145 lines
3.2 KiB
Plaintext
145 lines
3.2 KiB
Plaintext
|
|
policy_module(pyzor,1.2.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type pyzor_t;
|
|
type pyzor_exec_t;
|
|
domain_type(pyzor_t)
|
|
domain_entry_file(pyzor_t,pyzor_exec_t)
|
|
role system_r types pyzor_t;
|
|
|
|
type pyzord_t;
|
|
type pyzord_exec_t;
|
|
domain_type(pyzord_t)
|
|
init_daemon_domain(pyzord_t,pyzord_exec_t)
|
|
|
|
type pyzor_etc_t;
|
|
files_type(pyzor_etc_t)
|
|
|
|
type pyzord_log_t;
|
|
logging_log_file(pyzord_log_t)
|
|
|
|
type pyzor_tmp_t;
|
|
files_tmp_file(pyzor_tmp_t)
|
|
|
|
type pyzor_var_lib_t;
|
|
files_type(pyzor_var_lib_t)
|
|
|
|
########################################
|
|
#
|
|
# Pyzor local policy
|
|
#
|
|
|
|
allow pyzor_t self:udp_socket create_socket_perms;
|
|
|
|
allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
|
|
read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t)
|
|
files_search_var_lib(pyzor_t)
|
|
|
|
manage_files_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
|
|
manage_dirs_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
|
|
files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
|
|
|
|
kernel_read_kernel_sysctls(pyzor_t)
|
|
kernel_read_system_state(pyzor_t)
|
|
|
|
corecmd_list_bin(pyzor_t)
|
|
corecmd_getattr_bin_files(pyzor_t)
|
|
|
|
corenet_udp_sendrecv_all_if(pyzor_t)
|
|
corenet_udp_sendrecv_all_nodes(pyzor_t)
|
|
corenet_udp_sendrecv_all_ports(pyzor_t)
|
|
|
|
dev_read_urand(pyzor_t)
|
|
|
|
files_read_etc_files(pyzor_t)
|
|
|
|
auth_use_nsswitch(pyzor_t)
|
|
|
|
libs_use_ld_so(pyzor_t)
|
|
libs_use_shared_libs(pyzor_t)
|
|
|
|
miscfiles_read_localization(pyzor_t)
|
|
|
|
userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
userdom_read_generic_user_home_content_files(pyzor_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
amavis_manage_lib_files(pyzor_t)
|
|
amavis_manage_spool_files(pyzor_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
spamassassin_read_spamd_tmp_files(pyzor_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Pyzord local policy
|
|
#
|
|
|
|
allow pyzord_t self:udp_socket create_socket_perms;
|
|
|
|
manage_files_pattern(pyzord_t,pyzor_var_lib_t,pyzor_var_lib_t)
|
|
allow pyzord_t pyzor_var_lib_t:dir setattr;
|
|
files_var_lib_filetrans(pyzord_t,pyzor_var_lib_t,{ file dir })
|
|
|
|
read_files_pattern(pyzord_t,pyzor_etc_t,pyzor_etc_t)
|
|
allow pyzord_t pyzor_etc_t:dir list_dir_perms;
|
|
|
|
can_exec(pyzord_t,pyzor_exec_t)
|
|
|
|
manage_files_pattern(pyzord_t,pyzord_log_t,pyzord_log_t)
|
|
allow pyzord_t pyzord_log_t:dir setattr;
|
|
logging_log_filetrans(pyzord_t,pyzord_log_t, { file dir } )
|
|
|
|
kernel_read_kernel_sysctls(pyzord_t)
|
|
kernel_read_system_state(pyzord_t)
|
|
|
|
dev_read_urand(pyzord_t)
|
|
|
|
corecmd_exec_bin(pyzord_t)
|
|
|
|
corenet_non_ipsec_sendrecv(pyzord_t)
|
|
corenet_udp_sendrecv_all_if(pyzord_t)
|
|
corenet_udp_sendrecv_all_nodes(pyzord_t)
|
|
corenet_udp_sendrecv_all_ports(pyzord_t)
|
|
corenet_udp_bind_all_nodes(pyzord_t)
|
|
corenet_udp_bind_pyzor_port(pyzord_t)
|
|
corenet_sendrecv_pyzor_server_packets(pyzord_t)
|
|
|
|
files_read_etc_files(pyzord_t)
|
|
|
|
auth_use_nsswitch(pyzord_t)
|
|
|
|
libs_use_ld_so(pyzord_t)
|
|
libs_use_shared_libs(pyzord_t)
|
|
|
|
locallogin_dontaudit_use_fds(pyzord_t)
|
|
|
|
miscfiles_read_localization(pyzord_t)
|
|
|
|
# Do not audit attempts to access /root.
|
|
userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
|
|
userdom_dontaudit_search_staff_home_dirs(pyzord_t)
|
|
|
|
mta_manage_spool(pyzord_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_generic_ptys(pyzord_t)
|
|
term_dontaudit_use_unallocated_ttys(pyzord_t)
|
|
|
|
userdom_read_generic_user_home_content_files(pyzord_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
logging_send_syslog_msg(pyzord_t)
|
|
')
|