selinux-refpolicy/policy/modules/admin/samhain.if

238 lines
4.8 KiB
Plaintext

## <summary>Check file integrity.</summary>
#######################################
## <summary>
## The template to define a samhain domain.
## </summary>
## <param name="domain_prefix">
## <summary>
## Domain prefix to be used.
## </summary>
## </param>
#
template(`samhain_service_template',`
gen_require(`
attribute samhain_domain;
type samhain_exec_t;
')
type $1_t, samhain_domain;
domain_type($1_t)
domain_entry_file($1_t, samhain_exec_t)
files_read_all_files($1_t)
mls_file_write_all_levels($1_t)
')
########################################
## <summary>
## Execute samhain in the samhain domain
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`samhain_domtrans',`
gen_require(`
type samhain_t, samhain_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, samhain_exec_t, samhain_t)
')
########################################
## <summary>
## Execute samhain in the samhain
## domain with the clearance security
## level and allow the specifiled role
## the samhain domain.
## </summary>
## <desc>
## <p>
## Execute samhain in the samhain
## domain with the clearance security
## level and allow the specifiled role
## the samhain domain.
## </p>
## <p>
## The range_transition rule used in
## this interface requires that the
## calling domain should have the
## clearance security level otherwise
## the MLS constraint for process
## transition would fail.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed to access.
## </summary>
## </param>
## <rolecap/>
#
interface(`samhain_run',`
gen_require(`
attribute_role samhain_roles;
type samhain_exec_t;
')
samhain_domtrans($1)
roleattribute $2 samhain_roles;
ifdef(`enable_mls', `
range_transition $1 samhain_exec_t:process mls_systemhigh;
')
')
########################################
## <summary>
## Create, read, write, and delete
## samhain configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`samhain_manage_config_files',`
gen_require(`
type samhain_etc_t;
')
files_rw_etc_dirs($1)
allow $1 samhain_etc_t:file manage_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete
## samhain database files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`samhain_manage_db_files',`
gen_require(`
type samhain_db_t;
')
files_search_var_lib($1)
manage_files_pattern($1, samhain_db_t, samhain_db_t)
')
#######################################
## <summary>
## Create, read, write, and delete
## samhain init script files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`samhain_manage_init_script_files',`
gen_require(`
type samhain_initrc_exec_t;
')
files_search_etc($1)
manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
')
########################################
## <summary>
## Create, read, write, and delete
## samhain log and log.lock files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`samhain_manage_log_files',`
gen_require(`
type samhain_log_t;
')
logging_search_logs($1)
manage_files_pattern($1, samhain_log_t, samhain_log_t)
')
########################################
## <summary>
## Create, read, write, and delete
## samhain pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`samhain_manage_pid_files',`
gen_require(`
type samhain_runtime_t;
')
files_search_pids($1)
manage_files_pattern($1, samhain_runtime_t, samhain_runtime_t)
')
#######################################
## <summary>
## All of the rules required to
## administrate the samhain environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`samhain_admin',`
gen_require(`
attribute samhain_domain;
type samhain_db_t, samhain_etc_t;
type samhain_initrc_exec_t, samhain_log_t, samhain_runtime_t;
')
allow $1 samhain_domain:process { ptrace signal_perms };
ps_process_pattern($1, samhain_domain)
# duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first
# init_startstop_service($1, $2, samhain_domain, samhain_initrc_exec_t)
files_list_var_lib($1)
admin_pattern($1, samhain_db_t)
files_list_etc($1)
admin_pattern($1, { samhain_initrc_exec_t samhain_etc_t })
logging_list_logs($1)
admin_pattern($1, samhain_log_t)
files_list_pids($1)
admin_pattern($1, samhain_runtime_t)
')