|
Dominick Grift |
ca1ea30 |
## <summary>Check file integrity.</summary>
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#######################################
|
|
|
1ec3d1a |
## <summary>
|
|
Dominick Grift |
ca1ea30 |
## The template to define a samhain domain.
|
|
|
1ec3d1a |
## </summary>
|
|
Dominick Grift |
ca1ea30 |
## <param name="domain_prefix">
|
|
|
1ec3d1a |
## <summary>
|
|
Dominick Grift |
ca1ea30 |
## Domain prefix to be used.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
template(`samhain_service_template',`
|
|
|
1ec3d1a |
gen_require(`
|
|
Dominick Grift |
ca1ea30 |
attribute samhain_domain;
|
|
Dominick Grift |
ca1ea30 |
type samhain_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type $1_t;
|
|
|
1ec3d1a |
domain_type($1_t)
|
|
|
1ec3d1a |
domain_entry_file($1_t, samhain_exec_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_read_all_files($1_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
mls_file_write_all_levels($1_t)
|
|
|
1f86dac |
|
|
|
1f86dac |
logging_send_sylog_msg($1_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Execute samhain in the samhain domain
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`samhain_domtrans',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type samhain_t, samhain_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
corecmd_search_bin($1)
|
|
|
1ec3d1a |
domtrans_pattern($1, samhain_exec_t, samhain_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
Dominick Grift |
ca1ea30 |
## Execute samhain in the samhain
|
|
Dominick Grift |
ca1ea30 |
## domain with the clearance security
|
|
Dominick Grift |
ca1ea30 |
## level and allow the specifiled role
|
|
Dominick Grift |
ca1ea30 |
## the samhain domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <desc>
|
|
|
1ec3d1a |
##
|
|
Dominick Grift |
ca1ea30 |
## Execute samhain in the samhain
|
|
Dominick Grift |
ca1ea30 |
## domain with the clearance security
|
|
Dominick Grift |
ca1ea30 |
## level and allow the specifiled role
|
|
Dominick Grift |
ca1ea30 |
## the samhain domain.
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
##
|
|
Dominick Grift |
ca1ea30 |
## The range_transition rule used in
|
|
Dominick Grift |
ca1ea30 |
## this interface requires that the
|
|
Dominick Grift |
ca1ea30 |
## calling domain should have the
|
|
Dominick Grift |
ca1ea30 |
## clearance security level otherwise
|
|
Dominick Grift |
ca1ea30 |
## the MLS constraint for process
|
|
Dominick Grift |
ca1ea30 |
## transition would fail.
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## </desc>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <param name="role">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Role allowed to access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <rolecap/>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`samhain_run',`
|
|
|
1ec3d1a |
gen_require(`
|
|
Dominick Grift |
ca1ea30 |
attribute_role samhain_roles;
|
|
Dominick Grift |
ca1ea30 |
type samhain_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
samhain_domtrans($1)
|
|
Dominick Grift |
ca1ea30 |
roleattribute $2 samhain_roles;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
ifdef(`enable_mls', `
|
|
|
1ec3d1a |
range_transition $1 samhain_exec_t:process mls_systemhigh;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
Dominick Grift |
ca1ea30 |
## Create, read, write, and delete
|
|
Dominick Grift |
ca1ea30 |
## samhain configuration files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`samhain_manage_config_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type samhain_etc_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_rw_etc_dirs($1)
|
|
|
1ec3d1a |
allow $1 samhain_etc_t:file manage_file_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
Dominick Grift |
ca1ea30 |
## Create, read, write, and delete
|
|
Dominick Grift |
ca1ea30 |
## samhain database files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`samhain_manage_db_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type samhain_db_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_var_lib($1)
|
|
|
1ec3d1a |
manage_files_pattern($1, samhain_db_t, samhain_db_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#######################################
|
|
|
1ec3d1a |
## <summary>
|
|
Dominick Grift |
ca1ea30 |
## Create, read, write, and delete
|
|
Dominick Grift |
ca1ea30 |
## samhain init script files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`samhain_manage_init_script_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type samhain_initrc_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_etc($1)
|
|
|
1ec3d1a |
manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
Dominick Grift |
ca1ea30 |
## Create, read, write, and delete
|
|
Dominick Grift |
ca1ea30 |
## samhain log and log.lock files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`samhain_manage_log_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type samhain_log_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_search_logs($1)
|
|
|
1ec3d1a |
manage_files_pattern($1, samhain_log_t, samhain_log_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
Dominick Grift |
ca1ea30 |
## Create, read, write, and delete
|
|
Dominick Grift |
ca1ea30 |
## samhain pid files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`samhain_manage_pid_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type samhain_var_run_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_pids($1)
|
|
|
1ec3d1a |
manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#######################################
|
|
|
1ec3d1a |
## <summary>
|
|
Dominick Grift |
ca1ea30 |
## All of the rules required to
|
|
Dominick Grift |
ca1ea30 |
## administrate the samhain environment.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
Dominick Grift |
ca1ea30 |
## <param name="role">
|
|
Dominick Grift |
ca1ea30 |
## <summary>
|
|
Dominick Grift |
ca1ea30 |
## Role allowed access.
|
|
Dominick Grift |
ca1ea30 |
## </summary>
|
|
Dominick Grift |
ca1ea30 |
## </param>
|
|
Dominick Grift |
ca1ea30 |
## <rolecap/>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`samhain_admin',`
|
|
|
1ec3d1a |
gen_require(`
|
|
Dominick Grift |
ca1ea30 |
attribute samhain_domain;
|
|
|
1ec3d1a |
type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
|
|
|
1ec3d1a |
type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
Dominick Grift |
ca1ea30 |
allow $1 samhain_domain:process { ptrace signal_perms };
|
|
Dominick Grift |
ca1ea30 |
ps_process_pattern($1, samhain_domain)
|
|
Chris PeBenito |
9401ae1 |
|
|
Dominick Grift |
ca1ea30 |
# pending
|
|
Dominick Grift |
ca1ea30 |
# init_labeled_script_domtrans($1, samhain_initrc_exec_t)
|
|
Dominick Grift |
ca1ea30 |
# domain_system_change_exemption($1)
|
|
Dominick Grift |
ca1ea30 |
# role_transition $2 samhain_initrc_exec_t system_r;
|
|
Dominick Grift |
ca1ea30 |
# allow $2 system_r;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_list_var_lib($1)
|
|
|
1ec3d1a |
admin_pattern($1, samhain_db_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_list_etc($1)
|
|
Dominick Grift |
ca1ea30 |
admin_pattern($1, { samhain_initrc_exec_t samhain_etc_t })
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_list_logs($1)
|
|
|
1ec3d1a |
admin_pattern($1, samhain_log_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_list_pids($1)
|
|
|
1ec3d1a |
admin_pattern($1, samhain_var_run_t)
|
|
Dominick Grift |
ca1ea30 |
|
|
Dominick Grift |
ca1ea30 |
# samhain_run($1, $2)
|
|
|
1ec3d1a |
')
|