The latest rbac-self-test is attached. It contains a number of fixes
over the last version. Most importantly, it now generates a success
audit record and has some missing return code checks. I would
appreciate any comments on the code or the policy. This may be close
enough for Klaus to include in the certification RPM, which would
help it get some testing.
--
George Wilson <[EMAIL PROTECTED]>
IBM Linux Technology Center
#!/usr/bin/python
################################################################################
# #
# The RBACPP Self Test #
# #
# Performs various tests on the system to verify RBACPP compliance. #
# #
# Copyright (C) 2006,2007 IBM Corporation #
# Licensed under GNU General Public License #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program; see the file COPYING. If not, write to #
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. #
# #
# Author: George C. Wilson <[EMAIL PROTECTED]> #
# #
################################################################################
# #
# USE #
# #
# 1. First take a snapshot of the filesystem hashes using AIDE. #
# #
# rbacpp-self-test --snapshot --verbose #
# #
# 2. Run the the self test in normal mode. #
# #
# rbacpp-self-test --verbose #
# #
# 3. Add the command to your crontab. #
# #
# rbacpp-self-test #
# #
# 4. Check the audit and system logs for failures. #
# #
################################################################################
import string
import re
import os
import os.path
import errno
import sys
import shutil
import pwd
import syslog
import socket
import selinux
import audit
class SelfTest:
#
# init
#
# Returns: None
#
def __init__(self):
self.default_failure_action = 'single'
self.config_file = '/etc/security/rbac-self-test.conf'
self.program_name = os.path.basename(sys.argv[0])
self.read = False
self.write = True
self.SystemHigh = 'SystemHigh'
self.SystemLow = 'SystemLow'
self.expectSuccess = False
self.expectFailure = True
self.success = True
self.failure = False
self.failure_action_performed = False
return(None)
#
# usage
#
# Returns: 0 - Success
#
def usage(self):
print self.program_name + ': [--snapshot] [--verbose]'
return(0)
#
# Parse args
#
# Returns: rc: 0 - Success, 1 - Failure
#
def args_parse(self):
self.opt_snapshot = False
self.opt_verbose = False
rc = 0
for opt in sys.argv[1:]:
if opt == '--snapshot' or opt == '-s':
self.opt_snapshot = True
elif opt == '--verbose' or opt == '-v':
self.opt_verbose = True
else:
rc = 1
return(rc)
#
# Init failure action from config file.
#
# Returns: 0 - Successfully logged audit message, errno or -1 on
failure
#
def failure_action_init(self):
rc = 0
self.failure_action = self.default_failure_action
try:
action_file = open(self.config_file, 'r')
if action_file.closed == False:
action_list = action_file.readlines()
action = action_list[0]
action = action.strip()
action_file.close()
except IOError, (oserrno, strerror):
self.message_log('Cannot read auditd action: ' + self.config_file +
': ' + strerror)
rc = oserrno
except:
raise
if rc == 0:
if ((action == 'single') or (action == 'log')):
self.failure_action = action
else:
self.message_log('Invalid failure action: ' + action)
rc = -1
return (rc)
#
# Perform the failure action.
#
# Return: 0 in success, errno or -1 on failure
#
def failure_action_perform(self):
rc = 0
# Just do it once, prevent recursion.
if self.failure_action_performed == False:
if self.failure_action == 'single':
try:
rc = os.spawnv(os.P_WAIT, '/sbin/telinit',
('/sbin/telinit', '1'))
self.failure_action_performed = True
if rc != 0:
self.message_log('/sbin/telinit 1 failed, rc = ' +
str(rc))
except OSError, (oserrno, strerror):
self.message_log('Cannot run /sbin/telinit s to go to
single user mode: '+ strerror)
rc = oserrno
except:
raise
elif self.failure_action != 'log':
self.failure_action_performed = True
self.message_log('Invalid audit failure action - logging only')
rc = -1
return(rc)
#
# Log an audit message
#
# Returns: 0 - Successfully logged audit message, 1 - Failure
#
def message_log(self, message, successful = False):
rc = 0
try:
hostname = socket.gethostname()
try:
hostaddr = socket.gethostbyname(hostname)
except:
hostaddr = 'unknown'
except:
hostname = 'unknown'
try:
ttyname = os.readlink('/proc/self/fd/0')
if ttyname.find('/dev') != 0:
ttyname = 'notatty'
except:
ttyname = 'unknown'
message = self.program_name + ': ' + message
if (successful == True):
audit_record_type = audit.AUDIT_TEST
else:
audit_record_type = audit.AUDIT_ANOM_RBAC_FAIL
try:
audit.audit_log_user_message(self.audit_fd,
audit_record_type,
message,
hostname,
hostaddr,
ttyname,
successful)
except:
print 'Attention: Cannot log audit record'
rc = 1
try:
syslog.openlog('Security')
syslog.syslog(syslog.LOG_AUTH|syslog.LOG_EMERG,
'Attention: Cannot log audit record (message was:
' + message + ')')
syslog.closelog()
except:
print 'Attention: Cannot log syslog record'
if self.opt_verbose == True:
print message
self.failure_action_perform()
return(rc)
#
# Initialize audit.
#
# Returns: An audit handle; Non-negative integer - Success, -1 -
Failure
#
def audit_open(self):
rc = 0
self.audit_fd = -1
rc = self.failure_action_init()
if rc != 0:
self.message_log('Cannot set failure action in audit init')
if rc == 0:
try:
self.audit_fd = audit.audit_open()
except:
self.message_log('Cannot open audit')
rc = 1
return(rc)
#
# Deinitialize audit.
#
# Returns: 0 - Success, 1 - Failure
#
def audit_close(self):
rc = 0
if self.audit_fd >= 0:
try:
audit.audit_close(self.audit_fd)
except:
self.message_log('Cannot close audit')
rc = 1
return(rc)
#
# Verify SELinux is enabled, enforcing, and MLS.
#
# Returns: 0 - Success, 1 - Failure
#
def selinux_verify(self):
rc = 0
try:
if selinux.is_selinux_enabled() != 1:
self.message_log('SELinux is not enabled')
rc = 1
except:
self.message_log('Cannot check whether SELinux is enabled')
rc = 1
if rc == 0:
try:
if selinux.security_getenforce() != 1:
self.message_log('SELinux is not in enforcing mode')
rc = 1
except:
self.message_log('Cannot check whether SELinux is enforcing')
rc = 1
if rc == 0:
try:
if selinux.is_selinux_mls_enabled() != 1:
self.message_log('SELinux MLS is not enabled')
rc = 1
except:
self.message_log('Cannot check whether SELinux MLS is enabled')
rc = 1
return(rc)
#
# Verify auditd is running
#
# Returns: 0 - Success, 1 - Failure
#
def auditd_verify(self):
rc = 0
try:
if audit.audit_is_enabled(self.audit_fd) != 1:
self.message_log('The audit daemon is not running')
rc = 1
except:
self.message_log('Cannot get audit status')
rc = 1
return(rc)
#
# Take an AIDE snapshot of configuration files.
#
# Returns: 0 - Success, spawnv rc or errno on failure
#
def snapshot_take(self):
rc = 0
if rc == 0:
try:
rc = os.spawnv(os.P_WAIT, '/usr/sbin/aide', ('/usr/sbin/aide',
'--init'))
except OSError, (oserrno, strerror):
self.message_log('Cannot initialize AIDE database, errno = ' +
str(oserrno) + ': ' + strerror)
rc = oserrno
except:
raise
if rc == 0:
try:
os.unlink('/var/lib/aide/aide.db.gz')
except OSError, (oserrno, strerror):
if oserrno != errno.ENOENT:
self.message_log('Cannot remove old AIDE database, errno =
' + str(oserrno) + ': ' + strerror)
rc = oserrno
except:
raise
if rc == 0:
try:
shutil.move('/var/lib/aide/aide.db.new.gz',
'/var/lib/aide/aide.db.gz')
except OSError, (oserrno, strerror):
self.message_log('Cannot move new AIDE database into place,
errno = ' + str(oserrno) + ': ' + strerror)
rc = oserrno
except:
raise
return(rc)
#
# Verify integrity of configuration files.
#
# Returns: 0 - Success; spawnv rc or errno - Failure
#
def snapshot_verify(self):
rc = 0
try:
rc = os.spawnv(os.P_WAIT, '/usr/sbin/aide', ('/usr/sbin/aide',
'--check'))
except OSError, (oserrno, strerror):
self.message_log('Cannot verify AIDE database, errno = ' +
str(oserrno) + ': ' + strerror)
rc = oserrno
except:
raise
if rc != 0:
self.message_log('Cannot verify AIDE database')
return(rc)
#
# internal "runcon"
#
# Returns: 0 - Success; spawnv rc or errno, or -1 - Failure
#
def runcon(self, context, program, *args):
rc = 0
progargs = (program,) + args
try:
rc = selinux.setexeccon(context)
except:
self.message_log('Cannot set exec context to ' + context)
rc = -1
if rc != 1:
try:
rc = os.spawnv(os.P_WAIT, program, progargs)
except OSError, (oserrno, strerror):
self.message_log('Cannot spawnv ' + str(progargs) + ': ' +
strerror)
rc = oserrno
except:
raise
return(rc)
#
# mlsfile_test
#
# Test reading/writing from level2 to level1
#
# Returns: 0 - Success, 1 - Failure
#
def mlsfile_test(self, write, level2, level1, expectfail):
rc = 0
context1 = 'root:sysadm_r:rbacselftest_t:' + level1
context2 = 'root:sysadm_r:rbacselftesthelper_t:' + level2
if write == True:
testopname = 'write'
testop = 'w'
else:
testopname = 'read'
testop = 'r'
rc = self.runcon(context1, '/usr/sbin/rbac-self-test-helper', context1,
'w')
if rc != 0:
self.message_log('Helper cannot complete create with context ' +
context1)
rc = 1
testrc = self.runcon(context2, '/usr/sbin/rbac-self-test-helper',
context1, testop)
if testrc != 0:
testrc = 1
if expectfail == True:
testrc = int(not testrc)
rc = self.runcon(context1, '/usr/sbin/rbac-self-test-helper', context1,
'd')
if rc != 0:
self.message_log('Helper cannot complete delete with context ' +
context1)
if testrc != 0:
self.message_log('MLS file test: write at ' + context1 + ', ' +
testopname + ' at ' + context2 + ' failed')
return(testrc)
#
# Main
#
# Exits: 0 - Success, 1 - Failure
#
def main():
rc = 0
st = SelfTest()
if rc == 0:
st.audit_open()
if rc == 0:
rc = st.args_parse()
if rc != 0:
st.usage()
if rc == 0 and st.audit_fd < 0:
rc = 1
if rc == 0 and st.opt_snapshot == True:
rc = st.snapshot_take()
else:
if rc == 0:
rc = st.selinux_verify()
if rc == 0:
rc = st.auditd_verify()
if rc == 0:
rc = st.snapshot_verify()
if rc == 0:
rc = st.mlsfile_test(st.read, st.SystemHigh, st.SystemLow,
st.expectSuccess)
if rc == 0:
rc = st.mlsfile_test(st.read, st.SystemLow, st.SystemHigh,
st.expectFailure)
if rc == 0:
rc = st.mlsfile_test(st.write, st.SystemHigh, st.SystemLow,
st.expectFailure)
# Stronger than BLP
if rc == 0:
rc = st.mlsfile_test(st.write, st.SystemLow, st.SystemHigh,
st.expectFailure)
if rc == 0:
st.message_log('The RBAC self test succeeded', st.success)
if st.opt_verbose == True:
print 'The RBAC self test succeeded.'
else:
st.message_log('The RBAC self test failed', st.failure)
if st.opt_verbose == True:
print 'The RBAC self test failed.'
if rc == 0:
st.audit_close()
return(rc)
if __name__ == "__main__":
sys.exit(main())
#!/usr/bin/python
################################################################################
# #
# The RBACPP Self Test Helper #
# #
# Writes, reads, and deletes test files in /var/run for rbac-self-test. #
# #
# Copyright (C) 2007 IBM Corporation #
# Licensed under GNU General Public License #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program; see the file COPYING. If not, write to #
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. #
# #
# Author: George C. Wilson <[EMAIL PROTECTED]> #
# #
################################################################################
import sys
import os
import selinux
def main():
f = None
rc = 0
datafile_basename = '/var/run/rbac-self-test-'
if len(sys.argv) == 3:
context = sys.argv[1]
op = sys.argv[2]
datafile_name = datafile_basename + context
if (op != 'r') and (op != 'w') and (op != 'd'):
print 'op must be either \'r\', \'w\', or \'d\''
rc = 1
else:
print 'usage: helper <context> <op>'
rc = 1
if rc == 0:
if (op == 'd'):
try:
os.unlink(datafile_name)
except:
print 'Cannot unlink file ' + datafile_name
rc = 1
else:
try:
f = open(datafile_name , op)
except:
print 'Cannot open file ' + datafile_name
rc = 1
if rc == 0:
if op == 'w':
try:
f.write(context)
except:
print 'Cannot write to file ' + datafile_name
rc = 1
elif op == 'r':
try:
junk = f.read()
except:
print 'Cannot read file ' + datafile_name
rc = 1
else:
print 'Bad file operator ' + op
rc = 1
if f != None:
try:
f.close()
except:
print 'Cannot close file ' + datafile_name
rc = 1
return(rc)
if __name__ == "__main__":
sys.exit(main())
.TH RBAC-SELF-TEST "1" "March 2007" "rbac-self-test 1.0" "User Commands"
.SH NAME
rbac-self-test \- Perform a set of tests on the system to ensure
compliance with RBACPP Section FPT_TST.1.
.SH SYNOPSIS
.B rbac-self-test
[\fIOPTION\fR]...
.SH DESCRIPTION
.\" Add any additional description here
.PP
Performs a set of tests that verify SELinux is functioning and
configuration files are intact.
.PP
1. Log into the system as root/sysadm_r/SystemHigh.
.PP
2. Create or edit /etc/security/rbac-self-test.conf. It must contain one
of the keywords \fBsingle\fR or \fBlog\fR on first line. The \fBsingle\fR
option tells rbac-self-test to change to single user mode when an error is
encountered so that an administrator can take corrective action. The
\fBlog\fR keyword causes rbac-self-test only to log anomalous events. The
default is \fBsingle\fR if there is not configuration file or the file
contains an invalid keyword.
.PP
3. Setup the aide database. One can do this via the --snapshot argument
to rbac-self-test.
.PP
\fBrbac-self-test --snapshot --verbose\fR
.PP
For more information on the aide program see the aide(1) manpage.
.PP
4. Run rbac-self-test in verbose mode to verify correct operation.
.PP
\fBrbac-self-test --verbose\fR
.PP
5. Run rbac-self-test on demand as required or add it to crontab to execute
it periodically.
.PP
\fBrbac-self-test\fR
.PP
6. Check the audit and system logs for failures.
.SH OPTIONS
.TP
\fB\-s\fR, \fB\-\-snapshot\fR
take a snapshot of configuration file hashes as defined in the aide
configuration file
.TP
\fB\-v\fR, \fB\-\-verbose\fR
display output to stdout in addition to producing and audit record
.SH EXIT
.PP
Exit status is 0 if OK; 1 if there is an error.
.SH AUTHOR
George C. Wilson at the IBM Corporation
.SH "REPORTING BUGS"
Report bugs to <[EMAIL PROTECTED]>.
.SH COPYRIGHT
Copyright \(co 2007 IBM Corporation
.br
This is free software. You may redistribute copies of it under the terms of
the GNU General Public License <http://www.gnu.org/licenses/gpl.html>.
There is NO WARRANTY, to the extent permitted by law.
# installation paths
SHAREDIR := /usr/share/selinux
AWK ?= gawk
NAME ?= $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config)
MLSENABLED := $(shell cat /selinux/mls)
ifeq ($(MLSENABLED),)
MLSENABLED := 1
endif
ifeq ($(MLSENABLED),1)
MCSFLAG=-mcs
endif
TYPE ?= $(NAME)${MCSFLAG}
HEADERDIR := $(SHAREDIR)/devel/include
include $(HEADERDIR)/Makefile
policy_module(local,1.0)
gen_require(`
type secadm_t, secadm_devpts_t, secadm_tty_device_t;
type rbacselftest_exec_t;
role secadm_r;
')
rbacselftest_run(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })
gen_require(`
type sysadm_t, sysadm_devpts_t, sysadm_tty_device_t;
role sysadm_r;
')
rbacselftest_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t })
gen_require(`
type auditd_log_t;
')
allow secadm_t auditd_log_t:file write;
allow sysadm_t self:process transition;
/usr/local/bin/test-setexeccon --
gen_context(system_u:object_r:rbacselftest_exec_t,mls_systemlow)
/usr/sbin/rbac-self-test --
gen_context(system_u:object_r:rbacselftest_exec_t,mls_systemlow)
/usr/sbin/rbac-self-test-helper --
gen_context(system_u:object_r:rbacselftesthelper_exec_t,mls_systemlow)
/var/run/rbac-self-test-SystemLow --
gen_context(system_u:object_r:rbacselftest_var_run_t,mls_systemlow)
/var/run/rbac-self-test-SystemHigh --
gen_context(system_u:object_r:rbacselftest_var_run_t,mls_systemhigh)
/etc/security/rbac-self-test.conf --
gen_context(system_u:object_r:rbacselftest_etc_t,mls_systemhigh)
## <summary>RBAC Self Test</summary>
########################################
## <summary>
## Execute rbacselftest in the rbacselftest domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`rbacselftest_domtrans',`
gen_require(`
type rbacselftest_t, rbacselftest_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1,rbacselftest_exec_t,rbacselftest_t)
allow $1 rbacselftest_t:fd use;
allow rbacselftest_t $1:fd use;
allow rbacselftest_t $1:fifo_file rw_file_perms;
allow rbacselftest_t $1:process sigchld;
')
########################################
## <summary>
## Execute rbacselftest programs in the rbacselftest domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the AIDE domain.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the AIDE domain to use.
## </summary>
## </param>
#
interface(`rbacselftest_run',`
gen_require(`
type rbacselftest_t;
')
rbacselftest_domtrans($1)
role $2 types rbacselftest_t;
allow rbacselftest_t $3:chr_file rw_file_perms;
')
policy_module(rbacselftest,1.0)
gen_require(`
type aide_db_t;
type aide_exec_t;
type sshd_t;
type secadm_t;
type sysadm_t;
type newrole_exec_t;
type sysadm_devpts_t;
type sysadm_tty_device_t;
type init_exec_t;
type initctl_t;
type var_lib_t;
attribute mlsprocsetsl;
attribute mlsfileread;
attribute mlsfilewrite;
')
########################################
#
# rbacselftest declarations
#
type rbacselftest_t;
type rbacselftest_exec_t;
domain_type(rbacselftest_t)
domain_entry_file(rbacselftest_t,rbacselftest_exec_t)
# rbacselftest database
type rbacselftest_var_run_t;
files_type(rbacselftest_var_run_t)
# rbacselftest etc
type rbacselftest_etc_t;
files_type(rbacselftest_etc_t)
########################################
#
# helper declarations
#
type rbacselftesthelper_t;
type rbacselftesthelper_exec_t;
domain_type(rbacselftesthelper_t)
domain_entry_file(rbacselftesthelper_t,rbacselftesthelper_exec_t)
########################################
#
# rbacselftest local policy
#
seutil_use_newrole_fds(rbacselftest_t)
# database actions
# pid file
allow rbacselftest_t rbacselftest_var_run_t:file manage_file_perms;
allow rbacselftest_t rbacselftest_var_run_t:dir rw_dir_perms;
files_pid_filetrans(rbacselftest_t, rbacselftest_var_run_t, { file dir })
# audit
allow rbacselftest_t self:capability {audit_write audit_control};
allow rbacselftest_t self:netlink_audit_socket { create_netlink_socket_perms
nlmsg_relay };
# aide
aide_domtrans(rbacselftest_t)
allow rbacselftest_t var_lib_t:dir write;
allow rbacselftest_t aide_db_t:dir rw_dir_perms;
allow rbacselftest_t aide_db_t:dir create_file_perms;
# binaries
corecmd_exec_bin(rbacselftest_t)
corecmd_exec_sbin(rbacselftest_t)
corecmd_exec_shell(rbacselftest_t)
# Shell
allow rbacselftest_t shell_exec_t:file entrypoint;
# login
locallogin_use_fds(rbacselftest_t)
# init
allow rbacselftest_t init_exec_t:file execute;
allow rbacselftest_t init_exec_t:file execute_no_trans;
allow rbacselftest_t initctl_t:fifo_file write;
# ssh
allow rbacselftest_t sshd_t:fd use;
# secadm_t
allow secadm_t rbacselftest_exec_t:file { setattr write execute };
# sysadm_t
allow secadm_t rbacselftest_exec_t:file { setattr write execute };
# /var/run
allow rbacselftest_t var_run_t:file manage_file_perms;
allow rbacselftest_t var_run_t:dir rw_dir_perms;
allow rbacselftest_t rbacselftest_var_run_t:file { getattr setattr create read
write };
allow rbacselftest_t var_run_t:file { getattr setattr create read write };
# and more
allow rbacselftest_t self:fd use;
allow rbacselftest_t self:process { noatsecure rlimitinh siginh };
allow rbacselftest_t sysadm_devpts_t:chr_file write;
allow rbacselftest_t sysadm_tty_device_t:chr_file { read write };
# Allow to execute own exec type - may not be wise - change helper to help type.
#allow rbacselftest_t rbacselftest_exec_t:file execute_no_trans;
# bin_t
allow rbacselftest_t bin_t:file entrypoint;
########################################
#
# helper policy
#
# /var/run
allow rbacselftesthelper_t var_run_t:file manage_file_perms;
allow rbacselftesthelper_t var_run_t:dir rw_dir_perms;
allow rbacselftesthelper_t rbacselftest_var_run_t:file { getattr setattr create
read write };
allow rbacselftesthelper_t var_run_t:file { getattr setattr create read write };
# Allow rbacselftest_t to execute rbacselftesthelper_exec_t
allow rbacselftest_t rbacselftesthelper_exec_t:file entrypoint;
allow rbacselftest_t rbacselftesthelper_exec_t:file execute;
allow rbacselftest_t rbacselftesthelper_t:process transition;
allow rbacselftest_t rbacselftesthelper_t:process { noatsecure rlimitinh siginh
};
allow rbacselftesthelper_t local_login_t:fd use;
allow rbacselftesthelper_t rbacselftest_t:process sigchld;
allow rbacselftesthelper_t sysadm_tty_device_t:chr_file { read write };
allow rbacselftesthelper_t rbacselftest_t:fd use;
files_read_all_files(rbacselftesthelper_t)
libs_use_shared_libs(rbacselftesthelper_t)
libs_use_ld_so(rbacselftesthelper_t)
########################################
#
# Local policy
#
allow rbacselftest_t self:capability { dac_override fowner };
allow rbacselftest_t self:process { setfscreate setexec transition };
# Permit getting enforcing mode + other SELinux perms
selinux_get_enforce_mode(rbacselftest_t)
selinux_get_fs_mount(rbacselftest_t)
selinux_search_fs(rbacselftest_t)
selinux_compute_access_vector(rbacselftest_t)
selinux_compute_create_context(rbacselftest_t)
selinux_compute_relabel_context(rbacselftest_t)
selinux_compute_user_contexts(rbacselftest_t)
selinux_validate_context(rbacselftest_t)
# Permit getting audit status
logging_read_audit_config(rbacselftest_t)
logging_manage_all_logs(rbacselftest_t)
logging_manage_audit_config(rbacselftest_t)
logging_manage_audit_log(rbacselftest_t)
logging_read_all_logs(rbacselftest_t)
logging_read_audit_log(rbacselftest_t)
logging_send_syslog_msg(rbacselftest_t)
logging_write_generic_logs(rbacselftest_t)
# MLS overrides
mls_file_read_up(rbacselftest_t)
mls_file_write_down(rbacselftest_t)
mls_process_set_level(rbacselftest_t)
mls_fd_share_all_levels(rbacselftest_t)
mls_fd_use_all_levels(rbacselftest_t)
#mls_rangetrans_target(rbacselftest_t)
mls_rangetrans_source(rbacselftest_t)
#mls_file_writable_within_range(rbacselftest_t)
mls_context_translate_all_levels(rbacselftest_t)
mls_file_downgrade(rbacselftest_t)
mls_file_upgrade(rbacselftest_t)
# General perms
files_read_all_files(rbacselftest_t)
libs_use_shared_libs(rbacselftest_t)
libs_use_ld_so(rbacselftest_t)
role sysadm_r types rbacselftest_t;
role sysadm_r types rbacselftest_exec_t;
role sysadm_r types rbacselftesthelper_t;
role sysadm_r types rbacselftesthelper_exec_t;
--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
