[selinux-policy: 2417/3172] Add sectoolm by Miroslav Grepl.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:34:29 UTC 2010 

commit 29b580ce8f03809529655e56c611df3890f64d45
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Feb 19 09:39:06 2010 -0500

    Add sectoolm by Miroslav Grepl.

 Changelog                        |    1 +
 policy/modules/admin/sectoolm.fc |    4 ++
 policy/modules/admin/sectoolm.if |    2 +
 policy/modules/admin/sectoolm.te |  107 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 114 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index e1bf08d..f9ac844 100644
--- a/Changelog
+++ b/Changelog
@@ -5,6 +5,7 @@
 	dbadm (KaiGai Kohei)
 	nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
 	pyicqt (Stefan Schulze Frielinghaus)
+	sectoolm (Miroslav Grepl)
 
 * Tue Nov 17 2009 Chris PeBenito <selinux at tresys.com> - 2.20091117
 - Add separate x_pointer and x_keyboard classes inheriting from x_device. 
diff --git a/policy/modules/admin/sectoolm.fc b/policy/modules/admin/sectoolm.fc
new file mode 100644
index 0000000..1ed6870
--- /dev/null
+++ b/policy/modules/admin/sectoolm.fc
@@ -0,0 +1,4 @@
+/usr/libexec/sectool-mechanism\.py	--	gen_context(system_u:object_r:sectoolm_exec_t,s0)
+
+/var/lib/sectool(/.*)?				gen_context(system_u:object_r:sectool_var_lib_t,s0)
+/var/log/sectool\.log			--	gen_context(system_u:object_r:sectool_var_log_t,s0)
diff --git a/policy/modules/admin/sectoolm.if b/policy/modules/admin/sectoolm.if
new file mode 100644
index 0000000..9007451
--- /dev/null
+++ b/policy/modules/admin/sectoolm.if
@@ -0,0 +1,2 @@
+## <summary>Sectool security audit tool</summary>
+
diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
new file mode 100644
index 0000000..04aff3f
--- /dev/null
+++ b/policy/modules/admin/sectoolm.te
@@ -0,0 +1,107 @@
+
+policy_module(sectoolm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sectoolm_t;
+type sectoolm_exec_t;
+dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+
+type sectool_var_lib_t;
+files_type(sectool_var_lib_t)
+
+type sectool_var_log_t;
+logging_log_file(sectool_var_log_t)
+
+type sectool_tmp_t;
+files_tmp_file(sectool_tmp_t)
+
+########################################
+#
+# sectool local policy
+#
+
+allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
+allow sectoolm_t self:process { getcap getsched	signull setsched };
+dontaudit sectoolm_t self:process { execstack execmem };
+allow sectoolm_t self:fifo_file rw_fifo_file_perms;
+allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
+
+manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
+files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir })
+
+manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
+files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir })
+
+manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t)
+logging_log_filetrans(sectoolm_t, sectool_var_log_t, file)
+
+kernel_read_net_sysctls(sectoolm_t)
+kernel_read_network_state(sectoolm_t)
+kernel_read_kernel_sysctls(sectoolm_t)
+
+corecmd_exec_bin(sectoolm_t)
+corecmd_exec_shell(sectoolm_t)
+
+dev_read_sysfs(sectoolm_t)
+dev_read_urand(sectoolm_t)
+dev_getattr_all_blk_files(sectoolm_t)
+dev_getattr_all_chr_files(sectoolm_t)
+
+domain_getattr_all_domains(sectoolm_t)
+domain_read_all_domains_state(sectoolm_t)
+
+files_getattr_all_pipes(sectoolm_t)
+files_getattr_all_sockets(sectoolm_t)
+files_read_all_files(sectoolm_t)
+files_read_all_symlinks(sectoolm_t)
+
+fs_getattr_all_fs(sectoolm_t)
+fs_list_noxattr_fs(sectoolm_t)
+
+selinux_validate_context(sectoolm_t)
+
+# tcp_wrappers test
+application_exec_all(sectoolm_t)
+
+auth_use_nsswitch(sectoolm_t)
+
+# tests related to network
+hostname_exec(sectoolm_t)
+
+# tests related to network
+iptables_domtrans(sectoolm_t)
+
+libs_exec_ld_so(sectoolm_t)
+
+logging_send_syslog_msg(sectoolm_t)
+
+# tests related to network
+sysnet_domtrans_ifconfig(sectoolm_t)
+
+userdom_manage_user_tmp_sockets(sectoolm_t)
+
+optional_policy(`
+	mount_exec(sectoolm_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(sectoolm_t)
+')
+
+# suid test using
+# rpm -Vf option
+optional_policy(`
+	prelink_domtrans(sectoolm_t)
+')
+
+optional_policy(`
+	rpm_exec(sectoolm_t)
+	rpm_dontaudit_manage_db(sectoolm_t)
+')
+

More information about the scm-commits mailing list