(Miroslav Grepl) Contributed policy file to make psad compatible with…
… SELinux.

git-svn-id: file:///home/mbr/svn/psad_repos/psad/trunk@2249 91a0a83b-1414-0410-bf9a-c3dbc33e90b6
mrash committed Jan 24, 2009
1 parent 38188c5 commit c649c47
Showing 5 changed files with 434 additions and 0 deletions.
2 changes: 2 additions & 0 deletions ChangeLog
@@ -1,4 +1,6 @@
psad-2.1.5 (09//2008):
- (Miroslav Grepl) Contributed policy file to make psad compatible with
SELinux.
- Bug fix for local server ports not reported correctly under netstat
parsing (Franck Joncourt).
- (Steve B) Submitted patch to fix a bug in the start() function in the
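--- a/selinux/README
+++ b/selinux/README
@@ -0,0 +1,4 @@
+
+This directory contains policy files for making psad compatible with SELinux.
+These policies were contributed on 01/23/09 by Miroslav Grepl
+(<[email protected]>) at Red Hat.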
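--- a/selinux/psad.fc
+++ b/selinux/psad.fc
@@ -0,0 +1,17 @@
+
+
+/etc/rc\.d/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0)
+
+/etc/psad(/.*)? gen_context(system_u:object_r:psad_etc_t,s0)
+
+/usr/sbin/psad -- gen_context(system_u:object_r:psad_exec_t,s0)
+
+#/usr/sbin/psadwatchd -- gen_context(system_u:object_r:psadwatchd_exec_t,s0)
+
+#/usr/sbin/kmsgsd -- gen_context(system_u:object_r:kmsgsd_exec_t,s0)
+
+/var/run/psad(/.*)? gen_context(system_u:object_r:psad_var_run_t,s0)
+
+/var/lib/psad(/.*)? gen_context(system_u:object_r:psad_var_lib_t,s0)
+
+/var/log/psad(/.*)? gen_context(system_u:object_r:psad_var_log_t,s0)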
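Review bot: The entries for `/usr/sbin/psadwatchd` and `/usr/sbin/kmsgsd` are commented out, so those two daemons receive no psad-specific file label and therefore no domain transition on exec; they will run in whatever domain starts them, which means this policy does not confine them even though the commented labels suggest dedicated `psadwatchd_exec_t` and `kmsgsd_exec_t` types were intended. The type enforcement file is not visible in this view, so either re-enable the two lines once the matching types are defined there, or record the reason in place, e.g. `# psadwatchd and kmsgsd are left unlabeled on purpose: no dedicated domains yet`. Only the Red Hat init-script path `/etc/rc\.d/init\.d/psad` is labeled; a system without `/etc/rc.d` would also need `/etc/init\.d/psad -- gen_context(system_u:object_r:psad_initrc_exec_t,s0)` for the init script to transition correctly.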
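--- a/selinux/psad.if
+++ b/selinux/psad.if
@@ -0,0 +1,304 @@
+## <summary>Psad SELinux policy</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run psad.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`psad_domtrans',`
+gen_require(`
+type psad_t, psad_exec_t;
+')
+
+domtrans_pattern($1, psad_exec_t, psad_t)
+')
+
+########################################
+## <summary>
+## Read and write psad UDP sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_udp_sockets',`
+gen_require(`
+type psad_t;
+')
+
+allow $1 psad_t:udp_socket { read write };
+')
+
+########################################
+## <summary>
+## Read and write psad packet sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_packet_sockets',`
+gen_require(`
+type psad_t;
+')
+
+allow $1 psad_t:packet_socket { read write };
+')
+
+########################################
+## <summary>
+## Send a generic signal to psad
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_signal',`
+gen_require(`
+type psad_t;
+')
+
+allow $1 psad_t:process signal;
+')
+
+#######################################
+## <summary>
+## Send a null signal to psad.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_signull',`
+gen_require(`
+type psad_t;
+')
+
+allow $1 psad_t:process signull;
+')
+
+########################################
+## <summary>
+## Read psad etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`psad_read_etc',`
+gen_require(`
+type psad_etc_t;
+')
+
+files_search_etc($1)
+read_files_pattern($1, psad_etc_t, psad_etc_t)
+')
+
+########################################
+## <summary>
+## Manage psad etc configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`psad_manage_etc',`
+gen_require(`
+type psad_etc_t;
+')
+
+files_search_etc($1)
+manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
+manage_files_pattern($1, psad_etc_t, psad_etc_t)
+
+')
+
+########################################
+## <summary>
+## Read psad PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`psad_read_pid_files',`
+gen_require(`
+type psad_var_run_t;
+')
+
+files_search_pids($1)
+read_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+## Read psad PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+##
+#
+interface(`psad_rw_pid_files',`
+gen_require(`
+type psad_var_run_t;
+')
+
+files_search_pids($1)
+rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read psad's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`psad_read_log',`
+gen_require(`
+type psad_var_log_t;
+')
+
+logging_search_logs($1)
+list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+read_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append to psad's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+##
+#
+interface(`psad_append_log',`
+gen_require(`
+type psad_var_log_t;
+')
+
+logging_search_logs($1)
+list_dirs_pattern($1, psad_var_log_t, psad_var_log_t)
+append_files_pattern($1, psad_var_log_t, psad_var_log_t)
+')
+
+########################################
+## <summary>
+## Read and write psad fifo files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_fifo_file',`
+gen_require(`
+type psad_t;
+')
+
+files_search_var_lib($1)
+search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
+rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
+')
+
+#######################################
+## <summary>
+## Read and write psad tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`psad_rw_tmp_files',`
+gen_require(`
+type psad_tmp_t;
+')
+
+files_search_tmp($1)
+rw_files_pattern($1, psad_tmp_t, psad_tmp_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an psad environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`psad_admin',`
+gen_require(`
+type psad_t, psad_var_run_t, psad_var_log_t;
+type psad_initrc_exec_t, psad_var_lib_t;
+type psad_tmp_t;
+')
+
+allow $1 psad_t:process { ptrace signal_perms };
+ps_process_pattern($1, psad_t)
+
+init_labeled_script_domtrans($1, psad_initrc_exec_t)
+domain_system_change_exemption($1)
+role_transition $2 psad_initrc_exec_t system_r;
+allow $2 system_r;
+
+files_search_etc($1)
+admin_pattern($1, psad_etc_t)
+
+files_search_pids($1)
+admin_pattern($1, psad_var_run_t)
+
+logging_search_logs($1)
+admin_pattern($1, psad_var_log_t)
+
+files_search_var_lib($1)
+admin_pattern($1, psad_var_lib_t)
+
+files_search_tmp($1)
+admin_pattern($1, psad_tmp_t)
+')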
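Review bot: `psad_rw_fifo_file` declares `type psad_t;` in its gen_require block but its body only references `psad_var_lib_t`, so a calling module that does not already have that type in scope will fail to build or silently get an unresolved type; the require line should read `type psad_var_lib_t;`. `psad_admin` has the same gap: its three require lines omit `psad_etc_t` even though `admin_pattern($1, psad_etc_t)` is called, so extend the first line to `type psad_t, psad_var_run_t, psad_var_log_t, psad_etc_t;`. Two documentation strings also read as copy-paste leftovers: the summary on `psad_rw_pid_files` says "Read psad PID files." although the interface grants read/write via rw_files_pattern, and the role parameter of `psad_admin` describes "the syslog domain" rather than psad; suggested text `## Read and write psad PID files.` and `## The role to be allowed to manage the psad domain.`.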