2006-04-24 18:00:32 +00:00
|
|
|
## <summary>Tripwire file integrity checker.</summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Tripwire file integrity checker.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## NOTE: Tripwire creates temp file in its current working directory.
|
|
|
|
## This policy does not allow write access to home directories, so
|
|
|
|
## users will need to either cd to a directory where they have write
|
|
|
|
## permission, or set the TEMPDIRECTORY variable in the tripwire config
|
|
|
|
## file. The latter is preferable, as then the file_type_auto_trans
|
|
|
|
## rules will kick in and label the files as private to tripwire.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute tripwire in the tripwire domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`tripwire_domtrans_tripwire',`
|
|
|
|
gen_require(`
|
|
|
|
type tripwire_t, tripwire_exec_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
domain_auto_trans($1,tripwire_exec_t,tripwire_t)
|
|
|
|
allow tripwire_t $1:fd use;
|
|
|
|
allow tripwire_t $1:fifo_file rw_file_perms;
|
|
|
|
allow tripwire_t $1:process sigchld;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute tripwire in the tripwire domain, and
|
|
|
|
## allow the specified role the tripwire domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="role">
|
|
|
|
## <summary>
|
|
|
|
## The role to be allowed the tripwire domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="terminal">
|
|
|
|
## <summary>
|
|
|
|
## The type of the terminal allow the tripwire domain to use.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2006-04-24 18:00:32 +00:00
|
|
|
#
|
|
|
|
interface(`tripwire_run_tripwire',`
|
|
|
|
gen_require(`
|
|
|
|
type tripwire_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
tripwire_domtrans_tripwire($1)
|
|
|
|
role $2 types tripwire_t;
|
|
|
|
allow tripwire_t $3:chr_file rw_term_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute twadmin in the twadmin domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`tripwire_domtrans_twadmin',`
|
|
|
|
gen_require(`
|
|
|
|
type twadmin_t, twadmin_exec_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
domain_auto_trans($1,twadmin_exec_t,twadmin_t)
|
|
|
|
allow twadmin_t $1:fd use;
|
|
|
|
allow twadmin_t $1:fifo_file rw_file_perms;
|
|
|
|
allow twadmin_t $1:process sigchld;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute twadmin in the twadmin domain, and
|
|
|
|
## allow the specified role the twadmin domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="role">
|
|
|
|
## <summary>
|
|
|
|
## The role to be allowed the twadmin domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="terminal">
|
|
|
|
## <summary>
|
|
|
|
## The type of the terminal allow the twadmin domain to use.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2006-04-24 18:00:32 +00:00
|
|
|
#
|
|
|
|
interface(`tripwire_run_twadmin',`
|
|
|
|
gen_require(`
|
|
|
|
type twadmin_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
tripwire_domtrans_twadmin($1)
|
|
|
|
role $2 types twadmin_t;
|
|
|
|
allow twadmin_t $3:chr_file rw_term_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute twprint in the twprint domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`tripwire_domtrans_twprint',`
|
|
|
|
gen_require(`
|
|
|
|
type twprint_t, twprint_exec_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
domain_auto_trans($1,twprint_exec_t,twprint_t)
|
|
|
|
allow twprint_t $1:fd use;
|
|
|
|
allow twprint_t $1:fifo_file rw_file_perms;
|
|
|
|
allow twprint_t $1:process sigchld;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute twprint in the twprint domain, and
|
|
|
|
## allow the specified role the twprint domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="role">
|
|
|
|
## <summary>
|
|
|
|
## The role to be allowed the twprint domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="terminal">
|
|
|
|
## <summary>
|
|
|
|
## The type of the terminal allow the twprint domain to use.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2006-04-24 18:00:32 +00:00
|
|
|
#
|
|
|
|
interface(`tripwire_run_twprint',`
|
|
|
|
gen_require(`
|
|
|
|
type twprint_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
tripwire_domtrans_twprint($1)
|
|
|
|
role $2 types twprint_t;
|
|
|
|
allow twprint_t $3:chr_file rw_term_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute siggen in the siggen domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`tripwire_domtrans_siggen',`
|
|
|
|
gen_require(`
|
|
|
|
type siggen_t, siggen_exec_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
domain_auto_trans($1,siggen_exec_t,siggen_t)
|
|
|
|
allow siggen_t $1:fd use;
|
|
|
|
allow siggen_t $1:fifo_file rw_file_perms;
|
|
|
|
allow siggen_t $1:process sigchld;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute siggen in the siggen domain, and
|
|
|
|
## allow the specified role the siggen domain.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="role">
|
|
|
|
## <summary>
|
|
|
|
## The role to be allowed the siggen domain.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="terminal">
|
|
|
|
## <summary>
|
|
|
|
## The type of the terminal allow the siggen domain to use.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2006-04-24 18:00:32 +00:00
|
|
|
#
|
|
|
|
interface(`tripwire_run_siggen',`
|
|
|
|
gen_require(`
|
|
|
|
type siggen_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
tripwire_domtrans_siggen($1)
|
|
|
|
role $2 types siggen_t;
|
|
|
|
allow siggen_t $3:chr_file rw_term_perms;
|
|
|
|
')
|