## <summary> Standards Based Linux Instrumentation for Manageability. </summary>
########################################
## <summary>
##	Creates the sblim_$1_t daemon domain and its
##	sblim_$1_exec_t entrypoint type, attaches the
##	domain to the shared sblim_domain attribute, and
##	grants the baseline access every sblim daemon in
##	this module gets (system state, syslog, and
##	unlabeled/NetLabel network receive).
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain; e.g. "gatherd" would yield
##	sblim_gatherd_t and sblim_gatherd_exec_t.
##	</summary>
## </param>
#
template(`sblim_domain_template',`
	gen_require(`
		attribute sblim_domain;
	')

	# The domain type carries the module-wide sblim_domain attribute,
	# so rules written against the attribute apply to every instantiation.
	type sblim_$1_t, sblim_domain;
	type sblim_$1_exec_t;
	# Daemon domain entered from sblim_$1_exec_t when started by init.
	init_daemon_domain(sblim_$1_t, sblim_$1_exec_t)

	kernel_read_system_state(sblim_$1_t)

	# Baseline network receive: packets without a label and packets
	# labeled via NetLabel, on all networks.
	# NOTE(review): this is granted to every domain built from the
	# template, including instantiations that may never use the
	# network -- confirm each instantiating .te actually needs it.
	corenet_all_recvfrom_unlabeled(sblim_$1_t)
	corenet_all_recvfrom_netlabel(sblim_$1_t)

	logging_send_syslog_msg(sblim_$1_t)
')
########################################
## <summary>
##	Execute gatherd in the sblim_gatherd_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`sblim_domtrans_gatherd',`
	gen_require(`
		type sblim_gatherd_t, sblim_gatherd_exec_t;
	')

	# Callers must be able to traverse bin directories to reach the
	# gatherd executable.
	corecmd_search_bin($1)
	# Automatic transition: $1 gets execute on sblim_gatherd_exec_t, the
	# entrypoint into sblim_gatherd_t, and the type_transition that moves
	# the process into sblim_gatherd_t on exec.
	domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t)
')
########################################
## <summary>
##	Read gatherd PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sblim_read_pid_files',`
	gen_require(`
		type sblim_var_run_t;
	')

	# Search permission on the pid (/run) directory hierarchy so the
	# caller can reach the files.
	files_search_pids($1)
	# Read-only access to files labeled sblim_var_run_t; no write, create
	# or unlink is granted here (sblim_admin covers management).
	# NOTE(review): only the file class is covered -- if sblim_var_run_t
	# also labels a directory under /run, callers would additionally need
	# search on it (read_files_pattern would cover both); confirm against
	# the module's .fc/.te.
	allow $1 sblim_var_run_t:file read_file_perms;
')
########################################
## <summary>
##	All of the rules required to administrate
##	a gatherd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`sblim_admin',`
	gen_require(`
		type sblim_gatherd_t, sblim_reposd_t, sblim_var_run_t;
	')

	# Both sblim daemons are handled together: the admin may signal them
	# and inspect their /proc entries.
	allow $1 { sblim_gatherd_t sblim_reposd_t }:process signal_perms;
	ps_process_pattern($1, { sblim_gatherd_t sblim_reposd_t })

	# ptrace of either daemon is only available while the system-wide
	# deny_ptrace boolean is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 { sblim_gatherd_t sblim_reposd_t }:process ptrace;
	')

	# Full management (create/write/unlink/relabel) of the daemons' pid
	# files under /run.
	files_search_pids($1)
	admin_pattern($1, sblim_var_run_t)

	# NOTE(review): sblim_domain_template in this file puts every
	# instantiated daemon on the sblim_domain attribute, but admin
	# coverage here is limited to gatherd and reposd -- confirm no other
	# instantiation exists that should be covered.
')