Current policy sets /lib(32|64)?/rc/init.d to lib_t. This causes
problems for DHCP among other things, as the initrc domain does not
have permissions to perform some operations. Changing to
initrc_state_t (the labeling used for /var/lib/init.d by
the older baselayout-1) resolves some of these issues.
Signed-off-by: Chris Richards <gizmo@giz-works.com>
* Rearrange rules in the template.
* Remove samhain_etc_t:dir perms since there are no such dirs.
* Add extra docs in samhain_domtrans().
* Include samhaind_t in admin interface process perms.
Note, extra privileges may need to be granted to the samhain domain
if its default configuration file(/etc/samhainrc) is changed.
The samhain program could be used in the following way:
(In secadm_r role)
1. Initialize filesystem signature database:
newrole -l s15:c0.c1023 -p -- -c "samhain -t init"
(Note, the current secadm console will be blocked until
the database is completed)
2. Start samhain deamon to check filesystem integrity
newrole -l s15:c0.c1023 -p -- -c "samhain -t check -D"
3. Update filesystem signature database:
newrole -l s15:c0.c1023 -p -- -c "samhain -t update"
(In sysadm_r role)
1. Start samhain in daemon mode:
run_init /etc/init.d/samhain start
2. Stop samhain daemon:
run_init /etc/init.d/samhain stop
3. Check samhain daemon status:
run_init /etc/init.d/samhain status
4. Read/write samhain log files:
newrole -l s15:c0.c1023 -p -- -c "cat /var/log/samhain_log"
5. Remove samhain database files
newrole -l s15:c0.c1023 -p -- -c "rm /var/lib/samhain/samhain_file"
Note:
1. Stop samhain daemon before updating signature database.
2. Don't try to start samhain daemon twice.
3. Need to toggle SELinux into the Permissive mode in order to remove
the samhain_log files from /var/log/.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
As of util-linux-n 2.18, the mount utility now attempts to write to the root
of newly mounted filesystems. It does this in an attempt to ensure that the
r/w status of a filesystem as shown in mtab is correct. To detect whether
a filesystem is r/w, mount calls access() with the W_OK argument. This
results in an AVC denial with current policy. As a fallback, mount also
attempts to modify the access time of the directory being mounted on if
the call to access() fails. As mount already possesses the necessary
privileges, the modification of the access time succeeds (at least on systems
with the futimens() function, which has existed in linux since kernel 2.6.22
and glibc since version 2.6, or about July 2007).
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Both the system administrator and the unprivileged user could use vlock
to lock the current console when logging in either from the serial console
or by ssh.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>