
atop: add policy module

copied over from debian-selinux-policies
Helmut Pozimski 4 years ago
parent
commit
33178955c5
2 changed files with 143 additions and 0 deletions
  1. 17 0
      atop.fc
  2. 126 0
      atop.te

+ 17 - 0
atop.fc

@@ -0,0 +1,17 @@
+/etc/rc\.d/init\.d/atop	--	gen_context(system_u:object_r:atop_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/atopacct	--	gen_context(system_u:object_r:atopacct_initrc_exec_t,s0)
+
+/usr/bin/atop			-- 	gen_context(system_u:object_r:atop_exec_t,s0)
+/usr/share/atop/atop.wrapper	--	gen_context(system_u:object_r:atop_exec_t,s0)
+/usr/share/atop/atop.daily	--	gen_context(system_u:object_r:atop_exec_t,s0)
+/usr/sbin/atopacctd	--	gen_context(system_u:object_r:atopacct_exec_t,s0)
+/var/log/atop(/.*)?			gen_context(system_u:object_r:atop_var_log_t,s0)
+
+/var/run/atop(/.*)?			gen_context(system_u:object_r:atop_var_run_t,s0)
+/var/run/atop\.pid		--	gen_context(system_u:object_r:atop_var_run_t,s0)
+
+/var/run/atopacctd\.pid		--	gen_context(system_u:object_r:atopacct_var_run_t,s0)
+/var/run/pacct_shadow.d(/.*)?		gen_context(system_u:object_r:atopacct_var_run_t,s0)
+/var/run/pacct_source	--	gen_context(system_u:object_r:atopacct_var_run_t,s0)
+
+/var/cache/atop.d(/.*)?			gen_context(system_u:object_r:atop_var_cache_t,s0)
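Review bot: Several paths leave the `.` unescaped while the rest of the file escapes it, so those entries are regexes that match any character in that position: `/usr/share/atop/atop.wrapper`, `/usr/share/atop/atop.daily`, `/var/run/pacct_shadow.d(/.*)?` and `/var/cache/atop.d(/.*)?`. The practical effect is a slightly wider match than intended, but it is also inconsistent with the `atop\.pid` and `atopacctd\.pid` lines above, so the fix is simply `/var/run/pacct_shadow\.d(/.*)?` and `/var/cache/atop\.d(/.*)?` (and likewise for the two /usr/share entries). The /var/run entries presumably rely on the policy's /run substitution; worth confirming on the target distribution since the .te file uses files_pid_file for these types.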

+ 126 - 0
atop.te

@@ -0,0 +1,126 @@
+policy_module(atop, 0.1.18)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role atop_roles;
+
+type atop_t;
+type atop_exec_t;
+init_daemon_domain(atop_t, atop_exec_t)
+role atop_roles types atop_t;
+
+type atopacct_t;
+type atopacct_exec_t;
+init_daemon_domain(atopacct_t, atopacct_exec_t)
+
+type atop_initrc_exec_t;
+init_script_file(atop_initrc_exec_t)
+
+type atopacct_initrc_exec_t;
+init_script_file(atopacct_initrc_exec_t)
+
+type atop_var_log_t;
+logging_log_file(atop_var_log_t)
+
+type atop_var_run_t;
+files_pid_file(atop_var_run_t)
+
+type atopacct_var_run_t;
+files_pid_file(atopacct_var_run_t)
+
+type atop_var_cache_t;
+files_type(atop_var_cache_t)
+
+########################################
+#
+# Local policy
+#
+
+allow atop_t atop_exec_t:file execute_no_trans;
+allow atop_t self:capability { setuid sys_nice sys_resource ipc_lock sys_pacct dac_override net_raw sys_ptrace };
+allow atop_t self:process { setsched sigkill setrlimit setpgid signal };
+allow atop_t self:sem { write read create unix_write unix_read };
+allow atop_t self:udp_socket { create ioctl };
+allow atop_t self:sem associate;
+allow atop_t self:rawip_socket { create getopt };
+allow atop_t self:fifo_file { getattr ioctl read write };
+
+allow atop_t atopacct_t:sem { associate read unix_write write };
+
+manage_dirs_pattern(atop_t, atop_var_log_t, atop_var_log_t)
+manage_files_pattern(atop_t, atop_var_log_t, atop_var_log_t)
+logging_log_filetrans(atop_t, atop_var_log_t, file)
+
+manage_dirs_pattern(atop_t, atop_var_cache_t, atop_var_cache_t)
+manage_files_pattern(atop_t, atop_var_cache_t, atop_var_cache_t)
+
+manage_dirs_pattern(atop_t, atop_var_run_t, atop_var_run_t)
+manage_files_pattern(atop_t, atop_var_run_t, atop_var_run_t)
+files_pid_filetrans(atop_t, atop_var_run_t, { file dir })
+
+read_files_pattern(atop_t, atopacct_var_run_t, atopacct_var_run_t)
+
+corecmd_exec_bin(atop_t)
+
+optional_policy(`
+	gen_require(`
+		type initrc_t;
+	')
+	allow atop_t initrc_t:sem { read unix_write write associate };
+')
+
+userdom_getattr_user_home_dirs(atop_t)
+
+kernel_getattr_proc(atop_t)
+kernel_search_proc(atop_t)
+kernel_list_proc(atop_t)
+kernel_getattr_proc_files(atop_t)
+kernel_read_proc_symlinks(atop_t)
+kernel_read_system_state(atop_t)
+kernel_get_sysvipc_info(atop_t)
+kernel_read_kernel_sysctls(atop_t)
+
+domain_read_all_domains_state(atop_t)
+corecmd_shell_entry_type(atop_t)
+kernel_read_network_state(atop_t)
+fs_getattr_tmpfs(atop_t)
+auth_use_nsswitch(atop_t)
+
+storage_getattr_fixed_disk_dev(atop_t)
+miscfiles_read_localization(atop_t)
+dev_getattr_lvm_control(atop_t)
+
+cron_system_entry(atop_t, atop_exec_t)
+
+init_read_utmp(atop_t)
+
+### atopacct policy
+
+allow atopacct_t self:capability { net_admin sys_nice sys_pacct };
+allow atopacct_t self:netlink_generic_socket { bind create read setopt write };
+allow atopacct_t self:process { setsched signal };
+allow atopacct_t self:unix_dgram_socket { connect create write };
+allow atopacct_t self:sem { read unix_read };
+
+manage_dirs_pattern(atopacct_t, atopacct_var_run_t, atopacct_var_run_t)
+manage_files_pattern(atopacct_t, atopacct_var_run_t, atopacct_var_run_t)
+files_pid_filetrans(atopacct_t, atopacct_var_run_t, { file dir })
+
+logging_send_syslog_msg(atopacct_t)
+
+miscfiles_read_localization(atopacct_t)
+
+kernel_read_system_state(atopacct_t)
+
+fs_getattr_tmpfs(atopacct_t)
+
+optional_policy(`
+	gen_require(`
+		type initrc_t;
+	')
+	allow atopacct_t initrc_t:sem { associate read unix_read unix_write write };
+')
+