selinux-policy/targeted/domains/program/setfiles.te

#DESC Setfiles - SELinux filesystem labeling utilities
#
# Authors:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: policycoreutils
#

#################################
#
# Rules for the setfiles_t domain.
#
# setfiles_exec_t is the type of the setfiles executable.
#
# needs auth_write attribute because it has relabelfrom/relabelto
# access to shadow_t
type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
type setfiles_exec_t, file_type, sysadmfile, exec_type;

role system_r types setfiles_t;
role sysadm_r types setfiles_t;
role secadm_r types setfiles_t;

ifdef(`distro_redhat', `
domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
')
can_access_pty(hostname_t, initrc)
allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };

allow setfiles_t self:unix_dgram_socket create_socket_perms;

domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)
allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;

uses_shlib(setfiles_t)
allow setfiles_t self:capability { dac_override dac_read_search fowner };

# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that setfiles can not be run!
allow setfiles_t lib_t:file { read execute };

# Get security policy decisions.
can_getsecurity(setfiles_t)

r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })

allow setfiles_t file_type:dir r_dir_perms;
allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };
allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;
allow setfiles_t unlabeled_t:dir read;
allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };
allow setfiles_t { ttyfile ptyfile }:chr_file getattr;
# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal
dontaudit setfiles_t ttyfile:chr_file relabelfrom;

allow setfiles_t fs_t:filesystem getattr;
allow setfiles_t fs_type:dir r_dir_perms;

read_locale(setfiles_t)

allow setfiles_t etc_runtime_t:file { getattr read };
allow setfiles_t etc_t:file { getattr read };
allow setfiles_t proc_t:file { getattr read };
dontaudit setfiles_t proc_t:lnk_file { getattr read };

# for config files in a home directory
allow setfiles_t home_type:file r_file_perms;
dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;
add 1.27.1-22 targeted policy 2005-10-21 18:05:21 +00:00			`#DESC Setfiles - SELinux filesystem labeling utilities`
			`#`
			`# Authors: Russell Coker <russell@coker.com.au>`
			`# X-Debian-Packages: policycoreutils`
			`#`

			`#################################`
			`#`
			`# Rules for the setfiles_t domain.`
			`#`
			`# setfiles_exec_t is the type of the setfiles executable.`
			`#`
			`# needs auth_write attribute because it has relabelfrom/relabelto`
			`# access to shadow_t`
			`type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;`
			`type setfiles_exec_t, file_type, sysadmfile, exec_type;`

			`role system_r types setfiles_t;`
			`role sysadm_r types setfiles_t;`
			`role secadm_r types setfiles_t;`

			ifdef(`distro_redhat', `
			`domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)`
			`')`
			`can_access_pty(hostname_t, initrc)`
			`allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };`

			`allow setfiles_t self:unix_dgram_socket create_socket_perms;`

			`domain_auto_trans(secadmin, setfiles_exec_t, setfiles_t)`
			`allow setfiles_t { userdomain privfd initrc_t init_t }:fd use;`

			`uses_shlib(setfiles_t)`
			`allow setfiles_t self:capability { dac_override dac_read_search fowner };`

			`# for upgrading glibc and other shared objects - without this the upgrade`
			`# scripts will put things in a state such that setfiles can not be run!`
			`allow setfiles_t lib_t:file { read execute };`

			`# Get security policy decisions.`
			`can_getsecurity(setfiles_t)`

			`r_dir_file(setfiles_t, { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t })`

			`allow setfiles_t file_type:dir r_dir_perms;`
			`allow setfiles_t { file_type unlabeled_t device_type }:dir_file_class_set { getattr relabelfrom };`
			`allow setfiles_t file_type:{ dir file lnk_file sock_file fifo_file } relabelto;`
			`allow setfiles_t unlabeled_t:dir read;`
			`allow setfiles_t { device_type device_t }:{ chr_file blk_file } { getattr relabelfrom relabelto };`
			`allow setfiles_t { ttyfile ptyfile }:chr_file getattr;`
			`# dontaudit access to ttyfile - we do not want setfiles to relabel our terminal`
			`dontaudit setfiles_t ttyfile:chr_file relabelfrom;`

			`allow setfiles_t fs_t:filesystem getattr;`
			`allow setfiles_t fs_type:dir r_dir_perms;`

			`read_locale(setfiles_t)`

			`allow setfiles_t etc_runtime_t:file { getattr read };`
			`allow setfiles_t etc_t:file { getattr read };`
			`allow setfiles_t proc_t:file { getattr read };`
			`dontaudit setfiles_t proc_t:lnk_file { getattr read };`

			`# for config files in a home directory`
			`allow setfiles_t home_type:file r_file_perms;`
			`dontaudit setfiles_t sysadm_tty_device_t:chr_file relabelfrom;`