72ba80bf88
Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible.
113 lines
3.1 KiB
Plaintext
113 lines
3.1 KiB
Plaintext
policy_module(avahi, 1.12.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type avahi_t;
|
|
type avahi_exec_t;
|
|
init_daemon_domain(avahi_t, avahi_exec_t)
|
|
|
|
type avahi_initrc_exec_t;
|
|
init_script_file(avahi_initrc_exec_t)
|
|
|
|
type avahi_var_lib_t;
|
|
files_pid_file(avahi_var_lib_t)
|
|
|
|
type avahi_var_run_t;
|
|
files_pid_file(avahi_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
|
|
dontaudit avahi_t self:capability sys_tty_config;
|
|
allow avahi_t self:process { setrlimit signal_perms getcap setcap };
|
|
allow avahi_t self:fifo_file rw_fifo_file_perms;
|
|
allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
|
allow avahi_t self:unix_dgram_socket create_socket_perms;
|
|
allow avahi_t self:tcp_socket create_stream_socket_perms;
|
|
allow avahi_t self:udp_socket create_socket_perms;
|
|
allow avahi_t self:packet_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
|
|
manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
|
|
files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
|
|
|
|
manage_dirs_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
|
|
manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
|
|
manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
|
|
allow avahi_t avahi_var_run_t:dir setattr_dir_perms;
|
|
files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
|
|
|
|
kernel_read_system_state(avahi_t)
|
|
kernel_read_kernel_sysctls(avahi_t)
|
|
kernel_read_network_state(avahi_t)
|
|
|
|
corecmd_exec_bin(avahi_t)
|
|
corecmd_exec_shell(avahi_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(avahi_t)
|
|
corenet_all_recvfrom_netlabel(avahi_t)
|
|
corenet_tcp_sendrecv_generic_if(avahi_t)
|
|
corenet_udp_sendrecv_generic_if(avahi_t)
|
|
corenet_tcp_sendrecv_generic_node(avahi_t)
|
|
corenet_udp_sendrecv_generic_node(avahi_t)
|
|
corenet_tcp_sendrecv_all_ports(avahi_t)
|
|
corenet_udp_sendrecv_all_ports(avahi_t)
|
|
corenet_tcp_bind_generic_node(avahi_t)
|
|
corenet_udp_bind_generic_node(avahi_t)
|
|
corenet_tcp_bind_howl_port(avahi_t)
|
|
corenet_udp_bind_howl_port(avahi_t)
|
|
corenet_send_howl_client_packets(avahi_t)
|
|
corenet_receive_howl_server_packets(avahi_t)
|
|
|
|
dev_read_sysfs(avahi_t)
|
|
dev_read_urand(avahi_t)
|
|
|
|
fs_getattr_all_fs(avahi_t)
|
|
fs_search_auto_mountpoints(avahi_t)
|
|
fs_list_inotifyfs(avahi_t)
|
|
|
|
domain_use_interactive_fds(avahi_t)
|
|
|
|
files_read_etc_files(avahi_t)
|
|
files_read_etc_runtime_files(avahi_t)
|
|
files_read_usr_files(avahi_t)
|
|
|
|
auth_use_nsswitch(avahi_t)
|
|
|
|
init_signal_script(avahi_t)
|
|
init_signull_script(avahi_t)
|
|
|
|
logging_send_syslog_msg(avahi_t)
|
|
|
|
miscfiles_read_localization(avahi_t)
|
|
miscfiles_read_generic_certs(avahi_t)
|
|
|
|
sysnet_domtrans_ifconfig(avahi_t)
|
|
sysnet_manage_config(avahi_t)
|
|
sysnet_etc_filetrans_config(avahi_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
|
|
userdom_dontaudit_search_user_home_dirs(avahi_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_domain(avahi_t, avahi_exec_t)
|
|
dbus_system_bus_client(avahi_t)
|
|
dbus_connect_system_bus(avahi_t)
|
|
|
|
init_dbus_chat_script(avahi_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(avahi_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(avahi_t)
|
|
')
|