[Open-scap] SELinux policy for oscap tool

Petr Lautrbach plautrba at redhat.com
Thu Mar 29 13:16:38 UTC 2012


Hello,

I started work on confining the oscap probes with SELinux. My first version
can be found here [1].

The first goal was to run the oscap tool with the oscap_t type and all
probes with the oscap_probe_t type.

Right now, oscap_t is an unconfined domain to allow writing results anywhere,
but in future I would allow the oscap tool to write only to oscap_public_t or
something like that.

The oscap_probe_t domain can read all files and filesystems. It can only write to
netlink and UDP sockets, which is needed for the system_info, iflistener and
inetlisteningservers probes. These rules should be split into more oscap_probe*
types, which is the goal for the next phase.

Usage:

[root at f17-devel ~]# tar xfvz openscap-policy.tgz
openscap-policy/oscap.te
openscap-policy/oscap.fc
openscap-policy/oscap.if
openscap-policy/oscap.sh

[root at f17-devel ~]# cd openscap-policy

[root at f17-devel openscap-policy]# ./oscap.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
Compiling targeted oscap module
/usr/bin/checkmodule:  loading policy configuration from tmp/oscap.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 15) to tmp/oscap.mod
Creating targeted oscap.pp policy package
rm tmp/oscap.mod.fc tmp/oscap.mod
+ /usr/sbin/semodule -i oscap.pp
+ /sbin/restorecon -F -R -v /usr/bin/oscap
/sbin/restorecon reset /usr/bin/oscap context system_u:object_r:bin_t:s0->system_u:object_r:oscap_exec_t:s0

[root at f17-devel openscap-policy]# restorecon -R -v /usr/libexec/openscap/probe_*
restorecon reset /usr/libexec/openscap/probe_dnscache context system_u:object_r:bin_t:s0->system_u:object_r:oscap_probe_exec_t:s0
restorecon reset /usr/libexec/openscap/probe_environmentvariable context system_u:object_r:bin_t:s0->system_u:object_r:oscap_probe_exec_t:s0




[1] http://plautrba.fedorapeople.org/openscap/openscap-policy.tgz


Petr
-- 
Petr Lautrbach, Red Hat, Inc.
http://cz.redhat.com
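Added illustration, not the contents of the tarball at [1] and not code from the OpenSCAP project: a first-cut oscap.te written to the description in the post (oscap_t unconfined for now, oscap_probe_t read-only over the filesystem with netlink and UDP sockets as its only write path, and an automatic transition from oscap_t into oscap_probe_t when a probe is executed). Interface and permission-set names are those of the reference policy; the oscap_public_t type, the unconfined_domtrans_to call for entering oscap_t from a root shell, and the trailing neverallow are assumptions made here, not something the post states.

```selinux
policy_module(oscap, 0.1.0)

########################################
#
# Declarations
#

# The scanner. Entered from /usr/bin/oscap, labeled oscap_exec_t.
type oscap_t;
type oscap_exec_t;
application_domain(oscap_t, oscap_exec_t)
role system_r types oscap_t;

# The OVAL probes. Entered from /usr/libexec/openscap/probe_*,
# labeled oscap_probe_exec_t.
type oscap_probe_t;
type oscap_probe_exec_t;
application_domain(oscap_probe_t, oscap_probe_exec_t)
role system_r types oscap_probe_t;

# Assumed label for result files, declared now so that restricting
# oscap_t to it later is a one-line change.
type oscap_public_t;
files_type(oscap_public_t)

########################################
#
# oscap_t local policy
#

# First cut, as in the post: unconfined so results can be written anywhere.
# The later tightening step would replace this line with something like
# manage_files_pattern(oscap_t, oscap_public_t, oscap_public_t).
unconfined_domain(oscap_t)

# Running a probe from oscap_t lands it in oscap_probe_t automatically.
domtrans_pattern(oscap_t, oscap_probe_exec_t, oscap_probe_t)

# Assumption: let a root shell in unconfined_t (the transcript's prompt)
# enter oscap_t when it executes /usr/bin/oscap.
optional_policy(`
	unconfined_domtrans_to(oscap_t, oscap_exec_t)
')

########################################
#
# oscap_probe_t local policy
#

# Probes inherit descriptors from oscap_t and answer it over pipes/sockets.
allow oscap_probe_t oscap_t:fd use;
allow oscap_probe_t oscap_t:fifo_file rw_fifo_file_perms;
allow oscap_probe_t oscap_t:unix_stream_socket rw_socket_perms;
allow oscap_probe_t oscap_t:process sigchld;
allow oscap_probe_t self:unix_stream_socket create_stream_socket_perms;

# "Can read all files and filesystems": read-only over the whole tree,
# plus /proc and sysctls for the process- and network-state probes.
files_read_all_files(oscap_probe_t)
files_read_all_symlinks(oscap_probe_t)
files_list_all(oscap_probe_t)
files_getattr_all_files(oscap_probe_t)
fs_getattr_all_fs(oscap_probe_t)
fs_search_all(oscap_probe_t)
kernel_read_system_state(oscap_probe_t)
kernel_read_network_state(oscap_probe_t)
kernel_read_kernel_sysctls(oscap_probe_t)

# The only write paths: netlink and UDP sockets, needed by the
# system_info, iflistener and inetlisteningservers probes.
allow oscap_probe_t self:netlink_route_socket create_netlink_socket_perms;
allow oscap_probe_t self:udp_socket create_socket_perms;

# Assumed safety check: make the policy build fail if a later rule
# (or a split into oscap_probe* types) lets a probe write any file.
gen_require(`
	attribute file_type;
')
neverallow oscap_probe_t file_type:file { write append create unlink rename };
```

The matching oscap.fc would carry just the two entries the restorecon lines in the transcript reflect, `/usr/bin/oscap -- gen_context(system_u:object_r:oscap_exec_t,s0)` and `/usr/libexec/openscap/probe_.* -- gen_context(system_u:object_r:oscap_probe_exec_t,s0)`. Two caveats: the neverallow is only enforced at build/load time when expand-check is enabled in /etc/selinux/semanage.conf (Fedora ships it off for loadable modules), and the transition into oscap_t should be confirmed with `ps -eZ` during a scan rather than assumed from a clean `semodule -i`.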