From: Mimi Z. <zo...@li...> - 2009-10-13 13:04:57
On Tue, 2009-10-13 at 10:18 +0200, Roberto Sassu wrote:
> On Tuesday 13 October 2009 01:24:17 Mimi Zohar wrote:
> > On Mon, 2009-10-12 at 11:15 +0200, Roberto Sassu wrote:
> > > Hi all
> > >
> > > I have tried to write an IMA policy in order to measure all files, in a
> > > system with SELinux installed, accessed by subjects with security context
> > > starting with "system_u:system_r" and to skip files with label
> > > "initrc_var_run_t" (/var/run/utmp) which is the origin of multiple
> > > violations.
> > > The policy is:
> > >
> > > --------
> > > dont_measure obj_type=initrc_var_run_t
> > > measure subj_user=system_u func=PATH_CHECK mask=MAY_READ
> > > measure subj_role=system_r func=PATH_CHECK mask=MAY_READ
> > > --------
> >
> > The policy order, as you realized, is important. The action is based on
> > the first rule matched. Are you running an SELinux targeted policy? To
> > see the LSM labels associated with a process execute: ps -aeZ. With a
> > targeted policy, a number of processes are run as unconfined. Instead of
> > the above policy rules, please try these:
> >
> > dont_measure func=PATH_CHECK mask=MAY_READ obj_type=initrc_var_run_t
> > measure func=PATH_CHECK mask=MAY_READ uid=0
> >
> > Thanks!
> >
> > Mimi
> >
>
> I'm running Fedora 11 with the targeted policy in a virtual machine and I log
> in with ssh. By enabling some system services I encountered some other
> violations. One is caused by the service "pcsd" which I disabled for now. I
> added a few other exceptions in the policy you suggested, to clean the others:
>
> dont_measure func=PATH_CHECK mask=MAY_READ obj_type=initrc_var_run_t
> dont_measure func=PATH_CHECK mask=MAY_READ obj_type=sendmail_var_run_t
> dont_measure func=PATH_CHECK mask=MAY_READ obj_type=hald_var_run_t
> dont_measure func=PATH_CHECK mask=MAY_READ obj_type=consolekit_log_t
> measure func=PATH_CHECK mask=MAY_READ uid=0

For now, with these types of rules we can eliminate the ToMToU/open_writers
auditing messages and prevent invalidating the PCR, but before adding these
types of rules, we should really understand the underlying problem. For
example: ck-history opens for read /var/log/ConsoleKit/history, while
console-kit-daemon has it open for write. (open-writers)

# lsof +c 0 /var/log/ConsoleKit/history
COMMAND         PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
console-kit-dae 2067 root    9w   REG    8,2  1550104 1196033 /var/log/ConsoleKit/history

So, is it necessary for console-kit-daemon to open for write and never close
/var/log/ConsoleKit/history or should console-kit-daemon be modified?

Mimi
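The first-match rule ordering discussed in this thread, as an added example that is not part of the thread and not the kernel's IMA code: a small Python model of IMA policy evaluation. It assumes a simplified "action key=value ..." rule syntax covering only the keys used above (func, mask, uid, subj_user, subj_role, obj_type), and the two sample accesses (a system_u:system_r process reading /var/run/utmp, and an unconfined root process reading a file labelled passwd_file_t) are constructed for the illustration. It shows why Roberto's original ordering skips utmp, why moving the dont_measure rule last would measure it instead, and why a subj_user/subj_role-based policy misses unconfined root processes that the uid=0 rule catches.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    """One file access as the policy sees it (constructed model, not kernel types)."""
    func: str       # IMA hook, e.g. PATH_CHECK
    mask: str       # access mask, e.g. MAY_READ
    uid: int        # uid of the accessing process
    subj_user: str  # SELinux user component of the process label
    subj_role: str  # SELinux role component of the process label
    obj_type: str   # SELinux type of the file being accessed


def parse_policy(text: str):
    """Parse 'action key=value ...' lines into a list of (action, conditions)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *conds = line.split()
        if action not in ("measure", "dont_measure"):
            raise ValueError(f"unknown action in rule: {line}")
        conditions = dict(c.split("=", 1) for c in conds)
        rules.append((action, conditions))
    return rules


def decide(rules, access: Access) -> str:
    """Return the action of the first rule whose conditions all hold.

    Every key=value in a rule must match; when no rule matches, nothing is
    measured ("no_match"), which is why an over-narrow measure rule silently
    leaves accesses out of the measurement list.
    """
    for action, conditions in rules:
        if all(str(getattr(access, key, None)) == value
               for key, value in conditions.items()):
            return action
    return "no_match"


# Roberto's first policy (dont_measure first, then label-based measure rules).
ORIGINAL_POLICY = """
dont_measure obj_type=initrc_var_run_t
measure subj_user=system_u func=PATH_CHECK mask=MAY_READ
measure subj_role=system_r func=PATH_CHECK mask=MAY_READ
"""

# Same rules with the exception moved last: the exception never fires.
REORDERED_POLICY = """
measure subj_user=system_u func=PATH_CHECK mask=MAY_READ
measure subj_role=system_r func=PATH_CHECK mask=MAY_READ
dont_measure obj_type=initrc_var_run_t
"""

# Mimi's suggested policy (uid-based, so it covers unconfined processes too).
SUGGESTED_POLICY = """
dont_measure func=PATH_CHECK mask=MAY_READ obj_type=initrc_var_run_t
measure func=PATH_CHECK mask=MAY_READ uid=0
"""

# Constructed sample accesses.
UTMP_BY_SYSTEM = Access("PATH_CHECK", "MAY_READ", 0,
                        "system_u", "system_r", "initrc_var_run_t")
PASSWD_BY_UNCONFINED = Access("PATH_CHECK", "MAY_READ", 0,
                              "unconfined_u", "unconfined_r", "passwd_file_t")


def compare_policies():
    """Evaluate both sample accesses under each policy; returns a dict of outcomes."""
    return {
        "original/utmp": decide(parse_policy(ORIGINAL_POLICY), UTMP_BY_SYSTEM),
        "reordered/utmp": decide(parse_policy(REORDERED_POLICY), UTMP_BY_SYSTEM),
        "original/unconfined": decide(parse_policy(ORIGINAL_POLICY), PASSWD_BY_UNCONFINED),
        "suggested/unconfined": decide(parse_policy(SUGGESTED_POLICY), PASSWD_BY_UNCONFINED),
        "suggested/utmp": decide(parse_policy(SUGGESTED_POLICY), UTMP_BY_SYSTEM),
    }


if __name__ == "__main__":
    for case, outcome in compare_policies().items():
        print(f"{case:22} -> {outcome}")
```

The "original/unconfined" outcome is the practical point behind the ps -aeZ suggestion: on a targeted policy, processes running unconfined carry neither system_u nor system_r, so a label-based measure rule never matches them and their file reads are simply absent from the measurement list rather than flagged.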