selinux-policy/policy/modules/admin/tripwire.if

227 lines
5.0 KiB
Plaintext
Raw Normal View History

2006-04-24 18:00:32 +00:00
## <summary>Tripwire file integrity checker.</summary>
## <desc>
## <p>
## Tripwire file integrity checker.
## </p>
## <p>
## NOTE: Tripwire creates temp file in its current working directory.
## This policy does not allow write access to home directories, so
## users will need to either cd to a directory where they have write
## permission, or set the TEMPDIRECTORY variable in the tripwire config
## file. The latter is preferable, as then the file_type_auto_trans
## rules will kick in and label the files as private to tripwire.
## </p>
## </desc>
########################################
## <summary>
## Execute tripwire in the tripwire domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tripwire_domtrans_tripwire',`
gen_require(`
type tripwire_t, tripwire_exec_t;
')
domain_auto_trans($1,tripwire_exec_t,tripwire_t)
allow tripwire_t $1:fd use;
allow tripwire_t $1:fifo_file rw_file_perms;
allow tripwire_t $1:process sigchld;
')
########################################
## <summary>
## Execute tripwire in the tripwire domain, and
## allow the specified role the tripwire domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the tripwire domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the tripwire domain to use.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2006-04-24 18:00:32 +00:00
#
interface(`tripwire_run_tripwire',`
gen_require(`
type tripwire_t;
')
tripwire_domtrans_tripwire($1)
role $2 types tripwire_t;
allow tripwire_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Execute twadmin in the twadmin domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tripwire_domtrans_twadmin',`
gen_require(`
type twadmin_t, twadmin_exec_t;
')
domain_auto_trans($1,twadmin_exec_t,twadmin_t)
allow twadmin_t $1:fd use;
allow twadmin_t $1:fifo_file rw_file_perms;
allow twadmin_t $1:process sigchld;
')
########################################
## <summary>
## Execute twadmin in the twadmin domain, and
## allow the specified role the twadmin domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the twadmin domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the twadmin domain to use.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2006-04-24 18:00:32 +00:00
#
interface(`tripwire_run_twadmin',`
gen_require(`
type twadmin_t;
')
tripwire_domtrans_twadmin($1)
role $2 types twadmin_t;
allow twadmin_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Execute twprint in the twprint domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tripwire_domtrans_twprint',`
gen_require(`
type twprint_t, twprint_exec_t;
')
domain_auto_trans($1,twprint_exec_t,twprint_t)
allow twprint_t $1:fd use;
allow twprint_t $1:fifo_file rw_file_perms;
allow twprint_t $1:process sigchld;
')
########################################
## <summary>
## Execute twprint in the twprint domain, and
## allow the specified role the twprint domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the twprint domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the twprint domain to use.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2006-04-24 18:00:32 +00:00
#
interface(`tripwire_run_twprint',`
gen_require(`
type twprint_t;
')
tripwire_domtrans_twprint($1)
role $2 types twprint_t;
allow twprint_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Execute siggen in the siggen domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tripwire_domtrans_siggen',`
gen_require(`
type siggen_t, siggen_exec_t;
')
domain_auto_trans($1,siggen_exec_t,siggen_t)
allow siggen_t $1:fd use;
allow siggen_t $1:fifo_file rw_file_perms;
allow siggen_t $1:process sigchld;
')
########################################
## <summary>
## Execute siggen in the siggen domain, and
## allow the specified role the siggen domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the siggen domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the siggen domain to use.
## </summary>
## </param>
2006-09-06 22:07:25 +00:00
## <rolecap/>
2006-04-24 18:00:32 +00:00
#
interface(`tripwire_run_siggen',`
gen_require(`
type siggen_t;
')
tripwire_domtrans_siggen($1)
role $2 types siggen_t;
allow siggen_t $3:chr_file rw_term_perms;
')