Forum Topic - How to use the secpolmonitor to monitor security violation event?: (8 Items)
   
How to use the secpolmonitor to monitor security violation event?  
Hi all, 

I am trying to define a security policy for my QNX environment. 
I use secpolgenerate to generate a policy and deploy it to the environment.
But after I start up the environment and try to run secpolmonitor to monitor the events, it always shows an 
error:
"tracelog_monitor likely failed to attach to path /dev/name/local/_tracelog: File exists"
Can anyone tell me how to fix this issue?
Thanks.
Re: How to use the secpolmonitor to monitor security violation event?  
I presume you're still running secpolgenerate. It and secpolmonitor can't be used at the same time, as they both make
use of the kernel trace system and only one process can use it at a time. However, secpolgenerate will provide all the 
information: any attempts to use abilities etc. that are not permitted will show up in /dev/secpolgenerate/errors.

Note that if you are intending to use this for production, it is important that you're not using secpolgenerate's -u or
-t options and that you are using libsecpol.so.1, not libsepol-gen.so.1. And I might note that it is not safety 
certified, though a safety-certified library, libsecpolev.so, is provided as part of QOS 2.2.7 that can be used for 
monitoring.
Re: How to use the secpolmonitor to monitor security violation event?  
> I presume you're still running secpolgenerate. It and secpolmonitor can't 
> be used at the same time, as they both make use of the kernel trace system and 
> only one process can use it at a time. However, secpolgenerate will provide 
> all the information: any attempts to use abilities etc. that are not permitted 
> will show up in /dev/secpolgenerate/errors.
> 
> Note that if you are intending to use this for production, it is important 
> that you're not using secpolgenerate's -u or -t options and that you are using
> libsecpol.so.1, not libsepol-gen.so.1. And I might note that it is not safety
> certified, though a safety-certified library, libsecpolev.so, is provided as part
> of QOS 2.2.7 that can be used for monitoring.

Yes, you are right.  I forgot to update my testing.

In the initial stage, I tried running under secure open/develop mode (in this mode, it shows the policy violation messages
on the console or in files).
After refining the security policy, I applied it in secure mode (in this mode, it checks the policy and also blocks
if the policy is violated).
Then I tried to run secpolmonitor based on the policy type I defined, and it is still blocked from accessing the file.

E.g.,
$ on -T secpol_t secpolmonitor -a
The error message is:
tracelog_monitor likely failed to attach to path /dev/name/local/_tracelog: Permission denied

I already set the path to allow_attach and allow_link for secpol_t, but it is not working.
And apart from this error message, there is no other error I can query.
I just guess that tracelog_monitor is run as some security type, not secpol_t???  But I don't know what 
tracelog_monitor means and where I can set it.
Any suggestions? 
Thanks.
Re: How to use the secpolmonitor to monitor security violation event?  
> 
> E.g.,
> $ on -T secpol_t secpolmonitor -a
> The error message is:
> tracelog_monitor likely failed to attach to path /dev/name/local/_tracelog: 
> Permission denied
> 

Here is an update: I have already found the root cause and fixed it.
It seems the path and ability settings needed to be adjusted, although I still don't know why secpolgenerate can't
show the errors or the suggested policy in the errors/policy file correctly. :(

Re: How to use the secpolmonitor to monitor security violation event?  
Secpolgenerate generates policy rules by observing what a program actually does. But a program such as secpolmonitor 
cannot operate while secpolgenerate is running, since they both need the trace system. Since secpolmonitor cannot run 
properly, secpolgenerate can't observe it and generate the necessary rules.

To determine the abilities required by secpolgenerate, I've used the following technique: run it multiple times with a 
single ability denied and see if it starts. A similar approach can be taken with secpolmonitor.

for able in spawn_setuid spawn_setgid setuid setgid getid pathspace reboot cpumode runstate confset rsrcdbmgr session 
umask event rlimit mem_add mem_phys mem_special mem_global mem_peer mem_lock spawn fork prot_exec wait msg_queue 
clockset interrupt io trace priority connection schedule signal timer pgrp map_fixed path_trust swap rconstraint 
child_newapp public_channel aps_root able_create runstate_burst default_timer_tolerance xprocess_query chroot power 
prot_write_and_exec srandom hyp rlimit_peer; do
    # Start secpolgenerate with this single ability denied.
    on -A deny,all,$able secpolgenerate -N >/dev/null 2>&1
    # If slay finds and kills a running secpolgenerate, report the ability that was denied.
    if slay -f secpolgenerate; then
        echo "    $able"
    else
        # Otherwise keep retrying until slay reports success.
        while ! slay -pf secpolgenerate >/dev/null; do
            sleep 0.1
        done
    fi
done
Re: How to use the secpolmonitor to monitor security violation event?  
> 
> Note, that if you are intending to use this for production, it is important 
> that you're not using secpolgenerate's -u or -t options and that you are using
>  libsecpol.so.1, not libsepol-gen.so.1. And I might note that it is not safety
>  certified, though provided a safety-certified library, libsecpolev.so as part
>  of QOS 2.2.7 that can be used for monitoring.

According to your comment, I have a question.
If I implement an application based on the library libsecpolev.so to monitor the events, could I 
also use secpolmonitor to monitor the events at the same time?
Would each of them block the other?  Because according to my current understanding, it seems the monitor application (no 
matter whether it is implemented by myself or by the system) will access the same file, and if one is running, it would block the other
one.
Is that right?
Thanks.
Re: How to use the secpolmonitor to monitor security violation event?  
No, you can't use secpolmonitor and a program that is using libsecpolev at the same time, since they both use the trace 
system. There are a few uses that appear to violate this; for example, you can use tracelogger and libsecpolev while 
you're using secpolgenerate. However, in the case of tracelogger, secpolgenerate temporarily disconnects from the trace 
system while tracelogger is running, and in the case of libsecpolev, libsecpolev is able to get events from secpolgenerate.
Re: How to use the secpolmonitor to monitor security violation event?  
> No, you can't use secpolmonitor and a program that is using libsecpolev at the 
> same time, since they both use the trace system. There are a few uses that 
> appear to violate this; for example, you can use tracelogger and libsecpolev 
> while you're using secpolgenerate. However, in the case of tracelogger, 
> secpolgenerate temporarily disconnects from the trace system while tracelogger 
> is running, and in the case of libsecpolev, libsecpolev is able to get events 
> from secpolgenerate.

Thanks for the information.
Our module also uses the trace event mechanism to trace some API events.  
It seems we will not be able to run both secpolmonitor and the process for tracing events at the same time.
We need to adjust this.  Thanks.