diff --git a/Changelog b/Changelog index 3502a8c..46f1bfe 100644 --- a/Changelog +++ b/Changelog @@ -11,6 +11,7 @@ - Added modules: kerneloops (Dan Walsh) kismet (Dan Walsh) + prelude (Dan Walsh) * Wed Apr 02 2008 Chris PeBenito - 20080402 - Add core Security Enhanced X Windows support. diff --git a/policy/modules/services/prelude.fc b/policy/modules/services/prelude.fc new file mode 100644 index 0000000..e590273 --- /dev/null +++ b/policy/modules/services/prelude.fc @@ -0,0 +1,11 @@ +/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) + +/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) +/usr/share/prewikka/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_prewikka_script_exec_t,s0) + +/var/lib/prelude-lml(/.*)? gen_context(system_u:object_r:prelude_var_lib_t,s0) + +/var/run/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_var_run_t,s0) + +/var/spool/prelude-manager(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) +/var/spool/prelude(/.*)? gen_context(system_u:object_r:prelude_spool_t,s0) diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if new file mode 100644 index 0000000..f2f66b9 --- /dev/null +++ b/policy/modules/services/prelude.if @@ -0,0 +1,89 @@ +## Prelude hybrid intrusion detection system + +######################################## +## +## Execute a domain transition to run prelude. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`prelude_domtrans',` + gen_require(` + type prelude_t, prelude_exec_t; + ') + + domtrans_pattern($1, prelude_exec_t, prelude_t) +') + +######################################## +## +## Execute a domain transition to run prelude_audisp. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`prelude_domtrans_audisp',` + gen_require(` + type prelude_audisp_t, prelude_audisp_exec_t; + ') + + domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t) +') + +######################################## +## +## Signal the prelude_audisp domain. +## +## +## +## Domain allowed acccess. +## +## +# +interface(`prelude_signal_audisp',` + gen_require(` + type prelude_audisp_t; + ') + + allow $1 prelude_audisp_t:process signal; +') + +######################################## +## +## All of the rules required to administrate +## an prelude environment +## +## +## +## Domain allowed access. +## +## +## +# +interface(`prelude_admin',` + gen_require(` + type prelude_t, prelude_spool_t; + type prelude_var_run_t, prelude_var_lib_t; + type prelude_audisp_t, prelude_audisp_var_run_t; + ') + + allow $1 prelude_t:process { ptrace signal_perms }; + ps_process_pattern($1, prelude_t) + + allow $1 prelude_audisp_t:process { ptrace signal_perms }; + ps_process_pattern($1, prelude_audisp_t) + + manage_files_pattern($1, prelude_spool_t, prelude_spool_t) + + manage_files_pattern($1, prelude_var_lib_t, prelude_var_lib_t) + + manage_files_pattern($1, prelude_var_run_t, prelude_var_run_t) + + manage_files_pattern($1, prelude_audisp_var_run_t, prelude_audisp_var_run_t) +') diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te new file mode 100644 index 0000000..6dc3f3d --- /dev/null +++ b/policy/modules/services/prelude.te @@ -0,0 +1,146 @@ + +policy_module(prelude, 1.0.0) + +######################################## +# +# Declarations +# + +type prelude_t; +type prelude_exec_t; +init_daemon_domain(prelude_t, prelude_exec_t) + +type prelude_spool_t; +files_type(prelude_spool_t) + +type prelude_var_run_t; +files_pid_file(prelude_var_run_t) + +type prelude_var_lib_t; +files_type(prelude_var_lib_t) + +type prelude_audisp_t; +type prelude_audisp_exec_t; +init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t) + +type prelude_audisp_var_run_t; +files_pid_file(prelude_audisp_var_run_t) + +######################################## +# +# prelude local policy +# + +allow prelude_t self:capability sys_tty_config; +allow prelude_t self:fifo_file rw_file_perms; +allow prelude_t self:unix_stream_socket create_stream_socket_perms; +allow prelude_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_t self:tcp_socket create_stream_socket_perms; + +manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t) +manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t) +files_search_spool(prelude_t) + +manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) +manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t) +files_search_var_lib(prelude_t) + +manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t) +files_pid_filetrans(prelude_t, prelude_var_run_t, file) + +corecmd_search_bin(prelude_t) + +corenet_all_recvfrom_unlabeled(prelude_t) +corenet_all_recvfrom_netlabel(prelude_t) +corenet_tcp_sendrecv_all_if(prelude_t) +corenet_tcp_sendrecv_all_nodes(prelude_t) +corenet_tcp_bind_all_nodes(prelude_t) + +dev_read_rand(prelude_t) +dev_read_urand(prelude_t) + +# Init script handling +domain_use_interactive_fds(prelude_t) + +files_read_etc_files(prelude_t) +files_read_usr_files(prelude_t) + +auth_use_nsswitch(prelude_t) + +libs_use_ld_so(prelude_t) +libs_use_shared_libs(prelude_t) + +logging_send_audit_msgs(prelude_t) +logging_send_syslog_msg(prelude_t) + +miscfiles_read_localization(prelude_t) + +optional_policy(` + mysql_search_db(prelude_t) + mysql_stream_connect(prelude_t) +') + +optional_policy(` + postgresql_stream_connect(prelude_t) +') + +######################################## +# +# prelude_audisp local policy +# + +allow prelude_audisp_t self:fifo_file rw_file_perms; +allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; +allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; +allow prelude_audisp_t self:netlink_route_socket r_netlink_socket_perms; +allow prelude_audisp_t self:tcp_socket create_socket_perms; + +manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) +manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t) +files_search_spool(prelude_audisp_t) + +manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t) +files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file) + +corecmd_search_bin(prelude_audisp_t) + +corenet_all_recvfrom_unlabeled(prelude_audisp_t) +corenet_all_recvfrom_netlabel(prelude_audisp_t) +corenet_tcp_sendrecv_all_if(prelude_audisp_t) +corenet_tcp_sendrecv_all_nodes(prelude_audisp_t) +corenet_tcp_bind_all_nodes(prelude_audisp_t) + +dev_read_rand(prelude_audisp_t) +dev_read_urand(prelude_audisp_t) + +# Init script handling +domain_use_interactive_fds(prelude_audisp_t) + +files_read_etc_files(prelude_audisp_t) + +libs_use_ld_so(prelude_audisp_t) +libs_use_shared_libs(prelude_audisp_t) + +logging_send_syslog_msg(prelude_audisp_t) + +miscfiles_read_localization(prelude_audisp_t) + +######################################## +# +# prewikka_cgi Declarations +# + +optional_policy(` + apache_content_template(prewikka) + files_read_etc_files(httpd_prewikka_script_t) + + optional_policy(` + mysql_search_db(httpd_prewikka_script_t) + mysql_stream_connect(httpd_prewikka_script_t) + ') + + optional_policy(` + postgresql_stream_connect(httpd_prewikka_script_t) + ') +')