SELinux Mailing List
Subject: New policy for tripwire
Date: Sat, 12 Mar 2005 18:50:45 -0500
David
# tripwire
/etc/tripwire(/.*)?                 system_u:object_r:tripwire_etc_t
/usr/sbin/siggen                    system_u:object_r:siggen_exec_t
/usr/sbin/tripwire                  system_u:object_r:tripwire_exec_t
/usr/sbin/tripwire-setup-keyfiles   system_u:object_r:bin_t
/usr/sbin/twadmin                   system_u:object_r:twadmin_exec_t
/usr/sbin/twprint                   system_u:object_r:twprint_exec_t
/var/lib/tripwire(/.*)?             system_u:object_r:tripwire_var_lib_t
/var/lib/tripwire/report(/.*)?      system_u:object_r:tripwire_report_t

# DESC tripwire
# NOTE: Tripwire creates temp file in its current working directory.

# Common definitions

# Macro for defining tripwire domains

# Allow access to common tripwire files
allow $1_t tripwire_etc_t:file r_file_perms;
allow $1_t tripwire_etc_t:dir r_dir_perms;
allow $1_t tripwire_etc_t:lnk_file { getattr read };
file_type_auto_trans($1_t, var_lib_t, tripwire_var_lib_t, file)
allow $1_t tripwire_var_lib_t:dir rw_dir_perms;
file_type_auto_trans($1_t, tmp_t, tripwire_tmp_t, `{ file dir }')
allow $1_t self:process { fork sigchld };
allow $1_t self:capability { setgid setuid dac_override };

# Tripwire needs to read all files on the system
allow $1_t file_type:dir { search getattr read };
allow $1_t file_type:{ file chr_file lnk_file sock_file } { getattr read };
allow $1_t file_type:fifo_file { getattr };
allow $1_t device_type:file { getattr read };
allow $1_t sysctl_t:dir { getattr read };
allow $1_t { memory_device_t tty_device_t urandom_device_t zero_device_t }:chr_file getattr;

# Tripwire report files
# gethostid()?
# Running editor program (tripwire forks then runs bash which runs editor)
allow $1_t self:dir search;
##########
#
# Running from the command line
allow tripwire_t devpts_t:dir search;
allow tripwire_t devtty_t:chr_file { read write };
allow tripwire_t { sysadm_devpts_t user_devpts_t }:chr_file rw_file_perms;
allow tripwire_t sshd_t:fd use;

##########
#
# Tripwire uses a temp file in the root home directory
##########
allow twadmin_t sysadm_tmp_t:file { getattr read write };

# Running from the command line
dontaudit twadmin_t { bin_t sbin_t }:dir search;
dontaudit twadmin_t home_root_t:dir search;
dontaudit twprint_t user_home_dir_t:dir search;

##########
# Running from the command line
dontaudit twprint_t { bin_t sbin_t }:dir search;
dontaudit twprint_t home_root_t:dir search;

##########
# Need permission to read files

# Running from the command line

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
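As an added check that is not part of David's post or of the tripwire policy itself, the following Python reproduces how the file-contexts entries in the post are matched against a path: each regex is anchored at both ends, and with the ordering rule the classic setfiles/matchpathcon implementation applied, the last matching entry in the file wins. That is why the narrower /var/lib/tripwire/report entry has to come after the broader /var/lib/tripwire one: reversing them would leave report files labelled tripwire_var_lib_t. The copy of the entries and the sample paths are constructed here, and the handling of the optional file-type flag (--, -d, ...) goes beyond what this particular file uses.

```python
import re

# Constructed copy of the file-contexts entries from the post above,
# one entry per line, same paths and labels.
TRIPWIRE_FC = """
# tripwire
/etc/tripwire(/.*)?                 system_u:object_r:tripwire_etc_t
/usr/sbin/siggen                    system_u:object_r:siggen_exec_t
/usr/sbin/tripwire                  system_u:object_r:tripwire_exec_t
/usr/sbin/tripwire-setup-keyfiles   system_u:object_r:bin_t
/usr/sbin/twadmin                   system_u:object_r:twadmin_exec_t
/usr/sbin/twprint                   system_u:object_r:twprint_exec_t
/var/lib/tripwire(/.*)?             system_u:object_r:tripwire_var_lib_t
/var/lib/tripwire/report(/.*)?      system_u:object_r:tripwire_report_t
"""

# Optional second field of a file_contexts entry, which restricts the
# entry to one object class (not used by the post's file, handled for
# generality).
FILE_TYPE_FLAGS = {
    "--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
    "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file",
}


def parse_file_contexts(text):
    """Return a list of (compiled_regex, file_class_or_None, context_or_None).

    Each regex is anchored at both ends, as setfiles does. A context of
    <<none>> means "do not relabel this path" and is stored as None.
    """
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, context = fields
            file_class = FILE_TYPE_FLAGS[flag]
        elif len(fields) == 2:
            regex, context = fields
            file_class = None
        else:
            raise ValueError(f"malformed file_contexts entry: {line!r}")
        if context == "<<none>>":
            context = None
        specs.append((re.compile("^" + regex + "$"), file_class, context))
    return specs


def match_context(specs, path, file_class="file"):
    """Return the context assigned to `path`, or None if no entry matches.

    Last-match-wins: every matching entry overrides the ones before it,
    so a more specific path pattern must appear later in the file than
    the general pattern it refines.
    """
    winner = None
    for regex, spec_class, context in specs:
        if spec_class is not None and spec_class != file_class:
            continue
        if regex.match(path):
            winner = context
    return winner


if __name__ == "__main__":
    specs = parse_file_contexts(TRIPWIRE_FC)
    # Constructed sample paths a tripwire installation would contain.
    for p in ("/usr/sbin/tripwire", "/usr/sbin/tripwire-setup-keyfiles",
              "/etc/tripwire/tw.cfg", "/var/lib/tripwire/host.twd",
              "/var/lib/tripwire/report/host-20050312.twr", "/etc/tripwire.bak"):
        print(f"{p:45} {match_context(specs, p)}")
```

Run it as a quick sanity check before installing a changed .fc: a path that resolves to None will keep whatever label its parent directory transition gives it, and a path that resolves to tripwire_var_lib_t when you expected tripwire_report_t means the entries are in the wrong order.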
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |