From: dominick.grift@gmail.com (grift) Date: Sat, 08 Dec 2012 23:03:50 +0100 Subject: [refpolicy] [PATCH 03/11] Initial policy for logsentry In-Reply-To: <1355000222-7297-4-git-send-email-sven.vermeulen@siphos.be> References: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be> <1355000222-7297-4-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1355004230.1797.52.camel@localhost> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen
> ---
> logsentry.fc | 8 +++++++
> logsentry.if | 33 +++++++++++++++++++++++++++++
> logsentry.te | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 106 insertions(+), 0 deletions(-)
> create mode 100644 logsentry.fc
> create mode 100644 logsentry.if
> create mode 100644 logsentry.te
>
> diff --git a/logsentry.fc b/logsentry.fc
> new file mode 100644
> index 0000000..6327e1e
> --- /dev/null
> +++ b/logsentry.fc
> @@ -0,0 +1,8 @@
> +/usr/bin/logtail -- gen_context(system_u:object_r:logsentry_exec_t,s0)
> +/etc/logcheck/logcheck\.sh -- gen_context(system_u:object_r:logsentry_exec_t,s0)
Same as with makewhatis I would rather have the actual cron script labeled with the executable file type and leave /usr/bin/logtail generic since only a domain transition from crond is supported in this policy Then probably add a fc spec for /etc/logcheck/logcheck\.sh (bin_t) to corecommands.if
> +
> +/etc/logcheck(/.*)? -- gen_context(system_u:object_r:logsentry_etc_t,s0)
> +
> +/etc/logcheck/tmp(/.*)? gen_context(system_u:object_r:logsentry_tmp_t,s0)
I would probably label above logsentry_etc_rw_t instead
> +
> +/etc/logcheck/logcheck\..* -- gen_context(system_u:object_r:logsentry_filter_t,s0)
> diff --git a/logsentry.if b/logsentry.if
> new file mode 100644
> index 0000000..2109f42
> --- /dev/null
> +++ b/logsentry.if
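Review bot: In logsentry.fc, `/etc/logcheck/logcheck\.sh` is matched by three entries at once: the `logsentry_exec_t` line, `/etc/logcheck(/.*)?` (`logsentry_etc_t`) and `/etc/logcheck/logcheck\..*` (`logsentry_filter_t`). The label it ends up with therefore depends on how the file-context entries are ordered and matched, not on anything stated in the file. That matters because logsentry.te in this same patch gives logsentry_t `manage_files_pattern` on `logsentry_filter_t`; if the script were ever labelled with the filter type, the domain could rewrite the script it executes. I would add a comment above the exec entry such as `# must win over logcheck\..* below: filter files are writable by logsentry_t`, and confirm the result with `matchpathcon /etc/logcheck/logcheck.sh` after installing the module.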
> @@ -0,0 +1,33 @@
> +## Log file monitoring tool
> +
> +#######################################
> +##
> +## All of the rules required to administrate
> +## a logsentry environment.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +#
> +interface(`logsentry_admin',`
> + gen_require(`
> + type logsentry_t, logsentry_etc_t, logsentry_tmp_t, logsentry_filter_t;
> + ')
> +
> + allow $1 logsentry_t:process { ptrace signal_perms };
> + ps_process_pattern($1, logsentry_t)
> +
> + files_list_etc($1)
> + admin_pattern($1, logsentry_etc_t)
> + admin_pattern($1, logsentry_filter_t)
> +
> + files_list_tmp($1)
> + admin_pattern($1, logsentry_tmp_t)
> +')
> diff --git a/logsentry.te b/logsentry.te
> new file mode 100644
> index 0000000..3cdfcbe
> --- /dev/null
> +++ b/logsentry.te
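Review bot: `allow $1 logsentry_t:process { ptrace signal_perms };` in logsentry_admin gives every caller ptrace on logsentry_t unconditionally, which is more than stopping or signalling the checker needs. logsentry_t holds `setuid`/`setgid` and log management rights in logsentry.te, so tracing it lets the admin domain act with those permissions. I would reduce the rule to `allow $1 logsentry_t:process signal_perms;` unless there is a concrete debugging need. Separately, the header documents a second "Role allowed access" parameter, but `$2` is never referenced in the body; either drop the parameter from the documentation or use it.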
> @@ -0,0 +1,65 @@
> +policy_module(logsentry, 0.2)
> +
> +#######################################
> +#
> +# Declarations
> +#
> +
> +type logsentry_t;
> +type logsentry_exec_t;
> +application_domain(logsentry_t, logsentry_exec_t)
> +role system_r types logsentry_t;
> +
> +type logsentry_etc_t;
> +files_type(logsentry_etc_t);
> +
> +type logsentry_tmp_t;
> +files_tmp_file(logsentry_tmp_t);
> +
> +type logsentry_filter_t;
> +files_type(logsentry_filter_t)
> +
> +#######################################
> +#
> +# Local Policy
> +#
> +
> +allow logsentry_t self:fifo_file { read write getattr ioctl };
> +allow logsentry_t self:capability { setuid setgid };
> +allow logsentry_t logsentry_exec_t:file execute_no_trans;
> +
> +manage_dirs_pattern(logsentry_t, logsentry_tmp_t, logsentry_tmp_t)
> +manage_files_pattern(logsentry_t, logsentry_tmp_t, logsentry_tmp_t)
> +
> +files_tmp_filetrans(logsentry_t, logsentry_tmp_t, file)
> +
> +manage_files_pattern(logsentry_t, logsentry_filter_t, logsentry_filter_t)
> +
> +files_read_etc_files(logsentry_t)
> +
> +logging_search_logs(logsentry_t)
> +logging_manage_generic_logs(logsentry_t)
> +
> +kernel_read_system_state(logsentry_t)
> +
> +corecmd_exec_shell(logsentry_t)
> +corecmd_exec_bin(logsentry_t)
> +
> +miscfiles_read_localization(logsentry_t)
> +
> +mta_send_mail(logsentry_t)
> +
> +userdom_dontaudit_search_user_home_dirs(logsentry_t)
> +
> +optional_policy(`
> + logging_manage_audit_log(logsentry_t)
> +')
> +
> +optional_policy(`
> + hostname_exec(logsentry_t)
> +')
> +
> +optional_policy(`
> + cron_system_entry(logsentry_t, logsentry_exec_t)
> +')
> +
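Review bot: `logging_manage_generic_logs(logsentry_t)` and `logging_manage_audit_log(logsentry_t)` give a log-monitoring domain create, write and delete access to the logs it reports on, so a compromised or misbehaving checker could alter or remove the evidence. If the tool only reads the logs, `logging_read_generic_logs(logsentry_t)` and `logging_read_audit_log(logsentry_t)` would be enough. If logtail has to write offset files next to the logs (not visible here), a dedicated type for those files would keep the logs themselves read-only. Also, the policy declares `logsentry_etc_t` and logsentry.fc labels `/etc/logcheck` files with it, but logsentry_t is only given `files_read_etc_files`; a `read_files_pattern(logsentry_t, logsentry_etc_t, logsentry_etc_t)` looks missing.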