
>> +
>> +        logging_search_logs($1)
>> +        append_files_pattern($1, atopd_log_t, atopd_log_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##      Allow domain to manage atopd log files
>> +## </summary>
>> +## <param name="domain">
>> +##      <summary>
>> +##      Domain to not audit.
>> +##      </summary>
>> +## </param>
>> +#
>> +interface(`atopd_manage_log',`
>> +        gen_require(`
>> +                type atopd_log_t;
>> +        ')
>> +
>> +        logging_search_logs($1)
>> +        manage_dirs_pattern($1, atopd_log_t, atopd_log_t)
>> +        manage_files_pattern($1, atopd_log_t, atopd_log_t)
>> +        manage_lnk_files_pattern($1, atopd_log_t, atopd_log_t)
>> +')
> 
> These above three do not seem to be used by anyone, so i guess they can
> be removed.
> 
>> +########################################
>> +## <summary>
>> +##      All of the rules required to administrate
>> +##      an atopd environment
>> +## </summary>
>> +## <param name="domain">
>> +##      <summary>
>> +##      Domain allowed access.
>> +##      </summary>
>> +## </param>
>> +## <param name="role">
>> +##      <summary>
>> +##      Role allowed access.
>> +##      </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`atopd_admin',`
>> +        gen_require(`
>> +                type atopd_t;
>> +                type atopd_log_t;
>> +        ')
>> +
>> +        allow $1 atopd_t:process { ptrace signal_perms };
>> +        ps_process_pattern($1, atopd_t)
>> +
>> +        logging_search_logs($1)
>> +        admin_pattern($1, atopd_log_t)
>> +
>> +')
> 
> This template above allows confined administrators to "manage atopd".
> This is achieved by labelling atopd's init script with a private type.
> 
> Just like you did below.
> 
> but you need to allow "atopd_admin" to start/stop/reload etc the atopd
> init daemon:
> 
> 
> 	init_labeled_script_domtrans($1, atopd_initrc_exec_t)
> 	domain_system_change_exemption($1)
> 	role_transition $2 atopd_initrc_exec_t system_r;
> 	allow $2 system_r;
> 
> might also allow atopd_admin to manage atopd pids, and the i guess the
> tmp file although i suspect the tmp file is created by the atop client
> and so it should maybe not be here in the first place.
> 
>> +########################################
>> +## <summary>
>> +##    Allow domain signal atopd
> 
> "Send generic signals to atopd."
> 
> or i prefer:
> 
> "Send generic signals to atopd_t."
> 
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain to not audit.
> 
> "Domain allowed access."
> 
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`atopd_signal',`
>> +    gen_require(`
>> +        type atopd_t;
>> +    ')
>> +
>> +    allow $1 atopd_t:process signal;
>> +')
>> +
>> +
>> diff --git a/policy/modules/services/atopd.te b/policy/modules/services/atopd.te
>> new file mode 100644
>> index 0000000..c53ecda
>> --- /dev/null
>> +++ b/policy/modules/services/atopd.te
>> @@ -0,0 +1,77 @@
>> +policy_module(atopd,1.0.0)
>> +
>> +########################################
>> +#
>> +# Declarations
>> +#
>> +
>> +type atopd_t;
>> +type atopd_exec_t;
>> +init_daemon_domain(atopd_t, atopd_exec_t)
>> +
>> +
>> +type atopd_initrc_exec_t;
>> +init_script_file(atopd_initrc_exec_t)
>> +
>> +
>> +can_exec(atopd_t, atopd_exec_t)
> 
> This is not a declaration. What is executing what here? atopd -> atop?
> or atopd -> atopd?
> 
>> +
>> +type atopd_log_t;
>> +logging_log_file(atopd_log_t)
>> +
>> +type atopd_var_run_t;
>> +files_pid_file(atopd_var_run_t)
>> +
>> +type atopd_tmp_t;
>> +files_tmp_file(atopd_tmp_t)
> 
> I suspect this tmp file is created by the client not the daemon.
> 
>> +
>> +
>> +
>> +########################################
>> +#
>> +# atopd local policy
>> +#
>> +
>> +allow atopd_t self:fifo_file rw_fifo_file_perms;
>> +allow atopd_t self:unix_stream_socket create_stream_socket_perms;
>> +
>> +allow atopd_t self:sem create_sem_perms;
>> +allow atopd_t self:capability { net_admin setuid sys_nice sys_resource sys_ptrace ipc_lock sys_pacct };
>> +allow atopd_t self:process    { setsched sigkill setrlimit };
> 
> Capability and process go on top of the "self" block. What are all these
> for? Might want to allow your domain to signal itself.
> 
>> +
>> +manage_dirs_pattern(atopd_t, atopd_log_t, atopd_log_t)
>> +manage_files_pattern(atopd_t, atopd_log_t, atopd_log_t)
>> +logging_log_filetrans(atopd_t, atopd_log_t, { dir file } )
> 
> i think you can remove the "file" from { dir file }. Its likely storing
> its log file in the dir so no need to type transition for file.
> 
>> +
>> +domain_use_interactive_fds(atopd_t)
>> +
>> +files_read_etc_files(atopd_t)
>> +
>> +miscfiles_read_localization(atopd_t)
> 
> These interface calls go below where the others are.
> 
>> +
>> +# pid files
> 
> We know already its a pid file.
> 
>> +manage_dirs_pattern(atopd_t, atopd_var_run_t, atopd_var_run_t)
>> +manage_files_pattern(atopd_t, atopd_var_run_t, atopd_var_run_t)
>> +files_pid_filetrans(atopd_t, atopd_var_run_t, { dir file  })
> 
> It is not creating any dir in /var/run. And if it does then your fc
> context specifications do not reflect it.
> 
>> +# tmp files
> 
> we know already its a tmp file.
> 
>> +manage_dirs_pattern(atopd_t, atopd_tmp_t, atopd_tmp_t)
>> +manage_files_pattern(atopd_t, atopd_tmp_t, atopd_tmp_t)
>> +files_tmp_filetrans(atopd_t, atopd_tmp_t, { dir file  })
> 
> I suspect you can remove the file from { dir file }. I believe the file
> is created in the dir and so you do not need a type transition for file.
> 
>> +
>> +
>> +
>> +auth_use_nsswitch(atopd_t)
> 
> this goes below
> 
>> +domain_read_all_domains_state(atopd_t)
> 
> this goes below the corecmd call
>> +
>> +kernel_list_proc(atopd_t)
>> +kernel_read_network_state(atopd_t)
>> +kernel_read_system_state(atopd_t)
> 
> kernel interface calls go on top of the external interface calls stack.
> 
>> +
>> +fs_getattr_xattr_fs(atopd_t)
> 
> this goes below the domain call.
> 
>> +
>> +corecmd_exec_bin(atopd_t)
> 
> This goes below the kernel calls. What is it running?
>> +
>> +acct_manage_data(atopd_t)
> 
> I gather this is not optional?
> 
> Policy patches should be sent to refpolicy@oss.tresys.com maillist.
> 

- --
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with
the words "unsubscribe selinux" without quotes as the message.


I just went into sepolgen templates and fixed some of the comments from
here.

policycoreutils-2.0.86-7.fc16

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2635cACgkQrlYvE4MpobNF/gCgq+HBPniX4kRc+/60h0LAeOGN
MVoAnR+yVmIpTsUxj0O3QTSfA1O/IIun
=FLXp
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [refpolicy] [PATCH] policy module for atop
  2011-04-28 14:50 ` Dominick Grift
       [not found]   ` <BANLkTinJxp94Rj5WGOu_9=knErQoe8w=pA@mail.gmail.com>
  2011-04-29 15:56   ` Daniel J Walsh
@ 2011-05-02 17:46   ` Christopher J. PeBenito
  2 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2011-05-02 17:46 UTC (permalink / raw)
  To: refpolicy

On 04/28/11 10:50, Dominick Grift wrote:
> On 04/28/2011 04:03 PM, Elia Pinto wrote:
> 
>> +/usr/bin/atopd                  --      gen_context(system_u:object_r:atopd_exec_t,s0)
>> +/usr/bin/atop                   --      gen_context(system_u:object_r:atopd_exec_t,s0)
> 
> Might want to consider running the daemon and client in seperate domains.

Dominick has given a good review.  The above is my biggest concern with
the module.  However, my guess would be that the client is probably best
left without a domain transition (i.e. run atop in the user's domain),
but there doesn't seem to be any added rules for client, so I'm not sure.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

