# DESC tripwire
#
# Author: David Hampton <hampton@employees.org>
#
# NOTE: Tripwire creates temp file in its current working directory.
# This policy does not allow write access to home directories, so
# users will need to either cd to a directory where they have write
# permission, or set the TEMPDIRECTORY variable in the tripwire config
# file. The latter is preferable, as then the file_type_auto_trans
# rules will kick in and label the files as private to tripwire.
#
# Layout of this file: the tripwire_domain macro builds one domain per
# way tripwire is started (interactively and from cron). twadmin,
# twprint and siggen get plain application domains of their own. The
# domains that must read the whole filesystem (tripwire and siggen)
# are built with the extra auth argument to application_domain; the
# write side of every domain is kept to the private tripwire types.

# Common definitions

# Report files written by tripwire. file_type and sysadmfile are
# attributes; the read-all rules inside the macro below match file_type.
type tripwire_report_t, file_type, sysadmfile;
# Presumably declare tripwire_etc_t, tripwire_var_lib_t and
# tripwire_tmp_t, which the rules below reference.
etcdir_domain(tripwire)
var_lib_domain(tripwire)
tmp_domain(tripwire)

# Macro for defining tripwire domains
#
# tripwire_domain(name): declares name_t through application_domain with
# the extra auth argument, adds the type to system_r and grants what every
# way of running tripwire needs. Write access is limited to
# tripwire_var_lib_t, tripwire_tmp_t and tripwire_report_t; everything
# else on the system is getattr/read only for the domain.
define(`tripwire_domain',`
application_domain($1, `, auth')
role system_r types $1_t;

# Allow access to common tripwire files
allow $1_t tripwire_etc_t:file r_file_perms;
allow $1_t tripwire_etc_t:dir r_dir_perms;
allow $1_t tripwire_etc_t:lnk_file { getattr read };
# Files created under var_lib_t and tmp_t are relabelled to the private
# tripwire types, which is what keeps them separate from other tmp users.
file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')
allow $1_t self:process { fork sigchld };
# dac_override is needed so the read-all rules below also cover files the
# process does not own under DAC. No write-related capability is granted.
allow $1_t self:capability { setgid setuid dac_override };

# Tripwire needs to read all files on the system
# (every file_type, device nodes and sysctl entries). None of the rules in
# this group grant write, append, create or relabel on file_type.
general_proc_read_access($1_t)
allow $1_t file_type:dir { search getattr read};
allow $1_t file_type:{file chr_file lnk_file sock_file} {getattr read};
allow $1_t file_type:fifo_file { getattr };
allow $1_t device_type:file { getattr read };
allow $1_t sysctl_t:dir { getattr read };
# Only getattr on these device nodes; no read or write.
allow $1_t {memory_device_t tty_device_t urandom_device_t zero_device_t}:chr_file getattr;

# Tripwire report files
create_dir_file($1_t, tripwire_report_t)

# gethostid()? (original author guess at why the socket is needed)
allow $1_t self:unix_stream_socket { connect create };

# Running editor program (tripwire forks then runs bash which runs editor)
can_exec($1_t, shell_exec_t)
can_exec($1_t, bin_t)
uses_shlib($1_t)
# Presumably its own /proc/<pid> entries, which carry the domain type.
allow $1_t self:dir search;
allow $1_t self:file { getattr read };
')

##########
##########
#
# When run by a user
#
tripwire_domain(`tripwire')

# Running from the command line
allow tripwire_t devpts_t:dir search;
allow tripwire_t devtty_t:chr_file { read write };
allow tripwire_t {sysadm_devpts_t user_devpts_t}:chr_file rw_file_perms;
allow tripwire_t privfd:fd use;

##########
##########
#
# When run from cron
#
tripwire_domain(`tripwire_crond')
system_crond_entry(tripwire_exec_t, tripwire_crond_t)
# NOTE(review): the crond_t daemon domain is transitioned to tripwire_t,
# the interactive domain, while tripwire_crond_t is only reachable through
# system_crond_entry above. Confirm this split is intended.
domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)

# Tripwire uses a temp file in the root home directory
#create_dir_file(tripwire_crond_t, root_t)

##########
# Twadmin
##########
# twadmin maintains the tripwire configuration. Within this file it is the
# only domain that may create and write tripwire_etc_t; the others read it.
application_domain(twadmin)
read_locale(twadmin_t)
create_dir_file(twadmin_t, tripwire_etc_t)
allow twadmin_t sysadm_tmp_t:file { getattr read write };

# Running from the command line
allow twadmin_t sshd_t:fd use;
allow twadmin_t admin_tty_type:chr_file rw_file_perms;
dontaudit twadmin_t { bin_t sbin_t }:dir search;
dontaudit twadmin_t home_root_t:dir search;
# NOTE(review): this rule names twprint_t although it sits in the twadmin
# section, and the twprint section below has no user_home_dir_t rule of
# its own. Confirm whether twadmin_t was intended here.
dontaudit twprint_t user_home_dir_t:dir search;

##########
# Twprint
##########
# twprint is read-only: configuration, the database under var_lib and
# the report files. It is not given the read-all access of tripwire_t.
application_domain(twprint)
read_locale(twprint_t)
r_dir_file(twprint_t, tripwire_etc_t)
allow twprint_t { var_t var_lib_t }:dir search;
r_dir_file(twprint_t, tripwire_var_lib_t)
r_dir_file(twprint_t, tripwire_report_t)

# Running from the command line
allow twprint_t sshd_t:fd use;
allow twprint_t admin_tty_type:chr_file rw_file_perms;
dontaudit twprint_t { bin_t sbin_t }:dir search;
dontaudit twprint_t home_root_t:dir search;

##########
# Siggen
##########
# siggen is built with the same extra auth argument as the tripwire
# domains and may read every file_type, but only regular files and
# directories (no device or special-file rules) and without dac_override,
# so DAC still limits what it can open.
application_domain(siggen, `, auth')
read_locale(siggen_t)

# Need permission to read files
allow siggen_t file_type:dir { search getattr read};
allow siggen_t file_type:file {getattr read};

# Running from the command line
allow siggen_t sshd_t:fd use;
allow siggen_t admin_tty_type:chr_file rw_file_perms;