December 15, 2006

[selinux-users:01808] On creating a new domain for F-Secure Anti-Virus Linux Gateway using seedit


Nice to meet you, my name is Furukawa.

I am using F-Secure Anti-Virus Linux Gateway (Ver 2.20) on CentOS 4.4.

I am trying to create a new domain for F-Secure Anti-Virus Linux Gateway
using seedit.
I am attempting to generate the policy from the denial (warning) logs, but it does not seem to work.

Could anyone give me some advice?

Below is the output of audit2spdl -al.
------------------------------------------
# audit2spdl -al
Warning: no CWD %sogress:28/41
['type=AVC_PATH msg=audit(1166105031.478:53): path=2F535953563030303030336538202864656C6574656429\n', 'type=SYSCALL msg=audit(1166105031.478:53): arch=40000003 syscall=117 per=400000 success=yes exit=0 a0=15 a1=90000 a2=0 a3=bfffe4f4 items=0 pid=5192 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="virusgw_admin" exe="/home/virusgw/virusgw"\n', 'type=AVC msg=audit(1166105031.478:53): avc: denied { execute } for pid=5192 comm="virusgw_admin" name="SYSV000003e8" dev=tmpfs ino=589824 scontext=root:system_r:virusgw_t tcontext=root:object_r:virusgw_tmpfs_t tclass=file\n']
##Guessing fullpath by locate:type=AVC msg=audit(1166105031.478:53): avc: denied { execute } for pid=5192 comm="virusgw_admin" name="SYSV000003e8" dev=tmpfs ino=589824 scontext=root:system_r:virusgw_t tcontext=root:object_r:virusgw_tmpfs_t tclass=file

#Analyzing log. Progress:Done1
-------------------------
#SELinux deny log:
type=AVC msg=audit(1166105031.478:53): avc: denied { execute } for pid=5192 comm="virusgw_admin" name="SYSV000003e8" dev=tmpfs ino=589824 scontext=root:system_r:virusgw_t tcontext=root:object_r:virusgw_tmpfs_t tclass=file
#Suggested configuration
File virusgw_t.sp:
#Failed to generate, because failed to obtain fullpath.
#allow SYSV000003e8 x,r,s;

------------------------------------------

The error message says that the full path could not be obtained,
but I cannot find a file named SYSV000003e8 even when I search for it with the find command.

auditd is running, and running updatedb
gave the same result.

The policy file for seedit is as follows.
---------------------------------------------------
# cat virusgw_t.sp

{
domain virusgw_t;
program /home/virusgw/virusgw;
include common-relaxed.sp;
include daemon.sp;
include logfile.sp;
include nameservice.sp;

#Write access control here....

allow /home/virusgw/** s,r,w,x;
allownet -protocol tcp -port 8080 server;
allownet -protocol tcp -port 9012 server;
allownet -protocol tcp -port 8021 server;

#Add by seedit-generator
allow etc_runtime_t r,s;
}
----------------------------------------------------

As a test, I added
allow SYSV000003e8 x,r,s;
to /etc/seedit/policy/virusgw_t.sp,
applied the policy,
rebooted the machine, and then ran
audit2spdl -al
again, but got the same result.

I'm not sure whether this is helpful, but I found something called selpaw
in a past mailing list thread, and the results of running it are below.
Even looking at the results, I don't have the skill to know what to do,
so I am planning to look into it from here.

--Results from audit.log-------------------------------------

##############################################################################
##There are 11 denied lines in this log.
##This is a raw policy.
##You may allow these if you really want to permit them to.
##############################################################################

module my_module_by_selpaw 0.01;

require {

class dir { search };
class file { execute };
class file { read };
class sock_file { unlink };

type sshd_t;
type virusgw_t;
type dir_home_virusgw_t;
type dir_homedir_dssh_t;
type etc_t;
type home_virusgw_t;
type homedir_rootdir_t;
type ldconfig_cache_t;
type var_tmp_t;
type virusgw_tmpfs_t;

}
allow sshd_t dir_homedir_dssh_t:dir { search };
allow sshd_t homedir_rootdir_t:file { read };
allow virusgw_t dir_home_virusgw_t:dir { search };
allow virusgw_t etc_t:dir { search };
allow virusgw_t home_virusgw_t:dir { search };
allow virusgw_t home_virusgw_t:file { read };
allow virusgw_t ldconfig_cache_t:file { execute };
allow virusgw_t var_tmp_t:sock_file { unlink };
allow virusgw_t virusgw_tmpfs_t:file { execute };

##############################################################################
##You may allow above more efficiently by using interfaces written down below.
##Alert: This is a soft policy.An error may occure on filetrans interface.
##Please comment out those lines. All you have to do is just make this file,
##and load. :)
##You may use hard policy if you want your system much secure.
##There are 28 interfaces you can use.
##############################################################################

module my_module_by_selpaw 0.01;

require {

class capability dac_override;
class capability { setuid setgid dac_override };
class dbus send_msg;
class dbus { send_msg acquire_svc };
class dir getattr;
class dir search;
class dir setattr;
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
class dir { getattr read search };
class dir { getattr read };
class dir { getattr search read lock ioctl };
class dir { getattr search };
class dir { read getattr lock search ioctl add_name remove_name write };
class dir { read getattr lock search ioctl };
class fd use;
class fifo_file { getattr read write append ioctl lock };
class fifo_file { write getattr };
class file r{ getattr execute };
class file unlink;
class file { create getattr setattr read write append rename link unlink ioctl lock };
class file { create ioctl read getattr lock write setattr append link unlink rename };
class file { getattr read write append ioctl lock };
class file { getattr read write };
class file { getattr read };
class file { read getattr lock ioctl };
class file { read getattr };
class file { relabelfrom relabelto };
class lnk_file { getattr read };
class lnk_file { read getattr lock ioctl };
class netlink_audit_socket { { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write } nlmsg_relay };
class netlink_selinux_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
class process sigchld;
class process signal;
class process { getattr sigkill signal };
class process { sigkill signal };
class process { { sigchld sigkill sigstop signull signal } setpgid };
class sock_file write;
class tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
class tcp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
class udp_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
class unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
class unix_stream_socket connectto;
class unix_stream_socket { connectto { ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept } };
class unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };

type 1_dbusd_t;
type 1_dbusd_tmp_t;
type 1_t;
type 2;
type cupsd_etc_t;
type cupsd_rw_etc_t;
type dbusd_etc_t;
type dhcp_etc_t;
type etc_runtime_t;
type etc_t;
type hotplug_etc_t;
type innd_etc_t;
type lvm_etc_t;
type mysqld_etc_t;
type postfix_etc_t;
type postfix_exec_t;
type postfix_master_t;
type postfix_public_t;
type postfix_spool_t;
type postfix_user_domtrans;
type postfix_var_run_t;
type postgresql_etc_t;
type self;
type sshd_t;
type system_dbusd_t;
type system_dbusd_var_run_t;
type virusgw_t;
type xdm_rw_etc_t;

}
cups_read_config(virusgw_t)
cups_read_rw_config(virusgw_t)
dbus_stub(virusgw_t)
files_delete_etc_files(virusgw_t)
files_etc_filetrans(virusgw_t)
files_exec_etc_files(virusgw_t)
files_list_etc(virusgw_t)
files_manage_etc_files(virusgw_t)
files_manage_etc_runtime_files(virusgw_t)
files_read_etc_files(virusgw_t)
files_read_etc_runtime_files(virusgw_t)
files_relabel_etc_files(virusgw_t)
files_rw_etc_files(virusgw_t)
files_rw_etc_runtime_files(virusgw_t)
files_search_etc(virusgw_t)
files_setattr_etc_dirs(virusgw_t)
hotplug_getattr_config_dirs(virusgw_t)
hotplug_read_config(virusgw_t)
hotplug_search_config(virusgw_t)
inn_read_config(virusgw_t)
lvm_read_config(virusgw_t)
mysql_read_config(virusgw_t)
postfix_config_filetrans(virusgw_t)
postfix_read_config(virusgw_t)
postfix_stub(virusgw_t)
postgresql_read_config(virusgw_t)
sysnet_read_dhcp_config(virusgw_t)
xserver_read_xdm_rw_config(virusgw_t)


##############################################################################
##This is a hard policy. You can replace interfaces remaining require brackets.
##If you want to allow more interfaces for the future, you may use soft policy above.
##There are 23 interfaces you can use.
##############################################################################

module my_module_by_selpaw 0.01;

cups_read_config(virusgw_t)
cups_read_rw_config(virusgw_t)
dbus_stub(virusgw_t)
files_delete_etc_files(virusgw_t)
files_etc_filetrans(virusgw_t)
files_exec_etc_files(virusgw_t)
files_list_etc(virusgw_t)
files_manage_etc_files(virusgw_t)
files_manage_etc_runtime_files(virusgw_t)
files_read_etc_files(virusgw_t)
files_read_etc_runtime_files(virusgw_t)
files_relabel_etc_files(virusgw_t)
files_rw_etc_files(virusgw_t)
files_rw_etc_runtime_files(virusgw_t)
hotplug_read_config(virusgw_t)
hotplug_search_config(virusgw_t)
inn_read_config(virusgw_t)
lvm_read_config(virusgw_t)
mysql_read_config(virusgw_t)
postfix_config_filetrans(virusgw_t)
postfix_read_config(virusgw_t)
postfix_stub(virusgw_t)
postgresql_read_config(virusgw_t)


--Results from /var/log/messages-------------------------------------

##############################################################################
##There are 30 denied lines in this log.
##This is a raw policy.
##You may allow these if you really want to permit them to.
##############################################################################

module my_module_by_selpaw 0.01;

require {

class dir { search };
class file { append };
class file { execute };
class file { execute_no_trans };
class file { read };
class lnk_file { read };
class sock_file { unlink };
class tcp_socket { name_bind };

type syslogd_t;
type virusgw_t;
type dir_dev_t;
type dir_home_virusgw_t;
type etc_runtime_t;
type home_virusgw_t;
type unpriv_tcp_port_t;
type var_tmp_t;
type virusgw_tmpfs_t;

}
allow syslogd_t dir_dev_t:sock_file { unlink };
allow virusgw_t dir_home_virusgw_t:dir { search };
allow virusgw_t etc_runtime_t:file { read };
allow virusgw_t home_virusgw_t:dir { search };
allow virusgw_t home_virusgw_t:file { append };
allow virusgw_t home_virusgw_t:file { execute };
allow virusgw_t home_virusgw_t:file { execute_no_trans };
allow virusgw_t home_virusgw_t:file { read };
allow virusgw_t home_virusgw_t:lnk_file { read };
allow virusgw_t unpriv_tcp_port_t:tcp_socket { name_bind };
allow virusgw_t var_tmp_t:sock_file { unlink };
allow virusgw_t virusgw_tmpfs_t:file { execute };

##############################################################################
##You may allow above more efficiently by using interfaces written down below.
##Alert: This is a soft policy.An error may occure on filetrans interface.
##Please comment out those lines. All you have to do is just make this file,
##and load. :)
##You may use hard policy if you want your system much secure.
##There are 4 interfaces you can use.
##############################################################################

module my_module_by_selpaw 0.01;

require {

class dir { read getattr lock search ioctl add_name remove_name write };
class dir { read getattr lock search ioctl };
class file { create ioctl read getattr lock write setattr append link unlink rename };
class file { create read write setattr unlink };
class file { getattr read write append ioctl lock };
class file { read getattr lock ioctl };
class lnk_file { getattr read };

type etc_runtime_t;
type etc_t;
type root_t;
type syslogd_t;
type virusgw_t;

}
files_create_boot_flag(virusgw_t)
files_manage_etc_runtime_files(virusgw_t)
files_read_etc_runtime_files(virusgw_t)
files_rw_etc_runtime_files(virusgw_t)


##############################################################################
##This is a hard policy. You can replace interfaces remaining require brackets.
##If you want to allow more interfaces for the future, you may use soft policy above.
##There are 4 interfaces you can use.
##############################################################################

module my_module_by_selpaw 0.01;

files_create_boot_flag(virusgw_t)
files_manage_etc_runtime_files(virusgw_t)
files_read_etc_runtime_files(virusgw_t)
files_rw_etc_runtime_files(virusgw_t)

Posted by xml-rpc : December 15, 2006 14:39
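As an added example, not part of the post above nor code from seedit or selpaw: a small Python script that decodes the hex-encoded AVC_PATH record and classifies the denial. The path decodes to `/SYSV000003e8 (deleted)` on tmpfs, which is the name the kernel gives a System V shared-memory segment (key 0x3e8), and the SYSCALL record is i386 ipc(2) with call SHMAT, so the object is a shm segment that never appears in the filesystem; that is why find, locate and a path-keyed rule all fail. The record strings are copied from the post (the SYSCALL line is shortened); the AUDIT_ARCH_I386, ipc and SHMAT numbers are kernel constants.

```python
import re

# Audit records quoted in the post above (the SYSCALL line is shortened).
AVC_PATH = ('type=AVC_PATH msg=audit(1166105031.478:53): '
            'path=2F535953563030303030336538202864656C6574656429')
SYSCALL = ('type=SYSCALL msg=audit(1166105031.478:53): arch=40000003 syscall=117 '
           'per=400000 success=yes exit=0 a0=15 a1=90000 a2=0 a3=bfffe4f4 pid=5192 '
           'comm="virusgw_admin" exe="/home/virusgw/virusgw"')
AVC = ('type=AVC msg=audit(1166105031.478:53): avc: denied { execute } for pid=5192 '
       'comm="virusgw_admin" name="SYSV000003e8" dev=tmpfs ino=589824 '
       'scontext=root:system_r:virusgw_t tcontext=root:object_r:virusgw_tmpfs_t tclass=file')

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'denied\s+\{([^}]*)\}')
SYSV_SHM_RE = re.compile(r'^SYSV([0-9a-f]{8})$')
AUDIT_ARCH_I386 = '40000003'   # i386 syscall 117 is ipc(2); ipc call 21 (0x15) is SHMAT

def parse_fields(record):
    """Return the key=value fields of one audit record, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(record)}

def decode_audit_path(path_record):
    """auditd hex-encodes a path that contains spaces or unprintable bytes."""
    return bytes.fromhex(parse_fields(path_record)['path']).decode('utf-8', 'replace')

def syscall_summary(syscall_record):
    """Name the call well enough to see whether a real file was involved."""
    f = parse_fields(syscall_record)
    if f.get('arch') == AUDIT_ARCH_I386 and f.get('syscall') == '117':
        return 'ipc(SHMAT)' if f.get('a0') == '15' else 'ipc(call %s)' % f.get('a0')
    return 'syscall %s on arch %s' % (f.get('syscall'), f.get('arch'))

def classify_denial(avc_record, path_record):
    """Explain why a path-based policy generator cannot resolve this object."""
    f = parse_fields(avc_record)
    path = decode_audit_path(path_record)
    info = {'path': path, 'deleted': path.endswith(' (deleted)'),
            'perm': PERM_RE.search(avc_record).group(1).split(), 'shm_key': None,
            'target_type': f['tcontext'].split(':')[2]}
    m = SYSV_SHM_RE.match(f.get('name', ''))
    if f.get('dev') == 'tmpfs' and m:
        # The kernel names System V shared-memory segments SYSV<key> on its
        # internal tmpfs mount; they never appear in the filesystem, so
        # find/locate cannot succeed and a path-keyed rule cannot match.
        info['kind'], info['shm_key'] = 'sysv_shm', int(m.group(1), 16)
    else:
        info['kind'] = 'file'
    return info
```

Calling `classify_denial(AVC, AVC_PATH)` reports kind `sysv_shm`, key 1000 and target type `virusgw_tmpfs_t`, which points to keying any rule on the type label rather than on a path.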