add tripwire, bug 1550

refpolicy/Changelog

@@ -65,6 +65,7 @@
 	thunderbird
 	tor (Erich Schubert)
 	transproxy
+	tripwire
 	uptime
 	uwimap
 	xen (Dan Walsh)

refpolicy/policy/modules/admin/tripwire.fc

@@ -0,0 +1,10 @@
+
+/etc/tripwire(/.*)?			gen_context(system_u:object_r:tripwire_etc_t,s0)
+
+/usr/sbin/siggen		--	gen_context(system_u:object_r:siggen_exec_t,s0)
+/usr/sbin/tripwire		--	gen_context(system_u:object_r:tripwire_exec_t,s0)
+/usr/sbin/twadmin		--	gen_context(system_u:object_r:twadmin_exec_t,s0)
+/usr/sbin/twprint		--	gen_context(system_u:object_r:twprint_exec_t,s0)
+
+/var/lib/tripwire(/.*)?			gen_context(system_u:object_r:tripwire_var_lib_t,s0)
+/var/lib/tripwire/report(/.*)?		gen_context(system_u:object_r:tripwire_report_t,s0)

refpolicy/policy/modules/admin/tripwire.if

@@ -0,0 +1,222 @@
+## <summary>Tripwire file integrity checker.</summary>
+## <desc>
+##	<p>
+##	Tripwire file integrity checker.
+##	</p>
+##	<p>
+##	NOTE: Tripwire creates temp file in its current working directory.
+##	This policy does not allow write access to home directories, so
+##	users will need to either cd to a directory where they have write
+##	permission, or set the TEMPDIRECTORY variable in the tripwire config
+##	file.  The latter is preferable, as then the file_type_auto_trans
+##	rules will kick in and label the files as private to tripwire.
+##	</p>
+## </desc>
+
+########################################
+## <summary>
+##	Execute tripwire in the tripwire domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tripwire_domtrans_tripwire',`
+	gen_require(`
+		type tripwire_t, tripwire_exec_t;
+	')
+
+	domain_auto_trans($1,tripwire_exec_t,tripwire_t)
+	allow tripwire_t $1:fd use;
+	allow tripwire_t $1:fifo_file rw_file_perms;
+	allow tripwire_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute tripwire in the tripwire domain, and
+##	allow the specified role the tripwire domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the tripwire domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the tripwire domain to use.
+##	</summary>
+## </param>
+#
+interface(`tripwire_run_tripwire',`
+	gen_require(`
+		type tripwire_t;
+	')
+
+	tripwire_domtrans_tripwire($1)
+	role $2 types tripwire_t;
+	allow tripwire_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute twadmin in the twadmin domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tripwire_domtrans_twadmin',`
+	gen_require(`
+		type twadmin_t, twadmin_exec_t;
+	')
+
+	domain_auto_trans($1,twadmin_exec_t,twadmin_t)
+	allow twadmin_t $1:fd use;
+	allow twadmin_t $1:fifo_file rw_file_perms;
+	allow twadmin_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute twadmin in the twadmin domain, and
+##	allow the specified role the twadmin domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the twadmin domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the twadmin domain to use.
+##	</summary>
+## </param>
+#
+interface(`tripwire_run_twadmin',`
+	gen_require(`
+		type twadmin_t;
+	')
+
+	tripwire_domtrans_twadmin($1)
+	role $2 types twadmin_t;
+	allow twadmin_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute twprint in the twprint domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tripwire_domtrans_twprint',`
+	gen_require(`
+		type twprint_t, twprint_exec_t;
+	')
+
+	domain_auto_trans($1,twprint_exec_t,twprint_t)
+	allow twprint_t $1:fd use;
+	allow twprint_t $1:fifo_file rw_file_perms;
+	allow twprint_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute twprint in the twprint domain, and
+##	allow the specified role the twprint domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the twprint domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the twprint domain to use.
+##	</summary>
+## </param>
+#
+interface(`tripwire_run_twprint',`
+	gen_require(`
+		type twprint_t;
+	')
+
+	tripwire_domtrans_twprint($1)
+	role $2 types twprint_t;
+	allow twprint_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute siggen in the siggen domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tripwire_domtrans_siggen',`
+	gen_require(`
+		type siggen_t, siggen_exec_t;
+	')
+
+	domain_auto_trans($1,siggen_exec_t,siggen_t)
+	allow siggen_t $1:fd use;
+	allow siggen_t $1:fifo_file rw_file_perms;
+	allow siggen_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute siggen in the siggen domain, and
+##	allow the specified role the siggen domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the siggen domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the siggen domain to use.
+##	</summary>
+## </param>
+#
+interface(`tripwire_run_siggen',`
+	gen_require(`
+		type siggen_t;
+	')
+
+	tripwire_domtrans_siggen($1)
+	role $2 types siggen_t;
+	allow siggen_t $3:chr_file rw_term_perms;
+')

refpolicy/policy/modules/admin/tripwire.te

@@ -0,0 +1,160 @@
+
+policy_module(tripwire,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type siggen_t;
+type siggen_exec_t;
+domain_type(siggen_t)
+domain_entry_file(siggen_t,siggen_exec_t)
+
+type tripwire_t;
+type tripwire_exec_t;
+domain_type(tripwire_t)
+domain_entry_file(tripwire_t,tripwire_exec_t)
+role system_r types tripwire_t;
+
+type tripwire_etc_t;
+files_config_file(tripwire_etc_t)
+
+type tripwire_report_t;
+files_type(tripwire_report_t)
+
+type tripwire_tmp_t;
+files_tmp_file(tripwire_tmp_t)
+
+type tripwire_var_lib_t;
+files_type(tripwire_var_lib_t)
+
+type twadmin_t;
+type twadmin_exec_t;
+domain_type(twadmin_t)
+domain_entry_file(twadmin_t,twadmin_exec_t)
+
+type twprint_t;
+type twprint_exec_t;
+domain_type(twprint_t)
+domain_entry_file(twprint_t,twprint_exec_t)
+
+########################################
+#
+# Tripwire local policy
+#
+
+allow tripwire_t self:capability { setgid setuid dac_override };
+
+allow tripwire_t tripwire_etc_t:file r_file_perms;
+allow tripwire_t tripwire_etc_t:dir r_dir_perms;
+allow tripwire_t tripwire_etc_t:lnk_file { getattr read };
+files_search_etc(tripwire_t)
+
+allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
+allow tripwire_t tripwire_tmp_t:file manage_file_perms;
+files_tmp_filetrans(tripwire_t, tripwire_tmp_t, { file dir })
+
+# Tripwire report files
+allow tripwire_t tripwire_report_t:dir manage_dir_perms;
+allow tripwire_t tripwire_report_t:file manage_file_perms;
+allow tripwire_t tripwire_report_t:lnk_file create_lnk_perms;
+
+allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
+allow tripwire_t tripwire_tmp_t:file manage_file_perms;
+allow tripwire_t tripwire_tmp_t:lnk_file create_lnk_perms;
+allow tripwire_t tripwire_tmp_t:sock_file manage_file_perms;
+allow tripwire_t tripwire_tmp_t:fifo_file manage_file_perms;
+files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ file lnk_file sock_file fifo_file })
+
+allow tripwire_t tripwire_var_lib_t:file manage_file_perms;
+allow tripwire_t tripwire_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(tripwire_t,tripwire_var_lib_t,file)
+
+kernel_read_system_state(tripwire_t)
+kernel_read_network_state(tripwire_t)
+kernel_read_software_raid_state(tripwire_t)
+kernel_getattr_core_if(tripwire_t)
+kernel_getattr_message_if(tripwire_t)
+kernel_read_kernel_sysctls(tripwire_t)
+
+corecmd_exec_shell(tripwire_t)
+corecmd_exec_sbin(tripwire_t)
+
+domain_use_interactive_fds(tripwire_t)
+
+files_read_all_files(tripwire_t)
+files_read_all_symlinks(tripwire_t)
+files_getattr_all_pipes(tripwire_t)
+files_getattr_all_sockets(tripwire_t)
+
+libs_use_ld_so(tripwire_t)
+libs_use_shared_libs(tripwire_t)
+
+logging_send_syslog_msg(tripwire_t)
+
+optional_policy(`
+	cron_system_entry(tripwire_t,tripwire_exec_t)
+')
+
+########################################
+#
+# Twadmin local policy
+#
+
+allow twadmin_t tripwire_etc_t:dir manage_dir_perms;
+allow twadmin_t tripwire_etc_t:file manage_file_perms;
+allow twadmin_t tripwire_etc_t:lnk_file create_lnk_perms;
+
+domain_use_interactive_fds(twadmin_t)
+
+libs_use_ld_so(twadmin_t)
+libs_use_shared_libs(twadmin_t)
+
+logging_send_syslog_msg(twadmin_t)
+
+miscfiles_read_localization(twadmin_t)
+
+########################################
+#
+# Twprint local policy
+#
+
+allow twprint_t tripwire_etc_t:dir r_dir_perms;
+allow twprint_t tripwire_etc_t:file r_file_perms;
+allow twprint_t tripwire_etc_t:lnk_file { getattr read };
+
+allow twprint_t tripwire_report_t:dir r_dir_perms;
+allow twprint_t tripwire_report_t:file r_file_perms;
+allow twprint_t tripwire_report_t:lnk_file { getattr read };
+
+allow twprint_t tripwire_var_lib_t:dir r_dir_perms;
+allow twprint_t tripwire_var_lib_t:file r_file_perms;
+allow twprint_t tripwire_var_lib_t:lnk_file { getattr read };
+files_search_var_lib(twprint_t)
+
+domain_use_interactive_fds(twprint_t)
+
+libs_use_ld_so(twprint_t)
+libs_use_shared_libs(twprint_t)
+
+logging_send_syslog_msg(twprint_t)
+
+miscfiles_read_localization(twprint_t)
+
+########################################
+#
+# Siggen local policy
+#
+
+domain_use_interactive_fds(siggen_t)
+
+# Need permission to read files
+files_read_all_files(siggen_t)
+
+libs_use_ld_so(siggen_t)
+libs_use_shared_libs(siggen_t)
+
+logging_send_syslog_msg(siggen_t)
+
+miscfiles_read_localization(siggen_t)

refpolicy/policy/modules/kernel/files.if

@@ -421,8 +421,8 @@ interface(`files_read_all_files',`
 		attribute file_type;
 	')
 
-	allow $1 file_type:dir search;
+	allow $1 file_type:dir list_dir_perms;
-	allow $1 file_type:file r_file_perms;
+	allow $1 file_type:file read_file_perms;
 
 	optional_policy(`
 		auth_read_shadow($1)
@@ -638,7 +638,7 @@ interface(`files_read_all_symlinks',`
 		attribute file_type;
 	')
 
-	allow $1 file_type:dir search;
+	allow $1 file_type:dir list_dir_perms;
 	allow $1 file_type:lnk_file { getattr read };
 ')
 
@@ -657,7 +657,7 @@ interface(`files_getattr_all_pipes',`
 		attribute file_type;
 	')
 
-	allow $1 file_type:dir search;
+	allow $1 file_type:dir list_dir_perms;
 	allow $1 file_type:fifo_file getattr;
 ')
 
@@ -714,7 +714,7 @@ interface(`files_getattr_all_sockets',`
 		attribute file_type;
 	')
 
-	allow $1 file_type:dir search;
+	allow $1 file_type:dir list_dir_perms;
 	allow $1 file_type:sock_file getattr;
 ')
 

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.16)
+policy_module(userdomain,1.3.17)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -400,6 +400,13 @@ ifdef(`targeted_policy',`
 		sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`
+		tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
+		tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
+		tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
+		tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`
 		unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
 	')