Re: How to use the secpolmonitor to monitor security violation event?
05/22/2025 12:10 AM
post122653
> I presume you're still running secpolgenerate. Both it and secpolmonitor can't
> be used at the same time, as they both make use of the kernel trace system and
> only one process can use it at a time. However, secpolgenerate will provide
> all the information. Any attempts to use abilities etc. that are not permitted
> will show up in /dev/secpolgenerate/errors.
>
> Note that if you are intending to use this for production, it is important
> that you're not using secpolgenerate's -u or -t options and that you are using
> libsecpol.so.1, not libsepol-gen.so.1. And I might note that it is not safety
> certified, though a safety-certified library, libsecpolev.so, is provided as part
> of QOS 2.2.7 that can be used for monitoring.
Yes, you are right. I forgot to update my testing.
In the initial stage, I tried to run under secure open/develop mode (in this mode, it will show the policy-violated message
to the console or to files).
And after refining the security policy, I applied it in secure mode (in this mode, it will check the policy and also block
if the policy is violated).
And then I tried to run secpolmonitor based on the policy type I defined, and it is still blocked from accessing the file.
E.g.,
$ on -T secpol_t secpolmonitor -a
The error message is:
tracelog_monitor likely failed to attach to path /dev/name/local/_tracelog: Permission denied
I already set the path to allow_attach and allow_link for secpol_t, but it is not working.
And apart from this error message, there is no other error I can query.
I just guess that tracelog_monitor is run as some security type, not secpol_t??? But I don't know what
tracelog_monitor means and where I can set it?
Any suggestion?
Thanks.
Re: How to use the secpolmonitor to monitor security violation event?
05/22/2025 12:29 AM
post122654
>
> Note that if you are intending to use this for production, it is important
> that you're not using secpolgenerate's -u or -t options and that you are using
> libsecpol.so.1, not libsepol-gen.so.1. And I might note that it is not safety
> certified, though a safety-certified library, libsecpolev.so, is provided as part
> of QOS 2.2.7 that can be used for monitoring.
According to your comment, here is a question.
Do you know, if I implement an application based on the library libsecpolev.so to monitor the events, whether I could
also use secpolmonitor to monitor the events at the same time?
Would each of them block the other? Because according to my current understanding, it seems like the monitor application
(no matter whether it is implemented by myself or by the system) will access the same file? And if one is running, it would
block the other one?
Is that right?
Thanks.