trunk: 5 modules from dan.

2009-04-20 19:03:15 +00:00 · 2009-04-20 19:03:15 +00:00 · a5ef553c2d
commit a5ef553c2d
parent 153fe24bdc
17 changed files with 1048 additions and 1 deletions
--- a/7
+++ b/7
@ -13,8 +13,13 @@
 - Add kernel_service access vectors, from Stephen Smalley.
 - Added modules:
 	git (Dan Walsh)
-	gues (Dan Walsh)
+	guest (Dan Walsh)
+	ifplugd (Dan Walsh)
 	logadm (Dan Walsh)
+	pingd (Dan Walsh)
+	psad (Dan Walsh)
+	portreserve (Dan Walsh)
+	ulogd (Dan Walsh)
 	webadm (Dan Walsh)
 	xguest (Dan Walsh)
 	zosremote (Dan Walsh)
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -138,6 +138,7 @@ network_port(ocsp, tcp,9080,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
+network_port(pingd, tcp,9125,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
--- a/policy/modules/services/ifplugd.fc
+++ b/policy/modules/services/ifplugd.fc
@ -0,0 +1,7 @@
+/etc/ifplugd(/.*)?	                gen_context(system_u:object_r:ifplugd_etc_t,s0)
+
+/etc/rc\.d/init\.d/ifplugd      --      gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0)
+
+/usr/sbin/ifplugd		--	gen_context(system_u:object_r:ifplugd_exec_t,s0)
+
+/var/run/ifplugd.*			gen_context(system_u:object_r:ifplugd_var_run_t,s0)
--- a/policy/modules/services/ifplugd.if
+++ b/policy/modules/services/ifplugd.if
@ -0,0 +1,133 @@
+## <summary>Bring up/down ethernet interfaces based on cable detection.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ifplugd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ifplugd_domtrans',`
+	gen_require(`
+		type ifplugd_t, ifplugd_exec_t;
+	')
+
+	domtrans_pattern($1, ifplugd_exec_t, ifplugd_t)
+')
+
+########################################
+## <summary>
+##	Send a generic signal to ifplugd
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ifplugd_signal',`
+	gen_require(`
+		type ifplugd_t;
+	')
+
+	allow $1 ifplugd_t:process signal;
+')
+
+########################################
+## <summary>
+##	Read ifplugd etc configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ifplugd_read_config',`
+	gen_require(`
+		type ifplugd_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+')
+
+########################################
+## <summary>
+##	Manage ifplugd etc configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ifplugd_manage_config',`
+	gen_require(`
+		type ifplugd_etc_t;
+	')
+
+	files_search_etc($1)
+	manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+	manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+')
+
+########################################
+## <summary>
+##	Read ifplugd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ifplugd_read_pid_files',`
+	gen_require(`
+		type ifplugd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 ifplugd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an ifplugd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the ifplugd domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ifplugd_admin',`
+	gen_require(`
+		type ifplugd_t, ifplugd_etc_t;
+		type ifplugd_var_run_t, ifplugd_initrc_exec_t;
+	')
+
+	allow $1 ifplugd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ifplugd_t)
+
+	init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 ifplugd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, ifplugd_etc_t)
+
+	files_list_pids($1)
+	admin_pattern($1, ifplugd_var_run_t)
+')
--- a/policy/modules/services/ifplugd.te
+++ b/policy/modules/services/ifplugd.te
@ -0,0 +1,77 @@
+
+policy_module(ifplugd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ifplugd_t;
+type ifplugd_exec_t;
+init_daemon_domain(ifplugd_t, ifplugd_exec_t)
+
+# config files
+type ifplugd_etc_t;
+files_type(ifplugd_etc_t)
+
+type ifplugd_initrc_exec_t;
+init_script_file(ifplugd_initrc_exec_t)
+
+# pid files
+type ifplugd_var_run_t;
+files_pid_file(ifplugd_var_run_t)
+
+########################################
+#
+# ifplugd local policy
+#
+
+allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
+dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
+allow ifplugd_t self:process { signal signull };
+allow ifplugd_t self:fifo_file rw_fifo_file_perms;
+allow ifplugd_t self:tcp_socket create_stream_socket_perms;
+allow ifplugd_t self:udp_socket create_socket_perms;
+allow ifplugd_t self:packet_socket create_socket_perms;
+allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms;
+
+# pid file
+manage_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
+manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
+files_pid_filetrans(ifplugd_t, ifplugd_var_run_t, { file sock_file })
+
+# config files
+read_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
+exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
+
+kernel_read_system_state(ifplugd_t)
+kernel_read_network_state(ifplugd_t)
+kernel_rw_net_sysctls(ifplugd_t)
+kernel_read_kernel_sysctls(ifplugd_t)
+
+corecmd_exec_shell(ifplugd_t)
+corecmd_exec_bin(ifplugd_t)
+
+# reading of hardware information
+dev_read_sysfs(ifplugd_t)
+
+domain_read_confined_domains_state(ifplugd_t)
+domain_dontaudit_read_all_domains_state(ifplugd_t)
+
+auth_use_nsswitch(ifplugd_t)
+
+logging_send_syslog_msg(ifplugd_t)
+
+miscfiles_read_localization(ifplugd_t)
+
+netutils_domtrans(ifplugd_t)
+# transition to ifconfig & dhcpc
+sysnet_domtrans_ifconfig(ifplugd_t)
+sysnet_domtrans_dhcpc(ifplugd_t)
+sysnet_delete_dhcpc_pid(ifplugd_t)
+sysnet_read_dhcpc_pid(ifplugd_t)
+sysnet_signal_dhcpc(ifplugd_t)
+
+optional_policy(`
+        consoletype_exec(ifplugd_t)
+')
--- a/policy/modules/services/pingd.fc
+++ b/policy/modules/services/pingd.fc
@ -0,0 +1,6 @@
+/etc/pingd.conf				--	gen_context(system_u:object_r:pingd_etc_t,s0)
+/etc/rc\.d/init\.d/whatsup-pingd	--	gen_context(system_u:object_r:pingd_initrc_exec_t,s0)
+
+/usr/lib/pingd(/.*)?				gen_context(system_u:object_r:pingd_modules_t,s0)
+
+/usr/sbin/pingd				--	gen_context(system_u:object_r:pingd_exec_t,s0)
--- a/policy/modules/services/pingd.if
+++ b/policy/modules/services/pingd.if
@ -0,0 +1,97 @@
+## <summary>Pingd of the Whatsup cluster node up/down detection utility</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run pingd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pingd_domtrans',`
+	gen_require(`
+		type pingd_t, pingd_exec_t;
+	')
+
+	domtrans_pattern($1, pingd_exec_t, pingd_t)
+')
+
+#######################################
+## <summary>
+##      Read pingd etc configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`pingd_read_config',`
+        gen_require(`
+                type pingd_etc_t;
+        ')
+
+        files_search_etc($1)
+        read_files_pattern($1, pingd_etc_t, pingd_etc_t)
+')
+
+#######################################
+## <summary>
+##      Manage pingd etc configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`pingd_manage_config',`
+        gen_require(`
+                type pingd_etc_t;
+        ')
+
+        files_search_etc($1)
+        manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
+        manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
+
+')
+
+#######################################
+## <summary>
+##      All of the rules required to administrate 
+##      an pingd environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the pingd domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pingd_admin',`
+        gen_require(`
+                type pingd_t, pingd_etc_t;
+                type pingd_initrc_exec_t, pingd_modules_t;
+        ')
+
+        allow $1 pingd_t:process { ptrace signal_perms };
+        ps_process_pattern($1, pingd_t)
+
+        init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 pingd_initrc_exec_t system_r;
+        allow $2 system_r;
+
+        files_list_etc($1)
+        admin_pattern($1, pingd_etc_t)
+
+	files_list_usr($1)
+        admin_pattern($1, pingd_modules_t)
+')
--- a/policy/modules/services/pingd.te
+++ b/policy/modules/services/pingd.te
@ -0,0 +1,48 @@
+
+policy_module(pingd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pingd_t;
+type pingd_exec_t;
+init_daemon_domain(pingd_t, pingd_exec_t)
+
+# type for config
+type pingd_etc_t;
+files_type(pingd_etc_t);
+
+type pingd_initrc_exec_t;
+init_script_file(pingd_initrc_exec_t)
+
+# type for pingd modules
+type pingd_modules_t;
+files_type(pingd_modules_t)
+
+########################################
+#
+# pingd local policy
+#
+
+allow pingd_t self:capability net_raw;
+allow pingd_t self:tcp_socket create_stream_socket_perms;
+allow pingd_t self:rawip_socket { write read create bind };
+
+read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
+
+read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+
+corenet_raw_bind_generic_node(pingd_t)
+corenet_tcp_bind_generic_node(pingd_t)
+corenet_tcp_bind_pingd_port(pingd_t)
+
+auth_use_nsswitch(pingd_t)
+
+files_search_usr(pingd_t)
+
+logging_send_syslog_msg(pingd_t)
+
+miscfiles_read_localization(pingd_t)
--- a/policy/modules/services/portreserve.fc
+++ b/policy/modules/services/portreserve.fc
@ -0,0 +1,5 @@
+/etc/portreserve(/.*)?			gen_context(system_u:object_r:portreserve_etc_t,s0)
+
+/sbin/portreserve		--	gen_context(system_u:object_r:portreserve_exec_t,s0)
+
+/var/run/portreserve(/.*)? 		gen_context(system_u:object_r:portreserve_var_run_t,s0)
--- a/policy/modules/services/portreserve.if
+++ b/policy/modules/services/portreserve.if
@ -0,0 +1,66 @@
+## <summary>Reserve well-known ports in the RPC port range.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run portreserve.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`portreserve_domtrans',`
+	gen_require(`
+		type portreserve_t, portreserve_exec_t;
+	')
+
+	domtrans_pattern($1, portreserve_exec_t, portreserve_t)
+')
+
+#######################################
+## <summary>
+##	Allow the specified domain to read
+##	portreserve etcuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`portreserve_read_config',`
+	gen_require(`
+		type portreserve_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 portreserve_etc_t:dir list_dir_perms;
+	read_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+	read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+')
+
+#######################################
+## <summary>
+##	Allow the specified domain to manage
+##	portreserve etcuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`portreserve_manage_config',`
+	gen_require(`
+		type portreserve_etc_t;
+	')
+
+	files_search_etc($1)
+	manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t)
+	manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+	read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+')
--- a/policy/modules/services/portreserve.te
+++ b/policy/modules/services/portreserve.te
@ -0,0 +1,45 @@
+
+policy_module(portreserve, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type portreserve_t;
+type portreserve_exec_t;
+init_daemon_domain(portreserve_t, portreserve_exec_t)
+
+type portreserve_etc_t;
+files_type(portreserve_etc_t)
+
+type portreserve_var_run_t;
+files_pid_file(portreserve_var_run_t)
+
+########################################
+#
+# Portreserve local policy
+#
+
+allow portreserve_t self:fifo_file rw_fifo_file_perms;
+allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
+allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
+allow portreserve_t self:tcp_socket create_socket_perms;
+allow portreserve_t self:udp_socket create_socket_perms;
+
+# Read etc files
+list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
+read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
+
+# Manage /var/run/portreserve/*
+manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file })
+
+corenet_tcp_bind_generic_node(portreserve_t)
+corenet_udp_bind_generic_node(portreserve_t)
+corenet_tcp_bind_all_reserved_ports(portreserve_t)
+corenet_udp_bind_all_reserved_ports(portreserve_t)
+
+files_read_etc_files(portreserve_t)
--- a/policy/modules/services/psad.fc
+++ b/policy/modules/services/psad.fc
@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/psad --		gen_context(system_u:object_r:psad_initrc_exec_t,s0)
+/etc/psad(/.*)?				gen_context(system_u:object_r:psad_etc_t,s0)
+
+/usr/sbin/psad		--		gen_context(system_u:object_r:psad_exec_t,s0)
+
+/var/lib/psad(/.*)?			gen_context(system_u:object_r:psad_var_lib_t,s0)
+/var/log/psad(/.*)?			gen_context(system_u:object_r:psad_var_log_t,s0)
+/var/run/psad(/.*)?			gen_context(system_u:object_r:psad_var_run_t,s0)
--- a/policy/modules/services/psad.if
+++ b/policy/modules/services/psad.if
@ -0,0 +1,262 @@
+## <summary>Intrusion Detection and Log Analysis with iptables</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run psad.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`psad_domtrans',`
+	gen_require(`
+		type psad_t, psad_exec_t;
+	')
+
+	domtrans_pattern($1, psad_exec_t, psad_t)
+')
+
+########################################
+## <summary>
+##	Send a generic signal to psad
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_signal',`
+	gen_require(`
+		type psad_t;
+	')
+
+	allow $1 psad_t:process signal;
+')
+
+#######################################
+## <summary>
+##	Send a null signal to psad.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_signull',`
+	gen_require(`
+		type psad_t;
+	')
+
+	allow $1 psad_t:process signull;
+')
+
+########################################
+## <summary>
+##	Read psad etc configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_read_config',`
+	gen_require(`
+		type psad_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, psad_etc_t, psad_etc_t)
+')
+
+########################################
+## <summary>
+##	Manage psad etc configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_manage_config',`
+        gen_require(`
+                type psad_etc_t;
+        ')
+
+	files_search_etc($1)
+	manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+        manage_files_pattern($1, psad_etc_t, psad_etc_t)
+
+')
+
+########################################
+## <summary>
+##	Read psad PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_read_pid_files',`
+	gen_require(`
+		type psad_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read psad PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_rw_pid_files',`
+	gen_require(`
+		type psad_var_run_t;
+	')
+
+	files_search_pids($1)
+	rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read psad's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_read_log',`
+	gen_require(`
+		type psad_var_log_t;
+	')
+
+	logging_search_logs($1)
+	list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+	read_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append to psad's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_append_log',`
+	gen_require(`
+		type psad_var_log_t;
+	')
+
+	logging_search_logs($1)
+	list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+	append_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+##	Read and write psad fifo files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_rw_fifo_file',`
+	gen_require(`
+		type psad_t;
+	')
+
+	files_search_var_lib($1)
+	search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+	rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+## <summary>
+##	Read and write psad tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_rw_tmp_files',`
+	gen_require(`
+		type psad_tmp_t;
+	')
+
+	files_search_tmp($1)
+	rw_files_pattern($1, psad_tmp_t, psad_tmp_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an psad environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_admin',`
+	gen_require(`
+		type psad_t, psad_var_run_t, psad_var_log_t;
+		type psad_initrc_exec_t, psad_var_lib_t;
+		type psad_tmp_t;
+	')
+
+	allow $1 psad_t:process { ptrace signal_perms };
+	ps_process_pattern($1, psad_t)
+
+	init_labeled_script_domtrans($1, psad_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 psad_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, psad_etc_t)
+
+	files_search_pids($1)
+	admin_pattern($1, psad_var_run_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, psad_var_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, psad_var_lib_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, psad_tmp_t)
+')
--- a/policy/modules/services/psad.te
+++ b/policy/modules/services/psad.te
@ -0,0 +1,107 @@
+
+policy_module(psad, 1.0.0) 
+
+########################################
+#
+# Declarations
+#
+
+type psad_t;
+type psad_exec_t;
+init_daemon_domain(psad_t, psad_exec_t)
+
+# config files
+type psad_etc_t;
+files_type(psad_etc_t)
+
+type psad_initrc_exec_t;
+init_script_file(psad_initrc_exec_t)
+
+# var/lib files
+type psad_var_lib_t;
+files_type(psad_var_lib_t)
+
+# log files
+type psad_var_log_t;
+logging_log_file(psad_var_log_t)
+
+# pid files
+type psad_var_run_t;
+files_pid_file(psad_var_run_t)
+
+# tmp files
+type psad_tmp_t;
+files_tmp_file(psad_tmp_t)
+
+########################################
+#
+# psad local policy
+#
+
+allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+dontaudit psad_t self:capability sys_tty_config;
+allow psad_t self:process signull;
+allow psad_t self:fifo_file rw_fifo_file_perms;
+allow psad_t self:rawip_socket create_socket_perms;
+
+# config files
+read_files_pattern(psad_t, psad_etc_t, psad_etc_t)
+list_dirs_pattern(psad_t, psad_etc_t, psad_etc_t)
+
+# log files
+manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
+
+# pid file
+manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file })
+
+# tmp files
+manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
+manage_files_pattern(psad_t, psad_tmp_t, psad_tmp_t)
+files_tmp_filetrans(psad_t, psad_tmp_t, { file dir })
+
+# /var/lib files
+search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+
+kernel_read_system_state(psad_t)
+kernel_read_network_state(psad_t)
+kernel_read_net_sysctls(psad_t)
+
+corecmd_exec_shell(psad_t)
+corecmd_exec_bin(psad_t)
+
+corenet_all_recvfrom_unlabeled(psad_t)
+corenet_all_recvfrom_netlabel(psad_t)
+corenet_tcp_sendrecv_generic_if(psad_t)
+corenet_tcp_sendrecv_generic_node(psad_t)
+corenet_tcp_bind_generic_node(psad_t)
+corenet_tcp_sendrecv_all_ports(psad_t)
+corenet_tcp_connect_whois_port(psad_t)
+corenet_sendrecv_whois_client_packets(psad_t)
+
+dev_read_urand(psad_t)
+
+files_read_etc_runtime_files(psad_t)
+
+fs_getattr_all_fs(psad_t)
+
+auth_use_nsswitch(psad_t)
+
+iptables_domtrans(psad_t)
+
+logging_read_generic_logs(psad_t)
+logging_read_syslog_config(psad_t)
+logging_send_syslog_msg(psad_t)
+
+miscfiles_read_localization(psad_t)
+
+sysnet_exec_ifconfig(psad_t)
+
+optional_policy(`
+        mta_send_mail(psad_t)
+	mta_read_queue(psad_t)
+')
--- a/policy/modules/services/ulogd.fc
+++ b/policy/modules/services/ulogd.fc
@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/ulogd	--	gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+/etc/ulogd.conf			--	gen_context(system_u:object_r:ulogd_etc_t,s0)
+
+/usr/lib/ulogd(/.*)?			gen_context(system_u:object_r:ulogd_modules_t,s0)	
+/usr/sbin/ulogd			--	gen_context(system_u:object_r:ulogd_exec_t,s0)
+
+/var/log/ulogd(/.*)?			gen_context(system_u:object_r:ulogd_var_log_t,s0)
--- a/policy/modules/services/ulogd.if
+++ b/policy/modules/services/ulogd.if
@ -0,0 +1,124 @@
+## <summary>Iptables/netfilter userspace logging daemon.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ulogd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ulogd_domtrans',`
+	gen_require(`
+		type ulogd_t, ulogd_exec_t;
+	')
+
+	domtrans_pattern($1, ulogd_exec_t, ulogd_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	ulogd configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_read_config',`
+	gen_require(`
+		type ulogd_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read ulogd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_read_log',`
+	gen_require(`
+		type ulogd_var_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 ulogd_var_log_t:dir list_dir_perms;
+	read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append to ulogd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_append_log',`
+	gen_require(`
+		type ulogd_var_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 ulogd_var_log_t:dir list_dir_perms;
+	allow $1 ulogd_var_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an ulogd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_admin',`
+	gen_require(`
+		type ulogd_t, ulogd_etc_t;
+		type ulogd_var_log_t, ulogd_initrc_exec_t;
+		type ulogd_modules_t;
+	')
+
+	allow $1 ulogd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ulogd_t)
+
+	init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 ulogd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, ulogd_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, ulogd_var_log_t)
+
+	files_search_usr($1)
+	admin_pattern($1, ulogd_modules_t)
+')
--- a/policy/modules/services/ulogd.te
+++ b/policy/modules/services/ulogd.te
@ -0,0 +1,49 @@
+
+policy_module(ulogd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ulogd_t;
+type ulogd_exec_t;
+init_daemon_domain(ulogd_t, ulogd_exec_t)
+
+# config files
+type ulogd_etc_t;
+files_type(ulogd_etc_t)
+
+type ulogd_initrc_exec_t;
+init_script_file(ulogd_initrc_exec_t)
+
+# /usr/lib files
+type ulogd_modules_t;
+files_type(ulogd_modules_t)
+
+# log files
+type ulogd_var_log_t;
+logging_log_file(ulogd_var_log_t)
+
+########################################
+#
+# ulogd local policy
+#
+
+allow ulogd_t self:capability net_admin;
+allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+
+# config files
+read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
+
+# modules for ulogd
+list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+
+# log files
+manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
+
+files_search_etc(ulogd_t)
+
+miscfiles_read_localization(ulogd_t)