add tripwire, bug 1550
This commit is contained in:
parent
0377627083
commit
8536924eec
@ -65,6 +65,7 @@
|
||||
thunderbird
|
||||
tor (Erich Schubert)
|
||||
transproxy
|
||||
tripwire
|
||||
uptime
|
||||
uwimap
|
||||
xen (Dan Walsh)
|
||||
|
10
refpolicy/policy/modules/admin/tripwire.fc
Normal file
10
refpolicy/policy/modules/admin/tripwire.fc
Normal file
@ -0,0 +1,10 @@
|
||||
|
||||
/etc/tripwire(/.*)? gen_context(system_u:object_r:tripwire_etc_t,s0)
|
||||
|
||||
/usr/sbin/siggen -- gen_context(system_u:object_r:siggen_exec_t,s0)
|
||||
/usr/sbin/tripwire -- gen_context(system_u:object_r:tripwire_exec_t,s0)
|
||||
/usr/sbin/twadmin -- gen_context(system_u:object_r:twadmin_exec_t,s0)
|
||||
/usr/sbin/twprint -- gen_context(system_u:object_r:twprint_exec_t,s0)
|
||||
|
||||
/var/lib/tripwire(/.*)? gen_context(system_u:object_r:tripwire_var_lib_t,s0)
|
||||
/var/lib/tripwire/report(/.*)? gen_context(system_u:object_r:tripwire_report_t,s0)
|
222
refpolicy/policy/modules/admin/tripwire.if
Normal file
222
refpolicy/policy/modules/admin/tripwire.if
Normal file
@ -0,0 +1,222 @@
|
||||
## <summary>Tripwire file integrity checker.</summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Tripwire file integrity checker.
|
||||
## </p>
|
||||
## <p>
|
||||
## NOTE: Tripwire creates temp file in its current working directory.
|
||||
## This policy does not allow write access to home directories, so
|
||||
## users will need to either cd to a directory where they have write
|
||||
## permission, or set the TEMPDIRECTORY variable in the tripwire config
|
||||
## file. The latter is preferable, as then the file_type_auto_trans
|
||||
## rules will kick in and label the files as private to tripwire.
|
||||
## </p>
|
||||
## </desc>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute tripwire in the tripwire domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`tripwire_domtrans_tripwire',`
|
||||
gen_require(`
|
||||
type tripwire_t, tripwire_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,tripwire_exec_t,tripwire_t)
|
||||
allow tripwire_t $1:fd use;
|
||||
allow tripwire_t $1:fifo_file rw_file_perms;
|
||||
allow tripwire_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute tripwire in the tripwire domain, and
|
||||
## allow the specified role the tripwire domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the tripwire domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the tripwire domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`tripwire_run_tripwire',`
|
||||
gen_require(`
|
||||
type tripwire_t;
|
||||
')
|
||||
|
||||
tripwire_domtrans_tripwire($1)
|
||||
role $2 types tripwire_t;
|
||||
allow tripwire_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute twadmin in the twadmin domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`tripwire_domtrans_twadmin',`
|
||||
gen_require(`
|
||||
type twadmin_t, twadmin_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,twadmin_exec_t,twadmin_t)
|
||||
allow twadmin_t $1:fd use;
|
||||
allow twadmin_t $1:fifo_file rw_file_perms;
|
||||
allow twadmin_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute twadmin in the twadmin domain, and
|
||||
## allow the specified role the twadmin domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the twadmin domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the twadmin domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`tripwire_run_twadmin',`
|
||||
gen_require(`
|
||||
type twadmin_t;
|
||||
')
|
||||
|
||||
tripwire_domtrans_twadmin($1)
|
||||
role $2 types twadmin_t;
|
||||
allow twadmin_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute twprint in the twprint domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`tripwire_domtrans_twprint',`
|
||||
gen_require(`
|
||||
type twprint_t, twprint_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,twprint_exec_t,twprint_t)
|
||||
allow twprint_t $1:fd use;
|
||||
allow twprint_t $1:fifo_file rw_file_perms;
|
||||
allow twprint_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute twprint in the twprint domain, and
|
||||
## allow the specified role the twprint domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the twprint domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the twprint domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`tripwire_run_twprint',`
|
||||
gen_require(`
|
||||
type twprint_t;
|
||||
')
|
||||
|
||||
tripwire_domtrans_twprint($1)
|
||||
role $2 types twprint_t;
|
||||
allow twprint_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute siggen in the siggen domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`tripwire_domtrans_siggen',`
|
||||
gen_require(`
|
||||
type siggen_t, siggen_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,siggen_exec_t,siggen_t)
|
||||
allow siggen_t $1:fd use;
|
||||
allow siggen_t $1:fifo_file rw_file_perms;
|
||||
allow siggen_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute siggen in the siggen domain, and
|
||||
## allow the specified role the siggen domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed the siggen domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the terminal allow the siggen domain to use.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`tripwire_run_siggen',`
|
||||
gen_require(`
|
||||
type siggen_t;
|
||||
')
|
||||
|
||||
tripwire_domtrans_siggen($1)
|
||||
role $2 types siggen_t;
|
||||
allow siggen_t $3:chr_file rw_term_perms;
|
||||
')
|
160
refpolicy/policy/modules/admin/tripwire.te
Normal file
160
refpolicy/policy/modules/admin/tripwire.te
Normal file
@ -0,0 +1,160 @@
|
||||
|
||||
policy_module(tripwire,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type siggen_t;
|
||||
type siggen_exec_t;
|
||||
domain_type(siggen_t)
|
||||
domain_entry_file(siggen_t,siggen_exec_t)
|
||||
|
||||
type tripwire_t;
|
||||
type tripwire_exec_t;
|
||||
domain_type(tripwire_t)
|
||||
domain_entry_file(tripwire_t,tripwire_exec_t)
|
||||
role system_r types tripwire_t;
|
||||
|
||||
type tripwire_etc_t;
|
||||
files_config_file(tripwire_etc_t)
|
||||
|
||||
type tripwire_report_t;
|
||||
files_type(tripwire_report_t)
|
||||
|
||||
type tripwire_tmp_t;
|
||||
files_tmp_file(tripwire_tmp_t)
|
||||
|
||||
type tripwire_var_lib_t;
|
||||
files_type(tripwire_var_lib_t)
|
||||
|
||||
type twadmin_t;
|
||||
type twadmin_exec_t;
|
||||
domain_type(twadmin_t)
|
||||
domain_entry_file(twadmin_t,twadmin_exec_t)
|
||||
|
||||
type twprint_t;
|
||||
type twprint_exec_t;
|
||||
domain_type(twprint_t)
|
||||
domain_entry_file(twprint_t,twprint_exec_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Tripwire local policy
|
||||
#
|
||||
|
||||
allow tripwire_t self:capability { setgid setuid dac_override };
|
||||
|
||||
allow tripwire_t tripwire_etc_t:file r_file_perms;
|
||||
allow tripwire_t tripwire_etc_t:dir r_dir_perms;
|
||||
allow tripwire_t tripwire_etc_t:lnk_file { getattr read };
|
||||
files_search_etc(tripwire_t)
|
||||
|
||||
allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
|
||||
allow tripwire_t tripwire_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(tripwire_t, tripwire_tmp_t, { file dir })
|
||||
|
||||
# Tripwire report files
|
||||
allow tripwire_t tripwire_report_t:dir manage_dir_perms;
|
||||
allow tripwire_t tripwire_report_t:file manage_file_perms;
|
||||
allow tripwire_t tripwire_report_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow tripwire_t tripwire_tmp_t:dir manage_dir_perms;
|
||||
allow tripwire_t tripwire_tmp_t:file manage_file_perms;
|
||||
allow tripwire_t tripwire_tmp_t:lnk_file create_lnk_perms;
|
||||
allow tripwire_t tripwire_tmp_t:sock_file manage_file_perms;
|
||||
allow tripwire_t tripwire_tmp_t:fifo_file manage_file_perms;
|
||||
files_tmp_filetrans(tripwire_t,tripwire_tmp_t,{ file lnk_file sock_file fifo_file })
|
||||
|
||||
allow tripwire_t tripwire_var_lib_t:file manage_file_perms;
|
||||
allow tripwire_t tripwire_var_lib_t:dir rw_dir_perms;
|
||||
files_var_lib_filetrans(tripwire_t,tripwire_var_lib_t,file)
|
||||
|
||||
kernel_read_system_state(tripwire_t)
|
||||
kernel_read_network_state(tripwire_t)
|
||||
kernel_read_software_raid_state(tripwire_t)
|
||||
kernel_getattr_core_if(tripwire_t)
|
||||
kernel_getattr_message_if(tripwire_t)
|
||||
kernel_read_kernel_sysctls(tripwire_t)
|
||||
|
||||
corecmd_exec_shell(tripwire_t)
|
||||
corecmd_exec_sbin(tripwire_t)
|
||||
|
||||
domain_use_interactive_fds(tripwire_t)
|
||||
|
||||
files_read_all_files(tripwire_t)
|
||||
files_read_all_symlinks(tripwire_t)
|
||||
files_getattr_all_pipes(tripwire_t)
|
||||
files_getattr_all_sockets(tripwire_t)
|
||||
|
||||
libs_use_ld_so(tripwire_t)
|
||||
libs_use_shared_libs(tripwire_t)
|
||||
|
||||
logging_send_syslog_msg(tripwire_t)
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(tripwire_t,tripwire_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Twadmin local policy
|
||||
#
|
||||
|
||||
allow twadmin_t tripwire_etc_t:dir manage_dir_perms;
|
||||
allow twadmin_t tripwire_etc_t:file manage_file_perms;
|
||||
allow twadmin_t tripwire_etc_t:lnk_file create_lnk_perms;
|
||||
|
||||
domain_use_interactive_fds(twadmin_t)
|
||||
|
||||
libs_use_ld_so(twadmin_t)
|
||||
libs_use_shared_libs(twadmin_t)
|
||||
|
||||
logging_send_syslog_msg(twadmin_t)
|
||||
|
||||
miscfiles_read_localization(twadmin_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Twprint local policy
|
||||
#
|
||||
|
||||
allow twprint_t tripwire_etc_t:dir r_dir_perms;
|
||||
allow twprint_t tripwire_etc_t:file r_file_perms;
|
||||
allow twprint_t tripwire_etc_t:lnk_file { getattr read };
|
||||
|
||||
allow twprint_t tripwire_report_t:dir r_dir_perms;
|
||||
allow twprint_t tripwire_report_t:file r_file_perms;
|
||||
allow twprint_t tripwire_report_t:lnk_file { getattr read };
|
||||
|
||||
allow twprint_t tripwire_var_lib_t:dir r_dir_perms;
|
||||
allow twprint_t tripwire_var_lib_t:file r_file_perms;
|
||||
allow twprint_t tripwire_var_lib_t:lnk_file { getattr read };
|
||||
files_search_var_lib(twprint_t)
|
||||
|
||||
domain_use_interactive_fds(twprint_t)
|
||||
|
||||
libs_use_ld_so(twprint_t)
|
||||
libs_use_shared_libs(twprint_t)
|
||||
|
||||
logging_send_syslog_msg(twprint_t)
|
||||
|
||||
miscfiles_read_localization(twprint_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Siggen local policy
|
||||
#
|
||||
|
||||
domain_use_interactive_fds(siggen_t)
|
||||
|
||||
# Need permission to read files
|
||||
files_read_all_files(siggen_t)
|
||||
|
||||
libs_use_ld_so(siggen_t)
|
||||
libs_use_shared_libs(siggen_t)
|
||||
|
||||
logging_send_syslog_msg(siggen_t)
|
||||
|
||||
miscfiles_read_localization(siggen_t)
|
@ -421,8 +421,8 @@ interface(`files_read_all_files',`
|
||||
attribute file_type;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir search;
|
||||
allow $1 file_type:file r_file_perms;
|
||||
allow $1 file_type:dir list_dir_perms;
|
||||
allow $1 file_type:file read_file_perms;
|
||||
|
||||
optional_policy(`
|
||||
auth_read_shadow($1)
|
||||
@ -638,7 +638,7 @@ interface(`files_read_all_symlinks',`
|
||||
attribute file_type;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir search;
|
||||
allow $1 file_type:dir list_dir_perms;
|
||||
allow $1 file_type:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
@ -657,7 +657,7 @@ interface(`files_getattr_all_pipes',`
|
||||
attribute file_type;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir search;
|
||||
allow $1 file_type:dir list_dir_perms;
|
||||
allow $1 file_type:fifo_file getattr;
|
||||
')
|
||||
|
||||
@ -714,7 +714,7 @@ interface(`files_getattr_all_sockets',`
|
||||
attribute file_type;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir search;
|
||||
allow $1 file_type:dir list_dir_perms;
|
||||
allow $1 file_type:sock_file getattr;
|
||||
')
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain,1.3.16)
|
||||
policy_module(userdomain,1.3.17)
|
||||
|
||||
gen_require(`
|
||||
role sysadm_r, staff_r, user_r;
|
||||
@ -400,6 +400,13 @@ ifdef(`targeted_policy',`
|
||||
sysnet_run_dhcpc(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tripwire_run_siggen(sysadm_t,sysadm_r,admin_terminal)
|
||||
tripwire_run_tripwire(sysadm_t,sysadm_r,admin_terminal)
|
||||
tripwire_run_twadmin(sysadm_t,sysadm_r,admin_terminal)
|
||||
tripwire_run_twprint(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domtrans(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
Loading…
Reference in New Issue
Block a user