Battle of the application firewalls
I’ve hacked up a small C program which I normally use for showing AppArmor and SELinux to
people. It is a very simple daemon which reads a configuration file (/etc/foo.conf), tries to write a pid file (/var/run/foo),
and also tries to do some setuid magic and read /etc/shadow.
A good combination to show an application firewall in a live demo.
The source code is attached: download it to a file called foo.c and compile it afterwards with make foo;
this should create a foo binary in the current directory.
There are also 2 init scripts available for starting and stopping this small daemon,
one for Red Hat and one for SUSE. Put those under /etc/init.d, make sure they are executable, and try to run your foo daemon with /etc/init.d/foo start.
If this already works you can continue with your application firewall configuration.
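The attached foo.c is not reproduced on this page, so here is an added stand-in written for this page (not the post's own source) that performs the same four accesses and logs whether each was permitted or refused, which is what a profile in learning or enforcing mode is judged against. It assumes the paths named above, that uid 65534 is the unprivileged "nobody" account, and that the daemon is started as root by the init script.

```c
/* Added stand-in for the demo daemon (not the post's own foo.c): it attempts
 * each access the post lists, so a MAC policy can allow or deny it, and logs the result. */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define CONF_PATH   "/etc/foo.conf"   /* paths as named in the post */
#define PID_PATH    "/var/run/foo"
#define SHADOW_PATH "/etc/shadow"

/* Open 'path' with 'flags'; 0 on success, else errno (a policy denial arrives as EACCES). */
int probe_open(const char *path, int flags)
{
    int fd = open(path, flags, 0644);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* The "setuid magic": move the effective uid to an unprivileged one (65534,
 * assumed to be nobody) and back. Needs CAP_SETUID; 0 on success, else errno. */
int probe_setuid(void)
{
    if (seteuid(65534) != 0)
        return errno;
    if (seteuid(0) != 0)   /* restore: saved uid is still 0 when started as root */
        return errno;
    return 0;
}

static void report(const char *w, int e) { syslog(LOG_NOTICE, "%s -> %s", w, e ? strerror(e) : "ok"); }

/* Run the four demo accesses once; returns how many were refused. */
int run_probes(void)
{
    int e[4];
    report("read " CONF_PATH,   e[0] = probe_open(CONF_PATH, O_RDONLY));
    report("write " PID_PATH,   e[1] = probe_open(PID_PATH, O_WRONLY | O_CREAT | O_TRUNC));
    report("seteuid(65534)",    e[2] = probe_setuid());
    report("read " SHADOW_PATH, e[3] = probe_open(SHADOW_PATH, O_RDONLY));
    return (e[0] != 0) + (e[1] != 0) + (e[2] != 0) + (e[3] != 0);
}

int main(void)
{
    openlog("foo", LOG_PID | LOG_PERROR, LOG_DAEMON);   /* LOG_PERROR: also echo to stderr */
    run_probes();
    for (;;) pause();   /* stay resident so the init script can stop it */
}
```

With a profile that allows the config read, the pid file write and the setuid capability but not /etc/shadow, the last probe is the one that should log a refusal.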
Apparmor (SLES10)
- Launch yast2
- Go to Apparmor -> Add profile wizard
- Fill in the full path to the foo binary (/usr/sbin/foo)
- Apparmor is now in learning mode
- Switch to a console and start and stop the foo daemon with the following command: /etc/init.d/foo stop ; sleep 2 ; /etc/init.d/foo start ; sleep 30
- Return to your yast2 window
- Press the ’scan system log for events’ button
- You will now have a list with all the events and can allow the necessary events
- Click finish and you are done
Selinux (RHES4)
- Install the selinux-policy-targeted-sources package (because we want to modify the default ‘targeted’ policy)
- Go to the /etc/selinux/targeted/src/policy directory
- Create a foo.te file under the domains/program subdirectory
- Put the following text in this file: daemon_domain(foo)
- Create a foo.fc under the /etc/selinux/targeted/src/policy/file_contexts/program directory
- Add the following lines to this file:
/usr/sbin/foo -- user_u:object_r:foo_exec_t
/var/run/foo -- user_u:object_r:foo_var_run_t
- Save this file and return to the /etc/selinux/targeted/src/policy directory
- Issue a make reload in this directory
- Now try to start your foo binary with the init script: /etc/init.d/foo start
- Check if the application is running with /etc/init.d/foo status; if it says ‘foo is stopped’ you still need to modify some things in your selinux configuration
October 23rd, 2006 - Posted in SLES, linux | 0 Comments
In a position to blog…
We are currently in Lisbon (Portugal) for the next part of our sle10 demo tour.
October 7th, 2006 - Posted in Novell | Comments Off
