psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

  1.   a0287575dbbc66e1df2d6654a3b5e284aa8a2ad7
  2.   samhain.if
Blob Blame History Raw 
## <summary>Samhain - check file integrity</summary>

#######################################
## <summary>
##	The template containing the most basic rules
##	common to the samhain domains.
## </summary>
## <param name="samhaindomain_prefix">
##	<summary>
##	The prefix of the samhain domains(e.g., samhain
##	for the domain of command line access, samhaind
##	for the domain started by init script).
##	</summary>
## </param>
## <rolebase/>
#
template(`samhain_service_template',`
	gen_require(`
		type etc_t, samhain_etc_t, samhain_exec_t;
		type samhain_log_t, samhain_var_run_t;
	')

	type $1_t;
	domain_type($1_t)
	domain_entry_file($1_t, samhain_exec_t)

	allow $1_t self:capability { dac_override dac_read_search fowner ipc_lock };
	dontaudit $1_t self:capability { sys_resource sys_ptrace };
	allow $1_t self:fd use;
	allow $1_t self:process { setsched setrlimit signull };

	allow $1_t samhain_etc_t:file read_file_perms;
	files_search_etc($1_t)

	manage_files_pattern($1_t, samhain_log_t, samhain_log_t)
	logging_log_filetrans($1_t, samhain_log_t, file)

	manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t)
	files_pid_filetrans($1_t, samhain_var_run_t, file)

	# Samhain needs to get the attribute of /proc/kcore.
	kernel_getattr_core_if($1_t)

	corecmd_list_bin($1_t)
	corecmd_read_bin_symlinks($1_t)

	# To get entropy
	dev_read_urand($1_t)
	dev_dontaudit_read_rand($1_t)

	# Get the attributes of all kinds of files in the rootfs.
	dev_getattr_all_blk_files($1_t)
	dev_getattr_all_chr_files($1_t)
	dev_getattr_generic_blk_files($1_t)
	dev_getattr_generic_chr_files($1_t)

	files_getattr_all_dirs($1_t)
	files_getattr_all_files($1_t)
	files_getattr_all_symlinks($1_t)
	files_getattr_all_pipes($1_t)
	files_getattr_all_sockets($1_t)
	files_getattr_all_mountpoints($1_t)
	files_read_all_files($1_t)
	files_read_all_symlinks($1_t)

	# Get the attribute of other filesystems mountpoint, such as /selinux
	# /proc, /sys and /tmp, but not the contents inside, which suggests
	# that following rules should be set in samhain configuration file:
	# [Attributes]
	#    file = /tmp
	#    file = /proc
	#    file = /sys
	#    file = /selinux
	# [IgnoreALL]
	#    dir = -1/tmp
	#    dir = -1/proc
	#    dir = -1/sys
	#    dir = -1/selinux
	fs_getattr_all_dirs($1_t)

	# Samhain pid, log and log.lock files are all in directories of s0,
	# while samhain daemon is running with the clearance level.
	mls_file_write_all_levels($1_t)

	# Read from utmp when monitoring login/logout events.
	auth_read_login_records($1_t)

	# Read from wtmp when monitoring login/logout events.
	init_read_utmp($1_t)

	logging_send_syslog_msg($1_t)
')

########################################
## <summary>
##	Execute samhain in the samhain domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samhain_domtrans',`
	gen_require(`
		type samhain_t, samhain_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, samhain_exec_t, samhain_t)
')

########################################
## <summary>
##	Execute samhain in the samhain domain with the clearance security
##	level and allow the specifiled role the samhain domain.
## </summary>
## <desc>
##	<p>
##	Execute samhain in the samhain domain with the clearance security
##	level and allow the specifiled role the samhain domain.
##	</p>
##	<p>
##	The range_transition rule used in this interface requires that
##	the calling domain should have the clearance security level
##	otherwise the MLS constraint for process transition would fail.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed to access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samhain_run',`
	gen_require(`
		type samhain_t, samhain_exec_t;
	')

	samhain_domtrans($1)
	role $2 types samhain_t;

	ifdef(`enable_mls', `
		range_transition $1 samhain_exec_t:process mls_systemhigh;
	')
')

########################################
## <summary>
##	Manage samhain configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_config_files',`
	gen_require(`
		type samhain_etc_t;
	')

	files_rw_etc_dirs($1)
	allow $1 samhain_etc_t:file manage_file_perms;
')

########################################
## <summary>
##	Manage samhain database files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_db_files',`
	gen_require(`
		type samhain_db_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, samhain_db_t, samhain_db_t)
')

#######################################
## <summary>
##	Manage samhain init script files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_init_script_files',`
	gen_require(`
		type samhain_initrc_exec_t;
	')

	files_search_etc($1)
	manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
')

########################################
## <summary>
##	Manage samhain log and log.lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_log_files',`
	gen_require(`
		type samhain_log_t;
	')

	logging_search_logs($1)
	manage_files_pattern($1, samhain_log_t, samhain_log_t)
')

########################################
## <summary>
##	Manage samhain pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_pid_files',`
	gen_require(`
		type samhain_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
')

#######################################
## <summary>
##	All of the rules required to administrate
##	the samhain environment.
## </summary>
## <desc>
##	<p>
##	This interface assumes that the calling domain has been able to
##	remove an entry from /var/lib/ or /var/log/ and belongs to the
##	mlsfilewrite attribute, since samhain files may be of clearance
##	security level while their parent directories are of s0.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_admin',`
	gen_require(`
		type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
		type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
	')

	allow $1 samhain_t:process signal_perms;
	ps_process_pattern($1, samhain_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 samhain_t:process ptrace;
		allow $1 samhaind_t:process ptrace;
	')

	allow $1 samhaind_t:process signal_perms;
	ps_process_pattern($1, samhaind_t)

	files_list_var_lib($1)
	admin_pattern($1, samhain_db_t)

	files_list_etc($1)
	admin_pattern($1, samhain_etc_t)
	admin_pattern($1, samhain_initrc_exec_t)

	logging_list_logs($1)
	admin_pattern($1, samhain_log_t)

	files_list_pids($1)
	admin_pattern($1, samhain_var_run_t)
')
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.