selinux-policy/policy/modules/services/abrt.te
Dominick Grift ef521e9919 Tunable, optional and if(n)def blocks go below.
Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.
2010-09-22 15:41:43 +02:00

275 lines
6.9 KiB
Plaintext

policy_module(abrt, 1.1.1)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow ABRT to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(abrt_anon_write, false)
type abrt_t;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)
type abrt_initrc_exec_t;
init_script_file(abrt_initrc_exec_t)
# etc files
type abrt_etc_t;
files_config_file(abrt_etc_t)
# log files
type abrt_var_log_t;
logging_log_file(abrt_var_log_t)
# tmp files
type abrt_tmp_t;
files_tmp_file(abrt_tmp_t)
# var/cache files
type abrt_var_cache_t;
files_type(abrt_var_cache_t)
# pid files
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
# type needed to allow all domains
# to handle /var/cache/abrt
type abrt_helper_t;
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;
ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
########################################
#
# abrt local policy
#
allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
dontaudit abrt_t self:capability sys_rawio;
allow abrt_t self:process { sigkill signal signull setsched getsched };
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
allow abrt_t self:udp_socket create_socket_perms;
allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# abrt etc files
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
can_exec(abrt_t, abrt_tmp_t)
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
# abrt pid files
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
corenet_all_recvfrom_unlabeled(abrt_t)
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
corenet_tcp_sendrecv_generic_port(abrt_t)
corenet_tcp_bind_generic_node(abrt_t)
corenet_tcp_connect_http_port(abrt_t)
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
fs_read_fusefs_files(abrt_t)
fs_read_noxattr_fs_files(abrt_t)
fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
sysnet_dns_name_resolve(abrt_t)
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
userdom_dontaudit_read_admin_home_files(abrt_t)
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
')
optional_policy(`
apache_read_modules(abrt_t)
')
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
')
optional_policy(`
nis_use_ypbind(abrt_t)
')
optional_policy(`
nsplugin_read_rw_files(abrt_t)
nsplugin_read_home(abrt_t)
')
optional_policy(`
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
')
optional_policy(`
prelink_exec(abrt_t)
libs_exec_ld_so(abrt_t)
corecmd_exec_all_executables(abrt_t)
')
# to install debuginfo packages
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
')
# to run mailx plugin
optional_policy(`
sendmail_domtrans(abrt_t)
')
optional_policy(`
sosreport_domtrans(abrt_t)
sosreport_read_tmp_files(abrt_t)
sosreport_delete_tmp_files(abrt_t)
')
optional_policy(`
sssd_stream_connect(abrt_t)
')
########################################
#
# abrt-helper local policy
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
allow abrt_helper_t self:process signal;
read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
files_search_spool(abrt_helper_t)
manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
domain_read_all_domains_state(abrt_helper_t)
files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
auth_use_nsswitch(abrt_helper_t)
logging_send_syslog_msg(abrt_helper_t)
miscfiles_read_localization(abrt_helper_t)
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
ifdef(`hide_broken_symptoms',`
domain_dontaudit_leaks(abrt_helper_t)
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
dev_dontaudit_read_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
optional_policy(`
rpm_dontaudit_leaks(abrt_helper_t)
')
')
ifdef(`hide_broken_symptoms',`
gen_require(`
attribute domain;
')
allow abrt_t self:capability sys_resource;
allow abrt_t domain:file write;
allow abrt_t domain:process setrlimit;
')