# DESC tripwire
#
# Author: David Hampton <hampton@employees.org>
#
# NOTE: Tripwire creates a temp file in its current working directory.
# This policy does not allow write access to home directories, so
# users will need to either cd to a directory where they have write
# permission, or set the TEMPDIRECTORY variable in the tripwire config
# file.  The latter is preferable, as then the file_type_auto_trans
# rules will kick in and label the files as private to tripwire.
# Common definitions
#
# tripwire_report_t labels the report files the scanner writes (it is
# granted via create_dir_file inside the tripwire_domain macro).  The
# etcdir/var_lib/tmp macros presumably declare the private tripwire_etc_t,
# tripwire_var_lib_t and tripwire_tmp_t types that the rules in this file
# refer to -- confirm against the macro definitions.
type tripwire_report_t, file_type, sysadmfile;
etcdir_domain(tripwire)
var_lib_domain(tripwire)
tmp_domain(tripwire)
# Macro for defining tripwire domains.
#
# $1 is the domain prefix: the macro declares $1_t through application_domain
# (passing `, auth' through as the second argument), binds it to system_r,
# and grants the access the tripwire scanner needs regardless of whether it
# is launched interactively (tripwire_t) or from cron (tripwire_crond_t).
define(`tripwire_domain',`
application_domain($1, `, auth')
role system_r types $1_t;

# Allow access to common tripwire files
# Configuration under tripwire_etc_t is read-only from this domain; only
# twadmin_t (below) is granted create/write access to it.
allow $1_t tripwire_etc_t:file r_file_perms;
allow $1_t tripwire_etc_t:dir r_dir_perms;
allow $1_t tripwire_etc_t:lnk_file { getattr read };
# Files the domain creates under var_lib_t and tmp_t are relabeled to the
# tripwire-private types instead of inheriting the parent directory's type
# (this is the auto-trans behaviour the header NOTE relies on).
file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')

allow $1_t self:process { fork sigchld };
# dac_override lets the domain bypass DAC mode bits on the files it scans;
# together with setuid/setgid this is a broad capability set, so keep the
# macro instantiated only for the tripwire binaries themselves.
allow $1_t self:capability { setgid setuid dac_override };

# Tripwire needs to read all files on the system
# NOTE(review): this is a read grant over the whole file_type attribute,
# i.e. every labeled file on the system.  That is inherent to an integrity
# checker, but it means anything able to run code in $1_t reads the same
# set, so the transitions into these domains are the control point.
general_proc_read_access($1_t)
allow $1_t file_type:dir { search getattr read};
allow $1_t file_type:{file chr_file lnk_file sock_file} {getattr read};
# FIFOs are only stat'ed, never opened -- presumably because a read would
# block the scan; confirm before widening this.
allow $1_t file_type:fifo_file { getattr };
allow $1_t device_type:file { getattr read };
allow $1_t sysctl_t:dir { getattr read };
# Only getattr on these character devices: no read/write of the device
# contents is granted here.
allow $1_t {memory_device_t tty_device_t urandom_device_t zero_device_t}:chr_file getattr;

# Tripwire report files
create_dir_file($1_t, tripwire_report_t)

# gethostid()?
allow $1_t self:unix_stream_socket { connect create };

# Running editor program (tripwire forks then runs bash which runs editor)
# NOTE(review): execution of shell_exec_t and bin_t stays in $1_t (no domain
# transition is declared here), so the editor inherits the read-everything
# access above.
can_exec($1_t, shell_exec_t)
can_exec($1_t, bin_t)
uses_shlib($1_t)

allow $1_t self:dir search;
allow $1_t self:file { getattr read };
')
##########
##########

#
# When run by a user
#
# Instantiates tripwire_t with the shared tripwire_domain access set.
tripwire_domain(`tripwire')

# Running from the command line
# Terminal access for the interactive invocation (pty search, the
# controlling tty, and sysadm/user ptys), plus use of file descriptors
# belonging to privfd domains.
allow tripwire_t devpts_t:dir search;
allow tripwire_t devtty_t:chr_file { read write };
allow tripwire_t {sysadm_devpts_t user_devpts_t}:chr_file rw_file_perms;
allow tripwire_t privfd:fd use;
##########
##########

#
# When run from cron
#
# Instantiates tripwire_crond_t with the shared tripwire_domain access set.
tripwire_domain(`tripwire_crond')
# System cron jobs executing tripwire_exec_t land in tripwire_crond_t.
system_crond_entry(tripwire_exec_t, tripwire_crond_t)
# NOTE(review): this transition sends crond_t itself into tripwire_t, not
# tripwire_crond_t as the entry above does -- confirm the split between the
# two domains is intended rather than a leftover.
domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)

# Tripwire uses a temp file in the root home directory
# Deliberately left disabled: the header NOTE directs TEMPDIRECTORY to a
# tripwire-labeled location instead of granting writes into root_t.
#create_dir_file(tripwire_crond_t, root_t)
##########
# Twadmin
##########
# Administration tool: this is the only domain in the file with write
# access to tripwire_etc_t, i.e. the configuration the scanner trusts.
application_domain(twadmin)
read_locale(twadmin_t)
create_dir_file(twadmin_t, tripwire_etc_t)

# Read/write of files in the sysadmin temp directory (no create/unlink).
allow twadmin_t sysadm_tmp_t:file { getattr read write };

# Running from the command line
allow twadmin_t sshd_t:fd use;
allow twadmin_t admin_tty_type:chr_file rw_file_perms;

# Silence path-search denials that carry no decision value.
dontaudit twadmin_t { bin_t sbin_t }:dir search;
dontaudit twadmin_t home_root_t:dir search;
# NOTE(review): this rule sits in the twadmin section but names twprint_t,
# and the twprint section below has no user_home_dir_t rule of its own --
# looks like a copy/paste slip for twadmin_t; confirm before changing.
dontaudit twprint_t user_home_dir_t:dir search;
##########
# Twprint
##########
# Report/database printer: read-only access to the tripwire configuration,
# database and report types; it does not get the read-everything grant of
# tripwire_domain.
application_domain(twprint)
read_locale(twprint_t)
r_dir_file(twprint_t, tripwire_etc_t)
# Directory search only along the path to the database.
allow twprint_t { var_t var_lib_t }:dir search;
r_dir_file(twprint_t, tripwire_var_lib_t)
r_dir_file(twprint_t, tripwire_report_t)

# Running from the command line
allow twprint_t sshd_t:fd use;
allow twprint_t admin_tty_type:chr_file rw_file_perms;

# Silence path-search denials that carry no decision value.
dontaudit twprint_t { bin_t sbin_t }:dir search;
dontaudit twprint_t home_root_t:dir search;
##########
# Siggen
##########
# Signature generator: reads files to hash them.  Like tripwire_domain it
# gets read access over the whole file_type attribute, but only for dirs
# and regular files (no device, symlink or socket classes, no capabilities).
application_domain(siggen, `, auth')
read_locale(siggen_t)

# Need permission to read files
allow siggen_t file_type:dir { search getattr read};
allow siggen_t file_type:file {getattr read};

# Running from the command line
allow siggen_t sshd_t:fd use;
allow siggen_t admin_tty_type:chr_file rw_file_perms;