selinux-policy/strict/domains/program/restorecon.te
2005-09-13 13:06:07 +00:00

62 lines
2.3 KiB
Plaintext

#DESC restorecon - Restore or check the context of a file
#
# Authors: Russell Coker <russell@coker.com.au>
# X-Debian-Packages: policycoreutils
#
#################################
#
# Rules for the restorecon_t domain.
#
# restorecon_exec_t is the type of the restorecon executable.
#
# needs auth_write attribute because it has relabelfrom/relabelto
# access to shadow_t
type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
type restorecon_exec_t, file_type, sysadmfile, exec_type;
role system_r types restorecon_t;
role sysadm_r types restorecon_t;
allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
domain_auto_trans({ initrc_t sysadm_t }, restorecon_exec_t, restorecon_t)
allow restorecon_t { userdomain init_t privfd }:fd use;
uses_shlib(restorecon_t)
allow restorecon_t self:capability { dac_override dac_read_search fowner };
# for upgrading glibc and other shared objects - without this the upgrade
# scripts will put things in a state such that restorecon can not be run!
allow restorecon_t lib_t:file { read execute };
# Get security policy decisions.
can_getsecurity(restorecon_t)
r_dir_file(restorecon_t, policy_config_t)
allow restorecon_t file_type:dir r_dir_perms;
allow restorecon_t file_type:{ dir file lnk_file sock_file fifo_file } { getattr relabelfrom relabelto };
allow restorecon_t unlabeled_t:dir_file_class_set { getattr relabelfrom };
allow restorecon_t unlabeled_t:dir read;
allow restorecon_t { device_t device_type }:{ chr_file blk_file } { getattr relabelfrom relabelto };
ifdef(`distro_redhat', `
allow restorecon_t tmpfs_t:{ chr_file blk_file } { rw_file_perms relabelfrom relabelto };
')
allow restorecon_t ptyfile:chr_file getattr;
allow restorecon_t fs_t:filesystem getattr;
allow restorecon_t etc_runtime_t:file { getattr read };
allow restorecon_t etc_t:file { getattr read };
allow restorecon_t proc_t:file { getattr read };
dontaudit restorecon_t proc_t:lnk_file { getattr read };
allow restorecon_t device_t:file { read write };
allow restorecon_t kernel_t:fd use;
allow restorecon_t kernel_t:fifo_file { read write };
allow restorecon_t kernel_t:unix_dgram_socket { read write };
r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )