[rsbac] Strange syslog-ng, logger, /dev/log behaviour

Javier Martínez tazok.id0 at gmail.com
Sun Jun 15 10:36:17 CEST 2008


Hi all, I'm having some strange problems labelling all IPCs between
these two binaries and the /dev/log socket.

These are my policy-related definitions:


rc_set_item TYPE 4 type_fd_name "user_bin_t"
rc_set_item TYPE 5 type_fd_name "suser_bin_t"
rc_set_item TYPE 6 type_fd_name "secoff_bin_t"
rc_set_item TYPE 7 type_fd_name "perl_bin_t"
rc_set_item TYPE 8 type_fd_name "python_bin_t"
rc_set_item TYPE 9 type_fd_name "script_aux_t"
rc_set_item TYPE 10 type_fd_name "info_bin_t"
rc_set_item TYPE 11 type_fd_name "net_bin_t"
rc_set_item TYPE 12 type_fd_name "samhain_bin_t"
rc_set_item TYPE 13 type_fd_name "boot_bin_t"
rc_set_item TYPE 14 type_fd_name "kernel_data_t"
rc_set_item TYPE 15 type_fd_name "kernel_code_t"
rc_set_item TYPE 16 type_fd_name "libs"
rc_set_item TYPE 17 type_fd_name "pam_data"
rc_set_item TYPE 18 type_fd_name "pam_modules"
rc_set_item TYPE 19 type_fd_name "libopenssl"
rc_set_item TYPE 20 type_fd_name "rc_scripts"
rc_set_item TYPE 21 type_fd_name "runlevels"
rc_set_item TYPE 22 type_fd_name "init.d"
rc_set_item TYPE 23 type_fd_name "openssl_data"
rc_set_item TYPE 24 type_fd_name "config_gen"
rc_set_item TYPE 25 type_fd_name "libexec"
rc_set_item TYPE 26 type_fd_name "portage_data"
rc_set_item TYPE 27 type_fd_name "logs"
rc_set_item TYPE 28 type_fd_name "samhain"
rc_set_item TYPE 29 type_fd_name "localtime_cfg"
rc_set_item TYPE 30 type_fd_name "linker_cfg"
rc_set_item TYPE 31 type_fd_name "terminfo_cfg"
rc_set_item TYPE 32 type_fd_name "cron_cfg"
rc_set_item TYPE 33 type_fd_name "cron_bin"
rc_set_item TYPE 34 type_fd_name "cron_data"
rc_set_item TYPE 35 type_fd_name "/var"
rc_set_item TYPE 36 type_fd_name "/dev"
rc_set_item TYPE 37 type_fd_name "/"
rc_set_item TYPE 38 type_fd_name "/etc/syslog-ng"
rc_set_item TYPE 39 type_fd_name "/dev/log"
rc_set_item TYPE 3 type_process_name "cron_proc"
rc_set_item TYPE 4 type_process_name "syslog"
rc_set_item TYPE 3 type_dev_name "disk_devs"
rc_set_item TYPE 4 type_dev_name "urandom"
rc_set_item TYPE 5 type_dev_name "ttys"
rc_set_item TYPE 3 type_ipc_name "syslog"
rc_set_item TYPE 40 type_fd_name "syslog_files"
rc_set_item TYPE 41 type_fd_name "syslog_tty"
rc_set_item TYPE 5 type_process_name "logger"
rc_set_item TYPE 4 type_ipc_name "logger"
rc_set_item TYPE 6 type_dev_name "null"
rc_set_item TYPE 42 type_fd_name "initctl"
rc_set_item TYPE 5 type_ipc_name "init"
rc_set_item TYPE 6 type_process_name "init"
rc_set_item TYPE 43 type_fd_name "common_cfg"
rc_set_item TYPE 44 type_fd_name "conf.d"
rc_set_item TYPE 45 type_fd_name "tty"
rc_set_item TYPE 46 type_fd_name "utmp"
rc_set_item TYPE 47 type_fd_name "/var/run"
rc_set_item TYPE 6 type_ipc_name "cron_ipc"
rc_set_item TYPE 3 type_user_name "root"
rc_set_item TYPE 4 type_user_name "secoff"
rc_set_item TYPE 5 type_user_name "gen_users"
rc_set_item TYPE 7 type_ipc_name "/dev/log"
rc_set_item TYPE 48 type_fd_name "logger"

The assignments of my policy:

attr_set_file_dir RC FILE "/usr/sbin/syslog-ng" rc_force_role 9
attr_set_file_dir RC FILE "/usr/bin/logger" rc_force_role 18
attr_set_file_dir DIR "/etc/syslog-ng" rc_type_fd 38


and the policy itself:
#logger
rc_set_item -a ROLE 18 def_process_create_type 5
rc_set_item -a ROLE 18 def_ipc_create_type 4
rc_set_item -a ROLE 18 type_comp_fd 39 SEARCH
rc_set_item -a ROLE 18 type_comp_fd 36 R
rc_set_item -a ROLE 18 type_comp_fd 37 R
rc_set_item -a ROLE 18 type_comp_fd 24 SEARCH
rc_set_item -a ROLE 18 type_comp_fd 30 R
rc_set_item -a ROLE 18 type_comp_fd 16 R MAP_EXEC
rc_set_item -a ROLE 18 type_comp_fd 29 R
rc_set_item -a ROLE 18 type_comp_dev 4 R
rc_set_item -a ROLE 18 def_unixsock_create_type 48
rc_set_item -a ROLE 18 type_comp_ipc 4 RW

#syslog-ng
rc_set_item -a ROLE 9 type_comp_fd 47 RW
rc_set_item -a ROLE 9 def_fd_create_type 40
rc_set_item -a ROLE 9 type_comp_fd 40 RW
rc_set_item -a ROLE 9 def_process_create_type 4
rc_set_item -a ROLE 9 def_ipc_create_type 4
rc_set_item -a ROLE 9 type_comp_ipc 3 CREATE
rc_set_item -a ROLE 9 type_comp_process 4 CLONE CREATE
rc_set_item -a ROLE 9 type_comp_fd 37 READ READ_OPEN SEARCH
rc_set_item -a ROLE 9 type_comp_fd 35 R CREATE
rc_set_item -a ROLE 9 type_comp_fd 36 SEARCH CREATE
rc_set_item -a ROLE 9 type_comp_fd 41 SEARCH CREATE CHANGE_OWNER MODIFY_PERMISSIONS_DATA
rc_set_item -a ROLE 9 type_comp_fd 29 R
rc_set_item -a ROLE 9 type_comp_fd 24 SEARCH

for role in 2 9; do rc_set_item -a ROLE "$role" type_comp_dev 4 R; done

rc_set_item -a ROLE 9 type_comp_fd 16 R MAP_EXEC EXECUTE
rc_set_item -a ROLE 9 type_comp_dev 3 R
rc_set_item -a ROLE 9 type_comp_fd 30 R
rc_set_item -a ROLE 9 type_comp_fd 38 R
rc_set_item -a ROLE 9 type_comp_fd 27 RW
rc_set_item -a ROLE 9 type_comp_fd 39 RW
rc_set_item -a ROLE 9 type_comp_scd 7 GET_STATUS_DATA
rc_set_item -a ROLE 9 type_comp_dev 5 WRITE
rc_set_item -a ROLE 9 type_comp_ipc 4 RW
rc_set_item -a ROLE 9 def_unixsock_create_type 39
rc_set_item -a ROLE 9 type_comp_dev 5 W
rc_set_item -a ROLE 9 type_comp_dev 6 RW

This is what appears in my logs:

Jun 15 12:11:28 andromeda 0000010267|check_comp_rc(): pid 2323 (syslog-ng), owner 0, rc_role 9, PROCESS rc_type 0, request ACCEPT -> NOT_GRANTED!
Jun 15 12:11:28 andromeda 0000010268|rsbac_adf_request(): request ACCEPT, pid 2323, ppid 1, prog_name syslog-ng, prog_file /usr/sbin/syslog-ng, uid 0, target_type UNIXSOCK, tid Device 03:01 Inode 496003 Path /dev/log, attr process, value 2322, result NOT_GRANTED (Softmode) by RC
Jun 15 12:11:28 andromeda 0000010269|check_comp_rc(): pid 2323 (syslog-ng), owner 0, rc_role 9, IPC rc_type 0, request MODIFY_SYSTEM_DATA -> NOT_GRANTED!
Jun 15 12:11:28 andromeda 0000010270|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 2323, ppid 1, prog_name syslog-ng, prog_file /usr/sbin/syslog-ng, uid 0, target_type IPC, tid AnonUnix-ID 3869, attr setsockopt_level, value 1, result NOT_GRANTED (Softmode) by RC

Jun 15 12:11:27 andromeda 0000010204|check_comp_rc(): pid 2678 (logger), owner 0, rc_role 18, PROCESS rc_type 0, request SEND -> NOT_GRANTED!
Jun 15 12:11:27 andromeda 0000010205|rsbac_adf_request(): request SEND, pid 2678, ppid 2382, prog_name logger, prog_file /usr/bin/logger, uid 0, target_type UNIXSOCK, tid Device 03:01 Inode 496003 Path /dev/log, attr process, value 2322, result NOT_GRANTED (Softmode) by RC

Am I missing something? Why is the process of type 0 if I have
labelled it before?
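An added triage helper for softmode logs like the ones in this post (it is not part of the post, nor one of RSBAC's own tools): it parses the check_comp_rc() denials, groups them by role, target class and request, and flags targets whose rc_type is still 0. It assumes that RC type 0 is RC's built-in General type (the admin-defined types in the policy above start at 3), and the sample lines are copied from the post with the mail wrapping undone.

```python
import re
from collections import Counter

# Log entries copied from the post above, rejoined onto single lines (the mail client wrapped them).
SAMPLE_LOG = """\
Jun 15 12:11:28 andromeda 0000010267|check_comp_rc(): pid 2323 (syslog-ng), owner 0, rc_role 9, PROCESS rc_type 0, request ACCEPT -> NOT_GRANTED!
Jun 15 12:11:28 andromeda 0000010268|rsbac_adf_request(): request ACCEPT, pid 2323, ppid 1, prog_name syslog-ng, prog_file /usr/sbin/syslog-ng, uid 0, target_type UNIXSOCK, tid Device 03:01 Inode 496003 Path /dev/log, attr process, value 2322, result NOT_GRANTED (Softmode) by RC
Jun 15 12:11:28 andromeda 0000010269|check_comp_rc(): pid 2323 (syslog-ng), owner 0, rc_role 9, IPC rc_type 0, request MODIFY_SYSTEM_DATA -> NOT_GRANTED!
Jun 15 12:11:27 andromeda 0000010204|check_comp_rc(): pid 2678 (logger), owner 0, rc_role 18, PROCESS rc_type 0, request SEND -> NOT_GRANTED!
"""

# Shape of a check_comp_rc() line as printed by the RC decision module in the post.
CHECK_RE = re.compile(
    r"check_comp_rc\(\): pid (?P<pid>\d+) \((?P<prog>[^)]+)\), owner (?P<owner>\d+), "
    r"rc_role (?P<role>\d+), (?P<target>\w+) rc_type (?P<rc_type>\d+), "
    r"request (?P<request>\w+) -> (?P<result>\w+)!")

RC_GENERAL_TYPE = 0  # assumption: RC's built-in "General" type; admin-defined types start at 3


def parse_denials(text):
    """Return one dict per check_comp_rc() line whose result is NOT_GRANTED."""
    out = []
    for line in text.splitlines():
        m = CHECK_RE.search(line)
        if m and m.group("result") == "NOT_GRANTED":
            d = {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}
            # The compatibility attribute an admin would review for this target class.
            d["attr"] = "type_comp_" + d["target"].lower()  # e.g. type_comp_process
            d["untyped_target"] = d["rc_type"] == RC_GENERAL_TYPE
            out.append(d)
    return out


def summarize(denials):
    """Count (role, attr, rc_type, request) tuples so each missing grant is listed once."""
    return Counter((d["role"], d["attr"], d["rc_type"], d["request"]) for d in denials)


if __name__ == "__main__":
    for (role, attr, rc_type, req), n in sorted(summarize(parse_denials(SAMPLE_LOG)).items()):
        note = "  <- target still has General type 0" if rc_type == RC_GENERAL_TYPE else ""
        print(f"ROLE {role} {attr} {rc_type} {req}: {n} denial(s){note}")
```

Run against the full softmode log, the summary separates grants that are simply missing from a role's type_comp_* list from targets that never received the intended type (rc_type 0), which is the case in every line of this post.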

