From: harrytaurus2002@hotmail.com (HarryCiao)
Date: Tue, 9 Nov 2010 03:33:24 +0000
Subject: [refpolicy] Add support for the samhain program
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi SELinux experts:

I have tried to add support for the samhain program, which is used to check filesystem integrity. Please help comment on the attached implementation of the samhain.pp, many thanks!

I have tested it on the samhain-2.5.5 package with the default configuration by the following commands, and samhain could detect changes as to be monitored in its configuration file (/etc/samhainrc):

(In sysadm_r role, install samhain.pp and update sysadm.pp)

1. Initialize database:
   newrole -l s15:c0.c1023 -- -c "samhain -t init"

2. Check samhain daemon status:
   run_init /etc/init.d/samhain status

3. Start samhain in daemon mode:
   run_init /etc/init.d/samhain start
   or,
   newrole -l s15:c0.c1023 -- -c "samhain -t check -D"

4. Stop samhain daemon:
   run_init /etc/init.d/samhain stop

Two more questions:

1. sysadm or secadm, who is a better choice to call samhain_admin() for? sysadm could manage /var/log/, /var/lib/ already but doesn't belong to the mlsfilewrite attribute, while secadm has the opposite abilities. Or some other better solution?

2. Would the samhain_run_init_script() make sense if the samhain_admin() is called for secadm?

Thanks a lot!

Best regards,
Harry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: v0-Add-support-for-the-samhain-program.patch
Type: text/x-patch
Size: 10489 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20101109/e6e1395d/attachment-0001.bin