trunk: 5 modules from dan.
This commit is contained in:
parent
153fe24bdc
commit
a5ef553c2d
|
@ -13,8 +13,13 @@
|
|||
- Add kernel_service access vectors, from Stephen Smalley.
|
||||
- Added modules:
|
||||
git (Dan Walsh)
|
||||
gues (Dan Walsh)
|
||||
guest (Dan Walsh)
|
||||
ifplugd (Dan Walsh)
|
||||
logadm (Dan Walsh)
|
||||
pingd (Dan Walsh)
|
||||
psad (Dan Walsh)
|
||||
portreserve (Dan Walsh)
|
||||
ulogd (Dan Walsh)
|
||||
webadm (Dan Walsh)
|
||||
xguest (Dan Walsh)
|
||||
zosremote (Dan Walsh)
|
||||
|
|
|
@ -138,6 +138,7 @@ network_port(ocsp, tcp,9080,s0)
|
|||
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
|
||||
network_port(pegasus_http, tcp,5988,s0)
|
||||
network_port(pegasus_https, tcp,5989,s0)
|
||||
network_port(pingd, tcp,9125,s0)
|
||||
network_port(postfix_policyd, tcp,10031,s0)
|
||||
network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
|
||||
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
/etc/ifplugd(/.*)? gen_context(system_u:object_r:ifplugd_etc_t,s0)
|
||||
|
||||
/etc/rc\.d/init\.d/ifplugd -- gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/ifplugd -- gen_context(system_u:object_r:ifplugd_exec_t,s0)
|
||||
|
||||
/var/run/ifplugd.* gen_context(system_u:object_r:ifplugd_var_run_t,s0)
|
|
@ -0,0 +1,133 @@
|
|||
## <summary>Bring up/down ethernet interfaces based on cable detection.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run ifplugd.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ifplugd_domtrans',`
|
||||
gen_require(`
|
||||
type ifplugd_t, ifplugd_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, ifplugd_exec_t, ifplugd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a generic signal to ifplugd
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ifplugd_signal',`
|
||||
gen_require(`
|
||||
type ifplugd_t;
|
||||
')
|
||||
|
||||
allow $1 ifplugd_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read ifplugd etc configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ifplugd_read_config',`
|
||||
gen_require(`
|
||||
type ifplugd_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage ifplugd etc configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ifplugd_manage_config',`
|
||||
gen_require(`
|
||||
type ifplugd_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
|
||||
manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read ifplugd PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ifplugd_read_pid_files',`
|
||||
gen_require(`
|
||||
type ifplugd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 ifplugd_var_run_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an ifplugd environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the ifplugd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ifplugd_admin',`
|
||||
gen_require(`
|
||||
type ifplugd_t, ifplugd_etc_t;
|
||||
type ifplugd_var_run_t, ifplugd_initrc_exec_t;
|
||||
')
|
||||
|
||||
allow $1 ifplugd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, ifplugd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 ifplugd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, ifplugd_etc_t)
|
||||
|
||||
files_list_pids($1)
|
||||
admin_pattern($1, ifplugd_var_run_t)
|
||||
')
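Review bot: `ifplugd_read_pid_files` grants access with a raw `allow $1 ifplugd_var_run_t:file read_file_perms;` while every other interface in this file, and the sibling `psad_read_pid_files` added in the same commit, uses the `*_pattern` macros. Replacing it with `read_files_pattern($1, ifplugd_var_run_t, ifplugd_var_run_t)` keeps the file consistent and also covers directory search on the type should a directory ever carry that label. No behaviour of the daemon itself changes, only what callers of the interface receive.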
|
|
@ -0,0 +1,77 @@
|
|||
|
||||
policy_module(ifplugd, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type ifplugd_t;
|
||||
type ifplugd_exec_t;
|
||||
init_daemon_domain(ifplugd_t, ifplugd_exec_t)
|
||||
|
||||
# config files
|
||||
type ifplugd_etc_t;
|
||||
files_type(ifplugd_etc_t)
|
||||
|
||||
type ifplugd_initrc_exec_t;
|
||||
init_script_file(ifplugd_initrc_exec_t)
|
||||
|
||||
# pid files
|
||||
type ifplugd_var_run_t;
|
||||
files_pid_file(ifplugd_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# ifplugd local policy
|
||||
#
|
||||
|
||||
allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
|
||||
dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
|
||||
allow ifplugd_t self:process { signal signull };
|
||||
allow ifplugd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ifplugd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ifplugd_t self:udp_socket create_socket_perms;
|
||||
allow ifplugd_t self:packet_socket create_socket_perms;
|
||||
allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
|
||||
# pid file
|
||||
manage_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
|
||||
manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
|
||||
files_pid_filetrans(ifplugd_t, ifplugd_var_run_t, { file sock_file })
|
||||
|
||||
# config files
|
||||
read_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
|
||||
exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
|
||||
|
||||
kernel_read_system_state(ifplugd_t)
|
||||
kernel_read_network_state(ifplugd_t)
|
||||
kernel_rw_net_sysctls(ifplugd_t)
|
||||
kernel_read_kernel_sysctls(ifplugd_t)
|
||||
|
||||
corecmd_exec_shell(ifplugd_t)
|
||||
corecmd_exec_bin(ifplugd_t)
|
||||
|
||||
# reading of hardware information
|
||||
dev_read_sysfs(ifplugd_t)
|
||||
|
||||
domain_read_confined_domains_state(ifplugd_t)
|
||||
domain_dontaudit_read_all_domains_state(ifplugd_t)
|
||||
|
||||
auth_use_nsswitch(ifplugd_t)
|
||||
|
||||
logging_send_syslog_msg(ifplugd_t)
|
||||
|
||||
miscfiles_read_localization(ifplugd_t)
|
||||
|
||||
netutils_domtrans(ifplugd_t)
|
||||
# transition to ifconfig & dhcpc
|
||||
sysnet_domtrans_ifconfig(ifplugd_t)
|
||||
sysnet_domtrans_dhcpc(ifplugd_t)
|
||||
sysnet_delete_dhcpc_pid(ifplugd_t)
|
||||
sysnet_read_dhcpc_pid(ifplugd_t)
|
||||
sysnet_signal_dhcpc(ifplugd_t)
|
||||
|
||||
optional_policy(`
|
||||
consoletype_exec(ifplugd_t)
|
||||
')
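Review bot: `exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)` under the "config files" comment makes the configuration label also the label of code the daemon executes, so any domain later given `ifplugd_manage_config` can place content that runs as ifplugd_t with net_admin and the ifconfig/dhcpc transitions granted below. That is presumably needed for the action scripts kept in /etc/ifplugd, but the line deserves a comment saying so, e.g. `# the daemon runs the action scripts shipped under /etc/ifplugd, so ifplugd_etc_t must be executable`. If the scripts could instead be given their own type, the config type would not need execute at all; that is a follow-up rather than a blocker.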
|
|
@ -0,0 +1,6 @@
|
|||
/etc/pingd.conf -- gen_context(system_u:object_r:pingd_etc_t,s0)
|
||||
/etc/rc\.d/init\.d/whatsup-pingd -- gen_context(system_u:object_r:pingd_initrc_exec_t,s0)
|
||||
|
||||
/usr/lib/pingd(/.*)? gen_context(system_u:object_r:pingd_modules_t,s0)
|
||||
|
||||
/usr/sbin/pingd -- gen_context(system_u:object_r:pingd_exec_t,s0)
|
|
@ -0,0 +1,97 @@
|
|||
## <summary>Pingd of the Whatsup cluster node up/down detection utility</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run pingd.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`pingd_domtrans',`
|
||||
gen_require(`
|
||||
type pingd_t, pingd_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, pingd_exec_t, pingd_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read pingd etc configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`pingd_read_config',`
|
||||
gen_require(`
|
||||
type pingd_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
read_files_pattern($1, pingd_etc_t, pingd_etc_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Manage pingd etc configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`pingd_manage_config',`
|
||||
gen_require(`
|
||||
type pingd_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
|
||||
manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
|
||||
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an pingd environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the pingd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`pingd_admin',`
|
||||
gen_require(`
|
||||
type pingd_t, pingd_etc_t;
|
||||
type pingd_initrc_exec_t, pingd_modules_t;
|
||||
')
|
||||
|
||||
allow $1 pingd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, pingd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, pingd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 pingd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_list_etc($1)
|
||||
admin_pattern($1, pingd_etc_t)
|
||||
|
||||
files_list_usr($1)
|
||||
admin_pattern($1, pingd_modules_t)
|
||||
')
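Review bot: The summary of `pingd_admin` reads "an pingd environment"; it should be "a pingd environment", and the same article slip appears in `psad_admin` ("an psad environment") and `ulogd_admin` ("an ulogd environment") in this commit. The blank line before the closing `')` in `pingd_manage_config` is also unlike every other interface here (psad_manage_config has the same stray line) and can be dropped. Documentation only, no policy change.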
|
|
@ -0,0 +1,48 @@
|
|||
|
||||
policy_module(pingd, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type pingd_t;
|
||||
type pingd_exec_t;
|
||||
init_daemon_domain(pingd_t, pingd_exec_t)
|
||||
|
||||
# type for config
|
||||
type pingd_etc_t;
|
||||
files_type(pingd_etc_t);
|
||||
|
||||
type pingd_initrc_exec_t;
|
||||
init_script_file(pingd_initrc_exec_t)
|
||||
|
||||
# type for pingd modules
|
||||
type pingd_modules_t;
|
||||
files_type(pingd_modules_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# pingd local policy
|
||||
#
|
||||
|
||||
allow pingd_t self:capability net_raw;
|
||||
allow pingd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow pingd_t self:rawip_socket { write read create bind };
|
||||
|
||||
read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
|
||||
|
||||
read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
|
||||
mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
|
||||
|
||||
corenet_raw_bind_generic_node(pingd_t)
|
||||
corenet_tcp_bind_generic_node(pingd_t)
|
||||
corenet_tcp_bind_pingd_port(pingd_t)
|
||||
|
||||
auth_use_nsswitch(pingd_t)
|
||||
|
||||
files_search_usr(pingd_t)
|
||||
|
||||
logging_send_syslog_msg(pingd_t)
|
||||
|
||||
miscfiles_read_localization(pingd_t)
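Review bot: `files_type(pingd_etc_t);` carries a trailing semicolon that none of the other declaration macro calls in this file or its siblings have; since these are m4 macros the `;` is emitted verbatim into the generated policy and is at best a stray token, so the line should be `files_type(pingd_etc_t)`. Separately, the domain reads /etc/pingd.conf via `read_files_pattern` but nothing visible in this block grants search on /etc itself, whereas the .if interfaces pair the same read with `files_search_etc`; unless `init_daemon_domain` already provides it, `files_search_etc(pingd_t)` looks to be missing.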
|
|
@ -0,0 +1,5 @@
|
|||
/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
|
||||
|
||||
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
|
||||
|
||||
/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
|
|
@ -0,0 +1,66 @@
|
|||
## <summary>Reserve well-known ports in the RPC port range.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run portreserve.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`portreserve_domtrans',`
|
||||
gen_require(`
|
||||
type portreserve_t, portreserve_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, portreserve_exec_t, portreserve_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read
|
||||
## portreserve etcuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
##
|
||||
#
|
||||
interface(`portreserve_read_config',`
|
||||
gen_require(`
|
||||
type portreserve_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 portreserve_etc_t:dir list_dir_perms;
|
||||
read_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
|
||||
read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Allow the specified domain to manage
|
||||
## portreserve etcuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
##
|
||||
#
|
||||
interface(`portreserve_manage_config',`
|
||||
gen_require(`
|
||||
type portreserve_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t)
|
||||
manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
|
||||
read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
|
||||
')
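Review bot: Both `portreserve_read_config` and `portreserve_manage_config` describe "portreserve etcuration files"; the intended word is "configuration files". `portreserve_read_config` is also tagged `<rolecap/>`, which marks an interface as a role capability although it only grants read access to configuration; if that tag was copied in by accident it should go, since it changes how the interface is presented in generated role documentation. Documentation-only either way.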
|
|
@ -0,0 +1,45 @@
|
|||
|
||||
policy_module(portreserve, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type portreserve_t;
|
||||
type portreserve_exec_t;
|
||||
init_daemon_domain(portreserve_t, portreserve_exec_t)
|
||||
|
||||
type portreserve_etc_t;
|
||||
files_type(portreserve_etc_t)
|
||||
|
||||
type portreserve_var_run_t;
|
||||
files_pid_file(portreserve_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Portreserve local policy
|
||||
#
|
||||
|
||||
allow portreserve_t self:fifo_file rw_fifo_file_perms;
|
||||
allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow portreserve_t self:tcp_socket create_socket_perms;
|
||||
allow portreserve_t self:udp_socket create_socket_perms;
|
||||
|
||||
# Read etc files
|
||||
list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
|
||||
read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
|
||||
|
||||
# Manage /var/run/portreserve/*
|
||||
manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
|
||||
manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
|
||||
manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
|
||||
files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file })
|
||||
|
||||
corenet_tcp_bind_generic_node(portreserve_t)
|
||||
corenet_udp_bind_generic_node(portreserve_t)
|
||||
corenet_tcp_bind_all_reserved_ports(portreserve_t)
|
||||
corenet_udp_bind_all_reserved_ports(portreserve_t)
|
||||
|
||||
files_read_etc_files(portreserve_t)
|
|
@ -0,0 +1,8 @@
|
|||
/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0)
|
||||
/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0)
|
||||
|
||||
/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
|
||||
|
||||
/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0)
|
||||
/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0)
|
||||
/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0)
|
|
@ -0,0 +1,262 @@
|
|||
## <summary>Intrusion Detection and Log Analysis with iptables</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run psad.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`psad_domtrans',`
|
||||
gen_require(`
|
||||
type psad_t, psad_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, psad_exec_t, psad_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a generic signal to psad
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`psad_signal',`
|
||||
gen_require(`
|
||||
type psad_t;
|
||||
')
|
||||
|
||||
allow $1 psad_t:process signal;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Send a null signal to psad.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`psad_signull',`
|
||||
gen_require(`
|
||||
type psad_t;
|
||||
')
|
||||
|
||||
allow $1 psad_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read psad etc configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`psad_read_config',`
|
||||
gen_require(`
|
||||
type psad_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
read_files_pattern($1, psad_etc_t, psad_etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage psad etc configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`psad_manage_config',`
|
||||
gen_require(`
|
||||
type psad_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
|
||||
manage_files_pattern($1, psad_etc_t, psad_etc_t)
|
||||
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read psad PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`psad_read_pid_files',`
|
||||
gen_require(`
|
||||
type psad_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
read_files_pattern($1, psad_var_run_t, psad_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read psad PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`psad_rw_pid_files',`
|
||||
gen_require(`
|
||||
type psad_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read psad's log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`psad_read_log',`
|
||||
gen_require(`
|
||||
type psad_var_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
|
||||
read_files_pattern($1, psad_var_log_t, psad_var_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to append to psad's log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`psad_append_log',`
|
||||
gen_require(`
|
||||
type psad_var_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
|
||||
append_files_pattern($1, psad_var_log_t, psad_var_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write psad fifo files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`psad_rw_fifo_file',`
|
||||
gen_require(`
|
||||
type psad_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
|
||||
rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read and write psad tmp files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`psad_rw_tmp_files',`
|
||||
gen_require(`
|
||||
type psad_tmp_t;
|
||||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
rw_files_pattern($1, psad_tmp_t, psad_tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an psad environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the syslog domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`psad_admin',`
|
||||
gen_require(`
|
||||
type psad_t, psad_var_run_t, psad_var_log_t;
|
||||
type psad_initrc_exec_t, psad_var_lib_t;
|
||||
type psad_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 psad_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, psad_t)
|
||||
|
||||
init_labeled_script_domtrans($1, psad_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 psad_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, psad_etc_t)
|
||||
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, psad_var_run_t)
|
||||
|
||||
logging_search_logs($1)
|
||||
admin_pattern($1, psad_var_log_t)
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, psad_var_lib_t)
|
||||
|
||||
files_search_tmp($1)
|
||||
admin_pattern($1, psad_tmp_t)
|
||||
')
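Review bot: `psad_rw_fifo_file` requires only `type psad_t;` but its body references `psad_var_lib_t`, so a caller in another module will fail to build for an undeclared type; the require block should read `type psad_var_lib_t;`. `psad_admin` has the same gap for `psad_etc_t`, which it passes to `admin_pattern` without listing it in `gen_require`; add `type psad_etc_t;` alongside the other types there. On documentation, the summary of `psad_rw_pid_files` still says "Read psad PID files" (copied from the interface above it) and should say "Read and write psad PID files", and the role parameter of `psad_admin` says "manage the syslog domain" where "psad domain" is meant; `ulogd_admin` in this commit carries the identical "syslog domain" slip.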
|
|
@ -0,0 +1,107 @@
|
|||
|
||||
policy_module(psad, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type psad_t;
|
||||
type psad_exec_t;
|
||||
init_daemon_domain(psad_t, psad_exec_t)
|
||||
|
||||
# config files
|
||||
type psad_etc_t;
|
||||
files_type(psad_etc_t)
|
||||
|
||||
type psad_initrc_exec_t;
|
||||
init_script_file(psad_initrc_exec_t)
|
||||
|
||||
# var/lib files
|
||||
type psad_var_lib_t;
|
||||
files_type(psad_var_lib_t)
|
||||
|
||||
# log files
|
||||
type psad_var_log_t;
|
||||
logging_log_file(psad_var_log_t)
|
||||
|
||||
# pid files
|
||||
type psad_var_run_t;
|
||||
files_pid_file(psad_var_run_t)
|
||||
|
||||
# tmp files
|
||||
type psad_tmp_t;
|
||||
files_tmp_file(psad_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# psad local policy
|
||||
#
|
||||
|
||||
allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
|
||||
dontaudit psad_t self:capability sys_tty_config;
|
||||
allow psad_t self:process signull;
|
||||
allow psad_t self:fifo_file rw_fifo_file_perms;
|
||||
allow psad_t self:rawip_socket create_socket_perms;
|
||||
|
||||
# config files
|
||||
read_files_pattern(psad_t, psad_etc_t, psad_etc_t)
|
||||
list_dirs_pattern(psad_t, psad_etc_t, psad_etc_t)
|
||||
|
||||
# log files
|
||||
manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
|
||||
manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
|
||||
logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
|
||||
|
||||
# pid file
|
||||
manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
|
||||
manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
|
||||
files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file })
|
||||
|
||||
# tmp files
|
||||
manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
|
||||
manage_files_pattern(psad_t, psad_tmp_t, psad_tmp_t)
|
||||
files_tmp_filetrans(psad_t, psad_tmp_t, { file dir })
|
||||
|
||||
# /var/lib files
|
||||
search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
|
||||
manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
|
||||
|
||||
kernel_read_system_state(psad_t)
|
||||
kernel_read_network_state(psad_t)
|
||||
kernel_read_net_sysctls(psad_t)
|
||||
|
||||
corecmd_exec_shell(psad_t)
|
||||
corecmd_exec_bin(psad_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(psad_t)
|
||||
corenet_all_recvfrom_netlabel(psad_t)
|
||||
corenet_tcp_sendrecv_generic_if(psad_t)
|
||||
corenet_tcp_sendrecv_generic_node(psad_t)
|
||||
corenet_tcp_bind_generic_node(psad_t)
|
||||
corenet_tcp_sendrecv_all_ports(psad_t)
|
||||
corenet_tcp_connect_whois_port(psad_t)
|
||||
corenet_sendrecv_whois_client_packets(psad_t)
|
||||
|
||||
dev_read_urand(psad_t)
|
||||
|
||||
files_read_etc_runtime_files(psad_t)
|
||||
|
||||
fs_getattr_all_fs(psad_t)
|
||||
|
||||
auth_use_nsswitch(psad_t)
|
||||
|
||||
iptables_domtrans(psad_t)
|
||||
|
||||
logging_read_generic_logs(psad_t)
|
||||
logging_read_syslog_config(psad_t)
|
||||
logging_send_syslog_msg(psad_t)
|
||||
|
||||
miscfiles_read_localization(psad_t)
|
||||
|
||||
sysnet_exec_ifconfig(psad_t)
|
||||
|
||||
optional_policy(`
|
||||
mta_send_mail(psad_t)
|
||||
mta_read_queue(psad_t)
|
||||
')
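Review bot: The `self:capability` set at the top of the local policy includes `dac_override`, which bypasses every discretionary file-permission check rather than enabling one specific operation, yet unlike the rest of this block it carries no comment tying it to a need. A one-line note such as `# dac_override: <which access needs it - to confirm>` would let a later reviewer judge whether it can be dropped, or it could be left out until an actual denial shows it is required. Note also that `corenet_tcp_sendrecv_all_ports(psad_t)` is broader than the whois-port access listed next to it; if psad only sniffs via the raw socket, the all-ports grant may be unnecessary.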
|
|
@ -0,0 +1,7 @@
|
|||
/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
|
||||
/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)
|
||||
|
||||
/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
|
||||
/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
|
||||
|
||||
/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
|
|
@ -0,0 +1,124 @@
|
|||
## <summary>Iptables/netfilter userspace logging daemon.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run ulogd.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ulogd_domtrans',`
|
||||
gen_require(`
|
||||
type ulogd_t, ulogd_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, ulogd_exec_t, ulogd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read
|
||||
## ulogd configuration files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ulogd_read_config',`
|
||||
gen_require(`
|
||||
type ulogd_etc_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read ulogd's log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ulogd_read_log',`
|
||||
gen_require(`
|
||||
type ulogd_var_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 ulogd_var_log_t:dir list_dir_perms;
|
||||
read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to append to ulogd's log files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ulogd_append_log',`
|
||||
gen_require(`
|
||||
type ulogd_var_log_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 ulogd_var_log_t:dir list_dir_perms;
|
||||
allow $1 ulogd_var_log_t:file append_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an ulogd environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the syslog domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`ulogd_admin',`
|
||||
gen_require(`
|
||||
type ulogd_t, ulogd_etc_t;
|
||||
type ulogd_var_log_t, ulogd_initrc_exec_t;
|
||||
type ulogd_modules_t;
|
||||
')
|
||||
|
||||
allow $1 ulogd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, ulogd_t)
|
||||
|
||||
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 ulogd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, ulogd_etc_t)
|
||||
|
||||
logging_list_logs($1)
|
||||
admin_pattern($1, ulogd_var_log_t)
|
||||
|
||||
files_search_usr($1)
|
||||
admin_pattern($1, ulogd_modules_t)
|
||||
')
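Review bot: `ulogd_read_log` and `ulogd_append_log` spell out raw rules (`allow $1 ulogd_var_log_t:dir list_dir_perms;`, `allow $1 ulogd_var_log_t:file append_file_perms;`) where the matching `psad_read_log`/`psad_append_log` in this same commit use the pattern macros. Using `list_dirs_pattern($1, ulogd_var_log_t, ulogd_var_log_t)` and `append_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)` gives the two new modules one style and makes the granted access easier to compare side by side. Behaviour for callers is the same apart from the directory search the pattern form includes.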
|
|
@ -0,0 +1,49 @@
|
|||
|
||||
policy_module(ulogd, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type ulogd_t;
|
||||
type ulogd_exec_t;
|
||||
init_daemon_domain(ulogd_t, ulogd_exec_t)
|
||||
|
||||
# config files
|
||||
type ulogd_etc_t;
|
||||
files_type(ulogd_etc_t)
|
||||
|
||||
type ulogd_initrc_exec_t;
|
||||
init_script_file(ulogd_initrc_exec_t)
|
||||
|
||||
# /usr/lib files
|
||||
type ulogd_modules_t;
|
||||
files_type(ulogd_modules_t)
|
||||
|
||||
# log files
|
||||
type ulogd_var_log_t;
|
||||
logging_log_file(ulogd_var_log_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# ulogd local policy
|
||||
#
|
||||
|
||||
allow ulogd_t self:capability net_admin;
|
||||
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
|
||||
|
||||
# config files
|
||||
read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
|
||||
|
||||
# modules for ulogd
|
||||
list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
|
||||
mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
|
||||
|
||||
# log files
|
||||
manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
|
||||
logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
|
||||
|
||||
files_search_etc(ulogd_t)
|
||||
|
||||
miscfiles_read_localization(ulogd_t)
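Review bot: The "modules for ulogd" rules list and mmap files of type `ulogd_modules_t`, which the .fc hunk places under /usr/lib/ulogd, but the block only calls `files_search_etc(ulogd_t)`; nothing visible grants search on /usr and /usr/lib to reach them. The sibling pingd.te in this commit handles the same layout with `files_search_usr(pingd_t)`, so `files_search_usr(ulogd_t)` appears to be missing here unless `init_daemon_domain` already supplies that access.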
|