Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/contrib/samhain.if

## <summary>Check file integrity.</summary>

#######################################
## <summary>
##	The template to define a samhain domain.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Domain prefix to be used.
##	</summary>
## </param>
#
template(`samhain_service_template',`
	gen_require(`
		attribute samhain_domain;
		type samhain_exec_t;
	')

	type $1_t;
	domain_type($1_t)
	domain_entry_file($1_t, samhain_exec_t)

	files_read_all_files($1_t)

	mls_file_write_all_levels($1_t)

	logging_send_syslog_msg($1_t)
')

########################################
## <summary>
##	Execute samhain in the samhain domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samhain_domtrans',`
	gen_require(`
		type samhain_t, samhain_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, samhain_exec_t, samhain_t)
')

########################################
## <summary>
##	Execute samhain in the samhain
##	domain with the clearance security
##	level and allow the specifiled role
##	the samhain domain.
## </summary>
## <desc>
##	<p>
##	Execute samhain in the samhain
##	domain with the clearance security
##	level and allow the specifiled role
##	the samhain domain.
##	</p>
##	<p>
##	The range_transition rule used in
##	this interface requires that the
##	calling domain should have the
##	clearance security level otherwise
##	the MLS constraint for process
##	transition would fail.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed to access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samhain_run',`
	gen_require(`
		attribute_role samhain_roles;
		type samhain_exec_t;
	')

	samhain_domtrans($1)
	roleattribute $2 samhain_roles;

	ifdef(`enable_mls', `
		range_transition $1 samhain_exec_t:process mls_systemhigh;
	')
')

########################################
## <summary>
##	Create, read, write, and delete
##	samhain configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_config_files',`
	gen_require(`
		type samhain_etc_t;
	')

	files_rw_etc_dirs($1)
	allow $1 samhain_etc_t:file manage_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	samhain database files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_db_files',`
	gen_require(`
		type samhain_db_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, samhain_db_t, samhain_db_t)
')

#######################################
## <summary>
##	Create, read, write, and delete
##	samhain init script files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_init_script_files',`
	gen_require(`
		type samhain_initrc_exec_t;
	')

	files_search_etc($1)
	manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	samhain log and log.lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_log_files',`
	gen_require(`
		type samhain_log_t;
	')

	logging_search_logs($1)
	manage_files_pattern($1, samhain_log_t, samhain_log_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	samhain pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samhain_manage_pid_files',`
	gen_require(`
		type samhain_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
')

#######################################
## <summary>
##	All of the rules required to
##	administrate the samhain environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samhain_admin',`
	gen_require(`
		attribute samhain_domain;
		type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
		type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
	')

	allow $1 samhain_domain:process { ptrace signal_perms };
	ps_process_pattern($1, samhain_domain)

	# pending
	# init_labeled_script_domtrans($1, samhain_initrc_exec_t)
	# domain_system_change_exemption($1)
	# role_transition $2 samhain_initrc_exec_t system_r;
	# allow $2 system_r;

	files_list_var_lib($1)
	admin_pattern($1, samhain_db_t)

	files_list_etc($1)
	admin_pattern($1, { samhain_initrc_exec_t samhain_etc_t })

	logging_list_logs($1)
	admin_pattern($1, samhain_log_t)

	files_list_pids($1)
	admin_pattern($1, samhain_var_run_t)

	# samhain_run($1, $2)
')