* [patch] Full relabel audit event
From: James Antill @ 2006-05-25 21:01 UTC (permalink / raw)
To: redhat-lspp; +Cc: linux-audit, selinux
The attached patch implements the full relabel audit event (i.e. an
audit event occurs when a full relabel occurs, i.e. when /.autorelabel
exists at boot).
Note that although the code is correct, this patch doesn't actually
work due to kernel bugs[1].
It'll be in Fedora development as part of policycoreutils-1.30.10-3
onwards.
[1] see the thread on linux-audit if you want the details.
--
James Antill <jantill@redhat.com>
[-- Attachment #1.1.2: policycoreutils-1.30.10-audit-mass-relabel.patch --]
diff -ru policycoreutils-1.30.10-orig/setfiles/setfiles.c policycoreutils-1.30.10/setfiles/setfiles.c
--- policycoreutils-1.30.10-orig/setfiles/setfiles.c 2006-05-23 06:20:03.000000000 -0400
+++ policycoreutils-1.30.10/setfiles/setfiles.c 2006-05-24 16:49:03.000000000 -0400
@@ -75,6 +75,11 @@
#include <selinux/selinux.h>
#include <syslog.h>
#include <libgen.h>
+#include <libaudit.h>
+
+#ifndef AUDIT_FS_RELABEL
+#define AUDIT_FS_RELABEL 2309
+#endif
static int add_assoc = 1;
static FILE *outfile=NULL;
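Review bot: the fallback `#define AUDIT_FS_RELABEL 2309` silently hard-codes a message-type number whenever the installed libaudit headers predate it, so a build against older headers emits a record whose type the running kernel and ausearch may not know, and any later disagreement with the official value would go unnoticed. Prefer failing the build with `#error` pointing at the required audit version, or at least add a comment saying where 2309 comes from.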
@@ -395,7 +400,7 @@
/* trim trailing /, if present */
len = strlen(rootpath);
- while ('/' == rootpath[len - 1])
+ while (len && ('/' == rootpath[len - 1]))
rootpath[--len] = 0;
rootpathlen = len;
}
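Review bot: the added `len &&` guard in the rootpath trimming loop is a genuine fix (an empty rootpath makes `rootpath[len - 1]` read one byte before the buffer), but it has nothing to do with the audit event and the cover note does not mention it; send it as its own patch so it can be reviewed and backported independently.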
@@ -443,11 +448,35 @@
return 0;
}
+static void maybe_audit_mass_relabel(int done_root, int errs)
+{
+ int audit_fd = -1;
+ int rc = 0;
+
+ if (!done_root) /* only audit a forced full relabel */
+ return;
+
+ audit_fd = audit_open();
+
+ if (audit_fd < 0) {
+ fprintf(stderr, "Error connecting to audit system.\n");
+ return;
+ }
+
+ rc = audit_log_user_message(audit_fd, AUDIT_FS_RELABEL,
+ "op=mass relabel", NULL, NULL, NULL, !errs);
+ if (rc <= 0) {
+ fprintf(stderr, "Error sending audit message: %s.\n", strerror(errno));
+ }
+ audit_close(audit_fd);
+}
+
int main(int argc, char **argv)
{
struct stat sb;
int opt, rc, i;
-
+ int done_root = 0; /* have we processed the / directory as an arg */
+
memset(excludeArray,0, sizeof(excludeArray));
/* Validate all file contexts during matchpathcon_init. */
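Review bot: in `maybe_audit_mass_relabel()` a failed `audit_open()` or `audit_log_user_message()` only prints to stderr and returns, so the caller still reaches its normal `exit(0)` path and a boot whose relabel was never audited looks exactly like one that was; for an LSPP requirement the function should return the failure so `main` can exit non-zero when auditing is enabled. Two smaller points: the value in `"op=mass relabel"` contains a space, which tools that split the message into key=value pairs will break on, so `op=mass_relabel` is safer; and `strerror(errno)` should be taken immediately after the failing call, with `<errno.h>` and `<string.h>` confirmed to be included since neither is visible in this hunk.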
@@ -618,6 +647,8 @@
}
else for (; optind < argc; optind++)
{
+ done_root |= !strcmp(argv[optind], "/");
+
if (NULL != rootpath) {
qprintf("%s: labeling files, pretending %s is /\n",
argv[0], rootpath);
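Review bot: `done_root |= !strcmp(argv[optind], "/")` matches only the literal string `/`, so spellings like `//` or `/.` skip the event, and, as the `rootpath` branch immediately below shows, `/` can also name an alternate root being "pretended" as `/`, in which case relabeling a chroot tree is audited as a full relabel of the live system. Consider normalising the argument and requiring `rootpath == NULL` before setting `done_root`.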
@@ -648,6 +679,7 @@
fprintf(stderr,
"%s: error while labeling files under %s\n",
argv[0], argv[optind]);
+ maybe_audit_mass_relabel(done_root, 1);
exit(1);
}
}
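Review bot: the failure record is emitted only on this one error path, and `done_root` is accumulated as arguments are processed, so `setfiles spec /usr /` that fails on `/usr` exits with no record at all while the same failure on `/` does emit one; either document that the event reflects only the `/` argument or route every exit through a single point that emits the record with the final status.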
@@ -664,6 +696,8 @@
matchpathcon_filespec_destroy();
}
+ maybe_audit_mass_relabel(done_root, 0);
+
if (warn_no_match)
matchpathcon_checkmatches(argv[0]);
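Review bot: the success record (`errs` = 0) is sent before `matchpathcon_checkmatches()` runs under `warn_no_match`, so anything reported there lands after the audit trail already says `res=success`; move the call to just before the final return so the recorded result matches the process exit status.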
--- policycoreutils-1.30.10-orig/setfiles/Makefile 2006-05-23 06:20:03.000000000 -0400
+++ policycoreutils-1.30.10/setfiles/Makefile 2006-05-24 18:10:41.000000000 -0400
@@ -7,6 +7,7 @@
CFLAGS = -Werror -Wall -W
override CFLAGS += -D_FILE_OFFSET_BITS=64 -I$(PREFIX)/include
LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+LDLIBS += -laudit
all: setfiles
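Review bot: `LDLIBS += -laudit` makes libaudit an unconditional build dependency of setfiles with no configure-time check, so the package stops building wherever the audit development files are absent, and since setfiles runs from the early-boot environment a missing shared `libaudit.so` there would break relabeling entirely; gate the dependency behind a make variable (for example `AUDIT=y`) or verify the early-boot image ships the library.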
--
redhat-lspp mailing list
redhat-lspp@redhat.com
https://www.redhat.com/mailman/listinfo/redhat-lspp
* Re: [patch] Full relabel audit event
From: Stephen Smalley @ 2006-05-26 17:05 UTC (permalink / raw)
To: James Antill; +Cc: redhat-lspp, linux-audit, selinux
On Thu, 2006-05-25 at 17:01 -0400, James Antill wrote:
> The attached patch implements the full relabel audit event (i.e. an
> audit event occurs when a full relabel occurs, i.e. when /.autorelabel
> exists at boot).
> Note that although the code is correct, this patch doesn't actually
> work due to kernel bugs[1].
>
> It'll be in Fedora development as part of policycoreutils-1.30.10-3
> onwards.
>
> [1] see the thread on linux-audit if you want the details.
Hmmm...what is it that you actually want to do here? If you only care
about auditing autorelabel events, then I'd suggest generating the audit
message from the autorelabel portion of rc.sysinit (via a helper, I
suppose), not from setfiles itself. If you want to audit all full
relabels, then you need to instrument more than setfiles (e.g.
restorecon -R / works just as well), and of course, you potentially need
to do something at the kernel level with audit filters or auditallow
rules in policy if you truly want to capture all relabels. And, of
course, just auditing it when they happen to pass "/" as an argument
isn't very reliable.
Not sure which thread you are referring to; I don't see prior discussion
of a relabel audit event in the linux-audit archives.
--
Stephen Smalley
National Security Agency
* Re: [patch] Full relabel audit event
From: James Antill @ 2006-05-26 17:47 UTC (permalink / raw)
To: Stephen Smalley; +Cc: redhat-lspp, linux-audit, selinux
On Fri, 2006-05-26 at 13:05 -0400, Stephen Smalley wrote:
> On Thu, 2006-05-25 at 17:01 -0400, James Antill wrote:
> > The attached patch implements the full relabel audit event (i.e. an
> > audit event occurs when a full relabel occurs, i.e. when /.autorelabel
> > exists at boot).
> > Note that although the code is correct, this patch doesn't actually
> > work due to kernel bugs[1].
> >
> > It'll be in Fedora development as part of policycoreutils-1.30.10-3
> > onwards.
> >
> > [1] see the thread on linux-audit if you want the details.
>
> Hmmm...what is it that you actually want to do here? If you only care
> about auditing autorelabel events, then I'd suggest generating the audit
> message from the autorelabel portion of rc.sysinit (via a helper, I
> suppose), not from setfiles itself.
This is all that we care about, but the solution of creating a helper
to just be called before setfiles was considered suboptimal against just
putting the code inside setfiles (I know Steve is very much against
anything which acts like logger for the audit subsystem).
> Not sure which thread you are referring to; I don't see prior discussion
> of a relabel audit event in the linux-audit archives.
The thread is for the kernel problem that makes the above patch not
actually work, see the thread "Re: audit 1.2.2 released".
--
James Antill <jantill@redhat.com>
* Re: [redhat-lspp] Re: [patch] Full relabel audit event
From: Stephen Smalley @ 2006-05-26 18:03 UTC (permalink / raw)
To: James Antill; +Cc: redhat-lspp, linux-audit, selinux
On Fri, 2006-05-26 at 13:47 -0400, James Antill wrote:
> On Fri, 2006-05-26 at 13:05 -0400, Stephen Smalley wrote:
> > Hmmm...what is it that you actually want to do here? If you only care
> > about auditing autorelabel events, then I'd suggest generating the audit
> > message from the autorelabel portion of rc.sysinit (via a helper, I
> > suppose), not from setfiles itself.
>
> This is all that we care about, but the solution of creating a helper
> to just be called before setfiles was considered suboptimal against just
> putting the code inside setfiles (I know Steve is very much against
> anything which acts like logger for the audit subsystem).
I don't see the point when a) you only want it in that one case, b) it
doesn't prevent trivial bypass in any way (e.g. by using restorecon, by
rolling your own program to do it, by running setfiles on /* rather than
just /, ...), and c) you aren't capturing any information that cannot be
determined by the caller of setfiles in the first place (just the fact
of a mass relabel and the final exit status).
Note btw that setfiles already provides three different ways to log
actual changes in file contexts, the original -v verbose mode, and the
-l (log via syslog) and -o <file> (log to file) modes introduced later
by Red Hat. That at least provides detailed information that the caller
couldn't determine otherwise.
> The thread is for the kernel problem that makes the above patch not
> actually work, see the thread "Re: audit 1.2.2 released".
--
Stephen Smalley
National Security Agency
* Re: Re: [patch] Full relabel audit event
From: Steve Grubb @ 2006-05-30 13:22 UTC (permalink / raw)
To: redhat-lspp; +Cc: James Antill, linux-audit, Stephen Smalley, selinux
On Friday 26 May 2006 13:05, Stephen Smalley wrote:
> Hmmm...what is it that you actually want to do here?
We need to meet the requirements for LSPP where there is a relabel on boot,
but we do not want a record for each file that was touched. It was discussed
on the LSPP telecon a while back that just one record was sufficient.
> If you only care about auditing autorelabel events, then I'd suggest
> generating the audit message from the autorelabel portion of rc.sysinit (via
> a helper, I suppose), not from setfiles itself.
This is a shell script and cannot connect to libaudit.
> If you want to audit all full relabels, then you need to instrument more
> than setfiles (e.g. restorecon -R / works just as well), and of course, you
> potentially need to do something at the kernel level with audit filters or
> auditallow rules in policy if you truly want to capture all relabels.
We get relabels by monitoring the setxattr syscall. But during bootup before
going interactive, we just want 1 message.
-Steve
* Re: Re: [patch] Full relabel audit event
From: Steve Grubb @ 2006-05-30 14:08 UTC (permalink / raw)
To: redhat-lspp; +Cc: James Antill, linux-audit, Stephen Smalley, selinux
On Friday 26 May 2006 14:03, Stephen Smalley wrote:
> I don't see the point when a) you only want it in that one case,
We do this already in several places. For example, we instrumented usermod,
but not chage. It was documented in the Security Target that usermod should
be used to alter user account attributes.
> b) it doesn't prevent trivial bypass in any way (e.g. by using restorecon,
> by rolling your own program to do it, by running setfiles on /* rather than
> just /, ...), and
It's not meant to be bulletproof. Its purpose is to document that a full
relabel has occurred before any user can log in. During the boot process, no
one can log in so nothing evil should happen.
> Note btw that setfiles already provides three different ways to log
> actual changes in file contexts, the original -v verbose mode, and the
> -l (log via syslog) and -o <file> (log to file) modes introduced later
> by Red Hat. That at least provides detailed information that the caller
> couldn't determine otherwise.
It was determined that we only need 1 record, not all the changes.
-Steve
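The property Steve describes, one successful relabel record per boot before anyone can log in, can be checked from the audit trail. The following is an added defender-side example, not code from the thread or from policycoreutils: the audit lines are a constructed sample shaped like libaudit's user-message output for the patch's "op=mass relabel" record, and the record types and field layout it parses are assumptions about the audit log format of the time.

```python
import re

# Constructed sample audit records (not taken from the thread). The FS_RELABEL
# line is shaped like libaudit's audit_log_user_message() output for the
# "op=mass relabel" message the patch sends; exact field layout is an assumption.
SAMPLE_LOG = """\
type=SYSTEM_BOOT msg=audit(1148590001.100:1): system boot
type=SYSCALL msg=audit(1148590010.200:17): arch=c000003e syscall=188 success=yes exit=0 comm="setfiles" exe="/sbin/setfiles" key="relabel"
type=FS_RELABEL msg=audit(1148590020.300:42): user pid=611 uid=0 auid=4294967295 msg='op=mass relabel: exe="/sbin/setfiles" (hostname=?, addr=?, terminal=? res=success)'
type=USER_LOGIN msg=audit(1148590100.400:90): user pid=900 uid=0 auid=500 msg='op=login acct="alice" exe="/bin/login" res=success'
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')

def parse_record(line):
    """Split one audit line into (type, timestamp, serial, body); None if malformed."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    return m.group(1), float(m.group(2)), int(m.group(3)), m.group(4)

def relabel_result(body):
    """Pull the res= value out of an FS_RELABEL body; None if absent."""
    m = re.search(r'\bres=(\w+)', body)
    return m.group(1) if m else None

def check_boot_relabel(log_text):
    """Return (ok, reason): ok only if exactly one successful FS_RELABEL record
    lies between the latest SYSTEM_BOOT and the first USER_LOGIN after it."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    boots = [ts for rtype, ts, _, _ in records if rtype == 'SYSTEM_BOOT']
    if not boots:
        return False, 'no SYSTEM_BOOT record'
    boot_ts = max(boots)  # only the most recent boot matters
    logins = [ts for rtype, ts, _, _ in records
              if rtype == 'USER_LOGIN' and ts >= boot_ts]
    first_login = min(logins) if logins else float('inf')
    relabels = [(ts, relabel_result(body)) for rtype, ts, _, body in records
                if rtype == 'FS_RELABEL' and boot_ts <= ts < first_login]
    if not relabels:
        return False, 'no FS_RELABEL record between boot and first login'
    if len(relabels) > 1:
        return False, 'expected one FS_RELABEL record, found %d' % len(relabels)
    if relabels[0][1] != 'success':
        return False, 'relabel reported res=%s' % relabels[0][1]
    return True, 'full relabel audited before first login'
```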