file access audits (NISPOM Chapter 8)

david colbert davidecolbert at yahoo.com
Wed Aug 4 18:48:21 UTC 2004


Hello,

Does anyone out there have policy config files that
bring a Fedora Core 2 system into compliance with
Chapter 8 of Defense Security Service's (DSS) National
Industrial Security Program Operating Manual (NISPOM)?

The gist of my problem is that I need to get more
strict access and auditing of any attempted access to
system files by non-root users.  I am trying to get
selinux to log every failed attempt of every non-root
user to r/w/x all system files. I can get it working
by commenting out the following line in
/etc/security/selinux/src/policy/tunable.te:

#define(`read_default_t')

which gives users access to all default files.
The problem is, it disallows access to all users,
including root. This means that once I start
enforcing, I have to reboot into single user mode to
make any system changes as root. 

I need something which leaves sysadmin alone and only
sets restrictions and audits on staff and users (or
just users). With the above line still commented out,
I tried inserting the following lines in
/etc/security/selinux/src/policy/domains/admin.te to
open the system files back up to root again:

general_file_read_access(sysadmin_t)
general_file_write_access(sysadmin_t)
general_domain_access(sysadmin_t)

(Found in the "Configuring the SELinux Policy" doc by
Smalley)

However, the read and write access lines generated
syntax errors when I tried to make the new policy.

Anyone know what I am doing wrong? Version mismatch?
Mutually exclusive parameters? Anyone actually know
how to do what I am trying to do?

I am new to selinux, so I am hoping that I am just
missing something obvious.

Also, is there any other documentation besides the
PDFs on the NSA site?


Thanks in Advance,
David Colbert



		