diff --git a/Changelog b/Changelog index a47fd0be..4674ce52 100644 --- a/Changelog +++ b/Changelog @@ -8,6 +8,7 @@ - Patch to fix leaky interface/template call depth calculator from Vaclav Ovsik. - Added modules: + kerneloops (Dan Walsh) kismet (Dan Walsh) * Wed Apr 02 2008 Chris PeBenito - 20080402 diff --git a/policy/modules/services/kerneloops.fc b/policy/modules/services/kerneloops.fc new file mode 100644 index 00000000..ec013108 --- /dev/null +++ b/policy/modules/services/kerneloops.fc @@ -0,0 +1 @@ +/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0) diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if new file mode 100644 index 00000000..87c21950 --- /dev/null +++ b/policy/modules/services/kerneloops.if @@ -0,0 +1,93 @@ +## policy for kerneloops + +######################################## +## +## Execute a domain transition to run kerneloops. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`kerneloops_domtrans',` + gen_require(` + type kerneloops_t; + type kerneloops_exec_t; + ') + + domtrans_pattern($1, kerneloops_exec_t, kerneloops_t) +') + +######################################## +## +## Send and receive messages from +## kerneloops over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`kerneloops_dbus_chat',` + gen_require(` + type kerneloops_t; + class dbus send_msg; + ') + + allow $1 kerneloops_t:dbus send_msg; + allow kerneloops_t $1:dbus send_msg; +') + +######################################## +## +## dontaudit attempts to Send and receive messages from +## kerneloops over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`kerneloops_dontaudit_dbus_chat',` + gen_require(` + type kerneloops_t; + class dbus send_msg; + ') + + dontaudit $1 kerneloops_t:dbus send_msg; + dontaudit kerneloops_t $1:dbus send_msg; +') + +######################################## +## +## All of the rules required to administrate +## an kerneloops environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the kerneloops domain. +## +## +## +## +## The type of the user terminal. +## +## +## +# +interface(`kerneloops_admin',` + gen_require(` + type kerneloops_t; + ') + + allow $1 kerneloops_t:process { ptrace signal_perms }; + ps_process_pattern($1, kerneloops_t) +') diff --git a/policy/modules/services/kerneloops.te b/policy/modules/services/kerneloops.te new file mode 100644 index 00000000..e0b1c486 --- /dev/null +++ b/policy/modules/services/kerneloops.te @@ -0,0 +1,49 @@ +policy_module(kerneloops,1.0.0) + +######################################## +# +# Declarations +# + +type kerneloops_t; +type kerneloops_exec_t; +init_daemon_domain(kerneloops_t, kerneloops_exec_t) + +######################################## +# +# kerneloops local policy +# + +allow kerneloops_t self:capability sys_nice; +allow kerneloops_t self:process { setsched getsched }; +allow kerneloops_t self:fifo_file rw_file_perms; + +kernel_read_ring_buffer(kerneloops_t) + +# Init script handling +domain_use_interactive_fds(kerneloops_t) + +corenet_all_recvfrom_unlabeled(kerneloops_t) +corenet_all_recvfrom_netlabel(kerneloops_t) +corenet_tcp_sendrecv_all_if(kerneloops_t) +corenet_tcp_sendrecv_all_nodes(kerneloops_t) +corenet_tcp_sendrecv_all_ports(kerneloops_t) +corenet_tcp_bind_http_port(kerneloops_t) +corenet_tcp_connect_http_port(kerneloops_t) + +files_read_etc_files(kerneloops_t) + +libs_use_ld_so(kerneloops_t) +libs_use_shared_libs(kerneloops_t) + +logging_send_syslog_msg(kerneloops_t) +logging_read_generic_logs(kerneloops_t) + +miscfiles_read_localization(kerneloops_t) + +sysnet_dns_name_resolve(kerneloops_t) + +optional_policy(` + dbus_system_bus_client_template(kerneloops, kerneloops_t) + dbus_connect_system_bus(kerneloops_t) +')