63 lines
1.8 KiB
Plaintext
63 lines
1.8 KiB
Plaintext
|
#DESC Sxid - SUID/SGID program monitoring
|
||
|
#
|
||
|
# Author: Russell Coker <russell@coker.com.au>
|
||
|
# X-Debian-Packages: sxid
|
||
|
#
|
||
|
|
||
|
#################################
|
||
|
#
|
||
|
# Rules for the sxid_t domain.
|
||
|
#
|
||
|
# sxid_exec_t is the type of the sxid executable.
|
||
|
#
|
||
|
daemon_base_domain(sxid, `, privmail')
|
||
|
tmp_domain(sxid)
|
||
|
|
||
|
allow sxid_t fs_t:filesystem getattr;
|
||
|
|
||
|
ifdef(`crond.te', `
|
||
|
system_crond_entry(sxid_exec_t, sxid_t)
|
||
|
')
|
||
|
#allow system_crond_t sxid_log_t:file create_file_perms;
|
||
|
|
||
|
read_locale(sxid_t)
|
||
|
|
||
|
can_exec(sxid_t, { shell_exec_t bin_t sbin_t mount_exec_t })
|
||
|
allow sxid_t bin_t:lnk_file read;
|
||
|
|
||
|
log_domain(sxid)
|
||
|
|
||
|
allow sxid_t file_type:notdevfile_class_set getattr;
|
||
|
allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
|
||
|
allow sxid_t ttyfile:chr_file getattr;
|
||
|
allow sxid_t file_type:dir { getattr read search };
|
||
|
allow sxid_t sysadmfile:file { getattr read };
|
||
|
dontaudit sxid_t devpts_t:dir r_dir_perms;
|
||
|
allow sxid_t fs_type:dir { getattr read search };
|
||
|
|
||
|
# Use the network.
|
||
|
can_network_server(sxid_t)
|
||
|
allow sxid_t self:fifo_file rw_file_perms;
|
||
|
allow sxid_t self:unix_stream_socket create_socket_perms;
|
||
|
|
||
|
allow sxid_t { proc_t self }:{ file lnk_file } { read getattr };
|
||
|
read_sysctl(sxid_t)
|
||
|
allow sxid_t devtty_t:chr_file rw_file_perms;
|
||
|
|
||
|
allow sxid_t self:capability { dac_override dac_read_search fsetid };
|
||
|
dontaudit sxid_t self:capability { setuid setgid };
|
||
|
|
||
|
ifdef(`mta.te', `
|
||
|
# sxid leaves an open file handle to /proc/mounts
|
||
|
dontaudit { system_mail_t mta_user_agent } sxid_t:file { read getattr };
|
||
|
|
||
|
# allow mta to read the log files
|
||
|
allow { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file { getattr read };
|
||
|
# stop warnings if mailx is passed a read/write file handle
|
||
|
dontaudit { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file write;
|
||
|
')
|
||
|
|
||
|
allow logrotate_t sxid_t:file { getattr write };
|
||
|
|
||
|
dontaudit sxid_t security_t:dir { getattr read search };
|