Appendix E - Running Snare Agent Alongside SELinux

Owned by Andrew Madge
Last updated: Jun 12, 2023 by rthorntonVersion comment
6 min read

SELinux is a security subsystem integrated into the kernel via Linux Security Modules developed by the NSA and comes bundled with Red Hat Enterprise Linux. Having this additional layer of security across the breadth of the operating system comes at the cost of usability since it enforces mandatory access control rather than discretionary access control to all aspects of the system.

Per the Red Hat documentation it works in the following manner

SELinux defines access controls for the applications, processes, and files on a system. 
It uses security policies, which are a set of rules that tell SELinux what can or can’t be accessed, to enforce the access allowed by a policy.

As part of this change in access control methodology core agent functionality by default ("Enforcing" mode) will fail and Access Vector Cache (AVC) denials will be raised which results in the agent crashing, not starting or missing core functionality.

In order to work around this on a system with SELinux in "enforcing" mode a number of additional policies must be applied to the system in order for the agent to be able to function as expected.

These policies can be applied either to the auditd context itself or any custom context created specifically for the agent on the system however it is recommended that they be applied to the auditd context.

The below example for each policy is being applied to the auditd context as this will automatically include Snare Agent as well.


In order for the agent to have the appropriate network connectivity so that functionality can occur regardless of system policy the agent port (Default: 6161) must be enabled through SELinux.

To enable this port issue the command as root per your distribution (this change is persistent through restarts):

# semanage port -a -t audit_port_t -p tcp 6161

In addition to this, in order to connect through to SAM the port which SAM is listening on (Default: 6262) must also be enabled. To enable this port issue the command as root per your distribution (this change is persistent through restarts):

# semanage port -a -t audit_port_t -p tcp 6262


Required Policies

module snare-required 1.1;

require {
        type var_t;
        type var_log_t;
        type auditd_etc_t;
        type auditd_initrc_exec_t;
        type cert_t;
        type auditctl_exec_t;
        type auditd_t;
		type audit_port_t;
		type auditd_unit_file_t;
		type initrc_exec_t;
		type init_t;

		class service { status start };
		class system { reload };
        class dir { add_name read remove_name write };
        class file { create execute_no_trans getattr map open read unlink write execute append ioctl };
		class tcp_socket { name_connect };
}
 
#============= auditd_t ==============

allow auditd_t auditctl_exec_t:file { execute_no_trans map open read execute };
allow auditd_t auditd_etc_t:dir { add_name remove_name write };
allow auditd_t auditd_etc_t:file { create unlink write };
allow auditd_t auditd_initrc_exec_t:file { getattr execute_no_trans map open read execute };
allow auditd_t audit_port_t:tcp_socket name_connect;
allow auditd_t auditd_unit_file_t:service { status start };
allow auditd_t cert_t:dir { add_name write };
allow auditd_t cert_t:file { write create };
allow auditd_t var_t:dir { read write add_name remove_name };
allow auditd_t var_t:file { write create open read getattr append unlink };
allow auditd_t var_log_t:dir { read write add_name remove_name };
allow auditd_t var_log_t:file { read write open create append };
allow auditd_t initrc_exec_t:file { getattr execute_no_trans map open read execute ioctl };
allow auditd_t init_t:system { reload };

Each of the above policies provides a specific functionality to the agent which is required for standard functionality as described in the table below.

PolicyDefinitionAgent Functionality
auditctl_exec_t:fileThis policy allows the execution of the auditctl commands by the applicationThis policy allows the agent to manage the audit policy of the system. As objectives are added to the agent, it will update auditctl to contain those new records. Without this the agent will either not start or be unable to manage objectives.
auditd_etc_t:dir
auditd_etc_t:file		This policy allows access to /etc/audit directory and the files held within.This policy is required for the agent to read from and write to the auditd and snare configuration files which are held within this directory.
auditd_initrc_exec_t:fileThis policy allows access to the auditd init scriptThis policy is required so that the agent can restart the auditd service on the system in order to apply updated configuration. Without this on agent restart the agent will close and not resume until auditd.service is manually restarted.
audit_port_t:tcp_socketThis policy allows access to connecting to TCP socketsThis policy is required so the agent can create/connect to TCP-based network destinations.
auditd_unit_file_t:serviceThis policy allows access to the auditd systemd unit fileThis policy is required on some older platforms in order for the agent to restart the auditd service
cert_t:dir
cert_t:file		This policy allows access to the system certificate store directoryThis policy is required for the agent to read the certificates used for https traffic as well as to generate self-signed certificates for cases where a CA signed certificate is not provided. It also allows the agent to provide a list of available certificates to use within the Security Certificates page.
var_t:dir
var_t:file		This policy allows access to /var directory and files within as well as subfolders marked with the same type.This policy is required for the agent to read from and write to the snare event cache held within /var/cache/snare for processing after restart or if system is experiencing heavy load 

var_log_t:dir
var_log_t:file

This policy allows access to /var/logThis policy is required for the agent to read and write to /var/log which is the recommended default location for file destinations.
initrc_exec_t:fileThis policy allows access to auditd init scriptThis policy is required on some older platforms in order for the agent to restart the auditd service
init_t:systemThis policy allows access to init.dThis policy is required on some older platforms in order for the agent to restart the auditd service

On newer platforms RHEL 8 or newer, some of these policies may not be required as these platforms use newer system utilities. This policy will cover agent functionality; however, a further review can be done to restrict permissions for high-security environments.

On legacy systems such as RHEL 6.x some of the above permissions may not exist within libsepol used to compile the policy for deployment. If this is the case on the system being built on then the following error will occur: "libsepol.permission_copy_callback: Module snare-required depends on permission x in class y, not satisfied", if this error is raised remove all references to whatever is listed for x from the policy file and repeat the process


Deploying policies

  1. Create a te file containing the above module definition. The file name of which must match the module name specified on the top line of the file. In this case snare-required.te

  2. Logon as root user, i.e. at the command prompt enter the command /bin/su and enter the root password when prompted. Issue the command, as root as per your distribution:

    # checkmodule -M -m -o snare-required.mod snare-required.te

    This will compile the policy module definition into a binary representation.

  3. Issue the command, as root as per your distribution:

    # semodule_package -o snare-required.pp -m snare-required.mod

    This will package the compiled binary representation into a policy file which can be installed.

  4. Issue the command as root per your distribution:

    # semodule -i snare-required.pp

    This will apply the policy to the system and allow the specified policies and allow the agent to function on the system

  5. Restart auditd service

    # service auditd restart

    This will restart the service allowing the agent to run under the new policies mitigating errors which occur without restarting.

    On some systems, it may require a full system reboot for these things to apply properly.

Additional Considerations

Despite these policies providing the base functionality of the agent there are some features that require further items to be added to the policy list. These include:

  1. File Destinations
  2. File Integrity Monitoring
  3. Log Audit

As these functions interact directly with the file system on the machine, they will not function without appropriate file and directory policies being applied for the specific target. These policies can be applied in a similar fashion to the base agent policies however the new additional policies must match the type of the target file or directory.  

For example if the target file is of type file_dest_t the following policy would need to be added to allow file destination to work to that file.

module snare-file-destination 1.0

require {
	type auditd_t;
	type file_dest_t;
	class dir { add_name read remove_name write getattr open };
	class file { create execute_no_trans getattr map open read unlink write execute };
}

#============= auditd_t ==============

allow auditd_t file_dest_t:dir { add_name read write getattr open };
allow auditd_t file_dest_t:file { create read write open getattr };


Refer to SELinux manual for the process of creating new contexts and types.


As well as these functional limitations, in some cases it may be required for the system to be rebooted after making changes to agent configuration in order for the agent web interface to become available.