* Inputs w.r.t understanding of selinux notification and systemcall
From: Ashish Mishra @ 2020-12-27 8:47 UTC (permalink / raw)
To: SElinux list
Hi All,
For one of our internal projects we wanted to evaluate the functionality below.
Can group members please share any input on whether the aspects below can be
implemented, or any pointers on the same:
a) Is there any mechanism to generate an event / notification for
SELinux denials?
(Say we have an action which is denied; instead of the user reading the log
file, is there any notification mechanism which can be used?)
b) Is there any mechanism to block calling of certain system calls
/ library calls?
(The idea is to discourage certain container instances from calling some
predefined system calls & library functions.)
Any pointers or comments or feedback on these two points will be helpful.
Thanks,
Ashish
* Re: Inputs w.r.t understanding of selinux notification and systemcall
From: Ashish Mishra @ 2021-01-01 7:15 UTC (permalink / raw)
To: SElinux list, Paul Moore
Hi Group Members,
Good Morning & Happy New Year!
Can group members please provide any input / feedback on support for the
functionality below in SELinux:
a) Is there any mechanism to generate an event / notification for
SELinux denials?
I came across Logstash, Logentries and Splunk, which I am
currently looking at.
Is there any SELinux equivalent plugin or any other SELinux-specific way?
b) Is there any mechanism to block certain system calls / library calls?
I came across "seccomp" from https://lwn.net/Articles/656307/
But is there any SELinux equivalent plugin or any other SELinux-specific way,
or should "seccomp" be the preferred way for this task?
Any pointers / feedback / inputs on the same will be helpful.
Thanks,
Ashish
* Re: Inputs w.r.t understanding of selinux notification and systemcall
From: Richard Haines @ 2021-01-01 11:57 UTC (permalink / raw)
To: Ashish Mishra, SElinux list, Paul Moore
On Fri, 2021-01-01 at 12:45 +0530, Ashish Mishra wrote:
> Hi Group Members,
>
> Good Morning & Happy New Year!
>
> Can group members please provide any input / feedback on support for the
> functionality below in SELinux:
>
> a) Is there any mechanism to generate an event / notification for
> SELinux denials?
> I came across Logstash, Logentries and Splunk, which I am
> currently looking at.
> Is there any SELinux equivalent plugin or any other SELinux-specific way?
Have you looked at using the audit log services (auparse, ausearch
etc.)?
This has the code and a number of examples for detecting AVC entries:
https://github.com/linux-audit/audit-userspace
Some sample programs here:
https://security-plus-data-science.blogspot.com/2017/04/writing-basic-auparse-program.html
This is an example where I wanted to detect specific events in the
testsuite (you should be able to pick out the relevant bits):
https://lore.kernel.org/selinux/20201104164913.11536-2-richard_c_haines@btinternet.com/
>
> b) Is there any mechanism to block certain system calls / library
> calls?
> I came across "seccomp" from https://lwn.net/Articles/656307/
> But is there any SELinux equivalent plugin or any other SELinux-specific way,
> or should "seccomp" be the preferred way for this task?
>
> Any pointers / feedback / inputs on the same will be helpful.
>
> Thanks,
> Ashish
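The approach Richard points at (watch the audit stream for AVC records and act on them instead of having a user read the log) in a small worked form. This is an added example for this thread, not code from the audit-userspace project or from any poster. It deliberately uses a plain regular-expression parser over the textual kernel AVC record format rather than libauparse, so it runs without the audit libraries installed; in production you would feed it from `ausearch -m AVC`, an audisp plugin, or replace `parse_avc` with auparse calls. The sample audit lines are constructed, the function names are this example's own, and the parser does not decode the hex-encoded `comm`/`name` values the kernel emits when those strings contain unusual characters, nor the USER_AVC records produced by userspace object managers.

```python
"""Turn SELinux AVC denials in audit-log lines into notification events.

Added illustration for the thread above; assumes kernel-style AVC records
(type=AVC ... avc:  denied  { perms } for  key=value ...).  Constructed
sample lines are embedded below so the module runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional

# One AVC record: timestamp:serial, denied/granted, the permission set in
# braces, then a run of key=value fields (pid, comm, scontext, tcontext, ...).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class AvcEvent:
    timestamp: float
    serial: int
    result: str                      # "denied" or "granted"
    perms: List[str] = field(default_factory=list)
    pid: Optional[int] = None
    comm: Optional[str] = None
    scontext: Optional[str] = None   # source (subject) security context
    tcontext: Optional[str] = None   # target (object) security context
    tclass: Optional[str] = None     # object class, e.g. file, tcp_socket
    permissive: bool = False         # 1 when the domain was in permissive mode


def parse_avc(line: str) -> Optional[AvcEvent]:
    """Parse one audit-log line; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return AvcEvent(
        timestamp=float(m.group('ts')),
        serial=int(m.group('serial')),
        result=m.group('result'),
        perms=m.group('perms').split(),
        pid=int(fields['pid']) if 'pid' in fields else None,
        comm=fields.get('comm'),
        scontext=fields.get('scontext'),
        tcontext=fields.get('tcontext'),
        tclass=fields.get('tclass'),
        permissive=fields.get('permissive') == '1',
    )


def detect_denials(lines: Iterable[str],
                   notify: Optional[Callable[[AvcEvent], None]] = None,
                   include_permissive: bool = False) -> List[AvcEvent]:
    """Scan audit lines and call notify(event) for every enforced denial.

    Records with permissive=1 describe actions the policy would have blocked
    but did not; they are reported only when include_permissive is set.
    """
    events: List[AvcEvent] = []
    for line in lines:
        ev = parse_avc(line)
        if ev is None or ev.result != 'denied':
            continue
        if ev.permissive and not include_permissive:
            continue
        events.append(ev)
        if notify is not None:
            notify(ev)
    return events


def format_notification(ev: AvcEvent) -> str:
    """One-line human-readable message, e.g. for a chat hook or syslog."""
    mode = 'permissive' if ev.permissive else 'enforcing'
    return (f"[{mode}] {ev.scontext} -> {ev.tcontext} ({ev.tclass}): "
            f"{' '.join(ev.perms)} denied for pid={ev.pid} comm={ev.comm} "
            f"(audit serial {ev.serial})")


# Constructed sample records (not from a real system).
SAMPLE_LINES = [
    'type=AVC msg=audit(1609500000.123:456): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" dev="dm-0" ino=98765 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1609500000.123:456): arch=c000003e syscall=257 success=no exit=-13 items=1 pid=1234 comm="cat" exe="/usr/bin/cat" subj=system_u:system_r:container_t:s0:c1,c2 key=(null)',
    'type=AVC msg=audit(1609500001.000:457): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security',
    'type=AVC msg=audit(1609500002.500:458): avc:  denied  { name_connect } for  pid=2222 comm="curl" dest=443 scontext=system_u:system_r:container_t:s0:c3,c4 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1',
]

if __name__ == '__main__':
    # Replace print with whatever delivers the alert (syslog, webhook, ...).
    detect_denials(SAMPLE_LINES, notify=lambda ev: print(format_notification(ev)),
                   include_permissive=True)
```

The `notify` callback is the integration point: hand it a function that posts to Logstash or Splunk, and the denial reaches the operator without anyone tailing `/var/log/audit/audit.log`. Keeping permissive-mode records separate matters for the container use case in the thread, since a domain in permissive mode produces AVC records for actions that actually succeeded.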