-
Notifications
You must be signed in to change notification settings - Fork 0
/
vault.te
88 lines (72 loc) · 2.5 KB
/
vault.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
#module description
policy_module(vault,1.0.0)
#includes
require {
type local_login_t;
type initrc_t;
class sock_file write;
}
userdom_use_user_terminals(vault_t)
#there's got to be a better way to do this
gen_require(` type net_conf_t ; type kernel_t ; type user_home_t ; type user_home_dir_t ; type syslogd_var_run_t ; type sysctl_net_t ; type auditd_log_t ; type unconfined_t; role unconfined_r; role user_r;')
domtrans_pattern(unconfined_t, vault_exec_t, vault_t)
role unconfined_r types vault_t;
#process type daemon
type vault_t;
type vault_exec_t;
type vault_config_t;
type vault_log_t;
type vault_port_t;
#interface to make port available
corenet_port(vault_port_t)
#
###unfortunatelly so far there's now way to do portcon from module policy def
#so we need to do it from shell or CIL
#so after installing the module with
#semodule -i vault.pp
#we need to do
#semanage port -a -t vault_port_t -p tcp 5200
#transition for initrc
######type_transition initrc_t vault_exec_t : process vault_t;
init_daemon_domain(vault_t ,vault_exec_t)
logging_log_filetrans(vault_t,vault_log_t,file)
#library/config hooking , we might not need this as this is golang
libs_use_ld_so(vault_t)
libs_use_shared_libs(vault_t)
miscfiles_read_localization(vault_t)
files_config_file(vault_config_t)
#macro to add common syscalls for reading
read_files_pattern(vault_t,vault_config_t,vault_config_t)
#interface for logging
logging_log_file(vault_log_t)
#AVC net
#corenet_tcp_sendrecv_all_if(vault_t)
#corenet_tcp_sendrecv_all_nodes(vault_t)
#corenet_tcp_sendrecv_all_ports(vault_t)
corenet_tcp_bind_all_nodes(vault_t)
#give user type some attributes
#AVCs
allow vault_t user_home_dir_t:file *;
allow vault_t user_home_dir_t:dir *;
allow vault_t user_home_t:file *;
allow vault_t vault_config_t:dir list_dir_perms;
allow vault_t vault_log_t:dir setattr;
allow vault_t auditd_log_t:dir search;
allow vault_t syslogd_var_run_t:dir search;
##N
allow vault_t self:netlink_route_socket create;
allow vault_t self:tcp_socket *;
allow vault_t sysctl_net_t:file read;
allow vault_t self:unix_dgram_socket *;
allow vault_t kernel_t:unix_dgram_socket sendto;
allow vault_t sysctl_net_t:dir search;
allow vault_t self:capability net_admin;
allow vault_t self:netlink_route_socket bind;
allow vault_t sysctl_net_t:file open;
allow vault_t syslogd_var_run_t:sock_file write;
allow vault_t vault_port_t:tcp_socket *;
### issues with mlock and swap
allow vault_t self:capability ipc_lock;
##service account
allow vault_t self:udp_socket *;
allow vault_t net_conf_t:file *;