Add support for the samhain program.

Note, extra privileges may need to be granted to the samhain domain if its default configuration file(/etc/samhainrc) is changed. The samhain program could be used in the following way: (In secadm_r role) 1. Initialize filesystem signature database: newrole -l s15:c0.c1023 -p -- -c "samhain -t init" (Note, the current secadm console will be blocked until the database is completed) 2. Start samhain deamon to check filesystem integrity newrole -l s15:c0.c1023 -p -- -c "samhain -t check -D" 3. Update filesystem signature database: newrole -l s15:c0.c1023 -p -- -c "samhain -t update" (In sysadm_r role) 1. Start samhain in daemon mode: run_init /etc/init.d/samhain start 2. Stop samhain daemon: run_init /etc/init.d/samhain stop 3. Check samhain daemon status: run_init /etc/init.d/samhain status 4. Read/write samhain log files: newrole -l s15:c0.c1023 -p -- -c "cat /var/log/samhain_log" 5. Remove samhain database files newrole -l s15:c0.c1023 -p -- -c "rm /var/lib/samhain/samhain_file" Note: 1. Stop samhain daemon before updating signature database. 2. Don't try to start samhain daemon twice. 3. Need to toggle SELinux into the Permissive mode in order to remove the samhain_log files from /var/log/. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2010-11-08 14:42:38 +08:00 · 2010-11-08 14:42:38 +08:00 · b2f8897d9c
parent c3cd3843fb
commit b2f8897d9c
5 changed files with 364 additions and 0 deletions
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@ -289,6 +289,10 @@ optional_policy(`
 	samba_run_winbind_helper(sysadm_t, sysadm_r)
 ')

+optional_policy(`
+	samhain_admin(sysadm_t)
+')
+
 optional_policy(`
 	screen_role_template(sysadm, sysadm_r, sysadm_t)
 ')
--- a/policy/modules/services/samhain.fc
+++ b/policy/modules/services/samhain.fc
@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/samhain	--	gen_context(system_u:object_r:samhain_initrc_exec_t,s0)
+
+/etc/samhainrc	--	gen_context(system_u:object_r:samhain_etc_t,mls_systemhigh)
+
+/usr/sbin/samhain	--	gen_context(system_u:object_r:samhain_exec_t,s0)
+/usr/sbin/samhain_setpwd	--	gen_context(system_u:object_r:samhain_exec_t,s0)
+
+/var/lib/samhain(/.*)?	gen_context(system_u:object_r:samhain_db_t,mls_systemhigh)
+
+/var/log/samhain_log	--	gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
+/var/log/samhain_log\.lock	--	gen_context(system_u:object_r:samhain_log_t,mls_systemhigh)
+
+/var/run/samhain\.pid	--	gen_context(system_u:object_r:samhain_var_run_t,mls_systemhigh)
--- a/policy/modules/services/samhain.if
+++ b/policy/modules/services/samhain.if
@ -0,0 +1,282 @@
+## <summary>Samhain - check file integrity</summary>
+
+#######################################
+## <summary>
+##	The template containing the most basic rules
+##	common to the samhain domains.
+## </summary>
+## <param name="samhaindomain_prefix">
+##	<summary>
+##	The prefix of the samhain domains(e.g., samhain
+##	for the domain of command line access, samhaind
+##	for the domain started by init script).
+##	</summary>
+## </param>
+## <rolebase/>
+#
+template(`samhain_service_template',`
+	gen_require(`
+		type etc_t, samhain_etc_t;
+		type samhain_log_t, samhain_var_run_t;
+	')
+
+	allow $1_t self:capability { dac_override dac_read_search fowner ipc_lock };
+	dontaudit $1_t self:capability { sys_resource sys_ptrace };
+	allow $1_t self:fd use;
+	allow $1_t self:process { setsched setrlimit signull };
+
+	read_files_pattern($1_t, etc_t, samhain_etc_t)
+
+	# Samhain needs to get the attribute of /proc/kcore.
+	kernel_getattr_core_if($1_t)
+
+	corecmd_list_bin($1_t)
+	corecmd_read_bin_symlinks($1_t)
+
+	# To get entropy
+	dev_read_urand($1_t)
+	dev_dontaudit_read_rand($1_t)
+
+	manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t)
+	files_pid_filetrans($1_t, samhain_var_run_t, file)
+
+	manage_files_pattern($1_t, samhain_log_t, samhain_log_t)
+	logging_log_filetrans($1_t, samhain_log_t, file)
+
+	# Samhain pid, log and log.lock files are all in directories of s0,
+	# while samhain daemon is running with the clearance level.
+	mls_file_write_all_levels($1_t)
+
+	# Read from utmp when monitoring login/logout events.
+	auth_read_login_records($1_t)
+
+	# Get the attributes of all kinds of files in the rootfs.
+	dev_getattr_all_blk_files($1_t)
+	dev_getattr_all_chr_files($1_t)
+	dev_getattr_generic_blk_files($1_t)
+	dev_getattr_generic_chr_files($1_t)
+
+	files_getattr_all_dirs($1_t)
+	files_getattr_all_files($1_t)
+	files_getattr_all_symlinks($1_t)
+
+	files_getattr_all_pipes($1_t)
+	files_getattr_all_sockets($1_t)
+	files_getattr_all_mountpoints($1_t)
+
+	files_read_all_files($1_t)
+	files_read_all_symlinks($1_t)
+
+	# Read from wtmp when monitoring login/logout events.
+	init_read_utmp($1_t)
+
+	# Get the attribute of other filesystems mountpoint, such as /selinux
+	# /proc, /sys and /tmp, but not the contents inside, which suggests
+	# that following rules should be set in samhain configuration file:
+	# [Attributes]
+	#    file = /tmp
+	#    file = /proc
+	#    file = /sys
+	#    file = /selinux
+	# [IgnoreALL]
+	#    dir = -1/tmp
+	#    dir = -1/proc
+	#    dir = -1/sys
+	#    dir = -1/selinux
+	fs_getattr_all_dirs($1_t)
+
+	logging_send_syslog_msg($1_t)
+')
+
+########################################
+## <summary>
+##	Execute samhain in the samhain domain
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`samhain_domtrans',`
+	gen_require(`
+		type samhain_t, samhain_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, samhain_exec_t, samhain_t)
+')
+
+########################################
+## <summary>
+##	Execute samhain in the samhain domain with the clearance security
+##	level and allow the specifiled role the samhain domain.
+## </summary>
+## <desc>
+##	<p>
+##	The range_transition rule used in this interface requires that
+##	the calling domain should have the clearance security level
+##	otherwise the MLS constraint for process transition would fail.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed to access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`samhain_run',`
+	gen_require(`
+		type samhain_t, samhain_exec_t;
+	')
+
+	samhain_domtrans($1)
+	role $2 types samhain_t;
+
+	ifdef(`enable_mls', `
+		range_transition $1 samhain_exec_t:process mls_systemhigh;
+	')
+')
+
+########################################
+## <summary>
+##	Manage samhain configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samhain_manage_config_files',`
+	gen_require(`
+		type samhain_etc_t;
+	')
+
+	files_search_etc($1)
+	manage_files_pattern($1, samhain_etc_t, samhain_etc_t)
+')
+
+########################################
+## <summary>
+##	Manage samhain database files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samhain_manage_db_files',`
+	gen_require(`
+		type samhain_db_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, samhain_db_t, samhain_db_t)
+')
+
+#######################################
+## <summary>
+##	Manage samhain init script files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samhain_manage_init_script_files',`
+	gen_require(`
+		type samhain_initrc_exec_t;
+	')
+
+	files_search_etc($1)
+	manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Manage samhain log and log.lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samhain_manage_log_files',`
+	gen_require(`
+		type samhain_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_files_pattern($1, samhain_log_t, samhain_log_t)
+')
+
+########################################
+## <summary>
+##	Manage samhain pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samhain_manage_pid_files',`
+	gen_require(`
+		type samhain_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
+')
+
+#######################################
+## <summary>
+##	All of the rules required to administrate
+##	the samhain environment.
+## </summary>
+## <desc>
+##	<p>
+##	This interface assumes that the calling domain has been able to
+##	remove an entry from /var/lib/ or /var/log/ and belongs to the
+##	mlsfilewrite attribute, since samhain files may be of clearance
+##	security level while their parent directories are of s0.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samhain_admin',`
+	gen_require(`
+		type samhain_t, samhain_db_t, samhain_etc_t;
+		type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
+	')
+
+	allow $1 samhain_t:process { ptrace signal_perms };
+	ps_process_pattern($1, samhain_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, samhain_db_t)
+	
+	files_list_etc($1)
+	admin_pattern($1, samhain_etc_t)
+	admin_pattern($1, samhain_initrc_exec_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, samhain_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, samhain_var_run_t)
+')
--- a/policy/modules/services/samhain.te
+++ b/policy/modules/services/samhain.te
@ -0,0 +1,61 @@
+policy_module(samhain, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type samhain_etc_t;
+files_config_file(samhain_etc_t)
+
+type samhain_log_t;
+logging_log_file(samhain_log_t)
+
+# Filesystem signature database
+type samhain_db_t;
+files_type(samhain_db_t)
+
+type samhain_initrc_exec_t;
+init_script_file(samhain_initrc_exec_t)
+
+type samhain_var_run_t;
+files_pid_file(samhain_var_run_t)
+
+# Domain for samhain service started by samhain init script
+type samhaind_t;
+type samhain_exec_t;
+init_ranged_daemon_domain(samhaind_t, samhain_exec_t, mls_systemhigh)
+samhain_service_template(samhaind)
+
+# Domain for command line access
+type samhain_t;
+application_domain(samhain_t, samhain_exec_t)
+samhain_service_template(samhain)
+
+########################################
+#
+# Samhain local policy
+#
+
+manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
+files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
+
+domain_use_interactive_fds(samhain_t)
+
+seutil_sigchld_newrole(samhain_t)
+
+userdom_use_user_terminals(samhain_t)
+
+########################################
+#
+# Samhaind local policy
+#
+
+# Need signal_perms to send SIGABRT/SIGKILL to termiate samhain_t
+# Need signull to get the status of samhain_t
+allow samhaind_t { samhain_t self }:process signal_perms;
+
+# Only needed when starting samhain daemon from its init script.
+can_exec(samhaind_t, samhain_exec_t)
+
+read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -1243,6 +1243,10 @@ template(`userdom_security_admin_template',`
 		aide_run($1,$2)
 	')

+	optional_policy(`
+		samhain_run($1, $2)
+	')
+
 	optional_policy(`
 		consoletype_exec($1)
 	')