[selinux-policy: 2107/3172] trunk: 5 modules from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:06:58 UTC 2010


commit a5ef553c2db8fff191ed1d80610b35b82301590f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Apr 20 19:03:15 2009 +0000

    trunk: 5 modules from dan.

 Changelog                               |    7 +-
 policy/modules/kernel/corenetwork.te.in |    1 +
 policy/modules/services/ifplugd.fc      |    7 +
 policy/modules/services/ifplugd.if      |  133 ++++++++++++++++
 policy/modules/services/ifplugd.te      |   77 +++++++++
 policy/modules/services/pingd.fc        |    6 +
 policy/modules/services/pingd.if        |   97 ++++++++++++
 policy/modules/services/pingd.te        |   48 ++++++
 policy/modules/services/portreserve.fc  |    5 +
 policy/modules/services/portreserve.if  |   66 ++++++++
 policy/modules/services/portreserve.te  |   45 ++++++
 policy/modules/services/psad.fc         |    8 +
 policy/modules/services/psad.if         |  262 +++++++++++++++++++++++++++++++
 policy/modules/services/psad.te         |  107 +++++++++++++
 policy/modules/services/ulogd.fc        |    7 +
 policy/modules/services/ulogd.if        |  124 +++++++++++++++
 policy/modules/services/ulogd.te        |   49 ++++++
 17 files changed, 1048 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 0a76432..2233075 100644
--- a/Changelog
+++ b/Changelog
@@ -13,8 +13,13 @@
 - Add kernel_service access vectors, from Stephen Smalley.
 - Added modules:
 	git (Dan Walsh)
-	gues (Dan Walsh)
+	guest (Dan Walsh)
+	ifplugd (Dan Walsh)
 	logadm (Dan Walsh)
+	pingd (Dan Walsh)
+	psad (Dan Walsh)
+	portreserve (Dan Walsh)
+	ulogd (Dan Walsh)
 	webadm (Dan Walsh)
 	xguest (Dan Walsh)
 	zosremote (Dan Walsh)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b9c1965..205b5f4 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -138,6 +138,7 @@ network_port(ocsp, tcp,9080,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 network_port(pegasus_http, tcp,5988,s0)
 network_port(pegasus_https, tcp,5989,s0)
+network_port(pingd, tcp,9125,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
diff --git a/policy/modules/services/ifplugd.fc b/policy/modules/services/ifplugd.fc
new file mode 100644
index 0000000..8172803
--- /dev/null
+++ b/policy/modules/services/ifplugd.fc
@@ -0,0 +1,7 @@
+/etc/ifplugd(/.*)?	                gen_context(system_u:object_r:ifplugd_etc_t,s0)
+
+/etc/rc\.d/init\.d/ifplugd      --      gen_context(system_u:object_r:ifplugd_initrc_exec_t,s0)
+
+/usr/sbin/ifplugd		--	gen_context(system_u:object_r:ifplugd_exec_t,s0)
+
+/var/run/ifplugd.*			gen_context(system_u:object_r:ifplugd_var_run_t,s0)
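Review bot: The first entry (L69) pads the gap before `gen_context` with spaces while every other entry in this file and in the sibling `.fc` files uses tabs, so the column alignment will break as soon as the file is viewed with a different tab width. A consistent `/etc/ifplugd(/.*)?\t\t\tgen_context(system_u:object_r:ifplugd_etc_t,s0)` keeps the file in line with the rest of the module set.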
diff --git a/policy/modules/services/ifplugd.if b/policy/modules/services/ifplugd.if
new file mode 100644
index 0000000..dfb4232
--- /dev/null
+++ b/policy/modules/services/ifplugd.if
@@ -0,0 +1,133 @@
+## <summary>Bring up/down ethernet interfaces based on cable detection.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ifplugd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ifplugd_domtrans',`
+	gen_require(`
+		type ifplugd_t, ifplugd_exec_t;
+	')
+
+	domtrans_pattern($1, ifplugd_exec_t, ifplugd_t)
+')
+
+########################################
+## <summary>
+##	Send a generic signal to ifplugd
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ifplugd_signal',`
+	gen_require(`
+		type ifplugd_t;
+	')
+
+	allow $1 ifplugd_t:process signal;
+')
+
+########################################
+## <summary>
+##	Read ifplugd etc configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ifplugd_read_config',`
+	gen_require(`
+		type ifplugd_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+')
+
+########################################
+## <summary>
+##	Manage ifplugd etc configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ifplugd_manage_config',`
+	gen_require(`
+		type ifplugd_etc_t;
+	')
+
+	files_search_etc($1)
+	manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+	manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t)
+')
+
+########################################
+## <summary>
+##	Read ifplugd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ifplugd_read_pid_files',`
+	gen_require(`
+		type ifplugd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 ifplugd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an ifplugd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the ifplugd domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ifplugd_admin',`
+	gen_require(`
+		type ifplugd_t, ifplugd_etc_t;
+		type ifplugd_var_run_t, ifplugd_initrc_exec_t;
+	')
+
+	allow $1 ifplugd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ifplugd_t)
+
+	init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 ifplugd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, ifplugd_etc_t)
+
+	files_list_pids($1)
+	admin_pattern($1, ifplugd_var_run_t)
+')
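Review bot: `ifplugd_read_pid_files` (L169-176) grants a bare `allow $1 ifplugd_var_run_t:file read_file_perms;` while every other read interface in this file uses the `*_pattern` helpers; besides being inconsistent, the raw allow omits the directory search that `read_files_pattern` would add, which matters if the `/var/run/ifplugd.*` context in ifplugd.fc ever labels a directory. Replacing L175 with `read_files_pattern($1, ifplugd_var_run_t, ifplugd_var_run_t)` fixes both. The parameter summary of `ifplugd_domtrans` (L89-L91) is also indented differently from the other interfaces' `<summary>` blocks.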
diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te
new file mode 100644
index 0000000..b663169
--- /dev/null
+++ b/policy/modules/services/ifplugd.te
@@ -0,0 +1,77 @@
+
+policy_module(ifplugd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ifplugd_t;
+type ifplugd_exec_t;
+init_daemon_domain(ifplugd_t, ifplugd_exec_t)
+
+# config files
+type ifplugd_etc_t;
+files_type(ifplugd_etc_t)
+
+type ifplugd_initrc_exec_t;
+init_script_file(ifplugd_initrc_exec_t)
+
+# pid files
+type ifplugd_var_run_t;
+files_pid_file(ifplugd_var_run_t)
+
+########################################
+#
+# ifplugd local policy
+#
+
+allow ifplugd_t self:capability { net_admin sys_nice net_bind_service };
+dontaudit ifplugd_t self:capability { sys_tty_config sys_ptrace };
+allow ifplugd_t self:process { signal signull };
+allow ifplugd_t self:fifo_file rw_fifo_file_perms;
+allow ifplugd_t self:tcp_socket create_stream_socket_perms;
+allow ifplugd_t self:udp_socket create_socket_perms;
+allow ifplugd_t self:packet_socket create_socket_perms;
+allow ifplugd_t self:netlink_route_socket create_netlink_socket_perms;
+
+# pid file
+manage_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
+manage_sock_files_pattern(ifplugd_t, ifplugd_var_run_t, ifplugd_var_run_t)
+files_pid_filetrans(ifplugd_t, ifplugd_var_run_t, { file sock_file })
+
+# config files
+read_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
+exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)
+
+kernel_read_system_state(ifplugd_t)
+kernel_read_network_state(ifplugd_t)
+kernel_rw_net_sysctls(ifplugd_t)
+kernel_read_kernel_sysctls(ifplugd_t)
+
+corecmd_exec_shell(ifplugd_t)
+corecmd_exec_bin(ifplugd_t)
+
+# reading of hardware information
+dev_read_sysfs(ifplugd_t)
+
+domain_read_confined_domains_state(ifplugd_t)
+domain_dontaudit_read_all_domains_state(ifplugd_t)
+
+auth_use_nsswitch(ifplugd_t)
+
+logging_send_syslog_msg(ifplugd_t)
+
+miscfiles_read_localization(ifplugd_t)
+
+netutils_domtrans(ifplugd_t)
+# transition to ifconfig & dhcpc
+sysnet_domtrans_ifconfig(ifplugd_t)
+sysnet_domtrans_dhcpc(ifplugd_t)
+sysnet_delete_dhcpc_pid(ifplugd_t)
+sysnet_read_dhcpc_pid(ifplugd_t)
+sysnet_signal_dhcpc(ifplugd_t)
+
+optional_policy(`
+        consoletype_exec(ifplugd_t)
+')
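Review bot: `exec_files_pattern(ifplugd_t, ifplugd_etc_t, ifplugd_etc_t)` (L265) makes the configuration type executable by the daemon, so any domain granted `ifplugd_manage_config` can drop a script that runs as ifplugd_t with net_admin; presumably that is intentional because the daemon runs action scripts from its config directory, but it should be stated next to the rule, e.g. `# the daemon executes scripts from its config dir: write access to ifplugd_etc_t implies code execution as ifplugd_t`. Separately, `net_bind_service` in the capability set at L249 has no matching `corenet_*_bind_*` port rule anywhere in this file, so either the capability is unneeded or the bind it is meant for will still be denied; confirm against the daemon's actual socket use. The `optional_policy` body at L296 is indented with spaces where the file otherwise uses a tab; the same mix appears in pingd.if (L347-L411), psad.if (L707-L713) and psad.te (L993).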
diff --git a/policy/modules/services/pingd.fc b/policy/modules/services/pingd.fc
new file mode 100644
index 0000000..ea085f7
--- /dev/null
+++ b/policy/modules/services/pingd.fc
@@ -0,0 +1,6 @@
+/etc/pingd.conf				--	gen_context(system_u:object_r:pingd_etc_t,s0)
+/etc/rc\.d/init\.d/whatsup-pingd	--	gen_context(system_u:object_r:pingd_initrc_exec_t,s0)
+
+/usr/lib/pingd(/.*)?				gen_context(system_u:object_r:pingd_modules_t,s0)
+
+/usr/sbin/pingd				--	gen_context(system_u:object_r:pingd_exec_t,s0)
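Review bot: `/usr/lib/pingd(/.*)?` (L307) only labels the 32-bit library path, so on an x86_64 install the modules under `/usr/lib64/pingd` would keep the generic lib label and the `mmap_files_pattern` on pingd_modules_t in pingd.te would never apply. Other refpolicy file contexts use `/usr/lib(64)?/...` for this case, so `/usr/lib(64)?/pingd(/.*)?` is the expected form. The same applies to `/usr/lib/ulogd(/.*)?` in ulogd.fc (L1005), which also carries a trailing tab.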
diff --git a/policy/modules/services/pingd.if b/policy/modules/services/pingd.if
new file mode 100644
index 0000000..c79589d
--- /dev/null
+++ b/policy/modules/services/pingd.if
@@ -0,0 +1,97 @@
+## <summary>Pingd of the Whatsup cluster node up/down detection utility</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run pingd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pingd_domtrans',`
+	gen_require(`
+		type pingd_t, pingd_exec_t;
+	')
+
+	domtrans_pattern($1, pingd_exec_t, pingd_t)
+')
+
+#######################################
+## <summary>
+##      Read pingd etc configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`pingd_read_config',`
+        gen_require(`
+                type pingd_etc_t;
+        ')
+
+        files_search_etc($1)
+        read_files_pattern($1, pingd_etc_t, pingd_etc_t)
+')
+
+#######################################
+## <summary>
+##      Manage pingd etc configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`pingd_manage_config',`
+        gen_require(`
+                type pingd_etc_t;
+        ')
+
+        files_search_etc($1)
+        manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
+        manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
+
+')
+
+#######################################
+## <summary>
+##      All of the rules required to administrate 
+##      an pingd environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the pingd domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pingd_admin',`
+        gen_require(`
+                type pingd_t, pingd_etc_t;
+                type pingd_initrc_exec_t, pingd_modules_t;
+        ')
+
+        allow $1 pingd_t:process { ptrace signal_perms };
+        ps_process_pattern($1, pingd_t)
+
+        init_labeled_script_domtrans($1, pingd_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 pingd_initrc_exec_t system_r;
+        allow $2 system_r;
+
+        files_list_etc($1)
+        admin_pattern($1, pingd_etc_t)
+
+	files_list_usr($1)
+        admin_pattern($1, pingd_modules_t)
+')
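Review bot: The admin summary at L378-L379 reads "administrate an pingd environment"; it should be `##	Administer a pingd environment`, and the same "an psad" / "an ulogd" wording is repeated at L839 in psad.if and L1101 in ulogd.if. `pingd_manage_config` leaves an empty line before its closing `')` (L373) that none of the other interfaces have, and L410 in `pingd_admin` is tab-indented while the surrounding lines use spaces.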
diff --git a/policy/modules/services/pingd.te b/policy/modules/services/pingd.te
new file mode 100644
index 0000000..251b2ac
--- /dev/null
+++ b/policy/modules/services/pingd.te
@@ -0,0 +1,48 @@
+
+policy_module(pingd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pingd_t;
+type pingd_exec_t;
+init_daemon_domain(pingd_t, pingd_exec_t)
+
+# type for config
+type pingd_etc_t;
+files_type(pingd_etc_t);
+
+type pingd_initrc_exec_t;
+init_script_file(pingd_initrc_exec_t)
+
+# type for pingd modules
+type pingd_modules_t;
+files_type(pingd_modules_t)
+
+########################################
+#
+# pingd local policy
+#
+
+allow pingd_t self:capability net_raw;
+allow pingd_t self:tcp_socket create_stream_socket_perms;
+allow pingd_t self:rawip_socket { write read create bind };
+
+read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
+
+read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
+
+corenet_raw_bind_generic_node(pingd_t)
+corenet_tcp_bind_generic_node(pingd_t)
+corenet_tcp_bind_pingd_port(pingd_t)
+
+auth_use_nsswitch(pingd_t)
+
+files_search_usr(pingd_t)
+
+logging_send_syslog_msg(pingd_t)
+
+miscfiles_read_localization(pingd_t)
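Review bot: `files_type(pingd_etc_t);` (L433) ends in a semicolon that no other macro call in these modules has; after m4 expansion it leaves a bare `;` after the generated statement, which checkpolicy's grammar most likely rejects and which is at minimum a build-lint failure. The line should be `files_type(pingd_etc_t)`. The rawip rule at L449 also spells out `{ write read create bind }` where the rest of the file uses the `*_socket_perms` sets; if nothing beyond those four is needed, say so in a comment, otherwise `create_socket_perms` is the conventional form.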
diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc
new file mode 100644
index 0000000..c69d047
--- /dev/null
+++ b/policy/modules/services/portreserve.fc
@@ -0,0 +1,5 @@
+/etc/portreserve(/.*)?			gen_context(system_u:object_r:portreserve_etc_t,s0)
+
+/sbin/portreserve		--	gen_context(system_u:object_r:portreserve_exec_t,s0)
+
+/var/run/portreserve(/.*)? 		gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if
new file mode 100644
index 0000000..10300a0
--- /dev/null
+++ b/policy/modules/services/portreserve.if
@@ -0,0 +1,66 @@
+## <summary>Reserve well-known ports in the RPC port range.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run portreserve.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`portreserve_domtrans',`
+	gen_require(`
+		type portreserve_t, portreserve_exec_t;
+	')
+
+	domtrans_pattern($1, portreserve_exec_t, portreserve_t)
+')
+
+#######################################
+## <summary>
+##	Allow the specified domain to read
+##	portreserve etcuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`portreserve_read_config',`
+	gen_require(`
+		type portreserve_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 portreserve_etc_t:dir list_dir_perms;
+	read_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+	read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+')
+
+#######################################
+## <summary>
+##	Allow the specified domain to manage
+##	portreserve etcuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+##
+#
+interface(`portreserve_manage_config',`
+	gen_require(`
+		type portreserve_etc_t;
+	')
+
+	files_search_etc($1)
+	manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t)
+	manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+	read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
+')
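Review bot: The summaries at L507 and L531 say "portreserve etcuration files", which looks like a config→etc search-and-replace applied to prose; both should read `##	portreserve configuration files.`. `portreserve_read_config` also carries `<rolecap/>` (L514) followed by an empty `##` line (L515, and again L538), which the other read interfaces in this commit do not have; confirm the rolecap is intended for a read-only interface.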
diff --git a/policy/modules/services/portreserve.te b/policy/modules/services/portreserve.te
new file mode 100644
index 0000000..347387b
--- /dev/null
+++ b/policy/modules/services/portreserve.te
@@ -0,0 +1,45 @@
+
+policy_module(portreserve, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type portreserve_t;
+type portreserve_exec_t;
+init_daemon_domain(portreserve_t, portreserve_exec_t)
+
+type portreserve_etc_t;
+files_type(portreserve_etc_t)
+
+type portreserve_var_run_t;
+files_pid_file(portreserve_var_run_t)
+
+########################################
+#
+# Portreserve local policy
+#
+
+allow portreserve_t self:fifo_file rw_fifo_file_perms;
+allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
+allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
+allow portreserve_t self:tcp_socket create_socket_perms;
+allow portreserve_t self:udp_socket create_socket_perms;
+
+# Read etc files
+list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
+read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
+
+# Manage /var/run/portreserve/*
+manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file })
+
+corenet_tcp_bind_generic_node(portreserve_t)
+corenet_udp_bind_generic_node(portreserve_t)
+corenet_tcp_bind_all_reserved_ports(portreserve_t)
+corenet_udp_bind_all_reserved_ports(portreserve_t)
+
+files_read_etc_files(portreserve_t)
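Review bot: The domain is allowed to bind all reserved ports (L597-L598) but is granted no capability at all, and binding a port below 1024 requires `net_bind_service`, so the daemon's core operation would be denied unless the ports it reserves are all unprivileged, which contradicts the module summary. Add `allow portreserve_t self:capability net_bind_service;` beside the socket rules. Unlike the other daemons in this commit it has no `logging_send_syslog_msg` or `miscfiles_read_localization`; that may be deliberate, but the `sendto` on its unix_dgram_socket (L581) hints at syslog use, so verify.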
diff --git a/policy/modules/services/psad.fc b/policy/modules/services/psad.fc
new file mode 100644
index 0000000..6c66d44
--- /dev/null
+++ b/policy/modules/services/psad.fc
@@ -0,0 +1,8 @@
+/etc/rc\.d/init\.d/psad --		gen_context(system_u:object_r:psad_initrc_exec_t,s0)
+/etc/psad(/.*)?				gen_context(system_u:object_r:psad_etc_t,s0)
+
+/usr/sbin/psad		--		gen_context(system_u:object_r:psad_exec_t,s0)
+
+/var/lib/psad(/.*)?			gen_context(system_u:object_r:psad_var_lib_t,s0)
+/var/log/psad(/.*)?			gen_context(system_u:object_r:psad_var_log_t,s0)
+/var/run/psad(/.*)?			gen_context(system_u:object_r:psad_var_run_t,s0)
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
new file mode 100644
index 0000000..97ab7e3
--- /dev/null
+++ b/policy/modules/services/psad.if
@@ -0,0 +1,262 @@
+## <summary>Intrusion Detection and Log Analysis with iptables</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run psad.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`psad_domtrans',`
+	gen_require(`
+		type psad_t, psad_exec_t;
+	')
+
+	domtrans_pattern($1, psad_exec_t, psad_t)
+')
+
+########################################
+## <summary>
+##	Send a generic signal to psad
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_signal',`
+	gen_require(`
+		type psad_t;
+	')
+
+	allow $1 psad_t:process signal;
+')
+
+#######################################
+## <summary>
+##	Send a null signal to psad.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_signull',`
+	gen_require(`
+		type psad_t;
+	')
+
+	allow $1 psad_t:process signull;
+')
+
+########################################
+## <summary>
+##	Read psad etc configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_read_config',`
+	gen_require(`
+		type psad_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, psad_etc_t, psad_etc_t)
+')
+
+########################################
+## <summary>
+##	Manage psad etc configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_manage_config',`
+        gen_require(`
+                type psad_etc_t;
+        ')
+
+	files_search_etc($1)
+	manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+        manage_files_pattern($1, psad_etc_t, psad_etc_t)
+
+')
+
+########################################
+## <summary>
+##	Read psad PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_read_pid_files',`
+	gen_require(`
+		type psad_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read psad PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_rw_pid_files',`
+	gen_require(`
+		type psad_var_run_t;
+	')
+
+	files_search_pids($1)
+	rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read psad's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_read_log',`
+	gen_require(`
+		type psad_var_log_t;
+	')
+
+	logging_search_logs($1)
+	list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+	read_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append to psad's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_append_log',`
+	gen_require(`
+		type psad_var_log_t;
+	')
+
+	logging_search_logs($1)
+	list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+	append_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+##	Read and write psad fifo files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_rw_fifo_file',`
+	gen_require(`
+		type psad_t;
+	')
+
+	files_search_var_lib($1)
+	search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+	rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+## <summary>
+##	Read and write psad tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`psad_rw_tmp_files',`
+	gen_require(`
+		type psad_tmp_t;
+	')
+
+	files_search_tmp($1)
+	rw_files_pattern($1, psad_tmp_t, psad_tmp_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an psad environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_admin',`
+	gen_require(`
+		type psad_t, psad_var_run_t, psad_var_log_t;
+		type psad_initrc_exec_t, psad_var_lib_t;
+		type psad_tmp_t;
+	')
+
+	allow $1 psad_t:process { ptrace signal_perms };
+	ps_process_pattern($1, psad_t)
+
+	init_labeled_script_domtrans($1, psad_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 psad_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, psad_etc_t)
+
+	files_search_pids($1)
+	admin_pattern($1, psad_var_run_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, psad_var_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, psad_var_lib_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, psad_tmp_t)
+')
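Review bot: `psad_rw_fifo_file` requires only `type psad_t;` (L809) yet its body uses psad_var_lib_t (L813-L814), and the gen_require of `psad_admin` (L855-L857) omits psad_etc_t, which L869 uses; in a modular build a caller of either interface will fail with an undeclared type. The require blocks should be `type psad_var_lib_t;` and `type psad_t, psad_etc_t, psad_var_run_t, psad_var_log_t;` respectively. The summary of `psad_rw_pid_files` (L738) is copied from the read interface and should say `##	Read and write psad PID files.`, and the role parameter of `psad_admin` (L848) says "syslog domain" where it means the psad domain, as does `ulogd_admin` at L1110 in ulogd.if.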
diff --git a/policy/modules/services/psad.te b/policy/modules/services/psad.te
new file mode 100644
index 0000000..a59cef5
--- /dev/null
+++ b/policy/modules/services/psad.te
@@ -0,0 +1,107 @@
+
+policy_module(psad, 1.0.0) 
+
+########################################
+#
+# Declarations
+#
+
+type psad_t;
+type psad_exec_t;
+init_daemon_domain(psad_t, psad_exec_t)
+
+# config files
+type psad_etc_t;
+files_type(psad_etc_t)
+
+type psad_initrc_exec_t;
+init_script_file(psad_initrc_exec_t)
+
+# var/lib files
+type psad_var_lib_t;
+files_type(psad_var_lib_t)
+
+# log files
+type psad_var_log_t;
+logging_log_file(psad_var_log_t)
+
+# pid files
+type psad_var_run_t;
+files_pid_file(psad_var_run_t)
+
+# tmp files
+type psad_tmp_t;
+files_tmp_file(psad_tmp_t)
+
+########################################
+#
+# psad local policy
+#
+
+allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
+dontaudit psad_t self:capability sys_tty_config;
+allow psad_t self:process signull;
+allow psad_t self:fifo_file rw_fifo_file_perms;
+allow psad_t self:rawip_socket create_socket_perms;
+
+# config files
+read_files_pattern(psad_t, psad_etc_t, psad_etc_t)
+list_dirs_pattern(psad_t, psad_etc_t, psad_etc_t)
+
+# log files
+manage_files_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+manage_dirs_pattern(psad_t, psad_var_log_t, psad_var_log_t)
+logging_log_filetrans(psad_t, psad_var_log_t, { file dir })
+
+# pid file
+manage_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+manage_sock_files_pattern(psad_t, psad_var_run_t, psad_var_run_t)
+files_pid_filetrans(psad_t, psad_var_run_t, { file sock_file })
+
+# tmp files
+manage_dirs_pattern(psad_t, psad_tmp_t, psad_tmp_t)
+manage_files_pattern(psad_t, psad_tmp_t, psad_tmp_t)
+files_tmp_filetrans(psad_t, psad_tmp_t, { file dir })
+
+# /var/lib files
+search_dirs_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+manage_fifo_files_pattern(psad_t, psad_var_lib_t, psad_var_lib_t)
+
+kernel_read_system_state(psad_t)
+kernel_read_network_state(psad_t)
+kernel_read_net_sysctls(psad_t)
+
+corecmd_exec_shell(psad_t)
+corecmd_exec_bin(psad_t)
+
+corenet_all_recvfrom_unlabeled(psad_t)
+corenet_all_recvfrom_netlabel(psad_t)
+corenet_tcp_sendrecv_generic_if(psad_t)
+corenet_tcp_sendrecv_generic_node(psad_t)
+corenet_tcp_bind_generic_node(psad_t)
+corenet_tcp_sendrecv_all_ports(psad_t)
+corenet_tcp_connect_whois_port(psad_t)
+corenet_sendrecv_whois_client_packets(psad_t)
+
+dev_read_urand(psad_t)
+
+files_read_etc_runtime_files(psad_t)
+
+fs_getattr_all_fs(psad_t)
+
+auth_use_nsswitch(psad_t)
+
+iptables_domtrans(psad_t)
+
+logging_read_generic_logs(psad_t)
+logging_read_syslog_config(psad_t)
+logging_send_syslog_msg(psad_t)
+
+miscfiles_read_localization(psad_t)
+
+sysnet_exec_ifconfig(psad_t)
+
+optional_policy(`
+        mta_send_mail(psad_t)
+	mta_read_queue(psad_t)
+')
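Review bot: `dac_override` (L929) is the broadest capability granted in this commit and nothing in the file shows what it is for: the daemon's log access is already covered by its own log type and `logging_read_generic_logs` (L984), and it holds net_admin plus an iptables transition, so a DAC bypass on top widens the impact of any bug in the daemon. Either drop it or add a comment naming the file it cannot otherwise reach, e.g. `# dac_override: TODO confirm which root-owned file psad reads as a non-root uid`. The `policy_module` line (L890) carries trailing whitespace.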
diff --git a/policy/modules/services/ulogd.fc b/policy/modules/services/ulogd.fc
new file mode 100644
index 0000000..831b4a3
--- /dev/null
+++ b/policy/modules/services/ulogd.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/ulogd	--	gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
+/etc/ulogd.conf			--	gen_context(system_u:object_r:ulogd_etc_t,s0)
+
+/usr/lib/ulogd(/.*)?			gen_context(system_u:object_r:ulogd_modules_t,s0)	
+/usr/sbin/ulogd			--	gen_context(system_u:object_r:ulogd_exec_t,s0)
+
+/var/log/ulogd(/.*)?			gen_context(system_u:object_r:ulogd_var_log_t,s0)
diff --git a/policy/modules/services/ulogd.if b/policy/modules/services/ulogd.if
new file mode 100644
index 0000000..9fb8175
--- /dev/null
+++ b/policy/modules/services/ulogd.if
@@ -0,0 +1,124 @@
+## <summary>Iptables/netfilter userspace logging daemon.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run ulogd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ulogd_domtrans',`
+	gen_require(`
+		type ulogd_t, ulogd_exec_t;
+	')
+
+	domtrans_pattern($1, ulogd_exec_t, ulogd_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	ulogd configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_read_config',`
+	gen_require(`
+		type ulogd_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read ulogd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_read_log',`
+	gen_require(`
+		type ulogd_var_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 ulogd_var_log_t:dir list_dir_perms;
+	read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append to ulogd's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_append_log',`
+	gen_require(`
+		type ulogd_var_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 ulogd_var_log_t:dir list_dir_perms;
+	allow $1 ulogd_var_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an ulogd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ulogd_admin',`
+	gen_require(`
+		type ulogd_t, ulogd_etc_t;
+		type ulogd_var_log_t, ulogd_initrc_exec_t;
+		type ulogd_modules_t;
+	')
+
+	allow $1 ulogd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ulogd_t)
+
+	init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 ulogd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, ulogd_etc_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, ulogd_var_log_t)
+
+	files_search_usr($1)
+	admin_pattern($1, ulogd_modules_t)
+')
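Review bot: `ulogd_read_log` and `ulogd_append_log` mix raw allows with pattern helpers (L1073, L1094-L1095) while the equivalent psad interfaces in this same commit (L772-L773, L793-L794) use `list_dirs_pattern` and `append_files_pattern`; the two modules should follow one style. For `ulogd_append_log` that is `list_dirs_pattern($1, ulogd_var_log_t, ulogd_var_log_t)` and `append_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)`.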
diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
new file mode 100644
index 0000000..f6c2d11
--- /dev/null
+++ b/policy/modules/services/ulogd.te
@@ -0,0 +1,49 @@
+
+policy_module(ulogd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ulogd_t;
+type ulogd_exec_t;
+init_daemon_domain(ulogd_t, ulogd_exec_t)
+
+# config files
+type ulogd_etc_t;
+files_type(ulogd_etc_t)
+
+type ulogd_initrc_exec_t;
+init_script_file(ulogd_initrc_exec_t)
+
+# /usr/lib files
+type ulogd_modules_t;
+files_type(ulogd_modules_t)
+
+# log files
+type ulogd_var_log_t;
+logging_log_file(ulogd_var_log_t)
+
+########################################
+#
+# ulogd local policy
+#
+
+allow ulogd_t self:capability net_admin;
+allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+
+# config files
+read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
+
+# modules for ulogd
+list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
+
+# log files
+manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
+
+files_search_etc(ulogd_t)
+
+miscfiles_read_localization(ulogd_t)
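Review bot: The domain lists and mmaps its modules under `/usr/lib/ulogd` (L1184-L1185) but, unlike pingd.te (L462), never calls `files_search_usr(ulogd_t)`, so unless the base policy already grants search on usr_t the module directory cannot be reached. Add `files_search_usr(ulogd_t)` next to `files_search_etc(ulogd_t)` (L1191). The log rules create only files (L1189) although ulogd.fc labels `/var/log/ulogd(/.*)?` as a directory tree; if the daemon creates that directory itself a `manage_dirs_pattern` and `{ file dir }` in the filetrans are needed, otherwise the packaging must create it.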

