authorDominick Grift <dac.override@gmail.com>2015-01-27 21:17:58 +0100
committerSven Vermeulen <sven.vermeulen@siphos.be>2015-01-29 21:51:08 +0100
commitcba6dc0028608f027f7e02ab1d4df155632a7a46 (patch)
tree794fd46693925ea7fb34420a8d395740a8684730
parentRedundant rules and afs_files_t is not a filesystem type (diff)
Various samhain fixes
connects to smtp port
resolves smtp dns name
missing samhain_domain attribute
reads random device
samhain_domains use unnamed pipes for internal comms
clarify why some rules are commented out for now in samhain_admin()
remove samhain_run() from samhain_admin()
samhain needs to be able to maintain directories in /var/lib

Signed-off-by: Dominick Grift <dac.override@gmail.com>
-rw-r--r--policy/modules/contrib/samhain.if8
-rw-r--r--policy/modules/contrib/samhain.te12
2 files changed, 13 insertions, 7 deletions
diff --git a/policy/modules/contrib/samhain.if b/policy/modules/contrib/samhain.if
index f0236d67d..b1ebcee53 100644
--- a/policy/modules/contrib/samhain.if
+++ b/policy/modules/contrib/samhain.if
@@ -16,7 +16,7 @@ template(`samhain_service_template',`
type samhain_exec_t;
')
- type $1_t;
+ type $1_t, samhain_domain;
domain_type($1_t)
domain_entry_file($1_t, samhain_exec_t)
@@ -213,14 +213,14 @@ interface(`samhain_manage_pid_files',`
interface(`samhain_admin',`
gen_require(`
attribute samhain_domain;
- type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
+ type samhain_db_t, samhain_etc_t;
type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
')
allow $1 samhain_domain:process { ptrace signal_perms };
ps_process_pattern($1, samhain_domain)
- # pending
+ # duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first
# init_labeled_script_domtrans($1, samhain_initrc_exec_t)
# domain_system_change_exemption($1)
# role_transition $2 samhain_initrc_exec_t system_r;
@@ -237,6 +237,4 @@ interface(`samhain_admin',`
files_list_pids($1)
admin_pattern($1, samhain_var_run_t)
-
- # samhain_run($1, $2)
')
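Review bot: The new declaration `type $1_t, samhain_domain;` in the first hunk needs the attribute in scope, but the visible part of the template's gen_require lists only `type samhain_exec_t;`; the require block starts before the hunk, so if `attribute samhain_domain;` is not already there it should be added, otherwise instantiating the template from another module will not build. A side effect worth recording is that samhain_admin() grants `allow $1 samhain_domain:process { ptrace signal_perms };`, so every domain created through this template now automatically falls under the admin's ptrace and signal rights; a comment on the declaration such as `# every template domain carries samhain_domain: covered by samhain_admin() and the shared rules in samhain.te` would make that visible to the next author. Dropping `samhain_t, samhaind_t` from samhain_admin()'s require is consistent with the body shown, which references only the attribute and the file types; the interface body continues outside the second hunk, so confirm no remaining line uses either type.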
diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
index c41ce4bff..3ed8e4558 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.2.0)
+policy_module(samhain, 1.2.1)
########################################
#
@@ -50,8 +50,9 @@ ifdef(`enable_mls',`
allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
dontaudit samhain_domain self:capability { sys_resource sys_ptrace };
-allow samhain_domain self:fd use;
allow samhain_domain self:process { setsched setrlimit signull };
+allow samhain_domain self:fd use;
+allow samhain_domain self:fifo_file rw_fifo_file_perms;
allow samhain_domain samhain_etc_t:file read_file_perms;
@@ -96,6 +97,7 @@ logging_send_syslog_msg(samhain_domain)
#
manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
+manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)
files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
domain_use_interactive_fds(samhain_t)
@@ -115,4 +117,10 @@ can_exec(samhaind_t, samhain_exec_t)
read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
+corenet_tcp_connect_smtp_port(samhaind_t)
+
+dev_read_rand(samhaind_t)
+
init_use_script_ptys(samhaind_t)
+
+sysnet_dns_name_resolve(samhaind_t)
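Review bot: The last hunk gives samhaind_t unconditional outbound SMTP (`corenet_tcp_connect_smtp_port(samhaind_t)`) and DNS (`sysnet_dns_name_resolve(samhaind_t)`) access, so a file-integrity daemon that only reports locally still carries network egress rights; refpolicy normally puts optional mail reporting behind a boolean so the access can be switched off where it is unused. I would declare a tunable at the top of samhain.te (outside this hunk; the name samhain_send_mail below is constructed for this note) and wrap both calls in a tunable_policy block, with a comment stating why the access exists. The move of `allow samhain_domain self:fd use;` in the earlier hunk is cosmetic, and the added `self:fifo_file rw_fifo_file_perms` matches the unnamed-pipe use the description mentions. The rest of samhaind_t's rules are outside the hunk, so I cannot see whether it already has the generic tcp_socket and interface/node rules that name_connect alone does not provide; sysnet_dns_name_resolve usually supplies them, but verify.
```m4
## <desc>
## <p>
## Determine whether samhain can send integrity
## reports by e-mail (SMTP connect and DNS lookup).
## </p>
## </desc>
gen_tunable(samhain_send_mail, false)

dnl … unchanged: samhaind_t rules up to read_files_pattern …

# samhain can e-mail integrity reports; needs smtp name_connect and DNS
tunable_policy(`samhain_send_mail',`
	corenet_tcp_connect_smtp_port(samhaind_t)
	sysnet_dns_name_resolve(samhaind_t)
')

dev_read_rand(samhaind_t)

init_use_script_ptys(samhaind_t)
```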