selinux-policy/strict/domains/program/slocate.te
2005-09-16 13:36:26 +00:00

78 lines
2.2 KiB
Plaintext

#DESC LOCATE - Security Enhanced version of the GNU Locate
#
# Author: Dan Walsh <dwalsh@redhat.com>
#
#################################
#
# Rules for the locate_t domain.
#
# locate_exec_t is the type of the locate executable.
#
daemon_base_domain(locate)
role system_r types locate_t;
role sysadm_r types locate_t;
allow locate_t fs_t:filesystem getattr;
ifdef(`crond.te', `
system_crond_entry(locate_exec_t, locate_t)
allow system_crond_t locate_log_t:dir rw_dir_perms;
allow system_crond_t locate_log_t:file { create append getattr };
allow system_crond_t locate_etc_t:file { getattr read };
')
allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
allow locate_t { fs_type file_type }:dir r_dir_perms;
dontaudit locate_t sysctl_t:dir getattr;
allow locate_t file_type:lnk_file r_file_perms;
allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
dontaudit locate_t security_t:dir getattr;
dontaudit locate_t shadow_t:file getattr;
allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr;
allow locate_t unlabeled_t:dir_file_class_set getattr;
allow locate_t unlabeled_t:dir read;
logdir_domain(locate)
etcdir_domain(locate)
type locate_var_lib_t, file_type, sysadmfile;
typealias locate_var_lib_t alias var_lib_locate_t;
create_dir_file(locate_t, locate_var_lib_t)
dontaudit locate_t sysadmfile:file getattr;
allow locate_t proc_t:file { getattr read };
allow locate_t self:unix_stream_socket create_socket_perms;
#
# Need to be able to exec renice
#
can_exec(locate_t, bin_t)
dontaudit locate_t rpc_pipefs_t:dir r_dir_perms;
dontaudit locate_t rpc_pipefs_t:file getattr;
#
# Read Mtab file
#
allow locate_t etc_runtime_t:file { getattr read };
#
# Read nsswitch file
#
allow locate_t etc_t:file { getattr read };
dontaudit locate_t self:capability dac_override;
allow locate_t self:capability dac_read_search;
# sysadm_t runs locate in his own domain.
# We use a type alias to simplify the rest of the policy,
# which often refers to $1_locate_t for the user domains.
typealias sysadm_t alias sysadm_locate_t;
allow locate_t userdomain:fd use;
ifdef(`cardmgr.te', `
allow locate_t cardmgr_var_run_t:chr_file getattr;
')