## <summary>Samhain - check file integrity</summary>
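#######################################
## <summary>
##	The template containing the most basic rules
##	common to the samhain domains.
## </summary>
## <param name="samhaindomain_prefix">
##	<summary>
##	The prefix of the samhain domains (e.g., samhain
##	for the domain of command line access, samhaind
##	for the domain started by init script).
##	</summary>
## </param>
## <rolebase/>
#
template(`samhain_service_template',`
	gen_require(`
		type samhain_etc_t, samhain_exec_t;
		type samhain_log_t, samhain_var_run_t;
	')

	type $1_t;
	domain_type($1_t)
	domain_entry_file($1_t, samhain_exec_t)

	# The checker must open arbitrary files regardless of their DAC
	# permissions; the two dac_* capabilities cover that, fowner and
	# ipc_lock presumably cover ownership checks and locked memory.
	allow $1_t self:capability { dac_override dac_read_search fowner ipc_lock };
	dontaudit $1_t self:capability { sys_resource sys_ptrace };
	allow $1_t self:fd use;
	allow $1_t self:process { setsched setrlimit signull };

	# Configuration is read-only for the service domains; writing it is
	# left to samhain_manage_config_files() and samhain_admin().
	allow $1_t samhain_etc_t:file read_file_perms;
	files_search_etc($1_t)

	# Log and pid files created in the generic log/pid directories are
	# labelled with the samhain types via the file transitions below.
	manage_files_pattern($1_t, samhain_log_t, samhain_log_t)
	logging_log_filetrans($1_t, samhain_log_t, file)

	manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t)
	files_pid_filetrans($1_t, samhain_var_run_t, file)

	# Samhain needs to get the attribute of /proc/kcore.
	kernel_getattr_core_if($1_t)

	corecmd_list_bin($1_t)
	corecmd_read_bin_symlinks($1_t)

	# To get entropy
	dev_read_urand($1_t)
	dev_dontaudit_read_rand($1_t)

	# Get the attributes of all kinds of files in the rootfs.
	dev_getattr_all_blk_files($1_t)
	dev_getattr_all_chr_files($1_t)
	dev_getattr_generic_blk_files($1_t)
	dev_getattr_generic_chr_files($1_t)

	# Integrity checking reads every file and symlink on the system;
	# attribute access covers the remaining object classes.
	files_getattr_all_dirs($1_t)
	files_getattr_all_files($1_t)
	files_getattr_all_symlinks($1_t)
	files_getattr_all_pipes($1_t)
	files_getattr_all_sockets($1_t)
	files_getattr_all_mountpoints($1_t)
	files_read_all_files($1_t)
	files_read_all_symlinks($1_t)

	# Get the attribute of other filesystems mountpoint, such as /selinux
	# /proc, /sys and /tmp, but not the contents inside, which suggests
	# that following rules should be set in samhain configuration file:
	# [Attributes]
	#    file = /tmp
	#    file = /proc
	#    file = /sys
	#    file = /selinux
	# [IgnoreALL]
	#    dir = -1/tmp
	#    dir = -1/proc
	#    dir = -1/sys
	#    dir = -1/selinux
	fs_getattr_all_dirs($1_t)

	# Samhain pid, log and log.lock files are all in directories of s0,
	# while samhain daemon is running with the clearance level.
	mls_file_write_all_levels($1_t)

	# Read from wtmp (login records) when monitoring login/logout events.
	auth_read_login_records($1_t)

	# Read from utmp when monitoring login/logout events.
	init_read_utmp($1_t)

	logging_send_syslog_msg($1_t)
')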
########################################
## <summary>
##	Execute samhain in the samhain domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samhain_domtrans',`
	gen_require(`
		type samhain_t, samhain_exec_t;
	')

	# Resolving the executable path requires search on the bin directories;
	# the role allowed to run samhain_t is granted by samhain_run(), not here.
	corecmd_search_bin($1)
	domtrans_pattern($1, samhain_exec_t, samhain_t)
')
########################################
## <summary>
##	Execute samhain in the samhain domain with the clearance security
##	level and allow the specified role the samhain domain.
## </summary>
## <desc>
##	<p>
##	Execute samhain in the samhain domain with the clearance security
##	level and allow the specified role the samhain domain.
##	</p>
##	<p>
##	The range_transition rule used in this interface requires that
##	the calling domain should have the clearance security level
##	otherwise the MLS constraint for process transition would fail.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed to access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samhain_run',`
	gen_require(`
		type samhain_t, samhain_exec_t;
	')

	samhain_domtrans($1)
	role $2 types samhain_t;

	# With MLS enabled, executing samhain_exec_t from $1 starts the new
	# process at mls_systemhigh; the caller itself must be cleared for
	# that range (see the description above).
	ifdef(`enable_mls', `
		range_transition $1 samhain_exec_t:process mls_systemhigh;
	')
')
########################################
## <summary>
##	Manage samhain configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_config_files',`
	gen_require(`
		type samhain_etc_t;
	')

	# The config files live directly in the generic /etc directory, so the
	# caller gets rw on etc dirs plus full management of samhain_etc_t files.
	# NOTE(review): no file type transition is set here, so a file the
	# caller creates in /etc would not automatically become samhain_etc_t;
	# presumably relabelling is expected — confirm with callers.
	files_rw_etc_dirs($1)
	allow $1 samhain_etc_t:file manage_file_perms;
')
########################################
## <summary>
##	Manage samhain database files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_db_files',`
	gen_require(`
		type samhain_db_t;
	')

	# Only search on /var/lib; management is confined to samhain_db_t
	# directories and the files inside them.
	files_search_var_lib($1)
	manage_files_pattern($1, samhain_db_t, samhain_db_t)
')
#######################################
## <summary>
##	Manage samhain init script files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_init_script_files',`
	gen_require(`
		type samhain_initrc_exec_t;
	')

	# Management of the init script as a file only; executing it in the
	# init script domain is not granted by this interface.
	files_search_etc($1)
	manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
')
########################################
## <summary>
##	Manage samhain log and log.lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_log_files',`
	gen_require(`
		type samhain_log_t;
	')

	# Search on the generic log directory, full management of the
	# samhain_log_t files and directories beneath it.
	logging_search_logs($1)
	manage_files_pattern($1, samhain_log_t, samhain_log_t)
')
########################################
## <summary>
##	Manage samhain pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_pid_files',`
	gen_require(`
		type samhain_var_run_t;
	')

	# Search on the generic pid directory, full management of the
	# samhain_var_run_t files and directories beneath it.
	files_search_pids($1)
	manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
')
#######################################
## <summary>
##	All of the rules required to administrate
##	the samhain environment.
## </summary>
## <desc>
##	<p>
##	This interface assumes that the calling domain has been able to
##	remove an entry from /var/lib/ or /var/log/ and belongs to the
##	mlsfilewrite attribute, since samhain files may be of clearance
##	security level while their parent directories are of s0.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_admin',`
	gen_require(`
		type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
		type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
	')

	# Process control over both samhain domains.
	# NOTE(review): ptrace goes well beyond what stopping/restarting the
	# checker needs and exposes its memory to the admin domain; confirm it
	# is actually required before keeping it.
	allow $1 samhain_t:process { ptrace signal_perms };
	ps_process_pattern($1, samhain_t)

	allow $1 samhaind_t:process { ptrace signal_perms };
	ps_process_pattern($1, samhaind_t)

	# Full management of every samhain file type; the generic parent
	# directories (/var/lib, /etc, logs, pids) are only listed.
	files_list_var_lib($1)
	admin_pattern($1, samhain_db_t)

	files_list_etc($1)
	admin_pattern($1, samhain_etc_t)
	# The init script is managed as a file but not executed here: this
	# interface takes no role parameter, so running the script in the init
	# script domain must be granted elsewhere if the admin role needs it.
	admin_pattern($1, samhain_initrc_exec_t)

	logging_list_logs($1)
	admin_pattern($1, samhain_log_t)

	files_list_pids($1)
	admin_pattern($1, samhain_var_run_t)
')