* Inputs w.r.t understanding of selinux notification and systemcall
@ 2020-12-27  8:47 Ashish Mishra
From: Ashish Mishra @ 2020-12-27  8:47 UTC (permalink / raw)
  To: SElinux list

Hi All,

For one of our internal projects we wanted to evaluate the functionality below.
Can group members please share any input w.r.t. whether the aspects below can be
implemented, or any pointers on the same:

a) Is there any mechanism to generate an event / notification for
selinux denials?
    (Say we have an action which is denied; instead of the user
     reading the log file, is there any notification mechanism which can be used?)

b) Is there any mechanism to block calling of certain system calls
/ library calls?
   (The idea is to discourage certain container instances from calling some
    predefined system calls & library functions.)

Any pointers, comments or feedback on these two points will be helpful.

Thanks,
Ashish


* Re: Inputs w.r.t understanding of selinux notification and systemcall
From: Ashish Mishra @ 2021-01-01  7:15 UTC (permalink / raw)
  To: SElinux list, Paul Moore

Hi Group Members,

Good Morning & Happy New Year!

Can group members please provide any input / feedback on support for the
functionality below in SELinux:

a) Is there any mechanism to generate an event / notification for
selinux denials?
     I came across Logstash, Logentries and Splunk, which I am
currently looking at.
     Is there any SELinux-equivalent plugin or any other SELinux-specific
way?

b) Is there any mechanism to block certain system calls / library calls?
    I came across "seccomp" from https://lwn.net/Articles/656307/
    But is there any SELinux-equivalent plugin or any other SELinux-specific
way, or should "seccomp" be the preferred way for this task?

Any pointers / feedback / inputs on the same will be helpful.


Thanks,
Ashish
Thanks,
Ashish




On Sun, Dec 27, 2020 at 2:17 PM Ashish Mishra <ashishm@mvista.com> wrote:
>
> Hi All ,
>
> For one of our internal projects we wanted to evaluate the functionality below .
> Can group member please share any input w.r.t below aspect can be
> implemented or any pointers on same :
>
> a) Is there any mechanism to generate an event / notification for
> selinux denials
>     ( like say we have an action which is denied , so instead of user
> reading log
>       file if there is any notification mechanism which can be used )
>
> b) If there is any mechanism to block calling of certain system call's
> / library calls .
>    ( idea is to discourage certain instances of container to avoid calling some
>      predefined system call & library functions )
>
> Any pointers or comments or feedback on these two points will be helpful .
>
> Thanks ,
> Ashish


* Re: Inputs w.r.t understanding of selinux notification and systemcall
From: Richard Haines @ 2021-01-01 11:57 UTC (permalink / raw)
  To: Ashish Mishra, SElinux list, Paul Moore

On Fri, 2021-01-01 at 12:45 +0530, Ashish Mishra wrote:
> Hi Group Members ,
> 
> Good Morning & Happy new Year !
> 
> Can group member please provide any input / feedback for below
> functionality support in SELINUX :
> 
> a) Is there any mechanism to generate an event / notification for
> selinux denials
>      I came across Logstash, Logentries and Splunk , which i am
> currently looking at.
>      Is there any selinux equivalent plugin or any other way for
> selinux specific.

Have you looked at using the audit log services (auparse, ausearch,
etc.)?

This has the code and a number of examples for detecting AVC entries:
https://github.com/linux-audit/audit-userspace

Some sample programs here:
https://security-plus-data-science.blogspot.com/2017/04/writing-basic-auparse-program.html

This is an example where I wanted to detect specific events in the
testsuite (you should be able to pick the relevant bits):
https://lore.kernel.org/selinux/20201104164913.11536-2-richard_c_haines@btinternet.com/



> 
> b) Is there any mechanism to block certain system call / library
> calls ?
>     I came across "seccomp" from https://lwn.net/Articles/656307/
>     But is there any selinux equivalent plugin or any other way for
> selinux specific.
>     or "seccomp" should be the preferred way for this task .
> 
> Any pointer / feedback / inputs will be helpful on the same
> 
> 
> Thanks ,
> Ashish
> Thanks ,
> Ashish
> 
> 
> 
> 
> On Sun, Dec 27, 2020 at 2:17 PM Ashish Mishra <ashishm@mvista.com>
> wrote:
> > 
> > Hi All ,
> > 
> > For one of our internal projects we wanted to evaluate the
> > functionality below .
> > Can group member please share any input w.r.t below aspect can be
> > implemented or any pointers on same :
> > 
> > a) Is there any mechanism to generate an event / notification for
> > selinux denials
> >     ( like say we have an action which is denied , so instead of
> > user
> > reading log
> >       file if there is any notification mechanism which can be used
> > )
> > 
> > b) If there is any mechanism to block calling of certain system
> > call's
> > / library calls .
> >    ( idea is to discourage certain instances of container to avoid
> > calling some
> >      predefined system call & library functions )
> > 
> > Any pointers or comments or feedback on these two points will be
> > helpful .
> > 
> > Thanks ,
> > Ashish
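The approach Richard points at (detecting AVC records in the audit stream and acting on them instead of having someone read the log) can be shown without libauparse. The following is an added example, not code from the thread or from audit-userspace: a small Python parser for the kernel's `type=AVC` record layout that extracts the verdict, permissions, scontext/tcontext/tclass and the `permissive` flag, filters to real (enforced) denials, and hands each one to a notification callback. The audit lines it runs over are constructed samples with made-up PIDs, inodes and contexts; in practice the same function would be fed lines from `ausearch -m avc` or an audit dispatcher plugin.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Iterator, List, Optional

# Constructed sample audit records (hypothetical values, not from a real host).
# Serial 456 is an enforced denial with its matching SYSCALL record, 457 is a
# denial from a permissive domain (logged but not blocked), 458 is a grant.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1609502245.123:456): avc:  denied  { read } for  pid=1234 comm="cat" name="shadow" dev="dm-0" ino=262145 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1609502245.123:456): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5 a2=0 a3=0 items=1 ppid=1000 pid=1234 comm="cat" exe="/usr/bin/cat" subj=system_u:system_r:container_t:s0:c12,c34 key=(null)
type=AVC msg=audit(1609502250.000:457): avc:  denied  { name_connect } for  pid=1300 comm="curl" dest=443 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1609502251.500:458): avc:  granted  { setenforce } for  pid=99 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=0
"""

# Kernel AVC record layout:
#   type=AVC msg=audit(<secs.msecs>:<serial>): avc:  <denied|granted>  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (comm, name, dev) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcEvent:
    timestamp: float
    serial: int
    verdict: str               # "denied" or "granted"
    permissions: List[str]     # e.g. ["read"] or ["read", "write"]
    fields: Dict[str, str]     # scontext, tcontext, tclass, comm, pid, permissive, ...

    @property
    def enforced(self) -> bool:
        """True only for a denial that actually blocked the access (permissive=0)."""
        return self.verdict == "denied" and self.fields.get("permissive") == "0"


def parse_avc(line: str) -> Optional[AvcEvent]:
    """Parse one audit record; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcEvent(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        verdict=m.group("verdict"),
        permissions=m.group("perms").split(),
        fields=fields,
    )


def iter_denials(lines: Iterable[str], include_permissive: bool = False) -> Iterator[AvcEvent]:
    """Yield denial events from a stream of audit records; enforced denials only by default."""
    for line in lines:
        ev = parse_avc(line)
        if ev is None or ev.verdict != "denied":
            continue
        if ev.enforced or include_permissive:
            yield ev


def format_notification(ev: AvcEvent) -> str:
    """One-line summary suitable for a notification channel (syslog, chat hook, SIEM)."""
    f = ev.fields
    mode = "enforced" if ev.enforced else "permissive"
    return (f"SELinux {ev.verdict} ({mode}) {{ {' '.join(ev.permissions)} }} on {f.get('tclass')} "
            f"by {f.get('scontext')} -> {f.get('tcontext')} (comm={f.get('comm')} pid={f.get('pid')})")


def watch(lines: Iterable[str], notify: Callable[[str], None], include_permissive: bool = False) -> int:
    """Send each matching denial to `notify`; return how many notifications were sent."""
    count = 0
    for ev in iter_denials(lines, include_permissive):
        notify(format_notification(ev))
        count += 1
    return count


if __name__ == "__main__":
    # Stand-alone run: print every denial, including the permissive-domain one.
    watch(SAMPLE_AUDIT_LOG.splitlines(), print, include_permissive=True)
```

The `permissive` field matters for the notification use case: a denial logged by a permissive domain (or with the whole system in permissive mode) was not actually blocked, so it is usually routed to a lower-severity channel than an enforced denial. The SYSCALL record that shares the denial's serial number is deliberately ignored here; auparse would group the two into one event, and a fuller tool would use it to recover the syscall number and exit code.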


