## Check file integrity. ####################################### ## ## The template to define a samhain domain. ## ## ## ## Domain prefix to be used. ## ## # template(`samhain_service_template',` gen_require(` attribute samhain_domain; type samhain_exec_t; ') type $1_t, samhain_domain; domain_type($1_t) domain_entry_file($1_t, samhain_exec_t) files_read_all_files($1_t) mls_file_write_all_levels($1_t) ') ######################################## ## ## Execute samhain in the samhain domain ## ## ## ## Domain allowed to transition. ## ## # interface(`samhain_domtrans',` gen_require(` type samhain_t, samhain_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, samhain_exec_t, samhain_t) ') ######################################## ## ## Execute samhain in the samhain ## domain with the clearance security ## level and allow the specifiled role ## the samhain domain. ## ## ##

## Execute samhain in the samhain ## domain with the clearance security ## level and allow the specifiled role ## the samhain domain. ##

##

## The range_transition rule used in ## this interface requires that the ## calling domain should have the ## clearance security level otherwise ## the MLS constraint for process ## transition would fail. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed to access. ## ## ## # interface(`samhain_run',` gen_require(` attribute_role samhain_roles; type samhain_exec_t; ') samhain_domtrans($1) roleattribute $2 samhain_roles; ifdef(`enable_mls', ` range_transition $1 samhain_exec_t:process mls_systemhigh; ') ') ######################################## ## ## Create, read, write, and delete ## samhain configuration files. ## ## ## ## Domain allowed access. ## ## # interface(`samhain_manage_config_files',` gen_require(` type samhain_etc_t; ') files_rw_etc_dirs($1) allow $1 samhain_etc_t:file manage_file_perms; ') ######################################## ## ## Create, read, write, and delete ## samhain database files. ## ## ## ## Domain allowed access. ## ## # interface(`samhain_manage_db_files',` gen_require(` type samhain_db_t; ') files_search_var_lib($1) manage_files_pattern($1, samhain_db_t, samhain_db_t) ') ####################################### ## ## Create, read, write, and delete ## samhain init script files. ## ## ## ## Domain allowed access. ## ## # interface(`samhain_manage_init_script_files',` gen_require(` type samhain_initrc_exec_t; ') files_search_etc($1) manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t) ') ######################################## ## ## Create, read, write, and delete ## samhain log and log.lock files. ## ## ## ## Domain allowed access. ## ## # interface(`samhain_manage_log_files',` gen_require(` type samhain_log_t; ') logging_search_logs($1) manage_files_pattern($1, samhain_log_t, samhain_log_t) ') ######################################## ## ## Create, read, write, and delete ## samhain pid files. ## ## ## ## Domain allowed access. ## ## # interface(`samhain_manage_pid_files',` gen_require(` type samhain_var_run_t; ') files_search_pids($1) manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t) ') ####################################### ## ## All of the rules required to ## administrate the samhain environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`samhain_admin',` gen_require(` attribute samhain_domain; type samhain_db_t, samhain_etc_t; type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; ') allow $1 samhain_domain:process { ptrace signal_perms }; ps_process_pattern($1, samhain_domain) # duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first # init_startstop_service($1, $2, samhain_domain, samhain_initrc_exec_t) files_list_var_lib($1) admin_pattern($1, samhain_db_t) files_list_etc($1) admin_pattern($1, { samhain_initrc_exec_t samhain_etc_t }) logging_list_logs($1) admin_pattern($1, samhain_log_t) files_list_pids($1) admin_pattern($1, samhain_var_run_t) ')