[selinux-policy: 2417/3172] Add sectoolm by Miroslav Grepl.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:34:29 UTC 2010
commit 29b580ce8f03809529655e56c611df3890f64d45
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Feb 19 09:39:06 2010 -0500
Add sectoolm by Miroslav Grepl.
Changelog | 1 +
policy/modules/admin/sectoolm.fc | 4 ++
policy/modules/admin/sectoolm.if | 2 +
policy/modules/admin/sectoolm.te | 107 ++++++++++++++++++++++++++++++++++++++
4 files changed, 114 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index e1bf08d..f9ac844 100644
--- a/Changelog
+++ b/Changelog
@@ -5,6 +5,7 @@
dbadm (KaiGai Kohei)
nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
pyicqt (Stefan Schulze Frielinghaus)
+ sectoolm (Miroslav Grepl)
* Tue Nov 17 2009 Chris PeBenito <selinux at tresys.com> - 2.20091117
- Add separate x_pointer and x_keyboard classes inheriting from x_device.
diff --git a/policy/modules/admin/sectoolm.fc b/policy/modules/admin/sectoolm.fc
new file mode 100644
index 0000000..1ed6870
--- /dev/null
+++ b/policy/modules/admin/sectoolm.fc
@@ -0,0 +1,4 @@
+/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
+
+/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
+/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)
diff --git a/policy/modules/admin/sectoolm.if b/policy/modules/admin/sectoolm.if
new file mode 100644
index 0000000..9007451
--- /dev/null
+++ b/policy/modules/admin/sectoolm.if
@@ -0,0 +1,2 @@
+## <summary>Sectool security audit tool</summary>
+
diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
new file mode 100644
index 0000000..04aff3f
--- /dev/null
+++ b/policy/modules/admin/sectoolm.te
@@ -0,0 +1,107 @@
+
+policy_module(sectoolm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sectoolm_t;
+type sectoolm_exec_t;
+dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+
+type sectool_var_lib_t;
+files_type(sectool_var_lib_t)
+
+type sectool_var_log_t;
+logging_log_file(sectool_var_log_t)
+
+type sectool_tmp_t;
+files_tmp_file(sectool_tmp_t)
+
+########################################
+#
+# sectool local policy
+#
+
+allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
+allow sectoolm_t self:process { getcap getsched signull setsched };
+dontaudit sectoolm_t self:process { execstack execmem };
+allow sectoolm_t self:fifo_file rw_fifo_file_perms;
+allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
+
+manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir })
+
+manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir })
+
+manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t)
+logging_log_filetrans(sectoolm_t, sectool_var_log_t, file)
+
+kernel_read_net_sysctls(sectoolm_t)
+kernel_read_network_state(sectoolm_t)
+kernel_read_kernel_sysctls(sectoolm_t)
+
+corecmd_exec_bin(sectoolm_t)
+corecmd_exec_shell(sectoolm_t)
+
+dev_read_sysfs(sectoolm_t)
+dev_read_urand(sectoolm_t)
+dev_getattr_all_blk_files(sectoolm_t)
+dev_getattr_all_chr_files(sectoolm_t)
+
+domain_getattr_all_domains(sectoolm_t)
+domain_read_all_domains_state(sectoolm_t)
+
+files_getattr_all_pipes(sectoolm_t)
+files_getattr_all_sockets(sectoolm_t)
+files_read_all_files(sectoolm_t)
+files_read_all_symlinks(sectoolm_t)
+
+fs_getattr_all_fs(sectoolm_t)
+fs_list_noxattr_fs(sectoolm_t)
+
+selinux_validate_context(sectoolm_t)
+
+# tcp_wrappers test
+application_exec_all(sectoolm_t)
+
+auth_use_nsswitch(sectoolm_t)
+
+# tests related to network
+hostname_exec(sectoolm_t)
+
+# tests related to network
+iptables_domtrans(sectoolm_t)
+
+libs_exec_ld_so(sectoolm_t)
+
+logging_send_syslog_msg(sectoolm_t)
+
+# tests related to network
+sysnet_domtrans_ifconfig(sectoolm_t)
+
+userdom_manage_user_tmp_sockets(sectoolm_t)
+
+optional_policy(`
+ mount_exec(sectoolm_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(sectoolm_t)
+')
+
+# suid test using
+# rpm -Vf option
+optional_policy(`
+ prelink_domtrans(sectoolm_t)
+')
+
+optional_policy(`
+ rpm_exec(sectoolm_t)
+ rpm_dontaudit_manage_db(sectoolm_t)
+')
+
More information about the scm-commits
mailing list