├── blacklist.txt
├── selinux
├── tmp
│ ├── iferror.m4
│ └── cvesync.tmp
├── cvesync.pp
├── cvesync_selinux-1.0-1.fc21.src.rpm
├── noarch
│ └── cvesync_selinux-1.0-1.fc21.noarch.rpm
├── cvesync.fc
├── cvesync.sh
├── cvesync.if
├── cvesync_selinux.spec
└── cvesync.te
├── rt.png
├── jira.png
├── cvesync.sqlite
├── settings.json
├── rt.json
├── tracker
├── tracker.go
├── jira.go
└── rt.go
├── jira.json
├── .gitignore
├── util
├── config.go
├── util.go
└── db.go
├── Makefile
├── rt.templ
├── nvd
├── cwe.go
└── cve.go
├── jira.templ
├── LICENSE
├── blacklist
└── blacklist.go
├── main
└── main.go
├── README.md
└── ca.crt
/blacklist.txt:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/selinux/tmp/iferror.m4:
--------------------------------------------------------------------------------
dnl Abort the m4 run with exit status 1 if the __if_error macro has been defined
dnl (i.e. an earlier included file flagged an error).
ifdef(`__if_error',`m4exit(1)')
2 |
--------------------------------------------------------------------------------
/rt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mikkolehtisalo/cvesync/HEAD/rt.png
--------------------------------------------------------------------------------
/jira.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mikkolehtisalo/cvesync/HEAD/jira.png
--------------------------------------------------------------------------------
/cvesync.sqlite:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mikkolehtisalo/cvesync/HEAD/cvesync.sqlite
--------------------------------------------------------------------------------
/selinux/cvesync.pp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mikkolehtisalo/cvesync/HEAD/selinux/cvesync.pp
--------------------------------------------------------------------------------
/selinux/cvesync_selinux-1.0-1.fc21.src.rpm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mikkolehtisalo/cvesync/HEAD/selinux/cvesync_selinux-1.0-1.fc21.src.rpm
--------------------------------------------------------------------------------
/selinux/noarch/cvesync_selinux-1.0-1.fc21.noarch.rpm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mikkolehtisalo/cvesync/HEAD/selinux/noarch/cvesync_selinux-1.0-1.fc21.noarch.rpm
--------------------------------------------------------------------------------
/selinux/cvesync.fc:
--------------------------------------------------------------------------------
# File contexts for the cvesync install tree laid out by the Makefile's install target.
# Everything under /opt/cvesync is read-only policy-wise (cvesync_t) ...
/opt/cvesync(.*)	gen_context(system_u:object_r:cvesync_t,s0)
# ... except the writable state directory (the sqlite status database).
/opt/cvesync/var(.*)	gen_context(system_u:object_r:cvesync_rw_t,s0)
# The binary itself; the type cvesync.te uses in its domain transition.
/opt/cvesync/bin/cvesync	--	gen_context(system_u:object_r:cvesync_exec_t,s0)
4 |
--------------------------------------------------------------------------------
/settings.json:
--------------------------------------------------------------------------------
1 | {
2 | "CAKeyFile": "/opt/cvesync/etc/ca.crt",
3 | "FeedURL": "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz",
4 | "CWEfile": "/opt/cvesync/etc/cwec_v2.8.xml",
5 | "DBFile": "/opt/cvesync/var/cvesync.sqlite",
6 | "BlackList": "/opt/cvesync/etc/blacklist.txt"
7 | }
8 |
--------------------------------------------------------------------------------
/rt.json:
--------------------------------------------------------------------------------
1 | {
2 | "BaseURL": "http://dev.localdomain",
3 | "CAFile": "/opt/cvesync/etc/ca.crt",
4 | "Username": "root",
5 | "Password": "password",
6 | "Queue": "3",
7 | "TemplateFile": "/opt/cvesync/etc/rt.templ",
8 | "HighPriority": "100",
9 | "MediumPriority": "50",
10 | "LowPriority": "10"
11 | }
12 |
--------------------------------------------------------------------------------
/tracker/tracker.go:
--------------------------------------------------------------------------------
1 | package tracker
2 |
3 | import (
4 | "github.com/mikkolehtisalo/cvesync/nvd"
5 | )
6 |
// Tracker is the issue-tracker backend that the sync loop writes CVEs to.
// Concrete implementations (Jira, RT) live in this package and are selected
// in main.
type Tracker interface {
	// Init prepares the backend; the sync loop calls it once before any
	// Add or Update.
	Init()
	// Add creates a new ticket for the entry and returns the ticket
	// system's ticket ID for it.
	Add(nvd.Entry) (string, error)
	// Update modifies the existing ticket; the second argument is the
	// ticket system's ticket ID previously returned by Add.
	Update(nvd.Entry, string) error
}
14 |
--------------------------------------------------------------------------------
/jira.json:
--------------------------------------------------------------------------------
1 | {
2 | "BaseURL": "http://dev.localdomain:8080",
3 | "CAFile": "/opt/cvesync/etc/ca.crt",
4 | "Username": "admin",
5 | "Password": "password",
6 | "Project": "10000",
7 | "Issuetype": "10000",
8 | "TemplateFile": "/opt/cvesync/etc/jira.templ",
9 | "HighPriority": "2",
10 | "MediumPriority": "3",
11 | "LowPriority": "4"
12 | }
13 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Compiled Object files, Static and Dynamic libs (Shared Objects)
2 | *.o
3 | *.a
4 | *.so
5 |
6 | # Folders
7 | _obj
8 | _test
9 |
10 | # Architecture specific extensions/prefixes
11 | *.[568vq]
12 | [568vq].out
13 |
14 | *.cgo1.go
15 | *.cgo2.c
16 | _cgo_defun.c
17 | _cgo_gotypes.go
18 | _cgo_export.*
19 |
20 | _testmain.go
21 |
22 | *.exe
23 | *.test
24 | *.prof
25 |
--------------------------------------------------------------------------------
/util/config.go:
--------------------------------------------------------------------------------
1 | package util
2 |
3 | import (
4 | "encoding/json"
5 | "io/ioutil"
6 | )
7 |
8 | // Defines the configuration file format
// ServiceConfiguration defines the configuration file format (see
// settings.json); field names map one-to-one to the JSON keys.
type ServiceConfiguration struct {
	CAKeyFile string // PEM file with the CA used to validate the feed server's certificate
	FeedURL   string // URL of the CVE feed; a ".gz" suffix selects gunzip before parsing
	CWEfile   string // path to the CWE catalog XML
	DBFile    string // path to the sqlite status database
	BlackList string // path to the product blacklist, one substring per line
}
16 |
// Load_Config reads the JSON configuration file at path into a
// ServiceConfiguration. Read and decode failures are logged to syslog and
// turned into a panic by checkerr.
func Load_Config(path string) ServiceConfiguration {
	var cfg ServiceConfiguration

	raw, readErr := ioutil.ReadFile(path)
	checkerr(readErr)
	checkerr(json.Unmarshal(raw, &cfg))

	return cfg
}
28 |
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# Build the cvesync binary; the two Go dependencies are fetched with go get first.
all: cvesync

cvesync:
	go get github.com/mattn/go-sqlite3
	go get github.com/blackjack/syslog
	go build -o cvesync github.com/mikkolehtisalo/cvesync/main

# Install under /opt/cvesync (bin, etc, var). Paths match settings.json and cvesync.fc.
# NOTE(review): "chmod -R 755 /opt/cvesync/etc" also applies to jira.json and
# rt.json, which carry tracker credentials ("Password"), making them
# world-readable. They should be restricted to the account cvesync runs as
# (e.g. mode 640); that account is not identified in this tree, so the
# change is not made here.
install:
	mkdir -p /opt/cvesync/bin /opt/cvesync/etc /opt/cvesync/var
	cp cvesync /opt/cvesync/bin/
	chmod 755 /opt/cvesync/bin/cvesync
	cp ca.crt settings.json jira.json blacklist.txt rt.json jira.templ rt.templ cwec_v2.8.xml /opt/cvesync/etc/
	chmod -R 755 /opt/cvesync/etc
	cp cvesync.sqlite /opt/cvesync/var/
	chmod 755 /opt/cvesync/var/cvesync.sqlite

# Build, load and package the SELinux module (must run as root, see selinux/cvesync.sh).
selinux:
	selinux/cvesync.sh

# rm without -f fails when the binary is absent.
clean:
	rm cvesync

test:
	go test .

# Only selinux is declared phony; install/clean/test would be skipped if a
# file of that name ever existed in the tree.
.PHONY: selinux
27 |
--------------------------------------------------------------------------------
/rt.templ:
--------------------------------------------------------------------------------
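{{/* rt.templ: RT ticket body rendered from an nvd.Entry. Fix: the Integrity line printed Availability_Impact; Integrity_Impact was never shown. */}}SUMMARY FOR {{.Id}}

{{.Summary}}

Published: {{.Published}}
Modified: {{.Last_Modified}}
CWE: {{if .CWE.Id}}{{.CWE.Id}} {{.CWE.Definition_Link}}: {{.CWE.CWE_Definition}}{{else}}Unknown{{end}}

CVSS INFORMATION

Score: {{.CVSS.Score}}
Access Vector: {{.CVSS.Access_Vector}}
Access Complexity: {{.CVSS.Access_Complexity}}
Authentication: {{.CVSS.Authentication}}
Confidentiality Impact: {{.CVSS.Confidentiality_Impact}}
Integrity Impact: {{.CVSS.Integrity_Impact}}
Availability Impact: {{.CVSS.Availability_Impact}}
Source: {{.CVSS.Source}}
Generated on: {{.CVSS.Generated_On}}

PRODUCTS

{{range .Products}}
{{.}}
{{end}}

REFERENCES

{{range .References}}
{{.Type}}:{{.Source}} {{.Target.Text}}: {{.Target.URL}}
{{end}}
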
--------------------------------------------------------------------------------
/nvd/cwe.go:
--------------------------------------------------------------------------------
1 | package nvd
2 |
3 | import (
4 | "encoding/xml"
5 | "github.com/blackjack/syslog"
6 | "io/ioutil"
7 | )
8 |
// CWE is the root of the CWE catalog XML (CWEfile in settings.json); only
// the weakness list at Weaknesses>Weakness is decoded.
type CWE struct {
	Weaknesses []Weakness `xml:"Weaknesses>Weakness"`
}
12 |
// Weakness is one catalog entry. ID is the bare number from the ID
// attribute; cve.go compares it against the part after "-" of a CVE's
// "CWE-<n>" id. Description is the summary text shown in tickets.
type Weakness struct {
	ID          string `xml:"ID,attr"`
	Description string `xml:"Description>Description_Summary"`
}
17 |
// Unmarshal_CWE decodes a CWE catalog XML document into a CWE. A decode
// error is written to syslog and then re-raised as a panic.
func Unmarshal_CWE(data []byte) CWE {
	var catalog CWE
	if err := xml.Unmarshal(data, &catalog); err != nil {
		syslog.Errf("Unable to parse CWEs: %v", err)
		panic(err)
	}
	return catalog
}
28 |
// Get_CWEs reads the CWE catalog at filename and decodes it. An unreadable
// file is logged to syslog and re-raised as a panic; decode errors are
// handled the same way inside Unmarshal_CWE.
func Get_CWEs(filename string) CWE {
	raw, err := ioutil.ReadFile(filename)
	if err != nil {
		syslog.Errf("Unable to read CWE file: %v", err)
		panic(err)
	}
	return Unmarshal_CWE(raw)
}
39 |
--------------------------------------------------------------------------------
/jira.templ:
--------------------------------------------------------------------------------
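{{/* jira.templ: Jira ticket body (wiki markup) rendered from an nvd.Entry. Fix: the Integrity line printed Availability_Impact; Integrity_Impact was never shown. NOTE(review): only products and reference text go through escape_text (presumably registered by the Jira tracker); Summary, the CWE id and reference URLs are interpolated raw into the markup — confirm that is intended. */}}
h1. Summary for {{.Id}}

{{.Summary}}

*Published:* {{.Published}}
*Modified:* {{.Last_Modified}}
*CWE:* {{if .CWE.Id}}[{{.CWE.Id}}|{{.CWE.Definition_Link}}] {{.CWE.CWE_Definition}}{{else}}Unknown{{end}}

h1. CVSS information

*Score:* {{.CVSS.Score}}
*Access Vector:* {{.CVSS.Access_Vector}}
*Access Complexity:* {{.CVSS.Access_Complexity}}
*Authentication:* {{.CVSS.Authentication}}
*Confidentiality Impact:* {{.CVSS.Confidentiality_Impact}}
*Integrity Impact:* {{.CVSS.Integrity_Impact}}
*Availability Impact:* {{.CVSS.Availability_Impact}}
*Source:* {{.CVSS.Source}}
*Generated on:* {{.CVSS.Generated_On}}

h1. Products

{{range .Products}}
{{escape_text .}}
{{end}}

h1. References

{{range .References}}
*{{.Type}}:{{.Source}}* [{{escape_text .Target.Text}}|{{.Target.URL}}]
{{end}}
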
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2014 Mikko Lehtisalo
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
23 |
--------------------------------------------------------------------------------
/blacklist/blacklist.go:
--------------------------------------------------------------------------------
1 | package blacklist
2 |
3 | import (
4 | "bufio"
5 | "github.com/blackjack/syslog"
6 | "github.com/mikkolehtisalo/cvesync/nvd"
7 | "os"
8 | "strings"
9 | )
10 |
// BlackList holds the substrings loaded from the blacklist file (one per
// line, empty lines dropped). A feed entry is suppressed when any of its
// product strings contains any item.
type BlackList struct {
	items []string
}
14 |
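// Blacklisted reports whether any product of entry contains any blacklist
// item as a substring (strings.Contains). Matching is deliberately broad:
// a short, generic item suppresses every entry that mentions it, so keep
// items as specific as possible. Returns on the first hit instead of
// scanning every remaining pair.
func (b BlackList) Blacklisted(entry nvd.Entry) bool {
	for _, product := range entry.Products {
		for _, item := range b.items {
			if strings.Contains(product, item) {
				return true
			}
		}
	}
	return false
}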
28 |
// Load_Blacklist reads one blacklist item per line from filename. Empty
// lines are skipped; all other lines are kept verbatim (no trimming).
// Open and scan errors are logged to syslog and re-raised as a panic.
func Load_Blacklist(filename string) BlackList {
	f, err := os.Open(filename)
	if err != nil {
		syslog.Errf("%v", err)
		panic(err)
	}
	defer f.Close()

	var items []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		if line := sc.Text(); line != "" {
			items = append(items, line)
		}
	}
	if err := sc.Err(); err != nil {
		syslog.Errf("%v", err)
		panic(err)
	}

	return BlackList{items: items}
}
55 |
--------------------------------------------------------------------------------
/util/util.go:
--------------------------------------------------------------------------------
1 | package util
2 |
3 | import (
4 | "bytes"
5 | "compress/gzip"
6 | "crypto/tls"
7 | "crypto/x509"
8 | "errors"
9 | "fmt"
10 | "github.com/blackjack/syslog"
11 | "io/ioutil"
12 | "net/http"
13 | )
14 |
// checkerr is the package's fail-fast helper: a nil err is a no-op; any
// other err is logged to syslog and re-raised as a panic.
func checkerr(err error) {
	if err == nil {
		return
	}
	syslog.Errf("Error: %v", err)
	panic(err)
}
21 |
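// Download_File fetches url and returns the response body.
//
// The server certificate is validated only against the CA certificate(s)
// in cafile (PEM): RootCAs replaces the system trust store, so the feed
// host must chain to that CA. Every failure — unreadable or empty CA file,
// transport error, non-200 status, body read error — is logged to syslog
// and re-raised as a panic, matching the rest of this package.
//
// NOTE(review): the client has no timeout, so a stalled server can block
// the sync indefinitely; consider http.Client{Timeout: ...} when this runs
// unattended.
func Download_File(url string, cafile string) []byte {
	// Load the CA certificate for server certificate validation.
	cacert, err := ioutil.ReadFile(cafile)
	checkerr(err)
	capool := x509.NewCertPool()
	// An empty pool makes every handshake fail with an opaque TLS error;
	// fail here with a message that names the file instead.
	if !capool.AppendCertsFromPEM(cacert) {
		checkerr(errors.New("no CA certificates found in " + cafile))
	}

	// Check server certificate against capool only.
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: capool},
	}
	client := &http.Client{Transport: tr}

	resp, err := client.Get(url)
	checkerr(err)
	// Close on every path, including the status-error panic below (the
	// original deferred this only after the status check).
	defer resp.Body.Close()

	// 500s and such
	if resp.StatusCode != http.StatusOK {
		errr := fmt.Errorf("File download failed with status code %v", resp.StatusCode)
		syslog.Errf("%v", errr)
		panic(errr)
	}

	body, err := ioutil.ReadAll(resp.Body)
	checkerr(err)

	return body
}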
53 |
// Gunzip decompresses a gzip-encoded byte slice entirely into memory.
// Malformed input is logged and re-raised as a panic via checkerr.
func Gunzip(in []byte) []byte {
	zr, err := gzip.NewReader(bytes.NewReader(in))
	checkerr(err)
	defer zr.Close()

	plain, err := ioutil.ReadAll(zr)
	checkerr(err)
	return plain
}
65 |
--------------------------------------------------------------------------------
/selinux/cvesync.sh:
--------------------------------------------------------------------------------
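#!/bin/sh -e
#
# Build, load and package the cvesync SELinux policy module.
#
# With --update, the audit log is first searched for AVC denials recorded
# for cvesync since cvesync.te was last written; the allow rules that
# audit2allow derives from them are shown and, on confirmation, appended to
# cvesync.te before the rebuild. Every appended rule widens the policy, so
# read the audit2allow output before answering "y".
#
# Must run as root (semodule, restorecon, ausearch).

cd "$(dirname "$0")"
USAGE="$0 [ --update ]"
if [ "$(id -u)" != 0 ]; then
    echo 'You must be root to run this script'
    exit 1
fi

if [ $# -eq 1 ]; then
    if [ "$1" = "--update" ]; then
        # mtime of cvesync.te as "date time", the two words ausearch --start expects.
        time=$(ls -l --time-style="+%x %X" cvesync.te | awk '{ printf "%s %s", $6, $7 }')
        # $time is intentionally unquoted (two words). ausearch exits non-zero
        # when nothing matches, which under -e would abort the script before the
        # "No new avcs found" message; treat that as an empty result instead.
        rules=$(ausearch --start $time -m avc --raw -se cvesync) || rules=""
        if [ -n "$rules" ]; then
            echo "Found avc's to update policy with"
            # printf instead of "echo -e": /bin/sh may print the -e literally or
            # mangle backslashes in the raw audit records.
            printf '%s\n' "$rules" | audit2allow -R
            echo "Do you want these changes added to policy [y/n]?"
            read ANS
            case "$ANS" in
                y|Y)
                    echo "Updating policy"
                    printf '%s\n' "$rules" | audit2allow -R >> cvesync.te
                    # Fall through and rebuild policy
                    ;;
                *)
                    exit 0
                    ;;
            esac
        else
            echo "No new avcs found"
            exit 0
        fi
    else
        echo "$USAGE"
        exit 1
    fi
elif [ $# -ge 2 ]; then
    echo "$USAGE"
    exit 1
fi

echo "Building and Loading Policy"
set -x
make -f /usr/share/selinux/devel/Makefile cvesync.pp || exit
/usr/sbin/semodule -i cvesync.pp

# Generate a man page off the installed module
sepolicy manpage -p . -d cvesync_t
# Fixing the file context on /opt/cvesync/bin/cvesync
/sbin/restorecon -F -R -v /opt/cvesync
# Generate a rpm package for the newly generated policy

pwd=$(pwd)
rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba cvesync_selinux.spec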
53 |
--------------------------------------------------------------------------------
/selinux/cvesync.if:
--------------------------------------------------------------------------------
1 |
2 | ## policy for cvesync
3 |
########################################
## <summary>
##	Execute cvesync in the cvesync domain.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
# NOTE(review): this transitions into cvesync_t, whereas cvesync.te itself
# transitions unconfined_t into cvesync_exec_t as the process domain and
# grants most rules there; confirm which domain is meant to run the binary.
interface(`cvesync_domtrans',`
	gen_require(`
		type cvesync_t, cvesync_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, cvesync_exec_t, cvesync_t)
')
22 |
########################################
## <summary>
##	Execute cvesync in the cvesync domain, and
##	allow the specified role the cvesync domain.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition
## </summary>
## </param>
## <param name="role">
## <summary>
##	The role to be allowed the cvesync domain.
## </summary>
## </param>
#
interface(`cvesync_run',`
	gen_require(`
		type cvesync_t;
		attribute_role cvesync_roles;
	')

	cvesync_domtrans($1)
	roleattribute $2 cvesync_roles;
')
48 |
########################################
## <summary>
##	Role access for cvesync
## </summary>
## <param name="role">
## <summary>
##	Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
##	User domain for the role
## </summary>
## </param>
#
interface(`cvesync_role',`
	gen_require(`
		type cvesync_t;
		attribute_role cvesync_roles;
	')

	roleattribute $1 cvesync_roles;

	cvesync_domtrans($2)

	# Let the user domain list and signal cvesync processes (no ptrace).
	ps_process_pattern($2, cvesync_t)
	allow $2 cvesync_t:process { signull signal sigkill };
')
77 |
--------------------------------------------------------------------------------
/util/db.go:
--------------------------------------------------------------------------------
1 | package util
2 |
3 | import (
4 | "database/sql"
5 | _ "github.com/mattn/go-sqlite3"
6 | "time"
7 | )
8 |
// Get_DB opens the sqlite database at dbfile (sql.Open is lazy; no
// connection is made here). The caller owns the handle and must Close it.
func Get_DB(dbfile string) *sql.DB {
	handle, err := sql.Open("sqlite3", dbfile)
	checkerr(err)
	return handle
}
14 |
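// Exists reports whether a status row for cveid is already recorded.
// Query and scan errors are raised via checkerr; the original ignored the
// Scan result and never checked rows.Err, so a failed read looked like
// "does not exist" and would have re-added the CVE.
func Exists(db *sql.DB, cveid string) bool {
	var count int
	// count(...) always yields exactly one row, so QueryRow never reports ErrNoRows.
	err := db.QueryRow("select count(cveid) from status where cveid=?", cveid).Scan(&count)
	checkerr(err)
	return count > 0
}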
33 |
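// Modified_Matches reports whether the recorded modified time for cveid
// equals modified, i.e. the entry has not changed since it was synced.
// Query and scan errors are raised via checkerr (the original ignored them,
// which made a failed read look like "modified").
//
// NOTE(review): equality is evaluated by sqlite on whatever representation
// the driver stores for time.Time; this only works if DB_Add/DB_Update and
// this query bind the value identically — confirm against the driver.
func Modified_Matches(db *sql.DB, cveid string, modified time.Time) bool {
	var count int
	err := db.QueryRow("select count(cveid) from status where cveid=? and modified=?", cveid, modified).Scan(&count)
	checkerr(err)
	return count > 0
}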
52 |
// DB_Add records a newly created ticket: cveid, its modified time and the
// tracker's ticketid are inserted into the status table. Failures are
// raised via checkerr.
func DB_Add(db *sql.DB, cveid string, modified time.Time, ticketid string) {
	const stmt = "insert into status(cveid, modified, ticketid) values (?, ?, ?)"
	_, err := db.Exec(stmt, cveid, modified, ticketid)
	checkerr(err)
}
57 |
// DB_Update stores the latest modified time for cveid. Failures are raised
// via checkerr.
//
// Note that this implementation tracks only the previous modified time.
// It's okay as long as no feed contains several modifications of the same
// CVE item.
func DB_Update(db *sql.DB, cveid string, modified time.Time) {
	const stmt = "update status set modified=? where cveid=?"
	if _, err := db.Exec(stmt, modified, cveid); err != nil {
		checkerr(err)
	}
}
64 |
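// DB_TicketID returns the ticket ID recorded for cveid, or "" when there is
// no row or the stored value is NULL. Other query/scan errors are raised via
// checkerr (the original ignored the Scan error). Assumes at most one row
// per cveid; the original returned the last row, this returns the first.
func DB_TicketID(db *sql.DB, cveid string) string {
	var id sql.NullString
	err := db.QueryRow("select ticketid from status where cveid=?", cveid).Scan(&id)
	if err == sql.ErrNoRows {
		return ""
	}
	checkerr(err)
	// NullString.String is "" when the column was NULL.
	return id.String
}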
78 |
--------------------------------------------------------------------------------
/selinux/cvesync_selinux.spec:
--------------------------------------------------------------------------------
# vim: sw=4:ts=4:et

# Relabel the installed binary after the module has been loaded or removed
# (used by the post and postun scriptlets below).
%define relabel_files() \
restorecon -R /opt/cvesync/bin/cvesync; \

%define selinux_policyver 3.13.1-103

Name:	cvesync_selinux
Version:	1.0
Release:	1%{?dist}
Summary:	SELinux policy module for cvesync

Group:	System Environment/Base
License:	GPLv2+
# This is an example. You will need to change it.
URL:		http://HOSTNAME
Source0:	cvesync.pp
Source1:	cvesync.if
Source2:	cvesync_selinux.8


Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
Requires(postun): policycoreutils
BuildArch: noarch

%description
This package installs and sets up the SELinux policy security module for cvesync.

# Compiled module, interface file and man page; the users context dir is
# created but nothing is installed into it.
%install
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
install -d %{buildroot}%{_mandir}/man8/
install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/cvesync_selinux.8
install -d %{buildroot}/etc/selinux/targeted/contexts/users/


# Install the module into the store, then load it and relabel if SELinux is on.
%post
semodule -n -i %{_datadir}/selinux/packages/cvesync.pp
if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
    %relabel_files

fi;
exit 0

# Only on final erase (argument 0; an upgrade passes 1): remove the module,
# reload and relabel.
%postun
if [ $1 -eq 0 ]; then
    semodule -n -r cvesync
    if /usr/sbin/selinuxenabled ; then
       /usr/sbin/load_policy
       %relabel_files

    fi;
fi;
exit 0

%files
%attr(0600,root,root) %{_datadir}/selinux/packages/cvesync.pp
%{_datadir}/selinux/devel/include/contrib/cvesync.if
%{_mandir}/man8/cvesync_selinux.8.*


%changelog
* Wed Dec 24 2014 YOUR NAME 1.0-1
- Initial version
70 |
71 |
--------------------------------------------------------------------------------
/main/main.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "database/sql"
5 | "github.com/blackjack/syslog"
6 | "github.com/mikkolehtisalo/cvesync/blacklist"
7 | "github.com/mikkolehtisalo/cvesync/nvd"
8 | "github.com/mikkolehtisalo/cvesync/tracker"
9 | "github.com/mikkolehtisalo/cvesync/util"
10 | )
11 |
var (
	// config is loaded once in main from the fixed settings path and read
	// by sync (DBFile) and main (feed, CA, CWE and blacklist paths).
	config util.ServiceConfiguration
	// blist is the product blacklist consulted for every feed entry in sync.
	blist blacklist.BlackList
)
16 |
// sync walks the feed oldest-first and hands every entry whose products
// are not blacklisted to sync_entry, using cwes to resolve CWE text in the
// tracker ts. The status database named in config is opened for the
// duration of the run.
func sync(feed nvd.CVE, cwes nvd.CWE, ts tracker.Tracker) {
	db := util.Get_DB(config.DBFile)
	defer db.Close()

	ts.Init()

	entries := feed.Entries
	// The XML feed is ordered newest to oldest; walk it backwards so the
	// oldest entry is processed first.
	for i := len(entries); i > 0; i-- {
		entry := entries[i-1]
		if blist.Blacklisted(entry) {
			syslog.Infof("Not syncing %v because one of the products were blacklisted", entry.Id)
			continue
		}
		sync_entry(entry, db, cwes, ts)
	}
}
35 |
// sync_entry creates or updates the ticket for a single feed entry.
// A CVE with no status row is added to the tracker and then recorded; a
// known CVE whose Last_Modified differs from the recorded value is updated
// in the tracker and the recorded time refreshed. A tracker error is logged
// and the entry skipped without touching the database, so it is attempted
// again if it appears in a later feed.
func sync_entry(entry nvd.Entry, db *sql.DB, cwes nvd.CWE, ts tracker.Tracker) {
	// Attach the catalog so the template helpers on entry.CWE can resolve text.
	entry.CWE.CWECatalog = &cwes

	switch {
	case !util.Exists(db, entry.Id):
		// Completely new?
		syslog.Noticef("Adding new CVE %s", entry.Id)
		ticketid, err := ts.Add(entry)
		if err != nil {
			syslog.Errf("Unable to add %v to issue tracker: %v", entry.Id, err)
			return
		}
		util.DB_Add(db, entry.Id, entry.Last_Modified, ticketid)
	case !util.Modified_Matches(db, entry.Id, entry.Last_Modified):
		// Already existing, but modified?
		syslog.Noticef("Modifying old CVE %s", entry.Id)
		existing := util.DB_TicketID(db, entry.Id)
		if err := ts.Update(entry, existing); err != nil {
			syslog.Errf("Unable to modify %v in issue tracker: %v", entry.Id, err)
			return
		}
		util.DB_Update(db, entry.Id, entry.Last_Modified)
	}
}
61 |
// main wires the pieces together: syslog, the fixed settings path, the
// blacklist, the CVE feed and the CWE catalog, then runs one sync pass
// against the selected tracker backend.
func main() {
	syslog.Openlog("cvesync", syslog.LOG_PID, syslog.LOG_DAEMON)
	syslog.Info("Cvesync started")

	config = util.Load_Config("/opt/cvesync/etc/settings.json")
	blist = blacklist.Load_Blacklist(config.BlackList)

	feed := nvd.Get_CVE_feed(config.FeedURL, config.CAKeyFile)
	catalog := nvd.Get_CWEs(config.CWEfile)

	// Backend selection is compile-time: Jira here; for RT use
	// `backend := tracker.RT{}` instead.
	backend := tracker.Jira{}
	sync(feed, catalog, &backend)

	syslog.Info("Cvesync ended")
}
77 |
--------------------------------------------------------------------------------
/nvd/cve.go:
--------------------------------------------------------------------------------
1 | package nvd
2 |
3 | import (
4 | "encoding/xml"
5 | "fmt"
6 | "github.com/blackjack/syslog"
7 | "github.com/mikkolehtisalo/cvesync/util"
8 | "strings"
9 | "time"
10 | )
11 |
// CVE is the root of the NVD XML feed: the list of entry elements, in feed
// order (newest first; main.sync iterates it in reverse).
type CVE struct {
	Entries []Entry `xml:"entry"`
}
15 |
// Entry is one CVE record from the NVD feed.
// Ignored elements: vuln:vulnerable-configuration, which most often just
// repeats vuln:vulnerable-software-list.
type Entry struct {
	Id            string      `xml:"cve-id"`
	Products      []string    `xml:"vulnerable-software-list>product"` // product strings the blacklist is matched against
	Published     time.Time   `xml:"published-datetime"`
	Last_Modified time.Time   `xml:"last-modified-datetime"` // decides add-vs-update in main.sync_entry
	CVSS          Cvss        `xml:"cvss"`
	CWE           Cwe         `xml:"cwe"`
	References    []Reference `xml:"references"`
	Summary       string      `xml:"summary"`
}
27 |
// Cvss holds the base_metrics of an entry's cvss element, kept as strings
// exactly as they appear in the feed (the templates print them verbatim).
type Cvss struct {
	Score                  string    `xml:"base_metrics>score"`
	Access_Vector          string    `xml:"base_metrics>access-vector"`
	Access_Complexity      string    `xml:"base_metrics>access-complexity"`
	Authentication         string    `xml:"base_metrics>authentication"`
	Confidentiality_Impact string    `xml:"base_metrics>confidentiality-impact"`
	Integrity_Impact       string    `xml:"base_metrics>integrity-impact"`
	Availability_Impact    string    `xml:"base_metrics>availability-impact"`
	Source                 string    `xml:"base_metrics>source"`
	Generated_On           time.Time `xml:"base_metrics>generated-on-datetime"`
}
39 |
// Cwe is an entry's cwe element. To use a>b,attr directly in Entry would
// have been cleaner, but Unmarshal doesn't support that.
type Cwe struct {
	Id string `xml:"id,attr"` // the id attribute, e.g. "CWE-<n>"
	// CWECatalog is not part of the XML: main.sync_entry attaches the loaded
	// catalog so CWE_Definition can resolve the description for templates.
	CWECatalog *CWE
}
45 |
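// Definition_Link returns the mitre.org definition URL for the CWE id
// ("CWE-79" -> "http://cwe.mitre.org/data/definitions/79.html"), or "" when
// the id is not of the form <prefix>-<digits>. The digits check keeps a
// malformed or placeholder id from producing a broken link — or stray
// markup — in the generated ticket text, where the templates interpolate
// this value unescaped. The original accepted any "a-b" and linked "".html"
// for "CWE-".
func (c Cwe) Definition_Link() string {
	parts := strings.Split(c.Id, "-")
	if len(parts) != 2 || parts[1] == "" {
		return ""
	}
	for _, r := range parts[1] {
		if r < '0' || r > '9' {
			return ""
		}
	}
	return fmt.Sprintf("http://cwe.mitre.org/data/definitions/%v.html", parts[1])
}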
55 |
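// CWE_Definition returns the catalog summary for the entry's CWE id
// ("CWE-79" is matched against Weakness.ID "79") with line feeds, carriage
// returns and tabs removed so it fits on one template line. It returns ""
// when the id is not <prefix>-<number>, when no catalog is attached
// (CWECatalog == nil — the original dereferenced it unconditionally and
// would panic inside template rendering), or when the id is not in the
// catalog. Catalog IDs are assumed unique, so the first match is returned.
func (c Cwe) CWE_Definition() string {
	if c.CWECatalog == nil {
		return ""
	}
	parts := strings.Split(c.Id, "-")
	if len(parts) != 2 {
		return ""
	}
	for _, w := range c.CWECatalog.Weaknesses {
		if w.ID != parts[1] {
			continue
		}
		// Remove line feeds, carriage returns and tabs
		return strings.NewReplacer("\n", "", "\r", "", "\t", "").Replace(w.Description)
	}
	return ""
}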
73 |
// Reference is one external reference of an entry: its reference_type
// attribute, the source name and the link target.
type Reference struct {
	Type   string           `xml:"reference_type,attr"`
	Source string           `xml:"source"`
	Target Reference_Target `xml:"reference"`
}
79 |
// Reference_Target is the linked reference: the href attribute and the
// element text, which the templates use as the link label.
type Reference_Target struct {
	URL  string `xml:"href,attr"`
	Text string `xml:",chardata"`
}
84 |
// Unmarshal_CVE decodes an NVD feed XML document into a CVE. A decode error
// is written to syslog and then re-raised as a panic.
func Unmarshal_CVE(data []byte) CVE {
	var feed CVE
	if err := xml.Unmarshal(data, &feed); err != nil {
		syslog.Errf("Unable to parse feed: %v", err)
		panic(err)
	}
	return feed
}
95 |
// Get_CVE_feed downloads the feed at feedurl, validating the server against
// the CA in cakeyfile, gunzips it when the URL ends in ".gz", and decodes
// it. Every failure along the way is logged and re-raised as a panic by the
// helpers it calls.
func Get_CVE_feed(feedurl string, cakeyfile string) CVE {
	payload := util.Download_File(feedurl, cakeyfile)

	// Compression is recognised from the URL suffix only; the response's
	// Content-Encoding is not consulted.
	if strings.HasSuffix(feedurl, ".gz") {
		payload = util.Gunzip(payload)
	}

	return Unmarshal_CVE(payload)
}
109 |
--------------------------------------------------------------------------------
/selinux/cvesync.te:
--------------------------------------------------------------------------------
1 | policy_module(cvesync, 1.0.0)
2 |
3 | ########################################
4 | #
5 | # Declarations
6 | #
7 |
8 | require {
9 | type unconfined_t;
10 | type urandom_device_t;
11 | type fs_t;
12 | role unconfined_r;
13 | class tcp_socket create;
14 | class unix_dgram_socket create;
15 | class file read;
16 | class dir search;
17 | class chr_file read;
18 | }
19 |
20 | attribute_role cvesync_roles;
21 | roleattribute system_r cvesync_roles;
22 |
23 | type cvesync_rw_t;
24 | type cvesync_t;
25 | type cvesync_exec_t;
26 | application_domain(cvesync_t, cvesync_exec_t)
27 | role cvesync_roles types cvesync_t;
28 |
29 | permissive cvesync_t;
30 |
31 | ########################################
32 | #
33 | # cvesync local policy
34 | #
35 |
36 | allow cvesync_t self:fifo_file manage_fifo_file_perms;
37 | allow cvesync_t self:unix_stream_socket create_stream_socket_perms;
38 |
39 | domain_use_interactive_fds(cvesync_t)
40 | files_read_etc_files(cvesync_t)
41 | logging_send_syslog_msg(cvesync_t)
42 | miscfiles_read_localization(cvesync_t)
43 | sysnet_dns_name_resolve(cvesync_t)
44 |
45 | # Transition to exec_t
46 | role unconfined_r types cvesync_exec_t;
47 | allow unconfined_t cvesync_exec_t:file execute;
48 | type_transition unconfined_t cvesync_exec_t:process cvesync_exec_t;
49 | allow unconfined_t cvesync_exec_t:process { siginh rlimitinh noatsecure transition };
50 | allow cvesync_exec_t self:file entrypoint;
51 |
52 | # Basic rights
53 | domain_base_type(cvesync_exec_t)
54 | files_list_root(cvesync_exec_t)
55 | unconfined_use_fds(cvesync_exec_t)
56 | userdom_use_inherited_user_ptys(cvesync_exec_t)
57 | kernel_read_unix_sysctls(cvesync_exec_t)
58 | init_read_pipes(cvesync_exec_t)
59 | virt_sandbox_domain(cvesync_exec_t)
60 | logging_send_syslog_msg(cvesync_exec_t)
61 |
62 | # Process control
63 | unconfined_sigchld(cvesync_exec_t)
64 |
65 | # Allow labeling files
66 | allow unconfined_t cvesync_t:dir { relabelfrom relabelto };
67 | allow unconfined_t cvesync_rw_t:dir { relabelfrom relabelto };
68 | allow unconfined_t cvesync_t:file { relabelfrom relabelto };
69 | allow unconfined_t cvesync_rw_t:file { relabelfrom relabelto };
70 | allow unconfined_t cvesync_exec_t:file { relabelfrom relabelto };
71 |
72 | # Allow unconfined users still manage files, when necessary
73 | allow unconfined_t cvesync_t:dir { search unlink read setattr create write getattr rmdir remove_name open add_name };
74 | allow unconfined_t cvesync_t:file { unlink rename setattr read lock create write getattr open append };
75 | allow unconfined_t cvesync_rw_t:dir { search unlink read setattr create write getattr rmdir remove_name open add_name };
76 | allow unconfined_t cvesync_rw_t:file { unlink rename setattr read lock create write getattr open append };
77 | allow unconfined_t cvesync_exec_t:file { unlink rename setattr read lock create write getattr open append };
78 |
79 | allow unconfined_t cvesync_t:dir setattr;
80 |
81 | # Allow file operations
82 | allow cvesync_exec_t cvesync_t:dir search;
83 | allow cvesync_exec_t cvesync_t:file { read getattr open };
84 | allow cvesync_exec_t cvesync_rw_t:dir { search unlink read create write getattr rmdir remove_name open add_name };
85 | allow cvesync_exec_t cvesync_rw_t:file { unlink rename setattr read lock create write getattr open append };
86 | allow cvesync_rw_t fs_t:filesystem associate;
87 |
88 | # Networking capabilities
89 | allow cvesync_exec_t self:unix_dgram_socket { create connect };
90 | allow cvesync_exec_t self:capability net_admin;
91 | allow cvesync_exec_t self:tcp_socket { setopt read write getattr getopt listen bind connect create };
92 | allow cvesync_exec_t self:udp_socket { getattr create connect read sendto write listen accept };
93 | allow cvesync_exec_t self:netlink_route_socket { create bind getattr };
94 | corenet_tcp_bind_generic_node(cvesync_exec_t)
95 | # :80, :443
96 | corenet_tcp_connect_http_port(cvesync_exec_t)
97 | # Jira is by default on :8080
98 | corenet_tcp_connect_http_cache_port(cvesync_exec_t)
99 |
100 | # Random source for the TLS implementation (Go's crypto/rand reads /dev/urandom)
101 | allow cvesync_exec_t urandom_device_t:chr_file { read open };
102 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Cvesync
2 | =======
3 |
4 | Introduction
5 | ------------
6 |
7 | Accidentally disregarding known information-security vulnerabilities and exposures may lead to dire consequences. Tracking CVEs reliably requires a great amount of work. Cvesync assists with this by synchronizing new CVEs into an issue management system, where the existing workflow can then support the analysis, mitigation, and patching.
8 |
9 | By default cvesync reads the modified feed provided by [nvd](https://nvd.nist.gov), and updates to either Jira or RT. The outcome looks something like [this](https://raw.githubusercontent.com/mikkolehtisalo/cvesync/master/jira.png) or [this](https://raw.githubusercontent.com/mikkolehtisalo/cvesync/master/rt.png).
10 |
11 | Installation
12 | ------------
13 |
14 | The following prerequisites should be met:
15 |
16 | * Golang 1.3+
17 | * sqlite3
18 | * [go-sqlite3](https://github.com/mattn/go-sqlite3)
19 | * [blackjack/syslog](https://github.com/blackjack/syslog)
20 | * Jira or RT
21 |
22 | Cvesync can be built and installed with make:
23 |
24 | ```sh
25 | go get github.com/mikkolehtisalo/cvesync
26 | ...
27 | make
28 | sudo make install
29 | ```
30 |
31 | Configuration
32 | -------------
33 |
34 | The common options can be found from /opt/cvesync/etc/settings.json:
35 |
36 | ```json
37 | {
38 | "CAKeyFile": "/opt/cvesync/etc/ca.crt",
39 | "BlackList": "/opt/cvesync/etc/blacklist.txt",
40 | "FeedURL": "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz",
41 | "CWEfile": "/opt/cvesync/etc/cwec_v2.8.xml",
42 | "DBFile": "/opt/cvesync/var/cvesync.sqlite"
43 | }
44 | ```
45 |
46 | The CAKeyFile points to the CA certificate chain used to validate the TLS certificate of NVD's server. Before you run cvesync, verify that both the chain and the FeedURL are correct and current. Note that the ca.crt shipped in this repository appears to bundle a specific nvd.nist.gov server certificate (with a 2015 expiry) together with its VeriSign issuer chain; server certificates are rotated regularly, so this file must be refreshed or replaced with the current issuing CA's certificates, otherwise feed downloads will start failing at the next rotation.
47 |
48 | ### Jira
49 |
50 | Jira specific options can be found from /opt/cvesync/etc/jira.json:
51 |
52 | ```json
53 | {
54 | "BaseURL": "http://dev.localdomain:8080",
55 | "CAFile": "/opt/cvesync/etc/ca.crt",
56 | "Username": "admin",
57 | "Password": "password",
58 | "Project": "10000",
59 | "Issuetype": "10000",
60 | "TemplateFile": "/opt/cvesync/etc/jira.templ",
61 | "HighPriority": "2",
62 | "MediumPriority": "3",
63 | "LowPriority": "4"
64 | }
65 | ```
66 |
67 | It is recommended that you create a separate user, project, priorities, and issue type in Jira. The account only needs permission to create and edit issues in that project (cvesync calls only the create-issue and edit-issue REST endpoints), so do not reuse an administrator account as in the example above. It is also worth evaluating different workflows for the vulnerability issue type. Finally, make sure that the description field renderer is the Wiki Style Renderer instead of the Default Text Renderer, since the generated description uses wiki markup.
68 |
69 | If the BaseURL starts with https, the server's certificate is checked only against the CA certificates supplied in CAFile (the system trust store is not consulted), so CAFile must contain the issuing chain of the Jira server. With a plain http BaseURL, as in the example above, the requests and their HTTP Basic authentication credentials are sent unencrypted; use https for anything beyond a local test setup.
70 |
71 | ### RT
72 |
73 | In order to synchronize to RT, you will have to switch the tracker from Jira to RT by modifying main.go before building and installing the application:
74 |
75 | ```go
76 | func main() {
77 | // ...
78 | //ts := tracker.Jira{}
79 | ts := tracker.RT{}
80 | }
81 | ```
82 |
83 | RT specific options can be found from /opt/cvesync/etc/rt.json:
84 |
85 | ```json
86 | {
87 | "BaseURL": "http://dev.localdomain",
88 | "CAFile": "/opt/cvesync/etc/ca.crt",
89 | "Username": "root",
90 | "Password": "password",
91 | "Queue": "3",
92 | "TemplateFile": "/opt/cvesync/etc/rt.templ",
93 | "HighPriority": "100",
94 | "MediumPriority": "50",
95 | "LowPriority": "10"
96 | }
97 |
98 | ```
99 |
100 | If the BaseURL starts with https, the server's certificate is checked only against the CA certificates supplied in CAFile (the system trust store is not consulted), so CAFile must contain the issuing chain of the RT server. With a plain http BaseURL, as in the example above, the login form (user name and password) and all ticket data are sent unencrypted; use https for anything beyond a local test setup.
101 |
102 | ### Blacklisting
103 |
104 | To reduce the amount of unwanted noise, it is possible to blacklist CVEs by product (CPE) strings. To use this feature, add the blacklisted strings to /opt/cvesync/etc/blacklist.txt, one per line; as the example below shows, a listed string matches any product identifier that contains it. For example, to suppress all CVEs targeting IBM's Java SDK:
105 |
106 | ```
107 | :ibm:java_sdk:
108 | ```
109 |
110 | The previous would match for example "cpe:/a:ibm:java_sdk:6.0.11.0::\~\~technology\~\~", and the CVE information would not be synchronized.
111 |
112 | For more information on product strings, please see [Official Common Platform Enumeration (CPE) Dictionary](https://nvd.nist.gov/cpe.cfm).
113 |
114 | SELinux
115 | -------
116 |
117 | A simple SELinux policy is included. To install it, use make:
118 |
119 | ```sh
120 | sudo make selinux
121 | ```
122 |
123 | Running
124 | -------
125 |
126 | NVD's CVE feeds are updated at most once every two hours. Running cvesync once a day from cron is usually sufficient, for example:
127 |
128 | ```sh
129 | 0 5 * * * /opt/cvesync/bin/cvesync
130 | ```
131 |
132 | Notes
133 | -----
134 |
135 | * NVD recommends classifying CVEs on a Low-Medium-High scale: vulnerabilities with a CVSS base score of 7.0-10.0 are High, 4.0-6.9 are Medium, and 0-3.9 are Low. Cvesync applies these thresholds when choosing the ticket priority; entries that do not have a CVSS score yet are filed as Medium.
136 | * CWE xml can be downloaded from http://cwe.mitre.org/data/index.html#downloads . It doesn't update very often.
137 | * There is an interface (*Tracker*) for implementing other issue management systems
138 | * Logging is done to syslog facility DAEMON. If it is not meaningful to recover, the application panics.
139 | * If you need more complex logic for handling incoming CVEs you might want to take a look at [JIRA Automation Plugin](https://marketplace.atlassian.com/plugins/com.atlassian.plugin.automation.jira-automation-plugin)
140 |
141 |
--------------------------------------------------------------------------------
/ca.crt:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIFVTCCBD2gAwIBAgIQc2F4U2xwSGt6m6UFglUbxjANBgkqhkiG9w0BAQsFADCB
3 | tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
4 | ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
5 | YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
6 | VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMzA3
7 | MDAwMDAwWhcNMTUwMzA3MjM1OTU5WjCBljELMAkGA1UEBhMCVVMxETAPBgNVBAgT
8 | CE1hcnlsYW5kMRUwEwYDVQQHFAxHYWl0aGVyc2J1cmcxNzA1BgNVBAoULk5hdGlv
9 | bmFsIEluc3RpdHV0ZSBvZiBTdGFuZGFyZHMgYW5kIFRlY2hub2xvZ3kxDTALBgNV
10 | BAsUBE9JU00xFTATBgNVBAMUDG52ZC5uaXN0LmdvdjCCASIwDQYJKoZIhvcNAQEB
11 | BQADggEPADCCAQoCggEBAKnbySJmo6SACNrgoyZnoJSUxmsGI/ZHnfNfK6iI+H6/
12 | K8+ypEGiWhySrlhKPIs8L2FJ/pKGyKjqosXwSTkQE7QTX8AcBOBCyE4DuU9GWWpm
13 | XsKHK12M3fwnGU8ReyOg1IZNTp2qvK4fGpHUQerwcx6iRxvm99K5SImb1gSb7L1q
14 | Kh2V1Z13/Xo4AbglhTjlNH/S5aXt1QRFAO7VVdESYzNYhJ71HGlperlhxl1rBAtE
15 | uPIp8VD+lZnRAQjt/fMcZdyIHjvGlZJ3/vLi02ut/KSy3HHvEX5MLdCkLNuda7Hm
16 | VJOXH/FKpGZ3OvEBRtZ58kPY/sjM7BdUuOFVJ34vxcsCAwEAAaOCAXwwggF4MBcG
17 | A1UdEQQQMA6CDG52ZC5uaXN0LmdvdjAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIF
18 | oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwQwYDVR0gBDwwOjA4Bgpg
19 | hkgBhvhFAQc2MCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNv
20 | bS9jcHMwHwYDVR0jBBgwFoAUDURcFlNEwYJ+HSCrJfQBY9i+eaUwRQYDVR0fBD4w
21 | PDA6oDigNoY0aHR0cDovL1NWUlNlY3VyZS1HMy1jcmwudmVyaXNpZ24uY29tL1NW
22 | UlNlY3VyZUczLmNybDB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6
23 | Ly9vY3NwLnZlcmlzaWduLmNvbTBABggrBgEFBQcwAoY0aHR0cDovL1NWUlNlY3Vy
24 | ZS1HMy1haWEudmVyaXNpZ24uY29tL1NWUlNlY3VyZUczLmNlcjANBgkqhkiG9w0B
25 | AQsFAAOCAQEADDVGYSh+jRDrYj9LaDbzxSigqUO1wdswVXq+Jm+PIlEQNzStmPYe
26 | CgBrU0JU/gfikIuc/9a6rx0a+9nfq67SJcIfc5X8K1lHZnQvoCGm7okKVlMYc/GV
27 | vEPnuXRDtDwd9TIbDjPE4U8byyCzJgnL5wMiqnJPo9+ICANKvXHXPp07hf2C0ar8
28 | 1chXCTtOufoFtww1g/JOYfjMkF+QDGWYuwLf6JYSYMzEqR2q+GDCh1sVZftZOrv3
29 | ZYSbDlFs2FL0XWGlXPctZ4jLvkhloGo9GnS6xkLfU25GQqF0x195IBBY0c/R4Vfr
30 | fUxBaCeaTzW26vd9VrB6OIEJr5m8Gt3Vfw==
31 | -----END CERTIFICATE-----
32 | -----BEGIN CERTIFICATE-----
33 | MIIFlTCCBH2gAwIBAgIQLP62CQ7ireLp/CI3JPG2vzANBgkqhkiG9w0BAQUFADCB
34 | yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
35 | ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMTk5OSBWZXJp
36 | U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
37 | ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
38 | aG9yaXR5IC0gRzMwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtTEL
39 | MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
40 | ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
41 | aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVy
42 | aVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwggEiMA0GCSqGSIb3
43 | DQEBAQUAA4IBDwAwggEKAoIBAQCxh4QfwgxF9byrJZenraI+nLr2wTm4i8rCrFbG
44 | 5btljkRPTc5v7QlK1K9OEJxoiy6Ve4mbE8riNDTB81vzSXtig0iBdNGIeGwCU/m8
45 | f0MmV1gzgzszChew0E6RJK2GfWQS3HRKNKEdCuqWHQsV/KNLO85jiND4LQyUhhDK
46 | tpo9yus3nABINYYpUHjoRWPNGUFP9ZXse5jUxHGzUL4os4+guVOc9cosI6n9FAbo
47 | GLSa6Dxugf3kzTU2s1HTaewSulZub5tXxYsU5w7HnO1KVGrJTcW/EbGuHGeBy0RV
48 | M5l/JJs/U0V/hhrzPPptf4H1uErT9YU3HLWm0AnkGHs4TvoPAgMBAAGjggGIMIIB
49 | hDASBgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4RQEHFwMw
50 | VjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAqBggr
51 | BgEFBQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMA4GA1UdDwEB
52 | /wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYwITAf
53 | MAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9nby52
54 | ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjAoBgNVHREEITAfpB0wGzEZMBcGA1UEAxMQ
55 | VmVyaVNpZ25NUEtJLTItNjAdBgNVHQ4EFgQUDURcFlNEwYJ+HSCrJfQBY9i+eaUw
56 | NAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2NybC52ZXJpc2lnbi5jb20vcGNhMy1n
57 | My5jcmwwDQYJKoZIhvcNAQEFBQADggEBAHREFQzFWA4YY+3z8CjDeuuSSG/ghSBJ
58 | olwwlpIX4IjoeYuzT864Hzk2tTeEeODf4YFIVsSxah8nUsGdpgVTUGPPoUJOMXvn
59 | 8wJeBSlUDXBwv3td5XbPIPXHy6vmIS6phYRetZUgq1CDTI/pvtWZKXTGM/eYXlLF
60 | 6QDvXevUHQjfb3cqQvfLljws85xLxbNFmz7cy9YmiLOd5n+gFC6X5hzSDO7+DDMi
61 | o//+4Q/nk/UId1UCsobqYWVmqs017AmyiAPO/v3sGncYYQY2BMYgla74dZfeDNu4
62 | MXA68Mb6ZdlkhGEmZYVBcOmkaKs+P+SggTofsK27BlpugAtNWjEy5JY=
63 | -----END CERTIFICATE-----
64 | -----BEGIN CERTIFICATE-----
65 | MIIEOzCCA6SgAwIBAgIQSsnqCI7m94zHpfn6OaSTljANBgkqhkiG9w0BAQUFADBf
66 | MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
67 | LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
68 | HhcNMTEwNjA5MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
69 | FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
70 | dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMTk5OSBWZXJpU2lnbiwgSW5jLiAtIEZv
71 | ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
72 | IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzMwggEi
73 | MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLupxS/HgfGh5vGzdzvfjJa5QS
74 | ME/wNkf10JEK9RfIpWHBFkBN+4phkOV2IMERBn2rLG6m9RFBjvotrSphWaRnJkzQ
75 | 6LxSW3AgBFjResmkabyDF2StBYu80FjOjYz16/BCSQudlydnMm7hrpMVHHC8IE0v
76 | GN6SiOhshVcRGul+4yYRVKJFllWDyjCJ6NzYo+0qgD9/eWVXPhUgZggvlZO/qkcv
77 | qEaX8BLi/sIKK1Hmdua3RrfiDabMqMNMWVWJ5uhTXBzqnfBiFgunyV8M8N7Cds6v
78 | 92ry+kGmojMUyeV6Y9OeYjfVhWWeDuZTJHQbXh0SU1vHLOeDSTsVropouVeXAgMB
79 | AAGjggEGMIIBAjAPBgNVHRMBAf8EBTADAQH/MD0GA1UdIAQ2MDQwMgYEVR0gADAq
80 | MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMDEGA1Ud
81 | HwQqMCgwJqAkoCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4G
82 | A1UdDwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9n
83 | aWYwITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8v
84 | bG9nby52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjANBgkqhkiG9w0BAQUFAAOBgQBl
85 | 2Sr58sJgybnqQQfKNrcYL2iu/gMk5mdU7nTDLNn1M8Fetw6Tz3iejrImFBFT0cjC
86 | EiG0PXsq2BzUS2TsiU+/lYeH3pVk9HPGF9+9GZCX6GmBEmlmStMkQA5ZdRWwRHQX
87 | op4GYNOwg7jdL+afe2dcFqFH284ueQXZ8fT4PuJKoQ==
88 | -----END CERTIFICATE-----
89 | -----BEGIN CERTIFICATE-----
90 | MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
91 | A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
92 | cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
93 | MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
94 | BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
95 | YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
96 | ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
97 | BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
98 | I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
99 | CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
100 | lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
101 | AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
102 | -----END CERTIFICATE-----
103 |
--------------------------------------------------------------------------------
/tracker/jira.go:
--------------------------------------------------------------------------------
1 | package tracker
2 |
import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"net/http"
	"strconv"
	"strings"
	"text/template"
	"time"
	"unicode/utf8"

	"github.com/blackjack/syslog"
	"github.com/mikkolehtisalo/cvesync/nvd"
)
18 |
// Jira is the issue tracker backend for Atlassian Jira. The exported fields
// are populated by Init from /opt/cvesync/etc/jira.json (matched by field
// name, so the JSON keys are the field names); Template is built at runtime.
type Jira struct {
BaseURL string // e.g. "https://jira.example.com"; a plain http URL sends the Basic auth credentials unencrypted
CAFile string // PEM bundle used to verify the server certificate when BaseURL is https
Username string // Jira account used for HTTP Basic authentication
Password string // stored in plaintext in the settings file; keep that file readable by the cvesync user only
Project string // numeric id of the target Jira project
Issuetype string // numeric id of the issue type to create
TemplateFile string // text/template file rendering the issue description from an nvd.Entry
HighPriority string // Jira priority id used for CVSS base score >= 7.0
MediumPriority string // Jira priority id used for CVSS base score >= 4.0 (and for entries without a score)
LowPriority string // Jira priority id used otherwise
Template *template.Template // parsed TemplateFile, set by Init
}
32 |
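// Init loads the Jira settings from /opt/cvesync/etc/jira.json and parses the
// description template named in them. Failures are logged to syslog and then
// panic: without valid settings there is nothing sensible left to do.
//
// The settings file holds the tracker password in plaintext (see README), so
// its filesystem permissions should be restricted to the cvesync user.
func (j *Jira) Init() {
	// Loading Jira related settings
	b, err := ioutil.ReadFile("/opt/cvesync/etc/jira.json")
	if err != nil {
		syslog.Errf("Unable to read Jira settings file: %v", err)
		panic(err)
	}

	// j is already a pointer; unmarshal straight into the struct.
	err = json.Unmarshal(b, j)
	if err != nil {
		syslog.Errf("Unable to unmarshal Jira settings json: %v", err)
		panic(err)
	}

	funcMap := template.FuncMap{
		"escape_text": escape_text,
	}

	// Read the template file and Parse its contents rather than calling
	// ParseFiles: ParseFiles names the parsed template after the file's base
	// name, so the template was only executable if the configured
	// TemplateFile happened to be called "jira.templ".
	templ, err := ioutil.ReadFile(j.TemplateFile)
	if err != nil {
		syslog.Errf("Unable to read Jira template file: %v", err)
		panic(err)
	}

	j.Template, err = template.New("jira.templ").Funcs(funcMap).Parse(string(templ))
	if err != nil {
		syslog.Errf("Unable to parse Jira template file: %v", err)
		panic(err)
	}
}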
58 |
// escape_text backslash-escapes the characters "[", "]" and "~", which a few
// CVE descriptions contain and which Jira's wiki renderer would otherwise
// interpret as markup and break the issue's text formatting.
func escape_text(s string) string {
	replacer := strings.NewReplacer(
		"[", "\\[",
		"]", "\\]",
		"~", "\\~",
	)
	return replacer.Replace(s)
}
67 |
// build_description renders the Jira issue description for e by executing the
// template loaded in Init. A template execution error is logged and treated
// as fatal (panic), consistent with the rest of the initialisation path.
func (j Jira) build_description(e nvd.Entry) string {
	var out bytes.Buffer
	if err := j.Template.Execute(&out, e); err != nil {
		syslog.Errf("Unable to execute Jira template file: %v", err)
		panic(err)
	}
	return out.String()
}
79 |
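// build_ticket populates the JSON request body for a Jira issue from an NVD
// entry.
//
// The summary is "<CVE id>: <summary>", cut to at most 200 bytes plus "..."
// (Jira's default summary limit is 255 characters). The cut is made on a
// UTF-8 rune boundary so a multi-byte character in an NVD summary is never
// split in half, which would put invalid UTF-8 into the JSON payload.
//
// Priority follows the NVD recommendation also given in the README: CVSS base
// score >= 7.0 is High, >= 4.0 Medium, otherwise Low. Entries without a
// parseable CVSS score (common for fresh CVEs) are treated as Medium.
//
// The error result is always nil today; it is kept for the Tracker interface.
func (j Jira) build_ticket(e nvd.Entry) (JiraTicket, error) {
	ticket := JiraTicket{}
	ticket.Fields.Summary = truncate_summary(fmt.Sprintf("%v: %v", e.Id, e.Summary), 200)
	ticket.Fields.Issuetype.Id = j.Issuetype
	ticket.Fields.Project.Id = j.Project
	ticket.Fields.Description = j.build_description(e)

	// Priority
	score, err := strconv.ParseFloat(e.CVSS.Score, 64)
	if err != nil {
		// Some CVEs have no CVSS score set yet, this is ok!
		// Default to 4.0 => medium.
		score = 4.0
	}
	switch {
	case score >= 7.0:
		ticket.Fields.Priority.Id = j.HighPriority
	case score >= 4.0:
		ticket.Fields.Priority.Id = j.MediumPriority
	default:
		ticket.Fields.Priority.Id = j.LowPriority
	}

	return ticket, nil
}

// truncate_summary returns s unchanged when it fits in max bytes; otherwise it
// returns the longest prefix of at most max bytes that ends on a UTF-8 rune
// boundary, followed by "...".
func truncate_summary(s string, max int) string {
	if len(s) <= max {
		return s
	}
	cut := max
	// Step back over UTF-8 continuation bytes so a rune is never split.
	for cut > 0 && !utf8.RuneStart(s[cut]) {
		cut--
	}
	return s[:cut] + "..."
}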
111 |
// Add creates a new Jira issue for e and returns the numeric issue id that
// Jira reports back in its response.
func (j Jira) Add(e nvd.Entry) (string, error) {
	ticket, err := j.build_ticket(e)
	if err != nil {
		return "", err
	}

	payload, err := json.Marshal(ticket)
	if err != nil {
		return "", err
	}

	return jira_request("POST", j.BaseURL+"/rest/api/2/issue", j.CAFile, j.Username, j.Password, string(payload))
}
127 |
// Update overwrites the fields of the existing Jira issue ticketid (Jira's
// numeric id, as returned by Add) with freshly built values for e.
func (j Jira) Update(e nvd.Entry, ticketid string) error {
	ticket, err := j.build_ticket(e)
	if err != nil {
		return err
	}

	payload, err := json.Marshal(ticket)
	if err != nil {
		return err
	}

	// PUT returns no body of interest; only the error matters.
	_, err = jira_request("PUT", j.BaseURL+"/rest/api/2/issue/"+ticketid, j.CAFile, j.Username, j.Password, string(payload))
	return err
}
143 |
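// Time limit for a single Jira API call, covering connection setup, the
// request and reading the response. Without it a stalled server would hang
// the cron-driven sync forever.
const jira_request_timeout = 60 * time.Second

// jira_request performs one Jira REST call.
//
// reqtype is the HTTP method ("POST" creates, "PUT" updates), path the full
// URL and jsonstr the request body. The call authenticates with HTTP Basic
// auth using username and password. When path is https, the server
// certificate is verified against the PEM certificates in cafile only (the
// system roots are not consulted); for plain http no TLS is used and the
// credentials travel in the clear, so https is strongly preferred outside of
// local testing.
//
// Any status outside 2xx is returned as an error. For POST the "id" field of
// Jira's JSON response is returned; for other methods the result is "".
func jira_request(reqtype string, path string, cafile string, username string, password string, jsonstr string) (string, error) {
	client := &http.Client{Timeout: jira_request_timeout}

	// If https, add CA certificate checking
	if strings.HasPrefix(path, "https://") {
		cacert, err := ioutil.ReadFile(cafile)
		if err != nil {
			return "", fmt.Errorf("reading CA file %q: %v", cafile, err)
		}
		capool := x509.NewCertPool()
		// An unparseable CA file would otherwise leave the pool empty and every
		// handshake failing with an unhelpful "unknown authority" error.
		if !capool.AppendCertsFromPEM(cacert) {
			return "", errors.New("CA file " + cafile + " contains no PEM certificates")
		}

		// Check the server certificate against the configured CA chain.
		// NOTE(review): no MinVersion is pinned, so the Go toolchain default
		// applies (TLS 1.0 on older releases); consider tls.VersionTLS12.
		client.Transport = &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: capool},
		}
	}

	// Build request..
	req, err := http.NewRequest(reqtype, path, strings.NewReader(jsonstr))
	if err != nil {
		return "", err
	}

	// Without application/json Jira returns 415
	req.Header.Set("Content-Type", "application/json")
	// Basic Authentication
	req.SetBasicAuth(username, password)

	// Request!
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	// Close the body on every path, including error statuses and PUT, so the
	// connection is never leaked.
	defer resp.Body.Close()

	// If not successful, return with statuscode
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return "", fmt.Errorf("Response contained %v", resp.StatusCode)
	}

	// Only POST returns something meaningful
	if reqtype != "POST" {
		return "", nil
	}

	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}

	jira_response := Jira_Response{}
	if err := json.Unmarshal(body, &jira_response); err != nil {
		return "", err
	}
	return jira_response.Id, nil
}

// JiraTicket is the body of a Jira REST create-issue / edit-issue request.
type JiraTicket struct {
	Fields Field `json:"fields"`
}

// Field holds the issue fields cvesync sets: project, summary, issue type,
// priority and description.
type Field struct {
	Project     Project_field   `json:"project"`
	Summary     string          `json:"summary"`
	Issuetype   Issuetype_field `json:"issuetype"`
	Priority    Priority_field  `json:"priority"`
	Description string          `json:"description"`
}

// Project_field references a Jira project by its numeric id (as a string),
// which is how the REST API expects it.
type Project_field struct {
	Id string `json:"id"`
}

// Issuetype_field references a Jira issue type by its numeric id.
type Issuetype_field struct {
	Id string `json:"id"`
}

// Priority_field references a Jira priority by its numeric id.
type Priority_field struct {
	Id string `json:"id"`
}

// Jira_Response is the subset of Jira's create-issue response that cvesync
// reads: the new issue's id, key and REST URL.
type Jira_Response struct {
	Id   string `json:"id"`
	Key  string `json:"key"`
	Self string `json:"self"`
}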
239 |
--------------------------------------------------------------------------------
/tracker/rt.go:
--------------------------------------------------------------------------------
1 | package tracker
2 |
import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"regexp"
	"strconv"
	"strings"
	"text/template"
	"time"
	"unicode/utf8"

	"github.com/blackjack/syslog"
	"github.com/mikkolehtisalo/cvesync/nvd"
)
21 |
// RT is the issue tracker backend for Request Tracker, driven through its
// REST 1.0 interface. The exported fields are populated by Init from
// /opt/cvesync/etc/rt.json (matched by field name); Template is built at
// runtime.
type RT struct {
BaseURL string // e.g. "https://rt.example.com"; the login form is posted here, so a plain http URL sends the password unencrypted
CAFile string // PEM bundle used to verify the server certificate when BaseURL is https
Username string // RT login name
Password string // stored in plaintext in the settings file; keep that file readable by the cvesync user only
Queue string // RT queue new tickets are created in
HighPriority string // RT priority value used for CVSS base score >= 7.0
MediumPriority string // RT priority value used for CVSS base score >= 4.0 (and for entries without a score)
LowPriority string // RT priority value used otherwise
TemplateFile string // text/template file rendering the ticket text from an nvd.Entry
Template *template.Template // parsed TemplateFile, set by Init
}
34 |
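// Init loads the RT settings from /opt/cvesync/etc/rt.json and parses the
// ticket text template named in them. Failures are logged to syslog and then
// panic, as there is nothing useful to do without valid settings.
//
// The settings file holds the RT password in plaintext (see README), so its
// filesystem permissions should be restricted to the cvesync user.
func (rt *RT) Init() {
	// Loading RT related settings
	b, err := ioutil.ReadFile("/opt/cvesync/etc/rt.json")
	if err != nil {
		syslog.Errf("Unable to read RT settings file: %v", err)
		panic(err)
	}

	// rt is already a pointer; unmarshal straight into the struct.
	err = json.Unmarshal(b, rt)
	if err != nil {
		syslog.Errf("Unable to unmarshal RT settings json: %v", err)
		panic(err)
	}

	// Read the template file and Parse its contents rather than calling
	// ParseFiles: ParseFiles names the parsed template after the file's base
	// name, so the template was only executable if the configured
	// TemplateFile happened to be called "rt.templ".
	templ, err := ioutil.ReadFile(rt.TemplateFile)
	if err != nil {
		syslog.Errf("Unable to read RT template file: %v", err)
		panic(err)
	}

	rt.Template, err = template.New("rt.templ").Parse(string(templ))
	if err != nil {
		syslog.Errf("Unable to parse RT template file: %v", err)
		panic(err)
	}
}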
55 |
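// authenticate logs in to RT with the configured username and password by
// posting the login form to BaseURL, leaving RT's session cookie in jar for
// the subsequent REST calls.
//
// When BaseURL is https the server certificate is verified against the PEM
// certificates in CAFile, the same way rt_request does; previously this
// request - the one carrying the password - used a plain client that ignored
// CAFile. With a plain http BaseURL the credentials are sent unencrypted.
//
// Success is inferred from at least one cookie having been set for BaseURL
// (a heuristic inherited from the original implementation). A malformed
// BaseURL is a configuration error and panics.
func (rt RT) authenticate(jar *cookiejar.Jar) error {
	// Parse BaseURL first: there is no point in sending credentials to a URL
	// we cannot even parse, and it is needed for the cookie lookup below.
	base, err := url.Parse(rt.BaseURL)
	if err != nil {
		syslog.Errf("Unable to parse BaseURL: %v", err)
		panic(err)
	}

	// Bounded so a stalled RT cannot hang the cron-driven sync forever.
	client := &http.Client{Jar: jar, Timeout: 60 * time.Second}
	if strings.HasPrefix(rt.BaseURL, "https://") {
		cacert, err := ioutil.ReadFile(rt.CAFile)
		if err != nil {
			syslog.Errf("Unable to read CA file: %v", err)
			return err
		}
		capool := x509.NewCertPool()
		// An unparseable CA file would otherwise leave the pool empty and the
		// handshake failing with an unhelpful "unknown authority" error.
		if !capool.AppendCertsFromPEM(cacert) {
			return errors.New("CA file " + rt.CAFile + " contains no PEM certificates")
		}
		client.Transport = &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: capool},
		}
	}

	data := url.Values{}
	data.Add("user", rt.Username)
	data.Add("pass", rt.Password)

	resp, err := client.PostForm(rt.BaseURL, data)
	if err != nil {
		return fmt.Errorf("posting RT login form: %v", err)
	}
	// The login page body is not needed, but the connection must be released.
	resp.Body.Close()

	// Check that we got back at least one cookie -> probably successful authentication!
	// Alternatively could check that RT_SID_url.80 exists
	if len(jar.Cookies(base)) < 1 {
		return errors.New("Authentication to RT failed!")
	}

	return nil
}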
81 |
// RTTicket holds the values written into RT's line-oriented REST 1.0
// "content" form: Subject, Queue and Priority become "Key: value" lines and
// Text (already indented by build_ticket) the multi-line ticket body.
type RTTicket struct {
Subject string // "<CVE id>: <summary>", truncated
Queue string // RT queue, from the settings
Priority string // RT priority value derived from the CVSS score
Text string // rendered template, every line prefixed with a space
}
88 |
// indent_text prefixes every line of s with a single space, because RT's
// REST 1.0 content format requires the lines of a multi-line value to be
// indented. An empty string yields a single space (one empty, indented line).
func indent_text(s string) string {
	// Prefixing each line equals prefixing the start and every line break.
	return " " + strings.Replace(s, "\n", "\n ", -1)
}
97 |
// build_text renders the RT ticket text for e by executing the template
// loaded in Init. A template execution error is logged and treated as fatal
// (panic), consistent with the rest of the initialisation path.
func (rt RT) build_text(e nvd.Entry) string {
	var out bytes.Buffer
	if err := rt.Template.Execute(&out, e); err != nil {
		syslog.Errf("Unable to execute RT template file: %v", err)
		panic(err)
	}
	return out.String()
}
109 |
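// build_ticket assembles the RT ticket fields for an NVD entry.
//
// Subject is "<CVE id>: <summary>" with any CR/LF flattened to spaces and cut
// to at most 200 bytes plus "..." on a UTF-8 rune boundary (RT's subject
// limit is believed to be 255). Queue comes from the settings. Priority
// follows the NVD recommendation also given in the README: CVSS base score
// >= 7.0 -> HighPriority, >= 4.0 -> MediumPriority, otherwise LowPriority;
// entries without a parseable score (common for fresh CVEs) count as Medium.
// Text is the rendered template, indented so RT reads it as one multi-line
// value.
//
// The error result is always nil today; it is kept for the Tracker interface.
func (rt RT) build_ticket(e nvd.Entry) (RTTicket, error) {
	ticket := RTTicket{}

	// The subject becomes a single "Subject: ..." line of RT's line-oriented
	// REST content. The NVD data is not under our control, and a CR/LF inside
	// it would be read by RT as the start of another field, so line breaks
	// are replaced by spaces before the length cut.
	subject := fmt.Sprintf("%v: %v", e.Id, e.Summary)
	subject = strings.NewReplacer("\r\n", " ", "\r", " ", "\n", " ").Replace(subject)
	ticket.Subject = truncate_subject(subject, 200)
	ticket.Queue = rt.Queue

	// Priority
	score, err := strconv.ParseFloat(e.CVSS.Score, 64)
	if err != nil {
		// Some CVEs have no CVSS score set yet, this is ok!
		// Default to 4.0 => medium.
		score = 4.0
	}
	switch {
	case score >= 7.0:
		ticket.Priority = rt.HighPriority
	case score >= 4.0:
		ticket.Priority = rt.MediumPriority
	default:
		ticket.Priority = rt.LowPriority
	}

	ticket.Text = indent_text(rt.build_text(e))

	return ticket, nil
}

// truncate_subject returns s unchanged when it fits in max bytes; otherwise it
// returns the longest prefix of at most max bytes that ends on a UTF-8 rune
// boundary, followed by "...".
func truncate_subject(s string, max int) string {
	if len(s) <= max {
		return s
	}
	cut := max
	// Step back over UTF-8 continuation bytes so a rune is never split.
	for cut > 0 && !utf8.RuneStart(s[cut]) {
		cut--
	}
	return s[:cut] + "..."
}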
140 |
// Add authenticates to RT, builds a ticket from e and creates it through the
// REST 1.0 "ticket/new" endpoint, returning the new ticket's numeric id (or
// "" if RT's response did not contain one).
func (rt RT) Add(e nvd.Entry) (string, error) {
	// Each operation gets its own session cookie jar.
	jar, err := cookiejar.New(nil)
	if err != nil {
		syslog.Errf("Unable to create cookie jar: %v", err)
		panic(err)
	}
	if err = rt.authenticate(jar); err != nil {
		syslog.Errf("%v", err)
		return "", err
	}

	ticket, err := rt.build_ticket(e)
	if err != nil {
		return "", err
	}

	// RT's REST 1.0 content format: "Key: value" lines; the Text value is
	// already indented by build_ticket so its lines read as one value.
	content := fmt.Sprintf("id: ticket/new\nQueue: %v\nSubject: %v\nPriority: %v\nText:%v\n",
		ticket.Queue, ticket.Subject, ticket.Priority, ticket.Text)

	return rt_request("POST", rt.BaseURL+"/REST/1.0/ticket/new", rt.CAFile, jar, content)
}
166 |
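// Time limit for a single RT REST call, covering connection setup, the
// request and reading the response. Without it a stalled server would hang
// the cron-driven sync forever.
const rt_request_timeout = 60 * time.Second

// rt_ticket_created_re matches RT's confirmation line for a freshly created
// ticket, e.g. "# Ticket 1234 created.". Compiled once, not per response.
var rt_ticket_created_re = regexp.MustCompile(`# Ticket (\d+) created.`)

// rt_request performs one RT REST 1.0 call.
//
// reqtype is the HTTP method, path the full URL and ticket the RT "content"
// payload, which is sent as a form field. jar must hold the session cookie
// obtained by authenticate. When path is https, the server certificate is
// verified against the PEM certificates in cafile only (the system roots are
// not consulted); with plain http the ticket data travels in the clear.
//
// A non-2xx HTTP status is returned as an error. Otherwise the ticket id
// announced in the response body is returned, or "" when there is none
// (edits and comments produce no id).
//
// NOTE(review): RT also reports its own outcome on the first body line
// (believed to look like "RT/4.x.y 200 Ok"); parsing that status would catch
// rejected edits/comments, which currently return "" and a nil error.
func rt_request(reqtype string, path string, cafile string, jar *cookiejar.Jar, ticket string) (string, error) {
	client := &http.Client{Jar: jar, Timeout: rt_request_timeout}

	// If https, add CA certificate checking
	if strings.HasPrefix(path, "https://") {
		cacert, err := ioutil.ReadFile(cafile)
		if err != nil {
			return "", fmt.Errorf("reading CA file %q: %v", cafile, err)
		}
		capool := x509.NewCertPool()
		// An unparseable CA file would otherwise leave the pool empty and every
		// handshake failing with an unhelpful "unknown authority" error.
		if !capool.AppendCertsFromPEM(cacert) {
			return "", errors.New("CA file " + cafile + " contains no PEM certificates")
		}

		// Check the server certificate against the configured CA chain.
		client.Transport = &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: capool},
		}
	}

	data := url.Values{}
	data.Add("content", ticket)

	req, err := http.NewRequest(reqtype, path, strings.NewReader(data.Encode()))
	if err != nil {
		return "", err
	}

	// We are handling "form"
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	// Make RT's anti-XSS (referrer check) happy
	req.Header.Set("Referer", path)

	// Request!
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()

	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}

	// A non-2xx status (auth redirect, proxy, server error) must not be
	// mistaken for a successful call that merely produced no ticket id.
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return "", fmt.Errorf("RT responded with HTTP status %v", resp.StatusCode)
	}

	return get_ticket_id(string(body)), nil
}

// get_ticket_id extracts the ticket number from RT's REST response body
// ("# Ticket NNN created."). If several such lines exist the last one wins,
// as before; "" is returned when none is present.
func get_ticket_id(body string) string {
	matches := rt_ticket_created_re.FindAllStringSubmatch(body, -1)
	if len(matches) == 0 {
		return ""
	}
	return matches[len(matches)-1][1]
}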
233 |
// Update refreshes the existing RT ticket ticketid with the current data for
// e: Queue, Subject and Priority are set through ticket/<id>/edit, and since
// RT ignores Text on edit the new text is then attached as a comment.
func (rt RT) Update(e nvd.Entry, ticketid string) error {
	// Each operation gets its own session cookie jar.
	jar, err := cookiejar.New(nil)
	if err != nil {
		syslog.Errf("Unable to create cookie jar: %v", err)
		panic(err)
	}
	if err = rt.authenticate(jar); err != nil {
		syslog.Errf("%v", err)
		return err
	}

	ticket, err := rt.build_ticket(e)
	if err != nil {
		return err
	}

	base := rt.BaseURL + "/REST/1.0/ticket/" + ticketid

	edit := fmt.Sprintf("Queue: %v\nSubject: %v\nPriority: %v\nText:%v\n", ticket.Queue, ticket.Subject, ticket.Priority, ticket.Text)
	if _, err = rt_request("POST", base+"/edit", rt.CAFile, jar, edit); err != nil {
		return err
	}

	// For some reason the RT doesn't react to Text on ticket/edit
	// Adding the new text as comment
	comment := fmt.Sprintf("id: %v\nAction: comment\nText:%v\n", ticketid, ticket.Text)
	_, err = rt_request("POST", base+"/comment", rt.CAFile, jar, comment)
	return err
}
268 |
--------------------------------------------------------------------------------
/selinux/tmp/cvesync.tmp:
--------------------------------------------------------------------------------
1 | #line 1 "/usr/share/selinux/devel/include/support/file_patterns.spt"
2 | #
3 | # Directory patterns (dir)
4 | #
5 | # Parameters:
6 | # 1. domain type
7 | # 2. container (directory) type
8 | # 3. directory type
9 | #
10 | #line 12
11 |
12 |
13 | #line 17
14 |
15 |
16 | #line 22
17 |
18 |
19 | #line 27
20 |
21 |
22 | #line 32
23 |
24 |
25 | #line 37
26 |
27 |
28 | #line 42
29 |
30 |
31 | #line 47
32 |
33 |
34 | #line 52
35 |
36 |
37 | #line 57
38 |
39 |
40 | #line 62
41 |
42 |
43 | #line 67
44 |
45 |
46 | #line 72
47 |
48 |
49 | #line 77
50 |
51 |
52 | #
53 | # Regular file patterns (file)
54 | #
55 | # Parameters:
56 | # 1. domain type
57 | # 2. container (directory) type
58 | # 3. file type
59 | #
60 | #line 90
61 |
62 |
63 | #line 95
64 |
65 |
66 | #line 100
67 |
68 |
69 | #line 105
70 |
71 |
72 | #line 110
73 |
74 |
75 | #line 115
76 |
77 |
78 | #line 120
79 |
80 |
81 | #line 125
82 |
83 |
84 | #line 130
85 |
86 |
87 | #line 135
88 |
89 |
90 | #line 140
91 |
92 |
93 | #line 145
94 |
95 |
96 | #line 150
97 |
98 |
99 | #line 155
100 |
101 |
102 | #line 160
103 |
104 |
105 | #
106 | # Symbolic link patterns (lnk_file)
107 | #
108 | # Parameters:
109 | # 1. domain type
110 | # 2. container (directory) type
111 | # 3. file type
112 | #
113 | #line 173
114 |
115 |
116 | #line 178
117 |
118 |
119 | #line 183
120 |
121 |
122 | #line 188
123 |
124 |
125 | #line 193
126 |
127 |
128 | #line 198
129 |
130 |
131 | #line 203
132 |
133 |
134 | #line 208
135 |
136 |
137 | #line 213
138 |
139 |
140 | #line 218
141 |
142 |
143 | #line 223
144 |
145 |
146 | #line 228
147 |
148 |
149 | #line 233
150 |
151 |
152 | #
153 | # (Un)named Pipes/FIFO patterns (fifo_file)
154 | #
155 | # Parameters:
156 | # 1. domain type
157 | # 2. container (directory) type
158 | # 3. file type
159 | #
160 | #line 246
161 |
162 |
163 | #line 251
164 |
165 |
166 | #line 256
167 |
168 |
169 | #line 261
170 |
171 |
172 | #line 266
173 |
174 |
175 | #line 271
176 |
177 |
178 | #line 276
179 |
180 |
181 | #line 281
182 |
183 |
184 | #line 286
185 |
186 |
187 | #line 291
188 |
189 |
190 | #line 296
191 |
192 |
193 | #line 301
194 |
195 |
196 | #line 306
197 |
198 |
199 | #
200 | # (Un)named sockets patterns (sock_file)
201 | #
202 | # Parameters:
203 | # 1. domain type
204 | # 2. container (directory) type
205 | # 3. file type
206 | #
207 | #line 319
208 |
209 |
210 | #line 324
211 |
212 |
213 | #line 329
214 |
215 |
216 | #line 334
217 |
218 |
219 | #line 339
220 |
221 |
222 | #line 344
223 |
224 |
225 | #line 349
226 |
227 |
228 | #line 354
229 |
230 |
231 | #line 359
232 |
233 |
234 | #line 364
235 |
236 |
237 | #line 369
238 |
239 |
240 | #line 374
241 |
242 |
243 | #
244 | # Block device node patterns (blk_file)
245 | #
246 | # Parameters:
247 | # 1. domain type
248 | # 2. container (directory) type
249 | # 3. file type
250 | #
251 | #line 387
252 |
253 |
254 | #line 392
255 |
256 |
257 | #line 397
258 |
259 |
260 | #line 402
261 |
262 |
263 | #line 407
264 |
265 |
266 | #line 412
267 |
268 |
269 | #line 418
270 |
271 |
272 | #line 423
273 |
274 |
275 | #line 428
276 |
277 |
278 | #line 434
279 |
280 |
281 | #line 439
282 |
283 |
284 | #line 444
285 |
286 |
287 | #line 449
288 |
289 |
290 | #
291 | # Character device node patterns (chr_file)
292 | #
293 | # Parameters:
294 | # 1. domain type
295 | # 2. container (directory) type
296 | # 3. file type
297 | #
298 | #line 462
299 |
300 |
301 | #line 467
302 |
303 |
304 | #line 472
305 |
306 |
307 | #line 477
308 |
309 |
310 | #line 482
311 |
312 |
313 | #line 487
314 |
315 |
316 | #line 493
317 |
318 |
319 | #line 498
320 |
321 |
322 | #line 503
323 |
324 |
325 | #line 509
326 |
327 |
328 | #line 514
329 |
330 |
331 | #line 519
332 |
333 |
334 | #line 524
335 |
336 |
337 | #
338 | # File type_transition patterns
339 | #
340 | # filetrans_add_pattern(domain,dirtype,newtype,class(es),[filename])
341 | #
342 | #line 534
343 |
344 |
345 | #
346 | # filetrans_pattern(domain,dirtype,newtype,class(es),[filename])
347 | #
348 | #line 542
349 |
350 |
351 | #line 556
352 |
353 | #line 1 "/usr/share/selinux/devel/include/support/ipc_patterns.spt"
354 | #
355 | # unix domain socket patterns
356 | #
357 | #line 8
358 |
359 |
360 | #line 14
361 |
362 | #line 1 "/usr/share/selinux/devel/include/support/obj_perm_sets.spt"
363 | ########################################
364 | #
365 | # Support macros for sets of object classes and permissions
366 | #
367 | # This file should only have object class and permission set macros - they
368 | # can only reference object classes and/or permissions.
369 |
370 | #
371 | # All directory and file classes
372 | #
373 |
374 |
375 | #
376 | # All non-directory file classes.
377 | #
378 |
379 |
380 | #
381 | # Non-device file classes.
382 | #
383 |
384 |
385 | #
386 | # Device file classes.
387 | #
388 |
389 |
390 | #
391 | # All socket classes.
392 | #
393 |
394 |
395 | #
396 | # Datagram socket classes.
397 | #
398 |
399 |
400 | #
401 | # Stream socket classes.
402 | #
403 |
404 |
405 | #
406 | # Unprivileged socket classes (exclude rawip, netlink, packet).
407 | #
408 |
409 |
410 | ########################################
411 | #
412 | # Macros for sets of permissions
413 | #
414 |
415 | #
416 | # Permissions to mount and unmount file systems.
417 | #
418 |
419 |
420 | #
421 | # Permissions for using sockets.
422 | #
423 |
424 |
425 | #
426 | # Permissions for creating and using sockets.
427 | #
428 |
429 |
430 | #
431 | # Permissions for using stream sockets.
432 | #
433 |
434 |
435 | #
436 | # Permissions for creating and using stream sockets.
437 | #
438 |
439 |
440 | #
441 | # Permissions for creating and using sockets.
442 | #
443 |
444 |
445 | #
446 | # Permissions for creating and using sockets.
447 | #
448 |
449 |
450 |
451 | #
452 | # Permissions for creating and using netlink sockets.
453 | #
454 |
455 |
456 | #
457 | # Permissions for using netlink sockets for operations that modify state.
458 | #
459 |
460 |
461 | #
462 | # Permissions for using netlink sockets for operations that observe state.
463 | #
464 |
465 |
466 | #
467 | # Permissions for sending all signals.
468 | #
469 |
470 |
471 | #
472 | # Permissions for sending and receiving network packets.
473 | #
474 |
475 |
476 | #
477 | # Permissions for using System V IPC
478 | #
479 |
480 |
481 |
482 |
483 |
484 |
485 |
486 |
487 |
488 |
489 | ########################################
490 | #
491 | # New permission sets
492 | #
493 |
494 | #
495 | # Directory (dir)
496 | #
497 |
498 |
499 |
500 |
501 |
502 |
503 |
504 |
505 |
506 |
507 |
508 |
509 |
510 |
511 |
512 | #
513 | # Regular file (file)
514 | #
515 |
516 |
517 |
518 |
519 |
520 |
521 |
522 |
523 |
524 |
525 |
526 |
527 |
528 |
529 |
530 |
531 |
532 |
533 |
534 |
535 | #
536 | # Symbolic link (lnk_file)
537 | #
538 |
539 |
540 |
541 |
542 |
543 |
544 |
545 |
546 |
547 |
548 |
549 |
550 |
551 |
552 | #
553 | # (Un)named Pipes/FIFOs (fifo_file)
554 | #
555 |
556 |
557 |
558 |
559 |
560 |
561 |
562 |
563 |
564 |
565 |
566 |
567 |
568 |
569 |
570 | #
571 | # (Un)named Sockets (sock_file)
572 | #
573 |
574 |
575 |
576 |
577 |
578 |
579 |
580 |
581 |
582 |
583 |
584 |
585 |
586 |
587 | #
588 | # Block device nodes (blk_file)
589 | #
590 |
591 |
592 |
593 |
594 |
595 |
596 |
597 |
598 |
599 |
600 |
601 |
602 |
603 |
604 |
605 | #
606 | # Character device nodes (chr_file)
607 | #
608 |
609 |
610 |
611 |
612 |
613 |
614 |
615 |
616 |
617 |
618 |
619 |
620 |
621 |
622 |
623 | ########################################
624 | #
625 | # Special permission sets
626 | #
627 |
628 | #
629 | # Use (read and write) terminals
630 | #
631 |
632 |
633 |
634 | #
635 | # Sockets
636 | #
637 |
638 |
639 |
640 | #
641 | # Keys
642 | #
643 |
644 |
645 | #
646 | # Service
647 | #
648 |
649 | #line 1 "/usr/share/selinux/devel/include/support/misc_patterns.spt"
650 | #
651 | # Specified domain transition patterns
652 | #
653 | #line 8
654 |
655 |
656 | # compatibility:
657 |
658 |
659 | #line 20
660 |
661 |
662 | #
663 | # Automatic domain transition patterns
664 | #
665 | #line 28
666 |
667 |
668 | # compatibility:
669 |
670 |
671 | #line 39
672 |
673 |
674 | #
675 | # Dynamic transition pattern
676 | #
677 | #line 48
678 |
679 |
680 | #
681 | # Other process permissions
682 | #
683 | #line 58
684 |
685 | #line 1 "/usr/share/selinux/devel/include/support/misc_macros.spt"
686 |
687 | ########################################
688 | #
689 | # Helper macros
690 | #
691 |
692 | #
693 | # shiftn(num,list...)
694 | #
695 | # shift the list num times
696 | #
697 |
698 |
699 | #
700 | # ifndef(expr,true_block,false_block)
701 | #
702 | # m4 does not have this.
703 | #
704 |
705 |
706 | #
707 | # __endline__
708 | #
709 | # dummy macro to insert a newline. used for
710 | # errprint, so the close parentheses can be
711 | # indented correctly.
712 | #
713 | #line 29
714 |
715 |
716 | ########################################
717 | #
718 | # refpolwarn(message)
719 | #
720 | # print a warning message
721 | #
722 |
723 |
724 | ########################################
725 | #
726 | # refpolerr(message)
727 | #
728 | # print an error message. does not
729 | # make anything fail.
730 | #
731 |
732 |
733 | ########################################
734 | #
735 | # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
736 | #
737 | #line 58
738 |
739 |
740 | ########################################
741 | #
742 | # gen_context(context,mls_sensitivity,[mcs_categories])
743 | #
744 | #line 65
745 |
746 | ########################################
747 | #
748 | # can_exec(domain,executable)
749 | #
750 |
751 |
752 | ########################################
753 | #
754 | # gen_bool(name,default_value)
755 | #
756 | #line 78
757 |
758 | #line 1 "/usr/share/selinux/devel/include/support/all_perms.spt"
759 |
760 |
761 |
762 |
763 |
764 |
765 |
766 |
767 |
768 |
769 |
770 |
771 |
772 |
773 |
774 |
775 |
776 |
777 |
778 |
779 |
780 |
781 |
782 |
783 |
784 |
785 |
786 |
787 |
788 |
789 |
790 |
791 |
792 |
793 |
794 |
795 |
796 |
797 |
798 |
799 |
800 |
801 |
802 |
803 |
804 |
805 |
806 |
807 |
808 |
809 |
810 |
811 |
812 |
813 |
814 |
815 |
816 |
817 |
818 |
819 |
820 |
821 |
822 |
823 |
824 |
825 |
826 |
827 |
828 |
829 |
830 |
831 |
832 |
833 |
834 |
835 |
836 |
837 |
838 |
839 |
840 |
841 |
842 |
843 | #line 137
844 |
845 |
846 | #line 172
847 |
848 | #line 1 "/usr/share/selinux/devel/include/support/mls_mcs_macros.spt"
849 | ########################################
850 | #
851 | # gen_cats(N)
852 | #
853 | # declares categores c0 to c(N-1)
854 | #
855 | #line 10
856 |
857 |
858 |
859 |
860 | ########################################
861 | #
862 | # gen_sens(N)
863 | #
864 | # declares sensitivites s0 to s(N-1) with dominance
865 | # in increasing numeric order with s0 lowest, s(N-1) highest
866 | #
867 | #line 24
868 |
869 |
870 |
871 |
872 | #line 34
873 |
874 |
875 | ########################################
876 | #
877 | # gen_levels(N,M)
878 | #
879 | # levels from s0 to (N-1) with categories c0 to (M-1)
880 | #
881 | #line 45
882 |
883 |
884 |
885 |
886 | ########################################
887 | #
888 | # Basic level names for system low and high
889 | #
890 |
891 |
892 |
893 |
894 |
895 | #line 1 "/usr/share/selinux/devel/include/support/loadable_module.spt"
896 | ########################################
897 | #
898 | # Macros for switching between source policy
899 | # and loadable policy module support
900 | #
901 |
902 | ##############################
903 | #
904 | # For adding the module statement
905 | #
906 | #line 30
907 |
908 |
909 | ##############################
910 | #
911 | # For use in interfaces, to optionally insert a require block
912 | #
913 | #line 48
914 |
915 |
916 | # helper function, since m4 wont expand macros
917 | # if a line is a comment (#):
918 | #line 55
919 |
920 | ##############################
921 | #
922 | # In the future interfaces should be in loadable modules
923 | #
924 | # template(name,rules)
925 | #
926 | #line 71
927 |
928 |
929 | ##############################
930 | #
931 | # In the future interfaces should be in loadable modules
932 | #
933 | # interface(name,rules)
934 | #
935 | #line 88
936 |
937 |
938 |
939 |
940 | ##############################
941 | #
942 | # Optional policy handling
943 | #
944 | #line 102
945 |
946 |
947 | ##############################
948 | #
949 | # Determine if we should use the default
950 | # tunable value as specified by the policy
951 | # or if the override value should be used
952 | #
953 |
954 |
955 | ##############################
956 | #
957 | # Extract booleans out of an expression.
958 | # This needs to be reworked so expressions
959 | # with parentheses can work.
960 |
961 | #line 123
962 |
963 |
964 | ##############################
965 | #
966 | # Tunable declaration
967 | #
968 | #line 131
969 |
970 |
971 | ##############################
972 | #
973 | # Tunable policy handling
974 | #
975 | #line 146
976 |
977 | #line 357523 "tmp/all_interfaces.conf"
978 |
979 | #line 1 "cvesync.te"
980 |
981 | #line 1
982 |
983 | #line 1
984 | module cvesync 1.0.0;
985 | #line 1
986 |
987 | #line 1
988 | require {
989 | #line 1
990 | role system_r;
991 | #line 1
992 |
993 | #line 1
994 | class security { compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy };
995 | #line 1
996 | class process { fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate ptrace_child };
997 | #line 1
998 | class system { ipc_info syslog_read syslog_mod syslog_console module_request halt reboot status undefined enable disable reload kill };
999 | #line 1
1000 | class capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
1001 | #line 1
1002 | class filesystem { mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget };
1003 | #line 1
1004 | class file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint execmod open audit_access };
1005 | #line 1
1006 | class dir { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod };
1007 | #line 1
1008 | class fd { use };
1009 | #line 1
1010 | class lnk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton open audit_access execmod };
1011 | #line 1
1012 | class chr_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton execute_no_trans entrypoint execmod open audit_access };
1013 | #line 1
1014 | class blk_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton open audit_access execmod };
1015 | #line 1
1016 | class sock_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton open audit_access execmod };
1017 | #line 1
1018 | class fifo_file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton open audit_access execmod };
1019 | #line 1
1020 | class socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
1021 | #line 1
1022 | class tcp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind connectto newconn acceptfrom node_bind name_connect };
1023 | #line 1
1024 | class udp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind node_bind };
1025 | #line 1
1026 | class rawip_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind node_bind };
1027 | #line 1
1028 | class node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest dccp_recv dccp_send recvfrom sendto };
1029 | #line 1
1030 | class netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress };
1031 | #line 1
1032 | class netlink_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
1033 | #line 1
1034 | class packet_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
1035 | #line 1
1036 | class key_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
1037 | #line 1
1038 | class unix_stream_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind connectto newconn acceptfrom };
1039 | #line 1
1040 | class unix_dgram_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
1041 | #line 1
1042 | class sem { create destroy getattr setattr read write associate unix_read unix_write };
1043 | #line 1
1044 | class msg { send receive };
1045 | #line 1
1046 | class msgq { create destroy getattr setattr read write associate unix_read unix_write enqueue };
1047 | #line 1
1048 | class shm { create destroy getattr setattr read write associate unix_read unix_write lock };
1049 | #line 1
1050 | class ipc { create destroy getattr setattr read write associate unix_read unix_write };
1051 | #line 1
1052 | class netlink_route_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write };
1053 | #line 1
1054 | class netlink_firewall_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write };
1055 | #line 1
1056 | class netlink_tcpdiag_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write };
1057 | #line 1
1058 | class netlink_nflog_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
1059 | #line 1
1060 | class netlink_xfrm_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write };
1061 | #line 1
1062 | class netlink_selinux_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
1063 | #line 1
1064 | class netlink_audit_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit };
1065 | #line 1
1066 | class netlink_ip6fw_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind nlmsg_read nlmsg_write };
1067 | #line 1
1068 | class netlink_dnrt_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
1069 | #line 1
1070 | class association { sendto recvfrom setcontext polmatch };
1071 | #line 1
1072 | class netlink_kobject_uevent_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
1073 | #line 1
1074 | class appletalk_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
1075 | #line 1
1076 | class packet { send recv relabelto flow_in flow_out forward_in forward_out };
1077 | #line 1
1078 | class key { view read write search link setattr create };
1079 | #line 1
1080 | class dccp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind node_bind name_connect };
1081 | #line 1
1082 | class memprotect { mmap_zero };
1083 | #line 1
1084 | class peer { recv };
1085 | #line 1
1086 | class capability2 { mac_override mac_admin syslog wake_alarm epolwakeup block_suspend compromise_kernel };
1087 | #line 1
1088 | class kernel_service { use_as_override create_files_as };
1089 | #line 1
1090 | class tun_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind attach_queue };
1091 | #line 1
1092 | class service { start stop status reload enable disable kill load };
1093 | #line 1
1094 | class proxy { read };
1095 | #line 1
1096 |
1097 | #line 1
1098 |
1099 | #line 1
1100 |
1101 | #line 1
1102 | sensitivity s0;
1103 | #line 1
1104 |
1105 | #line 1
1106 | category c0;
1107 | #line 1
1108 | category c1;
1109 | #line 1
1110 | category c2;
1111 | #line 1
1112 | category c3;
1113 | #line 1
1114 | category c4;
1115 | #line 1
1116 | category c5;
1117 | #line 1
1118 | category c6;
1119 | #line 1
1120 | category c7;
1121 | #line 1
1122 | category c8;
1123 | #line 1
1124 | category c9;
1125 | #line 1
1126 | category c10;
1127 | #line 1
1128 | category c11;
1129 | #line 1
1130 | category c12;
1131 | #line 1
1132 | category c13;
1133 | #line 1
1134 | category c14;
1135 | #line 1
1136 | category c15;
1137 | #line 1
1138 | category c16;
1139 | #line 1
1140 | category c17;
1141 | #line 1
1142 | category c18;
1143 | #line 1
1144 | category c19;
1145 | #line 1
1146 | category c20;
1147 | #line 1
1148 | category c21;
1149 | #line 1
1150 | category c22;
1151 | #line 1
1152 | category c23;
1153 | #line 1
1154 | category c24;
1155 | #line 1
1156 | category c25;
1157 | #line 1
1158 | category c26;
1159 | #line 1
1160 | category c27;
1161 | #line 1
1162 | category c28;
1163 | #line 1
1164 | category c29;
1165 | #line 1
1166 | category c30;
1167 | #line 1
1168 | category c31;
1169 | #line 1
1170 | category c32;
1171 | #line 1
1172 | category c33;
1173 | #line 1
1174 | category c34;
1175 | #line 1
1176 | category c35;
1177 | #line 1
1178 | category c36;
1179 | #line 1
1180 | category c37;
1181 | #line 1
1182 | category c38;
1183 | #line 1
1184 | category c39;
1185 | #line 1
1186 | category c40;
1187 | #line 1
1188 | category c41;
1189 | #line 1
1190 | category c42;
1191 | #line 1
1192 | category c43;
1193 | #line 1
1194 | category c44;
1195 | #line 1
1196 | category c45;
1197 | #line 1
1198 | category c46;
1199 | #line 1
1200 | category c47;
1201 | #line 1
1202 | category c48;
1203 | #line 1
1204 | category c49;
1205 | #line 1
1206 | category c50;
1207 | #line 1
1208 | category c51;
1209 | #line 1
1210 | category c52;
1211 | #line 1
1212 | category c53;
1213 | #line 1
1214 | category c54;
1215 | #line 1
1216 | category c55;
1217 | #line 1
1218 | category c56;
1219 | #line 1
1220 | category c57;
1221 | #line 1
1222 | category c58;
1223 | #line 1
1224 | category c59;
1225 | #line 1
1226 | category c60;
1227 | #line 1
1228 | category c61;
1229 | #line 1
1230 | category c62;
1231 | #line 1
1232 | category c63;
1233 | #line 1
1234 | category c64;
1235 | #line 1
1236 | category c65;
1237 | #line 1
1238 | category c66;
1239 | #line 1
1240 | category c67;
1241 | #line 1
1242 | category c68;
1243 | #line 1
1244 | category c69;
1245 | #line 1
1246 | category c70;
1247 | #line 1
1248 | category c71;
1249 | #line 1
1250 | category c72;
1251 | #line 1
1252 | category c73;
1253 | #line 1
1254 | category c74;
1255 | #line 1
1256 | category c75;
1257 | #line 1
1258 | category c76;
1259 | #line 1
1260 | category c77;
1261 | #line 1
1262 | category c78;
1263 | #line 1
1264 | category c79;
1265 | #line 1
1266 | category c80;
1267 | #line 1
1268 | category c81;
1269 | #line 1
1270 | category c82;
1271 | #line 1
1272 | category c83;
1273 | #line 1
1274 | category c84;
1275 | #line 1
1276 | category c85;
1277 | #line 1
1278 | category c86;
1279 | #line 1
1280 | category c87;
1281 | #line 1
1282 | category c88;
1283 | #line 1
1284 | category c89;
1285 | #line 1
1286 | category c90;
1287 | #line 1
1288 | category c91;
1289 | #line 1
1290 | category c92;
1291 | #line 1
1292 | category c93;
1293 | #line 1
1294 | category c94;
1295 | #line 1
1296 | category c95;
1297 | #line 1
1298 | category c96;
1299 | #line 1
1300 | category c97;
1301 | #line 1
1302 | category c98;
1303 | #line 1
1304 | category c99;
1305 | #line 1
1306 | category c100;
1307 | #line 1
1308 | category c101;
1309 | #line 1
1310 | category c102;
1311 | #line 1
1312 | category c103;
1313 | #line 1
1314 | category c104;
1315 | #line 1
1316 | category c105;
1317 | #line 1
1318 | category c106;
1319 | #line 1
1320 | category c107;
1321 | #line 1
1322 | category c108;
1323 | #line 1
1324 | category c109;
1325 | #line 1
1326 | category c110;
1327 | #line 1
1328 | category c111;
1329 | #line 1
1330 | category c112;
1331 | #line 1
1332 | category c113;
1333 | #line 1
1334 | category c114;
1335 | #line 1
1336 | category c115;
1337 | #line 1
1338 | category c116;
1339 | #line 1
1340 | category c117;
1341 | #line 1
1342 | category c118;
1343 | #line 1
1344 | category c119;
1345 | #line 1
1346 | category c120;
1347 | #line 1
1348 | category c121;
1349 | #line 1
1350 | category c122;
1351 | #line 1
1352 | category c123;
1353 | #line 1
1354 | category c124;
1355 | #line 1
1356 | category c125;
1357 | #line 1
1358 | category c126;
1359 | #line 1
1360 | category c127;
1361 | #line 1
1362 | category c128;
1363 | #line 1
1364 | category c129;
1365 | #line 1
1366 | category c130;
1367 | #line 1
1368 | category c131;
1369 | #line 1
1370 | category c132;
1371 | #line 1
1372 | category c133;
1373 | #line 1
1374 | category c134;
1375 | #line 1
1376 | category c135;
1377 | #line 1
1378 | category c136;
1379 | #line 1
1380 | category c137;
1381 | #line 1
1382 | category c138;
1383 | #line 1
1384 | category c139;
1385 | #line 1
1386 | category c140;
1387 | #line 1
1388 | category c141;
1389 | #line 1
1390 | category c142;
1391 | #line 1
1392 | category c143;
1393 | #line 1
1394 | category c144;
1395 | #line 1
1396 | category c145;
1397 | #line 1
1398 | category c146;
1399 | #line 1
1400 | category c147;
1401 | #line 1
1402 | category c148;
1403 | #line 1
1404 | category c149;
1405 | #line 1
1406 | category c150;
1407 | #line 1
1408 | category c151;
1409 | #line 1
1410 | category c152;
1411 | #line 1
1412 | category c153;
1413 | #line 1
1414 | category c154;
1415 | #line 1
1416 | category c155;
1417 | #line 1
1418 | category c156;
1419 | #line 1
1420 | category c157;
1421 | #line 1
1422 | category c158;
1423 | #line 1
1424 | category c159;
1425 | #line 1
1426 | category c160;
1427 | #line 1
1428 | category c161;
1429 | #line 1
1430 | category c162;
1431 | #line 1
1432 | category c163;
1433 | #line 1
1434 | category c164;
1435 | #line 1
1436 | category c165;
1437 | #line 1
1438 | category c166;
1439 | #line 1
1440 | category c167;
1441 | #line 1
1442 | category c168;
1443 | #line 1
1444 | category c169;
1445 | #line 1
1446 | category c170;
1447 | #line 1
1448 | category c171;
1449 | #line 1
1450 | category c172;
1451 | #line 1
1452 | category c173;
1453 | #line 1
1454 | category c174;
1455 | #line 1
1456 | category c175;
1457 | #line 1
1458 | category c176;
1459 | #line 1
1460 | category c177;
1461 | #line 1
1462 | category c178;
1463 | #line 1
1464 | category c179;
1465 | #line 1
1466 | category c180;
1467 | #line 1
1468 | category c181;
1469 | #line 1
1470 | category c182;
1471 | #line 1
1472 | category c183;
1473 | #line 1
1474 | category c184;
1475 | #line 1
1476 | category c185;
1477 | #line 1
1478 | category c186;
1479 | #line 1
1480 | category c187;
1481 | #line 1
1482 | category c188;
1483 | #line 1
1484 | category c189;
1485 | #line 1
1486 | category c190;
1487 | #line 1
1488 | category c191;
1489 | #line 1
1490 | category c192;
1491 | #line 1
1492 | category c193;
1493 | #line 1
1494 | category c194;
1495 | #line 1
1496 | category c195;
1497 | #line 1
1498 | category c196;
1499 | #line 1
1500 | category c197;
1501 | #line 1
1502 | category c198;
1503 | #line 1
1504 | category c199;
1505 | #line 1
1506 | category c200;
1507 | #line 1
1508 | category c201;
1509 | #line 1
1510 | category c202;
1511 | #line 1
1512 | category c203;
1513 | #line 1
1514 | category c204;
1515 | #line 1
1516 | category c205;
1517 | #line 1
1518 | category c206;
1519 | #line 1
1520 | category c207;
1521 | #line 1
1522 | category c208;
1523 | #line 1
1524 | category c209;
1525 | #line 1
1526 | category c210;
1527 | #line 1
1528 | category c211;
1529 | #line 1
1530 | category c212;
1531 | #line 1
1532 | category c213;
1533 | #line 1
1534 | category c214;
1535 | #line 1
1536 | category c215;
1537 | #line 1
1538 | category c216;
1539 | #line 1
1540 | category c217;
1541 | #line 1
1542 | category c218;
1543 | #line 1
1544 | category c219;
1545 | #line 1
1546 | category c220;
1547 | #line 1
1548 | category c221;
1549 | #line 1
1550 | category c222;
1551 | #line 1
1552 | category c223;
1553 | #line 1
1554 | category c224;
1555 | #line 1
1556 | category c225;
1557 | #line 1
1558 | category c226;
1559 | #line 1
1560 | category c227;
1561 | #line 1
1562 | category c228;
1563 | #line 1
1564 | category c229;
1565 | #line 1
1566 | category c230;
1567 | #line 1
1568 | category c231;
1569 | #line 1
1570 | category c232;
1571 | #line 1
1572 | category c233;
1573 | #line 1
1574 | category c234;
1575 | #line 1
1576 | category c235;
1577 | #line 1
1578 | category c236;
1579 | #line 1
1580 | category c237;
1581 | #line 1
1582 | category c238;
1583 | #line 1
1584 | category c239;
1585 | #line 1
1586 | category c240;
1587 | #line 1
1588 | category c241;
1589 | #line 1
1590 | category c242;
1591 | #line 1
1592 | category c243;
1593 | #line 1
1594 | category c244;
1595 | #line 1
1596 | category c245;
1597 | #line 1
1598 | category c246;
1599 | #line 1
1600 | category c247;
1601 | #line 1
1602 | category c248;
1603 | #line 1
1604 | category c249;
1605 | #line 1
1606 | category c250;
1607 | #line 1
1608 | category c251;
1609 | #line 1
1610 | category c252;
1611 | #line 1
1612 | category c253;
1613 | #line 1
1614 | category c254;
1615 | #line 1
1616 | category c255;
1617 | #line 1
1618 | category c256;
1619 | #line 1
1620 | category c257;
1621 | #line 1
1622 | category c258;
1623 | #line 1
1624 | category c259;
1625 | #line 1
1626 | category c260;
1627 | #line 1
1628 | category c261;
1629 | #line 1
1630 | category c262;
1631 | #line 1
1632 | category c263;
1633 | #line 1
1634 | category c264;
1635 | #line 1
1636 | category c265;
1637 | #line 1
1638 | category c266;
1639 | #line 1
1640 | category c267;
1641 | #line 1
1642 | category c268;
1643 | #line 1
1644 | category c269;
1645 | #line 1
1646 | category c270;
1647 | #line 1
1648 | category c271;
1649 | #line 1
1650 | category c272;
1651 | #line 1
1652 | category c273;
1653 | #line 1
1654 | category c274;
1655 | #line 1
1656 | category c275;
1657 | #line 1
1658 | category c276;
1659 | #line 1
1660 | category c277;
1661 | #line 1
1662 | category c278;
1663 | #line 1
1664 | category c279;
1665 | #line 1
1666 | category c280;
1667 | #line 1
1668 | category c281;
1669 | #line 1
1670 | category c282;
1671 | #line 1
1672 | category c283;
1673 | #line 1
1674 | category c284;
1675 | #line 1
1676 | category c285;
1677 | #line 1
1678 | category c286;
1679 | #line 1
1680 | category c287;
1681 | #line 1
1682 | category c288;
1683 | #line 1
1684 | category c289;
1685 | #line 1
1686 | category c290;
1687 | #line 1
1688 | category c291;
1689 | #line 1
1690 | category c292;
1691 | #line 1
1692 | category c293;
1693 | #line 1
1694 | category c294;
1695 | #line 1
1696 | category c295;
1697 | #line 1
1698 | category c296;
1699 | #line 1
1700 | category c297;
1701 | #line 1
1702 | category c298;
1703 | #line 1
1704 | category c299;
1705 | #line 1
1706 | category c300;
1707 | #line 1
1708 | category c301;
1709 | #line 1
1710 | category c302;
1711 | #line 1
1712 | category c303;
1713 | #line 1
1714 | category c304;
1715 | #line 1
1716 | category c305;
1717 | #line 1
1718 | category c306;
1719 | #line 1
1720 | category c307;
1721 | #line 1
1722 | category c308;
1723 | #line 1
1724 | category c309;
1725 | #line 1
1726 | category c310;
1727 | #line 1
1728 | category c311;
1729 | #line 1
1730 | category c312;
1731 | #line 1
1732 | category c313;
1733 | #line 1
1734 | category c314;
1735 | #line 1
1736 | category c315;
1737 | #line 1
1738 | category c316;
1739 | #line 1
1740 | category c317;
1741 | #line 1
1742 | category c318;
1743 | #line 1
1744 | category c319;
1745 | #line 1
1746 | category c320;
1747 | #line 1
1748 | category c321;
1749 | #line 1
1750 | category c322;
1751 | #line 1
1752 | category c323;
1753 | #line 1
1754 | category c324;
1755 | #line 1
1756 | category c325;
1757 | #line 1
1758 | category c326;
1759 | #line 1
1760 | category c327;
1761 | #line 1
1762 | category c328;
1763 | #line 1
1764 | category c329;
1765 | #line 1
1766 | category c330;
1767 | #line 1
1768 | category c331;
1769 | #line 1
1770 | category c332;
1771 | #line 1
1772 | category c333;
1773 | #line 1
1774 | category c334;
1775 | #line 1
1776 | category c335;
1777 | #line 1
1778 | category c336;
1779 | #line 1
1780 | category c337;
1781 | #line 1
1782 | category c338;
1783 | #line 1
1784 | category c339;
1785 | #line 1
1786 | category c340;
1787 | #line 1
1788 | category c341;
1789 | #line 1
1790 | category c342;
1791 | #line 1
1792 | category c343;
1793 | #line 1
1794 | category c344;
1795 | #line 1
1796 | category c345;
1797 | #line 1
1798 | category c346;
1799 | #line 1
1800 | category c347;
1801 | #line 1
1802 | category c348;
1803 | #line 1
1804 | category c349;
1805 | #line 1
1806 | category c350;
1807 | #line 1
1808 | category c351;
1809 | #line 1
1810 | category c352;
1811 | #line 1
1812 | category c353;
1813 | #line 1
1814 | category c354;
1815 | #line 1
1816 | category c355;
1817 | #line 1
1818 | category c356;
1819 | #line 1
1820 | category c357;
1821 | #line 1
1822 | category c358;
1823 | #line 1
1824 | category c359;
1825 | #line 1
1826 | category c360;
1827 | #line 1
1828 | category c361;
1829 | #line 1
1830 | category c362;
1831 | #line 1
1832 | category c363;
1833 | #line 1
1834 | category c364;
1835 | #line 1
1836 | category c365;
1837 | #line 1
1838 | category c366;
1839 | #line 1
1840 | category c367;
1841 | #line 1
1842 | category c368;
1843 | #line 1
1844 | category c369;
1845 | #line 1
1846 | category c370;
1847 | #line 1
1848 | category c371;
1849 | #line 1
1850 | category c372;
1851 | #line 1
1852 | category c373;
1853 | #line 1
1854 | category c374;
1855 | #line 1
1856 | category c375;
1857 | #line 1
1858 | category c376;
1859 | #line 1
1860 | category c377;
1861 | #line 1
1862 | category c378;
1863 | #line 1
1864 | category c379;
1865 | #line 1
1866 | category c380;
1867 | #line 1
1868 | category c381;
1869 | #line 1
1870 | category c382;
1871 | #line 1
1872 | category c383;
1873 | #line 1
1874 | category c384;
1875 | #line 1
1876 | category c385;
1877 | #line 1
1878 | category c386;
1879 | #line 1
1880 | category c387;
1881 | #line 1
1882 | category c388;
1883 | #line 1
1884 | category c389;
1885 | #line 1
1886 | category c390;
1887 | #line 1
1888 | category c391;
1889 | #line 1
1890 | category c392;
1891 | #line 1
1892 | category c393;
1893 | #line 1
1894 | category c394;
1895 | #line 1
1896 | category c395;
1897 | #line 1
1898 | category c396;
1899 | #line 1
1900 | category c397;
1901 | #line 1
1902 | category c398;
1903 | #line 1
1904 | category c399;
1905 | #line 1
1906 | category c400;
1907 | #line 1
1908 | category c401;
1909 | #line 1
1910 | category c402;
1911 | #line 1
1912 | category c403;
1913 | #line 1
1914 | category c404;
1915 | #line 1
1916 | category c405;
1917 | #line 1
1918 | category c406;
1919 | #line 1
1920 | category c407;
1921 | #line 1
1922 | category c408;
1923 | #line 1
1924 | category c409;
1925 | #line 1
1926 | category c410;
1927 | #line 1
1928 | category c411;
1929 | #line 1
1930 | category c412;
1931 | #line 1
1932 | category c413;
1933 | #line 1
1934 | category c414;
1935 | #line 1
1936 | category c415;
1937 | #line 1
1938 | category c416;
1939 | #line 1
1940 | category c417;
1941 | #line 1
1942 | category c418;
1943 | #line 1
1944 | category c419;
1945 | #line 1
1946 | category c420;
1947 | #line 1
1948 | category c421;
1949 | #line 1
1950 | category c422;
1951 | #line 1
1952 | category c423;
1953 | #line 1
1954 | category c424;
1955 | #line 1
1956 | category c425;
1957 | #line 1
1958 | category c426;
1959 | #line 1
1960 | category c427;
1961 | #line 1
1962 | category c428;
1963 | #line 1
1964 | category c429;
1965 | #line 1
1966 | category c430;
1967 | #line 1
1968 | category c431;
1969 | #line 1
1970 | category c432;
1971 | #line 1
1972 | category c433;
1973 | #line 1
1974 | category c434;
1975 | #line 1
1976 | category c435;
1977 | #line 1
1978 | category c436;
1979 | #line 1
1980 | category c437;
1981 | #line 1
1982 | category c438;
1983 | #line 1
1984 | category c439;
1985 | #line 1
1986 | category c440;
1987 | #line 1
1988 | category c441;
1989 | #line 1
1990 | category c442;
1991 | #line 1
1992 | category c443;
1993 | #line 1
1994 | category c444;
1995 | #line 1
1996 | category c445;
1997 | #line 1
1998 | category c446;
1999 | #line 1
2000 | category c447;
2001 | #line 1
2002 | category c448;
2003 | #line 1
2004 | category c449;
2005 | #line 1
2006 | category c450;
2007 | #line 1
2008 | category c451;
2009 | #line 1
2010 | category c452;
2011 | #line 1
2012 | category c453;
2013 | #line 1
2014 | category c454;
2015 | #line 1
2016 | category c455;
2017 | #line 1
2018 | category c456;
2019 | #line 1
2020 | category c457;
2021 | #line 1
2022 | category c458;
2023 | #line 1
2024 | category c459;
2025 | #line 1
2026 | category c460;
2027 | #line 1
2028 | category c461;
2029 | #line 1
2030 | category c462;
2031 | #line 1
2032 | category c463;
2033 | #line 1
2034 | category c464;
2035 | #line 1
2036 | category c465;
2037 | #line 1
2038 | category c466;
2039 | #line 1
2040 | category c467;
2041 | #line 1
2042 | category c468;
2043 | #line 1
2044 | category c469;
2045 | #line 1
2046 | category c470;
2047 | #line 1
2048 | category c471;
2049 | #line 1
2050 | category c472;
2051 | #line 1
2052 | category c473;
2053 | #line 1
2054 | category c474;
2055 | #line 1
2056 | category c475;
2057 | #line 1
2058 | category c476;
2059 | #line 1
2060 | category c477;
2061 | #line 1
2062 | category c478;
2063 | #line 1
2064 | category c479;
2065 | #line 1
2066 | category c480;
2067 | #line 1
2068 | category c481;
2069 | #line 1
2070 | category c482;
2071 | #line 1
2072 | category c483;
2073 | #line 1
2074 | category c484;
2075 | #line 1
2076 | category c485;
2077 | #line 1
2078 | category c486;
2079 | #line 1
2080 | category c487;
2081 | #line 1
2082 | category c488;
2083 | #line 1
2084 | category c489;
2085 | #line 1
2086 | category c490;
2087 | #line 1
2088 | category c491;
2089 | #line 1
2090 | category c492;
2091 | #line 1
2092 | category c493;
2093 | #line 1
2094 | category c494;
2095 | #line 1
2096 | category c495;
2097 | #line 1
2098 | category c496;
2099 | #line 1
2100 | category c497;
2101 | #line 1
2102 | category c498;
2103 | #line 1
2104 | category c499;
2105 | #line 1
2106 | category c500;
2107 | #line 1
2108 | category c501;
2109 | #line 1
2110 | category c502;
2111 | #line 1
2112 | category c503;
2113 | #line 1
2114 | category c504;
2115 | #line 1
2116 | category c505;
2117 | #line 1
2118 | category c506;
2119 | #line 1
2120 | category c507;
2121 | #line 1
2122 | category c508;
2123 | #line 1
2124 | category c509;
2125 | #line 1
2126 | category c510;
2127 | #line 1
2128 | category c511;
2129 | #line 1
2130 | category c512;
2131 | #line 1
2132 | category c513;
2133 | #line 1
2134 | category c514;
2135 | #line 1
2136 | category c515;
2137 | #line 1
2138 | category c516;
2139 | #line 1
2140 | category c517;
2141 | #line 1
2142 | category c518;
2143 | #line 1
2144 | category c519;
2145 | #line 1
2146 | category c520;
2147 | #line 1
2148 | category c521;
2149 | #line 1
2150 | category c522;
2151 | #line 1
2152 | category c523;
2153 | #line 1
2154 | category c524;
2155 | #line 1
2156 | category c525;
2157 | #line 1
2158 | category c526;
2159 | #line 1
2160 | category c527;
2161 | #line 1
2162 | category c528;
2163 | #line 1
2164 | category c529;
2165 | #line 1
2166 | category c530;
2167 | #line 1
2168 | category c531;
2169 | #line 1
2170 | category c532;
2171 | #line 1
2172 | category c533;
2173 | #line 1
2174 | category c534;
2175 | #line 1
2176 | category c535;
2177 | #line 1
2178 | category c536;
2179 | #line 1
2180 | category c537;
2181 | #line 1
2182 | category c538;
2183 | #line 1
2184 | category c539;
2185 | #line 1
2186 | category c540;
2187 | #line 1
2188 | category c541;
2189 | #line 1
2190 | category c542;
2191 | #line 1
2192 | category c543;
2193 | #line 1
2194 | category c544;
2195 | #line 1
2196 | category c545;
2197 | #line 1
2198 | category c546;
2199 | #line 1
2200 | category c547;
2201 | #line 1
2202 | category c548;
2203 | #line 1
2204 | category c549;
2205 | #line 1
2206 | category c550;
2207 | #line 1
2208 | category c551;
2209 | #line 1
2210 | category c552;
2211 | #line 1
2212 | category c553;
2213 | #line 1
2214 | category c554;
2215 | #line 1
2216 | category c555;
2217 | #line 1
2218 | category c556;
2219 | #line 1
2220 | category c557;
2221 | #line 1
2222 | category c558;
2223 | #line 1
2224 | category c559;
2225 | #line 1
2226 | category c560;
2227 | #line 1
2228 | category c561;
2229 | #line 1
2230 | category c562;
2231 | #line 1
2232 | category c563;
2233 | #line 1
2234 | category c564;
2235 | #line 1
2236 | category c565;
2237 | #line 1
2238 | category c566;
2239 | #line 1
2240 | category c567;
2241 | #line 1
2242 | category c568;
2243 | #line 1
2244 | category c569;
2245 | #line 1
2246 | category c570;
2247 | #line 1
2248 | category c571;
2249 | #line 1
2250 | category c572;
2251 | #line 1
2252 | category c573;
2253 | #line 1
2254 | category c574;
2255 | #line 1
2256 | category c575;
2257 | #line 1
2258 | category c576;
2259 | #line 1
2260 | category c577;
2261 | #line 1
2262 | category c578;
2263 | #line 1
2264 | category c579;
2265 | #line 1
2266 | category c580;
2267 | #line 1
2268 | category c581;
2269 | #line 1
2270 | category c582;
2271 | #line 1
2272 | category c583;
2273 | #line 1
2274 | category c584;
2275 | #line 1
2276 | category c585;
2277 | #line 1
2278 | category c586;
2279 | #line 1
2280 | category c587;
2281 | #line 1
2282 | category c588;
2283 | #line 1
2284 | category c589;
2285 | #line 1
2286 | category c590;
2287 | #line 1
2288 | category c591;
2289 | #line 1
2290 | category c592;
2291 | #line 1
2292 | category c593;
2293 | #line 1
2294 | category c594;
2295 | #line 1
2296 | category c595;
2297 | #line 1
2298 | category c596;
2299 | #line 1
2300 | category c597;
2301 | #line 1
2302 | category c598;
2303 | #line 1
2304 | category c599;
2305 | #line 1
2306 | category c600;
2307 | #line 1
2308 | category c601;
2309 | #line 1
2310 | category c602;
2311 | #line 1
2312 | category c603;
2313 | #line 1
2314 | category c604;
2315 | #line 1
2316 | category c605;
2317 | #line 1
2318 | category c606;
2319 | #line 1
2320 | category c607;
2321 | #line 1
2322 | category c608;
2323 | #line 1
2324 | category c609;
2325 | #line 1
2326 | category c610;
2327 | #line 1
2328 | category c611;
2329 | #line 1
2330 | category c612;
2331 | #line 1
2332 | category c613;
2333 | #line 1
2334 | category c614;
2335 | #line 1
2336 | category c615;
2337 | #line 1
2338 | category c616;
2339 | #line 1
2340 | category c617;
2341 | #line 1
2342 | category c618;
2343 | #line 1
2344 | category c619;
2345 | #line 1
2346 | category c620;
2347 | #line 1
2348 | category c621;
2349 | #line 1
2350 | category c622;
2351 | #line 1
2352 | category c623;
2353 | #line 1
2354 | category c624;
2355 | #line 1
2356 | category c625;
2357 | #line 1
2358 | category c626;
2359 | #line 1
2360 | category c627;
2361 | #line 1
2362 | category c628;
2363 | #line 1
2364 | category c629;
2365 | #line 1
2366 | category c630;
2367 | #line 1
2368 | category c631;
2369 | #line 1
2370 | category c632;
2371 | #line 1
2372 | category c633;
2373 | #line 1
2374 | category c634;
2375 | #line 1
2376 | category c635;
2377 | #line 1
2378 | category c636;
2379 | #line 1
2380 | category c637;
2381 | #line 1
2382 | category c638;
2383 | #line 1
2384 | category c639;
2385 | #line 1
2386 | category c640;
2387 | #line 1
2388 | category c641;
2389 | #line 1
2390 | category c642;
2391 | #line 1
2392 | category c643;
2393 | #line 1
2394 | category c644;
2395 | #line 1
2396 | category c645;
2397 | #line 1
2398 | category c646;
2399 | #line 1
2400 | category c647;
2401 | #line 1
2402 | category c648;
2403 | #line 1
2404 | category c649;
2405 | #line 1
2406 | category c650;
2407 | #line 1
2408 | category c651;
2409 | #line 1
2410 | category c652;
2411 | #line 1
2412 | category c653;
2413 | #line 1
2414 | category c654;
2415 | #line 1
2416 | category c655;
2417 | #line 1
2418 | category c656;
2419 | #line 1
2420 | category c657;
2421 | #line 1
2422 | category c658;
2423 | #line 1
2424 | category c659;
2425 | #line 1
2426 | category c660;
2427 | #line 1
2428 | category c661;
2429 | #line 1
2430 | category c662;
2431 | #line 1
2432 | category c663;
2433 | #line 1
2434 | category c664;
2435 | #line 1
2436 | category c665;
2437 | #line 1
2438 | category c666;
2439 | #line 1
2440 | category c667;
2441 | #line 1
2442 | category c668;
2443 | #line 1
2444 | category c669;
2445 | #line 1
2446 | category c670;
2447 | #line 1
2448 | category c671;
2449 | #line 1
2450 | category c672;
2451 | #line 1
2452 | category c673;
2453 | #line 1
2454 | category c674;
2455 | #line 1
2456 | category c675;
2457 | #line 1
2458 | category c676;
2459 | #line 1
2460 | category c677;
2461 | #line 1
2462 | category c678;
2463 | #line 1
2464 | category c679;
2465 | #line 1
2466 | category c680;
2467 | #line 1
2468 | category c681;
2469 | #line 1
2470 | category c682;
2471 | #line 1
2472 | category c683;
2473 | #line 1
2474 | category c684;
2475 | #line 1
2476 | category c685;
2477 | #line 1
2478 | category c686;
2479 | #line 1
2480 | category c687;
2481 | #line 1
2482 | category c688;
2483 | #line 1
2484 | category c689;
2485 | #line 1
2486 | category c690;
2487 | #line 1
2488 | category c691;
2489 | #line 1
2490 | category c692;
2491 | #line 1
2492 | category c693;
2493 | #line 1
2494 | category c694;
2495 | #line 1
2496 | category c695;
2497 | #line 1
2498 | category c696;
2499 | #line 1
2500 | category c697;
2501 | #line 1
2502 | category c698;
2503 | #line 1
2504 | category c699;
2505 | #line 1
2506 | category c700;
2507 | #line 1
2508 | category c701;
2509 | #line 1
2510 | category c702;
2511 | #line 1
2512 | category c703;
2513 | #line 1
2514 | category c704;
2515 | #line 1
2516 | category c705;
2517 | #line 1
2518 | category c706;
2519 | #line 1
2520 | category c707;
2521 | #line 1
2522 | category c708;
2523 | #line 1
2524 | category c709;
2525 | #line 1
2526 | category c710;
2527 | #line 1
2528 | category c711;
2529 | #line 1
2530 | category c712;
2531 | #line 1
2532 | category c713;
2533 | #line 1
2534 | category c714;
2535 | #line 1
2536 | category c715;
2537 | #line 1
2538 | category c716;
2539 | #line 1
2540 | category c717;
2541 | #line 1
2542 | category c718;
2543 | #line 1
2544 | category c719;
2545 | #line 1
2546 | category c720;
2547 | #line 1
2548 | category c721;
2549 | #line 1
2550 | category c722;
2551 | #line 1
2552 | category c723;
2553 | #line 1
2554 | category c724;
2555 | #line 1
2556 | category c725;
2557 | #line 1
2558 | category c726;
2559 | #line 1
2560 | category c727;
2561 | #line 1
2562 | category c728;
2563 | #line 1
2564 | category c729;
2565 | #line 1
2566 | category c730;
2567 | #line 1
2568 | category c731;
2569 | #line 1
2570 | category c732;
2571 | #line 1
2572 | category c733;
2573 | #line 1
2574 | category c734;
2575 | #line 1
2576 | category c735;
2577 | #line 1
2578 | category c736;
2579 | #line 1
2580 | category c737;
2581 | #line 1
2582 | category c738;
2583 | #line 1
2584 | category c739;
2585 | #line 1
2586 | category c740;
2587 | #line 1
2588 | category c741;
2589 | #line 1
2590 | category c742;
2591 | #line 1
2592 | category c743;
2593 | #line 1
2594 | category c744;
2595 | #line 1
2596 | category c745;
2597 | #line 1
2598 | category c746;
2599 | #line 1
2600 | category c747;
2601 | #line 1
2602 | category c748;
2603 | #line 1
2604 | category c749;
2605 | #line 1
2606 | category c750;
2607 | #line 1
2608 | category c751;
2609 | #line 1
2610 | category c752;
2611 | #line 1
2612 | category c753;
2613 | #line 1
2614 | category c754;
2615 | #line 1
2616 | category c755;
2617 | #line 1
2618 | category c756;
2619 | #line 1
2620 | category c757;
2621 | #line 1
2622 | category c758;
2623 | #line 1
2624 | category c759;
2625 | #line 1
2626 | category c760;
2627 | #line 1
2628 | category c761;
2629 | #line 1
2630 | category c762;
2631 | #line 1
2632 | category c763;
2633 | #line 1
2634 | category c764;
2635 | #line 1
2636 | category c765;
2637 | #line 1
2638 | category c766;
2639 | #line 1
2640 | category c767;
2641 | #line 1
2642 | category c768;
2643 | #line 1
2644 | category c769;
2645 | #line 1
2646 | category c770;
2647 | #line 1
2648 | category c771;
2649 | #line 1
2650 | category c772;
2651 | #line 1
2652 | category c773;
2653 | #line 1
2654 | category c774;
2655 | #line 1
2656 | category c775;
2657 | #line 1
2658 | category c776;
2659 | #line 1
2660 | category c777;
2661 | #line 1
2662 | category c778;
2663 | #line 1
2664 | category c779;
2665 | #line 1
2666 | category c780;
2667 | #line 1
2668 | category c781;
2669 | #line 1
2670 | category c782;
2671 | #line 1
2672 | category c783;
2673 | #line 1
2674 | category c784;
2675 | #line 1
2676 | category c785;
2677 | #line 1
2678 | category c786;
2679 | #line 1
2680 | category c787;
2681 | #line 1
2682 | category c788;
2683 | #line 1
2684 | category c789;
2685 | #line 1
2686 | category c790;
2687 | #line 1
2688 | category c791;
2689 | #line 1
2690 | category c792;
2691 | #line 1
2692 | category c793;
2693 | #line 1
2694 | category c794;
2695 | #line 1
2696 | category c795;
2697 | #line 1
2698 | category c796;
2699 | #line 1
2700 | category c797;
2701 | #line 1
2702 | category c798;
2703 | #line 1
2704 | category c799;
2705 | #line 1
2706 | category c800;
2707 | #line 1
2708 | category c801;
2709 | #line 1
2710 | category c802;
2711 | #line 1
2712 | category c803;
2713 | #line 1
2714 | category c804;
2715 | #line 1
2716 | category c805;
2717 | #line 1
2718 | category c806;
2719 | #line 1
2720 | category c807;
2721 | #line 1
2722 | category c808;
2723 | #line 1
2724 | category c809;
2725 | #line 1
2726 | category c810;
2727 | #line 1
2728 | category c811;
2729 | #line 1
2730 | category c812;
2731 | #line 1
2732 | category c813;
2733 | #line 1
2734 | category c814;
2735 | #line 1
2736 | category c815;
2737 | #line 1
2738 | category c816;
2739 | #line 1
2740 | category c817;
2741 | #line 1
2742 | category c818;
2743 | #line 1
2744 | category c819;
2745 | #line 1
2746 | category c820;
2747 | #line 1
2748 | category c821;
2749 | #line 1
2750 | category c822;
2751 | #line 1
2752 | category c823;
2753 | #line 1
2754 | category c824;
2755 | #line 1
2756 | category c825;
2757 | #line 1
2758 | category c826;
2759 | #line 1
2760 | category c827;
2761 | #line 1
2762 | category c828;
2763 | #line 1
2764 | category c829;
2765 | #line 1
2766 | category c830;
2767 | #line 1
2768 | category c831;
2769 | #line 1
2770 | category c832;
2771 | #line 1
2772 | category c833;
2773 | #line 1
2774 | category c834;
2775 | #line 1
2776 | category c835;
2777 | #line 1
2778 | category c836;
2779 | #line 1
2780 | category c837;
2781 | #line 1
2782 | category c838;
2783 | #line 1
2784 | category c839;
2785 | #line 1
2786 | category c840;
2787 | #line 1
2788 | category c841;
2789 | #line 1
2790 | category c842;
2791 | #line 1
2792 | category c843;
2793 | #line 1
2794 | category c844;
2795 | #line 1
2796 | category c845;
2797 | #line 1
2798 | category c846;
2799 | #line 1
2800 | category c847;
2801 | #line 1
2802 | category c848;
2803 | #line 1
2804 | category c849;
2805 | #line 1
2806 | category c850;
2807 | #line 1
2808 | category c851;
2809 | #line 1
2810 | category c852;
2811 | #line 1
2812 | category c853;
2813 | #line 1
2814 | category c854;
2815 | #line 1
2816 | category c855;
2817 | #line 1
2818 | category c856;
2819 | #line 1
2820 | category c857;
2821 | #line 1
2822 | category c858;
2823 | #line 1
2824 | category c859;
2825 | #line 1
2826 | category c860;
2827 | #line 1
2828 | category c861;
2829 | #line 1
2830 | category c862;
2831 | #line 1
2832 | category c863;
2833 | #line 1
2834 | category c864;
2835 | #line 1
2836 | category c865;
2837 | #line 1
2838 | category c866;
2839 | #line 1
2840 | category c867;
2841 | #line 1
2842 | category c868;
2843 | #line 1
2844 | category c869;
2845 | #line 1
2846 | category c870;
2847 | #line 1
2848 | category c871;
2849 | #line 1
2850 | category c872;
2851 | #line 1
2852 | category c873;
2853 | #line 1
2854 | category c874;
2855 | #line 1
2856 | category c875;
2857 | #line 1
2858 | category c876;
2859 | #line 1
2860 | category c877;
2861 | #line 1
2862 | category c878;
2863 | #line 1
2864 | category c879;
2865 | #line 1
2866 | category c880;
2867 | #line 1
2868 | category c881;
2869 | #line 1
2870 | category c882;
2871 | #line 1
2872 | category c883;
2873 | #line 1
2874 | category c884;
2875 | #line 1
2876 | category c885;
2877 | #line 1
2878 | category c886;
2879 | #line 1
2880 | category c887;
2881 | #line 1
2882 | category c888;
2883 | #line 1
2884 | category c889;
2885 | #line 1
2886 | category c890;
2887 | #line 1
2888 | category c891;
2889 | #line 1
2890 | category c892;
2891 | #line 1
2892 | category c893;
2893 | #line 1
2894 | category c894;
2895 | #line 1
2896 | category c895;
2897 | #line 1
2898 | category c896;
2899 | #line 1
2900 | category c897;
2901 | #line 1
2902 | category c898;
2903 | #line 1
2904 | category c899;
2905 | #line 1
2906 | category c900;
2907 | #line 1
2908 | category c901;
2909 | #line 1
2910 | category c902;
2911 | #line 1
2912 | category c903;
2913 | #line 1
2914 | category c904;
2915 | #line 1
2916 | category c905;
2917 | #line 1
2918 | category c906;
2919 | #line 1
2920 | category c907;
2921 | #line 1
2922 | category c908;
2923 | #line 1
2924 | category c909;
2925 | #line 1
2926 | category c910;
2927 | #line 1
2928 | category c911;
2929 | #line 1
2930 | category c912;
2931 | #line 1
2932 | category c913;
2933 | #line 1
2934 | category c914;
2935 | #line 1
2936 | category c915;
2937 | #line 1
2938 | category c916;
2939 | #line 1
2940 | category c917;
2941 | #line 1
2942 | category c918;
2943 | #line 1
2944 | category c919;
2945 | #line 1
2946 | category c920;
2947 | #line 1
2948 | category c921;
2949 | #line 1
2950 | category c922;
2951 | #line 1
2952 | category c923;
2953 | #line 1
2954 | category c924;
2955 | #line 1
2956 | category c925;
2957 | #line 1
2958 | category c926;
2959 | #line 1
2960 | category c927;
2961 | #line 1
2962 | category c928;
2963 | #line 1
2964 | category c929;
2965 | #line 1
2966 | category c930;
2967 | #line 1
2968 | category c931;
2969 | #line 1
2970 | category c932;
2971 | #line 1
2972 | category c933;
2973 | #line 1
2974 | category c934;
2975 | #line 1
2976 | category c935;
2977 | #line 1
2978 | category c936;
2979 | #line 1
2980 | category c937;
2981 | #line 1
2982 | category c938;
2983 | #line 1
2984 | category c939;
2985 | #line 1
2986 | category c940;
2987 | #line 1
2988 | category c941;
2989 | #line 1
2990 | category c942;
2991 | #line 1
2992 | category c943;
2993 | #line 1
2994 | category c944;
2995 | #line 1
2996 | category c945;
2997 | #line 1
2998 | category c946;
2999 | #line 1
3000 | category c947;
3001 | #line 1
3002 | category c948;
3003 | #line 1
3004 | category c949;
3005 | #line 1
3006 | category c950;
3007 | #line 1
3008 | category c951;
3009 | #line 1
3010 | category c952;
3011 | #line 1
3012 | category c953;
3013 | #line 1
3014 | category c954;
3015 | #line 1
3016 | category c955;
3017 | #line 1
3018 | category c956;
3019 | #line 1
3020 | category c957;
3021 | #line 1
3022 | category c958;
3023 | #line 1
3024 | category c959;
3025 | #line 1
3026 | category c960;
3027 | #line 1
3028 | category c961;
3029 | #line 1
3030 | category c962;
3031 | #line 1
3032 | category c963;
3033 | #line 1
3034 | category c964;
3035 | #line 1
3036 | category c965;
3037 | #line 1
3038 | category c966;
3039 | #line 1
3040 | category c967;
3041 | #line 1
3042 | category c968;
3043 | #line 1
3044 | category c969;
3045 | #line 1
3046 | category c970;
3047 | #line 1
3048 | category c971;
3049 | #line 1
3050 | category c972;
3051 | #line 1
3052 | category c973;
3053 | #line 1
3054 | category c974;
3055 | #line 1
3056 | category c975;
3057 | #line 1
3058 | category c976;
3059 | #line 1
3060 | category c977;
3061 | #line 1
3062 | category c978;
3063 | #line 1
3064 | category c979;
3065 | #line 1
3066 | category c980;
3067 | #line 1
3068 | category c981;
3069 | #line 1
3070 | category c982;
3071 | #line 1
3072 | category c983;
3073 | #line 1
3074 | category c984;
3075 | #line 1
3076 | category c985;
3077 | #line 1
3078 | category c986;
3079 | #line 1
3080 | category c987;
3081 | #line 1
3082 | category c988;
3083 | #line 1
3084 | category c989;
3085 | #line 1
3086 | category c990;
3087 | #line 1
3088 | category c991;
3089 | #line 1
3090 | category c992;
3091 | #line 1
3092 | category c993;
3093 | #line 1
3094 | category c994;
3095 | #line 1
3096 | category c995;
3097 | #line 1
3098 | category c996;
3099 | #line 1
3100 | category c997;
3101 | #line 1
3102 | category c998;
3103 | #line 1
3104 | category c999;
3105 | #line 1
3106 | category c1000;
3107 | #line 1
3108 | category c1001;
3109 | #line 1
3110 | category c1002;
3111 | #line 1
3112 | category c1003;
3113 | #line 1
3114 | category c1004;
3115 | #line 1
3116 | category c1005;
3117 | #line 1
3118 | category c1006;
3119 | #line 1
3120 | category c1007;
3121 | #line 1
3122 | category c1008;
3123 | #line 1
3124 | category c1009;
3125 | #line 1
3126 | category c1010;
3127 | #line 1
3128 | category c1011;
3129 | #line 1
3130 | category c1012;
3131 | #line 1
3132 | category c1013;
3133 | #line 1
3134 | category c1014;
3135 | #line 1
3136 | category c1015;
3137 | #line 1
3138 | category c1016;
3139 | #line 1
3140 | category c1017;
3141 | #line 1
3142 | category c1018;
3143 | #line 1
3144 | category c1019;
3145 | #line 1
3146 | category c1020;
3147 | #line 1
3148 | category c1021;
3149 | #line 1
3150 | category c1022;
3151 | #line 1
3152 | category c1023;
3153 | #line 1
3154 |
3155 | #line 1
3156 |
3157 | #line 1
3158 |
3159 | #line 1
3160 |
3161 | #line 1
3162 | }
3163 | #line 1
3164 |
3165 | #line 1
3166 |
3167 |
3168 | ########################################
3169 | #
3170 | # Declarations
3171 | #
3172 |
3173 | require {  # symbols this module borrows from the base policy; not every rule that uses them is in this excerpt (see cvesync.te)
3174 | type unconfined_t;  # NOTE(review): requiring unconfined_t/unconfined_r usually means a domain transition from an unconfined shell is defined elsewhere in the module - confirm that is intended, it widens who can enter cvesync_t
3175 | type urandom_device_t;  # /dev/urandom; presumably paired with the chr_file read permission required below (Go TLS/random needs) - verify the allow rule in cvesync.te
3176 | type fs_t;
3177 | role unconfined_r;
3178 | class tcp_socket create;  # network socket creation is needed somewhere in the module; the corresponding allow rules are outside this excerpt
3179 | class unix_dgram_socket create;
3180 | class file read;
3181 | class dir search;
3182 | class chr_file read;
3183 | }
3184 |
3185 | attribute_role cvesync_roles;  # role attribute collecting the roles allowed to run in cvesync_t (bound by the 'role cvesync_roles types cvesync_t' statement later in the module)
3186 | roleattribute system_r cvesync_roles;  # only system_r (init-started services) is attached here; unconfined_r is required above but not attached - if interactive launches are intended, check that a separate role statement covers it
3187 |
3188 | type cvesync_rw_t;  # presumably the label for the files cvesync writes (database/state); no rules for it appear in this excerpt - verify against cvesync.fc and cvesync.te
3189 | type cvesync_t;  # process domain for the cvesync binary
3190 | type cvesync_exec_t;  # entrypoint label for the cvesync executable (wired up by the application_domain expansion that follows)
3191 |
3192 | #line 26
3193 | ##### begin application_domain(cvesync_t,cvesync_exec_t) depth: 1
3194 | #line 26
3195 |
3196 | #line 26
3197 |
3198 | #line 26
3199 | ##### begin application_type(cvesync_t) depth: 2
3200 | #line 26
3201 |
3202 | #line 26
3203 |
3204 | #line 26
3205 |
3206 | #line 26
3207 | require {
3208 | #line 26
3209 |
3210 | #line 26
3211 | attribute application_domain_type;
3212 | #line 26
3213 |
3214 | #line 26
3215 | } # end require
3216 | #line 26
3217 |
3218 | #line 26
3219 |
3220 | #line 26
3221 |
3222 | #line 26
3223 | typeattribute cvesync_t application_domain_type;
3224 | #line 26
3225 |
3226 | #line 26
3227 | # start with basic domain
3228 | #line 26
3229 |
3230 | #line 26
3231 | ##### begin domain_type(cvesync_t) depth: 3
3232 | #line 26
3233 |
3234 | #line 26
3235 | # start with basic domain
3236 | #line 26
3237 |
3238 | #line 26
3239 | ##### begin domain_base_type(cvesync_t) depth: 4
3240 | #line 26
3241 |
3242 | #line 26
3243 |
3244 | #line 26
3245 |
3246 | #line 26
3247 | require {
3248 | #line 26
3249 |
3250 | #line 26
3251 | attribute domain;
3252 | #line 26
3253 |
3254 | #line 26
3255 | } # end require
3256 | #line 26
3257 |
3258 | #line 26
3259 |
3260 | #line 26
3261 |
3262 | #line 26
3263 | typeattribute cvesync_t domain;
3264 | #line 26
3265 |
3266 | #line 26
3267 |
3268 | #line 26
3269 | ##### end domain_base_type(cvesync_t) depth: 3
3270 | #line 26
3271 |
3272 | #line 26
3273 |
3274 | #line 26
3275 | # Only way to get corenet_unlabeled packets disabled to work
3276 | #line 26
3277 |
3278 | #line 26
3279 | ##### begin corenet_all_recvfrom_unlabeled(cvesync_t) depth: 4
3280 | #line 26
3281 |
3282 | #line 26
3283 |
3284 | #line 26
3285 |
3286 | #line 26
3287 | require {
3288 | #line 26
3289 |
3290 | #line 26
3291 | attribute corenet_unlabeled_type;
3292 | #line 26
3293 |
3294 | #line 26
3295 | } # end require
3296 | #line 26
3297 |
3298 | #line 26
3299 |
3300 | #line 26
3301 | typeattribute cvesync_t corenet_unlabeled_type;
3302 | #line 26
3303 |
3304 | #line 26
3305 |
3306 | #line 26
3307 | ##### end corenet_all_recvfrom_unlabeled(cvesync_t) depth: 3
3308 | #line 26
3309 |
3310 | #line 26
3311 |
3312 | #line 26
3313 |
3314 | #line 26
3315 | ##### end domain_type(cvesync_t) depth: 2
3316 | #line 26
3317 |
3318 | #line 26
3319 |
3320 | #line 26
3321 |
3322 | #line 26
3323 | ##### end application_type(cvesync_t) depth: 1
3324 | #line 26
3325 |
3326 | #line 26
3327 |
3328 | #line 26
3329 | ##### begin application_executable_file(cvesync_exec_t) depth: 2
3330 | #line 26
3331 |
3332 | #line 26
3333 |
3334 | #line 26
3335 |
3336 | #line 26
3337 | require {
3338 | #line 26
3339 |
3340 | #line 26
3341 | attribute application_exec_type;
3342 | #line 26
3343 |
3344 | #line 26
3345 | } # end require
3346 | #line 26
3347 |
3348 | #line 26
3349 |
3350 | #line 26
3351 |
3352 | #line 26
3353 | typeattribute cvesync_exec_t application_exec_type;
3354 | #line 26
3355 |
3356 | #line 26
3357 |
3358 | #line 26
3359 | ##### begin corecmd_executable_file(cvesync_exec_t) depth: 3
3360 | #line 26
3361 |
3362 | #line 26
3363 |
3364 | #line 26
3365 |
3366 | #line 26
3367 | require {
3368 | #line 26
3369 |
3370 | #line 26
3371 | attribute exec_type;
3372 | #line 26
3373 |
3374 | #line 26
3375 | } # end require
3376 | #line 26
3377 |
3378 | #line 26
3379 |
3380 | #line 26
3381 |
3382 | #line 26
3383 | typeattribute cvesync_exec_t exec_type;
3384 | #line 26
3385 |
3386 | #line 26
3387 |
3388 | #line 26
3389 | ##### begin files_type(cvesync_exec_t) depth: 4
3390 | #line 26
3391 |
3392 | #line 26
3393 |
3394 | #line 26
3395 |
3396 | #line 26
3397 | require {
3398 | #line 26
3399 |
3400 | #line 26
3401 | attribute file_type, non_security_file_type, non_auth_file_type;
3402 | #line 26
3403 |
3404 | #line 26
3405 | } # end require
3406 | #line 26
3407 |
3408 | #line 26
3409 |
3410 | #line 26
3411 |
3412 | #line 26
3413 | typeattribute cvesync_exec_t file_type, non_security_file_type, non_auth_file_type;
3414 | #line 26
3415 |
3416 | #line 26
3417 |
3418 | #line 26
3419 | ##### end files_type(cvesync_exec_t) depth: 3
3420 | #line 26
3421 |
3422 | #line 26
3423 |
3424 | #line 26
3425 |
3426 | #line 26
3427 | ##### end corecmd_executable_file(cvesync_exec_t) depth: 2
3428 | #line 26
3429 |
3430 | #line 26
3431 |
3432 | #line 26
3433 |
3434 | #line 26
3435 | ##### end application_executable_file(cvesync_exec_t) depth: 1
3436 | #line 26
3437 |
3438 | #line 26
3439 |
3440 | #line 26
3441 | ##### begin domain_entry_file(cvesync_t,cvesync_exec_t) depth: 2
3442 | #line 26
3443 |
3444 | #line 26
3445 |
3446 | #line 26
3447 |
3448 | #line 26
3449 | require {
3450 | #line 26
3451 |
3452 | #line 26
3453 | attribute entry_type;
3454 | #line 26
3455 |
3456 | #line 26
3457 | } # end require
3458 | #line 26
3459 |
3460 | #line 26
3461 |
3462 | #line 26
3463 |
3464 | #line 26
3465 | allow cvesync_t cvesync_exec_t:file entrypoint;
3466 | #line 26
3467 | allow cvesync_t cvesync_exec_t:file { { getattr open read execute ioctl } ioctl lock execute_no_trans };
3468 | #line 26
3469 |
3470 | #line 26
3471 | typeattribute cvesync_exec_t entry_type;
3472 | #line 26
3473 |
3474 | #line 26
3475 |
3476 | #line 26
3477 | ##### begin corecmd_executable_file(cvesync_exec_t) depth: 3
3478 | #line 26
3479 |
3480 | #line 26
3481 |
3482 | #line 26
3483 |
3484 | #line 26
3485 | require {
3486 | #line 26
3487 |
3488 | #line 26
3489 | attribute exec_type;
3490 | #line 26
3491 |
3492 | #line 26
3493 | } # end require
3494 | #line 26
3495 |
3496 | #line 26
3497 |
3498 | #line 26
3499 |
3500 | #line 26
3501 | typeattribute cvesync_exec_t exec_type;
3502 | #line 26
3503 |
3504 | #line 26
3505 |
3506 | #line 26
3507 | ##### begin files_type(cvesync_exec_t) depth: 4
3508 | #line 26
3509 |
3510 | #line 26
3511 |
3512 | #line 26
3513 |
3514 | #line 26
3515 | require {
3516 | #line 26
3517 |
3518 | #line 26
3519 | attribute file_type, non_security_file_type, non_auth_file_type;
3520 | #line 26
3521 |
3522 | #line 26
3523 | } # end require
3524 | #line 26
3525 |
3526 | #line 26
3527 |
3528 | #line 26
3529 |
3530 | #line 26
3531 | typeattribute cvesync_exec_t file_type, non_security_file_type, non_auth_file_type;
3532 | #line 26
3533 |
3534 | #line 26
3535 |
3536 | #line 26
3537 | ##### end files_type(cvesync_exec_t) depth: 3
3538 | #line 26
3539 |
3540 | #line 26
3541 |
3542 | #line 26
3543 |
3544 | #line 26
3545 | ##### end corecmd_executable_file(cvesync_exec_t) depth: 2
3546 | #line 26
3547 |
3548 | #line 26
3549 |
3550 | #line 26
3551 |
3552 | #line 26
3553 | ##### end domain_entry_file(cvesync_t,cvesync_exec_t) depth: 1
3554 | #line 26
3555 |
3556 | #line 26
3557 |
3558 | #line 26
3559 |
3560 | #line 26
3561 | ##### end application_domain(cvesync_t,cvesync_exec_t) depth: 0
3562 | #line 26
3563 |
3564 | role cvesync_roles types cvesync_t;  # only roles carrying cvesync_roles (system_r, attached above) may run in cvesync_t
3565 |
3566 | permissive cvesync_t;  # NOTE(review): permissive domain - SELinux only logs AVC denials for cvesync_t and enforces none of the rules in this module; acceptable while collecting denials during development, but remove this line (and rebuild cvesync.pp) before relying on the policy as a confinement boundary
3567 |
3568 | ########################################
3569 | #
3570 | # cvesync local policy
3571 | #
3572 |
3573 | allow cvesync_t self:fifo_file { create open getattr setattr read write append rename link unlink ioctl lock };  # pipes the process creates for its own use (Go runtime plumbing, presumably); target is self, so nothing is exposed to other domains
3574 | allow cvesync_t self:unix_stream_socket { { create { ioctl read getattr lock write setattr append bind connect getopt setopt shutdown } } listen accept };  # full lifecycle on its own unix stream sockets, including listen/accept; these two rules grant no network (tcp_socket) access - those rules are outside this excerpt
3575 |
3576 |
3577 | #line 39
3578 | ##### begin domain_use_interactive_fds(cvesync_t) depth: 1
3579 | #line 39
3580 |
3581 | #line 39
3582 |
3583 | #line 39
3584 |
3585 | #line 39
3586 | require {
3587 | #line 39
3588 |
3589 | #line 39
3590 | attribute privfd;
3591 | #line 39
3592 |
3593 | #line 39
3594 | } # end require
3595 | #line 39
3596 |
3597 | #line 39
3598 |
3599 | #line 39
3600 |
3601 | #line 39
3602 | allow cvesync_t privfd:fd use;
3603 | #line 39
3604 |
3605 | #line 39
3606 |
3607 | #line 39
3608 | ##### end domain_use_interactive_fds(cvesync_t) depth: 0
3609 | #line 39
3610 |
3611 |
3612 | #line 40
3613 | ##### begin files_read_etc_files(cvesync_t) depth: 1
3614 | #line 40
3615 |
3616 | #line 40
3617 |
3618 | #line 40
3619 |
3620 | #line 40
3621 | require {
3622 | #line 40
3623 |
3624 | #line 40
3625 | type etc_t;
3626 | #line 40
3627 |
3628 | #line 40
3629 | } # end require
3630 | #line 40
3631 |
3632 | #line 40
3633 |
3634 | #line 40
3635 |
3636 | #line 40
3637 | allow cvesync_t etc_t:dir { getattr search open read lock ioctl };
3638 | #line 40
3639 |
3640 | #line 40
3641 | allow cvesync_t etc_t:dir { getattr search open };
3642 | #line 40
3643 | allow cvesync_t etc_t:file { open { getattr read ioctl lock } };
3644 | #line 40
3645 |
3646 | #line 40
3647 |
3648 | #line 40
3649 | allow cvesync_t etc_t:dir { getattr search open };
3650 | #line 40
3651 | allow cvesync_t etc_t:lnk_file { getattr read };
3652 | #line 40
3653 |
3654 | #line 40
3655 |
3656 | #line 40
3657 | ##### begin files_read_etc_runtime_files(cvesync_t) depth: 2
3658 | #line 40
3659 |
3660 | #line 40
3661 |
3662 | #line 40
3663 |
3664 | #line 40
3665 | require {
3666 | #line 40
3667 |
3668 | #line 40
3669 | type etc_t, etc_runtime_t;
3670 | #line 40
3671 |
3672 | #line 40
3673 | } # end require
3674 | #line 40
3675 |
3676 | #line 40
3677 |
3678 | #line 40
3679 |
3680 | #line 40
3681 | allow cvesync_t etc_t:dir { getattr search open read lock ioctl };
3682 | #line 40
3683 |
3684 | #line 40
3685 | allow cvesync_t etc_t:dir { getattr search open };
3686 | #line 40
3687 | allow cvesync_t etc_runtime_t:file { open { getattr read ioctl lock } };
3688 | #line 40
3689 |
3690 | #line 40
3691 |
3692 | #line 40
3693 | allow cvesync_t etc_t:dir { getattr search open };
3694 | #line 40
3695 | allow cvesync_t etc_runtime_t:lnk_file { getattr read };
3696 | #line 40
3697 |
3698 | #line 40
3699 |
3700 | #line 40
3701 |
3702 | #line 40
3703 | ##### end files_read_etc_runtime_files(cvesync_t) depth: 1
3704 | #line 40
3705 |
3706 | #line 40
3707 |
3708 | #line 40
3709 |
3710 | #line 40
3711 | ##### end files_read_etc_files(cvesync_t) depth: 0
3712 | #line 40
3713 |
3714 |
3715 | #line 41
3716 | ##### begin logging_send_syslog_msg(cvesync_t) depth: 1
3717 | #line 41
3718 |
3719 | #line 41
3720 |
3721 | #line 41
3722 |
3723 | #line 41
3724 | require {
3725 | #line 41
3726 |
3727 | #line 41
3728 | attribute syslog_client_type;
3729 | #line 41
3730 |
3731 | #line 41
3732 | } # end require
3733 | #line 41
3734 |
3735 | #line 41
3736 |
3737 | #line 41
3738 |
3739 | #line 41
3740 | typeattribute cvesync_t syslog_client_type;
3741 | #line 41
3742 |
3743 | #line 41
3744 |
3745 | #line 41
3746 | ##### end logging_send_syslog_msg(cvesync_t) depth: 0
3747 | #line 41
3748 |
3749 |
3750 | #line 42
3751 | ##### begin miscfiles_read_localization(cvesync_t) depth: 1
3752 | #line 42
3753 |
3754 | #line 42
3755 |
3756 | #line 42
3757 |
3758 | #line 42
3759 | require {
3760 | #line 42
3761 |
3762 | #line 42
3763 | type locale_t;
3764 | #line 42
3765 |
3766 | #line 42
3767 | } # end require
3768 | #line 42
3769 |
3770 | #line 42
3771 |
3772 | #line 42
3773 |
3774 | #line 42
3775 |
3776 | #line 42
3777 | ##### begin files_read_etc_symlinks(cvesync_t) depth: 2
3778 | #line 42
3779 |
3780 | #line 42
3781 |
3782 | #line 42
3783 |
3784 | #line 42
3785 | require {
3786 | #line 42
3787 |
3788 | #line 42
3789 | type etc_t;
3790 | #line 42
3791 |
3792 | #line 42
3793 | } # end require
3794 | #line 42
3795 |
3796 | #line 42
3797 |
3798 | #line 42
3799 |
3800 | #line 42
3801 |
3802 | #line 42
3803 | allow cvesync_t etc_t:dir { getattr search open };
3804 | #line 42
3805 | allow cvesync_t etc_t:lnk_file { getattr read };
3806 | #line 42
3807 |
3808 | #line 42
3809 |
3810 | #line 42
3811 |
3812 | #line 42
3813 | ##### end files_read_etc_symlinks(cvesync_t) depth: 1
3814 | #line 42
3815 |
3816 | #line 42
3817 |
3818 | #line 42
3819 | ##### begin files_search_usr(cvesync_t) depth: 2
3820 | #line 42
3821 |
3822 | #line 42
3823 |
3824 | #line 42
3825 |
3826 | #line 42
3827 | require {
3828 | #line 42
3829 |
3830 | #line 42
3831 | type usr_t;
3832 | #line 42
3833 |
3834 | #line 42
3835 | } # end require
3836 | #line 42
3837 |
3838 | #line 42
3839 |
3840 | #line 42
3841 |
3842 | #line 42
3843 | allow cvesync_t usr_t:dir { getattr search open };
3844 | #line 42
3845 |
3846 | #line 42
3847 |
3848 | #line 42
3849 | ##### end files_search_usr(cvesync_t) depth: 1
3850 | #line 42
3851 |
3852 | #line 42
3853 | allow cvesync_t locale_t:dir { getattr search open read lock ioctl };
3854 | #line 42
3855 |
3856 | #line 42
3857 | allow cvesync_t locale_t:dir { getattr search open };
3858 | #line 42
3859 | allow cvesync_t locale_t:file { open { getattr read ioctl lock } };
3860 | #line 42
3861 |
3862 | #line 42
3863 |
3864 | #line 42
3865 | allow cvesync_t locale_t:dir { getattr search open };
3866 | #line 42
3867 | allow cvesync_t locale_t:lnk_file { getattr read };
3868 | #line 42
3869 |
3870 | #line 42
3871 |
3872 | #line 42
3873 |
3874 | #line 42
3875 | ##### end miscfiles_read_localization(cvesync_t) depth: 0
3876 | #line 42
3877 |
3878 |
3879 | #line 43
3880 | ##### begin sysnet_dns_name_resolve(cvesync_t) depth: 1
3881 | #line 43
3882 |
3883 | #line 43
3884 |
3885 | #line 43
3886 |
3887 | #line 43
3888 | require {
3889 | #line 43
3890 |
3891 | #line 43
3892 | type net_conf_t;
3893 | #line 43
3894 |
3895 | #line 43
3896 | } # end require
3897 | #line 43
3898 |
3899 | #line 43
3900 |
3901 | #line 43
3902 |
3903 | #line 43
3904 | allow cvesync_t self:tcp_socket { create { ioctl read getattr lock write setattr append bind connect getopt setopt shutdown } };
3905 | #line 43
3906 | allow cvesync_t self:udp_socket { create { ioctl read getattr lock write setattr append bind connect getopt setopt shutdown } };
3907 | #line 43
3908 | allow cvesync_t self:netlink_route_socket { { create { ioctl read getattr lock write setattr append bind connect getopt setopt shutdown } } nlmsg_read };
3909 | #line 43
3910 |
3911 | #line 43
3912 |
3913 | #line 43
3914 | ##### begin corenet_tcp_sendrecv_generic_if(cvesync_t) depth: 2
3915 | #line 43
3916 |
3917 | #line 43
3918 |
3919 | #line 43
3920 |
3921 | #line 43
3922 | require {
3923 | #line 43
3924 |
3925 | #line 43
3926 | type netif_t;
3927 | #line 43
3928 |
3929 | #line 43
3930 | } # end require
3931 | #line 43
3932 |
3933 | #line 43
3934 |
3935 | #line 43
3936 |
3937 | #line 43
3938 | allow cvesync_t netif_t:netif { tcp_send tcp_recv egress ingress };
3939 | #line 43
3940 |
3941 | #line 43
3942 |
3943 | #line 43
3944 | ##### end corenet_tcp_sendrecv_generic_if(cvesync_t) depth: 1
3945 | #line 43
3946 |
3947 | #line 43
3948 |
3949 | #line 43
3950 | ##### begin corenet_udp_sendrecv_generic_if(cvesync_t) depth: 2
3951 | #line 43
3952 |
3953 | #line 43
3954 |
3955 | #line 43
3956 | ##### begin corenet_udp_send_generic_if(cvesync_t) depth: 3
3957 | #line 43
3958 |
3959 | #line 43
3960 |
3961 | #line 43
3962 |
3963 | #line 43
3964 | require {
3965 | #line 43
3966 |
3967 | #line 43
3968 | type netif_t;
3969 | #line 43
3970 |
3971 | #line 43
3972 | } # end require
3973 | #line 43
3974 |
3975 | #line 43
3976 |
3977 | #line 43
3978 |
3979 | #line 43
3980 | allow cvesync_t netif_t:netif { udp_send egress };
3981 | #line 43
3982 |
3983 | #line 43
3984 |
3985 | #line 43
3986 | ##### end corenet_udp_send_generic_if(cvesync_t) depth: 2
3987 | #line 43
3988 |
3989 | #line 43
3990 |
3991 | #line 43
3992 | ##### begin corenet_udp_receive_generic_if(cvesync_t) depth: 3
3993 | #line 43
3994 |
3995 | #line 43
3996 |
3997 | #line 43
3998 |
3999 | #line 43
4000 | require {
4001 | #line 43
4002 |
4003 | #line 43
4004 | type netif_t;
4005 | #line 43
4006 |
4007 | #line 43
4008 | } # end require
4009 | #line 43
4010 |
4011 | #line 43
4012 |
4013 | #line 43
4014 |
4015 | #line 43
4016 | allow cvesync_t netif_t:netif { udp_recv ingress };
4017 | #line 43
4018 |
4019 | #line 43
4020 |
4021 | #line 43
4022 | ##### end corenet_udp_receive_generic_if(cvesync_t) depth: 2
4023 | #line 43
4024 |
4025 | #line 43
4026 |
4027 | #line 43
4028 |
4029 | #line 43
4030 | ##### end corenet_udp_sendrecv_generic_if(cvesync_t) depth: 1
4031 | #line 43
4032 |
4033 | #line 43
4034 |
4035 | #line 43
4036 | ##### begin corenet_tcp_sendrecv_generic_node(cvesync_t) depth: 2
4037 | #line 43
4038 |
4039 | #line 43
4040 |
4041 | #line 43
4042 |
4043 | #line 43
4044 | require {
4045 | #line 43
4046 |
4047 | #line 43
4048 | type node_t;
4049 | #line 43
4050 |
4051 | #line 43
4052 | } # end require
4053 | #line 43
4054 |
4055 | #line 43
4056 |
4057 | #line 43
4058 |
4059 | #line 43
4060 | allow cvesync_t node_t:node { tcp_send tcp_recv sendto recvfrom };
4061 | #line 43
4062 |
4063 | #line 43
4064 |
4065 | #line 43
4066 | ##### end corenet_tcp_sendrecv_generic_node(cvesync_t) depth: 1
4067 | #line 43
4068 |
4069 | #line 43
4070 |
4071 | #line 43
4072 | ##### begin corenet_udp_sendrecv_generic_node(cvesync_t) depth: 2
4073 | #line 43
4074 |
4075 | #line 43
4076 |
4077 | #line 43
4078 | ##### begin corenet_udp_send_generic_node(cvesync_t) depth: 3
4079 | #line 43
4080 |
4081 | #line 43
4082 |
4083 | #line 43
4084 |
4085 | #line 43
4086 | require {
4087 | #line 43
4088 |
4089 | #line 43
4090 | type node_t;
4091 | #line 43
4092 |
4093 | #line 43
4094 | } # end require
4095 | #line 43
4096 |
4097 | #line 43
4098 |
4099 | #line 43
4100 |
4101 | #line 43
4102 | allow cvesync_t node_t:node { udp_send sendto };
4103 | #line 43
4104 |
4105 | #line 43
4106 |
4107 | #line 43
4108 | ##### end corenet_udp_send_generic_node(cvesync_t) depth: 2
4109 | #line 43
4110 |
4111 | #line 43
4112 |
4113 | #line 43
4114 | ##### begin corenet_udp_receive_generic_node(cvesync_t) depth: 3
4115 | #line 43
4116 |
4117 | #line 43
4118 |
4119 | #line 43
4120 |
4121 | #line 43
4122 | require {
4123 | #line 43
4124 |
4125 | #line 43
4126 | type node_t;
4127 | #line 43
4128 |
4129 | #line 43
4130 | } # end require
4131 | #line 43
4132 |
4133 | #line 43
4134 |
4135 | #line 43
4136 |
4137 | #line 43
4138 | allow cvesync_t node_t:node { udp_recv recvfrom };
4139 | #line 43
4140 |
4141 | #line 43
4142 |
4143 | #line 43
4144 | ##### end corenet_udp_receive_generic_node(cvesync_t) depth: 2
4145 | #line 43
4146 |
4147 | #line 43
4148 |
4149 | #line 43
4150 |
4151 | #line 43
4152 | ##### end corenet_udp_sendrecv_generic_node(cvesync_t) depth: 1
4153 | #line 43
4154 |
4155 | #line 43
4156 |
4157 | #line 43
4158 | ##### begin corenet_tcp_sendrecv_dns_port(cvesync_t) depth: 2
4159 | #line 43
4160 |
4161 | #line 43
4162 |
4163 | #line 43
4164 |
4165 | #line 43
4166 | require {
4167 | #line 43
4168 |
4169 | #line 43
4170 | type dns_port_t;
4171 | #line 43
4172 |
4173 | #line 43
4174 | } # end require
4175 | #line 43
4176 |
4177 | #line 43
4178 |
4179 | #line 43
4180 |
4181 | #line 43
4182 | allow cvesync_t dns_port_t:tcp_socket { send_msg recv_msg };
4183 | #line 43
4184 |
4185 | #line 43
4186 |
4187 | #line 43
4188 | ##### end corenet_tcp_sendrecv_dns_port(cvesync_t) depth: 1
4189 | #line 43
4190 |
4191 | #line 43
4192 |
4193 | #line 43
4194 | ##### begin corenet_udp_sendrecv_dns_port(cvesync_t) depth: 2
4195 | #line 43
4196 |
4197 | #line 43
4198 |
4199 | #line 43
4200 | ##### begin corenet_udp_send_dns_port(cvesync_t) depth: 3
4201 | #line 43
4202 |
4203 | #line 43
4204 |
4205 | #line 43
4206 |
4207 | #line 43
4208 | require {
4209 | #line 43
4210 |
4211 | #line 43
4212 | type dns_port_t;
4213 | #line 43
4214 |
4215 | #line 43
4216 | } # end require
4217 | #line 43
4218 |
4219 | #line 43
4220 |
4221 | #line 43
4222 |
4223 | #line 43
4224 | allow cvesync_t dns_port_t:udp_socket send_msg;
4225 | #line 43
4226 |
4227 | #line 43
4228 |
4229 | #line 43
4230 | ##### end corenet_udp_send_dns_port(cvesync_t) depth: 2
4231 | #line 43
4232 |
4233 | #line 43
4234 |
4235 | #line 43
4236 | ##### begin corenet_udp_receive_dns_port(cvesync_t) depth: 3
4237 | #line 43
4238 |
4239 | #line 43
4240 |
4241 | #line 43
4242 |
4243 | #line 43
4244 | require {
4245 | #line 43
4246 |
4247 | #line 43
4248 | type dns_port_t;
4249 | #line 43
4250 |
4251 | #line 43
4252 | } # end require
4253 | #line 43
4254 |
4255 | #line 43
4256 |
4257 | #line 43
4258 |
4259 | #line 43
4260 | allow cvesync_t dns_port_t:udp_socket recv_msg;
4261 | #line 43
4262 |
4263 | #line 43
4264 |
4265 | #line 43
4266 | ##### end corenet_udp_receive_dns_port(cvesync_t) depth: 2
4267 | #line 43
4268 |
4269 | #line 43
4270 |
4271 | #line 43
4272 |
4273 | #line 43
4274 | ##### end corenet_udp_sendrecv_dns_port(cvesync_t) depth: 1
4275 | #line 43
4276 |
4277 | #line 43
4278 |
4279 | #line 43
4280 | ##### begin corenet_tcp_connect_dns_port(cvesync_t) depth: 2
4281 | #line 43
4282 |
4283 | #line 43
4284 |
4285 | #line 43
4286 |
4287 | #line 43
4288 | require {
4289 | #line 43
4290 |
4291 | #line 43
4292 | type dns_port_t;
4293 | #line 43
4294 |
4295 | #line 43
4296 | } # end require
4297 | #line 43
4298 |
4299 | #line 43
4300 |
4301 | #line 43
4302 |
4303 | #line 43
4304 | allow cvesync_t dns_port_t:tcp_socket name_connect;
4305 | #line 43
4306 |
4307 | #line 43
4308 |
4309 | #line 43
4310 | ##### end corenet_tcp_connect_dns_port(cvesync_t) depth: 1
4311 | #line 43
4312 |
4313 | #line 43
4314 |
4315 | #line 43
4316 | ##### begin corenet_tcp_connect_dnssec_port(cvesync_t) depth: 2
4317 | #line 43
4318 |
4319 | #line 43
4320 |
4321 | #line 43
4322 |
4323 | #line 43
4324 | require {
4325 | #line 43
4326 |
4327 | #line 43
4328 | type dnssec_port_t;
4329 | #line 43
4330 |
4331 | #line 43
4332 | } # end require
4333 | #line 43
4334 |
4335 | #line 43
4336 |
4337 | #line 43
4338 |
4339 | #line 43
4340 | allow cvesync_t dnssec_port_t:tcp_socket name_connect;
4341 | #line 43
4342 |
4343 | #line 43
4344 |
4345 | #line 43
4346 | ##### end corenet_tcp_connect_dnssec_port(cvesync_t) depth: 1
4347 | #line 43
4348 |
4349 | #line 43
4350 |
4351 | #line 43
4352 | ##### begin corenet_sendrecv_dns_client_packets(cvesync_t) depth: 2
4353 | #line 43
4354 |
4355 | #line 43
4356 |
4357 | #line 43
4358 | ##### begin corenet_send_dns_client_packets(cvesync_t) depth: 3
4359 | #line 43
4360 |
4361 | #line 43
4362 |
4363 | #line 43
4364 |
4365 | #line 43
4366 | require {
4367 | #line 43
4368 |
4369 | #line 43
4370 | type dns_client_packet_t;
4371 | #line 43
4372 |
4373 | #line 43
4374 | } # end require
4375 | #line 43
4376 |
4377 | #line 43
4378 |
4379 | #line 43
4380 |
4381 | #line 43
4382 | allow cvesync_t dns_client_packet_t:packet send;
4383 | #line 43
4384 |
4385 | #line 43
4386 |
4387 | #line 43
4388 | ##### end corenet_send_dns_client_packets(cvesync_t) depth: 2
4389 | #line 43
4390 |
4391 | #line 43
4392 |
4393 | #line 43
4394 | ##### begin corenet_receive_dns_client_packets(cvesync_t) depth: 3
4395 | #line 43
4396 |
4397 | #line 43
4398 |
4399 | #line 43
4400 |
4401 | #line 43
4402 | require {
4403 | #line 43
4404 |
4405 | #line 43
4406 | type dns_client_packet_t;
4407 | #line 43
4408 |
4409 | #line 43
4410 | } # end require
4411 | #line 43
4412 |
4413 | #line 43
4414 |
4415 | #line 43
4416 |
4417 | #line 43
4418 | allow cvesync_t dns_client_packet_t:packet recv;
4419 | #line 43
4420 |
4421 | #line 43
4422 |
4423 | #line 43
4424 | ##### end corenet_receive_dns_client_packets(cvesync_t) depth: 2
4425 | #line 43
4426 |
4427 | #line 43
4428 |
4429 | #line 43
4430 |
4431 | #line 43
4432 | ##### end corenet_sendrecv_dns_client_packets(cvesync_t) depth: 1
4433 | #line 43
4434 |
4435 | #line 43
4436 |
4437 | #line 43
4438 |
4439 | #line 43
4440 | ##### begin miscfiles_read_generic_certs(cvesync_t) depth: 2
4441 | #line 43
4442 |
4443 | #line 43
4444 |
4445 | #line 43
4446 |
4447 | #line 43
4448 | require {
4449 | #line 43
4450 |
4451 | #line 43
4452 | type cert_t;
4453 | #line 43
4454 |
4455 | #line 43
4456 | } # end require
4457 | #line 43
4458 |
4459 | #line 43
4460 |
4461 | #line 43
4462 |
4463 | #line 43
4464 | allow cvesync_t cert_t:dir { getattr search open read lock ioctl };
4465 | #line 43
4466 |
4467 | #line 43
4468 | allow cvesync_t cert_t:dir { getattr search open };
4469 | #line 43
4470 | allow cvesync_t cert_t:file { open { getattr read ioctl lock } };
4471 | #line 43
4472 |
4473 | #line 43
4474 |
4475 | #line 43
4476 | allow cvesync_t cert_t:dir { getattr search open };
4477 | #line 43
4478 | allow cvesync_t cert_t:lnk_file { getattr read };
4479 | #line 43
4480 |
4481 | #line 43
4482 |
4483 | #line 43
4484 |
4485 | #line 43
4486 | ##### end miscfiles_read_generic_certs(cvesync_t) depth: 1
4487 | #line 43
4488 |
4489 | #line 43
4490 |
4491 | #line 43
4492 |
4493 | #line 43
4494 | ##### begin sysnet_read_config(cvesync_t) depth: 2
4495 | #line 43
4496 |
4497 | #line 43
4498 |
4499 | #line 43
4500 |
4501 | #line 43
4502 | require {
4503 | #line 43
4504 |
4505 | #line 43
4506 | type net_conf_t;
4507 | #line 43
4508 |
4509 | #line 43
4510 | } # end require
4511 | #line 43
4512 |
4513 | #line 43
4514 |
4515 | #line 43
4516 |
4517 | #line 43
4518 |
4519 | #line 43
4520 | ##### begin files_search_etc(cvesync_t) depth: 3
4521 | #line 43
4522 |
4523 | #line 43
4524 |
4525 | #line 43
4526 |
4527 | #line 43
4528 | require {
4529 | #line 43
4530 |
4531 | #line 43
4532 | type etc_t;
4533 | #line 43
4534 |
4535 | #line 43
4536 | } # end require
4537 | #line 43
4538 |
4539 | #line 43
4540 |
4541 | #line 43
4542 |
4543 | #line 43
4544 | allow cvesync_t etc_t:dir { getattr search open };
4545 | #line 43
4546 |
4547 | #line 43
4548 |
4549 | #line 43
4550 | ##### end files_search_etc(cvesync_t) depth: 2
4551 | #line 43
4552 |
4553 | #line 43
4554 | allow cvesync_t net_conf_t:file { open { getattr read ioctl lock } };
4555 | #line 43
4556 |
4557 | #line 43
4558 |
4559 | #line 43
4560 |
4561 | #line 43
4562 |
4563 | #line 43
4564 |
4565 | #line 43
4566 | ##### begin files_search_pids(cvesync_t) depth: 3
4567 | #line 43
4568 |
4569 | #line 43
4570 |
4571 | #line 43
4572 |
4573 | #line 43
4574 | require {
4575 | #line 43
4576 |
4577 | #line 43
4578 | type var_t, var_run_t;
4579 | #line 43
4580 |
4581 | #line 43
4582 | } # end require
4583 | #line 43
4584 |
4585 | #line 43
4586 |
4587 | #line 43
4588 |
4589 | #line 43
4590 | allow cvesync_t var_t:lnk_file { getattr read };
4591 | #line 43
4592 | allow cvesync_t var_run_t:lnk_file { getattr read };
4593 | #line 43
4594 |
4595 | #line 43
4596 | allow cvesync_t var_t:dir { getattr search open };
4597 | #line 43
4598 | allow cvesync_t var_run_t:dir { getattr search open };
4599 | #line 43
4600 |
4601 | #line 43
4602 |
4603 | #line 43
4604 |
4605 | #line 43
4606 | ##### end files_search_pids(cvesync_t) depth: 2
4607 | #line 43
4608 |
4609 | #line 43
4610 |
4611 | #line 43
4612 | ##### begin init_search_pid_dirs(cvesync_t) depth: 3
4613 | #line 43
4614 |
4615 | #line 43
4616 |
4617 | #line 43
4618 |
4619 | #line 43
4620 | require {
4621 | #line 43
4622 |
4623 | #line 43
4624 | type init_var_run_t;
4625 | #line 43
4626 |
4627 | #line 43
4628 | } # end require
4629 | #line 43
4630 |
4631 | #line 43
4632 |
4633 | #line 43
4634 |
4635 | #line 43
4636 | allow cvesync_t init_var_run_t:dir { getattr search open };
4637 | #line 43
4638 |
4639 | #line 43
4640 |
4641 | #line 43
4642 | ##### end init_search_pid_dirs(cvesync_t) depth: 2
4643 | #line 43
4644 |
4645 | #line 43
4646 | allow cvesync_t net_conf_t:dir { getattr search open read lock ioctl };
4647 | #line 43
4648 | allow cvesync_t net_conf_t:lnk_file { getattr read };
4649 | #line 43
4650 |
4651 | #line 43
4652 | allow cvesync_t net_conf_t:dir { getattr search open };
4653 | #line 43
4654 | allow cvesync_t net_conf_t:file { open { getattr read ioctl lock } };
4655 | #line 43
4656 |
4657 | #line 43
4658 |
4659 | #line 43
4660 |
4661 | #line 43
4662 |
4663 | #line 43
4664 | ##### end sysnet_read_config(cvesync_t) depth: 1
4665 | #line 43
4666 |
4667 | #line 43
4668 |
4669 | #line 43
4670 |
4671 | #line 43
4672 | optional {
4673 | #line 43
4674 |
4675 | #line 43
4676 |
4677 | #line 43
4678 | ##### begin avahi_stream_connect(cvesync_t) depth: 2
4679 | #line 43
4680 |
4681 | #line 43
4682 |
4683 | #line 43
4684 |
4685 | #line 43
4686 | require {
4687 | #line 43
4688 |
4689 | #line 43
4690 | type avahi_t, avahi_var_run_t;
4691 | #line 43
4692 |
4693 | #line 43
4694 | } # end require
4695 | #line 43
4696 |
4697 | #line 43
4698 |
4699 | #line 43
4700 |
4701 | #line 43
4702 |
4703 | #line 43
4704 | ##### begin files_search_pids(cvesync_t) depth: 3
4705 | #line 43
4706 |
4707 | #line 43
4708 |
4709 | #line 43
4710 |
4711 | #line 43
4712 | require {
4713 | #line 43
4714 |
4715 | #line 43
4716 | type var_t, var_run_t;
4717 | #line 43
4718 |
4719 | #line 43
4720 | } # end require
4721 | #line 43
4722 |
4723 | #line 43
4724 |
4725 | #line 43
4726 |
4727 | #line 43
4728 | allow cvesync_t var_t:lnk_file { getattr read };
4729 | #line 43
4730 | allow cvesync_t var_run_t:lnk_file { getattr read };
4731 | #line 43
4732 |
4733 | #line 43
4734 | allow cvesync_t var_t:dir { getattr search open };
4735 | #line 43
4736 | allow cvesync_t var_run_t:dir { getattr search open };
4737 | #line 43
4738 |
4739 | #line 43
4740 |
4741 | #line 43
4742 |
4743 | #line 43
4744 | ##### end files_search_pids(cvesync_t) depth: 2
4745 | #line 43
4746 |
4747 | #line 43
4748 |
4749 | #line 43
4750 | allow cvesync_t avahi_var_run_t:dir { getattr search open };
4751 | #line 43
4752 | allow cvesync_t avahi_var_run_t:sock_file { getattr write open append };
4753 | #line 43
4754 | allow cvesync_t avahi_t:unix_stream_socket connectto;
4755 | #line 43
4756 |
4757 | #line 43
4758 |
4759 | #line 43
4760 |
4761 | #line 43
4762 | ##### end avahi_stream_connect(cvesync_t) depth: 1
4763 | #line 43
4764 |
4765 | #line 43
4766 |
4767 | #line 43
4768 | } # end optional
4769 | #line 43
4770 |
4771 | #line 43
4772 |
4773 | #line 43
4774 |
4775 | #line 43
4776 | optional {
4777 | #line 43
4778 |
4779 | #line 43
4780 |
4781 | #line 43
4782 | ##### begin nscd_use(cvesync_t) depth: 2
4783 | #line 43
4784 |
4785 | #line 43
4786 |
4787 | #line 43
4788 |
4789 | #line 43
4790 |
4791 | #line 43
4792 | require {
4793 | #line 43
4794 |
4795 | #line 43
4796 |
4797 | #line 43
4798 | bool nscd_use_shm;
4799 | #line 43
4800 |
4801 | #line 43
4802 |
4803 | #line 43
4804 |
4805 | #line 43
4806 | } # end require
4807 | #line 43
4808 |
4809 | #line 43
4810 |
4811 | #line 43
4812 | if (nscd_use_shm) {
4813 | #line 43
4814 |
4815 | #line 43
4816 |
4817 | #line 43
4818 | ##### begin nscd_shm_use(cvesync_t) depth: 3
4819 | #line 43
4820 |
4821 | #line 43
4822 |
4823 | #line 43
4824 |
4825 | #line 43
4826 | require {
4827 | #line 43
4828 |
4829 | #line 43
4830 | type nscd_t, nscd_var_run_t;
4831 | #line 43
4832 | class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
4833 | #line 43
4834 |
4835 | #line 43
4836 | } # end require
4837 | #line 43
4838 |
4839 | #line 43
4840 |
4841 | #line 43
4842 |
4843 | #line 43
4844 | allow cvesync_t nscd_var_run_t:dir { getattr search open read lock ioctl };
4845 | #line 43
4846 | allow cvesync_t nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv };
4847 | #line 43
4848 | # Receive fd from nscd and map the backing file with read access.
4849 | #line 43
4850 | allow cvesync_t nscd_t:fd use;
4851 | #line 43
4852 |
4853 | #line 43
4854 | # cjp: these were originally inherited from the
4855 | #line 43
4856 | # nscd_socket_domain macro. need to investigate
4857 | #line 43
4858 | # if they are all actually required
4859 | #line 43
4860 | allow cvesync_t self:unix_stream_socket { { create { ioctl read getattr lock write setattr append bind connect getopt setopt shutdown } } listen accept };
4861 | #line 43
4862 |
4863 | #line 43
4864 | # dg: This may not be required.
4865 | #line 43
4866 | allow cvesync_t nscd_var_run_t:sock_file { getattr open read };
4867 | #line 43
4868 |
4869 | #line 43
4870 |
4871 | #line 43
4872 | allow cvesync_t nscd_var_run_t:dir { getattr search open };
4873 | #line 43
4874 | allow cvesync_t nscd_var_run_t:sock_file { getattr write open append };
4875 | #line 43
4876 | allow cvesync_t nscd_t:unix_stream_socket connectto;
4877 | #line 43
4878 |
4879 | #line 43
4880 |
4881 | #line 43
4882 | ##### begin files_search_pids(cvesync_t) depth: 4
4883 | #line 43
4884 |
4885 | #line 43
4886 |
4887 | #line 43
4888 |
4889 | #line 43
4890 | require {
4891 | #line 43
4892 |
4893 | #line 43
4894 | type var_t, var_run_t;
4895 | #line 43
4896 |
4897 | #line 43
4898 | } # end require
4899 | #line 43
4900 |
4901 | #line 43
4902 |
4903 | #line 43
4904 |
4905 | #line 43
4906 | allow cvesync_t var_t:lnk_file { getattr read };
4907 | #line 43
4908 | allow cvesync_t var_run_t:lnk_file { getattr read };
4909 | #line 43
4910 |
4911 | #line 43
4912 | allow cvesync_t var_t:dir { getattr search open };
4913 | #line 43
4914 | allow cvesync_t var_run_t:dir { getattr search open };
4915 | #line 43
4916 |
4917 | #line 43
4918 |
4919 | #line 43
4920 |
4921 | #line 43
4922 | ##### end files_search_pids(cvesync_t) depth: 3
4923 | #line 43
4924 |
4925 | #line 43
4926 | allow cvesync_t nscd_t:nscd { getpwd getgrp gethost getserv };
4927 | #line 43
4928 | dontaudit cvesync_t nscd_var_run_t:file { open { getattr read ioctl lock } };
4929 | #line 43
4930 |
4931 | #line 43
4932 |
4933 | #line 43
4934 | ##### end nscd_shm_use(cvesync_t) depth: 2
4935 | #line 43
4936 |
4937 | #line 43
4938 |
4939 | #line 43
4940 | } else {
4941 | #line 43
4942 |
4943 | #line 43
4944 |
4945 | #line 43
4946 | ##### begin nscd_socket_use(cvesync_t) depth: 3
4947 | #line 43
4948 |
4949 | #line 43
4950 |
4951 | #line 43
4952 |
4953 | #line 43
4954 | require {
4955 | #line 43
4956 |
4957 | #line 43
4958 | type nscd_t, nscd_var_run_t;
4959 | #line 43
4960 | class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
4961 | #line 43
4962 |
4963 | #line 43
4964 | } # end require
4965 | #line 43
4966 |
4967 | #line 43
4968 |
4969 | #line 43
4970 |
4971 | #line 43
4972 | allow cvesync_t self:unix_stream_socket { create { ioctl read getattr lock write setattr append bind connect getopt setopt shutdown } };
4973 | #line 43
4974 |
4975 | #line 43
4976 | allow cvesync_t nscd_t:nscd { getpwd getgrp gethost };
4977 | #line 43
4978 | dontaudit cvesync_t nscd_t:fd use;
4979 | #line 43
4980 | dontaudit cvesync_t nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
4981 | #line 43
4982 |
4983 | #line 43
4984 | ##### begin files_search_pids(cvesync_t) depth: 4
4985 | #line 43
4986 |
4987 | #line 43
4988 |
4989 | #line 43
4990 |
4991 | #line 43
4992 | require {
4993 | #line 43
4994 |
4995 | #line 43
4996 | type var_t, var_run_t;
4997 | #line 43
4998 |
4999 | #line 43
5000 | } # end require
5001 | #line 43
5002 |
5003 | #line 43
5004 |
5005 | #line 43
5006 |
5007 | #line 43
5008 | allow cvesync_t var_t:lnk_file { getattr read };
5009 | #line 43
5010 | allow cvesync_t var_run_t:lnk_file { getattr read };
5011 | #line 43
5012 |
5013 | #line 43
5014 | allow cvesync_t var_t:dir { getattr search open };
5015 | #line 43
5016 | allow cvesync_t var_run_t:dir { getattr search open };
5017 | #line 43
5018 |
5019 | #line 43
5020 |
5021 | #line 43
5022 |
5023 | #line 43
5024 | ##### end files_search_pids(cvesync_t) depth: 3
5025 | #line 43
5026 |
5027 | #line 43
5028 |
5029 | #line 43
5030 | allow cvesync_t nscd_var_run_t:dir { getattr search open };
5031 | #line 43
5032 | allow cvesync_t nscd_var_run_t:sock_file { getattr write open append };
5033 | #line 43
5034 | allow cvesync_t nscd_t:unix_stream_socket connectto;
5035 | #line 43
5036 |
5037 | #line 43
5038 | dontaudit cvesync_t nscd_var_run_t:file { open { getattr read ioctl lock } };
5039 | #line 43
5040 |
5041 | #line 43
5042 | allow nscd_t cvesync_t:dir { getattr search open read lock ioctl };
5043 | #line 43
5044 | allow nscd_t cvesync_t:file { open { getattr read ioctl lock } };
5045 | #line 43
5046 | allow nscd_t cvesync_t:lnk_file { getattr read };
5047 | #line 43
5048 | allow nscd_t cvesync_t:process getattr;
5049 | #line 43
5050 |
5051 | #line 43
5052 |
5053 | #line 43
5054 |
5055 | #line 43
5056 | ##### end nscd_socket_use(cvesync_t) depth: 2
5057 | #line 43
5058 |
5059 | #line 43
5060 |
5061 | #line 43
5062 | }
5063 | #line 43
5064 |
5065 | #line 43
5066 |
5067 | #line 43
5068 |
5069 | #line 43
5070 | ##### end nscd_use(cvesync_t) depth: 1
5071 | #line 43
5072 |
5073 | #line 43
5074 |
5075 | #line 43
5076 | } # end optional
5077 | #line 43
5078 |
5079 | #line 43
5080 |
5081 | #line 43
5082 |
5083 | #line 43
5084 | ##### end sysnet_dns_name_resolve(cvesync_t) depth: 0
5085 | #line 43
5086 |
5087 |
5088 | # Transition: executing a cvesync_exec_t file from unconfined_t enters the cvesync_exec_t process domain (the target is cvesync_exec_t, not cvesync_t)
5089 | role unconfined_r types cvesync_exec_t;
5090 | allow unconfined_t cvesync_exec_t:file execute;
5091 | type_transition unconfined_t cvesync_exec_t:process cvesync_exec_t;
5092 | allow unconfined_t cvesync_exec_t:process { siginh rlimitinh noatsecure transition };
5093 | allow cvesync_exec_t self:file entrypoint;
5094 |
5095 | # Basic rights for the cvesync_exec_t process domain
5096 |
5097 | #line 53
5098 | ##### begin domain_base_type(cvesync_exec_t) depth: 1
5099 | #line 53
5100 |
5101 | #line 53
5102 |
5103 | #line 53
5104 |
5105 | #line 53
5106 | require {
5107 | #line 53
5108 |
5109 | #line 53
5110 | attribute domain;
5111 | #line 53
5112 |
5113 | #line 53
5114 | } # end require
5115 | #line 53
5116 |
5117 | #line 53
5118 |
5119 | #line 53
5120 |
5121 | #line 53
5122 | typeattribute cvesync_exec_t domain;
5123 | #line 53
5124 |
5125 | #line 53
5126 |
5127 | #line 53
5128 | ##### end domain_base_type(cvesync_exec_t) depth: 0
5129 | #line 53
5130 |
5131 |
5132 | #line 54
5133 | ##### begin files_list_root(cvesync_exec_t) depth: 1
5134 | #line 54
5135 |
5136 | #line 54
5137 |
5138 | #line 54
5139 |
5140 | #line 54
5141 | require {
5142 | #line 54
5143 |
5144 | #line 54
5145 | type root_t;
5146 | #line 54
5147 |
5148 | #line 54
5149 | } # end require
5150 | #line 54
5151 |
5152 | #line 54
5153 |
5154 | #line 54
5155 |
5156 | #line 54
5157 | allow cvesync_exec_t root_t:dir { getattr search open read lock ioctl };
5158 | #line 54
5159 | allow cvesync_exec_t root_t:lnk_file { { getattr read } ioctl lock };
5160 | #line 54
5161 |
5162 | #line 54
5163 |
5164 | #line 54
5165 | ##### end files_list_root(cvesync_exec_t) depth: 0
5166 | #line 54
5167 |
5168 |
5169 | #line 55
5170 | ##### begin unconfined_use_fds(cvesync_exec_t) depth: 1
5171 | #line 55
5172 |
5173 | #line 55
5174 |
5175 | #line 55
5176 |
5177 | #line 55
5178 | require {
5179 | #line 55
5180 |
5181 | #line 55
5182 | type unconfined_t;
5183 | #line 55
5184 |
5185 | #line 55
5186 | } # end require
5187 | #line 55
5188 |
5189 | #line 55
5190 |
5191 | #line 55
5192 |
5193 | #line 55
5194 | allow cvesync_exec_t unconfined_t:fd use;
5195 | #line 55
5196 |
5197 | #line 55
5198 |
5199 | #line 55
5200 | ##### end unconfined_use_fds(cvesync_exec_t) depth: 0
5201 | #line 55
5202 |
5203 |
5204 | #line 56
5205 | ##### begin userdom_use_inherited_user_ptys(cvesync_exec_t) depth: 1
5206 | #line 56
5207 |
5208 | #line 56
5209 |
5210 | #line 56
5211 |
5212 | #line 56
5213 | require {
5214 | #line 56
5215 |
5216 | #line 56
5217 | type user_devpts_t;
5218 | #line 56
5219 |
5220 | #line 56
5221 | } # end require
5222 | #line 56
5223 |
5224 | #line 56
5225 |
5226 | #line 56
5227 |
5228 | #line 56
5229 | allow cvesync_exec_t user_devpts_t:chr_file { getattr lock read write append ioctl };
5230 | #line 56
5231 |
5232 | #line 56
5233 |
5234 | #line 56
5235 | ##### end userdom_use_inherited_user_ptys(cvesync_exec_t) depth: 0
5236 | #line 56
5237 |
5238 |
5239 | #line 57
5240 | ##### begin kernel_read_unix_sysctls(cvesync_exec_t) depth: 1
5241 | #line 57
5242 |
5243 | #line 57
5244 |
5245 | #line 57
5246 |
5247 | #line 57
5248 | require {
5249 | #line 57
5250 |
5251 | #line 57
5252 | type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t;
5253 | #line 57
5254 |
5255 | #line 57
5256 | } # end require
5257 | #line 57
5258 |
5259 | #line 57
5260 |
5261 | #line 57
5262 |
5263 | #line 57
5264 |
5265 | #line 57
5266 | allow cvesync_exec_t { proc_t sysctl_t sysctl_net_t }:dir { getattr search open };
5267 | #line 57
5268 | allow cvesync_exec_t sysctl_net_unix_t:file { open { getattr read ioctl lock } };
5269 | #line 57
5270 |
5271 | #line 57
5272 |
5273 | #line 57
5274 | allow cvesync_exec_t { proc_t sysctl_t }:dir { getattr search open };
5275 | #line 57
5276 | allow cvesync_exec_t sysctl_net_t:dir { getattr search open read lock ioctl };
5277 | #line 57
5278 |
5279 | #line 57
5280 |
5281 | #line 57
5282 |
5283 | #line 57
5284 | ##### end kernel_read_unix_sysctls(cvesync_exec_t) depth: 0
5285 | #line 57
5286 |
5287 |
5288 | #line 58
5289 | ##### begin init_read_pipes(cvesync_exec_t) depth: 1
5290 | #line 58
5291 |
5292 | #line 58
5293 |
5294 | #line 58
5295 |
5296 | #line 58
5297 | require {
5298 | #line 58
5299 |
5300 | #line 58
5301 | type init_var_run_t;
5302 | #line 58
5303 |
5304 | #line 58
5305 | } # end require
5306 | #line 58
5307 |
5308 | #line 58
5309 |
5310 | #line 58
5311 |
5312 | #line 58
5313 |
5314 | #line 58
5315 | allow cvesync_exec_t init_var_run_t:dir { getattr search open };
5316 | #line 58
5317 | allow cvesync_exec_t init_var_run_t:fifo_file { getattr open read lock ioctl };
5318 | #line 58
5319 |
5320 | #line 58
5321 |
5322 | #line 58
5323 |
5324 | #line 58
5325 | ##### end init_read_pipes(cvesync_exec_t) depth: 0
5326 | #line 58
5327 |
5328 |
5329 | #line 59
5330 | ##### begin virt_sandbox_domain(cvesync_exec_t) depth: 1
5331 | #line 59
5332 |
5333 | #line 59
5334 |
5335 | #line 59
5336 |
5337 | #line 59
5338 | require {
5339 | #line 59
5340 |
5341 | #line 59
5342 | attribute svirt_sandbox_domain;
5343 | #line 59
5344 |
5345 | #line 59
5346 | } # end require
5347 | #line 59
5348 |
5349 | #line 59
5350 |
5351 | #line 59
5352 |
5353 | #line 59
5354 | typeattribute cvesync_exec_t svirt_sandbox_domain;
5355 | #line 59
5356 |
5357 | #line 59
5358 | ##### end virt_sandbox_domain(cvesync_exec_t) depth: 0
5359 | #line 59
5360 |
5361 |
5362 | #line 60
5363 | ##### begin logging_send_syslog_msg(cvesync_exec_t) depth: 1
5364 | #line 60
5365 |
5366 | #line 60
5367 |
5368 | #line 60
5369 |
5370 | #line 60
5371 | require {
5372 | #line 60
5373 |
5374 | #line 60
5375 | attribute syslog_client_type;
5376 | #line 60
5377 |
5378 | #line 60
5379 | } # end require
5380 | #line 60
5381 |
5382 | #line 60
5383 |
5384 | #line 60
5385 |
5386 | #line 60
5387 | typeattribute cvesync_exec_t syslog_client_type;
5388 | #line 60
5389 |
5390 | #line 60
5391 |
5392 | #line 60
5393 | ##### end logging_send_syslog_msg(cvesync_exec_t) depth: 0
5394 | #line 60
5395 |
5396 |
5397 | # Process control
5398 |
5399 | #line 63
5400 | ##### begin unconfined_sigchld(cvesync_exec_t) depth: 1
5401 | #line 63
5402 |
5403 | #line 63
5404 |
5405 | #line 63
5406 |
5407 | #line 63
5408 | require {
5409 | #line 63
5410 |
5411 | #line 63
5412 | type unconfined_t;
5413 | #line 63
5414 |
5415 | #line 63
5416 | } # end require
5417 | #line 63
5418 |
5419 | #line 63
5420 |
5421 | #line 63
5422 |
5423 | #line 63
5424 | allow cvesync_exec_t unconfined_t:process sigchld;
5425 | #line 63
5426 |
5427 | #line 63
5428 |
5429 | #line 63
5430 | ##### end unconfined_sigchld(cvesync_exec_t) depth: 0
5431 | #line 63
5432 |
5433 |
5434 | # Allow unconfined_t to relabel files and directories to and from this module's types
5435 | allow unconfined_t cvesync_t:dir { relabelfrom relabelto };
5436 | allow unconfined_t cvesync_rw_t:dir { relabelfrom relabelto };
5437 | allow unconfined_t cvesync_t:file { relabelfrom relabelto };
5438 | allow unconfined_t cvesync_rw_t:file { relabelfrom relabelto };
5439 | allow unconfined_t cvesync_exec_t:file { relabelfrom relabelto };
5440 |
5441 | # Allow unconfined users to still manage (create, modify, delete) these files when necessary
5442 | allow unconfined_t cvesync_t:dir { search unlink read setattr create write getattr rmdir remove_name open add_name };
5443 | allow unconfined_t cvesync_t:file { unlink rename setattr read lock create write getattr open append };
5444 | allow unconfined_t cvesync_rw_t:dir { search unlink read setattr create write getattr rmdir remove_name open add_name };
5445 | allow unconfined_t cvesync_rw_t:file { unlink rename setattr read lock create write getattr open append };
5446 | allow unconfined_t cvesync_exec_t:file { unlink rename setattr read lock create write getattr open append }; # includes write/append on the program binary's type; acceptable only because unconfined_t is already fully trusted
5447 |
5448 | allow unconfined_t cvesync_t:dir setattr; # redundant: setattr on cvesync_t:dir is already granted by the rule above
5449 |
5450 | # Runtime access for the cvesync process: read-only on cvesync_t, read-write on cvesync_rw_t
5451 | allow cvesync_exec_t cvesync_t:dir search;
5452 | allow cvesync_exec_t cvesync_t:file { read getattr open };
5453 | allow cvesync_exec_t cvesync_rw_t:dir { search unlink read create write getattr rmdir remove_name open add_name }; # no setattr on directories, unlike the file rule below
5454 | allow cvesync_exec_t cvesync_rw_t:file { unlink rename setattr read lock create write getattr open append };
5455 | allow cvesync_rw_t fs_t:filesystem associate; # lets cvesync_rw_t-labeled files exist on fs_t filesystems; cvesync_t gets no such rule here (presumably declared with files_type() elsewhere) -- confirm
5456 |
5457 | # Networking: the process acts as an outbound HTTP(S) client
5458 | allow cvesync_exec_t self:unix_dgram_socket { create connect }; # NOTE(review): looks like the syslog client path (see logging_send_syslog_msg above) -- confirm
5459 | allow cvesync_exec_t self:capability net_admin; # NOTE(review): net_admin is a broad capability (interface and routing configuration); an outbound HTTP client should not need it -- check which denial prompted this and prefer dontaudit if it is only a harmless probe
5460 | allow cvesync_exec_t self:tcp_socket { setopt read write getattr getopt listen bind connect create }; # listen/bind are server-side permissions; the client role only requires the connect side -- confirm they are actually exercised
5461 | allow cvesync_exec_t self:udp_socket { getattr create connect read sendto write listen accept }; # presumably DNS resolution; listen/accept are never exercised by a UDP client
5462 | allow cvesync_exec_t self:netlink_route_socket { create bind getattr }; # presumably interface enumeration by the resolver -- confirm from audit logs
5463 |
5464 | #line 94
5465 | ##### begin corenet_tcp_bind_generic_node(cvesync_exec_t) depth: 1
5466 | #line 94
5467 |
5468 | #line 94
5469 |
5470 | #line 94
5471 |
5472 | #line 94
5473 | require {
5474 | #line 94
5475 |
5476 | #line 94
5477 | type node_t;
5478 | #line 94
5479 |
5480 | #line 94
5481 | } # end require
5482 | #line 94
5483 |
5484 | #line 94
5485 |
5486 | #line 94
5487 |
5488 | #line 94
5489 | allow cvesync_exec_t node_t:tcp_socket node_bind;
5490 | #line 94
5491 |
5492 | #line 94
5493 |
5494 | #line 94
5495 | ##### end corenet_tcp_bind_generic_node(cvesync_exec_t) depth: 0
5496 | #line 94
5497 |
5498 | # http_port_t covers :80 and :443 (among other HTTP ports)
5499 |
5500 | #line 96
5501 | ##### begin corenet_tcp_connect_http_port(cvesync_exec_t) depth: 1
5502 | #line 96
5503 |
5504 | #line 96
5505 |
5506 | #line 96
5507 |
5508 | #line 96
5509 | require {
5510 | #line 96
5511 |
5512 | #line 96
5513 | type http_port_t;
5514 | #line 96
5515 |
5516 | #line 96
5517 | } # end require
5518 | #line 96
5519 |
5520 | #line 96
5521 |
5522 | #line 96
5523 |
5524 | #line 96
5525 | allow cvesync_exec_t http_port_t:tcp_socket name_connect;
5526 | #line 96
5527 |
5528 | #line 96
5529 |
5530 | #line 96
5531 | ##### end corenet_tcp_connect_http_port(cvesync_exec_t) depth: 0
5532 | #line 96
5533 |
5534 | # Jira listens on :8080 by default, which is labeled http_cache_port_t
5535 |
5536 | #line 98
5537 | ##### begin corenet_tcp_connect_http_cache_port(cvesync_exec_t) depth: 1
5538 | #line 98
5539 |
5540 | #line 98
5541 |
5542 | #line 98
5543 |
5544 | #line 98
5545 | require {
5546 | #line 98
5547 |
5548 | #line 98
5549 | type http_cache_port_t;
5550 | #line 98
5551 |
5552 | #line 98
5553 | } # end require
5554 | #line 98
5555 |
5556 | #line 98
5557 |
5558 | #line 98
5559 |
5560 | #line 98
5561 | allow cvesync_exec_t http_cache_port_t:tcp_socket name_connect;
5562 | #line 98
5563 |
5564 | #line 98
5565 |
5566 | #line 98
5567 | ##### end corenet_tcp_connect_http_cache_port(cvesync_exec_t) depth: 0
5568 | #line 98
5569 |
5570 |
5571 | # Entropy for the TLS implementation: /dev/urandom is labeled urandom_device_t
5572 | allow cvesync_exec_t urandom_device_t:chr_file { read open };
5573 |
--------------------------------------------------------------------------------