#DESC Sxid - SUID/SGID program monitoring
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: sxid
#

#################################
#
# Rules for the sxid_t domain.
#
# sxid_exec_t is the type of the sxid executable.
#
daemon_base_domain(sxid, `, privmail')
tmp_domain(sxid)

allow sxid_t fs_t:filesystem getattr;

ifdef(`crond.te', `
system_crond_entry(sxid_exec_t, sxid_t)
')
#allow system_crond_t sxid_log_t:file create_file_perms;

read_locale(sxid_t)

can_exec(sxid_t, { shell_exec_t bin_t sbin_t mount_exec_t })
allow sxid_t bin_t:lnk_file read;

log_domain(sxid)

allow sxid_t file_type:notdevfile_class_set getattr;
allow sxid_t { device_t device_type }:{ chr_file blk_file } getattr;
allow sxid_t ttyfile:chr_file getattr;
allow sxid_t file_type:dir { getattr read search };
allow sxid_t sysadmfile:file { getattr read };
allow sxid_t fs_type:dir { getattr read search };

# Use the network.
can_network_server(sxid_t)
allow sxid_t self:fifo_file rw_file_perms;
allow sxid_t self:unix_stream_socket create_socket_perms;

allow sxid_t { proc_t self }:{ file lnk_file } { read getattr };
read_sysctl(sxid_t)
allow sxid_t devtty_t:chr_file rw_file_perms;

allow sxid_t self:capability { dac_override dac_read_search fsetid };
dontaudit sxid_t self:capability { setuid setgid };

ifdef(`mta.te', `
# sxid leaves an open file handle to /proc/mounts
dontaudit { system_mail_t mta_user_agent } sxid_t:file { read getattr };

# allow mta to read the log files
allow { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file { getattr read };
# stop warnings if mailx is passed a read/write file handle
dontaudit { system_mail_t mta_user_agent } { sxid_tmp_t sxid_log_t }:file write;
')

allow logrotate_t sxid_t:file { getattr write };

dontaudit sxid_t security_t:dir { getattr read search };