
SELinux Integrity Instrumentation (SII): Instrumenting SELinux for configuration auditing and integrity monitoring


Running head: SELINUX INTEGRITY INSTRUMENTATION

SELINUX INTEGRITY INSTRUMENTATION (SII): INSTRUMENTING SELINUX FOR CONFIGURATION AUDITING AND INTEGRITY MONITORING.

A Dissertation Presented in Partial Fulfillment of the Requirements for the Degree of Doctor of Computer Science

By Mike Libassi

Colorado Technical University

June, 2015


Published by ProQuest LLC (2015). Copyright in the Dissertation held by the Author.

UMI Number: 3717282


Committee

Dr. Henry Felch, Faculty Mentor and Chair

Dr. Steven Gosnell, Committee Member

Dr. Richard Livingood, Committee Member

Date Approved


© Mike Libassi, 2015


Abstract

SELinux is lacking methods to prove compliance with security policies and detect change. The SELinux Integrity Instrumentation (SII) parses key parts of SELinux and the Linux operating system that provide a configuration baseline. SII uses sets of hashing algorithms that allow snapshots to be taken and compared against the baseline. Configuration changes to Services, Booleans, and File Context were detected, and differences displayed. Further, the type (domain) is parsed, and relationships between services, Booleans, and file context can be viewed based on the domain. SII offers a foundation that can be explored for use standalone or integrated into existing SELinux tools. SII can be used by security administrators to ensure configuration integrity and the ability to audit configurations to security goals. It is critical to measure what needs to be managed, and SII brings a unique and innovative way to help manage SELinux.

Keywords: SELinux, integrity, configuration


Dedication

For Taylor and Sarah, if Dad can do it so can you.

For Lori, for the support to get it done.


Acknowledgements

I would like to thank Dr. Henry Felch for mentorship through the process. I would also like to thank my committee: Dr. Maurice Dawson and Dr. Rick Livingood for the valuable feedback. I would like to thank Dr. Steven Gosnell for tasking me to prove the relevance of the research. Further thanks to Stephen Smalley for the discussion of the validity of this research and to Daniel J Walsh, at Red Hat, for specific SELinux guidance and help. I would like to thank Sinclair Community College CIS Chair Robert Sherman for the approval of the CIS lab to run the research and Professor Regnar for help getting the needed hardware. Further, I would like to thank Professor Martha Taylor, at Sinclair College, for the guidance on getting into a doctorate program.


Table of Contents

Acknowledgements ... iv
Table of Contents ... v
List of Tables ... x
List of Figures ... xi
Chapter One ... 1
    Topic Overview/Background ... 1
    Problem Opportunity Statement ... 3
    Purpose Statement ... 4
    Research Question(s) ... 5
    Propositions ... 5
    Theoretical Perspectives/Conceptual Framework ... 6
    Assumptions/Biases ... 6
    Significance of the Study ... 6
    Delimitations ... 6
    Limitations ... 6
    Definition of Terms ... 7
    General Overview of the Research Design ... 7
    Summary of Chapter One ... 8
    Organization of Dissertation ... 8
Chapter Two ... 9
    Seminal Works ... 11
    Policy Analysis ... 17
    Security Metrics ... 22
    Measuring SELinux ... 28
    Security Visualization ... 35
    Summary of Literature Review ... 42
Chapter Three ... 45
    Research Tradition(s) ... 45
    Research Questions and Propositions ... 45
    Research Design ... 46
    SELinux System Relationships ... 47
    The SELinux Instrumentation Architecture ... 49
    Differential Framework ... 51
    Population and Sample ... 52
    Sampling Procedure ... 52
    Instrumentation ... 53
    Validity ... 53
    Research Context ... 54
    Resources Needed ... 54
    When and where the research will be conducted ... 55
    Any other participants involved in your research ... 55
    Reliability ... 55
    Instrumentation ... 57
    Data Collection ... 57
    Tools for collection and analysis ... 58
    Data Analysis ... 59
    Summary of Chapter Three ... 59
Chapter Four ... 60
    Presentation of the Data ... 60
    Presentation and Discussion of Findings ... 61
    Algorithm One - Service Collection ... 64
    Algorithm Two - File Context Collection ... 66
    Algorithm Three - Boolean Collection ... 67
    Algorithm Four - Fingerprint Hash ... 69
    Algorithm Five - Results Collection ... 70
    Algorithm Six - Differential ... 71
    Domain Relationship Testing ... 77
    Presentation and Discussion of Findings ... 78
    Summary of Chapter ... 79
Chapter Five ... 80
    Findings and Conclusions ... 80
    Relationship between Configuration Items ... 93
    Results ... 95
    Findings ... 96
    Limitations of the Study ... 97
    Implications for Practice ... 97
    Implications of Study and Recommendations for Future Research ... 97
    Conclusion ... 98
References ... 100
Appendix A ... 110
Appendix B ... 125
Appendix C ... 127
Appendix D ... 137
Appendix E ... 139
Appendix F ... 141
Appendix G ... 151

List of Tables

Table 1 - Test Verification ... 58
Table 2 - Testing Hardware ... 61
Table 3 - Function Performance Summary ... 76
Table 4 - Sample cProfile Performance ... 77

List of Figures

Figure 1 - Service to Object Relationship ... 47
Figure 2 - Architecture ... 50
Figure 3 - Data Collector Framework ... 51
Figure 4 - Differential Analysis Reference Framework ... 52
Figure 5 - Test Design ... 54
Figure 6 - SII Collection Process ... 63
Figure 7 - Difference Testing ... 64
Figure 8 - Fingerprint Algorithm ... 70
Figure 9 - Diff Function Output ... 74
Figure 10 - Stackdiff function initial test ... 74
Figure 11 - Stackdiff function count of items ... 75
Figure 12 - Stackdiff function Boolean httpd_use_nfs service config test 1 ... 75
Figure 13 - Stackdiff function Boolean httpd_use_nfs service config test 2 ... 75
Figure 14 - Test for relationship by domain httpd ... 78
Figure 15 - Algorithm Performance by SII function ... 82
Figure 16 - Test 2 system cent1 fingerprint change detections ... 84
Figure 17 - Results from SII detection from domain change to Boolean mount_anyfile ... 85
Figure 18 - Results from SII detection from domain change to Boolean httpd_use_nfs ... 86
Figure 19 - Results from SII detection from context change to file context to /usr/sbin/puppetd ... 87
Figure 20 - Results from SII fingerprints for cent1b ... 87
Figure 21 - Results from SII fingerprints for fedora2 ... 88
Figure 22 - Results from SII fingerprints for cent1 test 3 ... 89
Figure 23 - Results from SII test 3 removed service ... 89
Figure 24 - Results from test 3a service fingerprint and added service detection ... 90
Figure 25 - Results from SII context change to File Context item /var/www(/.*)? ... 91
Figure 26 - Results from SII fingerprints for cent2 test 4 ... 92
Figure 27 - Results from SII for cent1 httpd_use_nfs Boolean state change ... 92
Figure 28 - Results from SII for cent1 ftp_home_dir Boolean state change ... 93
Figure 29 - Cent 1 Relationship search based on domain results ... 94
Figure 30 - Domain results for ftpd_t ... 95


CHAPTER ONE

Security Enhanced Linux (SELinux) was developed under the GNU General Public License by the National Security Agency (NSA) and released in 2003 with the Linux 2.6 kernel. SELinux provides a deeper level of security using a Mandatory Access Control (MAC) architecture. MAC allows for fine-grained security on services, processes, ports and files through access rules (called policies).

Example of a policy:

• Potential security issue: A malicious process inherits a user's rights and accesses sensitive files. Firefox is compromised by a malicious add-on and reads the user's private ssh keys even though it has no reason to do so.

• SELinux solution: A policy is developed constraining the programs authorized to read the user's ssh directory to only the ssh service and the ssh client app, thus blocking the threat.

SELinux is a form of security reference monitor that provides mandatory access controls (MAC) (Biba, 1977) and is a key component in upholding the policies that enforce the security objectives.

Topic Overview/Background

SELinux provides a deeper level of security using a Mandatory Access Control (MAC) architecture. MAC allows for "fine grain" security on the services, processes, ports, and files with rules called policies. Many large companies and government agencies currently use this security monitor.


The United States Department of Defense, National Security Agency, Amazon.com, New York Stock Exchange and Large Hadron Collider are a few of the larger Linux installations on a longer list of who is running Linux (“List of Linux adopters - Wikipedia, the free encyclopedia,” n.d.). OpenStack, an open source cloud framework that uses Linux and SELinux, is being adopted by the NSA, which is looking to build a secure cloud for its own use (Kerner, 2013).

All these installations have the open source security mechanism SELinux installed and active by default. However, the complexity of SELinux is an issue that affects its acceptance. Feedback from Stephen Smalley of the Trusted Systems Research Group, NSA, in a personal communication email on May 10th, 2013, also agrees with the value of this work:

I think that research into tools to aid the configuration and monitoring of SELinux would be very relevant today. Despite being a default-enabled security feature of Red Hat and derivative Linux distributions, it remains a challenge for typical Linux admins to go beyond the stock security policy shipped with Red Hat and customize policy to their specific environments and security goals.

SELinux is a security reference monitor, and the seminal works call out the need for reference monitor integrity: it "is protected: its function may not be maliciously or accidentally modified by unauthorized forces" (Biba, 1977, p. 7). Unknown configuration changes to SELinux are a security risk to systems.

A gap exists in current research: the need for a structure that helps with understanding and monitoring the SELinux configuration for integrity audits. Such a framework is applicable not only to today's systems running SELinux but also to the future of SELinux as it finds its way into virtualization solutions like the Xen hypervisor, PaaS systems like Openshift.com, and the mobile space with SELinux support in Android (the SE for Android project).

Improper configuration of security systems is one of the top ten security issues as per OWASP (Open Web Application Security Project (OWASP), 2010), and OWASP's fourth recommendation is to “Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.” (Open Web Application Security Project (OWASP), 2010, p. 12).

A problem with SELinux is the management of the hundreds of SELinux policies. Past research documents over 1,500,000 flat rules involving 1,780 types (Marouf & Shehab, 2011). This added complexity makes it difficult to know SELinux's coverage: whether the services (like HTTP, ssh, and sftp) and the ports and objects they access have the correct configuration to protect them.

The existing research in SELinux policy analysis produces no measure of which policies are protecting which services, nor of the policy state. In addition, there is a need for identifying services that are not being protected by SELinux.

Problem Opportunity Statement

Based on the problem background, the following has been identified:

There is a lack of methods to ensure SELinux configuration compliance.

This problem is outlined by the National Institute of Standards and Technology (NIST) Special Publication SP 800-55 Revision 1. NIST SP 800-55 is a guide to help in the development and implementation of measures for security control effectiveness. Section six lists a few factors contributing to poor security:


“Configuration management practices—New or upgraded information systems that are not configured with required information security settings and patches;” (Chew et al., 2008, p. 46)

and

“Architectures—Poor information system and information security architectures that render information systems vulnerable.” (Chew et al., 2008, p. 46)

In order to maintain system security, the integrity of the reference monitor is crucial; details of its architecture and configuration are needed. One of the rules for a reference monitor outlined by the seminal works is that it “is protected: its function may not be maliciously or accidentally modified by unauthorized forces” (Biba, 1977, p. 7). In addition, recent research also reflects the need for validation: “The Trusted Computing Base not only includes the reference validation mechanism, but also encompasses all other functionalities that directly or indirectly affect the correct operation of the reference validation mechanism.” (Xu, Shehab, & Ahn, 2012, p. 157). So without a measure of SELinux's state, it fails to meet these requirements.

Purpose Statement

A 2012 usability study by Schreuders, McGill, and Payne shows that the usability of SELinux has some problems; feedback from the study stated users were “Unclear or confused about behaviour [sic]” of SELinux (Schreuders, McGill, & Payne, 2012, p. 63). There is a need to validate the SELinux configuration to allow for concise auditing and verification of the security settings, to ensure they are aligned with the security policies set by security administration. These problems are to be researched under the following research questions and proposition.


Research Question(s)

RQ1. Does collecting the relationship of service to policy to object by domain detect changes to services and indicate related policies and object context?

RQ2. Does collecting the relationship of service to policy to object by domain detect changes to policies and indicate related services and object context?

RQ3. Does collecting the relationship of service to policy to object by domain detect changes to object context and indicate related services and policies?

RQ4. Does collecting the relationship of service to policy to object by domain detect services not covered under any security policies?

Propositions

The research here proposes that:

New SELinux Integrity Instrumentation (SII) can prove compliance to security policies through detection of change.

Research using a framework that detects changes to SELinux's configuration will mitigate configuration uncertainties. In addition, the mapping of services, objects and policies will allow for monitoring, auditing and reporting of the SELinux configuration. This concurs with current recommendations: “Access control policies on a process or a daemon should be presented so that users could easily see the entire picture, what the process or daemon can do or cannot do. Scattered settings cause confusion.” (L. Hu, Mayo, & Wallace, 2013, p. 291). It also aligns with NIST recommendations: “Monitor the security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials” (National Institute of Standards and Technology & Aroms, 2012, p. 28).

Theoretical Perspectives/Conceptual Framework

Using the design science research perspective, verification of unique artifacts was done to evaluate their functionality. First, the SII artifacts were validated against a series of test cases, defined in Chapter Three, each resulting in a pass, fail or partial. Second, the timing of the artifacts was measured to judge their performance.

Assumptions/Biases

The use of the Multi-Level Security (MLS) functionality in SELinux was excluded from this research. Not all Linux systems run SELinux; however, a limited heterogeneous install base was used for testing. The Android OS was excluded as part of this research.

Significance of the Study

The artifacts developed from this research can be put into the open source community for further use in SELinux administration and training. Exploration of the SII algorithms outside of SELinux is also possible.

Delimitations

Open source contributions from the study were only verified against specific Linux distributions, specifically Red Hat and Fedora based ones.

Limitations

Research will be limited to Red Hat and Fedora-based distributions of Linux.


Definition of Terms

Policy - The SELinux rule that allows or does not allow access to a service, port, file or asset.

Service - The binary that runs as part of the Linux server. Examples include the Apache web server (HTTP) and Secure File Transfer Protocol (sftp).

Object - In terms of the Linux operating system, objects are items like ports, files, and directories. In SELinux, these are also known as file contexts.

Trusted Computing Base (TCB) - The set of all hardware, firmware, and/or software components that are critical to the system's security. Parts of a computer system outside the TCB must not be able to misbehave in a way that would leak any more privileges than are granted to them in accordance with the security policy.

Integrity - The state of being whole and undivided. In this research, integrity is taken as the Common Vulnerability Scoring System (CVSS) describes it: “Integrity refers to the trustworthiness and guaranteed veracity of information.” (Mell, Scarfone, & Romanosky, 2007, p. 9)

Evaluation - The process of assembling evidence that a system meets, or fails to meet, prescribed assurance goals.

Context - In SELinux, the context is composed of four parts: the user, role, type, and level. The type setting is also referred to as the domain.

General Overview of the Research Design

Develop algorithms that gather configuration data that will be used to prove compliance of the SELinux configuration to security policies. The algorithms will be implemented in an open-source framework that will collect and analyze the SELinux configuration for one or more systems under test.
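The baseline-and-snapshot approach this design describes, as an added illustration written for this page rather than the SII artifacts from the appendices: it parses constructed sample text in the output formats of getsebool -a and semanage fcontext -l, hashes each configuration class into a fingerprint, reports which Booleans or file contexts were added, removed or changed, and lists the items related to a domain. SHA-256 as the hash and the domain-prefix relationship heuristic are this example's assumptions, not the dissertation's.

```python
"""Added example: SELinux configuration fingerprint and differential.

The sample data below is constructed to imitate the output formats of
getsebool -a and semanage fcontext -l. SHA-256 and the domain-prefix
relationship heuristic are assumptions of this example, not SII's design.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed baseline and later snapshot of Booleans (getsebool -a format).
BASELINE_BOOLS = """\
ftp_home_dir --> off
httpd_can_network_connect --> off
httpd_use_nfs --> off
mount_anyfile --> on
"""
SNAPSHOT_BOOLS = """\
ftp_home_dir --> on
httpd_can_network_connect --> off
httpd_use_nfs --> on
mount_anyfile --> on
"""

# Constructed file-context listings (semanage fcontext -l format, with header).
BASELINE_FC = """\
SELinux fcontext        type            Context
/usr/sbin/puppetd       regular file    system_u:object_r:puppet_exec_t:s0
/var/www(/.*)?          all files       system_u:object_r:httpd_sys_content_t:s0
/var/ftp(/.*)?          all files       system_u:object_r:public_content_t:s0
"""
SNAPSHOT_FC = """\
SELinux fcontext        type            Context
/usr/sbin/puppetd       regular file    system_u:object_r:bin_t:s0
/var/www(/.*)?          all files       system_u:object_r:httpd_sys_content_t:s0
/var/ftp(/.*)?          all files       system_u:object_r:public_content_t:s0
"""

def parse_booleans(text: str) -> Dict[str, str]:
    """Map Boolean name -> 'on'/'off' from getsebool-style lines."""
    items: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "-->" and parts[2] in ("on", "off"):
            items[parts[0]] = parts[2]
    return items

def parse_fcontexts(text: str) -> Dict[str, str]:
    """Map path regex -> security context; the type column may contain spaces,
    so the path is the first token and the context the last. Header skipped."""
    items: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "SELinux":
            continue
        items[parts[0]] = parts[-1]
    return items

def fingerprint(items: Dict[str, str]) -> str:
    """SHA-256 over sorted key=value pairs, stable regardless of listing order."""
    digest = hashlib.sha256()
    for key in sorted(items):
        digest.update(f"{key}={items[key]}\n".encode())
    return digest.hexdigest()

def differential(baseline: Dict[str, str], snapshot: Dict[str, str]) -> Dict[str, list]:
    """Classify every item as added, removed or changed between two snapshots."""
    common = baseline.keys() & snapshot.keys()
    return {
        "added": sorted((k, snapshot[k]) for k in snapshot.keys() - baseline.keys()),
        "removed": sorted((k, baseline[k]) for k in baseline.keys() - snapshot.keys()),
        "changed": sorted((k, baseline[k], snapshot[k]) for k in common
                          if baseline[k] != snapshot[k]),
    }

def check_integrity(baseline_text: str, snapshot_text: str, parser) -> Tuple[bool, dict]:
    """Return (fingerprints match, differential) for one configuration class."""
    base, snap = parser(baseline_text), parser(snapshot_text)
    return fingerprint(base) == fingerprint(snap), differential(base, snap)

def related_to_domain(domain: str, bools: Dict[str, str],
                      fcontexts: Dict[str, str]) -> Dict[str, List[str]]:
    """Assumed heuristic: Boolean names and context types sharing the domain prefix."""
    prefix = domain + "_"
    return {
        "booleans": sorted(b for b in bools if b.startswith(prefix)),
        # a context is user:role:type:level; the type field carries the domain
        "fcontexts": sorted(p for p, ctx in fcontexts.items()
                            if ctx.split(":")[2].startswith(prefix)),
    }

if __name__ == "__main__":
    for label, base, snap, parser in (("Booleans", BASELINE_BOOLS, SNAPSHOT_BOOLS, parse_booleans),
                                      ("File contexts", BASELINE_FC, SNAPSHOT_FC, parse_fcontexts)):
        intact, delta = check_integrity(base, snap, parser)
        print(label, "unchanged" if intact else "CHANGED", delta)
    print("httpd:", related_to_domain("httpd", parse_booleans(BASELINE_BOOLS),
                                      parse_fcontexts(BASELINE_FC)))
```

On a real host the two listings would be captured with root privileges and stored alongside their fingerprints so a later run only needs to hash and compare.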

Summary of Chapter One

It is critical to be able to measure what we manage, and system and security administrators should know the configuration of their security systems. Security Misconfiguration is number six on the OWASP Top 10 security issues (Wichers, 2013), and the seminal works also set a basis for the need to maintain integrity. The need to verify that SELinux has not been modified (either by accident or maliciously) is an opportunity for a new framework, which was the basis of the proposed research.

Organization of Dissertation

Chapter Two reviews seminal works in the area of security reference monitors, then reviews the research in policy analysis, security metrics, measuring SELinux and security visualization with reference monitors.

Chapter Three outlines the research framework and a summary of artifact design and testing.

Chapter Four presents the results from the research, with conclusions and recommendations in Chapter Five. The appendix has the artifacts, algorithms, and code, as well as any additional data collected.


CHAPTER TWO

U.S. Military seminal research set the foundations for security integrity with concepts of information flow and integrity that led to the development of new architectures such as Flask and SELinux. With the arrival of new security mechanisms came the need for the ability to maintain their integrity.

Most of the current research has been in the area of security policy analysis. The work here is important to help combat the complexity of SELinux at the policy level. However, a larger perspective of the SELinux system is needed, one that aids with SELinux administration and maintaining configuration integrity. The valuable research into SELinux policy analysis is reviewed in the “Policy Analysis” section of this chapter.

Generating useful measures of SELinux is core to maintaining its integrity. Security metrics, itself still a new field, has research that is useful and may give guidance on the methods of measuring security in this dissertation research. Beneficial research in this area is presented in the “Security Metrics” section.

Metrics that leverage security mechanisms like SELinux are examined separately from general security metrics. An example is analysis of SELinux compared against current threats, resulting in a security measure. Current research like this yields valuable methodologies that give different perspectives on the SELinux configuration that are helpful for this dissertation; it is reviewed in the section titled “Measuring SELinux.”

Security Visualization is another area that is examined as a possible component of this dissertation research. A picture is not just worth a thousand words; it is an essential piece in aiding SELinux administration. Research that uses visualization of SELinux is reviewed in the “Security Visualization” section.


The SANS Institute top cyber security risks state that misconfigured systems are a major security issue and provide guidance on handling this by establishing and ensuring standard secure configurations in the operating systems (Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, n.d.). How can an administrator adhere to this without a clear understanding of the SELinux configuration? Further, the SANS Institute calls for configuration monitoring that measures the elements of a secure configuration (Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, n.d.).

The SANS Institute concept of “Control 3 Metric” calls for change monitoring: “The system must be capable of identifying any changes to an official hardened image that may include modifications to key files, services, ports, configuration files, or any software installed on the system.” (Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, n.d.). The integrity of the reference monitor requires more than understanding of the configuration; it also calls for the need to identify changes to it.

Presented here is a gap in current research, one that must be filled to combat the complexity of SELinux. The work by Machon Gregory and Angela Reninger supports this view (Gregory & Reninger, 2009):

SELinux has a reputation for being difficult to use [15]. New security technologies often face a user acceptance barrier because they are perceived by users as reducing the functionality of the system in the service of the amorphous (to users) goal of security. (p. 1)

This dissertation research was intended to address this issue with unique and relevant concepts in SELinux configuration monitoring. The work here would not be possible without the previous research in this field.

Seminal Works

Seminal research in security systems outlines the operation of security mechanisms and the need for their integrity. A majority of the seminal works are technical reports for the U.S. military, which had a strong need for maintaining the security of information. All the seminal works summarized here call out the need for integrity monitoring of security mechanisms. Even though the specifics of the works concern outdated systems, the principles for maintaining their integrity still hold true today.

Information validity and dissemination control are the basis of the 1977 work by Biba. The result is a protection policy that is used in the security configuration of the system kernel and a reference monitor. Biba models two domains on which a security policy acts, subjects and objects. Interactions between the two have associated modes (observation, modification and invocation), with integrity levels governing the objects.

The model that was presented for security policy creation is theoretical and was developed in the environment of the military security domain. The basis of the model still applies to the mandatory access control (MAC) and discretionary access control (DAC) architectures used today.

The seminal work of Biba (1977) also sets standards for the security reference monitor. The three rules that qualify a reference monitor are:

A reference monitor must satisfy three logical properties:

1. It is complete: all accesses by subjects to objects are monitored and enforced;

2. It is protected: its function may not be maliciously or accidentally modified by unauthorized forces;

3. It has provably proper behavior: it must faithfully enforce the specified protection policy. (Biba, 1977, p. 7)

SELinux is a security reference monitor, and the logical property of protection from malicious or accidental modification sets the basis for the dissertation research.

The Department of Defense (DoD) has called out the need to ensure proper configuration of security controls. Documented trustworthiness is an important aspect communicated in DoD Instruction 8500.2; Enclosure 3 on information assurance implementation specifically calls out:

E3.1.3.3. The ability to test and verify.

E3.1.3.5. The ability to manage changes to an established baseline in a secure manner. (Information Assurance (IA) Implementation, 2003)

This measure of security controls is needed to maintain the robustness of the system; specific robustness levels are called out to measure the strength of security controls. SELinux is the default security reference monitor on the Linux systems used in the DoD and NSA, so the research here will help security administrators follow this guideline.

In addition, the standard ISO/IEC 27001:2013 sets a framework for security guidelines and processes. The core of 27001 calls for monitoring and auditing and thus directly supports the validity of this research. Starting with risk assessment, section 6.1.2 states the need to produce repeatable, consistent and valid results. Section 7.5.1 calls for documented information on the effectiveness of the information security management system, especially documentation of the complexity of its processes and their interactions. Section 9, on performance evaluation and internal audits, requires that the information security management system be checked to ensure it is properly implemented and maintained. Specifically, section A.9.1.1 on access control policies states “An access control policy shall be established, documented and reviewed based on business and information security requirements.” (IEC/ISO, 2013, p. 8). All of these areas of the standard help point out the problem of missing integrity monitoring in SELinux.

The takeaway is the need for documentation and auditing of any security system. This dissertation is based on the need for configuration documentation and monitoring of a security mechanism, like SELinux, to ensure it properly enforces security policies. To achieve this, security systems need to be instrumented for verification. Section A.14.2.3 of 27001 states the need to review platform changes to ensure there are no adverse impacts on security. Having a baseline configuration is needed to comply with section A.18.2.3: “Information systems shall be regularly reviewed for compliance with the organization’s information security policies and standards.” (IEC/ISO, 2013, p. 22). Currently, there are no baseline state metrics for SELinux configuration and thus no clear method to detect changes or to understand its current configuration.
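The baseline-and-change-detection discipline that Control 3 and A.18.2.3 call for can be carried out against the SELinux state an administrator can already capture with `sestatus` and `getsebool -a`. The following Python script is an added example written for this review; it is not part of the dissertation or of the SII framework. The two command outputs embedded in it are constructed to mirror the real text formats, and the choice of fields (status, current and configured mode, loaded policy name, every Boolean) is an assumption about what a baseline should cover. It hashes a canonical encoding of the snapshot so that a single digest answers “has anything changed?”, and reports each changed field when the digest differs.

```python
"""Baseline and change detection for SELinux configuration state.

Added example, not code from the dissertation or any SII release.  The
two sample command outputs below are constructed to mirror the text
format of `sestatus` and `getsebool -a` on a Fedora/RHEL system.
"""
import hashlib
import json
import subprocess

SESTATUS_BASELINE = """\
SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
"""

GETSEBOOL_BASELINE = """\
ftpd_full_access --> off
httpd_can_network_connect --> off
httpd_enable_cgi --> on
"""

# A later capture (constructed) in which someone switched the running mode
# to permissive and turned on ftpd_full_access.  The first "enforcing" in
# the sestatus text is the "Current mode" line.
SESTATUS_LATER = SESTATUS_BASELINE.replace("enforcing", "permissive", 1)
GETSEBOOL_LATER = GETSEBOOL_BASELINE.replace("ftpd_full_access --> off",
                                             "ftpd_full_access --> on")


def parse_sestatus(text):
    """'Key:   value' lines -> dict; keys are lowercased with underscores."""
    out = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        out[key.strip().lower().replace(" ", "_")] = value.strip()
    return out


def parse_getsebool(text):
    """'name --> on|off' lines -> dict of name to bool."""
    out = {}
    for line in text.splitlines():
        if "-->" not in line:
            continue
        name, _, state = line.partition("-->")
        out[name.strip()] = state.strip() == "on"
    return out


def snapshot(sestatus_text, getsebool_text):
    """Canonical snapshot: mode/policy fields from sestatus plus every Boolean."""
    status = parse_sestatus(sestatus_text)
    return {
        "status": status.get("selinux_status"),
        "mode": status.get("current_mode"),
        "config_mode": status.get("mode_from_config_file"),
        "policy": status.get("loaded_policy_name"),
        "booleans": parse_getsebool(getsebool_text),
    }


def digest(snap):
    """SHA-256 over a canonical JSON encoding; stable regardless of dict order."""
    encoded = json.dumps(snap, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def diff_snapshots(baseline, current):
    """Return (field, old, new) for every top-level field or Boolean that differs."""
    changes = []
    for key in ("status", "mode", "config_mode", "policy"):
        if baseline[key] != current[key]:
            changes.append((key, baseline[key], current[key]))
    names = set(baseline["booleans"]) | set(current["booleans"])
    for name in sorted(names):
        old = baseline["booleans"].get(name)
        new = current["booleans"].get(name)
        if old != new:
            changes.append(("boolean:" + name, old, new))
    return changes


def collect_live():
    """Capture a snapshot from the running host (needs the policycoreutils tools)."""
    ses = subprocess.run(["sestatus"], capture_output=True, text=True, check=True).stdout
    gsb = subprocess.run(["getsebool", "-a"], capture_output=True, text=True, check=True).stdout
    return snapshot(ses, gsb)


if __name__ == "__main__":
    base = snapshot(SESTATUS_BASELINE, GETSEBOOL_BASELINE)
    later = snapshot(SESTATUS_LATER, GETSEBOOL_LATER)
    print("baseline digest:", digest(base))
    for field, old, new in diff_snapshots(base, later):
        print(f"CHANGED {field}: {old!r} -> {new!r}")
```

The digest is what a scheduled job would store and compare; `diff_snapshots` is what it would report on mismatch. The snapshot covers the loaded policy's mode and tunables only, not the file-context database or the binary policy itself, so before relying on it for a Control 3 metric the snapshot should also take in the output of `semanage fcontext -l` and a hash of the binary policy file under `/etc/selinux/<policy>/policy/`.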

The seminal work by Saltzer and Schroeder presents design principles for information protection. One of the principles is economy of mechanism; it outlines how complexity can cause security problems. Saltzer and Schroeder state the guideline “Keep the design as simple and small as possible.” (Saltzer & Schroeder, 1974, p. 11). Importance is placed on how protection mechanisms should adhere to this principle. The other principles covered are:

• Fail-safe defaults - base access decisions on permission rather than exclusion, so that an access not explicitly covered by a policy is denied.

• Complete mediation - ensure every access is checked.

• Open design - security through obscurity is not a good measure of protection; the mechanism should not depend on the secrecy of its design.

• Separation of privilege - require more than one key or condition to grant access, so an attacker must breach multiple components to enter a system unauthorized.

• Least privilege - ensure subjects and objects have the lowest privileges needed to operate. If one is breached, this limits the potential damage.

• Least common mechanism - minimize the mechanism shared between subjects (users).

• Psychological acceptability - making a system understandable to use limits the possibility of misuse.

Of these principles, psychological acceptability applies most directly to the research proposed here. One of the goals of the dissertation research is making SELinux understandable so that configuration changes can be identified easily.

The Bell-LaPadula model (BLP) was developed in the domain of military security in the mid-seventies. BLP, abstract in nature, was built for the Multics operating system. The model assigns objects and subjects (i.e., documents and users) to classes of clearance and category. A “no-read-up” rule is imposed so that a subject cannot read objects above its clearance. The model also defines the *-property to cover a subject with access to objects of different clearance levels (Bell & La Padula, 1976): it prevents information from a higher class from being written to an object of a lower classification, the no-write-down rule. The work goes on to prove the basic security theorem: if the system starts in a secure state and each transition abides by the rules, then the system remains in a secure state.

BLP is an abstract model that could be extended beyond a computer system to physical controls. The establishment of the subject and object is also a base in SELinux, and the theorem of maintaining a secure state further supports the need for understanding and monitoring the SELinux configuration.

Rushby’s “Design and Verification of Secure Systems” puts forth the need to verify the system in order to guarantee security; such a guarantee must cover the whole of the trusted computing base (Rushby, 1981). Though it is not the intent of this research to place SELinux within the TCB, verification of the SELinux configuration ensures its dependability for security.

The Computer Security Technology Planning Study, volumes one and two, by James P. Anderson, points to the importance of reference monitor verification: the reference validation mechanism must always be invoked in mediating access (Anderson, 1972a). Anderson further requires that the reference monitor be tamperproof (Anderson, 1972b). Anderson's work points out the need to ensure that the correct SELinux configuration is in place, that it is protecting pertinent services, and that administrators are alerted when it has undergone any changes.

Protection in Operating Systems, by Harrison, Ruzzo, and Ullman (1976), provides guidelines for protection systems. The section on safety states that, in the strongest sense, no protection system is safe, so a weaker condition must be considered: one that says, in effect, that a particular system enables one to keep one's own protection objects under control (Harrison et al., 1976). In order to maintain integrity, there is an underlying need to know the system objects and their current state. With SELinux acting as a protection system, this need is not completely satisfied; the dissertation research here fills it.

Lampson's note on the confinement problem states that certification of the system is a sure way to ensure security, making a distinction between confined and unconfined programs (Lampson, 1973). Though the article focuses on the problems of information confinement, it also implies that knowledge of the state of a service and its related security policies is critical to its integrity, especially for new services that may be running unconfined by any security policy. This specific check is missing in the current SELinux framework.

SELinux is built upon, or is considered by some an extension of, the Flask security architecture. The risk of unknown configuration changes in Flask is stated: “Since policy changes may be interleaved with the execution of controlled operations, there is the risk that the system will enforce access rights according to an obsolete policy.” (Lepreau et al., 1999, p. 3). An unknown change to the policy state is a risk to system security in Flask and SELinux alike and needs to be addressed.

Seminal works that have set the stage for protection mechanisms like SELinux also call out some of the issues with their management. The importance of their integrity is best summarized by paraphrasing Biba (1977) on the three logical properties a reference monitor must satisfy: it is complete, it is protected, and it can demonstrate proper behavior. Integrity would not be achievable without the previous research; however, it is not complete without the dissertation work presented here.

Policy Analysis

One of the most common areas of SELinux research is policy analysis. The SELinux policy is known for its complexity (Jaeger, Sailer, & Zhang, 2003; Sarna-Starosta & Stoller, 2004; Sasturkar, Yang, Stoller, & Ramakrishnan, 2011), and the psychological acceptability (Saltzer & Schroeder, 1974) of SELinux motivates most policy research. Other reasons for SELinux policy analysis are to ensure the policies uphold security goals, have integrity in their current state, and can protect the system against current security threats.

The research by Jaeger et al. (2003) into integrity analysis of the SELinux type enforcement (TE) policy introduces the Gokyo tool. Gokyo is used to assist security administrators in creating SELinux policies that meet security goals. Jaeger proposes further research into the effectiveness of audits in managing security, thus supporting the dissertation research.

The exploratory research into SELinux policies by Zhai et al. (2009) performs extensive policy analysis to find policy loopholes. This research also supports the need for other tools to aid security administration. Its further-research section states: “powerful tool for SELinux policy configuration ought to be build up, which can not only provide semantic analysis and integrity analysis statically, but also provide such analysis dynamically in time.” (Zhai et al., 2009, p. 451).

Existing approaches for analyzing integrity protection of the SELinux security policy are significant to the dissertation research. The security policy is at the core of SELinux, and existing research in this area is as follows.

Work in policy analysis by Sarna-Starosta and Stoller in 2004 concentrated on empowering the end user to determine whether SELinux policies are meeting security goals. Their Policy Analysis using Logic Programming (PAL) encodes the policy as facts for XSB, a logic-programming system based on tabled resolution, so that policy questions can be posed as logic queries. The security administrator can ask questions such as: show the information flows between object X and process Y that do not pass through policy Z. The ability to verify policy settings does support administration of SELinux; however, it still requires the administrator to be sure they are asking the correct questions.

The work on policy-to-object relationships is similar to other research in SELinux policy analysis. It is still relevant to this dissertation as it sets up the security context using tuples: “security contexts as tuples [T, R, U], where T, R, and U represent a type, role, and user, respectively.” (Sarna-Starosta & Stoller, 2004, p. 7). The use of the domain attribute for process classification is applicable to the dissertation methodology.

The PAL query algorithms and the information flow graphs are a valuable reference for the dissertation research. However, the process can still be expanded to a larger view of the SELinux configuration.

Hicks, Rueda, Jaeger, and McDaniel researched integrating SELinux with a security-typed language in 2007; the work combines Jif, a security-typed extension of Java, with SELinux. The work concerns application integration with SELinux multi-level security (MLS), whereas this dissertation research concerns type enforcement analysis. The methods of policy extraction and analysis used in the research are relevant to this dissertation. In addition, the conclusion states a need for compliance between operating system and application information flow (Hicks, Rueda, Jaeger, & McDaniel, 2007). The dissertation research here moves in that direction to ensure the integrity of the SELinux configuration with respect to system services.

The research by Blanc and Lalande in 2012 implements SELinux protection in HPCC clusters, where new risks are encountered due to shared resources. In the process of implementing SELinux in HPCC, policy contexts are mapped to objects as part of a process that addresses confidentiality in the use of shared resources. Though most of the research does not directly apply to this dissertation, specifically the integration with HPCC and the analysis of SELinux logs, the policy mapping procedure is worthy of background study. Also stated as further research: “the administrator needs new tools to perform safe updates and to verify that the new policy will not introduce security issues.” (Blanc & Lalande, 2012, p. 9). This further supports the dissertation research with a new toolset to ensure the integrity of the SELinux configuration after system updates.

The 2003 research by Jaeger, Sailer and Zhang conveys the complexity of policy analysis in the SELinux type enforcement (TE) environment. To aid with the inherent complexity of SELinux, the policy analysis tool Gokyo was introduced. Gokyo is designed to identify, and enable resolution of, Biba integrity violations between the trusted computing base subjects and the rest of the SELinux example policy. The research is at the policy level; however, the processes used to map the type transition hierarchy are applicable in this dissertation research. The Gokyo tool output can be further analyzed to see whether it could be leveraged in the research here. As noted above, Jaeger et al. (2003) propose further research on the effectiveness of audits in managing security, thus supporting this dissertation research.

In 2007 LeMay, Fatemieh and Gunter developed the PolicyMorph tool to assist with policy validation and to suggest conflict resolutions. The research demonstrates its use in assisting administrators in the policy analysis process. As with previous policy analysis research, the work is at an atomic level when compared to this dissertation research. However, the mathematical descriptions of SELinux policies are good background and worthy of review. The future work section proposes developing a graphical interface to assist with access control policy design and maintenance (LeMay, Fatemieh, & Gunter, 2007). This work was part of what influenced the inclusion of visualization as a possible part of the SII framework or as future work.

The exploratory research into SELinux policies by Zhai, Ma, Tian, Yang, Liu and Yang in 2009 is designed to help security managers with security policy configurations. A design is proposed for a prototype tool to assist security managers and administrators in detecting and eliminating security loopholes. The authors comment that this approach needs refinement to scale to large and complex security policy configurations (Zhai et al., 2009). The dissertation research here narrows the amount of analysis by analyzing only the policies that apply to the currently running services. The overall design outlined by Zhai is worthy of study, especially the process used to extract policy information and to construct the access control space for subjects. Extracting and analyzing the policy Boolean values, which Zhai et al. recommend as further work, was left out of their research; analysis of the policy Booleans is planned as part of the dissertation research. The further-research section fully supports the need for additional tools, especially ones for integrity analysis of the SELinux policy configuration that provide not only static semantic analysis but also such analysis dynamically over time (Zhai et al., 2009).

The 2012 research of Anand, Saniie and Oruklu uses the Six Sigma framework in SELinux policy management. The analysis identifies areas of improvement to existing policies and new security threats. Sets of external threat data, policy data, and system service data are collected and processed within the Six Sigma framework (Anand, Saniie, & Oruklu, 2012). Six Sigma is not in the scope of this dissertation research. However, like other research discussed here, the initial process also pulls service and policy data, and this is good background for the dissertation research.

To tackle the complexity of SELinux, the 2012 work of Bai and Zhai developed a descriptive language, using C, for security policy configuration. This is a summary paper; however, its conclusion gives valuable direction on simplified measures: “For example, Boolean variables and a few special signs and macro blocks are ignored during the analysis. All these details ought to be fully considered in the future research.” (Bai & Zhai, 2012, p. 100). Policy Booleans are part of the dissertation research.

The 2011 research by Sasturkar, Yang, Stoller, and Ramakrishnan addresses problems of Role-Based Access Control (RBAC) policy analysis and delivers algorithms and complexity results for them. The results show that even the analysis of uncomplicated RBAC policy changes is computationally hard. Though this research is not specific to SELinux, it is current (2011) and references related SELinux analysis works. The work is theoretical; however, the reachability algorithms and theorems give insight into the complexity of analyzing an RBAC system. Further, it states the importance of policy management and that the analysis of security policies has long been an open problem needing additional work (Sasturkar et al., 2011). That additional work further justifies future research into SELinux analysis.

The SELinux policy is one of the most complex, and most researched, areas of SELinux. Research on policy analysis and information flow has aimed to aid administration and to ensure SELinux matches security goals. Much of the literature on SELinux policy analysis uses formal expressions that will be used in the dissertation research framework, so a study of their use in policy analysis models is important to the research in this dissertation. Though most research processes system subjects and objects into different forms of mappings, the view is still too atomic, and a larger view of the SELinux configuration is still needed. These valuable works will be an important base on which to build the dissertation research.

Security Metrics

The call for further research into security metrics is acknowledged by the Department of Homeland Security: “What is the marginal change in our security (for better or for worse), given the use of a new tool or practice?” (Department of Homeland Security, 2009, p. 13). To measure any change in security posture, we must be able to establish a baseline to measure against. In addition, the National Security Agency also recognizes the need for SELinux improvements with enhanced tools and infrastructure (SELinux Future Work, 2009). This dissertation research follows the maxim that you cannot manage what you do not measure; SELinux needs tools and measures to help manage it.

Presented in “Verifying information flow goals in Security-Enhanced Linux” by Guttman, Herzog, Ramsdell, and Skorupka (2005) is a framework for verifying information flow goals. The goal is to provide a systematic way to ensure SELinux meets security goals. Analysis of SELinux policies is completed with a tuple of type, role, and user, and the relationships between the different tuples are analyzed to verify that access controls are aligned with security goals. The algorithmic model analyzes the system configuration and ensures it meets security goals; however, no formal visualization is presented in this work. The work is with policy analysis and security goals, which is not in the realm of this dissertation research. However, a derivative of the framework presented by Guttman et al. is a worthy basis to build upon or to study as background on policy analysis.

The research by Smari, Spalazzi and Zemali concerns security in the high-performance computing (HPC) field. The paper discusses the use of SELinux in run-time security monitoring, as an executable reference monitor, to block the execution of code that is not in line with security policies. The work is not parallel to the dissertation research; however, an important concept is stated: “Configuration flaws: at installation time/run time, system installation and configuration do not satisfy specifications (e.g., many software are installed with a standard configuration, simple for the user, but not secure).” (Smari, Spalazzi, & Zemali, 2013, p. 2). This further supports the need for configuration monitoring of SELinux. Not knowing the configuration of the reference monitor is a problem for security integrity.

An increasing need to identify and monitor software on remote systems is researched in “Design and implementation of a TCG-based integrity measurement architecture” by Sailer, Zhang, Jaeger, and Van Doorn (2004). The research extends Trusted Computing Group (TCG) measurement from the BIOS up to the dynamically loaded executable content of the application layer. The work was specifically aimed at letting an external system verify these measurements in a grid-computing environment.

Though the measurement is outside the scope of SELinux, the research integrates the integrity architecture on top of SELinux. Section 2.1 treats integrity as a binary property that depends on the verifier's view of whether a program's protection is adequate (Sailer et al., 2004, p. 3). The “verifier’s view” is an important part of this statement, as there is no complete view of the SELinux configuration to allow for such verification. Along with that point: “An Integrity Validation Mechanism, validating that the measurement list is complete, non-tampered, and fresh as well as validating that all individual measurement entries of runtime components describe trustworthy code or configuration files.” (Sailer et al., 2004, p. 7). This general statement of integrity further supports the need for a framework that allows this validation of SELinux.

Adaptive Access Policy for the Linux Kernel, by Horie, Harada, and Tanaka (2012), presents thoughts and a possible architecture for using SELinux monitoring and logging as an intrusion detection system (IDS). Their methods of building a reference database used as a kernel-level IDS bear further research for possible use in the dissertation research framework. The data structure of the proposed “strict” statement may be leveraged in policy analysis measurements in this dissertation's research:

strict <subject> <object>:<class> <permissions> ;

Ex) strict ftpd_t shell_exec_t:file { execute } ;

... defines detection of shell execution by ftpd. (Horie et al., 2012, p. 84)

The conclusion calls for further work to accept alerts from other security tools, and the framework in the research here is one such tool. The research adds an important note: the ability to integrate with other security tools is beneficial and should be considered in the research here.
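The following Python snippet is an added example, not code from Horie et al. or from the dissertation: it reads strict statements in the syntax quoted above, parses AVC records in the layout the Linux audit subsystem writes to /var/log/audit/audit.log, and reports a hit when the subject type, object type, class and at least one permission coincide. The three audit lines are constructed for the example. The matcher accepts both denied and granted records and keeps the permissive flag, because a denial logged with permissive=1 means the access actually took place.

```python
"""Matching Horie-style "strict" detection statements against SELinux AVC
audit records.

Added example, not from Horie et al. or the dissertation.  The "strict"
syntax is taken from the quoted paper; the parser, matcher and the three
sample audit lines are constructed here.  The audit lines follow the
field layout the kernel writes to /var/log/audit/audit.log.
"""
import re

STRICT_RULES = [
    "strict ftpd_t shell_exec_t:file { execute } ;",
    "strict httpd_t shadow_t:file { read write } ;",
]

# Constructed audit records: one matching access (in permissive mode, so it
# really happened), one with the right types but a different permission,
# and one unrelated granted access.
AUDIT_LINES = [
    'type=AVC msg=audit(1433001600.101:201): avc:  denied  { execute } for  pid=1301 comm="vsftpd" '
    'path="/usr/bin/bash" dev="dm-0" ino=4211 scontext=system_u:system_r:ftpd_t:s0 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1433001600.102:202): avc:  denied  { getattr } for  pid=1301 comm="vsftpd" '
    'path="/usr/bin/bash" dev="dm-0" ino=4211 scontext=system_u:system_r:ftpd_t:s0 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1433001600.103:203): avc:  granted  { read } for  pid=2210 comm="httpd" '
    'path="/var/www/html/index.html" dev="dm-0" ino=9900 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
]

STRICT_RE = re.compile(
    r"^\s*strict\s+(?P<subj>\S+)\s+(?P<obj>\S+):(?P<cls>\S+)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s*;?\s*$"
)
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_strict(text):
    """'strict <subject> <object>:<class> { perms } ;' -> dict."""
    m = STRICT_RE.match(text)
    if not m:
        raise ValueError("not a strict statement: " + text)
    return {"subject": m["subj"], "object": m["obj"], "class": m["cls"],
            "perms": frozenset(m["perms"].split())}


def context_type(ctx):
    """user:role:type[:range] -> type, the third field of a security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Extract result, permissions, source/target types and class from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"result": m["result"], "perms": frozenset(m["perms"].split()),
            "stype": context_type(m["scontext"]), "ttype": context_type(m["tcontext"]),
            "tclass": m["tclass"],
            "permissive": "permissive=1" in line}


def matches(rule, avc):
    """A record hits a rule when subject/object types and class agree and a permission is shared."""
    return (rule["subject"] == avc["stype"] and rule["object"] == avc["ttype"]
            and rule["class"] == avc["tclass"] and bool(rule["perms"] & avc["perms"]))


def detect(rule_texts, lines):
    """Return (rule, record) pairs for every audit record that hits a strict rule."""
    rules = [parse_strict(r) for r in rule_texts]
    hits = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        for rule in rules:
            if matches(rule, avc):
                hits.append((rule, avc))
    return hits


if __name__ == "__main__":
    for rule, avc in detect(STRICT_RULES, AUDIT_LINES):
        print(f"ALERT {rule['subject']} -> {rule['object']}:{rule['class']} "
              f"{sorted(avc['perms'])} result={avc['result']} permissive={avc['permissive']}")
```

One caveat for deployment: an access that the loaded policy allows generates no AVC record unless an `auditallow` rule covers it, and a `dontaudit` rule suppresses even denials. A strict rule for an operation the policy permits therefore needs a matching `auditallow ftpd_t shell_exec_t:file execute;` in a policy module before this matcher can see the event.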

SELinux is mentioned in the work by Cirstea, Moreau, and de Oliveira (2009), which proposes a methodology that merges declarative and imperative methods to detect violations in information flow. The work reviews the Bell-LaPadula (BLP) and McLean models, and those reviews are a good resource for reference and background. The data structures in section 4.1 may be of value, either as a reference or in a derivative form, for the dissertation research; specifically, the subject, resource, and access models may be leveraged in some fashion.

BIFI: Architectural Support for Information Flow Integrity Measurement, by H. Hu and Feng (2008), researches modifications to SELinux for the Biba-invoke based Information Flow Integrity (BIFI) framework. The architecture changes to SELinux are beyond the research here. However, sections of the paper cover information flow concepts that may be useful in some form. An example is the definition by H. Hu and Feng of information flow, which describes how data moves among system subjects (H. Hu & Feng, 2008). Information flows from subject s1 to subject s2 (s1, s2 ∈ S) if s2 reads an object (o ∈ O) that s1 can modify:

∀ s1, s2 ∈ S, o ∈ O: flow(s1, s2) := modify(s1, o) ∧ observe(s2, o)

An adaptation of this logic may be useful in the methodology of this dissertation research. Though information flow analysis is not exactly what is needed here, the logical relationships between subjects and objects may be leveraged. Specifically useful is the reasoning about the relation of subject to object via policy, taking into account the policy state and the security contexts of subject and object.
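The flow relation above, and the PAL-style question from Sarna-Starosta and Stoller discussed earlier (show the flows between X and Y that do not pass through Z), can both be answered from type enforcement allow rules. The Python below is an added example and not code from H. Hu and Feng, Sarna-Starosta and Stoller, or the dissertation: it parses a small constructed set of allow rules, treats a subject as modifying an object type if it holds a write-like permission on it and as observing it if it holds a read-like permission (a simplification; real analyzers such as apol classify permissions per object class), builds flow(s1, s2) exactly as the definition states, and searches for a flow path that avoids a given domain.

```python
"""Information-flow relation between SELinux domains derived from type
enforcement allow rules, following flow(s1, s2) := modify(s1, o) ∧ observe(s2, o).

Added example, not from H. Hu & Feng, Sarna-Starosta & Stoller, or the
dissertation.  The five allow rules are constructed, and the split of
permissions into "modify" and "observe" sets is a simplification (real
analyzers such as apol carry a per-class permission map).
"""
import re
from collections import deque

SAMPLE_POLICY = """
allow untrusted_t tmp_t:file { write create };
allow backup_t tmp_t:file { read getattr };
allow backup_t archive_t:file write;
allow admin_t archive_t:file { read };
allow admin_t shadow_t:file read;
"""

# Simplified permission classes (assumption): which file permissions let a
# subject change an object and which let it learn the object's contents.
MODIFY_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}
OBSERVE_PERMS = {"read", "getattr", "execute"}

ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<set>[^}]*?)\s*\}|(?P<one>\S+?))\s*;\s*$"
)


def parse_allow_rules(text):
    """Each 'allow src tgt:cls perms;' line -> (src, tgt, cls, frozenset(perms))."""
    rules = []
    for line in text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            perms = m["set"].split() if m["set"] is not None else [m["one"]]
            rules.append((m["src"], m["tgt"], m["cls"], frozenset(perms)))
    return rules


def flows(rules):
    """Set of (s1, s2) such that some object type o is modified by s1 and observed by s2."""
    modifiers, observers = {}, {}
    for src, tgt, _cls, perms in rules:
        if perms & MODIFY_PERMS:
            modifiers.setdefault(tgt, set()).add(src)
        if perms & OBSERVE_PERMS:
            observers.setdefault(tgt, set()).add(src)
    result = set()
    for obj, writers in modifiers.items():
        for s1 in writers:
            for s2 in observers.get(obj, ()):
                if s1 != s2:
                    result.add((s1, s2))
    return result


def flow_path(flow_set, src, dst, avoid=frozenset()):
    """Shortest chain of domains from src to dst over the flow relation that
    never enters a domain in `avoid` (the "does not pass through Z" query);
    None when no such chain exists."""
    adjacency = {}
    for a, b in flow_set:
        adjacency.setdefault(a, set()).add(b)
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(adjacency.get(path[-1], ())):
            if nxt in seen or nxt in avoid:
                continue
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    f = flows(parse_allow_rules(SAMPLE_POLICY))
    print("flows:", sorted(f))
    print("untrusted_t -> admin_t:", flow_path(f, "untrusted_t", "admin_t"))
    print("... avoiding backup_t:", flow_path(f, "untrusted_t", "admin_t", {"backup_t"}))
```

With the sample rules, untrusted_t reaches admin_t only through backup_t (via tmp_t and then archive_t), so the query that excludes backup_t returns no path. The same relation, recomputed after every policy load, is one concrete measure of whether a policy change opened a new path into a sensitive domain.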

Sankalp Singh’s 2012 doctoral dissertation at the University of Illinois at Urbana-Champaign proposes a framework for performing security analysis by automatically obtaining snapshots of access control policies and checking them for compliance with a specification of the global access policy. The research uses a compliance checking algorithm and focuses on firewalls. It also offers an interesting use of visualization in the host-layer rule graph that is close to the dissertation research; however, Singh's work uses model checking and focuses on network and firewall policies. The dissertation supports the problem of administration and misconfiguration: “However, it has been shown in empirical studies that misconfiguration of access control enforcement points is common.” (Singh, 2012, p. 3).

The future work section proposes the design and implementation of algorithms that perform compliance checking when the configuration changes (Singh, 2012). The SII research here is directly in this area.

The importance of power grid security drives the research into auditing, account management, risk assessment and configuration management with a proposed Cyber-Physical Topology Language (CPTL) (Weaver, Cheh, Rogers, Sanders, & Gammel, 2013). As more computational devices are used in the nation's power grid, the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) audits have become more complex and labor intensive. Though CPTL operates at a much larger level of analysis and visualization, its configuration management aspect is in line with the direction of this dissertation research, SELinux configuration management.

The definitions of the graph attributes are worth study and, though not about SELinux, may be useful background on methods of visualization with the node-leaf algorithm. The reference to GraphML (http://graphml.graphdrawing.org/index.html) was noted as a possible implementation language for future work in this area. The importance of audits and configuration management also echoes the importance of the research proposed in this dissertation, as configuration management is essential to understanding the current configuration. Instrumentation of SELinux is needed to help with its configuration management and auditing.

Security metrics is an area of current research that is indirectly valuable to the dissertation research here. Even though security metrics is still a young research area, it can yield many benefits. One common thread that echoes through the research is the need for these metrics, and for new tools, in maintaining the integrity of the security infrastructure.

Measuring SELinux

Specific measures taken of, and with, SELinux are an important area to review. Dissecting the complex body of SELinux yields an understanding of how it works and how it can be monitored for integrity in this dissertation research.

Applying model checking to SELinux policies is part of the doctoral dissertation “Constraint-based analysis of security properties” by Sarna-Starosta (2005). As well as supporting statements on the issues with managing SELinux due to its complexity, Sarna-Starosta applies specific measures using the policy analysis language (PAL) to see whether the policy meets the security goals. The work does seem to miss the policy state as part of the analysis. Still, examination of PAL and the Sarna-Starosta algorithms is essential for the research here. Page 56 of the dissertation has a great example of an SELinux policy that is useful for reference.

The 2011 dissertation "Methods for specifying and resolving security policy compliance problems" by Rueda Rodriguez echoes the need for tools that assist administrators in configuring and deploying distributed MAC systems to mitigate security vulnerabilities (Rueda Rodriguez, 2011). That dissertation introduces a framework called Program Integrity Dominates System Integrity (PIDSI). PIDSI builds a snapshot, using logrotate, of a tamperproof policy, and it uses visualization for the information flow. The policy analysis and graphs are in the realm of the dissertation research here. However, PIDSI does not look at the policy state and a few other aspects where the research here plans to do analysis and monitoring. Still, aspects of the PIDSI work are useful to build upon or to use as a reference. In the process of building the tamperproof policy in PIDSI, an analysis is completed on parts of the underlying configuration. Further review of this may yield artifacts that can be built upon; for example, Table 4.2 may be leveraged as a hash table in the methodology here.

Research into information flow with multi-level security (MLS) policies is the core of the work by Hicks, Rueda, Clair, Jaeger, and McDaniel (2010). MLS adds control of information flow by adding confidentiality levels (e.g. secret, company confidential) to SELinux. The dissertation research here uses SELinux in the default Type Enforcement (TE) mode and not MLS mode. However, their definition of information flow offers a generic framework that is valuable for non-MLS analysis:

A policy consists of a set of security levels arranged in a lattice with partial order ⊑ and a set of statements determining each subject's read/write permissions for a given object based on the security levels of the subject and object (and possibly also on other factors such as the class of the object). (Hicks et al., 2010, p. 7)

As with other SELinux works, the methods of configuration analysis are a good background for the research done here.
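The quoted definition can be instantiated directly. The following is an added example written for this review, not code from Hicks et al. or from the dissertation. It assumes SELinux MLS/MCS labels (a sensitivity sN plus a set of categories cM, single levels only, not low-high ranges) as the lattice elements, which is one instantiation of the quoted definition, and the Bell-LaPadula rules (a read requires the subject's level to dominate the object's, a write requires the object's level to dominate the subject's) as the read/write statements. SELinux's own mlsconstrain rules are richer than this; the point is that the partial order alone already decides every flow.

```python
# Added example for this review, not code from Hicks et al. or the dissertation.
# Lattice elements are SELinux MLS/MCS levels (sensitivity + category set); the
# read/write statements are the Bell-LaPadula rules. Both are assumptions.
from dataclasses import dataclass, field
from typing import FrozenSet

@dataclass(frozen=True)
class Level:
    """One security level: sensitivity sN and a set of categories cM."""
    sensitivity: int
    categories: FrozenSet[int] = field(default_factory=frozenset)

    def dominates(self, other: "Level") -> bool:
        """The partial order: self >= other in sensitivity and a superset of categories."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)

def parse_level(text: str) -> Level:
    """Parse a single level field: 's0', 's2:c0,c3' or a category range like 's1:c0.c4'."""
    sens, _, cats = text.partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")
        lo_n = int(lo.lstrip("c"))
        hi_n = int(hi.lstrip("c")) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return Level(int(sens.lstrip("s")), frozenset(categories))

def may_read(subject: Level, obj: Level) -> bool:
    """No read up: the subject's level must dominate the object's."""
    return subject.dominates(obj)

def may_write(subject: Level, obj: Level) -> bool:
    """No write down: the object's level must dominate the subject's."""
    return obj.dominates(subject)

def flows(src: Level, dst: Level) -> bool:
    """Information may flow from src to dst only along the lattice order (dst dominates src)."""
    return dst.dominates(src)

def check_access(subject_ctx: str, object_ctx: str, perm: str) -> bool:
    """Decide a read or write from the level fields of two full contexts, e.g.
    'staff_u:staff_r:staff_t:s1:c0' against 'system_u:object_r:etc_t:s0'."""
    subj = parse_level(subject_ctx.split(":", 3)[3])
    obj = parse_level(object_ctx.split(":", 3)[3])
    return may_read(subj, obj) if perm == "read" else may_write(subj, obj)
```

Two levels with the same sensitivity but disjoint category sets are incomparable, so flows() is false in both directions between them; that is the property a TE-only analysis has to reconstruct from allow rules instead of reading it off a label.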

SELinux in a cluster environment is studied in "Work in Progress: RASS Framework for a Cluster-Aware SELinux" (Darivemula, Leangsuksun, Tikotekar, & Pourzandi, 2006). The research covers Reliability, Availability, Serviceability and Security (RASS) for cluster-wide security with a distributed security policy. The work on distributing security policies to all systems in a cluster maps type enforcement (TE) rules to policies. This mapping bears further study, as a similar process can be leveraged in the research proposed here.

The research here combats the SELinux policy issues that are apparent from policy expansion by the m4 macro processor. The m4 macro processor is used to circumvent issues that arise from the sheer complexity and size of the SELinux example policy (version 1.26 of the monolithic example policy specifies 2,024 types, 66,676 access vector rules, and 2,095 type transitions) by adding an abstraction layer. Policy analysis is one of the larger areas of SELinux research; the main reason is to ensure that an SELinux policy supports an institution's security goals.

SENG is an experimental method for policy analysis that builds upon the existing language and offers an abstraction layer that simplifies the policy analysis process. The SENG language uses class sets and permission sets to hide the details that the m4 processor would otherwise expand.

Where SENG is intended for policy analysis and creation, the approach SENG uses may be mirrored, in some parts, at the level of this dissertation research. The use of class sets is close to the proposed method of creating tuples of service-to-object configurations (and of creating a hash table to allow for verification and monitoring). It is a short paper, possibly because it was a symposium submission; however, it ends up being a good reference, and some of its methods can be investigated for use in the research framework.

Model-based safety analysis of SELinux security policies (Amthor, Kuhnhauser, et al., 2011) focuses on the analysis of the operating system's access control policies. The research captures each state of a Harrison, Ruzzo, Ullman (HRU) model. An HRU state is a snapshot of the system's access control matrix (ACM), and transitions are triggered by application-specific operations that modify the model's subject set, object set or cells of the ACM. An HRU model defines a protection system consisting of a set of generic rights R and a set of commands C. A formalized security policy of an SELinux "allow" policy is described with a 14-tuple defined as follows:

(E,C,U,RO,T,P,ur,am,r_def,r_trans,cf,uf,rf,tf)

The details of the "allow" policy tuple and its monitoring set an important basis for the dissertation research here. A similar methodology with different variables may be employed in the dissertation research.

Information flow in operating systems: Eager formal methods (Herzog, Ramsdell, & Guttman, 2003) develops an abstract model of the SELinux access control mechanism. It also analyzes the system configuration and labels transitions representing possible information flows. The proposed temporal logic for stating security goals is very good; however, it is not the visualization envisioned in this dissertation. The description of model checking to determine whether goals are enforced by a particular SELinux configuration is helpful. The framework of the security context tuple, consisting of three components (type, role, and user), is a good reference. The work is an excellent background for the research in this dissertation.

Comparing current vulnerabilities against the access control mechanisms (ACMs) of SELinux, AppArmor and Windows 7 DAC is the basis of the research in "Quantitatively Measure Access Control Mechanisms across Different Operating Systems" (Cheng, Zhang, & Han, 2013). Using a framework called ACVAL, a quality of protection (QoP) is derived from analysis of the system's ACM. Attack patterns are inferred, and a vulnerability coefficient allows the analysis to be cross-platform.

Though the vulnerability assessment is not in line with the dissertation research here, the initial part of the ACVAL framework is a collection mechanism called "Fact Collector" that "collects the information about system state related to access control and security policies, such as uid/gid, files and running processes, and encodes them as Prolog facts" (Cheng et al., 2013, p. 54). A closer analysis of the fact collector showed that it used less than 100 lines of bash scripts to collect information (Cheng et al., 2013). SII may likewise leverage calls to simple bash scripts in data collection.

The research raises the question of how and when to use built-in commands for SELinux analysis in the implementation of the dissertation research. Output from commands like semanage offers easy access to configuration state data. However, relying on commands whose output format could be changed or that could be deprecated is a risk; where the same data is exposed by the kernel itself (the selinuxfs mount, normally at /sys/fs/selinux, for enforcement mode and boolean state, and the per-process attr files under /proc for process contexts), reading those interfaces is the more stable choice. The ACVAL bash scripts, not included in the paper, are worth further investigation. The description of the "Fact Collector" and the use of the checkpolicy command for data collection in the quantitative measurement of access control mechanisms (Cheng et al., 2014) suggest commands that may find use in the dissertation's data collection process.

The 2011 doctoral dissertation by Thomas explores how Mandatory Access Control (MAC) mechanisms can be made available to regular users of the operating system by extending SELinux enforcement. The goal is to close the gap between discretionary access control (DAC) and mandatory access control (MAC) systems. The dissertation by Thomas takes an approach similar to the process in this dissertation: a hypothesis proven with a prototype framework built upon SELinux.

Part of the background also states the need for SELinux integrity: "Third, the reference validation mechanism must be an assured piece of software; in Anderson's words, it must be small enough to be subject to analysis and tests, the completeness of which can be assured." (Thomas, 2011, p. 19)

An analysis of the relationships of the SELinux context, the meta-variables used and the definitions for the prototype, specifically definition 3.1.4 on the "Type" object, is considered. The type groups objects by resource type, while the domain groups processes by security domain (Thomas, 2011). Grouping by SELinux domain is valuable background for the research done in this dissertation. Type/domain may be the binding value used to build the service-to-policy-to-object relationships.

Host-based system hardening comprises the development of security policies. The research presented in this article demonstrates the Vulnerability Surface Analyzer (VulSAN). VulSAN allows security policy validation against possible attack paths. Though the purpose of VulSAN, vulnerability analysis, is not directly within this research topic, the policy analysis part of the tool is worthy of review for algorithms that may be leveraged in this research.

Not only is the quality of protection critical; there is also a need to understand and compare the quality of protection (QoP) offered by different systems (H. Chen, Li, & Mao, 2009). Chen observed differences that call for collecting configuration data from all systems: policies in different distributions offer different levels of protection even when they use the same protection mechanisms (Chen, 2009). This work supports the dissertation research on SELinux configuration monitoring and possible visualization. Not only is it important to know the configuration of a single system, to ensure it is protecting the expected services and to alert on changes; knowing that all systems running SELinux are configured to an expected baseline is critical, especially in a heterogeneous environment.

Using software active monitoring (SAM) to predict future system behavior against security goals is the main focus of the 2011 work by Zhao, C., Dong, W., Leucker, M. and Qi, Z., "Security Goals Assurance Based on Software Active Monitoring." The research supports the common thread on the power and complexity of SELinux. The complexity makes the verification process difficult: "It is extremely difficult to verify the consistency between the security policies and the security goals desired by applications." (Zhao et al., 2011, p. 70). The dissertation research concerns the integrity (consistency) of the SELinux configuration, and the two parallel each other in many aspects.

Methods for monitoring information flow within SELinux are a valuable reference for the dissertation research. There is a similarity between the goals of that work, "Protecting these resources entails ensuring that information flowing from one place to another must traverse specific points along its path" (Zhao et al., 2011, p. 74), and the dissertation's proposed research on the paths between services, policies and objects. The simulation path alludes to the visual modeling planned in this dissertation research with semantic substrates and dendrograms.

The N-step-ahead projection is an interesting model for predicting system behavior in the context of the security policy. Linear temporal logic (LTL), whose models are infinite sequences of states in which every point in the timeline has a unique successor, is worth review. Using LTL, a description is given of the applications and objects used, and an N-step projection is used to predict the future behavior of the model.

The use of LTL with predicate sets (observed and controlled) is an interesting way to cluster the process steps so that an information flow can be written in a visual form (Zhao et al., 2011). Further, the state diagram visualization is described thus: "We can view an information flow graph as an assertion about all sequences of state transitions leading from a state in σ0 to a state in σn which must encounter the σi in the given order" (Zhao et al., 2011, p. 74). This work is comparable to the proposed research with visualization of service to policy to object. Even though Zhao's work is policy-centric, as most works have been, it gives a unique view of a measure of SELinux that is valuable to the dissertation research.

Much of the existing work on SELinux metrics is of value; however, most of it formally verifies the correctness of SELinux policies or compares the configuration to security goals or possible attack scenarios. Parts of the processes used in the collection and analysis of the SELinux configuration are valuable for this dissertation research. However, a larger framework with a larger view of the SELinux configuration is still needed. This missing view of SELinux is researched in this dissertation with the SII framework.

Security Visualization

If a picture is worth a thousand words, then it must be worth several thousand log lines. The field of security visualization offers several aspects that can be employed for effective visualization of the SELinux configuration. Not the whole field of security visualization is reviewed here; only research focused on visualization of SELinux is. Two specific works that focus on SELinux, (Marouf & Shehab, 2011) with SEGrapher and (Clemente, Kaba, & Rouzaud-Cornabas, 2012) with SPTrack, employ visualization of parts of SELinux and lend themselves to the dissertation research. As with the previous areas reviewed in this chapter, the foundation of the research here is important; however, it is still missing a new analysis of SELinux that is needed today.

The SEGrapher work by Marouf and Shehab (2011) is very relevant to the future research of this dissertation. The SEGrapher tool generates cluster analysis and graphs policy relationships. The result is a visual aid to be used by the security or system administrator. The policy relationship analysis is valuable for security management, as issues arise with policy interactions (such as overlapping or matching rules) that cause unintended information flows. SEGrapher is a Java application that runs in a graphical user interface (GUI). The problem with requiring a GUI is that most enterprise systems run without a GUI enabled. The direction of the SEGrapher work is influential in showing that visual aids for administration are a needed area of research. Its algorithms for policy analysis and clustering are worthy of further analysis, as is the graphing process used in SEGrapher. The future work it references also lends direction to this research with a further focus on additional methods of visualization (Marouf & Shehab, 2011). One influence of SEGrapher on this dissertation research is that any visualization and analysis can be done off the system. An example is a central security workstation, with a GUI, that interrogates external servers for status; the analysis and display can then be done on the workstation. A text logging function can also be on or off the servers to allow for automated alerting of configuration changes.

SPTrack (Clemente et al., 2012) also offers a graphical display of information flow with regard to the SELinux policy. Visual graphing of actual attacks collected from a honeypot system is presented, and the live attack data is used in testing. Although the focus of SPTrack is not in the realm of the research here, the tool presents a visualization of information flows between SELinux policies; this aspect of SPTrack is worthy of review for its methodology.

The quote by Xu, Shehab, and Ahn on the importance of visualization supports the need to see the SELinux configuration (Xu, Shehab, & Ahn, 2008, p. 1): "Information visualization [8] enables users to explore, analyze, reason, and explain abstract information by taking advantage of their visual cognition." Xu et al. explore a visualization-based policy analysis framework for SELinux using semantic substrates (Xu et al., 2008, p. 169).

This is a possibility for future research, and though it may not be directly applied here, the outstanding work done by Xu, Shehab and Ahn will be a big influence. The dissertation research takes a different view of SELinux, with visualization of configuration and state monitoring, yet it will supplement tools like the one presented there.

The Ph.D. dissertation by H. Chen (2009) introduces the Vulnerability Surface ANalyzer (VulSAN) tool and the Windows Access Control Configuration Analyzer (WACCA) tool for analysis of security policies under specific attack scenarios. The research in this dissertation parallels the doctoral work by Chen in many aspects. However, the VulSAN tool takes the direction of analyzing threats to the policy configuration. Aspects of the research are valuable to this dissertation, specifically the parsing of the SELinux policy configuration and its analysis. For example, the use of the Lampson access matrix to represent processes (as rows) and objects (as columns) may be built upon in the work here.

Chen also states the issues of complexity in the configuration of access control mechanisms and its hindrance to security administration. This complexity leads to misconfigurations with serious security consequences. The tools covered in Chen's dissertation are intended to allow the everyday system administrator to understand their security policy configurations. However, a gap still exists; Chen observes an assumption of the assurance of access control systems (H. Chen, 2009). Chen further comments on the need for work in this area (H. Chen, 2009):

In general, software assurance is another open and challenging problem. Particularly in access control, some systems employ the approach called reference monitor [35] to improve assurance; a reference monitor is a module in the system that is responsible to control all accesses in the system. (p. 20)

The work in this dissertation goes on to address this need for an assurance framework that aids the everyday system administrator in combating the complexities of SELinux.

Systematic Policy Analysis for High-assurance Services in SELinux (Ahn, Xu, & Zhang, 2008) presents a formal SELinux policy analysis framework. The framework looks at parts both inside and outside the trusted computing base (TCB). A rule set is established and used to detect possible policy violations. The methods for policy analysis offer a logical view of the information flow relations between subjects and objects.

The logic behind the information flow relationships and the use of Colored Petri Nets for graphing are worthy of further examination for visualization research.

Further work is proposed: "Developing a fully automatic and dynamic approach for policy analysis remains as our future work since manual analysis is still needed to identify real violations after the CPN-based analysis in our method." (Ahn et al., 2008, p. 10). This proposed work points out the need for an automated solution to aid with SELinux administration. It influences this dissertation research to ensure that SII can be used in an automated fashion.

Security reference monitor policies are difficult to administer due to their complexity. Pan, L., Liu, N., and Zi, X. (2013), in "Visualization framework for inter-domain access control policy integration," present a visualization tool and process, called the Policy Visualization Framework (PVF), which visualizes reference monitor policies with the goal of aiding administrators. A role-mapping algorithm is used to bucket the RBAC policy into the domains of user, role, and permission.

The semantic substrate used in this paper maps the user, role and permission results from the algorithm used in the role-mapping step of the PVF process. The three groups are spatially arranged in the semantic substrate (top down), and the relationships between them are indicated with red, green and blue lines that correlate with the role assignments. The mappings are also clustered, within each horizontal region (user, role, permission), into vertical domains.

After review, the semantic substrate is found to be a great tool for visualizing relationships in a spatial, hierarchical view. The research by Pan, Liu and Zi is valuable for further study of the role-mapping algorithm.

The work also states the need for security administration tools: "... currently it is still lack of useful visualization management tools for the average administrator." (Pan, Liu, & Zi, 2013, p. 74). The call for future work also supports this dissertation's problem statement. The research by Pan et al. on role mapping and on the use of semantic substrates for policy visualization offers direction for future SII research.

The security visualization reference by Herman, Melançon, and Marshall offers guidelines that help with the dissertation research, starting with (Herman, Melançon, & Marshall, 2000, p. 1), "Is there an inherent relation among the data elements to be visualized?" That question helps ensure that the visualization methodology in the future research here is in the proper direction. In summary, the answer is yes: the inherent relationships between services, policies and objects can be accurately mapped and visualized. The section on node metrics for clustering may also offer further guidance.

The output in the work by Fang, Miller, and Kupsch (2012), using Graphviz and SVG, has concepts that can be leveraged, such as the use of XML to allow flexibility of output and the use of an open source visualization tool such as Graphviz. The diagram construction process and the samples generated by SecSTAR offer a vision for visualization of a complex system.

Y. Li, Carr, Mayo, Shene, and Wang (2012) describe DTEvisual, a system that leverages Domain Type Enforcement (DTE) visualization for education. The focus of DTEvisual is system and security administration education; the tool is useful for classroom presentations, homework assignments, and self-study. The paper supports the claim of SELinux complexity: "These modern systems are very complex. A strict access control policy can contain tens of thousands of rules." (Y. Li, Carr, Mayo, Shene, & Wang, 2012, p. 1). The use of ellipses and rectangles gives a good sample of visualization, and the implementation in Python and Qt is a good example of development. The work also shows the potential benefits of this dissertation research for education.

The short article by Nimbalkar, Patel, and Meshram (2013) does a good job of summarizing the history and components of SELinux. The review lays a good path for ways to summarize the complexity of the system. It also goes further, stating the effects of SELinux complexity, and gives a good quote: "The difficulty of configuration has maybe been the reason why most people have not taken SELinux in use" (Nimbalkar, Patel, & Meshram, 2013, p. 11).

The complexity of SELinux poses many issues, and one is adoption. Though there are no plans to take any adoption measures or surveys directly, the design of an algorithmic framework, in this research, to audit and administer SELinux does partially address the issue raised in the article.

The 2014 research by Qian, Z., and Chen, Y., titled "Fluency of visualizations: linking spatiotemporal visualizations to improve cybersecurity visual analytics," is directed toward spatiotemporal data generated for security analysis. Even though the article demonstrates a proposed visual analytics system, Semantic Prism, with two use cases, its preliminary investigation of visualization gives good guidance for the dissertation research: any visualization should help the administrator gain situational awareness through identification of a system's components, with visualizations of when, where, and what for cybersecurity situational awareness (Qian & Chen, 2014). These guidelines are helpful when creating algorithms for finding relationships in SELinux configuration components in future work.

Visualization will enable the SELinux administrator to identify new patterns and recognize current and new relationships within the configuration. The visualization of the SELinux configuration using semantic substrates is a component of the dissertation research framework, with the same goal stated in (Aris & Shneiderman, 2007):

Successful network visualization tools enable domain experts to carry out key tasks such as recognizing clusters, identifying interesting nodes, discovering patterns of links, and detecting unusual relationships. (p. 1)

Aris and Shneiderman's 2007 paper is based on the use of the Network Visualization by Semantic Substrates (NVSS) application. Though the NVSS tool is not available for use in this dissertation's research (the NVSS authors did not want to share NVSS outside of their organization), the article is a useful reference for semantic substrate development. The five design guidelines on pages 16 and 17 will be a valuable reference for the algorithm designs in the dissertation research.

Much of the current visualization work offers methods that can be leveraged in this dissertation's algorithm development. Visualization is a critical component to aid in administration and education of the SELinux configuration. Even though a text log is needed to allow for automated alerting on configuration changes, the visual component makes for easy identification of changes. Visualization is important because it enables users to explore, analyze, reason and explain abstract information by taking advantage of their visual cognition (Xu et al., 2008).

Summary of Literature Review

A key aspect of information security is integrity. Integrity means that security assets, such as SELinux, can have their configuration verified and that unknown modifications can be alerted on. Seminal works have set the basis for integrity monitoring of a trusted computing base. There has been successful research in policy analysis and in leveraging SELinux to measure possible security issues. Also, many of these works make statements concerning SELinux complexity. The complexity causes low adoption of SELinux and issues with its configuration. There is a need for security and system administrators to understand the SELinux configuration and monitor it for change.

The current research supports the issue stated in this dissertation: unknown configuration changes to SELinux are a risk to system security. Even with the excellent current research on SELinux policies there remains a gap, and the proposition, that the new SELinux Integrity Instrumentation (SII) can prove compliance with security policies through detection of change, is valid. Quantitative results from algorithms that can be used to detect configuration change in SELinux will help fill the research gap.

The importance of usability has been stated in the seminal works with the design principle of psychological acceptability (Saltzer & Schroeder, 1974) and demonstrated in the 2011 work by Schreuders, McGill, and Payne in the results of their usability study of SELinux: "usability has long been acknowledged as an important aspect in the design of security systems." (Schreuders, McGill, & Payne, 2011, p. 2). Specifically, the observation "Some participants forgot to manually set the policy to be enforced, meaning that these policies were not enforced" (Schreuders, McGill, & Payne, 2011, p. 18) shows the need for a visualization of the security system configuration. Policy analysis is critical; however, the SELinux body of knowledge has a gap for a larger-scale view of the configuration. The study here confirms that gap, and the proposed dissertation research adds to that particular area.

The conclusions of Loscocco and Smalley further support the need for tools to aid administration: "Complexity can be further managed through policy specification language enhancements and the development of policy specification and analysis tools." (Loscocco & Smalley, 2001, p. 10). Previous works have helped here. However, a different view of SELinux is needed for administration and monitoring; the dissertation research supports this effort.

CHAPTER THREE

Algorithmic analysis of specific parts of the Linux system and of SELinux allows for configuration validation. In this section, a formal framework for evaluating the SELinux configuration is described.

Research Tradition(s)

Most SELinux research has been an effort to manage its underlying complexity. The seminal works on security reference monitors point out the need to maintain their integrity. Algorithms will be employed in the SELinux research as an aid to understanding the SELinux policy and the protection it provides as compared to security goals. The SELinux configuration is a living, complex environment, and mathematical models can be employed to overcome its complexity. Using a Python framework, the new SII methods will be verified by their ability to parse configuration data into valuable information that ensures SELinux configuration compliance and detects change.

Research Questions and Propositions

This research was executed via the design science research model, testing the SII algorithms and framework under the following research questions:

RQ1. Does collecting the relationship of service to policy to object by domain detect changes to services and indicate related policies and object context?

RQ2. Does collecting the relationship of service to policy to object by domain detect changes to policies and indicate related services and object context?

RQ3. Does collecting the relationship of service to policy to object by domain detect changes to object context and indicate related services and policies?

RQ4. Does collecting the relationship of service to policy to object by domain detect services not covered under any security policy?

The proposition of the dissertation research is that the new SELinux Integrity Instrumentation (SII) can prove compliance with security policies through detection of change.

Under design science research, the SII framework was verified for its detection of configuration changes, and it produced a baseline of the SELinux configuration that mitigates further configuration uncertainties by mapping services, objects and policies. SII was further tested for its ability to report for SELinux auditing.

Research Design

The design and creation of artifacts that collect the SELinux configuration are the basis of the research. Quantitative observations of algorithm performance and precision, taken while testing changes to SELinux configurations, will be used to prove the SII design.

Testing will use heterogeneous modern Linux operating systems that currently use SELinux as the default security reference monitor. Tests will entail real-world configuration changes to a set of test systems. Reference monitor configuration data will be collected from both test and base systems. Base systems will be matched operating systems with no changes performed.

In addition, algorithm timing data from test and base systems will be collected to determine algorithm performance. The monitoring system will collect timings to gauge the practicality of the monitoring artifacts.

SELINUX INTEGRITY INSTRUMENTATION

47

SELinux System Relationships

All running services on the system have an SELinux security context and possibly an SELinux policy. Each SELinux policy has a state of “allow on” or “allow off.” Each service is related to an object, either through the control of the policy (or not), and each object also has a security context.

Figure 1 - Service to Object Relationship

An important step is to understand the relationships and the components that will be used in the analysis. Figure 1 shows the service to policy to object relationships with data about object context and policy state. The SELinux security context is made up of (user, role, type, and level). The type is also known as the domain and is a critical data point in establishing the relationships among all the parts.

Proposition 1. All services (S) have a security context (C).

∀S∃C

Where:

S = Service

C = SELinux security context, which consists of user, role, type and level. The type is also referred to as the domain; in type enforcement configuration, the default in SELinux, it is used to control access to and execution of objects by services.

Proposition 2. All policies (p) have an allow state (t).

∀p∃t

Where:

p = SELinux security policy

t = SELinux policy state. The states are: allow on and allow off.

Proposition 3. Some services (S) have a policy (p).

∃S∃p

Where:

S = Service

p = SELinux security policy

Proposition 4. Some services (S) have a policy state (t) or no policy.

∃S∃t¬p

Where:

S = Service

t = SELinux policy state. The states are: allow on and allow off.

p = SELinux security policy

Proposition 5. All services (S) have objects (O).

Where:

S = Service

O = Object

Proposition 6. All objects (O) have a security context (C).

Where:

O = Object

C = Security context

The SELinux Instrumentation Architecture

The instrumentation architecture consists of collection, analysis, and output. A general overview of the instrumentation process is:

• Collection of data by type, such as system, date, version, service, policy and object mappings

• Establish hash tables

• Clustering relationships by domain type

• Build status and relationships

• Build lists of changes detected

• Output data for verification

Propositions 5 and 6 in predicate form:

∀S∃O

∀O∃C

Based on the relationship rules, the first step is data collection from the systems under analysis. The security context is made up of (user, role, type, and level). The domain is also known as the “type” component of the security context. The level is collected; however, it is used as part of multi-level security (MLS), and MLS is not in the scope of this research.

This is outlined in Figure 2:

Figure 2 - Architecture

The output is key to successfully monitoring SELinux and contains the core processes of data collection and change detection for the SELinux configuration. These areas of SELinux are pulled for analysis: active services, SELinux policies, and the objects accessed by the services, for a list of systems under analysis. The data collection architecture is as follows:

Figure 3 - Data Collector Framework

Differential Framework

With the baseline state recorded, tests use the same collection framework to pull new sets of updated configuration data. The new tuples are also hashed and recorded as a test set that can be compared to the baseline set. An overview of the differential framework is:

Figure 4 - Differential Analysis Reference Framework

The hash comparisons give a fast analysis, and only the data on changed items are read from the tables to add details of the change. This output will be in log format to allow tracking of test results.

Population and Sample

No analysis of pre-existing data or human surveys is performed in this research. The work is purely algorithmic analysis of the SELinux system, in the framework of graph theory, for security configuration integrity. A population of test systems will be used, and sampling of test metadata will be done.

Sampling Procedure

Collection of algorithm performance and test results on all test systems during data collection is planned.

Instrumentation

A running log of the analysis system is also kept to allow alerting tools to be used when configuration changes occur. The results log will be an important part of testing the instrumentation and can be used if SII is deployed in a live production environment.

Validity

The proposed setup will be in a lab environment consisting of a monitor control system (MCS) with a connection to a cloud service to back up all data, code and test scripts. A series of test systems will have specific test scenarios applied to them. The MCS will have an SSH key authorized on each system so that it can pull data from each system before and after tests are performed. The MCS will also run a control interface to allow control of the systems under test.

The following propositions will be proved with test cases:

Proposition 1:

SII detected changes for a policy state change are equal to the number of policy state changes on all test systems.

Proposition 2:

SII detected changes for services are equal to the services impacted by a policy state change, based on the services related to the policy by the security context of the domain.

Proposition 3:

SII detected changes for an object context change are equal to the number of object changes on the test systems.

Proposition 4:

SII detected changes for policies are equal to the policies impacted by an object state change, based on the objects related to the policy by the security context of the domain.

Proposition 5:

SII detected changes for service changes are equal to the number of services introduced to the test systems without any corresponding policy changes on the test systems.

Figure 5 - Test Design

Research Context

The research will be conducted in a lab environment. SII testing was performed in a framework developed with the algorithms outlined in the methodology section of the dissertation. The output of the prototype testing is examined to answer the research questions and prove the propositions.

Resources Needed

Hardware and software consist of one monitoring system with a range of test and base systems running Linux distributions that have SELinux on by default, such as Fedora and CentOS; possibly two of each, so that one runs as the baseline and one is used for testing changes to the system. One security server will be used for the prototype framework, with Python and a database framework, and used to send commands to the test systems and collect data.

When and where the research will be conducted.

Use of a CIS lab at Sinclair Community College that has 18 to 20 lab PCs has been approved. An alternative environment for the research is a series of four virtual machines with a fifth system, running as the collection and analysis system, in a personal environment.

Any other participants involved in your research.

No human participation or study is required for this research.

Reliability

Testing of the SII system will be run on live Linux systems. The following tests will be run to prove SII, with the following Linux services:

• HTTP – The Apache web server

• sshd – The secure shell server

• ftpd – The file transfer protocol server

• smbd – The Samba file server

• Plex - A free Media server

Test 1: Initial baseline - Tests are run to ensure collection and processing of the existing configuration. Process times and resources are also recorded, and the output is validated for accuracy.

Subtests include:

1a - Data collection timings and resources used.

1b - Validation of data collected – A summary of the data collected is exported from the database and summarized into count and size.

1c – Hash tables of the baseline are created and saved.

Test 2: System Change - A collection and analysis is run after a series of system updates. This includes an update to the SELinux base policy, followed by security updates and later application updates. After each change, an updated data collection and analysis will be run for an indication of detected configuration changes.

Subtests include:

2a - Service update test – Using “sudo yum update” on the httpd service

2b - Policy file update test – Using “sudo yum update” on the selinux-policy-targeted package

Test 3: System Change - Changes to system services are made; specifically, the security context of a service and some of its objects is changed. A new unprotected service will be added, and a service removed from the system. After each change, an updated data collection and analysis will be run with validation of any configuration changes.

Subtests include:

3a - New unprotected service – Install of the Plex service. Using “sudo yum install plex-<version>.rpm”

3b - Service removed – Removal of the Samba service. Using “sudo yum erase smb”, also shutting down the server before removal.

3c – Object context change – Change of the httpd document root context from httpd_sys_content_t to httpd_log_t. Using “sudo semanage fcontext -a -t httpd_log_t "/var/www(/.*)?"”

Test 4: Policy Changes - A series of changes to existing SELinux policies will be made. After each change, an updated data collection and analysis is run to test for any indication of configuration changes.

Subtests include:

4a - Policy state change – Changes to the allow state of an existing policy. Using “sudo setsebool ftp_home_dir=on” for a temporary change to the allow state and “sudo setsebool -P httpd_use_nfs=on” for a change to the allow state and the default state.

4b - Policy alteration – Create a policy from an AVC denial.

Instrumentation

For algorithm performance, the Python cProfile package will be used to collect function call counts and running times during testing.

Data Collection

Algorithms will be developed to collect and produce tuples of data from several areas of the Linux system configuration and SELinux settings, as well as other metadata. The areas of collection are:

• Service data - Data on the service (status and security context) for the current system.

• Policy data - Details on the policies for the service (context and state).

• Object data - Security context of the objects related to the service.

From the data, a service to policy to object relationship is analyzed and may produce additional output. Test metadata used for analysis, such as system information, date and time, and algorithmic processing times, will be captured.


The tuples of configuration data, each with a hash of the tuple, are collected and built into data tables. Relationships between service, policy and object are built and also put into the tables. The hash table allows for indexing, lookup, and differential analysis. Data about the hash tables, such as table sizes and item counts, will be collected.

The output is structured data of the SELinux configuration, with any differences recorded into a log file.

Results from the test cases will be collected as pass, fail or partial, along with the algorithm performance data collected from the testing. Further data on processing time and memory use will also be collected. These results are verified against the validation propositions as follows.

Table 1 - Test Verification

Proposition 1 Proposition 2 Proposition 3 Proposition 4 Proposition 5

Test 1 Test 1a/1b/1c Test 1a/1b/1c Test 1a/1b/1c Test 1a/1b/1c Test 1a/1b/1c

Test 2 Test 2b Test 2a/2b Test 2b

Test 3 Test 3a/3b/3c Test 3c Test 3c Test 3a/3b

Test 4 Test 4a/4b Test 4a/4b

Tools for collection and analysis

Data collection and analysis will use an open source language such as Python and/or shell scripting. Data retention will be in flat files and an open-source MongoDB database for data housing and querying. Test metadata analysis, such as algorithmic processing time or number of calls, will be done using R on the averages recorded from testing.

Data Analysis

Data analysis will be performed on the results of the test cases, and an empirical evaluation of the algorithms will be performed.

Summary of Chapter Three

A series of algorithms will be developed and tested in a prototype framework with real system data. The instrumentation will be validated to show that it can detect changes to the SELinux configuration. Chapter four will give full details of all algorithms designed during the experimentation, and all code will be presented in the appendix. Results of the algorithms will be presented, as well as the output, the algorithm performance and any additional observations.

CHAPTER FOUR

There are problems with validating SELinux configuration that can lead to security administration issues. To allow concise auditing and verification of settings, a series of algorithms, the SELinux Integrity Instrumentation (SII), was created and implemented in a testing framework. The SII framework was coded in Python (SII.py in Appendix A) and run in a CIS lab, with testing results consisting of captured data on algorithm precision and performance. This chapter reviews the testing environment, the methods and the details of the SII algorithms. Included are samples of the results and SII framework output from each algorithm.

Presentation of the Data

Evaluation of SII precision and performance was performed in the Computer Information Systems Lab at Sinclair Community College. The lab hardware consisted of six HP Compaq workstations with the following specifications:

• CPU: Intel Core 2 E8400 3GHz

• Memory: 3,713,328 KB (3.7 GB)

• Disk: 320 GB 2.5 inch USB 2.0 SATA drive enclosure

• Disk format: XFS file system on CentOS, ext4 on Fedora

• Test and base system disk partitioning:

  • /home 250GB

  • /boot 500MB

  • / 51GB

  • swap 3.25GB

Operating systems used:

• CentOS 7.0 64 bit (3.10.0-123.el7.x86_64)

• Fedora 20 64 bit (3.11.10-301.fc20.x86_64)

A total of six workstations were set up for the testing. One system was the main workstation used to remote, via SSH, into the test and base systems to run the testing and collect data. Three CentOS 7.0 and three Fedora 20 systems were configured: one of each as a test system (where configuration changes were made), one of each as a base system (where no changes were made), and one of each as a backup in the event of hardware or software failure during testing.

Table 2 – Testing Hardware

System Name | OS                | Station # | Role
research1   | CentOS 7.0 64 bit | 5043WS25  | Main system to run the research from. Not part of the testing.
cent1       | CentOS 7.0 64 bit | 5043WS10  | Test system. Underwent the configuration changes outlined in the Chapter 3 tests.
cent2       | CentOS 7.0 64 bit | 5043WS04  | Base system. Did not get any configuration changes. Testing started with cent2; however, due to errors it was moved to cent1b.
cent1b      | CentOS 7.0 64 bit | 5043WS18  | Base system. Later used for re-testing test cases 3a and 4a.
fedora1     | Fedora 20 64 bit  | 5043WS22  | Test system. Underwent the configuration changes outlined in the Chapter 3 tests.
fedora2     | Fedora 20 64 bit  | 5043WS17  | Base system. Did not get any configuration changes. Later used for re-testing test cases 3a and 4a.

Presentation and Discussion of Findings

The following SII algorithms were coded in a Python testing framework (SII.py in Appendix A) using the NoSQL database MongoDB, which stores JavaScript Object Notation (JSON) records. The SII framework collected data during testing from the following areas of the Linux operating system with SELinux active:

• Service data - Collected status and security context data on the running services for the test and base systems.

• Policy data - Configuration details on the SELinux Booleans.

• File Context data - Details on the SELinux file context configuration.

• Also recorded were the system name and the test number for each test. These were entered manually during SII execution.

The hash values were computed for:

• Each configuration tuple for the Service (S), Boolean/Policy (B), and File Context (C) areas from the test and base systems.

• A chain hash of the tuple hashes for S, B and C. This was called the fingerprint hash (fp) for each area: fpS, fpB and fpC.

Collection of the configuration data was triggered by SII.py calling external shell scripts (Appendix B) that ran systemctl, semanage and sesearch, with results stored in text files under a local directory named after the test ID. The SII framework then opened and parsed these files for configuration data. The SII collection process is shown in Figure 6.


Figure 6 – SII Collection Process

The results from two tests go through an analysis flow (Figure 7) that compares the fingerprints and then the whole array of hash values, called a hash stack, for each configuration area of Service, Boolean and File Context.

Figure 7 - Difference Testing

The following is a sample of the parsed results generated from testing each SII algorithm, with the algorithm description, a sample of the code and example results.

Algorithm One - Service Collection

For each test and base system, the service configuration data was collected, hashed into tuples and stored in a service collection (table) per test.

Algorithm One

Inputs:
  - System Name {N}
  - Test Number {T}
Outputs:
  1. For each system in system data:
     a. Get service name {S};
     b. Get service security context {C};
     c. Get service domain {D};
     d. Hash <— {S, D, C};
  2. Tuple of {N, T, S, C, D, Hash, Date/Time}

SII.py code for the algorithm

The SII framework code that generated the hash values was part of the serviceparse function, with the following lines performing the hashing:

    # concatenate the tuple fields and hash them (Python 2 md5 module)
    tohash = service + sdomain + Context
    Hash = md5.new(tohash).hexdigest()
    # one JSON record per service, stored in the per-test service collection
    docinsert = {"Sys": system, "testnum": testnum, "Service": service,
                 "Domain": sdomain, "Context": Context, "Hash": Hash,
                 "date": datetime.datetime.utcnow()}
    db.service.insert(docinsert)

Sample of results

The system service configuration items of name, domain and SELinux context were parsed, and an MD5 hash was generated for the tuple. The results were stored in a collection for that test; the sample JSON record below is the entry for system cent1, test number 1, for the Apache (httpd) web service.

    {
      "_id" : ObjectId("54b167c9350a2b15f1a49f10"),
      "Domain" : "httpd_t",
      "Hash" : "10b2c74a673065f708d93efb72595df2",
      "Service" : "httpd",
      "Sys" : "cent1",
      "Context" : "system_u:system_r:httpd_t:s0",
      "date" : ISODate("2015-01-10T12:56:25.917-05:00"),
      "testnum" : "1"
    }

The sample JSON record shows that the SELinux context “Domain” of httpd_t was parsed from the context of the Apache (httpd) service. The resulting hash was an MD5 value computed over the combined service name, domain, and context. The data elements of the system (Sys) and the test number (testnum) were saved from the user input. The DB collection contained one record for each active service on all base and test systems. A total of 43 services, later 42 on the test systems due to the test cases, were collected, with full results in Appendix D.

Algorithm Two - File Context Collection

From the raw file context output, data on the path, type and context were extracted to build the tuple, which was then hashed.

Algorithm Two

Inputs:
  - System Name {N}
  - Test Number {T}
Outputs:
  1. For each context in context data:
     a. Get Path {P};
     b. Get object type {Ot};
     c. Get object security context {C};
     d. Get object domain {D};
     e. Get object (O) name {On};
  2. Hash <— {P, Ot, C};
     a. Tuple of {N, T, P, Ot, C, D, Hash, Date/Time}

SII.py code for the algorithm

The SII function “fonctextparse” sets up the text parsing, and the following code in the function creates the tuple and MD5 hash:

    # path, file type and context form the hashed tuple (Python 2 md5 module)
    tohash = fpath + ftype + fcontext
    Hash = md5.new(tohash).hexdigest()
    docinsert = {"Sys": system, "testnum": testnum, "Path": fpath, "Type": ftype,
                 "Domain": domain, "Context": fcontext, "Hash": Hash,
                 "date": datetime.datetime.utcnow()}
    db.fcontext.insert(docinsert)

Sample of Results

Sample JSON record for system cent1, test 1:

    {
      "_id" : ObjectId("54b167d0350a2b15f1a4b5e6"),
      "Sys" : "cent1",
      "Domain" : "httpd_sys_content_t",
      "Hash" : "13dd68cf3ab5aaa3ae580dd8b2f948c5",
      "Context" : "system_u:object_r:httpd_sys_content_t:s0",
      "date" : ISODate("2015-01-10T12:56:32.512-05:00"),
      "Path" : "/var/www(/.*)?",
      "testnum" : "1",
      "Type" : "allfiles"
    }

From the SELinux file context configuration, the SELinux context (with the domain parsed separately), the “type” and the “path” were parsed. The path, type, and context were used in the MD5 hash generation, and the results are stored in a collection by test number. An average of 5,555 items was parsed, making the file context the largest collection generated and analyzed during testing. The full results are in Appendix D.

Algorithm Three - Boolean Collection

From the raw Boolean data, the tuple was generated by extracting the Boolean configuration items and creating a hash on them.

Algorithm Three

Inputs:
  - System Name {N}
  - Test Number {T}
Outputs:
  1. For each Boolean in Boolean data:
     a. Get Boolean name {p};
     b. Get Boolean description {D};
     c. Get Boolean state {t};
     d. Get Boolean default state {Dt};
     e. Get Boolean domain {D};
     f. Hash <— {p, Dt, t, D};
  2. Tuple of {N, T, p, Dt, t, D, Hash, Date/Time}

SII.py code for the algorithm

The SII framework “booleanparse” function generated the tuple from the Boolean name, the default state, the current state and the domain, and an MD5 hash was generated for the values. The tuple and hash code is as follows:

    # name, default state, current state and domain form the hashed tuple
    tohash = Boolean + Default + State + Domain
    Hash = md5.new(tohash).hexdigest()
    docinsert = {"Sys": system, "testnum": testnum, "Boolean": Boolean,
                 "Description": Description, "Default": Default, "State": State,
                 "Hash": Hash, "Domain": Domain, "date": datetime.datetime.utcnow()}
    db.booleans.insert(docinsert)

Sample of Results

Sample Boolean record from system cent1, test number 1:

    {
      "_id" : ObjectId("54b167cc350a2b15f1a49f4a"),
      "Sys" : "cent1",
      "date" : ISODate("2015-01-10T12:56:28.110-05:00"),
      "State" : "on",
      "Boolean" : "httpd_enable_cgi",
      "Hash" : "01e6da02834fbe05909ec54d822c70ec",
      "Description" : "Allow httpd to enable cgi",
      "Default" : "on",
      "testnum" : "1",
      "Domain" : "httpd_suexec_t"
    }

The policy name (“Boolean”), the description, context, domain, default and current state, along with the test data (system, test number, a date/time and the generated hash), are contained in a JSON record in a collection by test. An average of 278 Booleans was recorded for each system. This varied for the test systems as configuration changes happened under the test cases. Full results are listed in Appendix D.


Algorithm Four - Fingerprint Hash

For each area (Service, Boolean and File Context), generate a unique hash (fingerprint) based on a chain hash of each tuple hash value of that area.

Algorithm Four

Inputs:
  - System Name {N}
  - Test Number {T}
  - Array, sorted by name, of hashes for the area (S, P, C)
Outputs:
  1. For the first item in the hash array:
     a. Set H1 = "";
     b. Set H2 = item from array;
  2. H1 || H2 <-- Hash as new H1
     a. For item +1 to N;
     b. H1 = item;
     c. H2 = Previous H1;
     d. H1 || H2 <-- Hash
  3. {Fp} <-- final hash

Flow diagram for fingerprint hash generation


Figure 8 – Fingerprint Algorithm
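The chain hash of Algorithm Four, as an added example in Python 3 that is not SII.py code: the Boolean records are constructed, and the second set reproduces the change of chapter three's test 4a (`setsebool -P httpd_use_nfs=on`, which sets State and Default to on) so that both the fingerprint difference and the order independence of the sorted array can be checked.

```python
"""Added example (not SII.py) of Algorithm Four: the chain-hash fingerprint of one
configuration area, computed over the tuple hashes sorted by name. Records are
constructed Boolean tuples in the shape of the SII booleans collection."""
import hashlib


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def chain_step(h1, h2):
    """One link of the chain: Hash(H1 || H2), with || meaning concatenation."""
    return md5_hex(h1 + h2)


def fingerprint(records, name_field):
    """Algorithm Four over a list of {name_field: ..., "Hash": ...} records.

    Sorting by name first makes the fingerprint a function of the set of tuple
    hashes, not of the order in which the tuples were collected."""
    hashes = [r["Hash"] for r in sorted(records, key=lambda r: r[name_field])]
    if not hashes:
        return None                          # an empty area has no fingerprint
    h1 = chain_step("", hashes[0])           # step 1: H1 = "", H2 = first item
    for item in hashes[1:]:                  # step 2: H1 = item, H2 = previous H1
        h1 = chain_step(item, h1)
    return h1                                # step 3: Fp


def boolean_record(name, default, state, domain):
    """Constructed Boolean tuple hashed as SII does: {p, Dt, t, D}."""
    return {"Boolean": name, "Default": default, "State": state, "Domain": domain,
            "Hash": md5_hex(name + default + state + domain)}


BASELINE = [
    boolean_record("httpd_enable_cgi", "on", "on", "httpd_suexec_t"),
    boolean_record("httpd_use_nfs", "off", "off", "httpd_t"),
    boolean_record("ftp_home_dir", "off", "off", "ftpd_t"),
]
# The same Booleans collected in another order, after test 4a of chapter three
# (`setsebool -P httpd_use_nfs=on`) set State and Default of httpd_use_nfs to on.
TEST4A = [
    boolean_record("ftp_home_dir", "off", "off", "ftpd_t"),
    boolean_record("httpd_enable_cgi", "on", "on", "httpd_suexec_t"),
    boolean_record("httpd_use_nfs", "on", "on", "httpd_t"),
]


def demo():
    fp_base = fingerprint(BASELINE, "Boolean")
    return {
        "base_fp": fp_base,
        "test_fp": fingerprint(TEST4A, "Boolean"),
        # collection order must not matter once the array is sorted by name
        "order_independent": fingerprint(list(reversed(BASELINE)), "Boolean") == fp_base,
        # one changed tuple hash changes every later link, so the final hash differs
        "detects_change": fingerprint(TEST4A, "Boolean") != fp_base,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The fingerprint comparison is the cheap first stage of Algorithm Six: one 32-character comparison per area decides whether the full hash stack has to be walked at all.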

Algorithm Five - Results Collection

Results from tests were stored in a results MongoDB collection, to be used later in testing for differences.

Algorithm Five

Inputs:
  - System Name {N}
  - Date/Time {DT}
  - Test {T}
  - Service Fingerprint {SFP}
  - Policy Fingerprint {PFP}
  - Context Fingerprint {CFP}
  - Service Count {Sc}
  - Policy Count {Pc}
  - Context Count {Cc}
Outputs:
  - Tuple of {N, DT, T, SFP, PFP, CFP, Sc, Pc, Cc}

Sample of the results

File Context, Service and Boolean hash fingerprints were generated and saved to the results table. The example listed below was used to detect changes between two tests. The sample JSON record is from system cent1 for test 1.

    {
      "_id" : ObjectId("54b1683e350a2b15f1a4b622"),
      "contextFP" : "d680d3862526ccab257cf4cba8120a86",
      "Sys" : "cent1",
      "serviceFP" : "3db923b4e92df96202c5647b09c6c920",
      "booleanFP" : "09433755b60e36621246da3bbc20d298",
      "date" : ISODate("2015-01-10T12:58:22.535-05:00"),
      "testnum" : "1"
    }

The JSON results contain the “_id” assigned by MongoDB, then the system “Sys”, the test number “testnum”, the fingerprints generated by the fingerprint algorithm and a date/time stamp. Appendix D has the full output.

Algorithm Six - Differential

This two-part algorithm evaluates the fingerprints generated by Algorithm Five and displays “no diff” or “diff” for each configuration area (Service, Boolean or File Context) between the two tests indicated. If a difference is found, a deeper analysis of each item in the configuration area follows, with details of what changed between the two tests.

Algorithm Six

  1. Compare test (T) fingerprint {Tfp} with baseline (B) fingerprint {Bfp} for x (where x = pfp, sfp, cfp):
     Bfp(x) == Tfp(x)? If no difference return (no diff) else:
  2. Compare hash stacks for base (B) and test (T):
     a. Pull B(x)fp (pull _id, Hash); Baseline hash = Bh
     b. Pull T(x)fp (pull _id, Hash); Test hash = Th
     c. If Bh != Th then diff = 1
        Else diff = 0
  3. Pull Diff data
     a. For each Diff == 1, pull data tuple by _id
  4. List differences
     a. By Service, Policy, FContext

SII.py code for the algorithm

Two functions, diffs and stackdiff, run the two parts of the algorithm. The three configuration areas were pulled from MongoDB for each test. Example code for the service area is listed:

    t1svcStack = list(db.service.find({}, {"Service": 1, "Sys": 1, "Context": 1, "Hash": 1}).sort("Service"))

An item count was done to allow indication of list length differences between tests. The service check from SII.py (Python 2) follows:

    t1svclength = len(t1svcStack)
    t2svclength = len(t2svcStack)

    # Service: build a name -> tuple hash dictionary for each test
    test1svc_dic = {}
    for line1 in t1svcStack:
        svcname = line1.get("Service")
        svchash = line1.get("Hash")
        test1svc_dic[svcname] = svchash
    test2svc_dic = {}
    for line1 in t2svcStack:
        svcname = line1.get("Service")
        svchash = line1.get("Hash")
        test2svc_dic[svcname] = svchash

    # Service Checks: symmetric difference of the (name, hash) pairs
    svcdiff = test1svc_dic.viewitems() ^ test2svc_dic.viewitems()
    for diffitem in svcdiff:
        dname = diffitem[1]
        # print the full tuple from each test whose hash is in the difference
        for xitem in t1svcStack:
            if xitem["Hash"] == dname:
                print "----------------- Test 1-----------------"
                outitemsx = xitem.items()
                print tabulate(outitemsx, tablefmt="grid")
        for yitem in t2svcStack:
            if yitem["Hash"] == dname:
                print "------------------ Test 2 ------------"
                outitemsy = yitem.items()
                print tabulate(outitemsy, tablefmt="grid")
        print "---------------------------------------------"

    # count check; the original compared t1svclength with itself, which never differs
    if t1svclength != t2svclength:
        print "Service Count difference"
        print "Set1:", t1svclength, " vs ", t2svclength
        # only reports names present in test 1 and absent from test 2
        for k, v in test1svc_dic.iteritems():
            if k not in list(test2svc_dic.keys()):
                print "Not in test2 service:"
                print k, v
    else:
        print "Both Service tests have same count of:", t1svclength
    print "-------------------------------------------"
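The hash stack comparison of Algorithm Six, as an added example in Python 3 that is not SII.py code: it builds the same name-to-hash dictionaries as stackdiff and takes the same symmetric difference, but classifies each differing item as removed, added or changed and reports both counts. The records are constructed service tuples modelled on chapter three's test 3 (a service context change, a removed service and an added unprotected service); unconfined_service_t is an assumed context for the constructed records, not a value taken from the lab output.

```python
"""Added example (not SII.py) of Algorithm Six's second part: compare the hash
stacks of a baseline test and a later test, classify every differing item, and
run the count check. Records are constructed, shaped like SII's service tuples."""
import hashlib


def tuple_hash(*fields):
    """MD5 hex digest over the concatenated fields, as SII computes tuple hashes."""
    return hashlib.md5("".join(fields).encode()).hexdigest()


def service_record(system, testnum, service, context):
    """Constructed service tuple in the shape of the SII service collection."""
    dom = context.split(":")[2]
    return {"Sys": system, "testnum": testnum, "Service": service, "Domain": dom,
            "Context": context, "Hash": tuple_hash(service, dom, context)}


def hash_stack(records, name_field):
    """name -> tuple hash, the per-test dictionary stackdiff builds."""
    return {r[name_field]: r["Hash"] for r in records}


def stack_diff(base_records, test_records, name_field):
    """Return removed / added / changed items between two tests of one area.

    SII takes the symmetric difference of the (name, hash) pairs; here each
    differing name is then classified so the report says what kind of change
    it is, and both counts are returned for the count check."""
    base = hash_stack(base_records, name_field)
    test = hash_stack(test_records, name_field)
    base_by_name = {r[name_field]: r for r in base_records}
    test_by_name = {r[name_field]: r for r in test_records}
    differing = {name for name, _ in set(base.items()) ^ set(test.items())}
    report = {"removed": [], "added": [], "changed": [],
              "count_base": len(base), "count_test": len(test)}
    for name in sorted(differing):
        if name not in test:
            report["removed"].append(base_by_name[name])
        elif name not in base:
            report["added"].append(test_by_name[name])
        else:                        # same name, different tuple hash
            report["changed"].append((base_by_name[name], test_by_name[name]))
    return report


# Constructed baseline (test 1) and later test (test 3) for system cent1.
BASELINE = [
    service_record("cent1", "1", "httpd", "system_u:system_r:httpd_t:s0"),
    service_record("cent1", "1", "sshd", "system_u:system_r:sshd_t:s0"),
    service_record("cent1", "1", "smb", "system_u:system_r:smbd_t:s0"),
]
# Test 3 of chapter three: a service context changed, smb removed, an unprotected
# service added (unconfined_service_t is an assumed context for the example).
TEST3 = [
    service_record("cent1", "3", "httpd", "system_u:system_r:unconfined_service_t:s0"),
    service_record("cent1", "3", "sshd", "system_u:system_r:sshd_t:s0"),
    service_record("cent1", "3", "plexmediaserver", "system_u:system_r:unconfined_service_t:s0"),
]


def demo():
    """Diff of the constructed tests; the counts match although the items differ."""
    return stack_diff(BASELINE, TEST3, "Service")


if __name__ == "__main__":
    r = demo()
    print("counts:", r["count_base"], "vs", r["count_test"])
    for kind in ("removed", "added"):
        print(kind, [x["Service"] for x in r[kind]])
    for old, new in r["changed"]:
        print("changed", old["Service"], old["Context"], "->", new["Context"])
```

In the constructed case both tests hold three services, so a count check alone reports nothing; the per-item comparison is what exposes the removed smb service and the added unprotected one, alongside the changed httpd context.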

Sample of Results

The SII framework took as input two test numbers to search for differences, and first performed a fingerprint comparison. The fingerprints were stored in the database, pulled and compared, and output to the screen as seen in Figure 9. The output used SPF for the service fingerprint, BPF for the Boolean fingerprint and CFP for the file context fingerprint, with “NO Diff” or “********** FP DIFF!!” presented in the output (Figure 9 shows a Boolean FP difference). The actual fingerprint hash values were also displayed for both tests in the output for test verification.

Figure 9 - Diff Function Output

For the testing framework, a yes/no prompt to run a full hash stack analysis was presented. On yes, the “stackdiff” function is called (Figure 9) to determine the individual items that changed between the two tests. For base systems, where no fingerprint differences were found, the “stackdiff” function was still executed to allow capture of performance data.

Figure 10 - Stackdiff function initial test

Part of “stackdiff” is a comparison of the total items in each area and test. Figure 11 is an example of the Boolean count check. If a count difference was detected, the item missing from a test is displayed on the output.

Figure 11 - Stackdiff function count of items

The configuration tuples from each test are listed where a hash difference was detected. Figures 12 and 13 are examples of two Booleans where this occurred, and the full tuple was displayed.

Figure 12 - Stackdiff function Boolean httpd_use_nfs service config test 1

Figure 13 - Stackdiff function Boolean httpd_use_nfs service config test 2

Test one shows the settings for the httpd_use_nfs Boolean, where in test two the Default and State were set to “on”, causing the hash to differ from the hash value computed in test 1. The full output from all tests is presented in Appendix C.

Performance

Fingerprint diff and hash stack diff performance results were measured using cProfile wrappers in the SII.py code. The two functions profiled are “diffs”, which compared the test fingerprints, and “stackdiff”, which did the deep analysis to find the individual items that changed. For the base systems (where no changes were made), “stackdiff” was always run to capture the performance. The sample of summary data collected from cProfile shows the number of function calls and the total time in seconds to complete execution.

Table 3 – Function Performance Summary

Function  | Performance Summary                    | Test Number
diffs     | 189 function calls in 0.001 seconds    | 2
stackdiff | 235878 function calls in 1.173 seconds | 2
diffs     | 194 function calls in 0.001 seconds    | 3
stackdiff | 157809 function calls in 0.337 seconds | 3
diffs     | 199 function calls in 0.001 seconds    | 4
stackdiff | 158315 function calls in 0.337 seconds | 4

Full test results are in Appendix E.

Detailed cProfile data from each system and test was captured and saved in CSV and a binary format for detailed analysis. An example from the cent1 test 2 stackdiff function is as follows:

Table 4 – Sample cProfile Performance

ncalls   tottime   percall   cumtime   percall   filename:lineno(function)
47995    0.031     0         0.031     0         {isinstance}
29940    0.023     0         0.023     0         {method 'get' of 'dict' objects}
24523    0.012     0         0.012     0         {len}
11912    0.007     0         0.007     0         collection.py:182(database)
11878    0.045     0         0.31      0         cursor.py:1054(next)
11872    0.017     0         0.083     0         objectid.py:70(__init__)
11872    0.006     0         0.006     0         {method 'popleft' of 'collections.deque' objects}
11872    0.037     0         0.066     0         objectid.py:174(__validate)
11872    0.016     0         0.016     0         database.py:271(_fix_outgoing)
5866     0.685     0         0.685     0         {method 'keys' of 'dict' objects}
4376     0.008     0         0.008     0         {hasattr}
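The cProfile wrapper technique the Performance section describes, as an added example that is not the SII.py code: a function is run under cProfile and the two numbers Table 3 reports per function (total calls and total seconds), plus the top rows of the kind shown in Table 4, are returned as data rather than printed, so they can be stored alongside the test results. The profiled function count_changed is a constructed stand-in for stackdiff.

```python
import cProfile
import hashlib
import io
import pstats
from typing import Any, Callable, Dict, List, Tuple


def count_changed(base: Dict[str, str], test: Dict[str, str]) -> int:
    """Constructed stand-in for a stackdiff: count keys whose hashed value differs."""
    digest = lambda v: hashlib.md5(v.encode("utf-8")).hexdigest()
    return sum(1 for k in base.keys() & test.keys() if digest(base[k]) != digest(test[k]))


def profiled(func: Callable[..., Any], *args: Any, **kwargs: Any) -> Tuple[Any, Dict[str, Any]]:
    """Run func under cProfile and return (result, summary).

    summary["calls"] and summary["seconds"] are the totals cProfile prints as
    "N function calls in T seconds"; summary["top"] holds the heaviest entries
    sorted by tottime as (ncalls, tottime, cumtime, filename:lineno(function)).
    """
    profiler = cProfile.Profile()
    result = profiler.runcall(func, *args, **kwargs)
    # Stats() finalizes the profiler; a StringIO stream keeps it from printing.
    stats = pstats.Stats(profiler, stream=io.StringIO())
    rows: List[Tuple[int, float, float, str]] = []
    # stats.stats maps (file, line, func) -> (primitive calls, calls, tottime, cumtime, callers)
    for (filename, lineno, funcname), (_cc, ncalls, tottime, cumtime, _callers) in stats.stats.items():
        rows.append((ncalls, tottime, cumtime, f"{filename}:{lineno}({funcname})"))
    rows.sort(key=lambda r: r[1], reverse=True)
    summary = {"calls": stats.total_calls, "seconds": stats.total_tt, "top": rows[:10]}
    return result, summary


if __name__ == "__main__":
    # Constructed sample input: one value changed, one key only in the baseline.
    base = {"httpd_use_nfs": "off", "ftp_home_dir": "off", "smb": "running"}
    test = {"httpd_use_nfs": "on", "ftp_home_dir": "off"}
    changed, summary = profiled(count_changed, base, test)
    print(f"{changed} changed; {summary['calls']} function calls in {summary['seconds']:.3f} seconds")
    for ncalls, tottime, cumtime, name in summary["top"]:
        print(f"{ncalls:>8} {tottime:>8.3f} {cumtime:>8.3f} {name}")
```

Returning the totals as a dict is what makes the figures in Table 3 reproducible across runs: the same wrapper can write one CSV row per function and test number instead of relying on captured terminal output.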

Domain Relationship Testing

Test five was to see if the relationships between service, Boolean, and file context could be obtained. Based on the model in chapter three (Figure 1, Service to Object Relationship), searching on a domain gives output on the Services, Booleans and File Context related to the search string entered. This was coded into SII as a search function called “searchrel” that gathers and searches across the dictionaries created from the data pulled from the database.


Figure 14 - Test for relationship by domain httpd

The example in Figure 14 was from system cent1 and was conducted as part of a test to search the different configuration areas of Service, Boolean and File Context based on a domain. Full SII output for this testing is located in Appendix F.

Presentation and Discussion of Findings

Six SII algorithms were coded into a Python framework that interacted with external shell commands and a NoSQL database, MongoDB, on four CIS lab systems running Linux with SELinux active, running paired tests. Test systems underwent a series of configuration changes while the base systems did not. SII ran a series of tests on both test and base systems, with data collected in the database, exported to flat files, and terminal output captured for analysis.

Key algorithmic functions of SII were tested, and data from individual configuration tuples were hashed, as were the SELinux areas of Service, Boolean and File Context, with fingerprints (chain hashes) generated and recorded.

Summary of Chapter

The SII testing framework was used in a series of configuration changes on test systems, with results captured on precision and performance. The results of the tests are reviewed in chapter five along with observations and future work.


CHAPTER FIVE

The SII framework was verified against the research questions with a series of tests on test systems that underwent various OS and SELinux configuration changes. Two similar base systems did not receive any changes but still had the SII framework loaded and run with each test. The findings and conclusions give the results of the test scenarios against the SII framework, with sample output here and full output in the appendices.

Findings and Conclusions

Testing was performed with the following conditions on the test systems, with results collected on both test and base systems.

Test 1: Initial baseline - Tests ran on all systems with verification of collection and processing of configuration. Process times and resources were also validated to be recorded. These were performed in the following sub-tests:

1a - Data collection timings and resources used. The SII.py framework successfully used the cProfile package to record timings and calls by the algorithms.

1b - Validation of data collected. A summary of the data collected was exported from the database, and framework output was recorded in Appendix C.

1c - Hash tables of the baseline were created and saved. Appendix D has the SII export of the data tables.

1b and 1c – The SII framework successfully collected configuration tuples of Services, Booleans, and File Context configuration on test and base systems. Individual tuples were successfully generated, and hash values generated for configuration items to monitor for change. The following JSON record was for the SELinux Boolean httpd_enable_cgi; values such as default state, current state and domain were parsed and used in the MD5 hash generation.

{ "_id" : ObjectId("54b167cc350a2b15f1a49f4a"), "Sys" : "cent1", "date" : ISODate("2015-01-10T12:56:28.110-05:00"), "State" : "on", "Boolean" : "httpd_enable_cgi", "Hash" : "01e6da02834fbe05909ec54d822c70ec", "Description" : "Allow httpd to enable cgi", "Default" : "on", "testnum" : "1", "Domain" : "httpd_suexec_t" }

Each configuration area (Services, Booleans and File Context) successfully had a fingerprint hash generated and recorded for each test in the results collection, as in the following example JSON record:

{ "_id" : ObjectId("54b1683e350a2b15f1a4b622"), "contextFP" : "d680d3862526ccab257cf4cba8120a86", "Sys" : "cent1", "serviceFP" : "3db923b4e92df96202c5647b09c6c920", "booleanFP" : "09433755b60e36621246da3bbc20d298", "date" : ISODate("2015-01-10T12:58:22.535-05:00"), "testnum" : "1" }
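The tuple hashing, chain-hash fingerprinting, cheap “diffs” comparison and deep “stackdiff” described in the Performance section and in Test 1 above, as one added example that is not the SII.py code. Field names follow the JSON records on the page; the '|'-joined serialization, the sorted-chain construction, the sample Boolean and service records, and the unprotected_services helper are assumptions of this example. MD5 is used because the page uses it; for change detection any hash works and hashlib.sha256 is a drop-in replacement. The service data also exercises the Test 3 cases below (a removed service, and a new service running with no SELinux context).

```python
import hashlib
import json
from typing import Any, Dict, List, Sequence, Tuple

Record = Dict[str, str]

# Field order per configuration area; the first field is the item key.
# Names mirror the page's JSON records; the order and join format are assumptions.
AREA_FIELDS: Dict[str, Tuple[str, ...]] = {
    "Boolean": ("Boolean", "Default", "State", "Domain"),
    "Service": ("Service", "Domain", "Context"),
}


def tuple_hash(record: Record, fields: Sequence[str]) -> str:
    """Hash of one configuration tuple; any field change changes the digest."""
    payload = "|".join(record[f] for f in fields)
    return hashlib.md5(payload.encode("utf-8")).hexdigest()


def fingerprint(records: List[Record], fields: Sequence[str]) -> str:
    """Chain hash of an area: h_i = md5(h_(i-1) || tuple_hash_i) over items sorted by key.

    Sorting makes the fingerprint independent of the order records were collected.
    """
    key = fields[0]
    chain = ""
    for rec in sorted(records, key=lambda r: r[key]):
        chain = hashlib.md5((chain + tuple_hash(rec, fields)).encode("utf-8")).hexdigest()
    return chain


def diffs(base_fp: str, test_fp: str) -> bool:
    """Cheap top-level check: True when the area changed at all."""
    return base_fp != test_fp


def stackdiff(base: List[Record], test: List[Record], fields: Sequence[str]) -> Dict[str, Any]:
    """Deep comparison: per-item hashes locate added, removed and changed items."""
    key = fields[0]
    base_map = {r[key]: r for r in base}
    test_map = {r[key]: r for r in test}
    changed: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for k in base_map.keys() & test_map.keys():
        if tuple_hash(base_map[k], fields) != tuple_hash(test_map[k], fields):
            changed[k] = {f: (base_map[k][f], test_map[k][f])
                          for f in fields if base_map[k][f] != test_map[k][f]}
    return {
        "added": sorted(test_map.keys() - base_map.keys()),
        "removed": sorted(base_map.keys() - test_map.keys()),
        "changed": changed,
    }


def unprotected_services(services: List[Record]) -> List[str]:
    """Running services with no SELinux domain (SII prints these as <<none>>)."""
    return sorted(s["Service"] for s in services if s["Domain"] == "<<none>>")


# Constructed sample records modelled on the page's tests (not the dissertation's data).
BASE_BOOLEANS = [
    {"Boolean": "httpd_enable_cgi", "Default": "on", "State": "on", "Domain": "httpd_suexec_t"},
    {"Boolean": "httpd_use_nfs", "Default": "off", "State": "off", "Domain": "httpd_suexec_t"},
    {"Boolean": "ftp_home_dir", "Default": "off", "State": "off", "Domain": "ftpd_t"},
]
TEST_BOOLEANS = [  # test 4a: httpd_use_nfs state on; ftp_home_dir default and state on
    {"Boolean": "ftp_home_dir", "Default": "on", "State": "on", "Domain": "ftpd_t"},
    {"Boolean": "httpd_use_nfs", "Default": "off", "State": "on", "Domain": "httpd_suexec_t"},
    {"Boolean": "httpd_enable_cgi", "Default": "on", "State": "on", "Domain": "httpd_suexec_t"},
]
BASE_SERVICES = [
    {"Service": "httpd", "Domain": "httpd_t", "Context": "system_u:system_r:httpd_t:s0"},
    {"Service": "sshd", "Domain": "sshd_t", "Context": "system_u:system_r:sshd_t:s0"},
    {"Service": "smb", "Domain": "smbd_t", "Context": "system_u:system_r:smbd_t:s0"},
]
TEST_SERVICES = [  # test 3a/3b: Samba removed, Plex added with no context
    {"Service": "httpd", "Domain": "httpd_t", "Context": "system_u:system_r:httpd_t:s0"},
    {"Service": "sshd", "Domain": "sshd_t", "Context": "system_u:system_r:sshd_t:s0"},
    {"Service": "plexmediaserver", "Domain": "<<none>>", "Context": "<<none>>"},
]


def run_analysis() -> Dict[str, Any]:
    """Fingerprint each area; only run the expensive stackdiff where diffs says it changed."""
    out: Dict[str, Any] = {}
    for area, base, test in (("Boolean", BASE_BOOLEANS, TEST_BOOLEANS),
                             ("Service", BASE_SERVICES, TEST_SERVICES)):
        fields = AREA_FIELDS[area]
        base_fp, test_fp = fingerprint(base, fields), fingerprint(test, fields)
        out[area] = {"baseFP": base_fp, "testFP": test_fp, "changed": diffs(base_fp, test_fp)}
        if out[area]["changed"]:
            out[area]["detail"] = stackdiff(base, test, fields)
    out["unprotected"] = unprotected_services(TEST_SERVICES)
    return out


if __name__ == "__main__":
    print(json.dumps(run_analysis(), indent=2))
```

Running stackdiff only after diffs reports a difference is what keeps the cheap comparison cheap on an unchanged base system; the page's Table 3 shows the two functions differing by three orders of magnitude in call count.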

The performance data collected by the cProfile package in SII.py was summarized by function for all systems and tests.


Figure 15 - Algorithm Performance by SII function

The performance summary (Figure 19) is the mean time in milliseconds for each function over all tests. Functions that processed a larger number of items took longer: the File Context fingerprint processed an average of 5,555 file context tuples, and the “stackdiff” function made 628K calls. Even the mean time for the larger processing of the File Context fingerprint still completed in a reasonable time of 1.2 seconds or less on both test and base systems.

Test 2: System Change - A collection and analysis were run after updates to the SELinux base policy, followed by security updates, in the following sub-tests:

Test 2a - Update the Apache service.

Test 2b - Update to the selinux-policy-targeted package.


Cent1

Test 2a, the Apache update, did not change any of the Apache (httpd) SELinux service configuration captured. The httpd JSON data indicated no changes to the domain or context, so the hash did not change, as shown in the following tuples:

JSON Cent1 Test 1 httpd:

{ "_id" : ObjectId("54b167c9350a2b15f1a49f10"), "Domain" : "httpd_t", "Hash" : "10b2c74a673065f708d93efb72595df2", "Service" : "httpd", "Sys" : "cent1", "Context" : "system_u:system_r:httpd_t:s0", "date" : ISODate("2015-01-10T12:56:25.917-05:00"), "testnum" : "1" }

JSON Cent1 Test2 httpd:

{ "_id" : ObjectId("54b16f8c350a2b58f855f769"), "Domain" : "httpd_t", "Hash" : "10b2c74a673065f708d93efb72595df2", "Service" : "httpd", "Sys" : "cent1", "Context" : "system_u:system_r:httpd_t:s0", "date" : ISODate("2015-01-10T13:29:32.035-05:00"), "testnum" : "2" }


Test 2b was an update to the SELinux targeted policy, and the update triggered fingerprint detections for Boolean and File Context.

Figure 16 - Test 2 system cent1 fingerprint change detections

Many Boolean changes were found after the policy update, and the SII stackdiff output is too long to reproduce here (Appendix G has the full difference, and Appendix C has the full SII output). A few examples of the differences detected were:

The SELinux policy update changed the Boolean mount_anyfile domain from automount_t to mount_t; this was reflected in the hash change and was detected.

Figure 17 - Results from SII detection from domain change to Boolean mount_anyfile

The targeted policy update created many updates. However, the test scenarios revolved around the following services, and the ability to detect any changes that may occur to them:

• httpd – The Apache web server

• sshd – The secure shell server

• ftpd – The file transfer protocol server

• smbd – The Samba file server

• Plex - A free media server

The Apache web service did see Boolean updates; for example, the Boolean that allows Apache to use NFS experienced a domain change from httpd_suexec_t to httpd_t (Figure 18).


Figure 18 - Results from SII detection from domain change to Boolean httpd_use_nfs

File Context also underwent many changes from the policy update, with modifications, additions and removals of file context entries. The system cent1 file context collections for both test 1 and test 2 were exported (via mongoexport to CSV) and pulled through the comparison application (Beyond Compare 4.0.5), with a full report in Appendix G. An example of a configuration change to the security context of the path /usr/sbin/puppetd was observed in testing:


Figure 19 - Results from SII detection from context change to file context to /usr/sbin/puppetd

Fedora1, a test system that underwent the update, also saw large amounts of SELinux changes from the policy update. The full list of the differences is in Appendix G.

Cent1b

Cent1b was a base system and did not undergo any configuration changes; the expected result of no changes detected in the fingerprints was obtained (Figure 20).

Figure 20 - Results from SII fingerprints for cent1b


Fedora 2 was also a base system that achieved the expected result of no fingerprint differences detected (Figure 21).

Figure 21 - Results from SII fingerprints for fedora2

The large impact of an SELinux policy update led to numerous changes to Boolean and File Context configurations. Release notes for the update may not have uncovered every possible impact; however, with SII in place, running the update on a test system provided details of what changed from the current baseline. An important part of the test was that no changes were detected in the two base systems, demonstrating the stability of the tuple and fingerprint hashing algorithms.

Test 3: System Change - The following changes to system services were made; specifically, security contexts were changed for a service and some of its objects, a new unprotected service was added, and an existing service was removed, in the following sub-tests:

3a - New unprotected service – Installation of the Plex media service.

3b - Service removed – Removal of the Samba service.

3c - Object context change to the http document root from httpd_sys_content_t to httpd_log_t.

The fingerprint hash value differences indicated service and file context differences in both test systems, cent1 and fedora1. The sample results from test system cent1 are as follows (Figure 22):

Figure 22 - Results from SII fingerprints for cent1 test 3

The “stackdiff” results for service indicated Samba (smb) present only in test 1 (baseline) and not in test 2, as a result of the service removal. The SII test framework output (Figure 23) listed Samba (smb) in test 1. Similar output was observed for test system fedora1, with Samba (smb) shown only in test 1.

Figure 23 - Results from SII test 3 removed service.

Test 3a was the addition of a new service; for the research, the Plex media server was installed on the two test systems.

Figure 24 - Results from test 3a service fingerprint and added service detection

For test 3a, the Plex media service was installed and set to run. The service fingerprint (Figure 24) and the new service listed in the test 2 results show “plexmediaserver” running with no SELinux context (<<none>>). An important observation was that newly installed services that are not active were not detected; the SII framework only detected running services.

Test 3c encompassed a domain change, from httpd_sys_content_t to httpd_log_t, to the Apache home (/var/www); this was detected in the File Context on test systems cent1 and fedora1. The example SII test framework output for system cent1, in Figure 25, shows the Context from test 1 and test 2. This was detected from the hash difference during SII analysis.

Figure 25 - Results from SII context change to File Context item /var/www(/.*)?

As with other tests, SII ran on the base systems (where no changes were made), and no differences were detected.

Test 4: Policy Changes - A series of changes to existing SELinux policies were made in the following sub-tests:

4a - Policy state changes – A temporary change of the httpd_use_nfs Boolean to on, and a default state change to on for the ftp_home_dir Boolean.

4b - Policy alteration – A policy created from an AVC denial message using audit2allow.

The Boolean changes were detected in the fingerprint comparisons between the baseline (test 3) and the update (test 4). Example SII output from system cent2 follows (note: SII test numbers and test case numbers may differ):

Figure 26 - Results from SII fingerprints for cent2 test 4

Detailed differences from the two policy changes in sub-test 4a were detected.

Figure 27 - Results from SII for cent1 httpd_use_nfs Boolean state change

Figure 27 has the results from the difference for the httpd_use_nfs Boolean. The state change, from off in test 1 to on in test 2, caused the tuple hash to change, which was then detected in the Boolean fingerprint hash. Figure 28 shows the detected changes to the ftp_home_dir Boolean, for both the Boolean state and the default, to on.

Figure 28 - Results from SII for cent1 ftp_home_dir Boolean state change

audit2allow was only run on cent1, as fedora1 did not have any usable AVC denials in the audit log file. The audit2allow change was not detected by SII in either of the areas collected and analyzed. SII did not detect any differences in the two base systems (fedora2 and cent1b), where no configuration changes occurred.

Relationship between Configuration Items

A feature of the SII algorithm design is to allow searching on a domain to view all the Services, Booleans and File Context objects associated with it. The SII framework used a loose Python search (searching with “like” semantics). Results from testing queries with ftpd (Figure 29) and ftpd_t (Figure 30) allowed viewing the Services, Booleans and File Context related to the domain input.

Figure 29 - Cent 1 Relationship search based on domain results.

The results returned were based on a loose search in Python (similar to a SQL “like”), because file context type / domain names differed from the ones seen in Booleans and services. This may return results, especially from file context, that do not directly apply. A more exact search (searching for ftpd_t rather than ftpd) produced the same relationships between Booleans and the vsftp service, but gave no file context results.

Figure 30 – Domain results for ftpd_t

Further work to build a translation table from File Context to the Booleans and services is a possibility.
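The domain relationship search (“searchrel”) discussed in the Domain Relationship Testing section and above, as an added example that is not the SII code. It reproduces the page's two observed behaviours, loose (substring, “like”) matching that pulls in file context types such as ftpd_exec_t, and exact matching on ftpd_t that returns no file context rows, and adds a third, stem-based mode as one possible shape for the translation table the page proposes as future work. The sample dictionaries, their field names and the stem mode are assumptions of this example.

```python
from typing import Dict, List

# Constructed sample data shaped like SII's three configuration dictionaries.
# Field names are assumptions; values mimic the ftpd example on the page.
SERVICES = [
    {"Service": "vsftpd", "Domain": "ftpd_t"},
    {"Service": "httpd", "Domain": "httpd_t"},
    {"Service": "plexmediaserver", "Domain": "<<none>>"},
]
BOOLEANS = [
    {"Boolean": "ftp_home_dir", "Domain": "ftpd_t"},
    {"Boolean": "ftpd_anon_write", "Domain": "ftpd_t"},
    {"Boolean": "httpd_use_nfs", "Domain": "httpd_t"},
]
FILE_CONTEXTS = [
    {"Path": "/usr/sbin/vsftpd", "Type": "ftpd_exec_t"},
    {"Path": "/etc/vsftpd(/.*)?", "Type": "ftpd_etc_t"},
    {"Path": "/var/ftp(/.*)?", "Type": "public_content_t"},
    {"Path": "/var/www(/.*)?", "Type": "httpd_sys_content_t"},
]


def _stem(type_name: str) -> str:
    """ftpd_t -> ftpd, ftpd_exec_t -> ftpd_exec (strip the SELinux type suffix)."""
    return type_name[:-2] if type_name.endswith("_t") else type_name


def searchrel(term: str, mode: str = "loose") -> Dict[str, List[str]]:
    """Services, Booleans and File Context entries related to a domain search term.

    mode="loose": substring match, like the page's Python "like" search.
    mode="exact": whole-string match on the domain / type.
    mode="stem":  the domain itself plus types sharing its stem (ftpd_t -> ftpd_*_t);
                  an assumed stand-in for a File Context translation table.
    """
    if mode not in ("loose", "exact", "stem"):
        raise ValueError(f"unknown search mode: {mode}")

    def match(value: str) -> bool:
        if mode == "exact":
            return value == term
        if mode == "stem":
            return value == term or _stem(value).startswith(_stem(term) + "_")
        return term in value

    return {
        "Services": [s["Service"] for s in SERVICES if match(s["Domain"])],
        "Booleans": [b["Boolean"] for b in BOOLEANS if match(b["Domain"])],
        "FileContext": [f["Path"] for f in FILE_CONTEXTS if match(f["Type"])],
    }


if __name__ == "__main__":
    for term, mode in (("ftpd", "loose"), ("ftpd_t", "exact"), ("ftpd_t", "stem")):
        print(f"== {term} ({mode}) ==")
        for area, items in searchrel(term, mode).items():
            print(f"  {area}: {items}")
```

The stem mode keeps the exact match for Booleans and services (whose Domain field is the domain itself) while admitting file context types derived from the same stem, which is the gap between Figures 29 and 30 that the proposed translation table would close.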

Results

In a comparison of the test results to the research questions, the following was observed. Test 1 passed, with verification of the initial baselines successful.

RQ1. Did collecting the relationship of service to policy to object by domain detect changes to services and indicate related policies and object context?

Test 2a, an update to an existing service, passed from testing.

Test 3a, a new unprotected service, passed.

Test 3b, removal of an existing service, passed.

RQ2. Did collecting the relationship of service to policy to object by domain detect changes to policies and indicate related services and object context?

Test 4a, change to two Booleans with a temporary allow and a persistent change, both passed in testing.

Test 4b, policy creation from AVC denial, failed during testing. audit2allow changes made during testing were not detected.

RQ3. Did collecting the relationship of service to policy (Boolean) to object by domain detect changes to object context and indicate related services and policies?

Test 3c, file object context change, passed. Searching by domain allows the relationship between services and Booleans to be seen.

RQ4. Did collecting the relationship of service to policy to object by domain detect services not covered under any security policies?

Test 3a, a new unprotected service, passed. Services with the domain of <<none>> were listed on the search.

Test 2b, SELinux targeted policy update, incurred a large number of changes to Booleans and File Context. Searching on domain successfully returned a service, Boolean and file context relationship.

Findings

SII algorithms successfully parsed configuration data and established a tuple for each item, with a hash of the tuple to allow identification of change between tests in realistic processing times. A fingerprint hash was successfully generated for each configuration area of Service, Boolean, and File Context. All tuple and area hashing was completed in under 500 ms. Change detection was successful for the items parsed. A change using audit2allow and the addition of an inactive service did not trigger any change detection. Possible changes to the service parsing to add inactive services may allow the additional service to be detected. Within the scope of the test cases, fingerprint differences were detected at 1.17 ms, and the larger stackdiff, which finds individual differences between configuration items, completed at an average of 1325 ms.

Limitations of the Study

The base configuration data was initially pulled with a specific set of shell scripts and parsing in the SII Python framework. Test results show that this may have limited the data input and, consequently, later detection.

Implications for Practice

The SII algorithms can be adapted to an automated system to run with other integrity tools, like Tripwire, to broaden the monitoring. Security and system administrators of Linux systems using SELinux will find value in the ability to understand the SELinux configuration and know of any changes to it.

Implications of Study and Recommendations for Future Research

Visualization of the relationships, in aid of configuration auditing, management and training, is an area for possible work. The possibility exists of exporting the relationship results to a semantic substrate or cluster dendrogram as part of the visualization, as suggested by Xu et al.: “Information visualization [8] enables users to explore, analyze, reason, and explain abstract information by taking advantage of their visual cognition.” (Xu, Shehab, & Ahn, 2008, p. 1).

Refinements to parsing and detection, together with visualization of the configuration relationships between the services, the Booleans and the corresponding file context, are a further possibility.

There is potential to code SII into the semanage (policycoreutils-python) application or as a standalone binary. In either implementation the fingerprint output could be added to the /proc file system to allow it to be leveraged by external scripts or other tools. Another possibility is to leave SII in Python and move the DB to the SQLite3 library, to leverage a lightweight database that doesn’t require a separate server process.

SII opens the door to automating the testing of configuration against a baseline value set, allowing scheduled automated audits with notification triggered by any fingerprint difference. Further research can be done on extending SII by collecting remote data into a central security monitoring system and possibly evaluating the configuration against current threats, for example by pulling in Metasploit information to look for security holes.

Areas of improvement to SII that can be looked at include: further testing with audit2allow scenarios to determine if a new policy can be detected; refining data collection to cover all installed services, not just running ones; collecting more domain information from the Booleans (the source and target domain); and collecting deeper SELinux configuration, such as MLS settings, ports, and users.

Conclusion

The integrity of any security mechanism is vital, and SELinux lacks facilities to judge its configuration against current security goals. The algorithmic collection of service, Boolean and file context settings to establish a baseline, detect changes and search relationships based on SELinux domain is the core of the SELinux Integrity Instrumentation (SII). SII algorithms were tested in a Python framework and have the potential for deeper monitoring and automation that can be folded in with other open-source SELinux tools like sesearch or setools. SII combats complexity to ensure the security reference monitor “is protected: its function may not be maliciously or accidentally modified by unauthorized forces.” (Biba, 1977, p. 7).


REFERENCES

Ahn, G.-J. J., Xu, W., & Zhang, X. (2008). Systematic policy analysis for high-assurance services in SELinux (pp. 3–10). Presented at the Proceedings of the 2006 IEEE Workshop on Information Assurance, IEEE.

Amthor, P., Kuhnhauser, W. E., et al. (2011). Model-based safety analysis of SELinux security policies, 208–215.

Anand, V., Saniie, J., & Oruklu, E. (2012). Security Policy Management Process within Six Sigma Framework. Journal of Information Security, 3(1), 49–58.

Anderson, J. P. (1972a). Computer Security Technology Planning Study. Volume 1 (No. ESD-TR-73-51) (Vol. 1). Hanscom AFB, Bedford, MA: DTIC Document.

Anderson, J. P. (1972b). Computer Security Technology Planning Study. Volume 2.

Aris, A., & Shneiderman, B. (2007). Designing semantic substrates for visual network exploration. Information Visualization, 6(4), 281–300. doi:10.1057/palgrave.ivs.9500162

Bai, J., & Zhai, G. (2012). Study on analysis for SELinux security policy (pp. 1231–1235). Presented at the Systems and Informatics (ICSAI), 2012 International Conference on.

Bell, D. E., & La Padula, L. J. (1976). Secure computer system: Unified exposition and Multics interpretation (Technical Report ESDTR-75-306) (1st ed.). Bedford, MA: The Mitre Corporation.

Biba, K. J. (1977). Integrity considerations for secure computer systems (Technical Report ESDTR-76-373) (1st ed.). Bedford, MA: The Mitre Corporation.

Blanc, M., & Lalande, J. F. (2012). Improving Mandatory Access Control for HPC Clusters. Future Generation Computer Systems.

Chen, H. (2009). Analysis of access control policies in operating systems. ProQuest Dissertations and Theses. Purdue University, Ann Arbor.

Chen, H., Li, N., & Mao, Z. (2009). Analyzing and comparing the protection quality of security enhanced operating systems. Presented at the Proceedings of the 16th Annual Network & Distributed System Security Symposium.

Cheng, L., Zhang, Y., & Han, Z. (2013). Quantitatively Measure Access Control Mechanisms across Different Operating Systems (pp. 50–59). Presented at the Software Security and Reliability (SERE), 2013 IEEE 7th International Conference on, IEEE. doi:10.1109/SERE.2013.12

Cheng, L., Zhang, Y., Han, Z., Deng, Y., Sun, X., & Feng, D. (2014). Evaluating and comparing the quality of access control in different operating systems. Computers & Security. doi:10.1016/j.cose.2014.05.001

Chew, E., Swanson, M., Stine, K. M., Bartol, N., Brown, A., & Robinson, W. (2008). SP 800-55 Rev. 1. Performance Measurement Guide for Information Security.

Cirstea, H., Moreau, P.-E., & de Oliveira, A. S. (2009). Rewrite Based Specification of Access Control Policies. Electronic Notes in Theoretical Computer Science, 234, 37–54. doi:10.1016/j.entcs.2009.02.071

Clemente, P., Kaba, B., & Rouzaud-Cornabas, J. (2012). SPTrack: Visual Analysis of Information Flows within SELinux Policies and Attack Logs. Active Media Technology, 7669 2012.

Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. (n.d.). Sans.org. Retrieved October 20, 2013, from http://www.sans.org/critical-security-controls/control.php?id=3

Darivemula, A., Leangsuksun, C., Tikotekar, A., & Pourzandi, M. (2006). Work in Progress: RASS Framework for a Cluster-Aware SELinux (p. 29). Presented at the Proceedings of the Sixth IEEE International Symposium on Cluster Computing and the Grid Workshops (CCGRIDW'06). doi:10.1109/CCGRID.2006.184

Department of Homeland Security. (2009, December 18). A Roadmap for Cybersecurity Research. Retrieved November 19, 2012, from

Fang, W., Miller, B. P., & Kupsch, J. A. (2012). Automated tracing and visualization of software security structure and properties (pp. 9–16). Presented at the Proceedings of the Ninth International Symposium on Visualization for Cyber Security, ACM.

Gregory, M. B., & Reninger, A. S. (2009). Teaching SELinux in Introductory Information Assurance Classes (pp. 1–8). Presented at the Proceedings of the 42nd Hawaii International Conference on System Sciences. doi:10.1109/HICSS.2009.419

Guttman, J. D., Herzog, A. L., Ramsdell, J. D., & Skorupka, C. W. (2005). Verifying information flow goals in Security-Enhanced Linux. Journal of Computer Security, 13(1), 115–134.

Harrison, M. A., Ruzzo, W. L., & Ullman, J. D. (1976). Protection in operating systems. Communications of the ACM.

Herman, I., Melançon, G., & Marshall, M. S. (2000). Graph visualization and navigation in information visualization: A survey. Visualization and Computer Graphics, IEEE Transactions on, 6(1), 24–43.

Herzog, A. L., Ramsdell, J. D., & Guttman, J. D. (2003). Information flow in operating systems: Eager formal methods. Presented at the Proceedings of the Workshop on Issues in the Theory of Security (WITS).

Hicks, B., Rueda, S., Clair, L. S., Jaeger, T., & McDaniel, P. (2010). A logical specification and analysis for SELinux MLS policy (Vol. 13, p. 26). Presented at the ACM Transactions on Information and System Security (TISSEC).

Hicks, B., Rueda, S., Jaeger, T., & McDaniel, P. (2007). Integrating SELinux with security-typed languages. Presented at the Proceedings of the 3rd SELinux Symposium.

Horie, T., Harada, T., & Tanaka, K. (2012). Adaptive access policy for the Linux kernel (pp. 82–88). Presented at the Applications and the Internet, 2005. Proceedings. The 2005 Symposium on. doi:10.1109/SAINT.2005.11

Hu, H., & Feng, D. (2008). BIFI: Architectural Support for Information Flow Integrity Measurement (pp. 605–609). Presented at the 2008 International Conference on Computer Science and Software Engineering, IEEE. doi:10.1109/CSSE.2008.738

Hu, L., Mayo, J., & Wallace, C. (2013). An empirical study of three access control systems (pp. 287–291). Presented at the 6th International Conference, New York, New York, USA: ACM Press. doi:10.1145/2523514.2523550

IEC/ISO. (2013). ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements. ISO/IEC.

Information Assurance (IA) Implementation. (2003). Retrieved from http://www.cac.mil/docs/DoDD-8500.2.pdf

Jaeger, T., Sailer, R., & Zhang, X. (2003). Analyzing integrity protection in the SELinux example policy (Vol. 6). Presented at the Proceedings of the 12th USENIX Security Symposium.

Kerner, S. M. (2013, April 17). NSA Building a Secure Version of OpenStack - Open Source Software Institute. Oss-Institute.org. Retrieved June 17, 2013, from http://www.oss-institute.org/latest-news/751-nsa-building-a-secure-version-of-openstack

Lampson, B. W. (1973). A note on the confinement problem. Communications of the ACM, 16(10), 613–615.

LeMay, M., Fatemieh, O., & Gunter, C. A. (2007). PolicyMorph: interactive policy transformations for a logical attribute-based access control framework. Presented at the SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies, ACM. doi:10.1145/1266840.1266874

Lepreau, J., Spencer, R., Smalley, S. D., Loscocco, P., Hibler, M., & Andersen, D. (1999). The Flask Security Architecture: System Support for Diverse Security Policies (pp. 11–11). Presented at the Proceedings of the 8th USENIX Security Symposium, Secure Computing Corp, Saint Paul, MN. Retrieved from http://dl.acm.org/citation.cfm?id=1251421.1251432

Li, Y., Carr, S., Mayo, J., Shene, C.-K., & Wang, C. (2012). DTEvisual: a visualization system for teaching access control using Domain Type Enforcement. Journal of Computing Sciences in Colleges, 28(1), 125–132.

List of Linux adopters - Wikipedia, the free encyclopedia. (n.d.). En.Wikipedia.org. Retrieved June 17, 2013, from https://en.wikipedia.org/wiki/List_of_Linux_adopters

Loscocco, P., & Smalley, S. D. (2001). Meeting critical security objectives with Security-Enhanced Linux. Presented at the Ottawa Linux Symposium 2001.

Marouf, S., & Shehab, M. (2011). SEGrapher: Visualization-based SELinux policy analysis (pp. 1–8). Presented at the 2011 4th Symposium on Configuration Analytics and Automation (SAFECONFIG). doi:10.1109/SafeConfig.2011.6111675

Mell, P., Scarfone, K., & Romanosky, S. (2007). A complete guide to the common vulnerability scoring system version 2.0, 1–23.

National Institute of Standards and Technology, & Aroms, E. NIST Special Publication 800-53 Revision 3 Recommended Security Controls for Federal Information Systems and Organizations (3rd ed.). U.S. Department of Commerce.

Nimbalkar, R., Patel, P., & Meshram, B. B. (2013). Advanced Linux Security. American Journal of Engineering Research (AJER), 02(03), 07–12.

Open Web Application Security Project (OWASP). (2010, October 16). Retrieved January 13, 2013, from http://www.owasp.org

Pan, L., Liu, N., & Zi, X. (2013). Visualization framework for inter-domain access control policy integration. Communications, China, 10(3), 67–75. doi:10.1109/CC.2013.6488831

Qian, Z., & Chen, Y. (2014). Fluency of visualizations: linking spatiotemporal visualizations to improve cybersecurity visual analytics. Security Informatics, 3(1), 6. doi:10.1002/for.3980070102

Rueda Rodriguez, S. J. (2011). Methods for specifying and resolving security policy compliance problems. ProQuest Dissertations and Theses. The Pennsylvania State University, Ann Arbor.

Rushby, J. M. (1981). Design and verification of secure systems. Presented at the SOSP '81: Proceedings of the eighth ACM symposium on Operating systems principles, ACM. doi:10.1145/800216.806586

Sailer, R., Zhang, X., Jaeger, T., & Van Doorn, L. (2004). Design and implementation of a TCG-based integrity measurement architecture. Presented at the Proceedings of the 13th USENIX Security Symposium.

Saltzer, J. H., & Schroeder, M. D. (1974). The protection of information in computer systems. Communications of the ACM, 17(7).

Sarna-Starosta, B. (2005). Constraint-based analysis of security properties. ProQuest Dissertations and Theses. State University of New York at Stony Brook, Ann Arbor.

Sarna-Starosta, B., & Stoller, S. D. (2004). Policy analysis for security-enhanced linux. Presented at the Proceedings of the Workshop on Issues in the Theory of Security (WITS).

Sasturkar, A., Yang, P., Stoller, S. D., & Ramakrishnan, C. R. (2011). Policy analysis for Administrative Role-Based Access Control. Theoretical Computer Science, 412(44), 6208–6234. doi:10.1016/j.tcs.2011.05.009

Schreuders, Z. C., McGill, T. J., & Payne, C. (2012). Towards usable application-oriented access controls: qualitative results from a usability study of SELinux, AppArmor and FBAC-LSM. International Journal of Information Security and Privacy, 6(1), 57–76.

Schreuders, Z. C., McGill, T., & Payne, C. (2011). Empowering End Users to Confine Their Own Applications: The Results of a Usability Study Comparing SELinux, AppArmor, and FBAC-LSM. ACM Transactions on Information and System Security, 14(2), 1–28. doi:10.1145/2019599.2019604

SELinux Future Work. (2009). The National Security Agency. Retrieved December 8, 2012, from http://www.nsa.gov/research/selinux/todo.shtml

Singh, S. (2012, November 10). Automatic verification of security policy

implementations. University of Illinois at Urbana-Champaign.

Smari, W. W., Spalazzi, L., & Zemali, Y. (2013). Recent developments in high

performance computing and security: An editorial. Future Generation Computer

Systems, 29(3), 782–787. doi:10.1016/j.future.2012.08.006

Thomas, J. D. (2011). Accommodative mandatory access control. ProQuest Dissertations

and Theses. Purdue University, Ann Arbor.

Weaver, G. A., Cheh, C., Rogers, E. J., Sanders, W. H., & Gammel, D. (2013). Toward a

cyber-physical topology language: applications to NERC CIP audit. Presented at

the SEGS '13: Proceedings of the first ACM workshop on Smart energy grid

security, ACM Request Permissions. doi:10.1145/2516930.2516934

Wichers, D. (2013). The 2013 OWASP Top 10. AppSec USA 2013.

Xu, W., Shehab, M., & Ahn, G.-J. J. (2008). Visualization based policy analysis: case

study in SELinux. Presented at the SACMAT '08: Proceedings of the 13th ACM

symposium on Access control models and technologies.

Xu, W., Shehab, M., & Ahn, G.-J. J. (2012). Visualization-based policy analysis for

SELinux: framework and user study. International Journal of Information

Security, 12(3), 155–171. doi:10.1007/s10207-012-0180-7

Zhai, G., Ma, W., Tian, M., Yang, N., Liu, C., & Yang, H. (2009). Design and

implementation of a tool for analyzing SELinux secure policy (pp. 446–451).

Presented at the Proceedings of the 2nd International Conference on Interaction

Sciences: Information Technology, Culture and Human, ACM.

SELINUX INTEGRITY INSTRUMENTATION

109

Zhao, C., Dong, W., Leucker, M., & Qi, Z. (2011). Security Goals Assurance Based on

Software Active Monitoring (pp. 70–79). Presented at the Secure Software

Integration and Reliability Improvement (SSIRI), 2011 Fifth International

Conference on IS - SN - VO -, IEEE. doi:10.1109/SSIRI.2011.34


APPENDIX A

SII.py code # ################################################################ # SELinux Integrity Instrumentation # Mike Libassi # 2015 # Code source: https://github.com/mikejl/research # Feb2015 # - Fix to tab/space in collect function # - Fix Boolean parsing for default # ################################################################ # ################################################################ # Load environmental items # ################################################################ import md5 import os, sys import datetime import subprocess from pymongo import MongoClient import timeit import cProfile, StringIO ,pstats from tabulate import tabulate import csv # ################################################################ # Set Initial Vars # ################################################################ system = "localhost" testnum = 0 ip = "local" client = MongoClient('localhost', 27017) sfp = 0 cfp = 0 pfp = 0 # ################################################################ # Functions # ################################################################ # ################################################################ # Main menu Print # ################################################################ def printmm(): print "##############################################" print " SELinux Integrity Instrumentation (SII) " print "##############################################" print "Current Test#: ", testnum, "Test System: ", system print "--------------------------------------------------------------------------" print "Main Menu" print "1. Enter Test #" print "2. Enter System Name" print "3. Run Collect Scripts" print "4. Run Parsing (boolens, service and context)" print "5. Run / View Finger Prints" print "6. Search / View Diffs" print "7. Search / View Relationships" print "8. Tools and Utilities" print "9. 
Exit" print "--------------------------------------------------------------------------" return # ################################################################ # Fingerprint sub menu # ################################################################ def printfbsub(): print "Fingerprint menu" print "1 = Policy Finger Print" print "2 = FContext Finger Print" print "3 = Service Finger Print" print "4 = Save Results to dB" print "5 = Return to Main Menu"

SELINUX INTEGRITY INSTRUMENTATION

111

print "-------------------------" return # ################################################################ # Collect Raw Data from shell scripts # ################################################################ def collect(runanswer): if runanswer == "Y": print "Running collection scripts for system:", system, " Test#:", testnum # ------------------------------------- args = ['sudo', '/home/mike/research/boolean_collect.sh', testnum, 'stdout=None', 'stderr=None'] str_args = [ str(x) for x in args ] bstatus = subprocess.call(str_args) if bstatus == 0: print "Boolean Collection Done" else: print "Error in shell script" # ------------------------------------- args = ['sudo', '/home/mike/research/fcontext_collect.sh', testnum] str_args = [ str(x) for x in args ] cstatus = subprocess.call(str_args) if cstatus == 0: print "File Context Collection Done" else: print "Error in shell script" # ------------------------------------- args = ['sudo', '/home/mike/research/service_collect.sh', testnum] str_args = [ str(x) for x in args ] sstatus = subprocess.call(str_args) if sstatus == 0: print "Service Collection Done" else: print "Error in shell script" print "Script Colection Done" else: print "Test NOT run" return # ################################################################ # Hash Function - not using .. 
needs extra tuple joins # ################################################################ #def tohash(*hashstring): # htuple = [''.join(x) for x in hashstring] # htuple2 = ''.join(htuple) # return(md5.new(htuple2).hexdigest()) # ################################################################ # Boolean Parse and Load # ################################################################ def booleanparse(): #client = MongoClient('localhost', 27017) #db = client.booleans client = MongoClient('localhost', 27017) str(testnum) dbstr = testnum DBNAME = dbstr db = getattr(client,dbstr) # paths path = "/home/mike/" + str(testnum) + "/boolean.txt" dir_name='/home/mike/'+ str(testnum) + "/" base_filename='boolean_file' filename_suffix = '.domain' for text in open(path, 'r'): ## Parse the boolean.txt fields1 = text.split() fields2 = text.split(')', 1) #fields3 = text.split(',', 1) fields4 = text.rsplit('(') defaultb = fields4[1].split(',', 1) stateb = fields4[1].split(',', 1) Boolean = fields1[0].strip() Description = fields2[1].strip() #Default = defaultb[0].strip() # Parsing issue # Added to fix parse issue Default2 = defaultb[1].split(',', 2)

SELINUX INTEGRITY INSTRUMENTATION

112

Default3 = Default2[0].split(')') Default = Default3[0].strip() State = stateb[0].strip() base_filename = Boolean domain1 = open(os.path.join(dir_name, base_filename + filename_suffix), 'r') Domain = domain1.read().strip() tohash = Boolean+Default+State+Domain Hash = md5.new(tohash).hexdigest() docinsert = {"Sys": system, "testnum": testnum, "Boolean": Boolean, "Description": Description,"Default": Default,"State": State, "Hash": Hash, "Domain": Domain, "date": datetime.datetime.utcnow()} db.booleans.insert(docinsert) print "loaded into booleans: ", db.booleans.count() return # ################################################################ ## File context parse and load # ################################################################ def fcontextpase(): #client = MongoClient('localhost', 27017) #db = client.fcontext client = MongoClient('localhost', 27017) str(testnum) dbstr = testnum DBNAME = dbstr db = getattr(client,dbstr) path = "/home/mike/" + str(testnum) + "/fcontext.txt" for text in open(path, 'r'): fields1 = text.split() textlen = len(fields1) if textlen == 3: fpath = fields1[0] ftype = fields1[1] ftype2 = fields1[2] if "<<None>>" in fields1[2]: fcontext = "<<None>>" domain = "<<None>>" else: fcontext = fields1[2] if "<<None>>" in fcontext: domain = "<<None>>" else: dfield = fcontext.split(":") domain = dfield[2] elif textlen == 4: fpath = fields1[0] ftype = fields1[1] ftype2 = fields1[2] if not ":" in ftype2: ftype = ftype+ftype2 if "<<None>>" in fields1[2]: fcontext = "<<None>>" domain = "<<None>>" else: fcontext = fields1[3] if "<<None>>" in fcontext: domain = "<<None>>" else: dfield = fcontext.split(":") domain = dfield[2] tohash = fpath+ftype+fcontext Hash = md5.new(tohash).hexdigest() docinsert = {"Sys": system, "testnum": testnum, "Path": fpath, "Type": ftype, "Domain": domain, "Context": fcontext, "Hash": Hash, "date": datetime.datetime.utcnow()} db.fcontext.insert(docinsert) print "loaded into fcontext: ", db.fcontext.count() return # 
################################################################ # Service data Parse and Load # ################################################################

SELINUX INTEGRITY INSTRUMENTATION

113

def serviceparse(): #client = MongoClient('localhost', 27017) #db = client.service client = MongoClient('localhost', 27017) str(testnum) dbstr = testnum DBNAME = dbstr db = getattr(client,dbstr) path = "/home/mike/" + str(testnum) + "/service.running" for service in open(path, 'r'): field1 = service.split() dfile1 = field1[0] dfile2 = dfile1.split('.') dfile3 = dfile2[0] dfile4 = dfile3 + ".info" fpath = "/home/mike/" + str(testnum) + "/" + dfile4 if os.path.exists(fpath): dfile5 = open(fpath,'r') dfile6 = dfile5.read().strip() if not dfile6: sdomain = "<<none>>" Context = "<<none>>" else: context1 = dfile6.split() for i in context1: context1 = i #print i break con = i.split(":") Context = i sdomain = con[2] #sdomain = "<<none>>" service = dfile2[0] tohash = service+sdomain+Context Hash = md5.new(tohash).hexdigest() docinsert = {"Sys": system, "testnum": testnum, "Service": service, "Domain": sdomain, "Context": Context, "Hash": Hash, "date": datetime.datetime.utcnow()} db.service.insert(docinsert) else: print "Done" #sdomain = "<<none>>" print "loaded into service: ", db.service.count() return # ################################################################ # Build fingerprints of service, policy and context # # ################################################################ # ################################################################ # MongoDB booleans collection # ################################################################ def boolsfp(): #client = MongoClient('localhost', 27017) #db = client.booleans client = MongoClient('localhost', 27017) str(testnum) dbstr = testnum DBNAME = dbstr db = getattr(client,dbstr) global pfp hash1 = "" hash2 = "" # perf wrapper start (i)pr where i=function # bpr = cProfile.Profile() bpr.enable() #start # Finger Print Hash Algorithm # sort? db.booleans.find({},{"Hash": 1}).sort(["Boolean"]) for item in db.booleans.find({},{"Hash": 1}):

SELINUX INTEGRITY INSTRUMENTATION

114

hash1 = item['Hash'] tohash = hash1+hash2 pfp = md5.new(tohash).hexdigest() hash2 = pfp bpr.disable() #stop boolcount = db.booleans.find().count() s = StringIO.StringIO() sortby = 'calls' ps = pstats.Stats(bpr, stream=s).sort_stats(sortby).strip_dirs() ps.print_stats() bfpPerfs = s.getvalue() print "***************************************************" print "Policy Finger Print: ", pfp print "Item Count: ", boolcount print "***************************************************" # Store results to dB ######## # note the xxxPerfs is a type <str> bfpPerfs1 = bfpPerfs.lstrip() perfline = bfpPerfs1.splitlines() smry = perfline[0] function_name = sys._getframe().f_code.co_name outFileName = system+"-"+function_name+"-"+"test"+testnum+".csv" with open(outFileName, "wb") as f: writer = csv.writer(f, delimiter=',', quotechar='|') for line in perfline: linepart = line.split() writer.writerow(linepart) # raw file outProfileName = system+"-"+function_name+"-"+"test"+testnum+".profile" ps.dump_stats(outProfileName) # Db db = client.prefdata print "Store cProfile results to perfdata dB?" YN=raw_input("Y/N: ") if YN == "Y": docinsert = {"Sys": system, "Testnum": testnum, "Function": function_name, "Perfdata": bfpPerfs, "Perfsmry": smry, "Count": boolcount, "Date": datetime.datetime.utcnow()} print "Saving..." 
db.prefdata.insert(docinsert) # perf wrapper end # printfbsub() return # ################################################################ # fContext collection # ################################################################ def fcontextfp(): #client = MongoClient('localhost', 27017) #db = client.fcontext client = MongoClient('localhost', 27017) str(testnum) dbstr = testnum DBNAME = dbstr db = getattr(client,dbstr) global cfp hash1 = "" hash2 = "" # perf wrapper start (i)pr where i=function # fcpr = cProfile.Profile() fcpr.enable() #start # Finger Print Hash Algorithm for item in db.fcontext.find({},{"Hash": 1}): hash1 = item['Hash'] tohash = hash1+hash2 cfp = md5.new(tohash).hexdigest() hash2 = cfp fcpr.disable() #stop fcontextcount = db.fcontext.find().count() s = StringIO.StringIO() sortby = 'calls' ps = pstats.Stats(fcpr, stream=s).sort_stats(sortby).strip_dirs()

SELINUX INTEGRITY INSTRUMENTATION

115

ps.print_stats() fcfpPerfs = s.getvalue() print "***************************************************" print "FContext Finger Print: ", cfp print "Item Count: ", fcontextcount print "***************************************************" # Store results to dB ######## # note the xxxPerfs is a type <str> # File Output fcfpPerfs1 = fcfpPerfs.lstrip() perfline = fcfpPerfs1.splitlines() smry = perfline[0] function_name = sys._getframe().f_code.co_name outFileName = system+"-"+function_name+"-"+"test"+testnum+".csv" with open(outFileName, "wb") as f: writer = csv.writer(f, delimiter=',', quotechar='|') for line in perfline: linepart = line.split() writer.writerow(linepart) # raw file outProfileName = system+"-"+function_name+"-"+"test"+testnum+".profile" ps.dump_stats(outProfileName) # DB Input db = client.prefdata print "Store cProfile results to perfdata dB?" YN=raw_input("Y/N: ") if YN == "Y": docinsert = {"Sys": system, "Testnum": testnum, "Function": function_name, "Count": fcontextcount, "Perfdata": fcfpPerfs, "Perfsmry": smry, "Date": datetime.datetime.utcnow()} print "Saving..." 
db.prefdata.insert(docinsert) # perf wrapper end # printfbsub() return # ################################################################ # service collection # ################################################################ def servicefp(): client = MongoClient('localhost', 27017) str(testnum) dbstr = testnum DBNAME = dbstr db = getattr(client,dbstr) global sfp hash1 = "" hash2 = "" # perf wrapper start (i)pr where i=function # spr = cProfile.Profile() spr.enable() #start # Finger Print Hash Algorithm for item in db.service.find({},{"Hash": 1}): hash1 = item['Hash'] tohash = hash1+hash2 sfp = md5.new(tohash).hexdigest() hash2 = sfp spr.disable() #stop servicefpcount = db.service.find().count() s = StringIO.StringIO() sortby = 'calls' ps = pstats.Stats(spr, stream=s).sort_stats(sortby).strip_dirs() ps.print_stats() sfpPerfs = s.getvalue() print "***************************************************" print "Service Finger Print: ", sfp print "Item Count: ", servicefpcount print "***************************************************" # Store results to dB ######## # note the xxxPerfs is a type <str> sfpPerfs1 = sfpPerfs.lstrip() perfline = sfpPerfs1.splitlines() smry = perfline[0]

SELINUX INTEGRITY INSTRUMENTATION

116

function_name = sys._getframe().f_code.co_name outFileName = system+"-"+function_name+"-"+"test"+testnum+".csv" with open(outFileName, "wb") as f: writer = csv.writer(f, delimiter=',', quotechar='|') for line in perfline: linepart = line.split() writer.writerow(linepart) # raw file outProfileName = system+"-"+function_name+"-"+"test"+testnum+".profile" ps.dump_stats(outProfileName) # Db db = client.prefdata print "Store cProfile results to perfdata dB?" YN=raw_input("Y/N: ") if YN == "Y": docinsert = {"Sys": system, "Testnum": testnum, "Function": function_name, "Count": servicefpcount, "Perfdata": sfpPerfs, "Perfsmry": smry, "Date": datetime.datetime.utcnow()} print "Saving..." db.prefdata.insert(docinsert) # perf wrapper end # printfbsub() return # ################################################################ # Save data to results table # ################################################################ def saveres(): client = MongoClient('localhost', 27017) db = client.results print "Enter test results for: ", system, "Test: ", testnum print "Current FPs. ServiceFP:",sfp," PolicyFP:",pfp," ContextFP:",cfp dbYN=raw_input("Y/N: ") if dbYN == "Y": docinsert = {"Sys": system, "testnum": testnum, "serviceFP": sfp, "booleanFP": pfp, "contextFP": cfp, "date": datetime.datetime.utcnow()} print "Saving...", docinsert db.results.insert(docinsert) printfbsub() return # ################################################################ # Fingerprint submenu # ################################################################ def fpsub(): #os.system('clear') printfbsub() while True: is_valid=0 while not is_valid : try : sel = int ( raw_input('Enter your choice [1-5] : ') ) is_valid = 1 ## set it to 1 to validate input and to terminate the while..not loop except ValueError, e : print ("'%s' is not a valid integer." 
% e.args[0].split(": ")[1]) if sel == 1: boolsfp() continue if sel == 2: fcontextfp() continue if sel == 3: servicefp() continue if sel == 4: saveres() elif sel == 5: return() return() # ################################################################ # Set Test Number # ################################################################ def settestnum(): global testnum print "Current test # is: ", testnum print "Enter Test Number"

SELINUX INTEGRITY INSTRUMENTATION

117

testnum=raw_input("test: ") if not testnum: raise ValueError('empty string') testnum = testnum print "Test Number set at: ", testnum return(testnum) # ################################################################ # Set system name # ################################################################ def setsysname(): global system print "Current System Name: ", system print "Enter New System Name or Q to keep" name=raw_input("Name: ") if name == "Q": print "Keeping current name" return system = name print "Test system name set at: ", system return(system) # ################################################################ # Run collect scripts # ################################################################ def runscripts(): print "Run input scripts" runanswer=raw_input("Y or N: ") if not runanswer: raise ValueError('empty string') if runanswer == "Y": collect(runanswer) return # ################################################################ # Run parsing # ################################################################ def runsparse(): print "Select Parse to Run" print "1. Service" print "2. Boolean" print "3. File Context" print "4. Back to Main" while True: sel=raw_input("Selection: ") if sel == "1": serviceparse() continue elif sel == "2": booleanparse() continue elif sel == "3": fcontextpase() continue elif sel == "4": print "Bye" break return # ################################################################ # Search Relationships # ################################################################ def searchrel(): #client = MongoClient('localhost', 27017) client = MongoClient('localhost', 27017) str(testnum) dbstr = testnum DBNAME = dbstr db = getattr(client,dbstr) # Service #db = client.service serviceres = list(db.service.find({},{"Service":1 ,"Domain":1,"Context":1,"_id":0})) distinctsvc = list(db.service.distinct('Domain')) # Poicy #db = client.booleans

SELINUX INTEGRITY INSTRUMENTATION

118

boolres = list(db.booleans.find({},{"Boolean":1 ,"Domain":1,"State":1, "Default":1, "Description":1,"_id":0})) distinctbols = list(db.booleans.distinct('Domain')) # File Context #db = client.fcontext contextres = list(db.fcontext.find({},{"Path":1 ,"Domain":1,"Context":1, "Type":1,"_id":0})) distinctfc = list(db.fcontext.distinct('Domain')) print "------------------------------------------------------------------------------------" print "Current Domains for test: " , testnum print "------------------------------------------------------------------------------------" print "Services Domains Found:" for item in distinctsvc: print item #print "----------" #print "Booleans:" #for item in distinctbols: # print item #print "----------" #print "File Context:" #for item in distinctfc: # print item print "------------------------------------------------------------------------------------" print "Enter domain to search for" dsel = raw_input("Domain: ") # Print Results print " " print "------------------------------------------------------------------------------------" print "Services:" print "------------------------------------------------------------------------------------" svc_matches = [svc for svc in serviceres if dsel in str(svc['Domain'])] print tabulate(svc_matches, headers="keys", tablefmt="pipe") print " " print "------------------------------------------------------------------------------------" print "Booleans:" print "------------------------------------------------------------------------------------" bol_matches = [bol for bol in boolres if dsel in str(bol['Domain'])] print tabulate(bol_matches, headers="keys", tablefmt="pipe") print " " print "------------------------------------------------------------------------------------" print "File Contexts:" print "------------------------------------------------------------------------------------" fc_matches = [fc for fc in contextres if dsel in str(fc['Domain'])] print tabulate(fc_matches, headers="keys", 
tablefmt="pipe") print "------------------------------------------------------------------------------------" return # ################################################################ # Diff Functions # ################################################################ def stackdiff(): client = MongoClient('localhost', 27017) # perf wrapper start (i)pr where i=function # stackpr = cProfile.Profile() stackpr.enable() #start #test set 1 data str(test1) dbstr = test1 DBNAME = dbstr db = getattr(client,dbstr) # Service t1svcStack = list(db.service.find({},{"Service":1 ,"Sys":1,"Context":1,"Hash":1}).sort("Service")) # Poicy t1bolStack = list(db.booleans.find({},{"Boolean":1 ,"Domain":1,"State":1, "Default":1,"Hash":1}).sort("Boolean")) # File Context t1fcStack = list(db.fcontext.find({},{"testnum":1 ,"Sys":1,"Context":1,"Path":1,"Hash":1}).sort("Path")) # Test set 2 data str(test2) dbstr = test2 DBNAME = dbstr db = getattr(client,dbstr) # Service t2svcStack = list(db.service.find({},{"Service":1 ,"Sys":1,"Context":1,"Hash":1}).sort("Service")) # Poicy

SELINUX INTEGRITY INSTRUMENTATION

119

t2bolStack = list(db.booleans.find({},{"Boolean":1 ,"Domain":1,"State":1, "Default":1,"Hash":1}).sort("Boolean")) # File Context t2fcStack = list(db.fcontext.find({},{"testnum":1 ,"Sys":1,"Context":1,"Path":1,"Hash":1}).sort("Path")) #Check for diffs in Service / Policy / File Context # Get count for each stack t1fclength = len(t1fcStack) t2fclength = len(t2fcStack) t1svclength = len(t1svcStack) t2svclength = len(t2svcStack) t1bollength = len(t1bolStack) t2bollength = len(t2bolStack) # Build dict objects for each test(1 AND 2) # Service test1svc_dic = {} for line1 in t1svcStack: svcname = line1.get("Service") svchash = line1.get("Hash") test1svc_dic[svcname] = svchash test2svc_dic = {} for line1 in t2svcStack: svcname = line1.get("Service") svchash = line1.get("Hash") test2svc_dic[svcname] = svchash # Booleans test1bol_dic = {} for line1 in t1bolStack: bolname = line1.get("Boolean") bolhash = line1.get("Hash") test1bol_dic[bolname] = bolhash test2bol_dic = {} for line1 in t2bolStack: bolname = line1.get("Boolean") bolhash = line1.get("Hash") test2bol_dic[bolname] = bolhash # fcontext test1fc_dic = {} for line1 in t1fcStack: fcpath = line1.get("Path") fchash = line1.get("Hash") test1fc_dic[fcpath] = fchash test2fc_dic = {} for line1 in t2fcStack: fcpath = line1.get("Path") fchash = line1.get("Hash") test2fc_dic[fcpath] = fchash # Service Checks print "########## Service Compare Test 1 to Test 2 ##########" svcdiff = test1svc_dic.viewitems()^ test2svc_dic.viewitems() #print tabulate(svcdiff) for diffitem in svcdiff: dname = diffitem[1] for xitem in t1svcStack: if xitem["Hash"] == dname: print "-------------------------- Test 1--------------------------" outitemsx = xitem.items() print tabulate(outitemsx,tablefmt="grid") for yitem in t2svcStack: if yitem["Hash"] == dname: print "-------------------------- Test 2 --------------------------" outitemsy = yitem.items() print tabulate(outitemsy,tablefmt="grid") print 
"---------------------------------------------------------------------" if t1svclength != t1svclength: print "Service Count difference" print "Set1:",t1svclength," vs ",t2svclength

SELINUX INTEGRITY INSTRUMENTATION

120

for k,v in test1svc_dic.iteritems(): if k not in list(test2svc_dic.keys()): print "Not in test2 service:" print k,v else: print "Both Service tests have same count of:", t1svclength print "---------------------------------------------------------------------" # Boolean checks print "########## Boolean Compare Test 1 to Test 2 ##########" boldiff = test1bol_dic.viewitems()^ test2bol_dic.viewitems() #print tabulate(boldiff) for diffitem in boldiff: dname = diffitem[1] for xitem in t1bolStack: if xitem["Hash"] == dname: print "-------------------------- Test 1--------------------------" outitemsx = xitem.items() print tabulate(outitemsx,tablefmt="grid") for yitem in t2bolStack: if yitem["Hash"] == dname: print "-------------------------- Test 2 --------------------------" outitemsy = yitem.items() print tabulate(outitemsy,tablefmt="grid") print "---------------------------------------------------------------------" if t1bollength != t2bollength: print "Boolean Service Count difference" print "Set1:",t1bollength," vs ",t2bollength for k,v in test1bol_dic.iteritems(): if k not in list(test2bol_dic.keys()): print "Not in test2 booleans:" print k,v else: print "Both Boolean Sets Same Count of:", t1bollength print "---------------------------------------------------------------------" # File Context checks print "########## File Context Compare Test 1 to Test 2 ##########" fcdiff = test1fc_dic.viewitems()^ test2fc_dic.viewitems() #print tabulate(fcdiff) for diffitem in fcdiff: dname = diffitem[1] for xitem in t1fcStack: if xitem["Hash"] == dname: print "-------------------------- Test 1--------------------------" outitemsx = xitem.items() print tabulate(outitemsx,tablefmt="grid") for yitem in t2fcStack: if yitem["Hash"] == dname: print "-------------------------- Test 2 --------------------------" outitemsy = yitem.items() print tabulate(outitemsy,tablefmt="grid") print "---------------------------------------------------------------------" if t1fclength != t2fclength: 
print "Fcontext Count difference" print "Set1:",t1fclength," vs ",t2fclength for k,v in test1fc_dic.iteritems(): if k not in list(test2fc_dic.keys()): print "Not in test2:" print k,v else: print "Both File Context test have same count of", t1fclength print "---------------------------------------------------------------------" stackpr.disable() #stop s = StringIO.StringIO() sortby = 'calls' ps = pstats.Stats(stackpr, stream=s).sort_stats(sortby).strip_dirs() ps.print_stats() stackDiffPerfs = s.getvalue() # Store results to dB ######## stackDiffPerfs1 = stackDiffPerfs.lstrip() perfline = stackDiffPerfs1.splitlines() smry = perfline[0] function_name = sys._getframe().f_code.co_name

SELINUX INTEGRITY INSTRUMENTATION

121

outFileName = system+"-"+function_name+"-"+"test"+testnum+".csv" with open(outFileName, "wb") as f: writer = csv.writer(f, delimiter=',', quotechar='|') for line in perfline: linepart = line.split() writer.writerow(linepart) # raw file outProfileName = system+"-"+function_name+"-"+"test"+testnum+".profile" ps.dump_stats(outProfileName) # Db db = client.prefdata print "Store cProfile results to perfdata dB?" YN=raw_input("Y/N: ") if YN == "Y": docinsert = {"Sys": system, "Testnum": testnum, "Function": function_name, "Count": 0, "Perfdata": stackDiffPerfs, "Perfsmry": smry, "Date": datetime.datetime.utcnow()} print "Saving..." db.prefdata.insert(docinsert) # perf wrapper end # return # ################################################################ # FP Diffs. Test main fingerprints for two tests. # ################################################################ def diffs(): global test1 global test2 # Get test1 and test 2 from input # print "Enter test # for test1" test1 = raw_input("Test1:") print "Enter test # for test2" test2 = raw_input("Test2:") print "Running main diffs for finger prints on test:",test1," vs test:",test2 # Connect to results client = MongoClient('localhost', 27017) db = client.results # perf wrapper start (i)pr where i=function # diffpr = cProfile.Profile() diffpr.enable() #start # Pull testresults data testres = list(db.results.find({},{"testnum":1 ,"contextFP":1,"serviceFP":1,"booleanFP":1, "_id":0})) resSet1 = [res for res in testres if test1 in str(res['testnum'])] resSet2 = [res for res in testres if test2 in str(res['testnum'])] # Main diff between both tests maindiff = cmp(resSet1, resSet2) #Extract fingerprints t1sfp = resSet1[0].get("serviceFP") t1bfp = resSet1[0].get("booleanFP") t1cfp = resSet1[0].get("contextFP") t2sfp = resSet2[0].get("serviceFP") t2bfp = resSet2[0].get("booleanFP") t2cfp = resSet2[0].get("contextFP") if maindiff != 0: sfpdiff = cmp(t1sfp,t2sfp) if sfpdiff != 0: print "************ Service FP DIFF!!" 
print "Run SPF stack diff" else: print "NO SPF Diff" bfpdiff = cmp(t1bfp,t2bfp) if bfpdiff != 0: print "************ Boolean FP DIFF!!" print "Run BPF stack diff" else: print "NO BFP Diff" cfpdiff = cmp(t1cfp,t2cfp)

SELINUX INTEGRITY INSTRUMENTATION

122

            if cfpdiff != 0:
                print "************ File Context FP DIFF!!"
                print "Run CFP stack diff?"
            else:
                print "NO CFP Diff"
    else:
        print "NO DIFFs"
    diffpr.disable()  # stop profiling the diff run
    s = StringIO.StringIO()
    sortby = 'calls'
    ps = pstats.Stats(diffpr, stream=s).sort_stats(sortby).strip_dirs()
    ps.print_stats()
    DiffPerfs = s.getvalue()
    print "#####################################################"
    print "Finger Prints"
    print "#####################################################"
    print "Test 1"
    print tabulate(resSet1, headers="keys", tablefmt="pipe")
    print "Test 2"
    print tabulate(resSet2, headers="keys", tablefmt="pipe")
    print ""
    print "#####################################################"
    # first line of the cProfile text output is the summary line
    DiffPerfs1 = DiffPerfs.lstrip()
    perfline = DiffPerfs1.splitlines()
    smry = perfline[0]
    function_name = sys._getframe().f_code.co_name
    outFileName = system + "-" + function_name + "-" + "test" + testnum + ".csv"
    with open(outFileName, "wb") as f:
        writer = csv.writer(f, delimiter=',', quotechar='|')
        for line in perfline:
            linepart = line.split()
            writer.writerow(linepart)
    # raw file
    outProfileName = system + "-" + function_name + "-" + "test" + testnum + ".profile"
    ps.dump_stats(outProfileName)
    # Db
    db = client.prefdata
    print "Store cProfile results to perfdata dB?"
    YN = raw_input("Y/N: ")
    if YN == "Y":
        docinsert = {"Sys": system,
                     "Testnum": testnum,
                     "Function": function_name,
                     "Count": 0,
                     "Perfdata": DiffPerfs,
                     "Perfsmry": smry,
                     "Date": datetime.datetime.utcnow()}
        print "Saving..."
        db.prefdata.insert(docinsert)
    print "Run Hash Stack Analysis?"
    runanswer = raw_input("Y or N: ")
    if not runanswer:
        raise ValueError('empty string')
    if runanswer == "Y":
        stackdiff()
    return


# ################################################################
# Tools - sub menu (put in items like clear db, backup results, etc)
# ################################################################
#TODO
def tools():
    print "Tools menu - TODO"
    print "1. Export Results as CSV"
    print "2. Backup full dB"
    print "3. Clear DB!!"
    print "4. Return to Main"
    while True:
        sel = raw_input("Selection: ")
        if sel == "1":
            print "CSV export for test:", testnum
            # NOTE: the mongoexport commands below are run with shell=True and are built
            # from the interactively entered testnum and system values.
            #subprocess.call(['mongoexport --host localhost -d service -c service --csv -f "Sys,Service,Domain,Hash,date" > service.csv'], shell=True)
            soutcsvfile = system + "-" + "service" + "-" + "test" + testnum + ".csv"
            svcexprt = 'mongoexport --host localhost -d' + " " + testnum + " " + '-c service --csv -f "Service,Domain,Hash,date" >' + " " + soutcsvfile
            subprocess.call([svcexprt], shell=True)
            #subprocess.call(['mongoexport --host localhost -d booleans -c booleans --csv -f "Boolean,Description,Default,State,Hash,date" > boolean.csv'], shell=True)
            boutcsvfile = system + "-" + "booleans" + "-" + "test" + testnum + ".csv"
            bolexprt = 'mongoexport --host localhost -d' + " " + testnum + " " + '-c booleans --csv -f "Boolean,Description,Default,State,Hash,date" >' + " " + boutcsvfile
            subprocess.call([bolexprt], shell=True)
            #subprocess.call(['mongoexport --host localhost -d fcontext -c fcontext --csv -f "Path,Type,Context,Hash,date" > fcontext.csv']
            fcoutcsvfile = system + "-" + "fcontext" + "-" + "test" + testnum + ".csv"
            fcexprt = 'mongoexport --host localhost -d' + " " + testnum + " " + '-c fcontext --csv -f "Path,Type,Context,Hash,date" >' + " " + fcoutcsvfile
            subprocess.call([fcexprt], shell=True)
            #prefdata
            pdoutcsvfile = system + "-" + "prefdata" + "-" + "test" + testnum + ".csv"
            pdexprt = 'mongoexport --host localhost -d' + " " + "prefdata" + " " + '-c prefdata --csv -f "Function,Count,Perfsmry,Testnum,Date" >' + " " + pdoutcsvfile
            subprocess.call([pdexprt], shell=True)
            #results
            routcsvfile = system + "-" + "results" + "-" + "test" + testnum + ".csv"
            rexprt = 'mongoexport --host localhost -d' + " " + "results" + " " + '-c results --csv -f "contextFP,serviceFP,booleanFP,testnum,date" >' + " " + routcsvfile
            subprocess.call([rexprt], shell=True)
            continue
        elif sel == "2":
            print "run mongodump -o <hostname>"
            args = ['mongodump', '-o', system]
            str_args = [str(x) for x in args]
            dbexprt = subprocess.call(str_args)
            if dbexprt == 0:
                print "Mongodump Done"
            else:
                print "Error"
            continue
        elif sel == "3":
            print "Clear db"
            continue
        elif sel == "4":
            print "..."
            break
    return


# ################################################################
# Main menu
# ################################################################
#  1. Enter Test #
#  2. Enter System name
#  3. Run Collect Scripts
#  4. Run parsing (booleans, service and context) sub-menu
#  5. Run / view finger prints
#  6. Run / View Diffs
#  7. Search / View Relationships
#  8. Tools
#  9. Exit
# ################################################################
def main():
    while True:
        printmm()
        is_valid = 0
        while not is_valid:
            try:
                sel = int(raw_input('Enter your choice [1-9] : '))
                is_valid = 1  # set it to 1 to validate input and to terminate the while..not loop
            except ValueError, e:
                print ("'%s' is not a valid integer." % e.args[0].split(": ")[1])
        if sel == 1:
            settestnum()
            continue
        elif sel == 2:
            setsysname()
            continue
        elif sel == 3:
            runscripts()
            continue
        elif sel == 4:
            runsparse()
            continue
        elif sel == 5:
            fpsub()
            continue
        elif sel == 6:
            diffs()
            continue
        elif sel == 7:
            searchrel()
            continue
        elif sel == 8:
            tools()
            continue
        elif sel == 9:
            print "Bye"
            break
        else:
            print "bad entry .. try again"
            continue


# ################################################################
# MAIN
# ################################################################
if __name__ == "__main__":
    main()
# ################################################################
# END OF CODE
# ################################################################

APPENDIX B

External Shell Scripts called from SII.py

boolean_collect.sh

#!/bin/bash
# Pass in IPaddr
TARGET=$1
# Working Dir
cd /home/mike
if [ ! -d "$TARGET" ]; then
    mkdir "$TARGET"
fi
cd "$TARGET"
#ssh root@$TARGET "semanage boolean -ln" > boolean.txt && ssh root@$TARGET "semanage fcontext -ln" > fcontext.txt
semanage boolean -ln > boolean.txt
semanage fcontext -ln > fcontext.txt
# List of bools for host
awk '{print $1}' boolean.txt > bools.list
for p in $(cat bools.list)
do
    #ssh root@$TARGET "sesearch -b $p -AC" > $p.info
    sesearch -b "$p" -AC > "$p.info"
    # the domain is the source type on the second line of the sesearch output
    PD=$(head -2 "$p.info" | tail -1 | awk '{print $3}')
    echo "$PD" > "$p.domain"
    echo "$p,$PD" >> boolean.dlist
done
# **** END OF CODE ****

service_collect.sh

#!/bin/bash
# look at ps Z -C <service name> or ps Z -p <pid>
TARGET=$1
cd /home/mike
if [ ! -d "$TARGET" ]; then
    mkdir "$TARGET"
fi
cd "$TARGET"
#ssh root@$TARGET "systemctl --type=service --no-legend" > service.txt
systemctl --type=service --no-legend > service.txt
# Chkconfig not needed with systemd; may need it for SysVinit
#ssh root@$TARGET "chkconfig --list" > chkconfig.txt
#ssh root@$TARGET "ps -efZ" > psZ.txt
ps -efZ > psZ.txt
# this cuts off some of the information. Use psZ and service.txt
#ssh root@$TARGET "ps axo pid,fname,context" > psaxo.txt
awk '{print $1}' service.txt > service.names
grep "running" service.txt | awk '{print $1}' > service.running
cut -d. -f1 service.running > service.psnames
for s in $(cat service.psnames)
do
    #ssh root@$TARGET "ps -ejHZ | grep $s" > $s.info
    ps -ejHZ | grep "$s" > "$s.info"
    #ssh root@$TARGET "ps Z -C $s" > $s.info2
    ps Z -C "$s" > "$s.info2"
done
# **** END OF CODE ****

fcontext_collect.sh

#!/bin/bash
TARGET=$1
cd /home/mike
if [ ! -d "$TARGET" ]; then
    mkdir "$TARGET"
fi
cd "$TARGET"
#ssh root@$TARGET "semanage fcontext -ln" > fcontext.org
semanage fcontext -ln > fcontext.org
# drop the "=" equivalence lines, keep only path / type / context entries
grep -v "=" fcontext.org > fcontext.txt
# **** END OF CODE ****
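The boolean.txt that boolean_collect.sh writes is what SII.py hashes per item and fingerprints as a set, and the diff menu in Appendix C reports the items whose per-item hashes changed between two tests. The following is an added example, not code from SII.py or the dissertation, that reproduces that parse / hash / fingerprint / diff sequence on a constructed snapshot pair in the layout of `semanage boolean -ln`; it uses SHA-256 rather than the 32-hex (MD5-length) hashes seen in the page's output, and the snapshot text and function names are this example's own.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed snapshots in the layout of `semanage boolean -ln`
# (name, "(state , default)", description), standing in for two collected
# boolean.txt files. Not real collected data.
SNAPSHOT_TEST2 = """\
ftp_home_dir                   (off  ,  off)  Allow ftp to home dir
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
"""

SNAPSHOT_TEST3 = """\
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_use_nfs                  ( on  ,  off)  Allow httpd to use nfs
ftp_home_dir                   ( on  ,   on)  Allow ftp to home dir
"""

BOOL_LINE = re.compile(r"^(\S+)\s+\(\s*(on|off)\s*,\s*(on|off)\s*\)\s*(.*)$")

Record = Dict[str, str]


def parse_booleans(text: str) -> Dict[str, Record]:
    """Parse `semanage boolean -ln` output into {name: {State, Default, Description}}."""
    items: Dict[str, Record] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BOOL_LINE.match(line)
        if m is None:
            # Fail loudly: a silently skipped line would make the fingerprint look
            # stable while part of the policy state went unobserved.
            raise ValueError("unrecognised boolean line: %r" % line)
        name, state, default, desc = m.groups()
        items[name] = {"State": state, "Default": default, "Description": desc}
    return items


def item_hash(name: str, rec: Record) -> str:
    """Per-boolean hash over the fields SII stores per row (SHA-256 here, not MD5)."""
    material = "|".join([name, rec["Default"], rec["State"], rec["Description"]])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def fingerprint(items: Dict[str, Record]) -> str:
    """Set fingerprint: hash of the per-item hashes in sorted name order, so the
    order in which semanage listed the booleans cannot change the result."""
    h = hashlib.sha256()
    for name in sorted(items):
        h.update(item_hash(name, items[name]).encode("ascii"))
        h.update(b"\n")
    return h.hexdigest()


def stack_diff(items1: Dict[str, Record], items2: Dict[str, Record]):
    """Like the 'Hash Stack Analysis' in the transcript: which names were added,
    removed, or changed (same name, different per-item hash) between two tests."""
    added = sorted(set(items2) - set(items1))
    removed = sorted(set(items1) - set(items2))
    changed: List[Tuple[str, Record, Record]] = []
    for name in sorted(set(items1) & set(items2)):
        if item_hash(name, items1[name]) != item_hash(name, items2[name]):
            changed.append((name, items1[name], items2[name]))
    return added, removed, changed


def compare(text1: str, text2: str) -> dict:
    """Fingerprint two snapshots; run the per-item diff only when the set FPs differ."""
    items1, items2 = parse_booleans(text1), parse_booleans(text2)
    fp1, fp2 = fingerprint(items1), fingerprint(items2)
    report = {"fp1": fp1, "fp2": fp2, "count1": len(items1), "count2": len(items2),
              "diff": fp1 != fp2, "added": [], "removed": [], "changed": []}
    if report["diff"]:
        report["added"], report["removed"], report["changed"] = stack_diff(items1, items2)
    return report


if __name__ == "__main__":
    r = compare(SNAPSHOT_TEST2, SNAPSHOT_TEST3)
    print("Boolean FP test2: %s" % r["fp1"])
    print("Boolean FP test3: %s" % r["fp2"])
    print("************ Boolean FP DIFF!!" if r["diff"] else "NO BPF Diff")
    for name, old, new in r["changed"]:
        print("  %-24s Default %s -> %s  State %s -> %s" % (
            name, old["Default"], new["Default"], old["State"], new["State"]))
```

Run against the two constructed snapshots it reports the same two changes the Appendix C stack diff shows (httpd_use_nfs switched on, ftp_home_dir changed in both default and state) while the untouched boolean contributes nothing to the diff.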

APPENDIX C

SII.py full output from second round of testing on system cent1b.

##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 0 Test System: localhost
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 1
Current test # is: 0
Enter Test Number
test: 2
Test Number set at: 2
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 2 Test System: localhost
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 2
Current System Name: localhost
Enter New System Name or Q to keep Name: cent2
Test system name set at: cent2
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 2 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 3
Run input scripts
Y or N: Y
Running collection scripts for system: cent2 Test#: 2
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
Boolean Collection Done
File Context Collection Done
Service Collection Done
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 2 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships

8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 4
Select Parse to Run
1. Service
2. Boolean
3. File Context
4. Back to Main
Selection: 1
Done
loaded into service: 42
Selection: 2
loaded into booleans: 285
Selection: 3
loaded into fcontext: 5625
Selection: 4
Bye
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 2 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 5
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 1
***************************************************
Policy Finger Print: 7068b6ea02cf222f57b64d3e66bd9a37
Item Count: 285
***************************************************
Store cProfile results to perfdata dB?
Y/N: Y
Saving...
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 2
***************************************************
FContext Finger Print: 822fe95f4803ad021685cc5741a62a1a
Item Count: 5625
***************************************************
Store cProfile results to perfdata dB?
Y/N: Y
Saving...
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 3
***************************************************
Service Finger Print: c7a7aeabbb0bff18d8e7313b6669d4b5
Item Count: 42
***************************************************
Store cProfile results to perfdata dB?
Y/N: Y
Saving...
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 4
Enter test results for: cent2 Test: 2
Current FPs.
ServiceFP: c7a7aeabbb0bff18d8e7313b6669d4b5
PolicyFP: 7068b6ea02cf222f57b64d3e66bd9a37
ContextFP: 822fe95f4803ad021685cc5741a62a1a

Y/N: Y
Saving...
{'contextFP': '822fe95f4803ad021685cc5741a62a1a', 'Sys': 'cent2', 'serviceFP': 'c7a7aeabbb0bff18d8e7313b6669d4b5', 'booleanFP': '7068b6ea02cf222f57b64d3e66bd9a37', 'date': datetime.datetime(2015, 2, 7, 15, 48, 29, 180670), 'testnum': '2'}
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 5
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 2 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 9
Bye

…

##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 0 Test System: localhost
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 1
Current test # is: 0
Enter Test Number
test: 3
Test Number set at: 3
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: localhost
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 2
Current System Name: localhost
Enter New System Name or Q to keep Name: cent2
Test system name set at: cent2
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 3
Run input scripts

Y or N: Y
Running collection scripts for system: cent2 Test#: 3
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
Boolean Collection Done
File Context Collection Done
Service Collection Done
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 4
Select Parse to Run
1. Service
2. Boolean
3. File Context
4. Back to Main
Selection: 1
Done
loaded into service: 43
Selection: 2
loaded into booleans: 285
Selection: 3
loaded into fcontext: 5625
Selection: 4
Bye
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 5
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 1
***************************************************
Policy Finger Print: 7653dc4122f79f313551769d41a9f49a
Item Count: 285
***************************************************
Store cProfile results to perfdata dB?
Y/N: Y
Saving...
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 2
***************************************************
FContext Finger Print: 822fe95f4803ad021685cc5741a62a1a
Item Count: 5625
***************************************************
Store cProfile results to perfdata dB?
Y/N: Y
Saving...
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print

3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 3
***************************************************
Service Finger Print: e47528c7306dfe55e37ba70806187411
Item Count: 43
***************************************************
Store cProfile results to perfdata dB?
Y/N: Y
Saving...
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 4
Enter test results for: cent2 Test: 3
Current FPs.
ServiceFP: e47528c7306dfe55e37ba70806187411
PolicyFP: 7653dc4122f79f313551769d41a9f49a
ContextFP: 822fe95f4803ad021685cc5741a62a1a
Y/N: Y
Saving...
{'contextFP': '822fe95f4803ad021685cc5741a62a1a', 'Sys': 'cent2', 'serviceFP': 'e47528c7306dfe55e37ba70806187411', 'booleanFP': '7653dc4122f79f313551769d41a9f49a', 'date': datetime.datetime(2015, 2, 7, 16, 0, 10, 610261), 'testnum': '3'}
Fingerprint menu
1 = Policy Finger Print
2 = FContext Finger Print
3 = Service Finger Print
4 = Save Results to dB
5 = Return to Main Menu
-------------------------
Enter your choice [1-5] : 5
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 6
Enter test # for test1
Test1:2
Enter test # for test2
Test2:3
Running main diffs for finger prints on test: 2 vs test: 3
************ Service FP DIFF!!
Run SPF stack diff
************ Boolean FP DIFF!!
Run BPF stack diff
NO CFP Diff
#####################################################
Finger Prints
#####################################################
Test 1
|   testnum | serviceFP                        | contextFP                        | booleanFP                        |
|----------:|:---------------------------------|:---------------------------------|:---------------------------------|
|         2 | c7a7aeabbb0bff18d8e7313b6669d4b5 | 822fe95f4803ad021685cc5741a62a1a | 7068b6ea02cf222f57b64d3e66bd9a37 |
Test 2
|   testnum | serviceFP                        | contextFP                        | booleanFP                        |
|----------:|:---------------------------------|:---------------------------------|:---------------------------------|
|         3 | e47528c7306dfe55e37ba70806187411 | 822fe95f4803ad021685cc5741a62a1a | 7653dc4122f79f313551769d41a9f49a |

#####################################################
Store cProfile results to perfdata dB?
Y/N: Y
Saving...
Run Hash Stack Analysis?
Y or N: Y
########## Service Compare Test 1 to Test 2 ##########
-------------------------- Test 2 --------------------------
+---------+----------------------------------+
| Sys     | cent2                            |
+---------+----------------------------------+
| _id     | 54d6364aaeff00204e22b0bc         |
+---------+----------------------------------+
| Hash    | d944c93efbdb7327fa62e9a88fb84816 |
+---------+----------------------------------+
| Context | <<none>>                         |
+---------+----------------------------------+

| Service | plexmediaserver                  |
+---------+----------------------------------+
---------------------------------------------------------------------
Both Service tests have same count of: 42
---------------------------------------------------------------------
########## Boolean Compare Test 1 to Test 2 ##########
-------------------------- Test 2 --------------------------
+---------+----------------------------------+
| Domain  | httpd_t                          |
+---------+----------------------------------+
| Hash    | be9964d2661ff42a34456a85da168f5f |
+---------+----------------------------------+
| Default | off                              |
+---------+----------------------------------+
| State   | on                               |
+---------+----------------------------------+
| Boolean | httpd_use_nfs                    |
+---------+----------------------------------+
| _id     | 54d6364daeff00204e22b17e         |
+---------+----------------------------------+
-------------------------- Test 1 --------------------------
+---------+----------------------------------+
| Domain  | ftpd_t                           |
+---------+----------------------------------+
| Hash    | 2c06ad6f4e46c31b3e243e3443f24ab8 |
+---------+----------------------------------+
| Default | off                              |
+---------+----------------------------------+
| State   | off                              |
+---------+----------------------------------+
| Boolean | ftp_home_dir                     |
+---------+----------------------------------+
| _id     | 54d633a7aeff00149c8085dd         |
+---------+----------------------------------+
-------------------------- Test 2 --------------------------
+---------+----------------------------------+
| Domain  | ftpd_t                           |
+---------+----------------------------------+
| Hash    | 74fd67e4b4ed34d01c637242f93639d6 |
+---------+----------------------------------+
| Default | on                               |
+---------+----------------------------------+
| State   | on                               |
+---------+----------------------------------+
| Boolean | ftp_home_dir                     |
+---------+----------------------------------+
| _id     | 54d6364caeff00204e22b0cb         |
+---------+----------------------------------+
-------------------------- Test 1 --------------------------
+---------+----------------------------------+
| Domain  | httpd_t                          |
+---------+----------------------------------+
| Hash    | 5ba20c11dc96406cbea97d502bb1902c |
+---------+----------------------------------+
| Default | off                              |
+---------+----------------------------------+
| State   | off                              |
+---------+----------------------------------+
| Boolean | httpd_use_nfs                    |
+---------+----------------------------------+
| _id     | 54d633a7aeff00149c808690         |
+---------+----------------------------------+
---------------------------------------------------------------------
Both Boolean Sets Same Count of: 285
---------------------------------------------------------------------
########## File Context Compare Test 1 to Test 2 ##########
---------------------------------------------------------------------
Both File Context test have same count of 5625
---------------------------------------------------------------------
Store cProfile results to perfdata dB?
Y/N: Y
Saving...
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 3

------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: <<none>>
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain   | Context   | Service          |
|:---------|:----------|:-----------------|
| <<none>> | <<none>>  | abrt-oops        |
| <<none>> | <<none>>  | abrt-xorg        |
| <<none>> | <<none>>  | alsa-state       |
| <<none>> | <<none>>  | libstoragemgmt   |
| <<none>> | <<none>>  | lvm2-lvmetad     |
| <<none>> | <<none>>  | nfs-lock         |
| <<none>> | <<none>>  | plexmediaserver  |
| <<none>> | <<none>>  | systemd-journald |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| k | e | y | s | ||
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| k | e | y | s | ||
------------------------------------------------------------------------------------
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 3
------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t

avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: httpd_t
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain   | Context                      | Service   |
|:---------|:-----------------------------|:----------|
| httpd_t  | system_u:system_r:httpd_t:s0 | httpd     |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| Default | Domain  | State | Boolean                           | Description                                |
|:--------|:--------|:------|:----------------------------------|:-------------------------------------------|
| off     | httpd_t | off   | httpd_can_network_relay           | Allow httpd to can network relay           |
| off     | httpd_t | off   | httpd_use_gpg                     | Allow httpd to use gpg                     |
| off     | httpd_t | off   | httpd_can_connect_mythtv          | Allow httpd to can connect mythtv          |
| off     | httpd_t | off   | httpd_can_network_connect_db      | Allow httpd to can network connect db      |
| off     | httpd_t | off   | httpd_dbus_sssd                   | Allow httpd to dbus sssd                   |
| off     | httpd_t | off   | httpd_verify_dns                  | Allow httpd to verify dns                  |
| off     | httpd_t | off   | git_system_use_cifs               | Allow git to system use cifs               |
| off     | httpd_t | off   | httpd_anon_write                  | Allow httpd to anon write                  |
| off     | httpd_t | off   | httpd_use_cifs                    | Allow httpd to use cifs                    |
| off     | httpd_t | off   | httpd_enable_homedirs             | Allow httpd to enable homedirs             |
| off     | httpd_t | off   | git_system_use_nfs                | Allow git to system use nfs                |
| off     | httpd_t | off   | httpd_run_stickshift              | Allow httpd to run stickshift              |
| off     | httpd_t | off   | httpd_use_fusefs                  | Allow httpd to use fusefs                  |
| off     | httpd_t | off   | httpd_can_connect_ldap            | Allow httpd to can connect ldap            |
| off     | httpd_t | off   | httpd_use_sasl                    | Allow httpd to use sasl                    |
| on      | httpd_t | on    | httpd_graceful_shutdown           | Allow httpd to graceful shutdown           |
| off     | httpd_t | off   | httpd_can_connect_ftp             | Allow httpd to can connect ftp             |
| off     | httpd_t | off   | httpd_read_user_content           | Allow httpd to read user content           |
| off     | httpd_t | on    | httpd_use_nfs                     | Allow httpd to use nfs                     |
| off     | httpd_t | off   | httpd_can_connect_zabbix          | Allow httpd to can connect zabbix          |
| off     | httpd_t | off   | httpd_manage_ipa                  | Allow httpd to manage ipa                  |
| on      | httpd_t | on    | httpd_builtin_scripting           | Allow httpd to builtin scripting           |
| off     | httpd_t | off   | httpd_can_check_spam              | Allow httpd to can check spam              |
| off     | httpd_t | off   | httpd_can_network_memcache        | Allow httpd to can network memcache        |
| off     | httpd_t | off   | httpd_can_network_connect_cobbler | Allow httpd to can network connect cobbler |
| off     | httpd_t | off   | httpd_serve_cobbler_files         | Allow httpd to serve cobbler files         |
| off     | httpd_t | off   | httpd_execmem                     | Allow httpd to execmem                     |
| off     | httpd_t | off   | httpd_ssi_exec                    | Allow httpd to ssi exec                    |
| off     | httpd_t | off   | httpd_enable_ftp_server           | Allow httpd to enable ftp server           |
| off     | httpd_t | off   | httpd_setrlimit                   | Allow httpd to setrlimit                   |
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| Path                                 | Domain      | Type     | Context                          |
|:-------------------------------------|:------------|:---------|:---------------------------------|
| /var/run/user/apache(/.*)?           | httpd_tmp_t | allfiles | system_u:object_r:httpd_tmp_t:s0 |
| /var/www/openshift/console/tmp(/.*)? | httpd_tmp_t | allfiles | system_u:object_r:httpd_tmp_t:s0 |
------------------------------------------------------------------------------------
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name

3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 3
------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: ftpd_t
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain   | Context                                 | Service   |
|:---------|:----------------------------------------|:----------|
| ftpd_t   | system_u:system_r:ftpd_t:s0-s0:c0.c1023 | vsftpd    |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| Default | Domain       | State | Boolean                     | Description                          |
|:--------|:-------------|:------|:----------------------------|:-------------------------------------|
| on      | ftpd_t       | on    | ftp_home_dir                | Allow ftp to home dir                |
| off     | ftpd_t       | off   | ftpd_use_cifs               | Allow ftpd to use cifs               |
| off     | ftpd_t       | off   | ftpd_use_fusefs             | Allow ftpd to use fusefs             |
| off     | ftpd_t       | off   | ftpd_connect_db             | Allow ftpd to connect db             |
| off     | ftpd_t       | off   | ftpd_full_access            | Allow ftpd to full access            |
| off     | tftpd_t      | off   | tftp_home_dir               | Allow tftp to home dir               |
| off     | sftpd_t      | off   | sftpd_enable_homedirs       | Allow sftpd to enable homedirs       |
| off     | ftpd_t       | off   | ftpd_use_passive_mode       | Allow ftpd to use passive mode       |
| off     | sftpd_t      | off   | sftpd_write_ssh_home        | Allow sftpd to write ssh home        |
| off     | ftpd_t       | off   | ftpd_use_nfs                | Allow ftpd to use nfs                |
| off     | ftpd_t       | off   | ftpd_connect_all_unreserved | Allow ftpd to connect all unreserved |
| off     | sftpd_t      | off   | sftpd_full_access           | Allow sftpd to full access           |
| off     | tftpd_t      | off   | tftp_anon_write             | Allow tftp to anon write             |
| off     | ftpd_t       | off   | ftpd_anon_write             | Allow ftpd to anon write             |
| off     | anon_sftpd_t | off   | sftpd_anon_write            | Allow sftpd to anon write            |
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| k | e | y | s | ||
------------------------------------------------------------------------------------
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 3 Test System: cent2
--------------------------------------------------------------------------
Main Menu
1. Enter Test #

SELINUX INTEGRITY INSTRUMENTATION

136

2. Enter System Name 3. Run Collect Scripts 4. Run Parsing (boolens, service and context) 5. Run / View Finger Prints 6. Search / View Diffs 7. Search / View Relationships 8. Tools and Utilities 9. Exit -------------------------------------------------------------------------- Enter your choice [1-9] : 7 ------------------------------------------------------------------------------------ Current Domains for test: 3 ------------------------------------------------------------------------------------ Services Domains Found: <<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t ------------------------------------------------------------------------------------ Enter domain to search for Domain: sshd_t ------------------------------------------------------------------------------------ Services: ------------------------------------------------------------------------------------ | Domain | Context | Service | |:---------|:----------------------------------------|:----------| | sshd_t | system_u:system_r:sshd_t:s0-s0:c0.c1023 | sshd | ------------------------------------------------------------------------------------ Booleans: ------------------------------------------------------------------------------------ | k | e | y | s | || ------------------------------------------------------------------------------------ File Contexts: ------------------------------------------------------------------------------------ | k | e | y | s | || ------------------------------------------------------------------------------------ ############################################## SELinux Integrity Instrumentation (SII) ############################################## Current Test#: 3 Test 
System: cent2 -------------------------------------------------------------------------- Main Menu 1. Enter Test # 2. Enter System Name 3. Run Collect Scripts 4. Run Parsing (boolens, service and context) 5. Run / View Finger Prints 6. Search / View Diffs 7. Search / View Relationships 8. Tools and Utilities 9. Exit -------------------------------------------------------------------------- Enter your choice [1-9] : 8 …

SELINUX INTEGRITY INSTRUMENTATION

137

APPENDIX D

Sample MongoDB table data exported to csv.

Cent2 results table: the fingerprint hash results for each test.

| contextFP | serviceFP | booleanFP | testnum | date |
|:---|:---|:---|:---|:---|
| d680d3862526ccab257cf4cba8120a86 | 3db923b4e92df96202c5647b09c6c920 | 09433755b60e36621246da3bbc20d298 | 1 | 2015-01-10T17:58:57.934Z |
| 822fe95f4803ad021685cc5741a62a1a | c7a7aeabbb0bff18d8e7313b6669d4b5 | 7068b6ea02cf222f57b64d3e66bd9a37 | 2 | 2015-02-07T15:48:29.180Z |
| 822fe95f4803ad021685cc5741a62a1a | e47528c7306dfe55e37ba70806187411 | 7653dc4122f79f313551769d41a9f49a | 3 | 2015-02-07T16:00:10.610Z |

Sample service table.

| Service | Domain | Hash | date |
|:---|:---|:---|:---|
| abrt-oops | <<none>> | c0f3eba7ca2c3089d41e452c792a5c5b | 2015-02-07T15:59:06.246Z |
| abrt-xorg | <<none>> | 83060677d68bb6773155410c9bb656cc | 2015-02-07T15:59:06.509Z |
| abrtd | abrt_t | a2601acb8e80ec21f9555e7b08a123d7 | 2015-02-07T15:59:06.533Z |
| accounts-daemon | accountsd_t | ed902b24eab3329af763eb21fc7ed8fc | 2015-02-07T15:59:06.534Z |
| alsa-state | <<none>> | 05fe8cce403c8445125d611b94603814 | 2015-02-07T15:59:06.534Z |
| atd | crond_t | fa547e4a43fde1347c5f401d7782b924 | 2015-02-07T15:59:06.535Z |
| auditd | kernel_t | 0e443efc27d06c1f8652801693e617d2 | 2015-02-07T15:59:06.535Z |
| avahi-daemon | avahi_t | c38399f183307798cf531201b7fd246c | 2015-02-07T15:59:06.535Z |
| bluetooth | bluetooth_t | 833118869c9efa390d1bfd8a82967d8a | 2015-02-07T15:59:06.536Z |
| chronyd | chronyd_t | ccd08a6edc254c0f67eb29b8b426e4c4 | 2015-02-07T15:59:06.536Z |
| colord | colord_t | b153ee572a63dccbb7c8486fd1cd604d | 2015-02-07T15:59:06.537Z |
| crond | crond_t | 68a8833df7b4cde967dc693d257b47d0 | 2015-02-07T15:59:06.537Z |
| cups | cupsd_t | e48351516b79759851fe02140a059a35 | 2015-02-07T15:59:06.538Z |
| dbus | system_dbusd_t | e872d7a4bff572613ea9d7335fd764ef | 2015-02-07T15:59:06.538Z |
| firewalld | firewalld_t | 958c9fe04fa7932e05fdb4a4b1e822e7 | 2015-02-07T15:59:06.538Z |
| gdm | xdm_t | 49521359b641730d260017ab6670413a | 2015-02-07T15:59:06.539Z |
| httpd | httpd_t | 10b2c74a673065f708d93efb72595df2 | 2015-02-07T15:59:06.539Z |

…

Sample Booleans table.

| Boolean | Description | Default | State | Hash | date |
|:---|:---|:---|:---|:---|:---|
| ftp_home_dir | Allow ftp to home dir | on | on | 74fd67e4b4ed34d01c637242f93639d6 | 2015-02-07T15:59:08.963Z |
| smartmon_3ware | Allow smartmon to 3ware | off | off | 5aa39e46316f7349a24005568758857e | 2015-02-07T15:59:08.964Z |
| mpd_enable_homedirs | Allow mpd to enable homedirs | off | off | 8d19c3441ddbff54a363a615a1f6aacc | 2015-02-07T15:59:08.965Z |
| xdm_sysadm_login | Allow xdm to sysadm login | off | off | 87dbb38184a1de87293e47da95e2410d | 2015-02-07T15:59:08.965Z |
| xen_use_nfs | Allow xen to use nfs | off | off | ea11be95861625b64982793b67c3603a | 2015-02-07T15:59:08.966Z |
| mozilla_read_content | Allow mozilla to read content | off | off | ca2fca3ef49d3f71a9abaecd2d0671a3 | 2015-02-07T15:59:08.966Z |
| ssh_chroot_rw_homedirs | Allow ssh to chroot rw homedirs | off | off | 80e199d7f89070f154f20551a4679eef | 2015-02-07T15:59:08.967Z |
| mount_anyfile | Allow mount to anyfile | on | on | 3f5a9c614b54461d785c70a86345b519 | 2015-02-07T15:59:08.967Z |
| icecast_use_any_tcp_ports | Allow icecast to use any tcp ports | off | off | 7f97779733cf1a4d6a68f386a74d2b2a | 2015-02-07T15:59:08.967Z |
| openvpn_can_network_connect | Allow openvpn to can network connect | on | on | 9741d188cdd9a278410f367a3e6796b5 | 2015-02-07T15:59:08.968Z |
| zoneminder_anon_write | Allow zoneminder to anon write | off | off | 23a654335f625e53fac2aa54f49da547 | 2015-02-07T15:59:08.968Z |
| telepathy_connect_all_ports | Allow telepathy to connect all ports | off | off | afeabce2bd6120071d7490f39cb0f119 | 2015-02-07T15:59:08.969Z |
| spamassassin_can_network | Allow spamassassin to can network | off | off | 98e840a8a2fd8bd0f1031e435ece8f57 | 2015-02-07T15:59:08.969Z |
| gluster_anon_write | Allow gluster to anon write | off | off | 546e78de9aa489d16876cc6936e7238c | 2015-02-07T15:59:08.970Z |
| deny_ptrace | Allow deny to ptrace | off | off | 77ecf1f8501acdcd5a350ce947208cfb | 2015-02-07T15:59:08.970Z |
| selinuxuser_execmod | Allow selinuxuser to execmod | on | on | 271cad3b3f7ea71ec88eaf13af1d5691 | 2015-02-07T15:59:08.970Z |
| httpd_can_network_relay | Allow httpd to can network relay | off | off | a119a95d17afb10078dbc4d252e01438 | 2015-02-07T15:59:08.971Z |
| openvpn_enable_homedirs | Allow openvpn to enable homedirs | on | on | a471ee8f490585cc90df36ea87db8213 | 2015-02-07T15:59:08.971Z |
| glance_use_execmem | Allow glance to use execmem | off | off | 54b2e96aa5f4bdb5fc713b3ce5cf2919 | 2015-02-07T15:59:08.972Z |
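As an added example (not SII's own code and not part of this dissertation), the following Python script reproduces the data model behind the Cent2 results table and the Booleans table above: one hash per boolean record, one per-category fingerprint (the booleanFP column, one value per test) and the diff that explains why the fingerprint changed between two tests, plus a check for booleans whose state deviates from the policy default. SII's hash function and the exact fields it hashes are not shown on this page, so the SHA-256 over a name|default|state layout, the two constructed snapshots and every function name here are assumptions of the example.

```python
"""Per-record hashing, category fingerprints and snapshot diffs for
SELinux booleans.

Added example, not SII's own code. It mirrors the Booleans table (one
hash per boolean record) and the results table (one booleanFP per test)
on constructed sample input. SII's real hash function and record layout
are not shown on this page; SHA-256 over "name|default|state" is an
assumption of this example.
"""
import hashlib
from typing import Dict, List

# Constructed sample snapshots (not real collector output). Each line is
# boolean|description|default|state, the columns of the Booleans table.
SNAPSHOT_TEST2 = """\
ftp_home_dir|Allow ftp to home dir|on|on
ftpd_anon_write|Allow ftpd to anon write|off|off
httpd_can_network_connect|Allow httpd to can network connect|off|off
deny_ptrace|Allow deny to ptrace|off|off
"""

# Same system, a later test: one boolean was switched on, one was added,
# and the collector returned the records in a different order.
SNAPSHOT_TEST3 = """\
deny_ptrace|Allow deny to ptrace|off|off
ftp_home_dir|Allow ftp to home dir|on|on
ftpd_anon_write|Allow ftpd to anon write|off|on
httpd_can_network_connect|Allow httpd to can network connect|off|off
httpd_enable_cgi|Allow httpd to enable cgi|on|on
"""


def parse_booleans(text: str) -> Dict[str, dict]:
    """Parse boolean|description|default|state lines into records keyed by name."""
    records: Dict[str, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, description, default, state = line.split("|", 3)
        if default not in ("on", "off") or state not in ("on", "off"):
            raise ValueError(f"bad boolean state in line: {line!r}")
        records[name] = {"boolean": name, "description": description,
                         "default": default, "state": state}
    return records


def record_hash(rec: dict) -> str:
    """Hash of the fields that define a boolean's security-relevant state.
    The description is left out on purpose: a reworded description is not a
    configuration change and must not alter the fingerprint."""
    payload = "|".join((rec["boolean"], rec["default"], rec["state"]))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def fingerprint(records: Dict[str, dict]) -> str:
    """Category fingerprint (the booleanFP of the results table): a hash over
    the sorted per-record hashes, so collection order does not matter but any
    changed, added or removed boolean changes the value."""
    h = hashlib.sha256()
    for digest in sorted(record_hash(r) for r in records.values()):
        h.update(digest.encode("ascii"))
        h.update(b"\n")
    return h.hexdigest()


def diff_snapshots(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, List[str]]:
    """Explain a fingerprint mismatch: which booleans changed state or
    default, appeared, or disappeared between two tests."""
    changed = sorted(n for n in old.keys() & new.keys()
                     if record_hash(old[n]) != record_hash(new[n]))
    return {
        "changed": changed,
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }


def deviations(records: Dict[str, dict]) -> List[str]:
    """Booleans whose current state differs from the policy default; these
    are the settings a configuration audit has to be able to justify."""
    return sorted(n for n, r in records.items() if r["state"] != r["default"])


if __name__ == "__main__":
    t2, t3 = parse_booleans(SNAPSHOT_TEST2), parse_booleans(SNAPSHOT_TEST3)
    print("booleanFP test 2:", fingerprint(t2))
    print("booleanFP test 3:", fingerprint(t3))
    print("diff:", diff_snapshots(t2, t3))
    print("deviations in test 3:", deviations(t3))
```

Sorting the per-record hashes before folding them is what lets two collections of the same configuration agree on a fingerprint regardless of the order `getsebool` or the database returns the rows in, which is the property the results table relies on when it compares contextFP, serviceFP and booleanFP across tests.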

…

Sample File Context table export.

| Path | Type | Context | Hash | date |
|:---|:---|:---|:---|:---|
| / | directory | system_u:object_r:root_t:s0 | 78205059f0d2071e0ee9f830bb75792e | 2015-02-07T15:59:10.803Z |
| /.* | allfiles | system_u:object_r:default_t:s0 | e177694205972e449b3ced95ca1a908f | 2015-02-07T15:59:10.804Z |
| /[^/]+ | regularfile | system_u:object_r:etc_runtime_t:s0 | 82a29596e66462a8191852c8532bc7cc | 2015-02-07T15:59:10.805Z |
| /\.autofsck | regularfile | system_u:object_r:etc_runtime_t:s0 | 899c90cc1d328ff31668d6135038d23d | 2015-02-07T15:59:10.805Z |
| /\.autorelabel | regularfile | system_u:object_r:etc_runtime_t:s0 | 3c4ad866a36d966deb8cd88360201639 | 2015-02-07T15:59:10.805Z |
| /\.ismount-test-file | regularfile | system_u:object_r:sosreport_tmp_t:s0 | 83ed14222ed312be535352a6875a78c8 | 2015-02-07T15:59:10.806Z |
| /\.journal | allfiles | <<None>> | e12afb87a8e70230276e7badd6461a96 | 2015-02-07T15:59:10.806Z |
| /\.suspended | regularfile | system_u:object_r:etc_runtime_t:s0 | e105d93ddef4f0140ac730b15c117dc2 | 2015-02-07T15:59:10.806Z |
| /a?quota\.(user|group) | regularfile | system_u:object_r:quota_db_t:s0 | 43828c1c294d281cc220dff2f07a8a00 | 2015-02-07T15:59:10.807Z |
| /afs | directory | system_u:object_r:mnt_t:s0 | 465100e28fee95ac5a4a7bb07ca60603 | 2015-02-07T15:59:10.807Z |
| /bacula(/.*)? | allfiles | system_u:object_r:bacula_store_t:s0 | d768a5f9086eed57b7440959cc923d4c | 2015-02-07T15:59:10.808Z |
| /bin | allfiles | system_u:object_r:bin_t:s0 | 5e87a2443d9c78788b797930d6490b02 | 2015-02-07T15:59:10.808Z |
| /bin/.* | allfiles | system_u:object_r:bin_t:s0 | 3e16636cfa6449cc8596374ad7dc9387 | 2015-02-07T15:59:10.808Z |
| /bin/alsaunmute | regularfile | system_u:object_r:alsa_exec_t:s0 | aa378f13633d0a2471a1bdc90bfb3206 | 2015-02-07T15:59:10.809Z |
| /bin/bash | regularfile | system_u:object_r:shell_exec_t:s0 | 58602325457d9085e4b39d31f681814d | 2015-02-07T15:59:10.809Z |

APPENDIX E

Profile output (Python cProfile performance output from cent1 tests) and summary performance results prefdata table.

Sample csv export of cProfile:

1079993 function calls (1079975 primitive calls) in 1.849 seconds

Random listing order was used

ncalls tottime percall cumtime percall filename:lineno(function)

20 0 0 0 0 {time.time}

30 0 0 0 0 son.py:122(__iter__)

10 0 0 0 0 {method-random-of-_random.Random-objects}

10 0 0 0 0 {method-add-of-set-objects}

8 0 0 0 0 common.py:431(__get_write_concern)

107787 0.054 0 0.054 0 {len}

24089 0.019 0 0.019 0 {method-get-of-dict-objects}

18 0 0 0 0 mongo_client.py:505(__member_property)

11965 0.036 0 0.126 0 __init__.py:213(_get_oid)

34 0 0 0 0 tabulate.py:455(_format)

18 0 0 0 0 son.py:102(__setitem__)

71709 0.179 0 1.475 0 __init__.py:314(_element_to_dict)

20 0 0 0 0 thread_util.py:49(acquire)

…

Prefdata table from system cent1.

| Function | Count | Perfsmry | Testnum | Date |
|:---|:---|:---|:---|:---|
| boolsfp | 280 | 3900 function calls in 0.009 seconds | 1 | 2015-01-10T17:58:02.896Z |
| fcontextfp | 5596 | 73012 function calls in 0.128 seconds | 1 | 2015-01-10T17:58:09.991Z |
| servicefp | 43 | 728 function calls in 0.002 seconds | 1 | 2015-01-10T17:58:15.567Z |
| boolsfp | 285 | 3965 function calls in 0.009 seconds | 2 | 2015-01-10T18:30:40.647Z |
| fcontextfp | 5625 | 73389 function calls in 0.125 seconds | 2 | 2015-01-10T18:30:45.503Z |
| servicefp | 43 | 728 function calls in 0.002 seconds | 2 | 2015-01-10T18:30:49.391Z |
| diffs | 0 | 189 function calls in 0.001 seconds | 2 | 2015-01-10T18:33:09.407Z |
| stackdiff | 0 | 235878 function calls in 1.173 seconds | 2 | 2015-01-10T18:33:54.238Z |
| boolsfp | 285 | 3965 function calls in 0.009 seconds | 3 | 2015-01-10T18:54:06.618Z |
| fcontextfp | 5625 | 73389 function calls in 0.124 seconds | 3 | 2015-01-10T18:54:11.266Z |
| servicefp | 42 | 715 function calls in 0.002 seconds | 3 | 2015-01-10T18:54:18.218Z |
| diffs | 0 | 194 function calls in 0.001 seconds | 3 | 2015-01-10T18:56:17.825Z |
| stackdiff | 0 | 157809 function calls in 0.337 seconds | 3 | 2015-01-10T18:56:22.633Z |
| boolsfp | 285 | 3965 function calls in 0.009 seconds | 4 | 2015-01-10T19:34:10.568Z |
| fcontextfp | 5625 | 73389 function calls in 0.123 seconds | 4 | 2015-01-10T19:34:14.184Z |
| servicefp | 42 | 715 function calls in 0.002 seconds | 4 | 2015-01-10T19:34:20.368Z |
| diffs | 0 | 199 function calls in 0.001 seconds | 4 | 2015-01-10T19:40:56.486Z |
| stackdiff | 0 | 158315 function calls in 0.337 seconds | 4 | 2015-01-10T19:41:04.870Z |

APPENDIX F

Full Relation Test Output from system cent1 test

##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 0
Test System: localhost
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 1
Current test # is: 0
Enter Test Number
test: 4
Test Number set at: 4
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: localhost
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 2
Current System Name: localhost
Enter New System Name or Q to keep
Name: cent1
Test system name set at: cent1
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: cent1
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 4
------------------------------------------------------------------------------------
Services Domains Found:
<<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: httpd
------------------------------------------------------------------------------------

Services:
------------------------------------------------------------------------------------
| Domain | Context | Service |
|:---------|:-----------------------------|:----------|
| httpd_t | system_u:system_r:httpd_t:s0 | httpd |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| Default | Domain | State | Boolean | Description |
|:----------|:--------------------|:--------|:----------------------------------|:-------------------------------------------|
| off | httpd_t | off | httpd_can_network_relay | Allow httpd to can network relay |
| off | httpd_t | off | httpd_use_gpg | Allow httpd to use gpg |
| off | httpd_t | off | httpd_can_connect_mythtv | Allow httpd to can connect mythtv |
| off | httpd_t | off | httpd_can_network_connect_db | Allow httpd to can network connect db |
| off | httpd_t | off | httpd_dbus_sssd | Allow httpd to dbus sssd |
| on | httpd_suexec_t | on | httpd_enable_cgi | Allow httpd to enable cgi |
| off | httpd_t | off | httpd_verify_dns | Allow httpd to verify dns |
| off | httpd_git_script_t | off | git_cgi_enable_homedirs | Allow git to cgi enable homedirs |
| off | httpd_t | off | git_system_use_cifs | Allow git to system use cifs |
| off | httpd_t | off | httpd_anon_write | Allow httpd to anon write |
| off | httpd_t | off | httpd_use_cifs | Allow httpd to use cifs |
| off | httpd_t | off | httpd_enable_homedirs | Allow httpd to enable homedirs |
| off | httpd_t | off | git_system_use_nfs | Allow git to system use nfs |
| off | httpd_user_script_t | off | httpd_unified | Allow httpd to unified |
| off | httpd_t | off | httpd_run_stickshift | Allow httpd to run stickshift |
| off | httpd_t | off | httpd_use_fusefs | Allow httpd to use fusefs |
| off | httpd_t | off | httpd_can_connect_ldap | Allow httpd to can connect ldap |
| off | httpd_suexec_t | off | httpd_can_network_connect | Allow httpd to can network connect |
| off | httpd_t | off | httpd_use_sasl | Allow httpd to use sasl |
| off | httpd_suexec_t | off | httpd_tty_comm | Allow httpd to tty comm |
| off | httpd_sys_script_t | off | httpd_sys_script_anon_write | Allow httpd to sys script anon write |
| off | httpd_git_script_t | off | git_cgi_use_nfs | Allow git to cgi use nfs |
| on | httpd_t | on | httpd_graceful_shutdown | Allow httpd to graceful shutdown |
| off | httpd_t | off | httpd_can_connect_ftp | Allow httpd to can connect ftp |
| off | httpd_t | off | httpd_read_user_content | Allow httpd to read user content |
| on | httpd_t | on | httpd_use_nfs | Allow httpd to use nfs |
| off | httpd_t | off | httpd_can_connect_zabbix | Allow httpd to can connect zabbix |
| off | httpd_sys_script_t | off | httpd_tmp_exec | Allow httpd to tmp exec |
| off | httpd_t | off | httpd_manage_ipa | Allow httpd to manage ipa |
| off | httpd_suexec_t | off | httpd_can_sendmail | Allow httpd to can sendmail |
| on | httpd_t | on | httpd_builtin_scripting | Allow httpd to builtin scripting |
| off | httpd_t | off | httpd_can_check_spam | Allow httpd to can check spam |
| off | httpd_t | off | httpd_can_network_memcache | Allow httpd to can network memcache |
| off | httpd_t | off | httpd_can_network_connect_cobbler | Allow httpd to can network connect cobbler |
| off | httpd_t | off | httpd_serve_cobbler_files | Allow httpd to serve cobbler files |
| off | httpd_git_script_t | off | git_cgi_use_cifs | Allow git to cgi use cifs |
| off | httpd_t | off | httpd_execmem | Allow httpd to execmem |
| off | httpd_t | off | httpd_ssi_exec | Allow httpd to ssi exec |
| off | httpd_sys_script_t | off | httpd_use_openstack | Allow httpd to use openstack |
| off | httpd_t | off | httpd_enable_ftp_server | Allow httpd to enable ftp server |
| off | httpd_t | off | httpd_setrlimit | Allow httpd to setrlimit |
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| Path | Domain | Type | Context |
|:------------------------------------------------|:----------------------------------|:------------|:-------------------------------------------------------|
| /etc/WebCalendar(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/apache(2)?(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /etc/apache-ssl(2)?(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /etc/cherokee(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /etc/drupal.* | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/glpi(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/horde(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/htdig(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /etc/httpd(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /etc/httpd/conf/keytab | httpd_keytab_t | regularfile | system_u:object_r:httpd_keytab_t:s0 |
| /etc/httpd/logs | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /etc/httpd/modules | httpd_modules_t | allfiles | system_u:object_r:httpd_modules_t:s0 |
| /etc/init\.d/cherokee | httpd_initrc_exec_t | regularfile | system_u:object_r:httpd_initrc_exec_t:s0 |
| /etc/lighttpd(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /etc/mock/koji(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/nginx(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 |
| /etc/owncloud(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/rc\.d/init\.d/httpd | httpd_initrc_exec_t | regularfile | system_u:object_r:httpd_initrc_exec_t:s0 |
| /etc/rc\.d/init\.d/lighttpd | httpd_initrc_exec_t | regularfile | system_u:object_r:httpd_initrc_exec_t:s0 |
| /etc/thttpd\.conf | httpd_config_t | regularfile | system_u:object_r:httpd_config_t:s0 |
| /etc/vhosts | httpd_config_t | regularfile | system_u:object_r:httpd_config_t:s0 |
| /etc/z-push(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /etc/zabbix/web(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /opt/.*\.cgi | httpd_sys_script_exec_t | regularfile | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 |

| /srv/([^/]*/)?www(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /srv/([^/]*/)?www/logs(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 |
| /srv/gallery2(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /srv/gallery2/smarty(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /usr/.*\.cgi | httpd_sys_script_exec_t | regularfile | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /usr/bin/htsslpass | httpd_helper_exec_t | regularfile | system_u:object_r:httpd_helper_exec_t:s0 |
| /usr/bin/mojomojo_fastcgi\.pl | httpd_mojomojo_script_exec_t | regularfile | system_u:object_r:httpd_mojomojo_script_exec_t:s0 |
| /usr/bin/mongrel_rails | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/lib/apache(/.*)? | httpd_modules_t | allfiles | system_u:object_r:httpd_modules_t:s0 |
| /usr/lib/apache(2)?/suexec(2)? | httpd_suexec_exec_t | regularfile | system_u:object_r:httpd_suexec_exec_t:s0 |
| /usr/lib/apache-ssl/.+ | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/lib/apache2/modules(/.*)? | httpd_modules_t | allfiles | system_u:object_r:httpd_modules_t:s0 |
| /usr/lib/cgi-bin(/.*)? | httpd_sys_script_exec_t | allfiles | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /usr/lib/cgi-bin/(nph-)?cgiwrap(d)? | httpd_suexec_exec_t | regularfile | system_u:object_r:httpd_suexec_exec_t:s0 |
| /usr/lib/cgi-bin/check | httpd_w3c_validator_script_exec_t | allfiles | system_u:object_r:httpd_w3c_validator_script_exec_t:s0 |
| /usr/lib/cgi-bin/nagios(/.+)? | httpd_nagios_script_exec_t | allfiles | system_u:object_r:httpd_nagios_script_exec_t:s0 |
| /usr/lib/cgi-bin/netsaint(/.*)? | httpd_nagios_script_exec_t | allfiles | system_u:object_r:httpd_nagios_script_exec_t:s0 |
| /usr/lib/cherokee(/.*)? | httpd_modules_t | allfiles | system_u:object_r:httpd_modules_t:s0 |
| /usr/lib/dirsrv/cgi-bin(/.*)? | httpd_dirsrvadmin_script_exec_t | allfiles | system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0 |
| /usr/lib/dirsrv/dsgw-cgi-bin(/.*)? | httpd_dirsrvadmin_script_exec_t | allfiles | system_u:object_r:httpd_dirsrvadmin_script_exec_t:s0 |
| /usr/lib/httpd(/.*)? | httpd_modules_t | allfiles | system_u:object_r:httpd_modules_t:s0 |
| /usr/lib/icinga/cgi(/.*)? | httpd_nagios_script_exec_t | allfiles | system_u:object_r:httpd_nagios_script_exec_t:s0 |
| /usr/lib/lighttpd(/.*)? | httpd_modules_t | allfiles | system_u:object_r:httpd_modules_t:s0 |
| /usr/lib/man2html/cgi-bin/man/man2html | httpd_man2html_script_exec_t | regularfile | system_u:object_r:httpd_man2html_script_exec_t:s0 |
| /usr/lib/man2html/cgi-bin/man/mansec | httpd_man2html_script_exec_t | regularfile | system_u:object_r:httpd_man2html_script_exec_t:s0 |
| /usr/lib/man2html/cgi-bin/man/manwhatis | httpd_man2html_script_exec_t | regularfile | system_u:object_r:httpd_man2html_script_exec_t:s0 |
| /usr/lib/mediawiki/math/texvc | httpd_mediawiki_script_exec_t | regularfile | system_u:object_r:httpd_mediawiki_script_exec_t:s0 |
| /usr/lib/mediawiki/math/texvc_tes | httpd_mediawiki_script_exec_t | regularfile | system_u:object_r:httpd_mediawiki_script_exec_t:s0 |
| /usr/lib/mediawiki/math/texvc_tex | httpd_mediawiki_script_exec_t | regularfile | system_u:object_r:httpd_mediawiki_script_exec_t:s0 |
| /usr/lib/nagios/cgi(/.*)? | httpd_nagios_script_exec_t | allfiles | system_u:object_r:httpd_nagios_script_exec_t:s0 |
| /usr/lib/nagios/cgi-bin(/.*)? | httpd_nagios_script_exec_t | allfiles | system_u:object_r:httpd_nagios_script_exec_t:s0 |
| /usr/lib/squid/cachemgr\.cgi | httpd_squid_script_exec_t | regularfile | system_u:object_r:httpd_squid_script_exec_t:s0 |
| /usr/lib/systemd/system/httpd.* | httpd_unit_file_t | regularfile | system_u:object_r:httpd_unit_file_t:s0 |
| /usr/lib/systemd/system/jetty.* | httpd_unit_file_t | regularfile | system_u:object_r:httpd_unit_file_t:s0 |
| /usr/lib/systemd/system/nginx.* | httpd_unit_file_t | regularfile | system_u:object_r:httpd_unit_file_t:s0 |
| /usr/lib/systemd/system/php-fpm.* | httpd_unit_file_t | regularfile | system_u:object_r:httpd_unit_file_t:s0 |
| /usr/libexec/httpd-ssl-pass-dialog | httpd_passwd_exec_t | regularfile | system_u:object_r:httpd_passwd_exec_t:s0 |
| /usr/libexec/zoneminder/cgi-bin(/.*)? | httpd_zoneminder_script_exec_t | allfiles | system_u:object_r:httpd_zoneminder_script_exec_t:s0 |
| /usr/s?bin/(oo|rhc)-restorer-wrapper.sh | httpd_openshift_script_exec_t | regularfile | system_u:object_r:httpd_openshift_script_exec_t:s0 |
| /usr/sbin/apache(2)? | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/apache-ssl(2)? | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/cherokee | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/htcacheclean | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/httpd(\.worker)? | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/httpd\.event | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/lighttpd | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/nginx | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/php-fpm | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/sbin/rotatelogs | httpd_rotatelogs_exec_t | regularfile | system_u:object_r:httpd_rotatelogs_exec_t:s0 |
| /usr/sbin/suexec | httpd_suexec_exec_t | regularfile | system_u:object_r:httpd_suexec_exec_t:s0 |
| /usr/sbin/thttpd | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/share/awstats/wwwroot(/.*)? | httpd_awstats_content_t | allfiles | system_u:object_r:httpd_awstats_content_t:s0 |
| /usr/share/awstats/wwwroot/cgi-bin(/.*)? | httpd_awstats_script_exec_t | allfiles | system_u:object_r:httpd_awstats_script_exec_t:s0 |
| /usr/share/bugzilla(/.*)? | httpd_bugzilla_content_t | allfiles | system_u:object_r:httpd_bugzilla_content_t:s0 |
| /usr/share/bugzilla/.*\.cgi | httpd_bugzilla_script_exec_t | regularfile | system_u:object_r:httpd_bugzilla_script_exec_t:s0 |

| /usr/share/collectd/collection3/bin/.*\.cgi | httpd_collectd_script_exec_t | regularfile | system_u:object_r:httpd_collectd_script_exec_t:s0 |
| /usr/share/cvsweb/cvsweb\.cgi | httpd_cvs_script_exec_t | regularfile | system_u:object_r:httpd_cvs_script_exec_t:s0 |
| /usr/share/doc/ghc/html(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/drupal.* | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/dspam-web/dspam\.cgi | httpd_dspam_script_exec_t | regularfile | system_u:object_r:httpd_dspam_script_exec_t:s0 |
| /usr/share/glpi(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/htdig(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/icecast(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/jetty/bin/jetty.sh | httpd_exec_t | regularfile | system_u:object_r:httpd_exec_t:s0 |
| /usr/share/joomla(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /usr/share/lightsquid/cgi(/.*)? | httpd_squid_script_exec_t | allfiles | system_u:object_r:httpd_squid_script_exec_t:s0 |
| /usr/share/mediawiki(/.*)? | httpd_mediawiki_content_t | allfiles | system_u:object_r:httpd_mediawiki_content_t:s0 |
| /usr/share/mojomojo/root(/.*)? | httpd_mojomojo_content_t | allfiles | system_u:object_r:httpd_mojomojo_content_t:s0 |
| /usr/share/mythtv(/.*)? | httpd_mythtv_content_t | allfiles | system_u:object_r:httpd_mythtv_content_t:s0 |
| /usr/share/mythtv/mythweather/scripts(/.*)? | httpd_mythtv_script_exec_t | allfiles | system_u:object_r:httpd_mythtv_script_exec_t:s0 |
| /usr/share/mythweb(/.*)? | httpd_mythtv_content_t | allfiles | system_u:object_r:httpd_mythtv_content_t:s0 |
| /usr/share/mythweb/mythweb\.pl | httpd_mythtv_script_exec_t | regularfile | system_u:object_r:httpd_mythtv_script_exec_t:s0 |
| /usr/share/ntop/html(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/openca/htdocs(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/prewikka/cgi-bin(/.*)? | httpd_prewikka_script_exec_t | allfiles | system_u:object_r:httpd_prewikka_script_exec_t:s0 |
| /usr/share/selinux-policy[^/]*/html(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /usr/share/smokeping/cgi(/.*)? | httpd_smokeping_cgi_script_exec_t | allfiles | system_u:object_r:httpd_smokeping_cgi_script_exec_t:s0 |
| /usr/share/w3c-markup-validator(/.*)? | httpd_w3c_validator_content_t | allfiles | system_u:object_r:httpd_w3c_validator_content_t:s0 |
| /usr/share/w3c-markup-validator/cgi-bin(/.*)? | httpd_w3c_validator_script_exec_t | allfiles | system_u:object_r:httpd_w3c_validator_script_exec_t:s0 |
| /usr/share/wordpress-mu/wp-config\.php | httpd_sys_script_exec_t | regularfile | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /usr/share/wordpress-mu/wp-content(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /usr/share/wordpress/.*\.php | httpd_sys_script_exec_t | regularfile | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /usr/share/wordpress/wp-content/upgrade(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /usr/share/wordpress/wp-content/uploads(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /usr/share/wordpress/wp-includes/.*\.php | httpd_sys_script_exec_t | regularfile | system_u:object_r:httpd_sys_script_exec_t:s0 |
| /usr/share/z-push(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /var/cache/cgit(/.*)? | httpd_git_rw_content_t | allfiles | system_u:object_r:httpd_git_rw_content_t:s0 |
| /var/cache/gitweb-caching(/.*)? | httpd_git_rw_content_t | allfiles | system_u:object_r:httpd_git_rw_content_t:s0 |
| /var/cache/httpd(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/lighttpd(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/man2html(/.*)? | httpd_man2html_script_cache_t | allfiles | system_u:object_r:httpd_man2html_script_cache_t:s0 |
| /var/cache/mason(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/mediawiki(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/mod_.* | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/mod_gnutls(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/mod_proxy(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/mod_ssl(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/php-.* | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/php-eaccelerator(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/php-mmcache(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/rt(3|4)(/.*)? | httpd_cache_t | allfiles | system_u:object_r:httpd_cache_t:s0 |
| /var/cache/ssl.*\.sem | httpd_cache_t | regularfile | system_u:object_r:httpd_cache_t:s0 |
| /var/lib/bugzilla(/.*)? | httpd_bugzilla_rw_content_t | allfiles | system_u:object_r:httpd_bugzilla_rw_content_t:s0 |
| /var/lib/cacti/rra(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 |
| /var/lib/cherokee(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |
| /var/lib/dav(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |
| /var/lib/dokuwiki(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/lib/drupal.* | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 |
| /var/lib/dspam/data(/.*)? | httpd_dspam_rw_content_t | allfiles | system_u:object_r:httpd_dspam_rw_content_t:s0 |
| /var/lib/glpi(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 |

SELINUX INTEGRITY INSTRUMENTATION

145

| /var/lib/htdig(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 | | /var/lib/httpd(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 | | /var/lib/lighttpd(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 | | /var/lib/mod_security(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 | | /var/lib/mojomojo(/.*)? | httpd_mojomojo_rw_content_t | allfiles | system_u:object_r:httpd_mojomojo_rw_content_t:s0 | | /var/lib/moodle(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/lib/nginx(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 | | /var/lib/openshift/\.httpd\.d(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 | | /var/lib/openshift/\.log/httpd(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/lib/owncloud(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/lib/php(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 | | /var/lib/php/session(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 | | /var/lib/php/wsdlcache(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 | | /var/lib/pootle/po(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/lib/rt(3|4)/data/RT-Shredder(/.*)? | httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 | | /var/lib/squirrelmail/prefs(/.*)? | httpd_squirrelmail_t | allfiles | system_u:object_r:httpd_squirrelmail_t:s0 | | /var/lib/stickshift/\.httpd\.d(/.*)? | httpd_config_t | allfiles | system_u:object_r:httpd_config_t:s0 | | /var/lib/svn(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/lib/trac(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 | | /var/lib/z-push(/.*)? 
| httpd_var_lib_t | allfiles | system_u:object_r:httpd_var_lib_t:s0 | | /var/log/apache(2)?(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/log/apache-ssl(2)?(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/log/cacti(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/log/cgiwrap\.log.* | httpd_log_t | regularfile | system_u:object_r:httpd_log_t:s0 | | /var/log/cherokee(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/log/dirsrv/admin-serv(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/log/glpi(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/log/horizon(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/log/httpd(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/log/lighttpd(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/log/nginx(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/log/php-fpm(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/log/php_errors\.log.* | httpd_log_t | regularfile | system_u:object_r:httpd_log_t:s0 | | /var/log/roundcubemail(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/log/suphp\.log.* | httpd_log_t | regularfile | system_u:object_r:httpd_log_t:s0 | | /var/log/thttpd\.log.* | httpd_log_t | regularfile | system_u:object_r:httpd_log_t:s0 | | /var/log/z-push(/.*)? 
| httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/run/apache.* | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 | | /var/run/cherokee\.pid | httpd_var_run_t | regularfile | system_u:object_r:httpd_var_run_t:s0 | | /var/run/dirsrv/admin-serv.* | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 | | /var/run/gcache_port | httpd_var_run_t | socket | system_u:object_r:httpd_var_run_t:s0 | | /var/run/httpd.* | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 | | /var/run/lighttpd(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 | | /var/run/mod_.* | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 | | /var/run/nginx.* | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 | | /var/run/php-fpm(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 | | /var/run/thttpd\.pid | httpd_var_run_t | regularfile | system_u:object_r:httpd_var_run_t:s0 | | /var/run/user/apache(/.*)? | httpd_tmp_t | allfiles | system_u:object_r:httpd_tmp_t:s0 | | /var/run/wsgi.* | httpd_var_run_t | socket | system_u:object_r:httpd_var_run_t:s0 | | /var/spool/gosa(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/spool/viewvc(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/www(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/www(/.*)?/logs(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/www/[^/]*/cgi-bin(/.*)? | httpd_sys_script_exec_t | allfiles | system_u:object_r:httpd_sys_script_exec_t:s0 | | /var/www/apcupsd/multimon\.cgi | httpd_apcupsd_cgi_script_exec_t | regularfile | system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0 |

SELINUX INTEGRITY INSTRUMENTATION

146

| /var/www/apcupsd/upsfstats\.cgi | httpd_apcupsd_cgi_script_exec_t | regularfile | system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0 | | /var/www/apcupsd/upsimage\.cgi | httpd_apcupsd_cgi_script_exec_t | regularfile | system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0 | | /var/www/apcupsd/upsstats\.cgi | httpd_apcupsd_cgi_script_exec_t | regularfile | system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0 | | /var/www/cgi-bin(/.*)? | httpd_sys_script_exec_t | allfiles | system_u:object_r:httpd_sys_script_exec_t:s0 | | /var/www/cgi-bin/apcgui(/.*)? | httpd_apcupsd_cgi_script_exec_t | allfiles | system_u:object_r:httpd_apcupsd_cgi_script_exec_t:s0 | | /var/www/cgi-bin/cgit | httpd_git_script_exec_t | regularfile | system_u:object_r:httpd_git_script_exec_t:s0 | | /var/www/cgi-bin/cvsweb\.cgi | httpd_cvs_script_exec_t | regularfile | system_u:object_r:httpd_cvs_script_exec_t:s0 | | /var/www/cgi-bin/munin.* | httpd_munin_script_exec_t | allfiles | system_u:object_r:httpd_munin_script_exec_t:s0 | | /var/www/dspam(/.*?) | httpd_dspam_content_t | allfiles | system_u:object_r:httpd_dspam_content_t:s0 | | /var/www/dspam/.*\.cgi | httpd_dspam_script_exec_t | regularfile | system_u:object_r:httpd_dspam_script_exec_t:s0 | | /var/www/gallery/albums(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/www/git(/.*)? | httpd_git_content_t | allfiles | system_u:object_r:httpd_git_content_t:s0 | | /var/www/git/gitweb\.cgi | httpd_git_script_exec_t | regularfile | system_u:object_r:httpd_git_script_exec_t:s0 | | /var/www/gitweb-caching/gitweb\.cgi | httpd_git_script_exec_t | regularfile | system_u:object_r:httpd_git_script_exec_t:s0 | | /var/www/html(/.*)?/sites/default/files(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/www/html(/.*)?/sites/default/settings\.php | httpd_sys_rw_content_t | regularfile | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/www/html(/.*)?/uploads(/.*)? 
| httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/www/html(/.*)?/wp-content(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/www/html/[^/]*/cgi-bin(/.*)? | httpd_sys_script_exec_t | allfiles | system_u:object_r:httpd_sys_script_exec_t:s0 | | /var/www/html/cgi/munin.* | httpd_munin_script_exec_t | allfiles | system_u:object_r:httpd_munin_script_exec_t:s0 | | /var/www/html/configuration\.php | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/www/html/munin(/.*)? | httpd_munin_content_t | allfiles | system_u:object_r:httpd_munin_content_t:s0 | | /var/www/html/munin/cgi(/.*)? | httpd_munin_script_exec_t | allfiles | system_u:object_r:httpd_munin_script_exec_t:s0 | | /var/www/html/owncloud/data(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/www/icons(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 | | /var/www/miq/vmdb/log(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/www/moodle/data(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/www/moodledata(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/www/nut-cgi-bin/upsimage\.cgi | httpd_nutups_cgi_script_exec_t | regularfile | system_u:object_r:httpd_nutups_cgi_script_exec_t:s0 | | /var/www/nut-cgi-bin/upsset\.cgi | httpd_nutups_cgi_script_exec_t | regularfile | system_u:object_r:httpd_nutups_cgi_script_exec_t:s0 | | /var/www/nut-cgi-bin/upsstats\.cgi | httpd_nutups_cgi_script_exec_t | regularfile | system_u:object_r:httpd_nutups_cgi_script_exec_t:s0 | | /var/www/openshift/broker/httpd/logs(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/www/openshift/broker/httpd/run(/.*)? 
| httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 | | /var/www/openshift/console/httpd/logs(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/www/openshift/console/httpd/run(/.*)? | httpd_var_run_t | allfiles | system_u:object_r:httpd_var_run_t:s0 | | /var/www/openshift/console/log(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/www/openshift/console/tmp(/.*)? | httpd_tmp_t | allfiles | system_u:object_r:httpd_tmp_t:s0 | | /var/www/perl(/.*)? | httpd_sys_script_exec_t | allfiles | system_u:object_r:httpd_sys_script_exec_t:s0 | | /var/www/stickshift/[^/]*/log(/.*)? | httpd_log_t | allfiles | system_u:object_r:httpd_log_t:s0 | | /var/www/svn(/.*)? | httpd_sys_rw_content_t | allfiles | system_u:object_r:httpd_sys_rw_content_t:s0 | | /var/www/svn/conf(/.*)? | httpd_sys_content_t | allfiles | system_u:object_r:httpd_sys_content_t:s0 | | /var/www/svn/hooks(/.*)? | httpd_sys_script_exec_t | allfiles | system_u:object_r:httpd_sys_script_exec_t:s0 | | /var/www/usage(/.*)? | httpd_webalizer_content_t | allfiles | system_u:object_r:httpd_webalizer_content_t:s0 | | /var/www/wiki(/.*)? | httpd_mediawiki_rw_content_t | allfiles | system_u:object_r:httpd_mediawiki_rw_content_t:s0 | | /var/www/wiki/.*\.php | httpd_mediawiki_content_t | regularfile | system_u:object_r:httpd_mediawiki_content_t:s0 | ------------------------------------------------------------------------------------ ############################################## SELinux Integrity Instrumentation (SII) ############################################## Current Test#: 4 Test System: cent1 -------------------------------------------------------------------------- Main Menu 1. Enter Test # 2. Enter System Name 3. Run Collect Scripts 4. Run Parsing (boolens, service and context) 5. Run / View Finger Prints 6. Search / View Diffs 7. Search / View Relationships 8. Tools and Utilities 9. 
Exit -------------------------------------------------------------------------- Enter your choice [1-9] : 7 ------------------------------------------------------------------------------------ Current Domains for test: 4


------------------------------------------------------------------------------------
Services Domains Found: <<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: ftpd
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain | Context | Service |
|:---------|:----------------------------------------|:----------|
| ftpd_t | system_u:system_r:ftpd_t:s0-s0:c0.c1023 | vsftpd |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| Default | Domain | State | Boolean | Description |
|:----------|:-------------|:--------|:----------------------------|:-------------------------------------|
| on | ftpd_t | on | ftp_home_dir | Allow ftp to home dir |
| off | ftpd_t | off | ftpd_use_cifs | Allow ftpd to use cifs |
| off | ftpd_t | off | ftpd_use_fusefs | Allow ftpd to use fusefs |
| off | ftpd_t | off | ftpd_connect_db | Allow ftpd to connect db |
| off | ftpd_t | off | ftpd_full_access | Allow ftpd to full access |
| off | tftpd_t | off | tftp_home_dir | Allow tftp to home dir |
| off | sftpd_t | off | sftpd_enable_homedirs | Allow sftpd to enable homedirs |
| off | ftpd_t | off | ftpd_use_passive_mode | Allow ftpd to use passive mode |
| off | sftpd_t | off | sftpd_write_ssh_home | Allow sftpd to write ssh home |
| off | ftpd_t | off | ftpd_use_nfs | Allow ftpd to use nfs |
| off | ftpd_t | off | ftpd_connect_all_unreserved | Allow ftpd to connect all unreserved |
| off | sftpd_t | off | sftpd_full_access | Allow sftpd to full access |
| off | tftpd_t | off | tftp_anon_write | Allow tftp to anon write |
| off | ftpd_t | off | ftpd_anon_write | Allow ftpd to anon write |
| off | anon_sftpd_t | off | sftpd_anon_write | Allow sftpd to anon write |
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| Path | Domain | Type | Context |
|:---------------------------|:-------------------|:------------|:----------------------------------------|
| /etc/cron\.monthly/proftpd | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /etc/proftpd\.conf | ftpd_etc_t | regularfile | system_u:object_r:ftpd_etc_t:s0 |
| /etc/rc\.d/init\.d/proftpd | ftpd_initrc_exec_t | regularfile | system_u:object_r:ftpd_initrc_exec_t:s0 |
| /etc/rc\.d/init\.d/vsftpd | ftpd_initrc_exec_t | regularfile | system_u:object_r:ftpd_initrc_exec_t:s0 |
| /etc/xinetd\.d/tftp | tftpd_etc_t | regularfile | system_u:object_r:tftpd_etc_t:s0 |
| /tftpboot | tftpdir_t | directory | system_u:object_r:tftpdir_t:s0 |
| /tftpboot/.* | tftpdir_t | allfiles | system_u:object_r:tftpdir_t:s0 |
| /usr/bin/ftpdctl | ftpdctl_exec_t | regularfile | system_u:object_r:ftpdctl_exec_t:s0 |
| /usr/kerberos/sbin/ftpd | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /usr/sbin/atftpd | tftpd_exec_t | regularfile | system_u:object_r:tftpd_exec_t:s0 |
| /usr/sbin/ftpwho | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /usr/sbin/in\.ftpd | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /usr/sbin/in\.tftpd | tftpd_exec_t | regularfile | system_u:object_r:tftpd_exec_t:s0 |
| /usr/sbin/muddleftpd | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /usr/sbin/proftpd | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /usr/sbin/vsftpd | ftpd_exec_t | regularfile | system_u:object_r:ftpd_exec_t:s0 |
| /var/lib/tftpboot(/.*)? | tftpdir_rw_t | allfiles | system_u:object_r:tftpdir_rw_t:s0 |
| /var/lock/subsys/*.ftpd | ftpd_lock_t | regularfile | system_u:object_r:ftpd_lock_t:s0 |
| /var/run/proftpd.* | ftpd_var_run_t | allfiles | system_u:object_r:ftpd_var_run_t:s0 |
------------------------------------------------------------------------------------
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: cent1
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 4
------------------------------------------------------------------------------------
Services Domains Found: <<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: unconfined
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain | Context | Service |
|:-------------|:------------------------------------------------------|:----------|
| unconfined_t | unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 | udisks2 |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| Default | Domain | State | Boolean | Description |
|:----------|:-------------|:--------|:-------------------------------------|:----------------------------------------------|
| on | unconfined_t | on | unconfined_mozilla_plugin_transition | Allow unconfined to mozilla plugin transition |
| off | unconfined_t | off | docker_transition_unconfined | Allow docker to transition unconfined |
| on | unconfined_t | on | unconfined_login | Allow unconfined to login |
| on | unconfined_t | on | unconfined_chrome_sandbox_transition | Allow unconfined to chrome sandbox transition |
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| Path | Domain | Type | Context |
|:-------------------------------------------|:-------------------------------------|:------------|:----------------------------------------------------------|
| /etc/[mg]dm/Init(/.*)? | xdm_unconfined_exec_t | allfiles | system_u:object_r:xdm_unconfined_exec_t:s0 |
| /etc/[mg]dm/PostLogin(/.*)? | xdm_unconfined_exec_t | allfiles | system_u:object_r:xdm_unconfined_exec_t:s0 |
| /etc/[mg]dm/PostSession(/.*)? | xdm_unconfined_exec_t | allfiles | system_u:object_r:xdm_unconfined_exec_t:s0 |
| /etc/[mg]dm/PreSession(/.*)? | xdm_unconfined_exec_t | allfiles | system_u:object_r:xdm_unconfined_exec_t:s0 |
| /etc/openvpn/scripts(/.*)? | openvpn_unconfined_script_exec_t | allfiles | system_u:object_r:openvpn_unconfined_script_exec_t:s0 |
| /etc/qemu-ga/fsfreeze-hook.d(/.*)? | virt_qemu_ga_unconfined_exec_t | allfiles | system_u:object_r:virt_qemu_ga_unconfined_exec_t:s0 |
| /etc/watchdog\.d(/.*)? | watchdog_unconfined_exec_t | allfiles | system_u:object_r:watchdog_unconfined_exec_t:s0 |
| /usr/bin/vncserver | unconfined_exec_t | regularfile | system_u:object_r:unconfined_exec_t:s0 |
| /usr/lib/dirsrv/cgi-bin/ds_create | dirsrvadmin_unconfined_script_exec_t | regularfile | system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0 |
| /usr/lib/dirsrv/cgi-bin/ds_remove | dirsrvadmin_unconfined_script_exec_t | regularfile | system_u:object_r:dirsrvadmin_unconfined_script_exec_t:s0 |
| /usr/lib/ipa/certmonger(/.*)? | certmonger_unconfined_exec_t | allfiles | system_u:object_r:certmonger_unconfined_exec_t:s0 |
| /usr/lib/nagios/plugins/.* | nagios_unconfined_plugin_exec_t | regularfile | system_u:object_r:nagios_unconfined_plugin_exec_t:s0 |
| /usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? | virt_qemu_ga_unconfined_exec_t | allfiles | system_u:object_r:virt_qemu_ga_unconfined_exec_t:s0 |
| /usr/libexec/watchdog/scripts(/.*)? | watchdog_unconfined_exec_t | allfiles | system_u:object_r:watchdog_unconfined_exec_t:s0 |
| /usr/sbin/xrdp | unconfined_exec_t | regularfile | system_u:object_r:unconfined_exec_t:s0 |
| /usr/sbin/xrdp-sesman | unconfined_exec_t | regularfile | system_u:object_r:unconfined_exec_t:s0 |
| /usr/share/munin/plugins/.* | unconfined_munin_plugin_exec_t | regularfile | system_u:object_r:unconfined_munin_plugin_exec_t:s0 |
| /var/lib/samba/scripts(/.*)? | samba_unconfined_script_exec_t | allfiles | system_u:object_r:samba_unconfined_script_exec_t:s0 |
| /var/run/qemu-ga/fsfreeze-hook.d(/.*)? | virt_qemu_ga_unconfined_exec_t | allfiles | system_u:object_r:virt_qemu_ga_unconfined_exec_t:s0 |
------------------------------------------------------------------------------------
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: cent1
--------------------------------------------------------------------------
Main Menu
1. Enter Test #


2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 4
------------------------------------------------------------------------------------
Services Domains Found: <<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: sshd
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain | Context | Service |
|:---------|:----------------------------------------|:----------|
| sshd_t | system_u:system_r:sshd_t:s0-s0:c0.c1023 | sshd |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| k | e | y | s | ||
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| Path | Domain | Type | Context |
|:--------------------------------------|:------------------------|:------------|:---------------------------------------------|
| /etc/rc\.d/init\.d/sshd | sshd_initrc_exec_t | regularfile | system_u:object_r:sshd_initrc_exec_t:s0 |
| /etc/ssh/primes | sshd_key_t | regularfile | system_u:object_r:sshd_key_t:s0 |
| /etc/ssh/ssh_host.*_key | sshd_key_t | regularfile | system_u:object_r:sshd_key_t:s0 |
| /etc/ssh/ssh_host.*_key\.pub | sshd_key_t | regularfile | system_u:object_r:sshd_key_t:s0 |
| /usr/lib/systemd/system/sshd-keygen.* | sshd_keygen_unit_file_t | regularfile | system_u:object_r:sshd_keygen_unit_file_t:s0 |
| /usr/lib/systemd/system/sshd.* | sshd_unit_file_t | regularfile | system_u:object_r:sshd_unit_file_t:s0 |
| /usr/sbin/gsisshd | sshd_exec_t | regularfile | system_u:object_r:sshd_exec_t:s0 |
| /usr/sbin/sshd | sshd_exec_t | regularfile | system_u:object_r:sshd_exec_t:s0 |
| /usr/sbin/sshd-keygen | sshd_keygen_exec_t | regularfile | system_u:object_r:sshd_keygen_exec_t:s0 |
| /var/run/sshd\.init\.pid | sshd_var_run_t | regularfile | system_u:object_r:sshd_var_run_t:s0 |
| /var/run/sshd\.pid | sshd_var_run_t | regularfile | system_u:object_r:sshd_var_run_t:s0 |
------------------------------------------------------------------------------------
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: cent1
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 7
------------------------------------------------------------------------------------
Current Domains for test: 4
------------------------------------------------------------------------------------
Services Domains Found: <<none>> abrt_t accountsd_t crond_t kernel_t avahi_t bluetooth_t chronyd_t colord_t cupsd_t system_dbusd_t firewalld_t xdm_t httpd_t mdadm_t ksmtuned_t virtd_t modemmanager_t mongod_t NetworkManager_t policykit_t postfix_master_t rpcbind_t syslogd_t rtkit_daemon_t fsdaemon_t sshd_t systemd_logind_t udev_t tuned_t unconfined_t devicekit_power_t ftpd_t
------------------------------------------------------------------------------------
Enter domain to search for
Domain: ssh
------------------------------------------------------------------------------------
Services:
------------------------------------------------------------------------------------
| Domain | Context | Service |
|:---------|:----------------------------------------|:----------|
| sshd_t | system_u:system_r:sshd_t:s0-s0:c0.c1023 | sshd |
------------------------------------------------------------------------------------
Booleans:
------------------------------------------------------------------------------------
| Default | Domain | State | Boolean | Description |
|:----------|:--------------|:--------|:------------|:---------------------|
| off | ssh_t | off | ssh_keysign | Allow ssh to keysign |
| off | sge_job_ssh_t | off | sge_use_nfs | Allow sge to use nfs |
------------------------------------------------------------------------------------
File Contexts:
------------------------------------------------------------------------------------
| Path | Domain | Type | Context |
|:------------------------------------------|:--------------------------|:------------|:-----------------------------------------------|
| /etc/rc\.d/init\.d/sshd | sshd_initrc_exec_t | regularfile | system_u:object_r:sshd_initrc_exec_t:s0 |
| /etc/ssh/primes | sshd_key_t | regularfile | system_u:object_r:sshd_key_t:s0 |
| /etc/ssh/ssh_host.*_key | sshd_key_t | regularfile | system_u:object_r:sshd_key_t:s0 |
| /etc/ssh/ssh_host.*_key\.pub | sshd_key_t | regularfile | system_u:object_r:sshd_key_t:s0 |
| /opt/NX/home/nx/\.ssh(/.*)? | nx_server_home_ssh_t | allfiles | system_u:object_r:nx_server_home_ssh_t:s0 |
| /root/\.shosts | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /root/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /usr/NX/home/nx/\.ssh(/.*)? | nx_server_home_ssh_t | allfiles | system_u:object_r:nx_server_home_ssh_t:s0 |
| /usr/bin/rssh | rssh_exec_t | regularfile | system_u:object_r:rssh_exec_t:s0 |
| /usr/bin/ssh | ssh_exec_t | regularfile | system_u:object_r:ssh_exec_t:s0 |
| /usr/bin/ssh-agent | ssh_agent_exec_t | regularfile | system_u:object_r:ssh_agent_exec_t:s0 |
| /usr/bin/ssh-keygen | ssh_keygen_exec_t | regularfile | system_u:object_r:ssh_keygen_exec_t:s0 |
| /usr/lib/openssh/ssh-keysign | ssh_keysign_exec_t | regularfile | system_u:object_r:ssh_keysign_exec_t:s0 |
| /usr/lib/systemd/system/sshd-keygen.* | sshd_keygen_unit_file_t | regularfile | system_u:object_r:sshd_keygen_unit_file_t:s0 |
| /usr/lib/systemd/system/sshd.* | sshd_unit_file_t | regularfile | system_u:object_r:sshd_unit_file_t:s0 |
| /usr/libexec/nm-ssh-service | ssh_exec_t | regularfile | system_u:object_r:ssh_exec_t:s0 |
| /usr/libexec/openssh/ssh-keysign | ssh_keysign_exec_t | regularfile | system_u:object_r:ssh_keysign_exec_t:s0 |
| /usr/libexec/rssh_chroot_helper | rssh_chroot_helper_exec_t | regularfile | system_u:object_r:rssh_chroot_helper_exec_t:s0 |
| /usr/sbin/gsisshd | sshd_exec_t | regularfile | system_u:object_r:sshd_exec_t:s0 |
| /usr/sbin/sshd | sshd_exec_t | regularfile | system_u:object_r:sshd_exec_t:s0 |
| /usr/sbin/sshd-keygen | sshd_keygen_exec_t | regularfile | system_u:object_r:sshd_keygen_exec_t:s0 |
| /var/lib/[^/]+/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/amanda/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/gitolite/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/gitolite3/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/nocpulse/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/nxserver/home/.ssh(/.*)? | nx_server_home_ssh_t | allfiles | system_u:object_r:nx_server_home_ssh_t:s0 |
| /var/lib/one/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/openshift/[^/]+/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/openshift/gear/[^/]+/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/pgsql/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/lib/stickshift/[^/]+/\.ssh(/.*)? | ssh_home_t | allfiles | system_u:object_r:ssh_home_t:s0 |
| /var/run/sshd\.init\.pid | sshd_var_run_t | regularfile | system_u:object_r:sshd_var_run_t:s0 |
| /var/run/sshd\.pid | sshd_var_run_t | regularfile | system_u:object_r:sshd_var_run_t:s0 |
------------------------------------------------------------------------------------
##############################################
SELinux Integrity Instrumentation (SII)
##############################################
Current Test#: 4
Test System: cent1
--------------------------------------------------------------------------
Main Menu
1. Enter Test #
2. Enter System Name
3. Run Collect Scripts
4. Run Parsing (boolens, service and context)
5. Run / View Finger Prints
6. Search / View Diffs
7. Search / View Relationships
8. Tools and Utilities
9. Exit
--------------------------------------------------------------------------
Enter your choice [1-9] : 9
Bye


APPENDIX G

SELinux policy update differences: Booleans table analysis output from the Beyond Compare 4.0 application.

Cent1 Test 1 vs Test 2 File Context Diff
Produced: 2/20/15 3:34:39 PM
Mode: Differences
Left file: /Users/mike/Dropbox/SII-results/cent1-booleans-test1.csv
Right file: /Users/mike/Dropbox/SII-results/cent1-booleans-test2.csv

mount_anyfile,Allow mount to anyfile,on,on,3a9bbf4882abec1d75cff73096138ae2

<> mount_anyfile,Allow mount to anyfile,on,on,3f5a9c614b54461d785c70a86345b519

telepathy_connect_all_ports,Allow telepathy to connect all ports,off,off,4b9cec82afe240449b7ab476c9763f61

<> telepathy_connect_all_ports,Allow telepathy to connect all ports,off,off,afeabce2bd6120071d7490f39cb0f119

deny_ptrace,Allow deny to ptrace,off,off,50b2b805ca2720a21eede6c3d852f662

<> deny_ptrace,Allow deny to ptrace,off,off,77ecf1f8501acdcd5a350ce947208cfb

selinuxuser_execmod,Allow selinuxuser to execmod,on,on,38b8a18285cba4595c3439f6bae28001

selinuxuser_execmod,Allow selinuxuser to execmod,on,on,271cad3b3f7ea71ec88eaf13af1d5691

gpg_agent_env_file,Allow gpg to agent env file,off,off,bd42004d6f629ef91738a0de5d63c562

<> glance_use_execmem,Allow glance to use execmem,off,off,54b2e96aa5f4bdb5fc713b3ce5cf2919

telepathy_tcp_connect_generic_network_ports,Allow telepathy to tcp connect generic network ports,on,on,18ae66133dd10c8ddab179350d6484c0

telepathy_tcp_connect_generic_network_ports,Allow telepathy to tcp connect generic network ports,on,on,f882650ec774d0402f5daef03bf944d2

httpd_can_network_connect_db,Allow httpd to can network connect db,off,off,a9344e3da9abf314d11aff85b81ca78b

<> httpd_can_network_connect_db,Allow httpd to can network connect db,off,off,7d9eafc8bd6cc88dd59fa4d5c29ef045

use_ecryptfs_home_dirs,Allow use to ecryptfs home dirs,off,off,27a6cd311e3076c0d9412200c46fc3af

use_ecryptfs_home_dirs,Allow use to ecryptfs home dirs,off,off,2037467d374e3c6d0f3922a15e303d4c

xserver_clients_write_xshm,Allow xserver to clients write xshm,off,off,51a1b18744e6ab53e9ef4fe6a356526a

<> xserver_clients_write_xshm,Allow xserver to clients write xshm,off,off,47a016166429f8c6e4e1b095d4bdb062

virt_use_nfs,Allow virt to use nfs,off,off,39a41e011de9f0056677723702ef209b

<> virt_use_nfs,Allow virt to use nfs,off,off,e49c7e72f73e671b608fd46b24202990

irssi_use_full_network,Allow irssi to use full network,off,off,e94922c7972a8d0a956a2f6f7beacd52

<> swift_can_network,Allow swift to can network,off,off,ef3b9c219af25cabeba8ef90066fa587

git_system_use_cifs,Allow git to system use cifs,off,off,5ecf56ce6f5e33720c1c65f6f71636f3

<> git_system_use_cifs,Allow git to system use cifs,off,off,c4a369ef997ffa033ec8095420d9789d

nscd_use_shm,Allow nscd to use shm,on,on,4c52f198d509cbaa2c0f05d451eccf87

<> nscd_use_shm,Allow nscd to use shm,on,on,1148fe3f9a6e1e92d69eb1bac50dd490

httpd_use_cifs,Allow httpd to use cifs,off,off,83b3f3d917b5bf54fd9bf1caf83f4e67

<> httpd_use_cifs,Allow httpd to use cifs,off,off,7c272a2ec2b0bc2fb149e06d538e1739

secure_mode,Allow secure to mode,off,off,cf1e4cbdae8d07686a2541ce839ae7b5

<> secure_mode,Allow secure to mode,off,off,bcacbc1b61f67dbd6e664eebe5ec5026

use_samba_home_dirs,Allow use to samba home dirs,off,off,87024ff36b4cd45ae147e5fc0a8fb3bc

<> use_samba_home_dirs,Allow use to samba home dirs,off,off,340120715cfb16490eb8ed7c4c5ec133

selinuxuser_rw_noexattrfile,Allow selinuxuser to rw noexattrfile,on,on,3998a0b20bfbfd713670bd00f040216f

<> selinuxuser_rw_noexattrfile,Allow selinuxuser to rw noexattrfile,on,on,e1653bc16ce84f3651b9113c5f376b52

authlogin_nsswitch_use_ldap,Allow authlogin to nsswitch use ldap,off,off,eb1fd04d6e8075286374f835248bcbc3

authlogin_nsswitch_use_ldap,Allow authlogin to nsswitch use ldap,off,off,aa884f61038b96c0cd0f4bf7fd579946

zabbix_can_network,Allow zabbix to can network,off,off,7aece7c32a26fd6bf8a2c7a88a18752d

<> zabbix_can_network,Allow zabbix to can network,off,off,e4ca9552d6a207959ee0e0f05ef3e9bc

httpd_enable_homedirs,Allow httpd to enable homedirs,off,off,86abba1237d377c0927905c5b8b0c06d

<> httpd_enable_homedirs,Allow httpd to enable homedirs,off,off,65ca8266c570042a13b69e97f52cbd34

-+ glance_use_fusefs,Allow glance to use fusefs,off,off,bd691cc5b517671d9e49c11d36f2519e

pppd_for_user,Allow pppd to for user,off,off,93cdeb7ba3c996faa98937f28629197e

<> pppd_for_user,Allow pppd to for user,off,off,71bb6b90b0798780a88b5b5e00662850

selinuxuser_use_ssh_chroot,Allow selinuxuser to use ssh chroot,off,off,7b0f3d5fe7113caef098ace0f2112ec6

selinuxuser_use_ssh_chroot,Allow selinuxuser to use ssh chroot,off,off,4aacee0812c0cdbdd1443d9ed2e62aea

fips_mode,Allow fips to mode,on,on,77f1704cd47819ad0540f56a036d9dda

<> fips_mode,Allow fips to mode,on,on,ae18970fe41e27d85ccdfeae04f66a3c

git_system_use_nfs,Allow git to system use nfs,off,off,a9000283f5edf6e3634c85a4349c0a2f

<> git_system_use_nfs,Allow git to system use nfs,off,off,f5c7a2953231bdf2aa78c9b4f49c6e24

httpd_unified,Allow httpd to unified,off,off,e528887c28c32ea0fbc50c0bc7352463

<> httpd_unified,Allow httpd to unified,off,off,599c4d182ba0e1c1e4c5fdca34144b1e

httpd_mod_auth_pam,Allow httpd to mod auth pam,off,off,72e634592fa8f5ec708faf90b0b5f03d

<> httpd_mod_auth_pam,Allow httpd to mod auth pam,off,off,70c359586aeed6d17830aba6d224313e

-+ gpg_agent_env_file,Allow gpg to agent env file,off,off,bd42004d6f629ef91738a0de5d63c562

authlogin_yubikey,Allow authlogin to yubikey,off,off,61a9378dd0bf22a72246efd7580e3efd

<> authlogin_yubikey,Allow authlogin to yubikey,off,off,9f1b1c3bc18f37ad8fe1e9c31ba1a1e3

httpd_use_fusefs,Allow httpd to use fusefs,off,off,41ed8c8e9b3cc60ec94c7624eeecfd3a

<> httpd_use_fusefs,Allow httpd to use fusefs,off,off,eaf43c5d6cd2218a0c58c076153436db

httpd_can_network_connect,Allow httpd to can network connect,off,off,6e0a73f08d434ea87741e607e6f86009

<> httpd_can_network_connect,Allow httpd to can network connect,off,off,c132e0f9cb4ddffcf0dfffa34a3799d4

login_console_enabled,Allow login to console enabled,on,on,770cd3d292a353076a6c9e2c362c52c2

login_console_enabled,Allow login to console enabled,on,on,b2bcd0ca8385140d13da6d96ca17d3f0

selinuxuser_postgresql_connect_enabled,Allow selinuxuser to postgresql connect enabled,off,off,5f0885a97d1b59a87bd9fe4f3f19f557

<> selinuxuser_postgresql_connect_enabled,Allow selinuxuser to postgresql connect enabled,off,off,00a521e2ee74c0b22718294a4f64c81e

mplayer_execstack,Allow mplayer to execstack,off,off,396db8058b18233ab42061211e779ae3

<> mplayer_execstack,Allow mplayer to execstack,off,off,26486eb6048c204545c35b72ec92c009

use_fusefs_home_dirs,Allow use to fusefs home dirs,off,off,df479c1916e9d9c83e998fc9ca52f625

<> use_fusefs_home_dirs,Allow use to fusefs home dirs,off,off,37fec8a1518d61bc1c4107c366d2177d

selinuxuser_execheap,Allow selinuxuser to execheap,off,off,1c8fc0fe6b5c8ac1924c00ab2009f4dc

selinuxuser_execheap,Allow selinuxuser to execheap,off,off,bb89d1fdfd3ae184dcc586640ef4e27a

nis_enabled,Allow nis to enabled,off,off,82696bc74fa8a3cf162701fbebd81c78

<> nis_enabled,Allow nis to enabled,off,off,d6383c9ec1bdad41445e4836963f29fd

unconfined_login,Allow unconfined to login,on,on,72a5aff28835e535da4f51116e526654

unconfined_login,Allow unconfined to login,on,on,d00f1966d0b8288fe371fb2b171c5d66

secure_mode_insmod,Allow secure to mode insmod,off,off,9ee41c0014a1b5057b1db4671b213598

secure_mode_insmod,Allow secure to mode insmod,off,off,bbca0a2e14e3a3c9ab5190de1b893e81

selinuxuser_execstack,Allow selinuxuser to execstack,on,on,e8c34c10844243b4ce726a4f8b6919da

<> selinuxuser_execstack,Allow selinuxuser to execstack,on,on,742d9c909a8eada15cdf25ab8be868f7

samba_domain_controller,Allow samba to domain controller,off,off,9913d50ca70a1d6560a630c92fe1d398

samba_domain_controller,Allow samba to domain controller,off,off,de7544884183d2fdc362bec08caba7c3

pcp_bind_all_unreserved_ports,Allow pcp to bind all unreserved ports,off,off,f478d1a020b16f1bdb36d8fbfac15021

<> puppetagent_manage_all_files,Allow puppetagent to manage all files,off,off,0dbe309e3f4125c0cf7c299bdec5b8bb

httpd_read_user_content,Allow httpd to read user content,off,off,f4b4bf5fe392e40e83b33bcaaa9ab482

httpd_read_user_content,Allow httpd to read user content,off,off,650fcf28b3c64df987798c566ec11cf6

httpd_use_nfs,Allow httpd to use nfs,off,off,2876e5b8f3af4fd51d975d2b6643e82f

httpd_use_nfs,Allow httpd to use nfs,off,off,5ba20c11dc96406cbea97d502bb1902c

unconfined_chrome_sandbox_transition,Allow unconfined to chrome sandbox transition,on,on,b9aca9f962a59f732163c6afede313df

unconfined_chrome_sandbox_transition,Allow unconfined to chrome sandbox transition,on,on,3bbfbd4318b207c23a858497cd468bc3

sge_use_nfs,Allow sge to use nfs,off,off,41cc9bedff9fbd376303a70601f11ad1

<> sge_use_nfs,Allow sge to use nfs,off,off,0c8bafdb2acf5ffbd7fb2046fa46b76d

xguest_use_bluetooth,Allow xguest to use bluetooth,on,on,f72704d690d01ac5b2a368bbdfb01370

xguest_use_bluetooth,Allow xguest to use bluetooth,on,on,1f3c1fa1cd7fff70680f5b638541962c

zarafa_setrlimit,Allow zarafa to setrlimit,off,off,086a860273db7e927dd4340a91cf44dd

<> zarafa_setrlimit,Allow zarafa to setrlimit,off,off,35b1a387e3b4798a20e526771ebfee4e

httpd_can_sendmail,Allow httpd to can sendmail,off,off,272e440c86469f3e081c40f47c7d0ff2

<> httpd_can_sendmail,Allow httpd to can sendmail,off,off,cc1f66a346c741fc63406fdc3e80c778

mmap_low_allowed,Allow mmap to low allowed,off,off,3457855f76f217fe7d2b417ccf4a2d29

<> mmap_low_allowed,Allow mmap to low allowed,off,off,f497f9c15ea4f743ea904e0d309b71ca

httpd_dbus_avahi,Allow httpd to dbus avahi,off,off,47529560281dc3c404987f233c2ea765

<> httpd_dbus_avahi,Allow httpd to dbus avahi,off,off,efe97f4efc548ec3d300bb924b57b6dd

kerberos_enabled,Allow kerberos to enabled,on,on,b3f43272df238d74267636c6ced48cf6

<> kerberos_enabled,Allow kerberos to enabled,on,on,fcccd8277d190a7f22bd5626c48de9d9

git_session_users,Allow git to session users,off,off,918928fdc82abb674ff042db478da8fa

<> git_session_users,Allow git to session users,off,off,4f65bcd99c51b06a3bc55e03e63216ec

deny_execmem,Allow deny to execmem,off,off,1570f8b009f49299a2991c1a1e9960c3

<> deny_execmem,Allow deny to execmem,off,off,1caf42e3e1cc6dcfd4c362e6bb575855

<> neutron_can_network,Allow neutron to can network,off,off,cdd31abf4b22b3270e126ee8ae73c139

use_nfs_home_dirs,Allow use to nfs home dirs,off,off,16ea2dc1effc6e1a07f7281922a5d4fb

use_nfs_home_dirs,Allow use to nfs home dirs,off,off,c3a637d5ad147409722341768f30ff32

-+ glance_api_can_network,Allow glance to api can network,off,off,2b782af7a2de6c516a2aa8b14b7791b9

abrt_handle_event,Allow abrt to handle event,off,off,5a6a245cbd8bf9c63f29855211761a1d

<> abrt_handle_event,Allow abrt to handle event,off,off,b8fbeb4db31a6a444402f7ecfbf510c7

httpd_execmem,Allow httpd to execmem,off,off,fcf0a58fad9864d4683850b037b3e3b4

<> httpd_execmem,Allow httpd to execmem,off,off,b46e478ad1e174c4325e6622c67e29dd

puppet_manage_all_files,Allow puppet to manage all files,off,off,e60b550a1e0abc275fea4ced8ab62720

+-

-+ irssi_use_full_network,Allow irssi to use full network,off,off,e94922c7972a8d0a956a2f6f7beacd52

-+ pcp_bind_all_unreserved_ports,Allow pcp to bind all unreserved ports,off,off,f478d1a020b16f1bdb36d8fbfac15021

ssh_sysadm_login,Allow ssh to sysadm login,off,off,cd0d99826562c95d5319a93cc7b11a11

<> ssh_sysadm_login,Allow ssh to sysadm login,off,off,67e5a30d89c26ad950de79671ecb717d

virt_use_samba,Allow virt to use samba,off,off,0304fe6dbe779d540b4d523c2791007a

<> virt_use_samba,Allow virt to use samba,off,off,ed38e4f5f254b64ef2ea1a9f37e1c5cd

cluster_use_execmem,Allow cluster to use execmem,off,off,539ac2074243be58362dcad041a5853e

cluster_use_execmem,Allow cluster to use execmem,off,off,4d281049346b7501471abef638ed689b

sftpd_anon_write,Allow sftpd to anon write,off,off,3801baff8ee1a921f6cafb6890a84d83

<> sftpd_anon_write,Allow sftpd to anon write,off,off,b96418d8735ae576f3e1461955dd2134
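The comparison above mixes two kinds of difference that an integrity monitor needs to keep apart: rows whose fifth (hash) column differs between Test 1 and Test 2 while the on/off values are identical, and rows that exist in only one of the two files. The Python script below is an added example and is not part of the SII scripts described in this dissertation. It assumes the five-column line format visible in this appendix (name, description, current value, default value, hash; treating the third column as the current value and the fourth as the policy default is an assumption). Its sample input is constructed from a handful of lines copied from the two files, with the Test 2 value of httpd_can_network_connect altered to "on" so that a genuine state change appears (the appendix itself shows off,off on both sides for that boolean). It classifies every boolean as added, removed, state changed, hash-only changed, or unchanged, and also computes a hypothetical content fingerprint over the sorted (name, current, default) triples that stays constant when only the recorded per-row hash differs.

```python
"""Classify differences between two SII-style SELinux boolean CSV files.

Added example; not the dissertation's own SII code. Assumed line format:
    name,description,current,default,hash
"""
import csv
import hashlib
import io
from dataclasses import dataclass

# Constructed sample input: lines copied from the Appendix G left (Test 1)
# and right (Test 2) files. The Test 2 line for httpd_can_network_connect
# has been altered to "on" to create a real state change for the demo.
TEST1 = """\
mount_anyfile,Allow mount to anyfile,on,on,3a9bbf4882abec1d75cff73096138ae2
deny_ptrace,Allow deny to ptrace,off,off,50b2b805ca2720a21eede6c3d852f662
gpg_agent_env_file,Allow gpg to agent env file,off,off,bd42004d6f629ef91738a0de5d63c562
httpd_can_network_connect,Allow httpd to can network connect,off,off,6e0a73f08d434ea87741e607e6f86009
"""
TEST2 = """\
mount_anyfile,Allow mount to anyfile,on,on,3f5a9c614b54461d785c70a86345b519
deny_ptrace,Allow deny to ptrace,off,off,77ecf1f8501acdcd5a350ce947208cfb
glance_use_execmem,Allow glance to use execmem,off,off,54b2e96aa5f4bdb5fc713b3ce5cf2919
httpd_can_network_connect,Allow httpd to can network connect,on,off,c132e0f9cb4ddffcf0dfffa34a3799d4
"""


@dataclass(frozen=True)
class Boolean:
    name: str
    description: str
    current: str   # assumption: third column is the live value
    default: str   # assumption: fourth column is the policy default
    digest: str    # fifth column exactly as the collector recorded it


def parse_booleans(text):
    """Parse CSV text in the assumed five-column format into {name: Boolean}."""
    result = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != 5:
            raise ValueError("expected 5 columns, got %d: %r" % (len(row), row))
        name, desc, cur, dflt, digest = (field.strip() for field in row)
        if cur not in ("on", "off") or dflt not in ("on", "off"):
            raise ValueError("boolean state must be on/off: %r" % row)
        if name in result:
            raise ValueError("duplicate boolean %s" % name)
        result[name] = Boolean(name, desc, cur, dflt, digest)
    return result


def classify(left, right):
    """Split two parsed files into added/removed/state_changed/hash_only/unchanged."""
    names_l, names_r = set(left), set(right)
    out = {
        "added": sorted(names_r - names_l),       # only in the newer file
        "removed": sorted(names_l - names_r),     # only in the older file
        "state_changed": [],                      # on/off or default changed
        "hash_only": [],                          # same state, different hash column
        "unchanged": [],
    }
    for name in sorted(names_l & names_r):
        a, b = left[name], right[name]
        if (a.current, a.default) != (b.current, b.default):
            out["state_changed"].append((name, a.current, b.current))
        elif a.digest != b.digest:
            out["hash_only"].append(name)
        else:
            out["unchanged"].append(name)
    return out


def content_fingerprint(booleans):
    """Hypothetical whole-file fingerprint over sorted (name,current,default).

    Unlike the per-row hash column, this digest changes only when a boolean
    is added, removed, or flips state.
    """
    h = hashlib.sha256()
    for name in sorted(booleans):
        b = booleans[name]
        h.update(("%s,%s,%s\n" % (name, b.current, b.default)).encode())
    return h.hexdigest()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # two real SII boolean CSV files
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            left_text, right_text = f1.read(), f2.read()
    else:                    # fall back to the embedded constructed sample
        left_text, right_text = TEST1, TEST2
    left, right = parse_booleans(left_text), parse_booleans(right_text)
    result = classify(left, right)
    for key in ("added", "removed", "state_changed", "hash_only"):
        print("%-14s %s" % (key + ":", result[key]))
    print("content fingerprint left:  %s" % content_fingerprint(left))
    print("content fingerprint right: %s" % content_fingerprint(right))
```

Run it with no arguments to see the classification of the embedded sample, or pass the paths of two collected boolean CSV files (for example the cent1-booleans-test1.csv and cent1-booleans-test2.csv named above) to compare a real pair. Only the "state_changed", "added" and "removed" buckets warrant an alert; a non-empty "hash_only" bucket with everything else empty means the recorded hash column varies between runs for reasons other than boolean state.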