[Systrace] tuning systrace policy for expect

Ray ray at cyth.net
Mon May 16 12:58:24 EDT 2005


On Sun, May 15, 2005 at 01:29:31PM +0200, Kim Onnel wrote:
> Hello Ray

Hi Kim,

Please reply to the mailing list instead of only to me.

> I am still having a problem with tuning the systrace policy for the expect
> script that will be used to let users automatically login to network
> devices without entering their passwords,
>  
> In details:
> 
> I have a shell script 'rpm' that is calling the expect script 'rtr3',
> the script 'rtr3' uses a file /~.rtr3, which has the passwords saved,
> and it has to be in the users home directory since it uses each users
> own password saved in the file.
> 
> I've generated a policy for both, but i get errors, from my humble
> experience with systrace, i've tried to tune the policy, permit and
> so, but got no luck,
> 
> I've listed below all the contents of the scripts, the policies i've
> tried to tune and the errors i got, perms of files and locations,
> please troubleshoot with me.
> 
> $ whoami
> mamin
>  
> $ ls -alh .rtr3
> -rw-r--r--  1 mamin  mamin   298B May 15 12:18 .rtr3
>  
> $ ls -alh /usr/bin/rpm
> -rwxr-xr-x  1 root  wheel   2.0K May 11 19:12 /usr/bin/rpm
>  
> $ ls -alh /usr/bin/rtr3
> -rwxr-xr-x  1 root  wheel  23.0K May 11 19:23 /usr/bin/rtr3
>  
> $ ls -alh /etc/systrace/usr_bin_rpm
> -rw-r--r--  1 root  wheel   1.3K May 15 12:44 /etc/systrace/usr_bin_rpm
>  
> $ ls -alh /etc/systrace/usr_bin_rtr3
> -rw-r--r--  1 root  wheel   4.9K May 15 12:42 /etc/systrace/usr_bin_rtr3
>  
> $ rpm auto
> /usr/bin/rpm[45]: rtr3: Operation not permitted
>  
> $ rtr3
> ERROR: ~/.rtr3 does not exist
> Default username and passwords are most likely not suitable for your network.
> invalid command name "display_usage_note_and_exit"
>    while executing
> "display_usage_note_and_exit"
>    invoked from within
> "if [file exists ~/.rtr3] {
> source ~/.rtr3
> } else {
> puts "ERROR: ~/.rtr3 does not exist"
> puts "Default username and passwords are most likely not suita..."
>    (file "/usr/bin/rtr3" line 56)
> $
>  
> The errors:
>  
> rpm script:
>  
> -bash-3.00# May 15 13:24:03 bastion2 systrace: deny user: mamin, prog:
> /usr/bin/rpm, pid: 14918(1)[29487], policy: /usr/bin/rpm, filters: 40,
> syscall: native-fsread(291), filename: /var/mail/mamin

Whenever you see denies like these you can easily translate them
into permit rules:
	native-fsread: filename eq "/var/mail/mamin" then permit

> May 15 13:24:03 bastion2 systrace: deny user: mamin,
> prog:/usr/bin/rpm, pid: 14918(1)[29487], policy: /usr/bin/rpm,
> filters: 40,syscall: native-fsread(291), filename: /<non-existent
> filename>:/home/mamin/bin/rtr3

Use this to avoid logging attempts to read nonexistent filenames:
	native-fsread: filename sub "<non-existent filename>" then deny[enoent]

> May 15 13:24:03 bastion2 systrace: deny user: mamin, prog:
> /usr/bin/rpm, pid: 20755(1)[14918], policy: /usr/bin/rpm, filters: 40,
> syscall: native-execve(59), filename: /usr/bin/rtr3, argv: rtr3 ?cisco
> -telnet 172.31.1.41
[...]
> if [ $1 == "adsl" ]
> then
> rtr3 -cisco -telnet 172.31.1.95
> fi
>  
> if [ $1 == "adsl2" ]
> then
> rtr3 -cisco -telnet 172.31.1.96
> fi

Use this line to connect to any host 172.31.1.96:
	native-execve: filename eq "/usr/bin/rtr3" and argv match "rtr3 -cisco -telnet 172.31.1.*" then permit

> native-fsread: filename eq "~/.expect.rc" then permit
> native-fsread: filename eq "~/expect.rc" then permit
> native-fsread: filename eq "~/.rtr3" then permit
> native-fsread: filename eq "~/.systrace/." then permit

I don't think tilde-expansion works in systrace, though I've never
tried it.

>        native-fswrite: filename eq "/tmp/tclt24674" then permit

Rules like these you want to change to something like this:
	native-fswrite: filename match "/tmp/tcl*" then permit

--
I've found that people who are great at something are not so much
convinced of their own greatness as mystified at why everyone else
seems so incompetent.
						Paul Graham
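As an added example (not Ray's code and not part of systrace itself), here is a small script that applies the translations given in this reply to systrace deny lines: plain reads become `eq ... then permit`, `<non-existent filename>` records become `sub ... then deny[enoent]`, Tcl temp files are collapsed to a `/tmp/tcl*` glob, and the last octet of an address in `argv` is widened to `*`. The log lines are constructed to match the format quoted above; the `/tmp/tcl` prefix and the subnet wildcard are assumptions to adjust for your own policy.

```python
import re

# Constructed sample deny lines, shaped like the ones quoted in the thread.
SAMPLE_LOG = """\
May 15 13:24:03 bastion2 systrace: deny user: mamin, prog: /usr/bin/rpm, pid: 14918(1)[29487], policy: /usr/bin/rpm, filters: 40, syscall: native-fsread(291), filename: /var/mail/mamin
May 15 13:24:03 bastion2 systrace: deny user: mamin, prog: /usr/bin/rpm, pid: 14918(1)[29487], policy: /usr/bin/rpm, filters: 40, syscall: native-fsread(291), filename: /<non-existent filename>:/home/mamin/bin/rtr3
May 15 13:24:03 bastion2 systrace: deny user: mamin, prog: /usr/bin/rpm, pid: 20755(1)[14918], policy: /usr/bin/rpm, filters: 40, syscall: native-execve(59), filename: /usr/bin/rtr3, argv: rtr3 -cisco -telnet 172.31.1.41
May 15 13:24:05 bastion2 systrace: deny user: mamin, prog: /usr/bin/rtr3, pid: 20755(1)[14918], policy: /usr/bin/rtr3, filters: 40, syscall: native-fswrite(5), filename: /tmp/tclt24674
"""

# Pulls policy name, syscall, filename and (optional) argv out of one deny line.
DENY_RE = re.compile(
    r"systrace: deny .*?policy: (?P<policy>\S+), .*?"
    r"syscall: (?P<syscall>[\w-]+)\(\d+\), filename: (?P<filename>.+?)"
    r"(?:, argv: (?P<argv>.+))?$"
)

# Assumed generalisations: Tcl temp files share this prefix, and hosts are
# wildcarded on the last octet, as in the rule suggested in the reply.
TMP_PREFIX = "/tmp/tcl"
LAST_OCTET_RE = re.compile(r"\b(\d+\.\d+\.\d+)\.\d+\b")

def rule_for(syscall, filename, argv):
    """Return one policy line for a single deny record."""
    if "<non-existent filename>" in filename:
        # Silence lookups of missing files without logging each one.
        return f'{syscall}: filename sub "<non-existent filename>" then deny[enoent]'
    if filename.startswith(TMP_PREFIX):
        # Per-run temp names differ every time, so glob the prefix instead.
        return f'{syscall}: filename match "{TMP_PREFIX}*" then permit'
    if argv:
        pattern = LAST_OCTET_RE.sub(r"\1.*", argv)
        return f'{syscall}: filename eq "{filename}" and argv match "{pattern}" then permit'
    return f'{syscall}: filename eq "{filename}" then permit'

def rules_from_log(text):
    """Map each policy name to its ordered, de-duplicated list of new rules."""
    policies = {}
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        rule = rule_for(m["syscall"], m["filename"], m["argv"])
        bucket = policies.setdefault(m["policy"], [])
        if rule not in bucket:
            bucket.append(rule)
    return policies

if __name__ == "__main__":
    for policy, rules in rules_from_log(SAMPLE_LOG).items():
        print(f"# {policy}")
        for r in rules:
            print("\t" + r)
```

Review the generated lines before pasting them into /etc/systrace/...; a glob or wildcard that is wider than the script actually needs is a permit you did not intend to grant.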
