From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 8 Dec 2012 21:56:54 +0100
Subject: [refpolicy] [PATCH 03/11] Initial policy for logsentry
In-Reply-To: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be>
References: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1355000222-7297-4-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Signed-off-by: Sven Vermeulen
---
logsentry.fc | 8 +++++++
logsentry.if | 33 +++++++++++++++++++++++++++++
logsentry.te | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 106 insertions(+), 0 deletions(-)
create mode 100644 logsentry.fc
create mode 100644 logsentry.if
create mode 100644 logsentry.te
diff --git a/logsentry.fc b/logsentry.fc
new file mode 100644
index 0000000..6327e1e
--- /dev/null
+++ b/logsentry.fc
@@ -0,0 +1,8 @@
+/usr/bin/logtail -- gen_context(system_u:object_r:logsentry_exec_t,s0)
+/etc/logcheck/logcheck\.sh -- gen_context(system_u:object_r:logsentry_exec_t,s0)
+
+/etc/logcheck(/.*)? -- gen_context(system_u:object_r:logsentry_etc_t,s0)
+
+/etc/logcheck/tmp(/.*)? gen_context(system_u:object_r:logsentry_tmp_t,s0)
+
+/etc/logcheck/logcheck\..* -- gen_context(system_u:object_r:logsentry_filter_t,s0)
diff --git a/logsentry.if b/logsentry.if
new file mode 100644
index 0000000..2109f42
--- /dev/null
+++ b/logsentry.if
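Review bot: `/etc/logcheck/logcheck.sh` is matched by two entries in this hunk, `/etc/logcheck/logcheck\.sh` (logsentry_exec_t) and the last line `/etc/logcheck/logcheck\..*` (logsentry_filter_t); the script only ends up executable-labelled because the file_contexts sort prefers the longer literal prefix, which is easy to break the next time the filter pattern is edited. Anchor the filter entry on the lists it is meant to cover instead of a catch-all, e.g. `/etc/logcheck/logcheck\.(hacking|violations|ignore).* -- gen_context(system_u:object_r:logsentry_filter_t,s0)` if those are the names logsentry installs (inferred from the tool, not shown here), or at least add a comment that the `.sh` entry is relied on to win. Separately, the `--` on `/etc/logcheck(/.*)?` restricts that entry to regular files, so the `/etc/logcheck` directory itself keeps the generic etc_t label and no directory ever carries logsentry_etc_t or logsentry_filter_t; if the intent is for the domain or its admin to create files of those types there, the `--` should be dropped.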
@@ -0,0 +1,33 @@
+## Log file monitoring tool
+
+#######################################
+##
+## All of the rules required to administrate
+## a logsentry environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`logsentry_admin',`
+ gen_require(`
+ type logsentry_t, logsentry_etc_t, logsentry_tmp_t, logsentry_filter_t;
+ ')
+
+ allow $1 logsentry_t:process { ptrace signal_perms };
+ ps_process_pattern($1, logsentry_t)
+
+ files_list_etc($1)
+ admin_pattern($1, logsentry_etc_t)
+ admin_pattern($1, logsentry_filter_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, logsentry_tmp_t)
+')
diff --git a/logsentry.te b/logsentry.te
new file mode 100644
index 0000000..3cdfcbe
--- /dev/null
+++ b/logsentry.te
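Review bot: The documentation block describes a second parameter (`Role allowed access.`) but the body of `logsentry_admin` only ever references `$1`, so the role argument is accepted and silently ignored; either use `$2` or note in the parameter description that it is currently unused and reserved for a future `logsentry_run` style interface. The `files_list_tmp($1)` next to `admin_pattern($1, logsentry_tmp_t)` also deserves a why-comment, because the directory the `.fc` file in this patch labels logsentry_tmp_t is `/etc/logcheck/tmp`, not anything under `/tmp`, so it is `files_list_etc($1)` that actually lets the admin reach it — something like `# logsentry keeps its tmp dir under /etc/logcheck/tmp` would save the next reader the cross-check. The `<summary>`/`<param>` XML tags are not visible around the bare `##` lines in this rendering; worth confirming they are present in the real file, since the interface description is only picked up through them.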
@@ -0,0 +1,65 @@
+policy_module(logsentry, 0.2)
+
+#######################################
+#
+# Declarations
+#
+
+type logsentry_t;
+type logsentry_exec_t;
+application_domain(logsentry_t, logsentry_exec_t)
+role system_r types logsentry_t;
+
+type logsentry_etc_t;
+files_type(logsentry_etc_t);
+
+type logsentry_tmp_t;
+files_tmp_file(logsentry_tmp_t);
+
+type logsentry_filter_t;
+files_type(logsentry_filter_t)
+
+#######################################
+#
+# Local Policy
+#
+
+allow logsentry_t self:fifo_file { read write getattr ioctl };
+allow logsentry_t self:capability { setuid setgid };
+allow logsentry_t logsentry_exec_t:file execute_no_trans;
+
+manage_dirs_pattern(logsentry_t, logsentry_tmp_t, logsentry_tmp_t)
+manage_files_pattern(logsentry_t, logsentry_tmp_t, logsentry_tmp_t)
+
+files_tmp_filetrans(logsentry_t, logsentry_tmp_t, file)
+
+manage_files_pattern(logsentry_t, logsentry_filter_t, logsentry_filter_t)
+
+files_read_etc_files(logsentry_t)
+
+logging_search_logs(logsentry_t)
+logging_manage_generic_logs(logsentry_t)
+
+kernel_read_system_state(logsentry_t)
+
+corecmd_exec_shell(logsentry_t)
+corecmd_exec_bin(logsentry_t)
+
+miscfiles_read_localization(logsentry_t)
+
+mta_send_mail(logsentry_t)
+
+userdom_dontaudit_search_user_home_dirs(logsentry_t)
+
+optional_policy(`
+ logging_manage_audit_log(logsentry_t)
+')
+
+optional_policy(`
+ hostname_exec(logsentry_t)
+')
+
+optional_policy(`
+ cron_system_entry(logsentry_t, logsentry_exec_t)
+')
+
-- 1.7.8.6
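Review bot: `logging_manage_generic_logs(logsentry_t)` gives the checker create/write/unlink on every `var_log_t` file, and the first `optional_policy` block adds `logging_manage_audit_log`, so the domain whose job is to report on the logs can also truncate or remove them — and `manage_files_pattern(logsentry_t, logsentry_filter_t, logsentry_filter_t)` lets it rewrite the filter lists that decide what gets reported. If the write access is only needed for the `.offset` bookkeeping files that `logtail` keeps next to each log (inferred from the tool, not shown in the hunk), a dedicated type created through `logging_log_filetrans` keeps the logs themselves read-only for this domain, paired with an `.fc` entry such as `/var/log/.*\.offset -- gen_context(system_u:object_r:logsentry_log_t,s0)`; the same question applies to the filter lists, which `read_files_pattern` would cover if the script only reads them. Separately, `files_type(logsentry_etc_t);` and `files_tmp_file(logsentry_tmp_t);` end in a semicolon that the other interface calls in this hunk, e.g. `files_type(logsentry_filter_t)`, omit; refpolicy style is no semicolon after a macro call. `allow logsentry_t self:capability { setuid setgid };` would benefit from a why-comment, since nothing here shows which identity the script switches to.
```selinux
type logsentry_log_t;
logging_log_file(logsentry_log_t)

# … unchanged: other declarations, tmp/filter/etc rules …

# Read the logs being checked; only the offset bookkeeping files
# logtail creates in the log directories get a writable type.
manage_files_pattern(logsentry_t, logsentry_log_t, logsentry_log_t)
logging_log_filetrans(logsentry_t, logsentry_log_t, file)
logging_read_generic_logs(logsentry_t)
logging_search_logs(logsentry_t)
```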