selinux-policy/policy/modules/services/boinc.te

policy_module(boinc, 1.0.0)

########################################
#
# Declarations
#

type boinc_t;
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)

type boinc_initrc_exec_t;
init_script_file(boinc_initrc_exec_t)

type boinc_tmp_t;
files_tmp_file(boinc_tmp_t)

type boinc_tmpfs_t;
files_tmpfs_file(boinc_tmpfs_t)

type boinc_var_lib_t;
files_type(boinc_var_lib_t)

type boinc_project_t;
domain_type(boinc_project_t)
role system_r types boinc_project_t;

permissive boinc_project_t;

type boinc_project_tmp_t;
files_tmp_file(boinc_project_tmp_t)

type boinc_project_var_lib_t;
files_type(boinc_project_var_lib_t)

########################################
#
# boinc local policy
#

allow boinc_t self:capability { kill };
allow boinc_t self:process { setsched sigkill };

allow boinc_t self:fifo_file rw_fifo_file_perms;
allow boinc_t self:unix_stream_socket create_stream_socket_perms;
allow boinc_t self:tcp_socket create_stream_socket_perms;
allow boinc_t self:sem create_sem_perms;
allow boinc_t self:shm create_shm_perms;

manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })

manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)

exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir)

manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)

kernel_read_system_state(boinc_t)

files_getattr_all_dirs(boinc_t)
files_getattr_all_files(boinc_t)

corecmd_exec_bin(boinc_t)
corecmd_exec_shell(boinc_t)

corenet_all_recvfrom_unlabeled(boinc_t)
corenet_all_recvfrom_netlabel(boinc_t)
corenet_tcp_sendrecv_generic_if(boinc_t)
corenet_udp_sendrecv_generic_if(boinc_t)
corenet_tcp_sendrecv_generic_node(boinc_t)
corenet_udp_sendrecv_generic_node(boinc_t)
corenet_tcp_sendrecv_all_ports(boinc_t)
corenet_udp_sendrecv_all_ports(boinc_t)
corenet_tcp_bind_generic_node(boinc_t)
corenet_udp_bind_generic_node(boinc_t)
corenet_tcp_bind_boinc_port(boinc_t)
corenet_tcp_connect_boinc_port(boinc_t)
corenet_tcp_connect_http_port(boinc_t)
corenet_tcp_connect_http_cache_port(boinc_t)

dev_list_sysfs(boinc_t)
dev_read_rand(boinc_t)
dev_read_urand(boinc_t)
dev_read_sysfs(boinc_t)

domain_read_all_domains_state(boinc_t)

files_dontaudit_getattr_boot_dirs(boinc_t)

files_read_etc_files(boinc_t)
files_read_usr_files(boinc_t)

fs_getattr_all_fs(boinc_t)

term_dontaudit_getattr_ptmx(boinc_t)

miscfiles_read_localization(boinc_t)
miscfiles_read_generic_certs(boinc_t)

logging_send_syslog_msg(boinc_t)

sysnet_dns_name_resolve(boinc_t)

mta_send_mail(boinc_t)

########################################
#
# boinc-projects local policy
#

domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
allow boinc_t boinc_project_t:process sigkill;

allow boinc_project_t self:process { ptrace setsched signal signull sigkill sigstop };
allow boinc_project_t self:process { execmem execstack };

allow boinc_project_t self:fifo_file rw_fifo_file_perms;
allow boinc_project_t self:sem create_sem_perms;

manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })

allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, { file dir })

allow boinc_project_t boinc_project_var_lib_t:file execmod;

allow boinc_project_t boinc_t:shm rw_shm_perms;
allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;

list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)

kernel_read_system_state(boinc_project_t)
kernel_read_kernel_sysctls(boinc_project_t)
kernel_search_vm_sysctl(boinc_project_t)
kernel_read_network_state(boinc_project_t)

corecmd_exec_bin(boinc_project_t)
corecmd_exec_shell(boinc_project_t)

corenet_tcp_connect_boinc_port(boinc_project_t)

dev_read_rand(boinc_project_t)
dev_read_urand(boinc_project_t)
dev_read_sysfs(boinc_project_t)
dev_rw_xserver_misc(boinc_project_t)

files_read_etc_files(boinc_project_t)

miscfiles_read_fonts(boinc_project_t)
miscfiles_read_localization(boinc_project_t)

optional_policy(`
	java_exec(boinc_project_t)
')