trunk: pads from dan.

Changelog

@@ -26,6 +26,7 @@
 	ifplugd (Dan Walsh)
 	lircd (Miroslav Grepl)
 	logadm (Dan Walsh)
+	pads (Dan Walsh)
 	pingd (Dan Walsh)
 	psad (Dan Walsh)
 	portreserve (Dan Walsh)

policy/modules/services/pads.fc

@@ -0,0 +1,10 @@
+/etc/pads-ether-codes	--	gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads-signature-list --	gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads.conf		--	gen_context(system_u:object_r:pads_config_t, s0)
+/etc/pads-assets.csv	--	gen_context(system_u:object_r:pads_config_t, s0)
+
+/etc/rc\.d/init\.d/pads --	gen_context(system_u:object_r:pads_initrc_exec_t, s0)
+
+/usr/bin/pads		--	gen_context(system_u:object_r:pads_exec_t, s0)
+
+/var/run/pads.pid	--	gen_context(system_u:object_r:pads_var_run_t, s0)

policy/modules/services/pads.if

@@ -0,0 +1,44 @@
+## <summary>Passive Asset Detection System</summary>
+## <desc>
+##	<p>
+##	PADS is a libpcap based detection engine used to
+##	passively detect network assets.  It is designed to
+##	complement IDS technology by providing context to IDS
+##	alerts.
+##	</p>
+## </desc>
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pads environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pads_admin', `
+	gen_require(`
+		type pads_t, pads_config_t;
+		type pads_var_run_t, pads_initrc_exec_t;
+	')
+
+	allow $1 pads_t:process { ptrace signal_perms };
+	ps_process_pattern($1, pads_t)
+
+	init_labeled_script_domtrans($1, pads_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 pads_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	admin_pattern($1, pads_var_run_t)
+	admin_pattern($1, pads_config_t)
+')

policy/modules/services/pads.te

@@ -0,0 +1,64 @@
+
+policy_module(pads, 1.0.0) 
+
+########################################
+#
+# Declarations
+#
+
+type pads_t;
+type pads_exec_t;
+init_daemon_domain(pads_t, pads_exec_t)
+role system_r types pads_t;
+
+type pads_initrc_exec_t;
+init_script_file(pads_initrc_exec_t)
+
+type pads_config_t;
+files_config_file(pads_config_t)
+
+type pads_var_run_t;
+files_pid_file(pads_var_run_t)
+
+########################################
+#
+# Declarations
+#
+
+allow pads_t self:capability { dac_override net_raw };
+allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow pads_t self:packet_socket { ioctl setopt getopt read bind create };
+allow pads_t self:udp_socket { create ioctl };
+allow pads_t self:unix_dgram_socket { write create connect };
+
+allow pads_t pads_config_t:file manage_file_perms;
+files_etc_filetrans(pads_t, pads_config_t, file)
+
+allow pads_t pads_var_run_t:file manage_file_perms;
+files_pid_filetrans(pads_t, pads_var_run_t, file)
+
+kernel_read_sysctl(pads_t)
+
+corecmd_search_bin(pads_t)
+
+corenet_all_recvfrom_unlabeled(pads_t)
+corenet_all_recvfrom_netlabel(pads_t)
+corenet_tcp_sendrecv_generic_if(pads_t)
+corenet_tcp_sendrecv_generic_node(pads_t)
+corenet_tcp_connect_prelude_port(pads_t)
+
+dev_read_rand(pads_t)
+dev_read_urand(pads_t)
+
+files_read_etc_files(pads_t)
+files_search_spool(pads_t)
+
+miscfiles_read_localization(pads_t)
+
+logging_send_syslog_msg(pads_t)
+
+sysnet_dns_name_resolve(pads_t)
+
+optional_policy(`
+	prelude_manage_spool(pads_t)
+')