#DESC Sxid - SUID/SGID program monitoring
#
# Author: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: sxid
#
# sxid periodically scans the filesystem for set-UID/set-GID programs and
# reports changes.  Everything below is the confinement for that scan:
# it may stat anything, execute the helper programs it needs, write its
# own log/tmp files and hand the report to the MTA -- and not much else.

#################################
#
# Rules for the sxid_t domain.
#
# sxid_exec_t is the type of the sxid executable.
#
# The extra `privmail' attribute is passed through to the domain
# declaration; presumably so the report can be mailed (the mta.te block
# further down depends on it) -- verify against the macro definition.
daemon_base_domain(sxid, `, privmail')
# Declares sxid_tmp_t; the MTA rules below reference it.
tmp_domain(sxid)

# Query (getattr) mounted filesystems of type fs_t.
allow sxid_t fs_t:filesystem getattr;

# Only when cron is confined: let the system cron job enter sxid_t when it
# runs sxid_exec_t (per the macro name; this is how the scan is scheduled).
ifdef(`crond.te', `
system_crond_entry(sxid_exec_t, sxid_t)
')
# Left disabled on purpose: cron itself is not given write access to the
# sxid log.  sxid_t gets its own log type via log_domain() below.
#allow system_crond_t sxid_log_t:file create_file_perms;

read_locale(sxid_t)

# sxid drives the scan through external programs.  can_exec() runs them
# WITHOUT a domain transition, i.e. shells and anything labeled bin_t/sbin_t
# stay in sxid_t with all of the permissions in this file.  This is a broad
# exec set for a monitoring tool; keep it in mind when adding rules here.
can_exec(sxid_t, { shell_exec_t bin_t sbin_t mount_exec_t })
# Follow symlinks under bin_t (e.g. /bin/sh -> its implementation; assumed).
allow sxid_t bin_t:lnk_file read;

# Declares sxid_log_t and the domain's access to it.
log_domain(sxid)

# The scan itself: stat every non-device file and device node on the
# system and traverse every directory, so that set-id bits can be found
# regardless of label.  getattr/search only -- no read of file contents.
allow sxid_t file_type:notdevfile_class_set getattr;
allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
allow sxid_t ttyfile:chr_file getattr;
allow sxid_t file_type:dir { getattr read search };
# NOTE(review): this is the one rule that reads CONTENTS rather than
# attributes, and sysadmfile covers a lot of sensitive files.  It is not
# evident from this file which file sxid needs it for (its config? the
# previous-run database?); confirm and narrow to that type if possible.
allow sxid_t sysadmfile:file read;
allow sxid_t fs_type:dir { getattr read search };

# Use the network.
# NOTE(review): can_network_server() is a large grant for a local
# filesystem scanner; nothing visible here explains why sxid must accept
# connections.  Confirm what actually needs it (a helper spawned via
# can_exec above?) and replace with the narrower rule if one suffices.
can_network_server(sxid_t)
# Pipes and local sockets for the helper processes it runs (likely the
# shell pipelines; sockets are self-only).
allow sxid_t self:fifo_file rw_file_perms;
allow sxid_t self:unix_stream_socket create_socket_perms;

# Read /proc (including its own /proc/self entries) and sysctl values.
allow sxid_t { proc_t self }:{ file lnk_file } { read getattr };
read_sysctl(sxid_t)
# Talk to the controlling tty when run interactively.
allow sxid_t devtty_t:chr_file rw_file_perms;

# dac_override/dac_read_search: traverse and stat everything during the
# scan regardless of DAC permissions.  fsetid: keep set-id bits across a
# mode/owner change -- this implies sxid may modify file modes; confirm
# that is intended before relying on it.
allow sxid_t self:capability { dac_override dac_read_search fsetid };
# Deliberately NOT granted: sxid never gets to change uid/gid.  Silence
# the attempts rather than allow them.
dontaudit sxid_t self:capability { setuid setgid };

ifdef(`mta.te', `
# sxid leaves an open file handle to /proc/mounts
# (the MTA child inherits it; /proc entries of a sxid_t process are
# labeled sxid_t, hence the type below).  Denied but not logged.
dontaudit { system_mail_t mta_user_agent } sxid_t:file { read getattr };

# allow mta to read the log files
# (the report is mailed straight from the tmp/log file)
allow { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file { getattr read };
# stop warnings if mailx is passed a read/write file handle
# (read-only is all the mailer needs; write stays denied, just unlogged)
dontaudit { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file write;
')

# NOTE(review): unlike the crond.te and mta.te blocks above this is not
# wrapped in ifdef(`logrotate.te', ...); if logrotate_t is optional in this
# policy tree the file will not compile without it.  The access itself
# looks like the same inherited-descriptor case as the MTA rules (sxid_t
# here being a /proc entry, not a data file) -- confirm.
allow logrotate_t sxid_t:file { getattr write };

# Keep the scan from filling the audit log when it walks into the
# security_t (selinuxfs) directory; access stays denied.
dontaudit sxid_t security_t:dir { getattr read search };