[Open-scap] SELinux policy for oscap tool

Petr Lautrbach plautrba at redhat.com
Wed Feb 6 16:25:04 UTC 2013


Hello,

I've uploaded an updated SElinux module for the oscap tool and probes [1].

Changes:
- all oscap probes are labelled as unconfined_oscap_probe_t now.
unconfined_oscap_probe_t is an unconfined domain and it's the base/starting type for the ongoing process
of confining certain probes.

- there is a new type - oscap_tmp_t
this type is used for files generated by oscap_t in /tmp and /var/tmp.
There will be a new fix feature in the oscap tool soon and we can use this type for the remediation
script so we can prevent other confined domains from reading or changing it.

- only unconfined_t and sysadm_t are transitioned to the oscap_t domain, in order not to
allow other confined domains to use the quite strong privileges of oscap_t and unconfined_oscap_probe_t

Thanks to Mirek Grepl for the module review and suggestions.

[1] http://plautrba.fedorapeople.org/openscap/openscap-policy-20130206.tgz

Petr
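To make the structure described in the changes above concrete, here is an added illustrative policy module in SELinux reference-policy syntax. It is not the module from the linked tarball and was written for this page; it only uses the types the thread names (oscap_t, oscap_exec_t, oscap_tmp_t, unconfined_oscap_probe_t, and the earlier mail's oscap_probe_exec_t as the probes' entry type) plus standard refpolicy interfaces (application_domain, files_tmp_file, files_tmp_filetrans, domtrans_pattern, unconfined_domain). The role declarations and the decision to keep oscap_t itself unconfined are assumptions taken from the earlier mail, not from the tarball.

```selinux
policy_module(oscap, 0.1)

########################################
# Declarations

# the oscap tool itself; /usr/bin/oscap is labelled oscap_exec_t in the .fc file
type oscap_t;
type oscap_exec_t;
application_domain(oscap_t, oscap_exec_t)

# results and remediation scripts oscap_t writes under /tmp and /var/tmp
type oscap_tmp_t;
files_tmp_file(oscap_tmp_t)

# all probes run in one unconfined starting domain for now;
# /usr/libexec/openscap/probe_* is labelled oscap_probe_exec_t in the .fc file
type unconfined_oscap_probe_t;
type oscap_probe_exec_t;
application_domain(unconfined_oscap_probe_t, oscap_probe_exec_t)

########################################
# oscap_t local policy

# files and directories oscap_t creates in tmp dirs get oscap_tmp_t automatically.
# No other domain is granted access to oscap_tmp_t here, so a confined domain
# that tries to read or modify a remediation script is denied by default.
manage_dirs_pattern(oscap_t, oscap_tmp_t, oscap_tmp_t)
manage_files_pattern(oscap_t, oscap_tmp_t, oscap_tmp_t)
files_tmp_filetrans(oscap_t, oscap_tmp_t, { dir file })

# only oscap_t launches the probes, and they land in the probe domain
domtrans_pattern(oscap_t, oscap_probe_exec_t, unconfined_oscap_probe_t)

# assumption from the earlier mail: oscap_t is still unconfined at this stage,
# and the probe domain is the unconfined base from which probes get confined later
optional_policy(`
    unconfined_domain(oscap_t)
    unconfined_domain(unconfined_oscap_probe_t)
')

########################################
# Entry points: only unconfined_t and sysadm_t transition into oscap_t.
# No domtrans rule exists for any other domain, so other confined domains
# running /usr/bin/oscap stay in their own domain (or are denied execution).

optional_policy(`
    gen_require(`
        type unconfined_t;
        role unconfined_r;
    ')
    domtrans_pattern(unconfined_t, oscap_exec_t, oscap_t)
    # roles are assumed here; the real module may grant them differently
    role unconfined_r types { oscap_t unconfined_oscap_probe_t };
')

optional_policy(`
    gen_require(`
        type sysadm_t;
        role sysadm_r;
    ')
    domtrans_pattern(sysadm_t, oscap_exec_t, oscap_t)
    role sysadm_r types { oscap_t unconfined_oscap_probe_t };
')
```

The module builds with the same `make -f /usr/share/selinux/devel/Makefile` and `semodule -i` steps shown in the quoted usage below, and a run of `restorecon -F -R -v /usr/bin/oscap /usr/libexec/openscap/probe_*` applies the file contexts. The security point of the last two blocks is that a domain transition is a positive grant: by writing domtrans_pattern only for unconfined_t and sysadm_t, every other confined domain is excluded from oscap_t's and the probe domain's privileges without any explicit deny rule.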


On 03/29/2012 03:16 PM, Petr Lautrbach wrote:
> Hello,
>
> I started work on confining the oscap probes with SELinux. My first version
> can be found here [1].
>
> The first goal was to run the oscap tool with the oscap_t type and all
> probes with the oscap_probe_t type.
>
> Right now, oscap_t is an unconfined domain to allow writing results anywhere,
> but in the future I would allow the oscap tool to write only to oscap_public_t or
> something like that.
>
> The oscap_probe_t domain can read all files and filesystems. It can only write to
> netlink and udp sockets, which is needed for the system_info, iflistener and inetlisteningservers
> probes. These rules should be split into more oscap_probe* types, which is the
> goal for the next phase.
>
> Usage:
>
> [root at f17-devel ~]# tar xfvz openscap-policy.tgz
> openscap-policy/oscap.te
> openscap-policy/oscap.fc
> openscap-policy/oscap.if
> openscap-policy/oscap.sh
>
> [root at f17-devel ~]# cd openscap-policy
>
> [root at f17-devel openscap-policy]# ./oscap.sh
> Building and Loading Policy
> + make -f /usr/share/selinux/devel/Makefile
> Compiling targeted oscap module
> /usr/bin/checkmodule: loading policy configuration from tmp/oscap.tmp
> /usr/bin/checkmodule: policy configuration loaded
> /usr/bin/checkmodule: writing binary representation (version 15) to tmp/oscap.mod
> Creating targeted oscap.pp policy package
> rm tmp/oscap.mod.fc tmp/oscap.mod
> + /usr/sbin/semodule -i oscap.pp
> + /sbin/restorecon -F -R -v /usr/bin/oscap
> /sbin/restorecon reset /usr/bin/oscap context system_u:object_r:bin_t:s0->system_u:object_r:oscap_exec_t:s0
>
> [root at f17-devel openscap-policy]# restorecon -R -v /usr/libexec/openscap/probe_*
> restorecon reset /usr/libexec/openscap/probe_dnscache context system_u:object_r:bin_t:s0->system_u:object_r:oscap_probe_exec_t:s0
> restorecon reset /usr/libexec/openscap/probe_environmentvariable context system_u:object_r:bin_t:s0->system_u:object_r:oscap_probe_exec_t:s0
>
> [1] http://plautrba.fedorapeople.org/openscap/openscap-policy.tgz
>
>
> Petr
