From 8a2a0beee7eceb666a47de5cc036f1d52a76711b Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Oct 31 2012 12:14:30 +0000 Subject: Changes to the watchdog policy module Add init script file Add watchdog_admin() Module clean up Signed-off-by: Dominick Grift
---
diff --git a/watchdog.fc b/watchdog.fc
index 27ee394..eecd0e0 100644
--- a/watchdog.fc
+++ b/watchdog.fc
@@ -1,5 +1,7 @@
+/etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0)
+
 /usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
-/var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0)
+/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
 /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/watchdog.if b/watchdog.if
index f8acf10..6461a77 100644
--- a/watchdog.if
+++ b/watchdog.if
@@ -1 +1,39 @@
-## Software watchdog
+## Software watchdog.
+
+########################################
+##
+## All of the rules required to
+## administrate an watchdog environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`watchdog_admin',`
+ gen_require(`
+ type watchdog_t, watchdog_initrc_exec_t, watchdog_log_t;
+ type watchdog_var_run_t;
+ ')
+ allow $1 watchdog_t:process { ptrace signal_perms };
+ ps_process_pattern($1, watchdog_t)
+ init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 watchdog_initrc_exec_t system_r;
+ allow $2 system_r;
+ logging_search_logs($1)
+ admin_pattern($1, watchdog_log_t)
+ files_search_pids($1)
+ admin_pattern($1, watchdog_var_run_t)
+')
diff --git a/watchdog.te b/watchdog.te
index b10bb05..29f79e8 100644
--- a/watchdog.te
+++ b/watchdog.te
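Review bot: The new file context `/var/log/watchdog.*` is wider than the `/var/log/watchdog(/.*)?` it replaces: with the `.` unescaped and no separator in front of `.*`, it labels every entry under /var/log whose name starts with `watchdog` (a hypothetical `/var/log/watchdog-other.log` from another package included), whereas the old form matched only the `watchdog` directory and its contents. If the aim is simply to also cover a flat log file next to the directory, a form such as `/var/log/watchdog(\.log)?(/.*)?` does that without claiming unrelated names. If the wide match is deliberate, a comment above the line saying so would stop the next reader from tightening it again.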
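Review bot: The interface summary in the new watchdog.if reads `## administrate an watchdog environment.`; it should read `## administrate a watchdog environment.`. One point worth stating in that summary rather than leaving implicit is that `allow $1 watchdog_t:process { ptrace signal_perms };` lets the admin domain attach to watchdog_t, which in this module holds sys_admin and sys_boot and writes the watchdog device, so the admin can inspect and control the process that is able to reboot the host. That is the usual refpolicy *_admin shape, so I am asking for a documentation note, not a code change.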
@@ -1,14 +1,17 @@
-policy_module(watchdog, 1.7.0)
+policy_module(watchdog, 1.7.1)
 #################################
 #
-# Rules for the watchdog_t domain.
+# Declarations
 #
 type watchdog_t;
 type watchdog_exec_t;
 init_daemon_domain(watchdog_t, watchdog_exec_t)
+type watchdog_initrc_exec_t;
+init_script_file(watchdog_initrc_exec_t)
+
 type watchdog_log_t;
 logging_log_file(watchdog_log_t)
@@ -17,18 +20,16 @@ files_pid_file(watchdog_var_run_t)
 ########################################
 #
-# Declarations
+# Local policy
 #
 allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
 dontaudit watchdog_t self:capability sys_tty_config;
 allow watchdog_t self:process { setsched signal_perms };
 allow watchdog_t self:fifo_file rw_fifo_file_perms;
-allow watchdog_t self:unix_stream_socket create_socket_perms;
-allow watchdog_t self:tcp_socket create_stream_socket_perms;
-allow watchdog_t self:udp_socket create_socket_perms;
+allow watchdog_t self:tcp_socket { accept listen };
-allow watchdog_t watchdog_log_t:file manage_file_perms;
+allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(watchdog_t, watchdog_log_t, file)
 manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
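Review bot: The new `allow watchdog_t self:tcp_socket { accept listen };` keeps server-side permissions while nothing visible in this patch grants watchdog_t a bind on any node or port, and the same hunk deletes the explicit `create` permissions on tcp, udp and unix stream sockets, so socket creation now appears to rest on the `sysnet_dns_name_resolve` call added later in the patch. If the daemon never listens, the line should go rather than survive the clean-up; if it does, the matching `corenet_tcp_bind_*` call belongs next to it together with a one-line comment naming the feature that listens, since the only question on record about this daemon's networking, `# cjp: why networking?`, is removed by this commit. The file is longer than the hunks shown, so a bind rule may exist outside the diff; if so, only the comment request stands.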
@@ -38,24 +39,19 @@ kernel_read_system_state(watchdog_t)
 kernel_read_kernel_sysctls(watchdog_t)
 kernel_unmount_proc(watchdog_t)
-# for orderly shutdown
 corecmd_exec_shell(watchdog_t)
-# cjp: why networking?
 corenet_all_recvfrom_unlabeled(watchdog_t)
 corenet_all_recvfrom_netlabel(watchdog_t)
 corenet_tcp_sendrecv_generic_if(watchdog_t)
-corenet_udp_sendrecv_generic_if(watchdog_t)
 corenet_tcp_sendrecv_generic_node(watchdog_t)
-corenet_udp_sendrecv_generic_node(watchdog_t)
 corenet_tcp_sendrecv_all_ports(watchdog_t)
-corenet_udp_sendrecv_all_ports(watchdog_t)
-corenet_tcp_connect_all_ports(watchdog_t)
+
 corenet_sendrecv_all_client_packets(watchdog_t)
+corenet_tcp_connect_all_ports(watchdog_t)
 dev_read_sysfs(watchdog_t)
 dev_write_watchdog(watchdog_t)
-# do not care about saving the random seed
 dev_dontaudit_read_rand(watchdog_t)
 dev_dontaudit_read_urand(watchdog_t)
@@ -68,7 +64,6 @@ domain_signal_all_domains(watchdog_t)
 domain_kill_all_domains(watchdog_t)
 files_read_etc_files(watchdog_t)
-# for updating mtab on umount
 files_manage_etc_runtime_files(watchdog_t)
 files_etc_filetrans_etc_runtime(watchdog_t, file)
@@ -76,14 +71,13 @@ fs_unmount_xattr_fs(watchdog_t)
 fs_getattr_all_fs(watchdog_t)
 fs_search_auto_mountpoints(watchdog_t)
-# record the fact that we are going down
 auth_append_login_records(watchdog_t)
 logging_send_syslog_msg(watchdog_t)
 miscfiles_read_localization(watchdog_t)
-sysnet_read_config(watchdog_t)
+sysnet_dns_name_resolve(watchdog_t)
 userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
 userdom_dontaudit_search_user_home_dirs(watchdog_t)
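Review bot: On the new side `corenet_tcp_connect_all_ports(watchdog_t)` is only moved, so watchdog_t can still open a TCP connection to any labelled port, and the `# cjp: why networking?` comment that flagged exactly this is deleted without the question being answered. As far as I know the daemon's network tests are an ICMP ping and an interface-counter check (please confirm against the watchdog sources), neither of which needs outbound TCP to arbitrary ports; either narrow this to the port interfaces that are actually exercised or leave a one-line justification such as `# tcp connect needed by <test>: <reason>` so the next reader does not have to re-ask. Likewise the deleted `# do not care about saving the random seed` was the only explanation of why reads of the random devices are dontaudited rather than allowed; a comment like `# dontaudit: the random seed is not saved` keeps that rationale with the two rules.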
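Review bot: `sysnet_dns_name_resolve(watchdog_t)` is a superset of the `sysnet_read_config(watchdog_t)` it replaces: besides reading the resolver configuration it gives the domain its own tcp/udp socket creation and access to the DNS port, and it looks like the call that now supplies socket creation after the earlier hunk removes the explicit `create_socket_perms` rules. If the daemon only ever contacts a numeric address taken from its configuration (my understanding of the ping test; please confirm), `sysnet_read_config` was sufficient and this silently widens the network surface; if it does resolve names, a comment naming that feature would justify the wider call.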