selinux_policy_for_splunk's People

Contributors

doksu, stirnim

selinux_policy_for_splunk's Issues

yum commands (and general doc clarification)

First: you are awesome and I love you. I am running the policy on splunk hosts on rhel6 with only minor casualties. I feel if not safe, less naked.

Second: Perhaps your instructions are deliberately obtuse to discourage the ignorant. If not, kindly consider these clarifications:

Packages

rhel6 has no "setools-devel" package that I could locate in the base or epel repos

  • for my rhel6 hosts, /usr/share/selinux/devel/Makefile is provided by the package "selinux-policy"

----le snip---

yum provides /usr/share/selinux/devel/Makefile

Loaded plugins: aliases, changelog, downloadonly, security, verify
selinux-policy-3.7.19-260.el6_6.5.noarch : SELinux policy configuration
Repo : rhel-repo
Matched from:
Filename : /usr/share/selinux/devel/Makefile

selinux-policy-3.7.19-260.el6_6.5.noarch : SELinux policy configuration
Repo : installed
Matched from:
Other : Provides-match: /usr/share/selinux/devel/Makefile

----el snip----

Steps

I would suggest the clarifications below, which take into account the item above:

  • be root in a sensible directory
  • yum install policycoreutils-python setools-console selinux-policy
  • unzip selinux_policy_for_splunk-master.zip
  • cd selinux_policy_for_splunk-master
  • make -f /usr/share/selinux/devel/Makefile
  • semodule -i splunk.pp
  • semanage permissive -a splunk_t
  • restorecon -R /opt/splunk
  • restorecon /etc/init.d/splunk
  • service splunk restart

Build RPM

Build RPM to automate installation of policy.

Non-blocking dac_read_search denials on RHEL8 with /opt/splunk* files

This is probably related to #12

On RHEL 8 with the latest Splunkforwarder RPM package all files under /opt/splunkforwarder are owned by splunk:splunk (the user and group are created by the RPM).

When running splunk as root with this policy we kept getting dac_read_search denials on various files within the /opt/splunkforwarder directory structure, including configuration files. It did not appear to prevent splunk from working.

type=AVC msg=audit(22/03/22 14:29:37.905:8673) : avc:  denied  { dac_read_search } for  pid=39267 comm=splunkd capability=dac_read_search  scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0

I read an ancient blog post from Mr Walsh and realised that the issue could be file permissions, not SELinux labels/policy. So I chowned all of /opt/splunkforwarder to be owned by root, restarted splunk, and the denials weren't reported.

Is this something which can be resolved in the policy or must the additional step to chown all files to root be done? If so please add it to your instructions.

Thanks again!

dac_read_search denials with sssd logs on RHEL 8

I resolved a PEBKAC in #11 and now have this policy working for Splunkforwarders in RHEL 8!

It seems to be functioning fully despite having dac_read_search denials like these:

type=PROCTITLE msg=audit(17/03/22 16:36:49.862:4019) : proctitle=splunkd --under-systemd -p 8089 _internal_launch_under_systemd 
type=PATH msg=audit(17/03/22 16:36:49.862:4019) : item=0 name=/var/log/sssd/sssd_implicit_files.log inode=16863845 dev=08:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(17/03/22 16:36:49.862:4019) : cwd=/ 
type=SYSCALL msg=audit(17/03/22 16:36:49.862:4019) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0x7f436f24c840 a1=0x7f43691fa150 a2=0x7f43691fa150 a3=0x2e44d8 items=1 ppid=1 pid=8843 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=splunkd exe=/opt/splunkforwarder/bin/splunkd subj=system_u:system_r:splunk_t:s0 key=(null) 
type=AVC msg=audit(17/03/22 16:36:49.862:4019) : avc:  denied  { dac_read_search } for  pid=8843 comm=splunkd capability=dac_read_search  scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0 

and

type=PROCTITLE msg=audit(17/03/22 16:52:44.647:4941) : proctitle=splunkd --under-systemd -p 8089 _internal_launch_under_systemd 
type=PATH msg=audit(17/03/22 16:52:44.647:4941) : item=0 name=/var/log/sssd/sssd.log inode=16863838 dev=08:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(17/03/22 16:52:44.647:4941) : cwd=/ 
type=SYSCALL msg=audit(17/03/22 16:52:44.647:4941) : arch=x86_64 syscall=lstat success=yes exit=0 a0=0x7fdba9c98100 a1=0x7fdba37fa150 a2=0x7fdba37fa150 a3=0x41f27a items=1 ppid=1 pid=20469 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=splunkd exe=/opt/splunkforwarder/bin/splunkd subj=system_u:system_r:splunk_t:s0 key=(null) 
type=AVC msg=audit(17/03/22 16:52:44.647:4941) : avc:  denied  { dac_read_search } for  pid=20469 comm=splunkd capability=dac_read_search  scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0 

I can confirm that events from the sssd log files are being logged. Is this something I should ignore?

Thanks again!
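The two dac_read_search issues above (the /opt/splunkforwarder one and the sssd log one) show the same symptom: a capability denial logged for splunk_t while the syscall itself still succeeds. As an added example, not code from the project or from either reporter, the following Python triage script groups ausearch -i records by audit serial and, for each dac_read_search denial, reports whether the syscall was actually blocked and whether the file's owner differs from the splunkd uid. Event 4019 is trimmed from the sssd issue above; event 4020 is a constructed record modelled on the /opt/splunkforwarder issue, and the advice strings are heuristics of this example, not SELinux rules.

```python
import re
from collections import defaultdict

# ausearch -i style records: event 4019 is trimmed from the sssd issue above; event 4020
# is a constructed blocking denial on a splunk-owned file (modelled on the /opt issue).
SAMPLE_AUDIT = """\
type=PATH msg=audit(17/03/22 16:36:49.862:4019) : item=0 name=/var/log/sssd/sssd_implicit_files.log mode=file,600 ouid=root ogid=root obj=system_u:object_r:sssd_var_log_t:s0
type=SYSCALL msg=audit(17/03/22 16:36:49.862:4019) : arch=x86_64 syscall=lstat success=yes exit=0 pid=8843 uid=root comm=splunkd exe=/opt/splunkforwarder/bin/splunkd subj=system_u:system_r:splunk_t:s0
type=AVC msg=audit(17/03/22 16:36:49.862:4019) : avc:  denied  { dac_read_search } for  pid=8843 comm=splunkd capability=dac_read_search  scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0
type=PATH msg=audit(22/03/22 14:29:37.905:4020) : item=0 name=/opt/splunkforwarder/etc/system/local/inputs.conf mode=file,600 ouid=splunk ogid=splunk
type=SYSCALL msg=audit(22/03/22 14:29:37.905:4020) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) pid=39267 uid=root comm=splunkd exe=/opt/splunkforwarder/bin/splunkd subj=system_u:system_r:splunk_t:s0
type=AVC msg=audit(22/03/22 14:29:37.905:4020) : avc:  denied  { dac_read_search } for  pid=39267 comm=splunkd capability=dac_read_search  scontext=system_u:system_r:splunk_t:s0 tcontext=system_u:system_r:splunk_t:s0 tclass=capability permissive=0
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[^)]*):(?P<serial>\d+)\) : (?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")          # key=value pairs in the record body
DENIED_RE = re.compile(r"denied\s+\{ ([^}]*) \}")  # permissions inside the AVC braces

def parse_records(text):
    """Group ausearch -i records by audit serial -> {serial: [(type, fields), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("body")))
        if (d := DENIED_RE.search(m.group("body"))):
            fields["denied"] = d.group(1).split()
        events[int(m.group("serial"))].append((m.group("type"), fields))
    return events

def triage_dac_read_search(events):
    """One finding per event whose AVC record denies the dac_read_search capability."""
    findings = []
    for serial, records in sorted(events.items()):
        by_type = dict(records)  # last record of each type wins; fine for single-item PATH
        avc = by_type.get("AVC", {})
        if avc.get("tclass") != "capability" or "dac_read_search" not in avc.get("denied", []):
            continue
        sc, path = by_type.get("SYSCALL", {}), by_type.get("PATH", {})
        owner, uid = path.get("ouid"), sc.get("uid")
        findings.append({"serial": serial, "comm": avc.get("comm"), "path": path.get("name"),
                         "mode": path.get("mode"), "owner": owner, "uid": uid,
                         "blocking": sc.get("success") != "yes",      # did the denial bite?
                         "owner_mismatch": None not in (owner, uid) and owner != uid})
    return findings

def advice(f):
    """Heuristic next step for a defender (this example's own wording, not an SELinux rule)."""
    if f["owner_mismatch"]:
        return "fix DAC ownership/mode of the path (e.g. chown) before changing policy"
    if not f["blocking"]:
        return "syscall succeeded: non-blocking noise, a dontaudit candidate"
    return "blocking: check the DAC modes of the path and its parent directories"
```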

Struggling to build on RHEL 8

Hey @doksu thanks again for your FOSS contributions for those of us using Splunk!

We're keen to explore this policy as a way of avoiding the complication of setting ACLs and default directory ACLs on all of /var/log but then having to exclude specific things and deal with random applications which write specific permissions wiping out the ACLs.

Unfortunately I'm struggling to build this for RHEL 8. I'm a novice, having not looked into custom policies since doing SELinux training over 6 years ago! Could you help please?

  • We've modified line 51 of splunk.te to reference distro_rhel8 instead of distro_rhel7.
  • We're using the make command with DISTRO=rhel8 FWIW.

But when I try to install the module I get the following error:

# semodule -i splunk.pp

Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/splunk/cil:66
semodule:  Failed!

I've looked through the unzipped cil file and line 64 to 67 contain:

(typeattributeset polymember (splunk_tmp_t splunkadm_sudo_tmp_t ))
(typeattributeset cil_gen_require consoletype_exec_t)
(typeattributeset cil_gen_require bin_t)

Have you used this on RHEL 8? (RHEL 9 isn't far away now!)
Have you used Splunk with the systemd unit files rather than SysV init as this policy covers?

Thanks very much!

Add splunkadm_r role

I've already developed the splunkadm_r role and it works well; just needs to be merged into this policy.

denied access vectors

Hi,

I'm getting the message below when I run audit2allow.

#============= splunk_t ==============

#!!!! The file '/run/dbus/system_bus_socket' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/dbus/system_bus_socket
allow splunk_t system_dbusd_t:unix_stream_socket connectto;

Thank you for sharing your work, it helped me a lot!

'Building a policy module, but no module specification found

On RHEL 6 I get 'Building a policy module, but no module specification found' error. Can this be made to work with RHEL 6?

splunk.if:13: Error: duplicate definition of splunk_domtrans(). Original definition on 13.
splunk.if:32: Error: duplicate definition of splunk_initrc_domtrans(). Original definition on 32.
splunk.if:50: Error: duplicate definition of splunk_search_dir(). Original definition on 50.
splunk.if:73: Error: duplicate definition of splunk_read_files(). Original definition on 73.
splunk.if:101: Error: duplicate definition of splunk_manage_files(). Original definition on 101.
splunk.if:126: Error: duplicate definition of splunk_manage_dirs(). Original definition on 126.
splunk.if:155: Error: duplicate definition of splunk_admin(). Original definition on 155.
Compiling targeted splunk module
/usr/bin/checkmodule:  loading policy configuration from tmp/splunk.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/splunk.mod
Creating targeted splunk.pp policy package
rm tmp/splunk.mod.fc tmp/splunk.mod
checkmodule:  loading policy configuration from splunk.te
splunk.te:1:ERROR 'Building a policy module, but no module specification found.
' at token 'policy_module' on line 1:


checkmodule:  error(s) encountered while parsing configuration
Failed to compile splunk.te

Thanks,
-Mark
