selinux-policy/policy/modules/services/prelude.if

## <summary>Prelude hybrid intrusion detection system</summary>

########################################
## <summary>
##	Execute a domain transition to run prelude.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`prelude_domtrans',`
	gen_require(`
		type prelude_t, prelude_exec_t;
	')

	domtrans_pattern($1, prelude_exec_t, prelude_t)
')

########################################
## <summary>
##	Execute a domain transition to run prelude_audisp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`prelude_domtrans_audisp',`
	gen_require(`
		type prelude_audisp_t, prelude_audisp_exec_t;
	')

	domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
')

########################################
## <summary>
##	Signal the prelude_audisp domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed acccess.
##	</summary>
## </param>
#
interface(`prelude_signal_audisp',`
	gen_require(`
		type prelude_audisp_t;
	')

	allow $1 prelude_audisp_t:process signal;
')

########################################
## <summary>
##	Read the prelude spool files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`prelude_read_spool',`
	gen_require(`
		type prelude_spool_t;
	')

	files_search_spool($1)
	read_files_pattern($1, prelude_spool_t, prelude_spool_t)
')

########################################
## <summary>
##	Manage to prelude-manager spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`prelude_manage_spool',`
	gen_require(`
		type prelude_spool_t;
	')

	files_search_spool($1)
	manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
	manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
')

########################################
## <summary>
##	All of the rules required to administrate 
##	an prelude environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`prelude_admin',`
	gen_require(`
		type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
		type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
		type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
		type prelude_lml_t;
	')

	allow $1 prelude_t:process { ptrace signal_perms };
	ps_process_pattern($1, prelude_t)

	allow $1 prelude_audisp_t:process { ptrace signal_perms };
	ps_process_pattern($1, prelude_audisp_t)

	allow $1 prelude_lml_t:process { ptrace signal_perms };
	ps_process_pattern($1, prelude_lml_t)

	init_labeled_script_domtrans($1, prelude_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 prelude_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_spool($1)
	admin_pattern($1, prelude_spool_t)

	files_list_var_lib($1)
	admin_pattern($1, prelude_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, prelude_var_run_t)
	admin_pattern($1, prelude_audisp_var_run_t)
	admin_pattern($1, prelude_lml_var_run_t)

	files_list_tmp($1)
	admin_pattern($1, prelude_lml_tmp_t)
')
trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00			`## <summary>Prelude hybrid intrusion detection system</summary>`

			`########################################`
			`## <summary>`
			`## Execute a domain transition to run prelude.`
			`## </summary>`
			`## <param name="domain">`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-20 17:40:18 +00:00			`## <summary>`
trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00			`## Domain allowed to transition.`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-20 17:40:18 +00:00			`## </summary>`
trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00			`## </param>`
			`#`
			interface(`prelude_domtrans',`
			gen_require(`
			`type prelude_t, prelude_exec_t;`
			`')`

			`domtrans_pattern($1, prelude_exec_t, prelude_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Execute a domain transition to run prelude_audisp.`
			`## </summary>`
			`## <param name="domain">`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-20 17:40:18 +00:00			`## <summary>`
trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00			`## Domain allowed to transition.`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-20 17:40:18 +00:00			`## </summary>`
trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00			`## </param>`
			`#`
			interface(`prelude_domtrans_audisp',`
			gen_require(`
			`type prelude_audisp_t, prelude_audisp_exec_t;`
			`')`

			`domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Signal the prelude_audisp domain.`
			`## </summary>`
			`## <param name="domain">`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-20 17:40:18 +00:00			`## <summary>`
trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00			`## Domain allowed acccess.`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-20 17:40:18 +00:00			`## </summary>`
trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00			`## </param>`
			`#`
			interface(`prelude_signal_audisp',`
			gen_require(`
			`type prelude_audisp_t;`
			`')`

			`allow $1 prelude_audisp_t:process signal;`
			`')`

trunk: prelude patch from dan. 2009-06-30 14:44:50 +00:00			`########################################`
			`## <summary>`
			`## Read the prelude spool files`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`prelude_read_spool',`
			gen_require(`
			`type prelude_spool_t;`
			`')`

			`files_search_spool($1)`
			`read_files_pattern($1, prelude_spool_t, prelude_spool_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Manage to prelude-manager spool files.`
			`## </summary>`
			`## <param name="domain">`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-20 17:40:18 +00:00			`## <summary>`
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 13:03:19 +00:00			`## Domain allowed access.`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-20 17:40:18 +00:00			`## </summary>`
trunk: prelude patch from dan. 2009-06-30 14:44:50 +00:00			`## </param>`
			`#`
			interface(`prelude_manage_spool',`
			gen_require(`
			`type prelude_spool_t;`
			`')`

			`files_search_spool($1)`
			`manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)`
			`manage_files_pattern($1, prelude_spool_t, prelude_spool_t)`
			`')`

trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00			`########################################`
			`## <summary>`
			`## All of the rules required to administrate`
			`## an prelude environment`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
trunk: prelude patch from dan. 2009-06-30 14:44:50 +00:00			`## <param name="role">`
			`## <summary>`
			`## Role allowed access.`
			`## </summary>`
			`## </param>`
trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00			`## <rolecap/>`
			`#`
			interface(`prelude_admin',`
			gen_require(`
Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. Replace type and attributes statements by comma delimiters where possible. 2010-09-20 17:44:58 +00:00			`type prelude_t, prelude_spool_t, prelude_initrc_exec_t;`
			`type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;`
			`type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;`
			`type prelude_lml_t;`
trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00			`')`

			`allow $1 prelude_t:process { ptrace signal_perms };`
			`ps_process_pattern($1, prelude_t)`

			`allow $1 prelude_audisp_t:process { ptrace signal_perms };`
			`ps_process_pattern($1, prelude_audisp_t)`

trunk: prelude patch from dan. 2009-06-30 14:44:50 +00:00			`allow $1 prelude_lml_t:process { ptrace signal_perms };`
			`ps_process_pattern($1, prelude_lml_t)`
trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00
trunk: prelude patch from dan. 2009-06-30 14:44:50 +00:00			`init_labeled_script_domtrans($1, prelude_initrc_exec_t)`
			`domain_system_change_exemption($1)`
			`role_transition $2 prelude_initrc_exec_t system_r;`
			`allow $2 system_r;`
trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00
Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. 2010-09-20 13:36:05 +00:00			`files_list_spool($1)`
trunk: prelude patch from dan. 2009-06-30 14:44:50 +00:00			`admin_pattern($1, prelude_spool_t)`
Allow pads_admin to search parent directories to be able to interact with pads content. Allow plymouthd_admin to search parent directories to be able to interact with plymouthd content. Allow postgresql admin to search parent directories to be able to manage postgresql content. Allow prelude_admin to search parent directories to be able to manage prelude content. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-09-15 11:05:32 +00:00
Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. 2010-09-20 13:36:05 +00:00			`files_list_var_lib($1)`
trunk: prelude patch from dan. 2009-06-30 14:44:50 +00:00			`admin_pattern($1, prelude_var_lib_t)`
Allow pads_admin to search parent directories to be able to interact with pads content. Allow plymouthd_admin to search parent directories to be able to interact with plymouthd content. Allow postgresql admin to search parent directories to be able to manage postgresql content. Allow prelude_admin to search parent directories to be able to manage prelude content. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-09-15 11:05:32 +00:00
Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. 2010-09-20 13:36:05 +00:00			`files_list_pids($1)`
trunk: prelude patch from dan. 2009-06-30 14:44:50 +00:00			`admin_pattern($1, prelude_var_run_t)`
			`admin_pattern($1, prelude_audisp_var_run_t)`
Move this to were the other is and where it should be. Move this to were the other is and where it should be. 2010-09-20 18:09:46 +00:00			`admin_pattern($1, prelude_lml_var_run_t)`
Allow pads_admin to search parent directories to be able to interact with pads content. Allow plymouthd_admin to search parent directories to be able to interact with plymouthd content. Allow postgresql admin to search parent directories to be able to manage postgresql content. Allow prelude_admin to search parent directories to be able to manage prelude content. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-09-15 11:05:32 +00:00
Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. 2010-09-20 13:36:05 +00:00			`files_list_tmp($1)`
trunk: prelude patch from dan. 2009-06-30 14:44:50 +00:00			`admin_pattern($1, prelude_lml_tmp_t)`
trunk: add prelude from dan. 2008-06-06 03:13:42 +00:00			`')`