selinux-policy/strict/domains/program/unused/tripwire.te

# DESC tripwire
#
# Author: David Hampton <hampton@employees.org>
#

# NOTE: Tripwire creates temp file in its current working directory.
# This policy does not allow write access to home directories, so
# users will need to either cd to a directory where they have write
# permission, or set the TEMPDIRECTORY variable in the tripwire config
# file.  The latter is preferable, as then the file_type_auto_trans
# rules will kick in and label the files as private to tripwire.


# Common definitions
type tripwire_report_t, file_type, sysadmfile;
etcdir_domain(tripwire)
var_lib_domain(tripwire)
tmp_domain(tripwire)


# Macro for defining tripwire domains
define(`tripwire_domain',`
application_domain($1, `, auth')
role system_r types $1_t;

# Allow access to common tripwire files
allow $1_t tripwire_etc_t:file r_file_perms;
allow $1_t tripwire_etc_t:dir r_dir_perms;
allow $1_t tripwire_etc_t:lnk_file { getattr read };
file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')

allow $1_t self:process { fork sigchld };
allow $1_t self:capability { setgid setuid dac_override };

# Tripwire needs to read all files on the system
general_proc_read_access($1_t)
allow $1_t file_type:dir { search getattr read};
allow $1_t file_type:{file chr_file lnk_file sock_file} {getattr read};
allow $1_t file_type:fifo_file { getattr };
allow $1_t device_type:file { getattr read };
allow $1_t sysctl_t:dir { getattr read };
allow $1_t {memory_device_t tty_device_t urandom_device_t zero_device_t}:chr_file getattr;

# Tripwire report files
create_dir_file($1_t, tripwire_report_t)

# gethostid()?
allow $1_t self:unix_stream_socket { connect create };

# Running editor program (tripwire forks then runs bash which rins editor)
can_exec($1_t, shell_exec_t)
can_exec($1_t, bin_t)
uses_shlib($1_t)

allow $1_t self:dir search;
allow $1_t self:file { getattr read };
')


##########
##########

#
# When run by a user
#
tripwire_domain(`tripwire')

# Running from the command line
allow tripwire_t devpts_t:dir search;
allow tripwire_t devtty_t:chr_file { read write };
allow tripwire_t {sysadm_devpts_t user_devpts_t}:chr_file rw_file_perms;
allow tripwire_t privfd:fd use;


##########
##########

#
# When run from cron
#
tripwire_domain(`tripwire_crond')
system_crond_entry(tripwire_exec_t, tripwire_crond_t)
domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)

# Tripwire uses a temp file in the root home directory
#create_dir_file(tripwire_crond_t, root_t)


##########
# Twadmin
##########
application_domain(twadmin)
read_locale(twadmin_t)
create_dir_file(twadmin_t, tripwire_etc_t)

allow twadmin_t sysadm_tmp_t:file { getattr read write };

# Running from the command line
allow twadmin_t sshd_t:fd use;
allow twadmin_t admin_tty_type:chr_file rw_file_perms;

dontaudit twadmin_t { bin_t sbin_t }:dir search;
dontaudit twadmin_t home_root_t:dir search;
dontaudit twprint_t user_home_dir_t:dir search;


##########
# Twprint
##########
application_domain(twprint)
read_locale(twprint_t)
r_dir_file(twprint_t, tripwire_etc_t)
allow twprint_t { var_t var_lib_t }:dir search;
r_dir_file(twprint_t, tripwire_var_lib_t)
r_dir_file(twprint_t, tripwire_report_t)

# Running from the command line
allow twprint_t sshd_t:fd use;
allow twprint_t admin_tty_type:chr_file rw_file_perms;

dontaudit twprint_t { bin_t sbin_t }:dir search;
dontaudit twprint_t home_root_t:dir search;


##########
# Siggen
##########
application_domain(siggen, `, auth')
read_locale(siggen_t)

# Need permission to read files
allow siggen_t file_type:dir { search getattr read};
allow siggen_t file_type:file {getattr read};

# Running from the command line
allow siggen_t sshd_t:fd use;
allow siggen_t admin_tty_type:chr_file rw_file_perms;