diff --git a/policy/modules/services/prelude.fc b/policy/modules/services/prelude.fc
index e590273..3bd847a 100644
--- a/policy/modules/services/prelude.fc
+++ b/policy/modules/services/prelude.fc
@@ -1,11 +1,18 @@
+/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0)
+/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_initrc_exec_t,s0)
+
/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0)
+/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0)
/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0)
-
+/var/log/prelude.* gen_context(system_u:object_r:prelude_log_t,s0)
+/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0)
/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0)
-
/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0)
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
index f2f66b9..737be4f 100644
--- a/policy/modules/services/prelude.if
+++ b/policy/modules/services/prelude.if
@@ -56,6 +56,45 @@ interface(`prelude_signal_audisp',`
########################################
##
+## Read the prelude spool files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`prelude_read_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+##
+## Manage to prelude-manager spool files.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`prelude_manage_spool',`
+ gen_require(`
+ type prelude_spool_t;
+ ')
+
+ files_search_spool($1)
+ manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
+ manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
+########################################
+##
## All of the rules required to administrate
## an prelude environment
##
@@ -64,6 +103,11 @@ interface(`prelude_signal_audisp',`
## Domain allowed access.
##
##
+##
+##
+## Role allowed access.
+##
+##
##
#
interface(`prelude_admin',`
@@ -71,6 +115,10 @@ interface(`prelude_admin',`
type prelude_t, prelude_spool_t;
type prelude_var_run_t, prelude_var_lib_t;
type prelude_audisp_t, prelude_audisp_var_run_t;
+ type prelude_initrc_exec_t;
+
+ type prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_lml_var_run_t;
')
allow $1 prelude_t:process { ptrace signal_perms };
@@ -79,11 +127,18 @@ interface(`prelude_admin',`
allow $1 prelude_audisp_t:process { ptrace signal_perms };
ps_process_pattern($1, prelude_audisp_t)
- manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
-
- manage_files_pattern($1, prelude_var_lib_t, prelude_var_lib_t)
+ allow $1 prelude_lml_t:process { ptrace signal_perms };
+ ps_process_pattern($1, prelude_lml_t)
- manage_files_pattern($1, prelude_var_run_t, prelude_var_run_t)
+ init_labeled_script_domtrans($1, prelude_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 prelude_initrc_exec_t system_r;
+ allow $2 system_r;
- manage_files_pattern($1, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
+ admin_pattern($1, prelude_spool_t)
+ admin_pattern($1, prelude_var_lib_t)
+ admin_pattern($1, prelude_var_run_t)
+ admin_pattern($1, prelude_audisp_var_run_t)
+ admin_pattern($1, prelude_lml_tmp_t)
+ admin_pattern($1, prelude_lml_var_run_t)
')
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
index aa31eca..cc4a00e 100644
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
@@ -1,5 +1,5 @@
-policy_module(prelude, 1.0.2)
+policy_module(prelude, 1.0.3)
########################################
#
@@ -10,9 +10,15 @@ type prelude_t;
type prelude_exec_t;
init_daemon_domain(prelude_t, prelude_exec_t)
+type prelude_initrc_exec_t;
+init_script_file(prelude_initrc_exec_t)
+
type prelude_spool_t;
files_type(prelude_spool_t)
+type prelude_log_t;
+logging_log_file(prelude_log_t)
+
type prelude_var_run_t;
files_pid_file(prelude_var_run_t)
@@ -22,21 +28,43 @@ files_type(prelude_var_lib_t)
type prelude_audisp_t;
type prelude_audisp_exec_t;
init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
+logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t)
type prelude_audisp_var_run_t;
files_pid_file(prelude_audisp_var_run_t)
+type prelude_correlator_t;
+type prelude_correlator_exec_t;
+init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
+role system_r types prelude_correlator_t;
+
+type prelude_correlator_config_t;
+files_config_file(prelude_correlator_config_t)
+
+type prelude_lml_t;
+type prelude_lml_exec_t;
+init_daemon_domain(prelude_lml_t, prelude_lml_exec_t)
+
+type prelude_lml_tmp_t;
+files_tmp_file(prelude_lml_tmp_t)
+
+type prelude_lml_var_run_t;
+files_pid_file(prelude_lml_var_run_t)
+
########################################
#
# prelude local policy
#
-allow prelude_t self:capability sys_tty_config;
+allow prelude_t self:capability { dac_override sys_tty_config };
allow prelude_t self:fifo_file rw_file_perms;
allow prelude_t self:unix_stream_socket create_stream_socket_perms;
allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
allow prelude_t self:tcp_socket create_stream_socket_perms;
+manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t)
+logging_log_filetrans(prelude_t, prelude_log_t, file)
+
manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
files_search_spool(prelude_t)
@@ -49,6 +77,9 @@ manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
files_pid_filetrans(prelude_t, prelude_var_run_t, file)
+kernel_read_system_state(prelude_t)
+kernel_read_sysctl(prelude_t)
+
corecmd_search_bin(prelude_t)
corenet_all_recvfrom_unlabeled(prelude_t)
@@ -56,15 +87,20 @@ corenet_all_recvfrom_netlabel(prelude_t)
corenet_tcp_sendrecv_generic_if(prelude_t)
corenet_tcp_sendrecv_generic_node(prelude_t)
corenet_tcp_bind_generic_node(prelude_t)
+corenet_tcp_bind_prelude_port(prelude_t)
+corenet_tcp_connect_prelude_port(prelude_t)
+corenet_tcp_connect_postgresql_port(prelude_t)
dev_read_rand(prelude_t)
dev_read_urand(prelude_t)
-# Init script handling
-domain_use_interactive_fds(prelude_t)
-
files_read_etc_files(prelude_t)
+files_read_etc_runtime_files(prelude_t)
files_read_usr_files(prelude_t)
+files_search_tmp(prelude_t)
+files_search_tmp(prelude_t)
+
+fs_rw_anon_inodefs_files(prelude_t)
auth_use_nsswitch(prelude_t)
@@ -86,7 +122,7 @@ optional_policy(`
#
# prelude_audisp local policy
#
-
+allow prelude_audisp_t self:capability dac_override;
allow prelude_audisp_t self:fifo_file rw_file_perms;
allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
@@ -100,6 +136,9 @@ files_search_spool(prelude_audisp_t)
manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file)
+kernel_read_sysctl(prelude_audisp_t)
+kernel_read_system_state(prelude_audisp_t)
+
corecmd_search_bin(prelude_audisp_t)
corenet_all_recvfrom_unlabeled(prelude_audisp_t)
@@ -107,6 +146,7 @@ corenet_all_recvfrom_netlabel(prelude_audisp_t)
corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
corenet_tcp_bind_generic_node(prelude_audisp_t)
+corenet_tcp_connect_prelude_port(prelude_audisp_t)
dev_read_rand(prelude_audisp_t)
dev_read_urand(prelude_audisp_t)
@@ -115,11 +155,120 @@ dev_read_urand(prelude_audisp_t)
domain_use_interactive_fds(prelude_audisp_t)
files_read_etc_files(prelude_audisp_t)
+files_read_etc_runtime_files(prelude_audisp_t)
+files_search_tmp(prelude_audisp_t)
logging_send_syslog_msg(prelude_audisp_t)
miscfiles_read_localization(prelude_audisp_t)
+sysnet_dns_name_resolve(prelude_audisp_t)
+
+########################################
+#
+# prelude_correlator local policy
+#
+
+allow prelude_correlator_t self:capability dac_override;
+allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
+
+allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
+read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
+
+kernel_read_sysctl(prelude_correlator_t)
+
+corecmd_search_bin(prelude_correlator_t)
+
+corenet_all_recvfrom_unlabeled(prelude_correlator_t)
+corenet_all_recvfrom_netlabel(prelude_correlator_t)
+corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
+corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
+corenet_tcp_connect_prelude_port(prelude_correlator_t)
+
+dev_read_rand(prelude_correlator_t)
+dev_read_urand(prelude_correlator_t)
+
+files_read_etc_files(prelude_correlator_t)
+files_read_usr_files(prelude_correlator_t)
+files_search_spool(prelude_correlator_t)
+
+logging_send_syslog_msg(prelude_correlator_t)
+
+miscfiles_read_localization(prelude_correlator_t)
+
+sysnet_dns_name_resolve(prelude_correlator_t)
+
+prelude_manage_spool(prelude_correlator_t)
+
+########################################
+#
+# prelude_lml local declarations
+#
+
+allow prelude_lml_t self:capability dac_override;
+allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect };
+allow prelude_lml_t self:unix_dgram_socket { write create connect };
+allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
+allow prelude_lml_t self:unix_stream_socket connectto;
+
+manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
+files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir })
+files_list_tmp(prelude_lml_t)
+
+manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
+files_search_spool(prelude_lml_t)
+
+manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
+files_search_var_lib(prelude_lml_t)
+
+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
+
+kernel_read_system_state(prelude_lml_t)
+kernel_read_sysctl(prelude_lml_t)
+
+corecmd_exec_bin(prelude_lml_t)
+
+corenet_tcp_sendrecv_generic_if(prelude_lml_t)
+corenet_tcp_sendrecv_generic_node(prelude_lml_t)
+corenet_tcp_recvfrom_netlabel(prelude_lml_t)
+corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
+corenet_sendrecv_unlabeled_packets(prelude_lml_t)
+corenet_tcp_connect_prelude_port(prelude_lml_t)
+
+dev_read_rand(prelude_lml_t)
+dev_read_urand(prelude_lml_t)
+
+files_list_etc(prelude_lml_t)
+files_read_etc_files(prelude_lml_t)
+files_read_etc_runtime_files(prelude_lml_t)
+
+fs_rw_anon_inodefs_files(prelude_lml_t)
+
+auth_use_nsswitch(prelude_lml_t)
+
+libs_exec_lib_files(prelude_lml_t)
+libs_read_lib_files(prelude_lml_t)
+
+logging_send_syslog_msg(prelude_lml_t)
+logging_read_generic_logs(prelude_lml_t)
+
+miscfiles_read_localization(prelude_lml_t)
+
+sysnet_dns_name_resolve(prelude_lml_t)
+
+userdom_read_all_users_state(prelude_lml_t)
+
+optional_policy(`
+ apache_search_sys_content(prelude_lml_t)
+ apache_read_log(prelude_lml_t)
+')
+
########################################
#
# prewikka_cgi Declarations
@@ -127,7 +276,22 @@ miscfiles_read_localization(prelude_audisp_t)
optional_policy(`
apache_content_template(prewikka)
+
+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+
files_read_etc_files(httpd_prewikka_script_t)
+ files_search_tmp(httpd_prewikka_script_t)
+
+ kernel_read_sysctl(httpd_prewikka_script_t)
+ kernel_search_network_sysctl(httpd_prewikka_script_t)
+
+ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
+
+ auth_use_nsswitch(httpd_prewikka_script_t)
+
+ logging_send_syslog_msg(httpd_prewikka_script_t)
+
+ apache_search_sys_content(httpd_prewikka_script_t)
optional_policy(`
mysql_search_db(httpd_prewikka_script_t)