## Samhain - check file integrity

#######################################
## The template containing the most basic rules
## common to the samhain domains.
##
## First parameter: The prefix of the samhain domains(e.g., samhain
## for the domain of command line access, samhaind
## for the domain started by init script).
#
# Declares the domain type <prefix>_t, makes samhain_exec_t its entry
# point and grants the access listed below.
# NOTE(review): etc_t is required but no rule in this template names it
# directly.
template(`samhain_service_template',`
	gen_require(`
		type etc_t, samhain_etc_t, samhain_exec_t;
		type samhain_log_t, samhain_var_run_t;
	')

	type $1_t;
	domain_type($1_t)
	domain_entry_file($1_t, samhain_exec_t)

	# dac_override and dac_read_search bypass ownership and mode checks,
	# so the DAC layer does not limit what this domain can open.
	allow $1_t self:capability { dac_override dac_read_search fowner ipc_lock };
	# These two capabilities are not granted; their denials are only
	# hidden from the audit log.
	dontaudit $1_t self:capability { sys_resource sys_ptrace };
	allow $1_t self:fd use;
	allow $1_t self:process { setsched setrlimit signull };

	# The configuration is read-only for the samhain domains.
	allow $1_t samhain_etc_t:file read_file_perms;
	files_search_etc($1_t)

	# Files created in the log directories get the samhain_log_t label.
	manage_files_pattern($1_t, samhain_log_t, samhain_log_t)
	logging_log_filetrans($1_t, samhain_log_t, file)

	# Files created in the pid directories get the samhain_var_run_t label.
	manage_files_pattern($1_t, samhain_var_run_t, samhain_var_run_t)
	files_pid_filetrans($1_t, samhain_var_run_t, file)

	# Samhain needs to get the attribute of /proc/kcore.
	kernel_getattr_core_if($1_t)

	corecmd_list_bin($1_t)
	corecmd_read_bin_symlinks($1_t)

	# To get entropy
	dev_read_urand($1_t)
	dev_dontaudit_read_rand($1_t)

	# Get the attributes of all kinds of files in the rootfs.
	dev_getattr_all_blk_files($1_t)
	dev_getattr_all_chr_files($1_t)
	dev_getattr_generic_blk_files($1_t)
	dev_getattr_generic_chr_files($1_t)
	files_getattr_all_dirs($1_t)
	files_getattr_all_files($1_t)
	files_getattr_all_symlinks($1_t)
	files_getattr_all_pipes($1_t)
	files_getattr_all_sockets($1_t)
	files_getattr_all_mountpoints($1_t)
	# Read access to every file and symlink type. Together with the DAC
	# bypass above this makes the domain able to read any file on the
	# system, so treat every samhain domain as highly privileged.
	files_read_all_files($1_t)
	files_read_all_symlinks($1_t)

	# Get the attribute of other filesystems mountpoint, such as /selinux
	# /proc, /sys and /tmp, but not the contents inside, which suggests
	# that following rules should be set in samhain configuration file:
	# [Attributes]
	# file = /tmp
	# file = /proc
	# file = /sys
	# file = /selinux
	# [IgnoreALL]
	# dir = -1/tmp
	# dir = -1/proc
	# dir = -1/sys
	# dir = -1/selinux
	fs_getattr_all_dirs($1_t)

	# Samhain pid, log and log.lock files are all in directories of s0,
	# while samhain daemon is running with the clearance level.
	# This exempts the domain from the MLS file write constraints at
	# every level, which is an MLS privilege in its own right.
	mls_file_write_all_levels($1_t)

	# Read login records (wtmp) when monitoring login/logout events.
	auth_read_login_records($1_t)
	# Read utmp when monitoring login/logout events.
	init_read_utmp($1_t)

	logging_send_syslog_msg($1_t)
')

########################################
## Execute samhain in the samhain domain
##
## First parameter: Domain allowed to transition.
#
# The caller may search the bin directories and transitions to samhain_t
# when it executes a samhain_exec_t file.
interface(`samhain_domtrans',`
	gen_require(`
		type samhain_t, samhain_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, samhain_exec_t, samhain_t)
')

########################################
## Execute samhain in the samhain domain with the clearance security
## level and allow the specified role the samhain domain.
##

## Execute samhain in the samhain domain with the clearance security ## level and allow the specified role the samhain domain. ##

##

## The range_transition rule used in this interface requires that ## the calling domain should have the clearance security level ## otherwise the MLS constraint for process transition would fail. ##

##
## First parameter: Domain allowed to transition.
## Second parameter: Role allowed to access.
##
#
# Combines the domain transition with a role authorization for samhain_t.
interface(`samhain_run',`
	gen_require(`
		type samhain_t, samhain_exec_t;
	')

	samhain_domtrans($1)
	role $2 types samhain_t;

	# Only on MLS builds: a process started by the caller from
	# samhain_exec_t is given the mls_systemhigh range.
	ifdef(`enable_mls', `
		range_transition $1 samhain_exec_t:process mls_systemhigh;
	')
')

########################################
## Manage samhain configuration files.
##
## First parameter: Domain allowed access.
#
# NOTE(review): the samhain domains read samhain_etc_t files as their
# configuration, so a caller of this interface can change what the
# checker monitors. Grant it to trusted administrative domains only.
interface(`samhain_manage_config_files',`
	gen_require(`
		type samhain_etc_t;
	')

	files_rw_etc_dirs($1)
	allow $1 samhain_etc_t:file manage_file_perms;
')

########################################
## Manage samhain database files.
##
## First parameter: Domain allowed access.
#
# NOTE(review): samhain_db_t presumably labels the baseline database the
# checker compares against (confirm in the .te and .fc files). A caller
# that can rewrite it can hide changes from the checker, so grant this to
# trusted administrative domains only.
interface(`samhain_manage_db_files',`
	gen_require(`
		type samhain_db_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, samhain_db_t, samhain_db_t)
')

#######################################
## Manage samhain init script files
##
## First parameter: Domain allowed access.
#
# NOTE(review): manage rights include write and create on the init
# script type, so the caller controls what runs when the service is
# started. Grant it to trusted administrative domains only.
interface(`samhain_manage_init_script_files',`
	gen_require(`
		type samhain_initrc_exec_t;
	')

	files_search_etc($1)
	manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
')

########################################
## Manage samhain log and log.lock files.
##
## First parameter: Domain allowed access.
#
# NOTE(review): manage rights let the caller rewrite or delete the
# integrity logs, so log review should not rely on a domain that holds
# this interface being untampered.
interface(`samhain_manage_log_files',`
	gen_require(`
		type samhain_log_t;
	')

	logging_search_logs($1)
	manage_files_pattern($1, samhain_log_t, samhain_log_t)
')

########################################
## Manage samhain pid files.
##
## First parameter: Domain allowed access.
#
interface(`samhain_manage_pid_files',`
	gen_require(`
		type samhain_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
')

#######################################
## All of the rules required to administrate
## the samhain environment.
##

## This interface assumes that the calling domain has been able to ## remove an entry from /var/lib/ or /var/log/ and belongs to the ## mlsfilewrite attribute, since samhain files may be of clearance ## security level while their parent directories are of s0. ##

##
## First parameter: Domain allowed access.
#
# Grants the caller process control over both samhain domains and
# administrative rights over every samhain file type required below.
# A domain holding this interface can stop the checker and replace its
# database, configuration and logs, so it is as trusted as samhain itself.
interface(`samhain_admin',`
	gen_require(`
		type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
		type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
	')

	# Signal and inspect processes of both samhain domains.
	allow $1 { samhain_t samhaind_t }:process signal_perms;
	ps_process_pattern($1, samhain_t)
	ps_process_pattern($1, samhaind_t)

	# The ptrace rules sit in the else branch of the tunable, so they
	# apply only while deny_ptrace is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 { samhain_t samhaind_t }:process ptrace;
	')

	# Database files.
	files_list_var_lib($1)
	admin_pattern($1, samhain_db_t)

	# Configuration and init script files.
	files_list_etc($1)
	admin_pattern($1, samhain_etc_t)
	admin_pattern($1, samhain_initrc_exec_t)

	# Log files.
	logging_list_logs($1)
	admin_pattern($1, samhain_log_t)

	# Pid files.
	files_list_pids($1)
	admin_pattern($1, samhain_var_run_t)
')