## <summary>Samhain - check file integrity</summary>
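#######################################
## <summary>
##	The template containing the most basic rules
##	common to the samhain domains.
## </summary>
## <param name="samhaindomain_prefix">
##	<summary>
##	The prefix of the samhain domains (e.g., samhain
##	for the domain of command line access, samhaind
##	for the domain started by init script).
##	</summary>
## </param>
## <rolebase/>
#
template(`samhain_service_template',`
	# Only types referenced directly by the rules below are required;
	# access to the generic etc type goes through files_search_etc().
	gen_require(`
		type samhain_etc_t, samhain_exec_t;
		type samhain_log_t, samhain_var_run_t;
	')

	# Declare the per-prefix domain and make the shared samhain
	# executable its entry point.
	type $1_t;
	domain_type($1_t)
	domain_entry_file($1_t, samhain_exec_t)

	# NOTE(review): dac_override, dac_read_search and fowner bypass
	# discretionary file permission checks. Combined with the read-all
	# rules further down, every domain built from this template is
	# highly privileged; instantiate it only for samhain itself.
	allow $1_t self:capability { dac_override dac_read_search fowner ipc_lock };
	# sys_resource and sys_ptrace stay denied; the denials are just not logged.
	dontaudit $1_t self:capability { sys_resource sys_ptrace };
	allow $1_t self:fd use;
	allow $1_t self:process { setsched setrlimit signull };

	# The configuration is read-only for the samhain domains themselves.
	allow $1_t samhain_etc_t:file read_file_perms;
	files_search_etc($1_t)

	# Log files: full management, and new files created in the log
	# directory get the samhain_log_t label.
	manage_files_pattern($1_t, samhain_log_t, samhain_log_t)
	logging_log_filetrans($1_t, samhain_log_t, file)

	# Pid files: same arrangement with samhain_var_run_t.
	manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t)
	files_pid_filetrans($1_t, samhain_var_run_t, file)

	# Samhain needs to get the attributes of /proc/kcore.
	kernel_getattr_core_if($1_t)

	corecmd_list_bin($1_t)
	corecmd_read_bin_symlinks($1_t)

	# To get entropy: /dev/urandom is readable, while reads of
	# /dev/random are denied without being logged.
	dev_read_urand($1_t)
	dev_dontaudit_read_rand($1_t)

	# Get the attributes of all kinds of files in the rootfs.
	dev_getattr_all_blk_files($1_t)
	dev_getattr_all_chr_files($1_t)
	dev_getattr_generic_blk_files($1_t)
	dev_getattr_generic_chr_files($1_t)

	files_getattr_all_dirs($1_t)
	files_getattr_all_files($1_t)
	files_getattr_all_symlinks($1_t)
	files_getattr_all_pipes($1_t)
	files_getattr_all_sockets($1_t)
	files_getattr_all_mountpoints($1_t)
	# Reading file contents is what lets the checker compute checksums;
	# it is also the broadest grant in this template.
	files_read_all_files($1_t)
	files_read_all_symlinks($1_t)

	# Get the attributes of the mountpoints of other filesystems, such
	# as /selinux, /proc, /sys and /tmp, but not of the contents inside.
	# The samhain configuration file should therefore contain the
	# following rules:
	# [Attributes]
	# file = /tmp
	# file = /proc
	# file = /sys
	# file = /selinux
	# [IgnoreALL]
	# dir = -1/tmp
	# dir = -1/proc
	# dir = -1/sys
	# dir = -1/selinux
	fs_getattr_all_dirs($1_t)

	# Samhain pid, log and log.lock files are all in directories of s0,
	# while the samhain daemon is running with the clearance level.
	# NOTE(review): this exempts the domain from the MLS restriction on
	# writing to files of other levels; confirm that is still required
	# whenever the file locations change.
	mls_file_write_all_levels($1_t)

	# Read the login records (wtmp) when monitoring login/logout events.
	auth_read_login_records($1_t)

	# Read utmp when monitoring login/logout events.
	init_read_utmp($1_t)

	logging_send_syslog_msg($1_t)
')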
########################################
## <summary>
##	Execute samhain in the samhain domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samhain_domtrans',`
	gen_require(`
		type samhain_exec_t;
		type samhain_t;
	')

	# The caller has to be able to search the bin directories to
	# reach the samhain executable.
	corecmd_search_bin($1)
	# Executing samhain_exec_t from $1 transitions into samhain_t.
	domtrans_pattern($1, samhain_exec_t, samhain_t)
')
########################################
## <summary>
##	Execute samhain in the samhain domain with the clearance security
##	level and allow the specified role the samhain domain.
## </summary>
## <desc>
##	<p>
##	Execute samhain in the samhain domain with the clearance security
##	level and allow the specified role the samhain domain.
##	</p>
##	<p>
##	The range_transition rule used in this interface requires that
##	the calling domain should have the clearance security level,
##	otherwise the MLS constraint for process transition would fail.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed to access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samhain_run',`
	gen_require(`
		type samhain_exec_t;
		type samhain_t;
	')

	# Domain transition for the caller, plus authorization of the
	# role to be associated with samhain_t.
	samhain_domtrans($1)
	role $2 types samhain_t;

	# On MLS policies only: a process started by $1 from samhain_exec_t
	# runs at mls_systemhigh.
	ifdef(`enable_mls',`
		range_transition $1 samhain_exec_t:process mls_systemhigh;
	')
')
########################################
## <summary>
##	Manage samhain configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_config_files',`
	gen_require(`
		type samhain_etc_t;
	')

	# Read/write access to the etc directories, then full management
	# of the files labeled samhain_etc_t.
	# NOTE(review): a caller that can rewrite the configuration can
	# presumably change what samhain monitors; keep the set of callers
	# small.
	files_rw_etc_dirs($1)
	allow $1 samhain_etc_t:file manage_file_perms;
')
########################################
## <summary>
##	Manage samhain database files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_db_files',`
	gen_require(`
		type samhain_db_t;
	')

	# Search /var/lib, then manage the files labeled samhain_db_t.
	# NOTE(review): presumably this database is the baseline samhain
	# compares against, so write access to it should be granted
	# sparingly -- confirm against the samhain documentation.
	files_search_var_lib($1)
	manage_files_pattern($1, samhain_db_t, samhain_db_t)
')
#######################################
## <summary>
##	Manage samhain init script files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_init_script_files',`
	gen_require(`
		type samhain_initrc_exec_t;
	')

	# Search the etc directories, then manage the files labeled
	# samhain_initrc_exec_t.
	files_search_etc($1)
	manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
')
########################################
## <summary>
##	Manage samhain log and log.lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_log_files',`
	gen_require(`
		type samhain_log_t;
	')

	# Search the log directories, then manage the files labeled
	# samhain_log_t.
	# NOTE(review): manage access covers modifying and removing the
	# checker's own log files; grant it only to domains that are
	# trusted with that record.
	logging_search_logs($1)
	manage_files_pattern($1, samhain_log_t, samhain_log_t)
')
########################################
## <summary>
##	Manage samhain pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_pid_files',`
	gen_require(`
		type samhain_var_run_t;
	')

	# Search the pid directories, then manage the files labeled
	# samhain_var_run_t.
	files_search_pids($1)
	manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
')
#######################################
## <summary>
##	All of the rules required to administrate
##	the samhain environment.
## </summary>
## <desc>
##	<p>
##	This interface assumes that the calling domain is already able to
##	remove an entry from /var/lib/ or /var/log/ and belongs to the
##	mlsfilewrite attribute, since samhain files may be of clearance
##	security level while their parent directories are of s0.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_admin',`
	gen_require(`
		type samhain_t, samhaind_t;
		type samhain_db_t, samhain_etc_t, samhain_initrc_exec_t;
		type samhain_log_t, samhain_var_run_t;
	')

	# Signal, trace and list both samhain process domains.
	# NOTE(review): ptrace gives the caller control over the running
	# integrity checker, and the admin_pattern rules below cover its
	# database, configuration and logs. A domain granted this interface
	# can therefore alter what samhain reports; restrict it to trusted
	# administrative domains.
	allow $1 { samhain_t samhaind_t }:process { ptrace signal_perms };
	ps_process_pattern($1, samhain_t)
	ps_process_pattern($1, samhaind_t)

	# Database under /var/lib.
	files_list_var_lib($1)
	admin_pattern($1, samhain_db_t)

	# Configuration and init script under /etc.
	files_list_etc($1)
	admin_pattern($1, samhain_etc_t)
	admin_pattern($1, samhain_initrc_exec_t)

	# Log and log.lock files.
	logging_list_logs($1)
	admin_pattern($1, samhain_log_t)

	# Pid files.
	files_list_pids($1)
	admin_pattern($1, samhain_var_run_t)
')