[rsbac] script for initial RC policy to use with learning mode

Jens Kasten jens at kasten-edv.de
Thu Jan 7 16:56:05 CET 2016


Hi Juan,

Today I would never use shell scripts for such tasks anymore.
They are good for testing, but that should be enough once the experimental phase is over. Python is the better shell for me :)

When thinking of RC roles, there has to be a good config setup. For me, e.g. a user installs an nginx server. Therefore a modern config-file format must exist that ships all the information. Hard-coded RC types would produce a conflict in the future because an independent developer could not write policies.

Jens


Am 06.01.2016 17:36 schrieb Javier Juan Martínez Cabezón <tazok at rsbac.org>:
>
> -----BEGIN PGP SIGNED MESSAGE----- 
> Hash: SHA256 
>
>
>
> Hi all, these last days I have been especially cruel, mistreating Jens's 
> code here to make his scripts do bad things: 
> https://www.rsbac.org/wiki/experiences/igraltist/rc#toplevel_directories 
>
> I plan to remove these ugly hacks, the TYPE and ROLE 
> variables and that stupid BASE_NUM, and use arrays as here: 
> declare -a list_used_roles=$(rc_get_item list_roles |awk '{print $1}') 
> to get free roles to assign to newly created roles. 
>
>
> It is also planned to use separate functions for emerge/dpkg/rpm or 
> whatever infernal package system exists, to grant transactions to root 
> (previously authenticated against um, to update with the package system 
> owning its own role). We have to think about whether it is better to grant 
> /etc/init.d an rc_initial_role or an rc_forced_role; for now it has 
> both :S 
>
> For now, reset_caps removes all maximum capabilities from all 
> binaries to allow learning at boot; bootscriptsrc() creates a new role 
> and a new type for each init.d script and each cron task. Names have 
> a 15-character limit (Amon, I think this is too few), so I have to 
> truncate them. 
>
> markrootdir() creates a new type for each top-level entry in / and assigns it to them; 
> the markspecbinaries_role_type function assigns a new type_fd and creates 
> new roles for some special binaries (such as /sbin/init or /bin/su). 
>
> It's not fully tested so it could make your system burn. 
>
> Amon, learning mode denies and then learns; is this the desired 
> behaviour? This means that to fully learn, the same thing has to be 
> executed many times. 
>
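#######################################
# Clear the maximum capabilities on every binary, init script and cron job
# so that learning mode can record at boot what each of them really needs.
# Globals:   none (nullglob/globstar are restored before returning)
# Arguments: none
# Outputs:   one warning per failed attr_set_file_dir call, on stderr
# Returns:   0
#######################################
reset_caps() {
  local file had_nullglob=0 had_globstar=0
  shopt -q nullglob && had_nullglob=1
  shopt -q globstar && had_globstar=1
  # nullglob: an empty or missing directory must not yield the literal
  # pattern as a "file"; globstar: "/usr/libexec/**/*" only recurses with it
  # on (without it "**" behaves like a plain "*").
  shopt -s nullglob globstar
  # /etc/cron.weekly/* was listed twice in the original; every pattern once.
  local -a files=(
    /usr/local/bin/* /usr/local/sbin/* /sbin/* /usr/bin/* /bin/* /usr/sbin/*
    /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.hourly/*
    /etc/cron.monthly/* /etc/cron.d/* /usr/libexec/**/*
  )
  (( had_nullglob )) || shopt -u nullglob
  (( had_globstar )) || shopt -u globstar
  for file in "${files[@]}"; do
    # warn-and-continue: one odd entry must not stop the rest of the reset
    attr_set_file_dir FD "$file" max_caps UA \
      || printf 'reset_caps: attr_set_file_dir failed for %s\n' "$file" >&2
  done
  return 0
}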
> function bootscriptsrc() 
> { 
> TYPE=100 
> ROLE=100 
> for NAME in /etc/init.d/* /etc/cron.daily/* /etc/cron.weekly/* 
> /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/*; 
> do 
> NAMESPROV="$(basename $(echo $NAME))" 
> NAMESROL="$(echo $NAMESPROV |cut -c-11)" 
> NAMESTYPE="$(echo $NAMESPROV |cut -c -7)" 
> # create role 
> rc_set_item ROLE ${ROLE} name ${NAMESROL} 
>
> # set rc_fd_types 
> rc_set_item TYPE ${TYPE} type_netdev_name "${NAMESTYPE}_NDEV" 
> rc_set_item TYPE ${TYPE} type_nettemp_name "${NAMESTYPE}_NDEV" 
> rc_set_item TYPE ${TYPE} type_netobj_name "${NAMESTYPE}_NOBJ" 
> rc_set_item TYPE ${TYPE} type_user_name "${NAMESTYPE}_USR" 
> rc_set_item TYPE ${TYPE} type_group_name "${NAMESTYPE}_GRP" 
> rc_set_item TYPE ${TYPE} type_ipc_name "${NAMESTYPE}_IPC" 
> rc_set_item TYPE ${TYPE} type_process_name "${NAMESTYPE}_PRC" 
> rc_set_item TYPE ${TYPE} type_fd_name "${NAMESTYPE}_FD" 
>
> rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE} 
> rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE} 
> rc_set_item ROLE ${ROLE} def_process_chown_type 4294967291 
> rc_set_item ROLE ${ROLE} def_process_execute_type 4294967294 
> rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE} 
> rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE} 
> rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE} 
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} 4294967294 
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /run ${TYPE} 
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /tmp ${TYPE} 
> rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE} 
> attr_set_file_dir FD ${NAME} rc_initial_role ${ROLE} 
> attr_set_file_dir FD ${NAME} rc_force_role ${ROLE} 
> ((ROLE++)) 
> ((TYPE++)) 
> done 
> } 
>
> function markrootdir() 
> { 
> BASE_NUM=10 
>
> for dir in /*; do 
> NAME="$(echo $dir)" 
> rc_set_item TYPE ${BASE_NUM} type_fd_name ${NAME} 
> attr_set_file_dir FD ${dir} rc_type_fd ${BASE_NUM} 
> ((BASE_NUM++)) 
> done 
> } 
>
> function markothertypesfiles() 
> { 
> BASE_NUM=500 
> for file in /etc/conf.d /etc/default /etc/lilo.conf  /etc/fwknop 
> /etc/openvpn /etc/shadow /etc/gshadow /etc/dovecot /etc/grub.d 
> /etc/hiawatha /etc/openvpn /etc/pam.d /etc/privoxy /etc/tripwire /var/* 
> do 
>
> NAME="$(basename $(echo $(echo $file)'cfg'))" 
> rc_set_item TYPE ${BASE_NUM} type_fd_name ${NAME} 
> attr_set_file_dir FD ${file} rc_type_fd ${BASE_NUM} 
> ((BASE_NUM++)) 
> done 
> } 
>
> function markspecbinaries_roles_types() 
> { 
> TYPE=800 
> ROLE=800 
> for NAME in /sbin/agetty /bin/login /sbin/init /bin/su /sbin/lilo 
> do 
> NAMESPROV="$(basename $(echo $NAME))" 
> NAMESROL="$(echo $NAMESPROV |cut -c-11)" 
> NAMESTYPE="$(echo $NAMESPROV |cut -c -7)" 
> # create role 
> rc_set_item ROLE ${ROLE} name ${NAMESROL} 
>
> # set rc_fd_types 
> rc_set_item TYPE ${TYPE} type_netdev_name "${NAMESTYPE}_NDEV" 
> rc_set_item TYPE ${TYPE} type_nettemp_name "${NAMESTYPE}_NDEV" 
> rc_set_item TYPE ${TYPE} type_netobj_name "${NAMESTYPE}_NOBJ" 
> rc_set_item TYPE ${TYPE} type_user_name "${NAMESTYPE}_USR" 
> rc_set_item TYPE ${TYPE} type_group_name "${NAMESTYPE}_GRP" 
> rc_set_item TYPE ${TYPE} type_ipc_name "${NAMESTYPE}_IPC" 
> rc_set_item TYPE ${TYPE} type_process_name "${NAMESTYPE}_PRC" 
> rc_set_item TYPE ${TYPE} type_fd_name "${NAMESTYPE}_FD" 
>
> rc_set_item ROLE ${ROLE} def_user_create_type ${TYPE} 
> rc_set_item ROLE ${ROLE} def_process_create_type ${TYPE} 
> rc_set_item ROLE ${ROLE} def_process_chown_type 4294967291 
> rc_set_item ROLE ${ROLE} def_process_execute_type 4294967294 
> rc_set_item ROLE ${ROLE} def_ipc_create_type ${TYPE} 
> rc_set_item ROLE ${ROLE} def_group_create_type ${TYPE} 
> rc_set_item ROLE ${ROLE} def_fd_create_type ${TYPE} 
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type ${TYPE} 4294967294 
> rc_set_item ROLE ${ROLE} def_unixsock_create_type ${TYPE} 
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /run ${TYPE} 
> rc_set_item ROLE ${ROLE} def_fd_ind_create_type /tmp ${TYPE} 
> attr_set_file_dir FD  ${NAME} rc_initial_role ${ROLE} 
> attr_set_file_dir FD ${NAME} rc_type_fd ${TYPE} 
> ((ROLE++)) 
> ((TYPE++)) 
> done 
> } 
# Placeholder: trusted path execution is not written yet.  Prints the
# author's reminder on stdout and returns 0.
trusted_path_execution() {
  printf '%s\n' 'dummy, to be written with arrays too :), dont get angry....yet'
}
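#######################################
# Entry point: build the initial RC policy.  Order is kept from the original;
# note that bootscriptsrc hands out numbers from 100 upward while
# markothertypesfiles starts at 500, so the ranges must stay apart.  The
# RSBAC admin tools must be on PATH; without them every call below would
# fail one by one, so that is checked once up front.
# Arguments: none (extra arguments are ignored)
# Returns:   1 if a required tool is missing, else the last function's status
#######################################
main() {
  local tool
  for tool in rc_set_item attr_set_file_dir; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      printf 'rc-policy: required RSBAC tool %s not found in PATH\n' "$tool" >&2
      return 1
    fi
  done
  reset_caps
  bootscriptsrc
  markothertypesfiles
  markrootdir
  markspecbinaries_roles_types
}
main "$@"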
> -----BEGIN PGP SIGNATURE----- 
> Version: GnuPG v2 
>
> iQIcBAEBCAAGBQJWjUKHAAoJEFfmTgt/w77fA/wQALm4i0LpRV4iQ8VXLEpIYXDo 
> G9COI/Va35PWCNFck/QePZICFaOyedUir8EOf6KEfUiHA89lWvdeSfdxBDLkkexQ 
> qixBI4Z/X5zLVPq8ttakDEJx3q7hfvY+KoL4TFtrTe2k70c4T2U7LckE10PKKvl8 
> jhLy5O4q/vS0ymxbwENsfGDDQ4LSgyBi2gzMf+HDS39v9POPiQB4vufmugjuLxUi 
> aM6b4agpJ8F7s8p8HBaTYPe+2FFLCdxOOwZiDn/3DkqB3uGHUEqL84T5ewUGSeTW 
> +f4ZBpLx5BMWfg7fXZsrXJhbyIHrLEf0W2POqYGKhepW3r9IEZGujZ35oOAqErlK 
> 5e25BF31VsSQlNkS9gLcfhxUf7en04PlBaTOxZua7pvJVMLbw4xp4G5fMyuupWll 
> wesgdfZDmcappJYpbk00yMmxfep+2oKU1gXZQVN09slPobPgnvxWV1X1R4Mg4JMR 
> 9gjIXoHpv/wSWIosIUI4/Xlv2HhaOdDMhICrznvd0R8QRa+zoCstfwxdKUFgK39R 
> V36fH6Q2Exc4Ye79dLkh087FG0XB6JfeKx5GGKjeOp+zrW0OOuTFLPzI6eI5Lemd 
> 3pqep4o4inNXgzipQ42AuNRHNjFFKZUcXUPjIL4U+WGrg6iDgtG8XGZzbeMUJd0u 
> 3RssrlvVjGVMGIjNn5DH 
> =uu+Z 
> -----END PGP SIGNATURE----- 

