trunk: add prelude from dan.

2008-06-06 03:13:42 +00:00 · 2008-06-06 03:13:42 +00:00 · cdbd09f65e
parent 147af4d309
commit cdbd09f65e
4 changed files with 247 additions and 0 deletions
--- a/1
+++ b/1
@ -11,6 +11,7 @@
 - Added modules:
 	kerneloops (Dan Walsh)
 	kismet (Dan Walsh)
+	prelude (Dan Walsh)

 * Wed Apr 02 2008 Chris PeBenito <selinux@tresys.com> - 20080402
 - Add core Security Enhanced X Windows support.
--- a/policy/modules/services/prelude.fc
+++ b/policy/modules/services/prelude.fc
@ -0,0 +1,11 @@
+/sbin/audisp-prelude		--	gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+
+/usr/bin/prelude-manager	--	gen_context(system_u:object_r:prelude_exec_t,s0)
+/usr/share/prewikka/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
+
+/var/lib/prelude-lml(/.*)?		gen_context(system_u:object_r:prelude_var_lib_t,s0)
+
+/var/run/prelude-manager(/.*)?		gen_context(system_u:object_r:prelude_var_run_t,s0)
+
+/var/spool/prelude-manager(/.*)?	gen_context(system_u:object_r:prelude_spool_t,s0)
+/var/spool/prelude(/.*)?		gen_context(system_u:object_r:prelude_spool_t,s0)
--- a/policy/modules/services/prelude.if
+++ b/policy/modules/services/prelude.if
@ -0,0 +1,89 @@
+## <summary>Prelude hybrid intrusion detection system</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run prelude.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelude_domtrans',`
+	gen_require(`
+		type prelude_t, prelude_exec_t;
+	')
+
+	domtrans_pattern($1, prelude_exec_t, prelude_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run prelude_audisp.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`prelude_domtrans_audisp',`
+	gen_require(`
+		type prelude_audisp_t, prelude_audisp_exec_t;
+	')
+
+	domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
+')
+
+########################################
+## <summary>
+##	Signal the prelude_audisp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed acccess.
+## </summary>
+## </param>
+#
+interface(`prelude_signal_audisp',`
+	gen_require(`
+		type prelude_audisp_t;
+	')
+
+	allow $1 prelude_audisp_t:process signal;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an prelude environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`prelude_admin',`
+	gen_require(`
+		type prelude_t, prelude_spool_t;
+		type prelude_var_run_t, prelude_var_lib_t;
+		type prelude_audisp_t, prelude_audisp_var_run_t;
+	')
+
+	allow $1 prelude_t:process { ptrace signal_perms };
+	ps_process_pattern($1, prelude_t)
+
+	allow $1 prelude_audisp_t:process { ptrace signal_perms };
+	ps_process_pattern($1, prelude_audisp_t)
+
+	manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
+
+	manage_files_pattern($1, prelude_var_lib_t, prelude_var_lib_t)
+
+	manage_files_pattern($1, prelude_var_run_t, prelude_var_run_t)
+
+	manage_files_pattern($1, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
+')
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
@ -0,0 +1,146 @@
+
+policy_module(prelude, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type prelude_t;
+type prelude_exec_t;
+init_daemon_domain(prelude_t, prelude_exec_t)
+
+type prelude_spool_t;
+files_type(prelude_spool_t)
+
+type prelude_var_run_t;
+files_pid_file(prelude_var_run_t)
+
+type prelude_var_lib_t;
+files_type(prelude_var_lib_t)
+
+type prelude_audisp_t;
+type prelude_audisp_exec_t;
+init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
+
+type prelude_audisp_var_run_t;
+files_pid_file(prelude_audisp_var_run_t)
+
+########################################
+#
+# prelude local policy
+#
+
+allow prelude_t self:capability sys_tty_config;
+allow prelude_t self:fifo_file rw_file_perms;
+allow prelude_t self:unix_stream_socket create_stream_socket_perms;
+allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
+files_search_spool(prelude_t)
+
+manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
+manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
+files_search_var_lib(prelude_t)
+
+manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
+files_pid_filetrans(prelude_t, prelude_var_run_t, file)
+
+corecmd_search_bin(prelude_t)
+
+corenet_all_recvfrom_unlabeled(prelude_t)
+corenet_all_recvfrom_netlabel(prelude_t)
+corenet_tcp_sendrecv_all_if(prelude_t)
+corenet_tcp_sendrecv_all_nodes(prelude_t)
+corenet_tcp_bind_all_nodes(prelude_t)
+
+dev_read_rand(prelude_t)
+dev_read_urand(prelude_t)
+
+# Init script handling
+domain_use_interactive_fds(prelude_t)
+
+files_read_etc_files(prelude_t)
+files_read_usr_files(prelude_t)
+
+auth_use_nsswitch(prelude_t)
+
+libs_use_ld_so(prelude_t)
+libs_use_shared_libs(prelude_t)
+
+logging_send_audit_msgs(prelude_t)
+logging_send_syslog_msg(prelude_t)
+
+miscfiles_read_localization(prelude_t)
+
+optional_policy(`
+	mysql_search_db(prelude_t)
+	mysql_stream_connect(prelude_t)
+')
+
+optional_policy(`
+	postgresql_stream_connect(prelude_t)
+')
+
+########################################
+#
+# prelude_audisp local policy
+#
+
+allow prelude_audisp_t self:fifo_file rw_file_perms;
+allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
+allow prelude_audisp_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_audisp_t self:tcp_socket create_socket_perms;
+
+manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
+files_search_spool(prelude_audisp_t)
+
+manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
+files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file)
+
+corecmd_search_bin(prelude_audisp_t)
+
+corenet_all_recvfrom_unlabeled(prelude_audisp_t)
+corenet_all_recvfrom_netlabel(prelude_audisp_t)
+corenet_tcp_sendrecv_all_if(prelude_audisp_t)
+corenet_tcp_sendrecv_all_nodes(prelude_audisp_t)
+corenet_tcp_bind_all_nodes(prelude_audisp_t)
+
+dev_read_rand(prelude_audisp_t)
+dev_read_urand(prelude_audisp_t)
+
+# Init script handling
+domain_use_interactive_fds(prelude_audisp_t)
+
+files_read_etc_files(prelude_audisp_t)
+
+libs_use_ld_so(prelude_audisp_t)
+libs_use_shared_libs(prelude_audisp_t)
+
+logging_send_syslog_msg(prelude_audisp_t)
+
+miscfiles_read_localization(prelude_audisp_t)
+
+########################################
+#
+# prewikka_cgi Declarations
+#
+
+optional_policy(`
+	apache_content_template(prewikka)
+	files_read_etc_files(httpd_prewikka_script_t)
+
+	optional_policy(`
+		mysql_search_db(httpd_prewikka_script_t)
+		mysql_stream_connect(httpd_prewikka_script_t)
+	')
+
+	optional_policy(`
+		postgresql_stream_connect(httpd_prewikka_script_t)
+	')
+')