selinux-policy/policy/modules/services/pyzor.te

policy_module(pyzor,1.2.2)

########################################
#
# Declarations
#

type pyzor_t;
type pyzor_exec_t;
domain_type(pyzor_t)
domain_entry_file(pyzor_t,pyzor_exec_t)
role system_r types pyzor_t;

type pyzord_t;
type pyzord_exec_t;
domain_type(pyzord_t)
init_daemon_domain(pyzord_t,pyzord_exec_t)

type pyzor_etc_t;
files_type(pyzor_etc_t)

type pyzord_log_t;
logging_log_file(pyzord_log_t)

type pyzor_tmp_t;
files_tmp_file(pyzor_tmp_t)

type pyzor_var_lib_t;
files_type(pyzor_var_lib_t)

########################################
#
# Pyzor local policy
#

allow pyzor_t self:udp_socket create_socket_perms;

allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t)
files_search_var_lib(pyzor_t)

manage_files_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
manage_dirs_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })

kernel_read_kernel_sysctls(pyzor_t)  
kernel_read_system_state(pyzor_t)

corecmd_list_bin(pyzor_t)
corecmd_getattr_bin_files(pyzor_t)

corenet_tcp_sendrecv_all_if(pyzor_t)
corenet_udp_sendrecv_all_if(pyzor_t)
corenet_tcp_sendrecv_all_nodes(pyzor_t)
corenet_udp_sendrecv_all_nodes(pyzor_t)
corenet_tcp_sendrecv_all_ports(pyzor_t)
corenet_udp_sendrecv_all_ports(pyzor_t)
corenet_tcp_connect_http_port(pyzor_t)

dev_read_urand(pyzor_t)

files_read_etc_files(pyzor_t)

auth_use_nsswitch(pyzor_t)

libs_use_ld_so(pyzor_t)
libs_use_shared_libs(pyzor_t)

miscfiles_read_localization(pyzor_t)

userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)

ifdef(`targeted_policy',`
	userdom_read_generic_user_home_content_files(pyzor_t)
')

optional_policy(`
	amavis_manage_lib_files(pyzor_t)
	amavis_manage_spool_files(pyzor_t)
')

optional_policy(`
	spamassassin_signal_spamd(pyzor_t)
	spamassassin_read_spamd_tmp_files(pyzor_t)
')

########################################
#
# Pyzord local policy
#

allow pyzord_t self:udp_socket create_socket_perms;

manage_files_pattern(pyzord_t,pyzor_var_lib_t,pyzor_var_lib_t)
allow pyzord_t pyzor_var_lib_t:dir setattr;
files_var_lib_filetrans(pyzord_t,pyzor_var_lib_t,{ file dir })

read_files_pattern(pyzord_t,pyzor_etc_t,pyzor_etc_t)
allow pyzord_t pyzor_etc_t:dir list_dir_perms;

can_exec(pyzord_t,pyzor_exec_t)

manage_files_pattern(pyzord_t,pyzord_log_t,pyzord_log_t)
allow pyzord_t pyzord_log_t:dir setattr;
logging_log_filetrans(pyzord_t,pyzord_log_t, { file dir } )

kernel_read_kernel_sysctls(pyzord_t)
kernel_read_system_state(pyzord_t)

dev_read_urand(pyzord_t)

corecmd_exec_bin(pyzord_t)

corenet_all_recvfrom_unlabeled(pyzord_t)
corenet_all_recvfrom_netlabel(pyzord_t)
corenet_udp_sendrecv_all_if(pyzord_t)
corenet_udp_sendrecv_all_nodes(pyzord_t)
corenet_udp_sendrecv_all_ports(pyzord_t)
corenet_udp_bind_all_nodes(pyzord_t)
corenet_udp_bind_pyzor_port(pyzord_t)
corenet_sendrecv_pyzor_server_packets(pyzord_t)

files_read_etc_files(pyzord_t)

auth_use_nsswitch(pyzord_t)

libs_use_ld_so(pyzord_t)
libs_use_shared_libs(pyzord_t)

locallogin_dontaudit_use_fds(pyzord_t)

miscfiles_read_localization(pyzord_t)

# Do not audit attempts to access /root.
userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
userdom_dontaudit_search_staff_home_dirs(pyzord_t)

mta_manage_spool(pyzord_t)

ifdef(`targeted_policy',`
	term_dontaudit_use_generic_ptys(pyzord_t)
	term_dontaudit_use_unallocated_ttys(pyzord_t)

	userdom_read_generic_user_home_content_files(pyzord_t)
')

optional_policy(`
	logging_send_syslog_msg(pyzord_t)
')