feffe/sau
1
0
Fork 0
Code Issues Pull Requests Projects Releases 20 Wiki Activity

added selinux module

Browse Source
This commit is contained in:
Fredrik Eriksson 2019-04-07 19:20:24 +02:00
parent d08fa867d4
commit bdbad6084b
No known key found for this signature in database
GPG Key ID: 8825C73A0FD1502A
2 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
selinux/sau.fc Normal file
View File

@ -0,0 +1,2 @@
/usr/bin/sau gen_context(system_u:object_r:sau_t,s0)
/etc/sau.cfg gen_context(system_u:object_r:sau_config_t,s0)

32
selinux/sau.te Normal file
View File

@ -0,0 +1,32 @@
policy_module(sau, 0.1)
gen_require(`
type system_cronjob_t;
type sysadm_t;
role sysadm_r;
roly system_r;
')
type sau_t;
type sau_exec_t;
type sau_config_t;
domain_type(sau_t)
domain_entry_file(sau_t, sau_exec_t)
files_config_file(sau_config_t)
read_files_pattern(sau_t, etc_t, sau_config_t);
role sysadm_r types sau_t;
role system_r types sau_t;
domain_auto_transition_pattern(sysadm_t, sau_exec_t, sau_t)
domain_auto_transition_pattern(system_cronjob_t, sau_exec_t, sau_t)
# this should be fixed, but I don't know enough selinux magic to restrict this
# while still allowing it to inspect all open files for all processes
unconfined_domain_noaudit(sau_t)
# Gentoo specific
portage_domtrans(sau_t)