Has anybody already done a policy file for Tripwire or its open-sourced replacement 'aide'?
Trying to run 'tripwire --check' from a cron job gets this:
Apr 27 04:03:37 orange kernel: audit(1083053017.355:0): avc: denied { write } for pid=14045 exe=/usr/sbin/tripwire name=tripwire dev=dm-5 ino=22529 scontext=system_u:system_r:system_crond_t tcontext=system_u:object_r:var_t tclass=dir
when trying to open the TEMPDIRECTORY directory:
# ls -ld --context /var/tripwire/
drwx------+ root root system_u:object_r:var_t /var/tripwire/
(The actual database files are here:
# ls --context /var/lib/tripwire
-rw-------+ root root system_u:object_r:var_lib_t orange.cirt.vt.edu.twd
-rw------- root root system_u:object_r:var_lib_t orange.cirt.vt.edu.twd.bak
drwxr-xr-x+ root root system_u:object_r:var_lib_t report
It occurs to me that it would be simple but incorrect to just use setfilecon to coerce the contexts into something that works, and that a separate set of tripwire_t and/or aide_t contexts is probably desired. Having no wish to reinvent the wheel, has anybody done this already?
On Wed, 28 Apr 2004 03:52, Valdis.Kletnieks@vt.edu wrote:
> Has anybody already done a policy file for Tripwire or its open-sourced replacement 'aide'?
Why not run it in the domain backup_t? Tripwire and backup programs both need read access to all files...
On Mon, 03 May 2004 02:45:39 +1000, Russell Coker said:
> On Wed, 28 Apr 2004 03:52, Valdis.Kletnieks@vt.edu wrote:
> > Has anybody already done a policy file for Tripwire or its open-sourced replacement 'aide'?
> Why not run it in the domain backup_t? Tripwire and backup programs both need read access to all files..
Good hint - I'll have to chase that. Looks like it's almost but not quite what I want - looks like a few lines of tweaking should suffice (I'm pretty sure that can_network can be heaved over the side of the .te file, and I need other directories labeled with backup_store_t in the .fc file).
On Tue, 4 May 2004 04:02, Valdis.Kletnieks@vt.edu wrote:
> On Mon, 03 May 2004 02:45:39 +1000, Russell Coker said:
> > On Wed, 28 Apr 2004 03:52, Valdis.Kletnieks@vt.edu wrote:
> > > Has anybody already done a policy file for Tripwire or its open-sourced replacement 'aide'?
> > Why not run it in the domain backup_t? Tripwire and backup programs both need read access to all files..
> Good hint - I'll have to chase that. Looks like it's almost but not quite what I want - looks like a few lines of tweaking should suffice (I'm pretty sure that can_network can be heaved over the side of the .te file, and I need other directories labeled with backup_store_t in the .fc file).
However a tripwire program that sends md5 checksums over the wire could be handy.
If there are standard locations for the tripwire database and binaries then let me know and I'll add them to the policy.
On Tue, May 04, 2004 at 07:27:44AM +1000, Russell Coker wrote: ....
> If there are standard locations for the tripwire database and binaries then let me know and I'll add them to the policy.
The below should be a fair start:
# rpm -qa | grep trip
tripwire-2.3.1-17
========
# rpm -q --list tripwire-2.3.1-17
/etc/cron.daily/tripwire-check
/etc/tripwire
/etc/tripwire/twcfg.txt
/etc/tripwire/twinstall.sh
/etc/tripwire/twpol.txt
/usr/sbin/siggen
/usr/sbin/tripwire
/usr/sbin/twadmin
/usr/sbin/twprint
/usr/share/doc/tripwire-2.3.1
/usr/share/doc/tripwire-2.3.1/COPYING
/usr/share/doc/tripwire-2.3.1/ChangeLog
/usr/share/doc/tripwire-2.3.1/README
/usr/share/doc/tripwire-2.3.1/README.RPM
/usr/share/doc/tripwire-2.3.1/Release_Notes
/usr/share/doc/tripwire-2.3.1/TRADEMARK
/usr/share/doc/tripwire-2.3.1/policyguide.txt
/usr/share/doc/tripwire-2.3.1/quickstart.gif
/usr/share/doc/tripwire-2.3.1/quickstart.txt
/usr/share/man/man4/twconfig.4.gz
/usr/share/man/man4/twpolicy.4.gz
/usr/share/man/man5/twfiles.5.gz
/usr/share/man/man8/siggen.8.gz
/usr/share/man/man8/tripwire.8.gz
/usr/share/man/man8/twadmin.8.gz
/usr/share/man/man8/twintro.8.gz
/usr/share/man/man8/twprint.8.gz
/var/lib/tripwire
/var/lib/tripwire/report
========
# cat /tmp/trip-stuff
edited from "locate tripwire"
/var/lib/tripwire
/var/lib/tripwire/report
/var/lib/tripwire/report/xtl2.xtl.tenegg.com-20040303-172709.twr
....
/var/lib/tripwire/report/xtl2.xtl.tenegg.com-20040502-044143.twr
/var/lib/tripwire/report
/var/lib/tripwire/xtl2.xtl.tenegg.com.twd
/var/lib/tripwire/xtl2.xtl.tenegg.com.twd.bak
/var/lib/tripwire
/etc/cron.daily/tripwire-check
/etc/tripwire
/etc/tripwire/twinstall.sh
/etc/tripwire/twcfg.txt
/etc/tripwire/site.key
/etc/tripwire/twpol.txt
/etc/tripwire/tw.cfg
/etc/tripwire/tw.pol
/etc/tripwire/tw.cfg.5383.bak
/etc/tripwire/tw.pol.bak
/etc/tripwire/xtl2.xtl.tenegg.com-local.key
/etc/tripwire/tw.cfg.1891.bak
/etc/tripwire
/usr/sbin/tripwire