[PATCH 1/8][v2] audisp-racf plugin - Configuration and policy module files

Klaus Heinrich Kiwi klausk at br.ibm.com
Wed Oct 10 14:29:52 UTC 2007


This patch adds the configuration files and policy module sources needed
by the plugin.

The policy is not using newer interfaces so that it can be build for
RHEL5 GA.

Two separate configuration files are needed: one for the audit
dispatcher and another for the plugin itself.
The plugin configuration includes server and authentication information,
so it must not be readable by anyone but root. The default queue
size is chosen so that bursts of events can be absorbed without
dropping any.
The plugin is disabled by default.

Signed-off-by: Klaus Heinrich Kiwi <klausk at br.ibm.com> 

diff -purN audit-1.6.2/audisp/plugins/racf/policy/build.sh audit-1.6.2_racf/audisp/plugins/racf/policy/build.sh
--- audit-1.6.2/audisp/plugins/racf/policy/build.sh	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_racf/audisp/plugins/racf/policy/build.sh	2007-10-10 10:26:18.000000000 -0300
@@ -0,0 +1,3 @@
+
+#!/bin/sh
+make -f /usr/share/selinux/devel/Makefile
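Review bot: The `#!/bin/sh` on the second line of build.sh is not a shebang — a blank first line means the kernel will not pick the interpreter from it, so the script only works when run as `sh build.sh`. Move it to line 1 and drop the leading empty line. The make invocation also discards its own exit status as far as a caller is concerned only by accident; `set -e` after the shebang, or `exec make -f /usr/share/selinux/devel/Makefile`, makes a failed policy build visible to whatever drives the install.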
diff -purN audit-1.6.2/audisp/plugins/racf/policy/install.sh audit-1.6.2_racf/audisp/plugins/racf/policy/install.sh
--- audit-1.6.2/audisp/plugins/racf/policy/install.sh	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_racf/audisp/plugins/racf/policy/install.sh	2007-10-10 10:26:18.000000000 -0300
@@ -0,0 +1,4 @@
+/usr/sbin/semodule -i racf.pp
+
+/sbin/restorecon -F -v /sbin/audisp-racf
+
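Review bot: install.sh has no shebang and does not check whether `semodule -i racf.pp` succeeded, so `restorecon` still runs and the script exits 0 even when the policy module was never loaded, leaving /sbin/audisp-racf relabelled only if racf_exec_t happens to exist. Add `#!/bin/sh` and `set -e` at the top so a failed module install stops the script. The relative `racf.pp` also means the script must be run from the policy directory; a comment stating that, or `cd "$(dirname "$0")"`, would prevent a confusing "file not found" from semodule.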
diff -purN audit-1.6.2/audisp/plugins/racf/policy/racf.fc audit-1.6.2_racf/audisp/plugins/racf/policy/racf.fc
--- audit-1.6.2/audisp/plugins/racf/policy/racf.fc	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_racf/audisp/plugins/racf/policy/racf.fc	2007-10-10 10:26:18.000000000 -0300
@@ -0,0 +1,2 @@
+
+/sbin/audisp-racf	--	gen_context(system_u:object_r:racf_exec_t,s0)
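Review bot: Only the binary gets a file context here; /etc/audisp/racf.conf, which the description says holds server credentials and must be root-only, inherits the generic etc_t label, so within the SELinux policy every domain granted files_read_etc_files() may read it and DAC mode bits are the only thing protecting the password. If the intent is to confine the credentials, a dedicated type for that path (with a matching read rule for racf_t in racf.te rather than files_read_etc_files) would make the restriction policy-enforced. Otherwise this limitation deserves a comment here, e.g. `# /etc/audisp/racf.conf is left as etc_t; it must be installed root-owned with mode 0600`.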
diff -purN audit-1.6.2/audisp/plugins/racf/policy/racf.if audit-1.6.2_racf/audisp/plugins/racf/policy/racf.if
--- audit-1.6.2/audisp/plugins/racf/policy/racf.if	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_racf/audisp/plugins/racf/policy/racf.if	2007-10-10 10:26:18.000000000 -0300
@@ -0,0 +1,58 @@
+
+## <summary>policy for racf</summary>
+
+########################################
+## <summary>
+##      Execute a domain transition to run racf.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`racf_domtrans',`
+        gen_require(`
+                type racf_t;
+                type racf_exec_t;
+        ')
+
+        domain_auto_trans($1,racf_exec_t,racf_t);
+
+        allow $1 racf_t:fd use;
+        allow racf_t $1:fd use;
+        allow racf_t $1:fifo_file rw_file_perms;
+        allow racf_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute racf in the racf domain, and
+##	allow the specified role the racf domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the racf domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the role's terminal.
+##	</summary>
+## </param>
+#
+interface(`racf_run',`
+	gen_require(`
+		type racf_t;
+	')
+
+	racf_domtrans($1)
+	role $2 types racf_t;
+	dontaudit racf_t $3:chr_file rw_term_perms;
+')
+
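Review bot: `racf_run` (with its `role $2 types racf_t` and terminal dontaudit) is the refpolicy template for a program users launch from a shell, but nothing in this patch calls it — the only consumer of the transition is `racf_domtrans(auditd_t)` in racf.te — so it is an undocumented hook for granting arbitrary roles the racf_t domain. Either drop it or say why it is kept, e.g. `## Not used by the audisp plugin itself; provided for callers that need to run audisp-racf interactively.` `domain_auto_trans` is the pre-domtrans_pattern macro; that matches the RHEL5 GA target stated in the description, but a one-line comment saying so would stop it from being "modernized" by accident.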
diff -purN audit-1.6.2/audisp/plugins/racf/policy/racf.te audit-1.6.2_racf/audisp/plugins/racf/policy/racf.te
--- audit-1.6.2/audisp/plugins/racf/policy/racf.te	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_racf/audisp/plugins/racf/policy/racf.te	2007-10-10 10:26:18.000000000 -0300
@@ -0,0 +1,55 @@
+policy_module(racf,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type racf_t;
+type racf_exec_t;
+
+## selinux-policy_devel > 3:
+## racf_application_domain(racf_t, racf_exec_t)
+
+## RHEL5 series:
+init_system_domain(racf_t, racf_exec_t)
+
+role system_r types racf_t;
+
+
+########################################
+#
+# racf local policy
+#
+
+## internal communication is often done using fifo and unix sockets.
+allow racf_t self:fifo_file rw_file_perms;
+allow racf_t self:unix_stream_socket create_stream_socket_perms;
+## allow signals to self
+allow racf_t self:process signal;
+
+## audisp is in the auditd_t domain
+gen_require(`
+        type auditd_t;
+')
+
+## Allow auditd_t->racf_t transition
+racf_domtrans(auditd_t);
+
+## audisp execve pipe?
+allow racf_t auditd_t:unix_stream_socket { read write getattr };
+
+## audisp must be able to send signals to audisp-racf
+allow auditd_t racf_t:process signal;
+
+## Allow network access, name resolv
+auth_use_nsswitch(racf_t);
+
+## 
+files_read_etc_files(racf_t)
+libs_use_ld_so(racf_t)
+libs_use_shared_libs(racf_t)
+miscfiles_read_localization(racf_t)
+logging_send_syslog_msg(racf_t)
+
+
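Review bot: The comment `## audisp execve pipe?` above `allow racf_t auditd_t:unix_stream_socket { read write getattr };` records a guess rather than a verified need; a rule in a confinement policy should state the confirmed reason or be left out until an actual denial shows it is required — note that racf_domtrans() already grants racf_t fd use and fifo_file read/write on the caller's descriptors, so the plugin's stdin pipe from audisp is presumably covered without this rule. Separately, the only network permissions come from auth_use_nsswitch(racf_t); on the RHEL5-era policy that interface appears to carry the LDAP client rules for the default port 389, but racf.conf exposes `port` as a setting, so a non-default port would likely be denied — either document that restriction next to this call or add an explicit corenet rule for the port the plugin connects to. The commented-out newer-policy alternative names `racf_application_domain`, which does not look like a refpolicy interface (application_domain() is the usual one); confirm before someone uncomments it. `role system_r types racf_t;` also duplicates what init_system_domain() already declares.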
diff -purN audit-1.6.2/audisp/plugins/racf/racf.conf audit-1.6.2_racf/audisp/plugins/racf/racf.conf
--- audit-1.6.2/audisp/plugins/racf/racf.conf	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_racf/audisp/plugins/racf/racf.conf	2007-10-10 10:26:18.000000000 -0300
@@ -0,0 +1,10 @@
+# This is the configuration file for the audit-plugin-racf
+# server, user and password are required, everything else is
+# optional
+
+server = racf.server
+port = 389
+user = RACFUSER
+password = password
+timeout = 15
+q_depth = 64
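Review bot: The shipped defaults include a live-looking credential pair (`user = RACFUSER`, `password = password`) and nothing in the file says the password is stored in clear text, so an installer who only edits `server` can leave a guessable password in place. Use an obviously invalid placeholder and state the handling requirement in the header, e.g. `# password is stored in clear text: keep this file owned by root with mode 0600` and `password = CHANGEME`. It would also help to document the units of `timeout` (seconds, presumably) and what `q_depth` bounds, since the description says it is sized to absorb bursts and this file is the only place an administrator will see the knob.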
diff -purN audit-1.6.2/audisp/plugins/racf/audisp-racf.conf audit-1.6.2_racf/audisp/plugins/racf/audisp-racf.conf
--- audit-1.6.2/audisp/plugins/racf/audisp-racf.conf	1969-12-31 21:00:00.000000000 -0300
+++ audit-1.6.2_racf/audisp/plugins/racf/audisp-racf.conf	2007-10-10 10:26:18.000000000 -0300
@@ -0,0 +1,13 @@
+# This is the audit dispatcher configuration
+# for the RACF audit plugin
+# Note that this specific plugin has a configuration
+# file of its own. The complete path for this
+# file must be entered as the argument for the
+# plugin in the 'args' field below
+
+active = no
+direction = out
+path = /sbin/audisp-racf
+type = always 
+args = /etc/audisp/racf.conf
+format = string
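Review bot: `type = always ` carries trailing whitespace; whether audispd's parser tolerates it is not visible here, so trim it rather than rely on it. The header explains where the plugin's own config path goes but not that the plugin stays off until `active = yes` is set, nor that the referenced file holds credentials; a line such as `# Set active = yes only after editing /etc/audisp/racf.conf (root-only, contains credentials)` would tie the two files together for the administrator.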




