This is the modified syslogd init-script.

--- sysklogd_org	2008-07-03 05:22:39.000000000 +0200
+++ sysklogd	2008-07-11 16:23:35.000000000 +0200
@@ -59,7 +59,7 @@
   start)
     echo -n "Starting system log daemon: syslogd"
     create_xconsole
-    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
+    rsbac_jail -Y -i-N start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
     echo "."
     ;;
   stop)
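Review bot: the added line in the start branch passes `-i-N` with no space between the two options, while the restart and reload-or-restart branches pass `-Y -i -N`. Write it as `-i -N` so that a plain start gets the same three jail options as the other two branches.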
@@ -76,7 +76,7 @@
     echo -n "Restarting system log daemon: syslogd"
     start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
     sleep 1
-    start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
+    rsbac_jail -Y -i -N start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
     echo "."
     ;;
   reload-or-restart)
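Review bot: the restart branch spells out the `rsbac_jail -Y -i -N` prefix by hand again, just as the start and reload-or-restart branches do. Define it once in a shell variable (for example JAIL="rsbac_jail -Y -i -N") with a short comment on what each option is for, and use that variable in all three places so the option lists cannot drift apart.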
@@ -86,7 +86,7 @@
     start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
     else
  	echo -n "Restarting system log daemon: syslogd"
-       start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
+	rsbac_jail -Y -i -N start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
     fi
     echo "."
     ;;
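Review bot: the added line in the else branch is indented with a tab, while the line it replaces was indented with spaces. Keep the original indentation so the hunk changes only the command.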

First I started with no parameters for rsbac_jail, because I did not know what was missing.

On a second terminal I have the security user listen with:

cat /proc/rsbac-info/rmsg

After the syslogd init-script is modified, I stop the service: /etc/init.d/syslogd stop

Then I start the service: /etc/init.d/syslogd start, and look at the other terminal.

This now appears on the second terminal.

<7>0000000890|rsbac_adf_request_jail(): process jail 36 does not match IPC object jail 0 -> NOT_GRANTED!
<6>0000000891|rsbac_adf_request(): request WRITE, pid 4253, ppid 4252, prog_name syslogd, prog_file /sbin/syslogd,    uid 0, remote ip 192.168.1.5, target_type IPC, tid AnonPipe-ID 1833, attr none, value none, result NOT_GRANTED by   JAIL
<7>0000000892|rsbac_adf_request_jail(): process jail 36 does not match IPC object jail 0 -> NOT_GRANTED!
<6>0000000893|rsbac_adf_request(): request READ, pid 4253, ppid 4252, prog_name syslogd, prog_file /sbin/syslogd,  uid 0, remote ip 192.168.1.5, target_type IPC, tid AnonPipe-ID 1833, attr none, value none, result NOT_GRANTED by  JAIL

Now I am searching for the target_type:

 target_type IPC

and its tid:

 tid AnonPipe-ID

Then I typed 'rsbac_jail' and found this:

-i = allow access to IPC outside this jail

Now I have the first argument for rsbac_jail. This also looks interesting:

-N = enclose process in its private namespace

and lastly:

-Y = this is the syslog jail

This has to be set only here, but don't forget it!

So these three, -Y -i -N, are now added to the syslog init-script, as you can see above.
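The log-reading step above can be automated. The following is an added example, not part of the original page or of RSBAC: it parses rsbac_adf_request() lines, keeps the decisions that are NOT_GRANTED by JAIL, and groups them by program and target_type. The function names and the FLAG_HINTS table are this example's own, and the field layout is assumed to be the one in the four log lines quoted on this page.

```python
import re
from collections import defaultdict

# The four rmsg lines quoted on this page, with their original spacing.
SAMPLE_RMSG = """\
<7>0000000890|rsbac_adf_request_jail(): process jail 36 does not match IPC object jail 0 -> NOT_GRANTED!
<6>0000000891|rsbac_adf_request(): request WRITE, pid 4253, ppid 4252, prog_name syslogd, prog_file /sbin/syslogd,    uid 0, remote ip 192.168.1.5, target_type IPC, tid AnonPipe-ID 1833, attr none, value none, result NOT_GRANTED by   JAIL
<7>0000000892|rsbac_adf_request_jail(): process jail 36 does not match IPC object jail 0 -> NOT_GRANTED!
<6>0000000893|rsbac_adf_request(): request READ, pid 4253, ppid 4252, prog_name syslogd, prog_file /sbin/syslogd,  uid 0, remote ip 192.168.1.5, target_type IPC, tid AnonPipe-ID 1833, attr none, value none, result NOT_GRANTED by  JAIL
"""

# Matches only the decision lines; the rsbac_adf_request_jail() debug lines
# do not match because of the "_jail" before the parentheses.
REQUEST_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\S+),\s+pid (?P<pid>\d+),"
    r".*?prog_name (?P<prog>[^,]+),.*?target_type (?P<ttype>\S+),\s+"
    r"tid (?P<tid>[^,]+),.*?result (?P<result>\S+) by\s+(?P<module>\S+)"
)

# Assumption of this example: only the mapping the page itself found,
# "-i = allow access to IPC outside this jail".
FLAG_HINTS = {"IPC": "-i"}


def jail_denials(rmsg_text):
    """Group NOT_GRANTED-by-JAIL decisions by (program, target_type, tid kind)."""
    grouped = defaultdict(set)
    for line in rmsg_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or m["result"] != "NOT_GRANTED" or m["module"] != "JAIL":
            continue
        tid_kind = m["tid"].split()[0]  # "AnonPipe-ID 1833" -> "AnonPipe-ID"
        grouped[(m["prog"], m["ttype"], tid_kind)].add(m["request"])
    return {key: sorted(reqs) for key, reqs in grouped.items()}


def report(rmsg_text):
    """One line per denied (program, target_type), with the option to look at."""
    lines = []
    for (prog, ttype, tid_kind), reqs in sorted(jail_denials(rmsg_text).items()):
        hint = FLAG_HINTS.get(ttype, "no hint, check the rsbac_jail usage text")
        lines.append(f"{prog}: {'/'.join(reqs)} on {ttype} ({tid_kind}) denied by JAIL -> {hint}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RMSG)))
```

Run it on text captured from the terminal that shows /proc/rsbac-info/rmsg; a target_type without an entry in FLAG_HINTS is reported without a suggested option.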

wiki/experiences/igraltist/jail_syslogd.txt · Last modified: 2008/07/14 03:10 by 127.0.0.1
