add tripwire, bug 1550

This commit is contained in:
Chris PeBenito 2006-04-24 18:00:32 +00:00
parent 0377627083
commit 8536924eec
6 changed files with 406 additions and 6 deletions

View File

@ -65,6 +65,7 @@
thunderbird thunderbird
tor (Erich Schubert) tor (Erich Schubert)
transproxy transproxy
tripwire
uptime uptime
uwimap uwimap
xen (Dan Walsh) xen (Dan Walsh)

View File

@ -0,0 +1,10 @@
/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0)
/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0)
/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0)
/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0)
/usr/sbin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0)
/var/lib/tripwire(/.*)? gen_context(system_u:object_r:tripwire_var_lib_t,s0)
/var/lib/tripwire/report(/.*)? gen_context(system_u:object_r:tripwire_report_t,s0)

View File

@ -0,0 +1,222 @@
## <summary>Tripwire file integrity checker.</summary>
## <desc>
## <p>
## Tripwire file integrity checker.
## </p>
## <p>
## NOTE: Tripwire creates temp file in its current working directory.
## This policy does not allow write access to home directories, so
## users will need to either cd to a directory where they have write
## permission, or set the TEMPDIRECTORY variable in the tripwire config
## file. The latter is preferable, as then the file_type_auto_trans
## rules will kick in and label the files as private to tripwire.
## </p>
## </desc>
########################################
## <summary>
## Execute tripwire in the tripwire domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tripwire_domtrans_tripwire',`
gen_require(`
type tripwire_t, tripwire_exec_t;
')
domain_auto_trans($1,tripwire_exec_t,tripwire_t)
allow tripwire_t $1:fd use;
allow tripwire_t $1:fifo_file rw_file_perms;
allow tripwire_t $1:process sigchld;
')
########################################
## <summary>
## Execute tripwire in the tripwire domain, and
## allow the specified role the tripwire domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the tripwire domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the tripwire domain to use.
## </summary>
## </param>
#
interface(`tripwire_run_tripwire',`
gen_require(`
type tripwire_t;
')
tripwire_domtrans_tripwire($1)
role $2 types tripwire_t;
allow tripwire_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Execute twadmin in the twadmin domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tripwire_domtrans_twadmin',`
gen_require(`
type twadmin_t, twadmin_exec_t;
')
domain_auto_trans($1,twadmin_exec_t,twadmin_t)
allow twadmin_t $1:fd use;
allow twadmin_t $1:fifo_file rw_file_perms;
allow twadmin_t $1:process sigchld;
')
########################################
## <summary>
## Execute twadmin in the twadmin domain, and
## allow the specified role the twadmin domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the twadmin domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the twadmin domain to use.
## </summary>
## </param>
#
interface(`tripwire_run_twadmin',`
gen_require(`
type twadmin_t;
')
tripwire_domtrans_twadmin($1)
role $2 types twadmin_t;
allow twadmin_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Execute twprint in the twprint domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tripwire_domtrans_twprint',`
gen_require(`
type twprint_t, twprint_exec_t;
')
domain_auto_trans($1,twprint_exec_t,twprint_t)
allow twprint_t $1:fd use;
allow twprint_t $1:fifo_file rw_file_perms;
allow twprint_t $1:process sigchld;
')
########################################
## <summary>
## Execute twprint in the twprint domain, and
## allow the specified role the twprint domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the twprint domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the twprint domain to use.
## </summary>
## </param>
#
interface(`tripwire_run_twprint',`
gen_require(`
type twprint_t;
')
tripwire_domtrans_twprint($1)
role $2 types twprint_t;
allow twprint_t $3:chr_file rw_term_perms;
')
########################################
## <summary>
## Execute siggen in the siggen domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`tripwire_domtrans_siggen',`
gen_require(`
type siggen_t, siggen_exec_t;
')
domain_auto_trans($1,siggen_exec_t,siggen_t)
allow siggen_t $1:fd use;
allow siggen_t $1:fifo_file rw_file_perms;
allow siggen_t $1:process sigchld;
')
########################################
## <summary>
## Execute siggen in the siggen domain, and
## allow the specified role the siggen domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the siggen domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the siggen domain to use.
## </summary>
## </param>
#
interface(`tripwire_run_siggen',`
gen_require(`
type siggen_t;
')
tripwire_domtrans_siggen($1)
role $2 types siggen_t;
allow siggen_t $3:chr_file rw_term_perms;
')

View File

@ -0,0 +1,160 @@
policy_module(tripwire,1.0.0)
########################################
#
# Declarations
#
type siggen_t;
type siggen_exec_t;
domain_type(siggen_t)
domain_entry_file(siggen_t,siggen_exec_t)
type tripwire_t;
type tripwire_exec_t;
domain_type(tripwire_t)
domain_entry_file(tripwire_t,tripwire_exec_t)
role system_r types tripwire_t;
type tripwire_etc_t;
files_config_file(tripwire_etc_t)
type tripwire_report_t;
files_type(tripwire_report_t)
type tripwire_tmp_t;
files_tmp_file(tripwire_tmp_t)
type tripwire_var_lib_t;
files_type(tripwire_var_lib_t)
type twadmin_t;
type twadmin_exec_t;
domain_type(twadmin_t)
domain_entry_file(twadmin_t,twadmin_exec_t)
type twprint_t;
type twprint_exec_t;
domain_type(twprint_t)
domain_entry_file(twprint_t,twprint_exec_t)
########################################
#
# Tripwire local policy
#
allow tripwire_t self:capability { setgid setuid dac_override };
allow tripwire_t tripwire_etc_t:file r_file_perms;
allow tripwire_t tripwire_etc_t:dir r_dir_perms;
allow tripwire_t tripwire_etc_t:lnk_file { getattr read };
files_search_etc(tripwire_t)
allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
allow tripwire_t tripwire_tmp_t:file manage_file_perms;
files_tmp_filetrans(tripwire_t, tripwire_tmp_t, { file dir })
# Tripwire report files
allow tripwire_t tripwire_report_t:dir manage_dir_perms;
allow tripwire_t tripwire_report_t:file manage_file_perms;
allow tripwire_t tripwire_report_t:lnk_file create_lnk_perms;
allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
allow tripwire_t tripwire_tmp_t:file manage_file_perms;
allow tripwire_t tripwire_tmp_t:lnk_file create_lnk_perms;
allow tripwire_t tripwire_tmp_t:sock_file manage_file_perms;
allow tripwire_t tripwire_tmp_t:fifo_file manage_file_perms;
files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ file lnk_file sock_file fifo_file })
allow tripwire_t tripwire_var_lib_t:file manage_file_perms;
allow tripwire_t tripwire_var_lib_t:dir rw_dir_perms;
files_var_lib_filetrans(tripwire_t,tripwire_var_lib_t,file)
kernel_read_system_state(tripwire_t)
kernel_read_network_state(tripwire_t)
kernel_read_software_raid_state(tripwire_t)
kernel_getattr_core_if(tripwire_t)
kernel_getattr_message_if(tripwire_t)
kernel_read_kernel_sysctls(tripwire_t)
corecmd_exec_shell(tripwire_t)
corecmd_exec_sbin(tripwire_t)
domain_use_interactive_fds(tripwire_t)
files_read_all_files(tripwire_t)
files_read_all_symlinks(tripwire_t)
files_getattr_all_pipes(tripwire_t)
files_getattr_all_sockets(tripwire_t)
libs_use_ld_so(tripwire_t)
libs_use_shared_libs(tripwire_t)
logging_send_syslog_msg(tripwire_t)
optional_policy(`
cron_system_entry(tripwire_t,tripwire_exec_t)
')
########################################
#
# Twadmin local policy
#
allow twadmin_t tripwire_etc_t:dir manage_dir_perms;
allow twadmin_t tripwire_etc_t:file manage_file_perms;
allow twadmin_t tripwire_etc_t:lnk_file create_lnk_perms;
domain_use_interactive_fds(twadmin_t)
libs_use_ld_so(twadmin_t)
libs_use_shared_libs(twadmin_t)
logging_send_syslog_msg(twadmin_t)
miscfiles_read_localization(twadmin_t)
########################################
#
# Twprint local policy
#
allow twprint_t tripwire_etc_t:dir r_dir_perms;
allow twprint_t tripwire_etc_t:file r_file_perms;
allow twprint_t tripwire_etc_t:lnk_file { getattr read };
allow twprint_t tripwire_report_t:dir r_dir_perms;
allow twprint_t tripwire_report_t:file r_file_perms;
allow twprint_t tripwire_report_t:lnk_file { getattr read };
allow twprint_t tripwire_var_lib_t:dir r_dir_perms;
allow twprint_t tripwire_var_lib_t:file r_file_perms;
allow twprint_t tripwire_var_lib_t:lnk_file { getattr read };
files_search_var_lib(twprint_t)
domain_use_interactive_fds(twprint_t)
libs_use_ld_so(twprint_t)
libs_use_shared_libs(twprint_t)
logging_send_syslog_msg(twprint_t)
miscfiles_read_localization(twprint_t)
########################################
#
# Siggen local policy
#
domain_use_interactive_fds(siggen_t)
# Need permission to read files
files_read_all_files(siggen_t)
libs_use_ld_so(siggen_t)
libs_use_shared_libs(siggen_t)
logging_send_syslog_msg(siggen_t)
miscfiles_read_localization(siggen_t)

View File

@ -421,8 +421,8 @@ interface(`files_read_all_files',`
attribute file_type; attribute file_type;
') ')
allow $1 file_type:dir search; allow $1 file_type:dir list_dir_perms;
allow $1 file_type:file r_file_perms; allow $1 file_type:file read_file_perms;
optional_policy(` optional_policy(`
auth_read_shadow($1) auth_read_shadow($1)
@ -638,7 +638,7 @@ interface(`files_read_all_symlinks',`
attribute file_type; attribute file_type;
') ')
allow $1 file_type:dir search; allow $1 file_type:dir list_dir_perms;
allow $1 file_type:lnk_file { getattr read }; allow $1 file_type:lnk_file { getattr read };
') ')
@ -657,7 +657,7 @@ interface(`files_getattr_all_pipes',`
attribute file_type; attribute file_type;
') ')
allow $1 file_type:dir search; allow $1 file_type:dir list_dir_perms;
allow $1 file_type:fifo_file getattr; allow $1 file_type:fifo_file getattr;
') ')
@ -714,7 +714,7 @@ interface(`files_getattr_all_sockets',`
attribute file_type; attribute file_type;
') ')
allow $1 file_type:dir search; allow $1 file_type:dir list_dir_perms;
allow $1 file_type:sock_file getattr; allow $1 file_type:sock_file getattr;
') ')

View File

@ -1,5 +1,5 @@
policy_module(userdomain,1.3.16) policy_module(userdomain,1.3.17)
gen_require(` gen_require(`
role sysadm_r, staff_r, user_r; role sysadm_r, staff_r, user_r;
@ -400,6 +400,13 @@ ifdef(`targeted_policy',`
sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal) sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`
tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(` optional_policy(`
unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal) unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
') ')