New policy for tripwire

David Hampton hampton-rh at rainbolthampton.net
Sat Mar 12 23:50:45 UTC 2005


This is written on an FC3 base system using the selinux-policy-strict-
sources-1.22.1-2 policy from March 11th.  These are the first policies
I've submitted so I'd appreciate any comments on how to write better
policies.

David

-------------- next part --------------
# tripwire
# File contexts for the tripwire integrity checker.  The most specific
# match wins, so the /var/lib/tripwire/report entry overrides the general
# /var/lib/tripwire entry for the report subtree.
#
# NOTE(review): everything under /etc/tripwire shares one type, so the
# policy text, the config and any key files kept there (tripwire normally
# keeps its site/local keys in /etc/tripwire - confirm on this system) are
# readable by every domain granted tripwire_etc_t read access.  Keep the
# DAC modes on the key files tight; SELinux alone does not separate them
# from the rest of the directory.
/etc/tripwire(/.*)?			system_u:object_r:tripwire_etc_t
/usr/sbin/siggen			system_u:object_r:siggen_exec_t
/usr/sbin/tripwire			system_u:object_r:tripwire_exec_t
# bin_t, not an entry point: the setup script runs in the domain of whoever
# invokes it; only the tripwire tools it presumably execs (twadmin) get a
# domain transition.
/usr/sbin/tripwire-setup-keyfiles	system_u:object_r:bin_t
/usr/sbin/twadmin			system_u:object_r:twadmin_exec_t
/usr/sbin/twprint			system_u:object_r:twprint_exec_t
/var/lib/tripwire(/.*)?			system_u:object_r:tripwire_var_lib_t
/var/lib/tripwire/report(/.*)?		system_u:object_r:tripwire_report_t
-------------- next part --------------
# DESC tripwire
#
# Author: David Hampton <hampton at employees.org>
#

# NOTE: Tripwire creates a temp file in its current working directory.
# This policy does not allow write access to home directories, so
# users will need to either cd to a directory where they have write
# permission, or set the TEMPDIRECTORY variable in the tripwire config
# file.  The latter is preferable: pointing TEMPDIRECTORY into tmp_t lets
# the file_type_auto_trans rules in tripwire_domain below kick in and
# label the temp files tripwire_tmp_t, private to tripwire.


# Common definitions
# tripwire_report_t: the report files under /var/lib/tripwire/report (see
# the file contexts).  sysadmfile lets the admin domain manage them; the
# tripwire domains get create access through create_dir_file below.
type tripwire_report_t, file_type, sysadmfile;
# These global macros (not shown here) declare tripwire_etc_t,
# tripwire_var_lib_t and tripwire_tmp_t and give tripwire_t its baseline
# access to them.  The tripwire_domain macro below restates the var_lib and
# tmp transitions for each domain it builds, so for tripwire_t some rules
# are presumably stated twice - harmless if identical, TODO confirm against
# macros/global_macros.te.
etcdir_domain(tripwire)
var_lib_domain(tripwire)
tmp_domain(tripwire)


# Macro for defining tripwire domains
# Macro for defining tripwire domains
#
# tripwire_domain(name): declares name_t as an application domain carrying
# the auth attribute (the read-everything rules below cover shadow_t, which
# the base policy presumably only permits to auth domains - confirm against
# assert.te) and grants it what the tripwire binary needs.  Instantiated
# twice below: tripwire (interactive) and tripwire_crond (from cron).
#
# SECURITY NOTE: a process in one of these domains can stat and read every
# file_type on the system, password hashes and private keys included, and
# can write the tripwire database and reports.  Keep the set of domains
# that may enter it as small as possible.
define(`tripwire_domain',`
application_domain($1, `, auth')
# system_r only here; user_r/sysadm_r entry is whatever application_domain
# sets up (not shown in this file).
role system_r types $1_t;

# Allow access to common tripwire files
# Config, policy and (presumably) key files are read-only for every tripwire
# domain; only twadmin_t (below) may create or modify them.
allow $1_t tripwire_etc_t:file r_file_perms;
allow $1_t tripwire_etc_t:dir r_dir_perms;
allow $1_t tripwire_etc_t:lnk_file { getattr read };
# Database: files created directly under var_lib_t are labelled private to
# tripwire, and the database directory is fully writable.
file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
# Temp files only land in tripwire_tmp_t when TEMPDIRECTORY points into
# tmp_t (see the note at the top of this file).
file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')

allow $1_t self:process { fork sigchld };
# NOTE(review): dac_override lets a root tripwire read files whose mode
# bits would otherwise deny it, which an integrity checker plausibly needs.
# setuid/setgid look unneeded for this tool - confirm with the audit log
# and drop them if nothing uses them.
allow $1_t self:capability { setgid setuid dac_override };

# Tripwire needs to read all files on the system
# Stat/read of every labelled file, device node and /proc entry.  This is
# inherent to an integrity checker and is the reason the domain has to be
# tightly gated.
general_proc_read_access($1_t)
allow $1_t file_type:dir { search getattr read};
allow $1_t file_type:{file chr_file lnk_file sock_file} {getattr read};
allow $1_t file_type:fifo_file { getattr };
allow $1_t device_type:file { getattr read };
allow $1_t sysctl_t:dir { getattr read };
allow $1_t {memory_device_t tty_device_t urandom_device_t zero_device_t}:chr_file getattr;

# Tripwire report files
create_dir_file($1_t, tripwire_report_t)

# gethostid()?
# Local socket create/connect, seen in practice; presumably a libc name
# lookup (gethostid or gethostbyname) - confirm which call needs it.
allow $1_t self:unix_stream_socket { connect create };

# Running editor program (tripwire forks then runs bash which runs editor)
# No domain transition here: the shell and the editor run inside the same
# domain and therefore inherit its read-everything rights and its write
# access to the database.  Only a trusted EDITOR should be used when
# tripwire launches an editor.
can_exec($1_t, shell_exec_t)
can_exec($1_t, bin_t)
uses_shlib($1_t)

allow $1_t self:dir search;
allow $1_t self:file { getattr read };
')


##########
##########

#
# When run by a user
#
# Interactive domain.  Which user domains may enter it is decided by
# application_domain (via tripwire_domain), not by anything in this file;
# since the terminal rules below cover user_devpts_t as well as
# sysadm_devpts_t, check that only the intended roles can reach a domain
# that reads every file on the system.
tripwire_domain(`tripwire')

# Running from the command line
# Terminal access for the interactive run, plus inherited descriptors when
# invoked inside an ssh session.
allow tripwire_t devpts_t:dir search;
allow tripwire_t devtty_t:chr_file { read write };
allow tripwire_t {sysadm_devpts_t user_devpts_t}:chr_file rw_file_perms;
allow tripwire_t sshd_t:fd use;


##########
##########

#
# When run from cron
#
# Non-interactive domain, entered from the system cron job domain through
# system_crond_entry.
tripwire_domain(`tripwire_crond')
system_crond_entry(tripwire_exec_t, tripwire_crond_t)
# NOTE(review): this sends an exec of the tripwire binary by the cron
# daemon itself (crond_t) into the interactive tripwire_t, not into
# tripwire_crond_t, which reads oddly next to the entry above.  If crond_t
# really execs the binary directly, tripwire_crond_t is presumably the
# intended target; if it never does (jobs normally reach system_crond_t
# through a shell), the rule is dead.  Confirm with the audit log before
# changing it.
domain_auto_trans(crond_t, tripwire_exec_t, tripwire_t)

# Tripwire uses a temp file in the root home directory
# Left disabled on purpose: see the TEMPDIRECTORY note at the top of the
# file for the preferred fix instead of granting writes to root_t.
#create_dir_file(tripwire_crond_t, root_t)


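##########
# Twadmin
##########
# twadmin_t: the only domain allowed to create and modify the tripwire
# config, policy and key material under tripwire_etc_t.  It deliberately
# does not use the tripwire_domain macro, so it gets no read-everything
# access and no capabilities from this file.
application_domain(twadmin)
read_locale(twadmin_t)
create_dir_file(twadmin_t, tripwire_etc_t)

# NOTE(review): read and write on admin-owned tmp files (presumably the
# plaintext policy/config handed to twadmin).  If twadmin only reads them,
# drop write.
allow twadmin_t sysadm_tmp_t:file { getattr read write };

# Running from the command line
allow twadmin_t sshd_t:fd use;
allow twadmin_t sysadm_devpts_t:chr_file rw_file_perms;

# Silence noise, presumably from PATH and home-directory lookups.  The
# user_home_dir_t rule was written for twprint_t in this section, which
# looks like a copy-paste slip; it now names twadmin_t like its siblings.
# If the twprint_t variant was also wanted, add it in the Twprint section.
dontaudit twadmin_t { bin_t sbin_t }:dir search;
dontaudit twadmin_t home_root_t:dir search;
dontaudit twadmin_t user_home_dir_t:dir search;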


##########
# Twprint
##########
# twprint_t: read-only consumer of the config, database and reports.  It
# does not use the tripwire_domain macro, so nothing here grants it access
# to the rest of the filesystem or any capability.  Note that read access
# to tripwire_etc_t also covers any key files kept there.
application_domain(twprint)
read_locale(twprint_t)
r_dir_file(twprint_t, tripwire_etc_t)
# Path search down to /var/lib/tripwire.
allow twprint_t { var_t var_lib_t }:dir search;
r_dir_file(twprint_t, tripwire_var_lib_t)
r_dir_file(twprint_t, tripwire_report_t)

# Running from the command line
allow twprint_t sshd_t:fd use;
allow twprint_t sysadm_devpts_t:chr_file rw_file_perms;

# Silence noise, presumably from PATH and home-directory lookups.
dontaudit twprint_t { bin_t sbin_t }:dir search;
dontaudit twprint_t home_root_t:dir search;


##########
# Siggen
##########
# siggen_t: the tripwire signature tool hashes arbitrary files, so like the
# tripwire domains it carries the auth attribute and may stat/read every
# file_type.  Unlike them it is granted no capabilities and no write access
# here, so it is the least privileged of the read-everything domains.
application_domain(siggen, `, auth')
read_locale(siggen_t)

# Need permission to read files
allow siggen_t file_type:dir { search getattr read};
allow siggen_t file_type:file {getattr read};

# Running from the command line
allow siggen_t sshd_t:fd use;
allow siggen_t sysadm_devpts_t:chr_file rw_file_perms;

