From: dominick.grift@gmail.com (Dominick Grift) Date: Sat, 05 Oct 2013 09:22:59 +0200 Subject: [refpolicy] [PATCH 03/11] Initial policy for logsentry In-Reply-To: <1355000222-7297-4-git-send-email-sven.vermeulen@siphos.be> References: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be> <1355000222-7297-4-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1380957779.2956.1.camel@d30> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote: > Signed-off-by: Sven Vermeulen I see that this is a system cron job. Where is the cronjob located? /etc/cron.daily/logcheck? > --- > logsentry.fc | 8 +++++++ > logsentry.if | 33 +++++++++++++++++++++++++++++ > logsentry.te | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 106 insertions(+), 0 deletions(-) > create mode 100644 logsentry.fc > create mode 100644 logsentry.if > create mode 100644 logsentry.te > > diff --git a/logsentry.fc b/logsentry.fc > new file mode 100644 > index 0000000..6327e1e > --- /dev/null > +++ b/logsentry.fc > @@ -0,0 +1,8 @@ > +/usr/bin/logtail -- gen_context(system_u:object_r:logsentry_exec_t,s0) > +/etc/logcheck/logcheck\.sh -- gen_context(system_u:object_r:logsentry_exec_t,s0) > + > +/etc/logcheck(/.*)? -- gen_context(system_u:object_r:logsentry_etc_t,s0) > + > +/etc/logcheck/tmp(/.*)? gen_context(system_u:object_r:logsentry_tmp_t,s0) > + > +/etc/logcheck/logcheck\..* -- gen_context(system_u:object_r:logsentry_filter_t,s0) > diff --git a/logsentry.if b/logsentry.if > new file mode 100644 > index 0000000..2109f42 > --- /dev/null > +++ b/logsentry.if > @@ -0,0 +1,33 @@ > +## Log file monitoring tool > + > +####################################### > +## > +## All of the rules required to administrate > +## a logsentry environment. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +# > +interface(`logsentry_admin',` > + gen_require(` > + type logsentry_t, logsentry_etc_t, logsentry_tmp_t, logsentry_filter_t; > + ') > + > + allow $1 logsentry_t:process { ptrace signal_perms }; > + ps_process_pattern($1, logsentry_t) > + > + files_list_etc($1) > + admin_pattern($1, logsentry_etc_t) > + admin_pattern($1, logsentry_filter_t) > + > + files_list_tmp($1) > + admin_pattern($1, logsentry_tmp_t) > +') > diff --git a/logsentry.te b/logsentry.te > new file mode 100644 > index 0000000..3cdfcbe > --- /dev/null > +++ b/logsentry.te > @@ -0,0 +1,65 @@ > +policy_module(logsentry, 0.2) > + > +####################################### > +# > +# Declarations > +# > + > +type logsentry_t; > +type logsentry_exec_t; > +application_domain(logsentry_t, logsentry_exec_t) > +role system_r types logsentry_t; > + > +type logsentry_etc_t; > +files_type(logsentry_etc_t); > + > +type logsentry_tmp_t; > +files_tmp_file(logsentry_tmp_t); > + > +type logsentry_filter_t; > +files_type(logsentry_filter_t) > + > +####################################### > +# > +# Local Policy > +# > + > +allow logsentry_t self:fifo_file { read write getattr ioctl }; > +allow logsentry_t self:capability { setuid setgid }; > +allow logsentry_t logsentry_exec_t:file execute_no_trans; > + > +manage_dirs_pattern(logsentry_t, logsentry_tmp_t, logsentry_tmp_t) > +manage_files_pattern(logsentry_t, logsentry_tmp_t, logsentry_tmp_t) > + > +files_tmp_filetrans(logsentry_t, logsentry_tmp_t, file) > + > +manage_files_pattern(logsentry_t, logsentry_filter_t, logsentry_filter_t) > + > +files_read_etc_files(logsentry_t) > + > +logging_search_logs(logsentry_t) > +logging_manage_generic_logs(logsentry_t) > + > +kernel_read_system_state(logsentry_t) > + > +corecmd_exec_shell(logsentry_t) > +corecmd_exec_bin(logsentry_t) > + > +miscfiles_read_localization(logsentry_t) > + > +mta_send_mail(logsentry_t) > + > +userdom_dontaudit_search_user_home_dirs(logsentry_t) > + > +optional_policy(` > + logging_manage_audit_log(logsentry_t) > +') > + > +optional_policy(` > + hostname_exec(logsentry_t) > +') > + > +optional_policy(` > + cron_system_entry(logsentry_t, logsentry_exec_t) > +') > +