policy_module(tripwire, 1.2.1)

# SELinux reference-policy module for Tripwire, the file-integrity checker.
# Four executables are confined in four separate domains:
#   tripwire_t  - the checker itself; the only domain here that gets
#                 capabilities and write access (reports, tmp, var_lib db)
#   twadmin_t   - configuration tool; read-only on the config in this module
#   twprint_t   - report/database printer; read-only throughout
#   siggen_t    - signature generator; read-only throughout
# Private types for the config, reports, tmp files and the var_lib database
# are declared below. No rule in this module grants any domain write
# access to tripwire_etc_t, so the config/policy files stay write-protected
# from all four domains.

########################################
#
# Declarations
#

# One role attribute per domain: collects the roles allowed to run that
# domain. Nothing in this file adds roles to these attributes; the
# `role ... types ...` statements below only bind each attribute to its domain.
attribute_role siggen_roles;
attribute_role tripwire_roles;
attribute_role twadmin_roles;
attribute_role twprint_roles;

# siggen: domain + entrypoint executable type.
type siggen_t;
type siggen_exec_t;
application_domain(siggen_t, siggen_exec_t)
role siggen_roles types siggen_t;

# tripwire: domain + entrypoint executable type.
type tripwire_t;
type tripwire_exec_t;
application_domain(tripwire_t, tripwire_exec_t)
role tripwire_roles types tripwire_t;

# Configuration/policy files; marked as a config file type.
type tripwire_etc_t;
files_config_file(tripwire_etc_t)

# Integrity-check reports (generic file type).
type tripwire_report_t;
files_type(tripwire_report_t)

# Private temporary files.
type tripwire_tmp_t;
files_tmp_file(tripwire_tmp_t)

# Persistent state under var_lib (the baseline database); generic file type.
type tripwire_var_lib_t;
files_type(tripwire_var_lib_t)

# twadmin: domain + entrypoint executable type.
type twadmin_t;
type twadmin_exec_t;
application_domain(twadmin_t, twadmin_exec_t)
role twadmin_roles types twadmin_t;

# twprint: domain + entrypoint executable type.
type twprint_t;
type twprint_exec_t;
application_domain(twprint_t, twprint_exec_t)
role twprint_roles types twprint_t;

########################################
#
# Local policy
#

# Capabilities for the checker: dac_override bypasses DAC permission checks
# on the files it scans, setuid/setgid allow credential changes. These are
# the broadest grants in the module and are given to tripwire_t only.
allow tripwire_t self:capability { setgid setuid dac_override };

# Read-only access to its own configuration (list dirs, read files and
# symlinks). No write/manage rule on tripwire_etc_t exists in this module.
allow tripwire_t tripwire_etc_t:dir list_dir_perms;
allow tripwire_t tripwire_etc_t:file read_file_perms;
allow tripwire_t tripwire_etc_t:lnk_file read_lnk_file_perms;

# Full create/read/write/delete on report dirs, files and symlinks.
manage_dirs_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
manage_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)
manage_lnk_files_pattern(tripwire_t, tripwire_report_t, tripwire_report_t)

# Private tmp: full management of dirs/files/symlinks/fifos/sockets, and
# anything created in the generic tmp directory is labelled tripwire_tmp_t
# so it is not shared with other domains' tmp files.
manage_dirs_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
manage_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
manage_lnk_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
manage_fifo_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
manage_sock_files_pattern(tripwire_t, tripwire_tmp_t, tripwire_tmp_t)
files_tmp_filetrans(tripwire_t, tripwire_tmp_t,{ dir file lnk_file sock_file fifo_file })

# Database under var_lib: files (not subdirectories) are managed, and new
# files created in the generic var_lib directory get tripwire_var_lib_t.
manage_files_pattern(tripwire_t, tripwire_var_lib_t, tripwire_var_lib_t)
files_var_lib_filetrans(tripwire_t, tripwire_var_lib_t, file)

# Read-only visibility into kernel state: system, network and software-RAID
# state plus kernel sysctls; only getattr on the core and message interfaces.
kernel_read_system_state(tripwire_t)
kernel_read_network_state(tripwire_t)
kernel_read_software_raid_state(tripwire_t)
kernel_getattr_core_if(tripwire_t)
kernel_getattr_message_if(tripwire_t)
kernel_read_kernel_sysctls(tripwire_t)

# May execute general binaries and shells. This is a broad grant for an
# integrity checker; presumably for external/report hooks — confirm it is
# still required before keeping it.
corecmd_exec_bin(tripwire_t)
corecmd_exec_shell(tripwire_t)

# Inherit file descriptors from the invoking (interactive) domain.
domain_use_interactive_fds(tripwire_t)

# The core of the job: read every file and symlink on the system. Pipes and
# sockets get metadata (getattr) only, not read access.
files_read_all_files(tripwire_t)
files_read_all_symlinks(tripwire_t)
files_getattr_all_pipes(tripwire_t)
files_getattr_all_sockets(tripwire_t)

# Report to syslog.
logging_send_syslog_msg(tripwire_t)

# Read/write the user's terminal when run interactively.
userdom_use_user_terminals(tripwire_t)

# If the cron module is loaded, system cron jobs executing tripwire_exec_t
# transition into tripwire_t (scheduled integrity checks).
optional_policy(`
	cron_system_entry(tripwire_t, tripwire_exec_t)
')

########################################
#
# Twadmin local policy
#

# Read-only access to the configuration. No capabilities and no write
# rules on tripwire_etc_t are granted to twadmin_t in this module.
allow twadmin_t tripwire_etc_t:dir list_dir_perms;
allow twadmin_t tripwire_etc_t:file read_file_perms;
allow twadmin_t tripwire_etc_t:lnk_file read_lnk_file_perms;

# Inherit file descriptors from the invoking (interactive) domain.
domain_use_interactive_fds(twadmin_t)

# Traverse /etc to reach the config directory.
files_search_etc(twadmin_t)

# Report to syslog.
logging_send_syslog_msg(twadmin_t)

# Locale data.
miscfiles_read_localization(twadmin_t)

# Read/write the user's terminal when run interactively.
userdom_use_user_terminals(twadmin_t)

########################################
#
# Twprint local policy
#

# Read-only access to the configuration.
allow twprint_t tripwire_etc_t:dir list_dir_perms;
allow twprint_t tripwire_etc_t:file read_file_perms;
allow twprint_t tripwire_etc_t:lnk_file read_lnk_file_perms;

# Read-only access to reports (the printer never modifies them).
allow twprint_t tripwire_report_t:dir list_dir_perms;
allow twprint_t tripwire_report_t:file read_file_perms;
allow twprint_t tripwire_report_t:lnk_file read_lnk_file_perms;

# Read-only access to the var_lib database.
allow twprint_t tripwire_var_lib_t:dir list_dir_perms;
allow twprint_t tripwire_var_lib_t:file read_file_perms;
allow twprint_t tripwire_var_lib_t:lnk_file read_lnk_file_perms;

# Inherit file descriptors from the invoking (interactive) domain.
domain_use_interactive_fds(twprint_t)

# Traverse /etc and /var/lib to reach the config and database directories.
files_search_etc(twprint_t)
files_search_var_lib(twprint_t)

# Report to syslog.
logging_send_syslog_msg(twprint_t)

# Locale data.
miscfiles_read_localization(twprint_t)

# Read/write the user's terminal when run interactively.
userdom_use_user_terminals(twprint_t)

########################################
#
# Siggen local policy
#

# Inherit file descriptors from the invoking (interactive) domain.
domain_use_interactive_fds(siggen_t)

# Read every file on the system (to compute signatures). No capabilities
# and no write rules are granted to siggen_t.
# NOTE(review): unlike tripwire_t there is no files_read_all_symlinks here;
# confirm siggen never needs to follow symlinks it is pointed at.
files_read_all_files(siggen_t)

# Report to syslog.
logging_send_syslog_msg(siggen_t)

# Locale data.
miscfiles_read_localization(siggen_t)

# Read/write the user's terminal when run interactively.
userdom_use_user_terminals(siggen_t)