Chris PeBenito 0fbfa5
#DESC Sxid - SUID/SGID program monitoring
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Author:  Russell Coker <russell@coker.com.au>
Chris PeBenito 0fbfa5
# X-Debian-Packages: sxid
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for the sxid_t domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# sxid_exec_t is the type of the sxid executable.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
daemon_base_domain(sxid, `, privmail')
Chris PeBenito 0fbfa5
tmp_domain(sxid)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow sxid_t fs_t:filesystem getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`crond.te', `
Chris PeBenito 0fbfa5
system_crond_entry(sxid_exec_t, sxid_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
#allow system_crond_t sxid_log_t:file create_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
read_locale(sxid_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
can_exec(sxid_t, { shell_exec_t bin_t sbin_t mount_exec_t })
Chris PeBenito 0fbfa5
allow sxid_t bin_t:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
log_domain(sxid)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow sxid_t file_type:notdevfile_class_set getattr;
Chris PeBenito 0fbfa5
allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
Chris PeBenito 0fbfa5
allow sxid_t ttyfile:chr_file getattr;
Chris PeBenito 0fbfa5
allow sxid_t file_type:dir { getattr read search };
Chris PeBenito 0fbfa5
allow sxid_t sysadmfile:file read;
Chris PeBenito 0fbfa5
allow sxid_t fs_type:dir { getattr read search };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Use the network.
Chris PeBenito 0fbfa5
can_network_server(sxid_t)
Chris PeBenito 0fbfa5
allow sxid_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
allow sxid_t self:unix_stream_socket create_socket_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow sxid_t { proc_t self }:{ file lnk_file } { read getattr };
Chris PeBenito 0fbfa5
read_sysctl(sxid_t)
Chris PeBenito 0fbfa5
allow sxid_t devtty_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow sxid_t self:capability { dac_override dac_read_search fsetid };
Chris PeBenito 0fbfa5
dontaudit sxid_t self:capability { setuid setgid };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`mta.te', `
Chris PeBenito 0fbfa5
# sxid leaves an open file handle to /proc/mounts
Chris PeBenito 0fbfa5
dontaudit { system_mail_t mta_user_agent } sxid_t:file { read getattr };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow mta to read the log files
Chris PeBenito 0fbfa5
allow { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file { getattr read };
Chris PeBenito 0fbfa5
# stop warnings if mailx is passed a read/write file handle
Chris PeBenito 0fbfa5
dontaudit { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file write;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow logrotate_t sxid_t:file { getattr write };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
dontaudit sxid_t security_t:dir { getattr read search };