selinux-policy/policy/modules/services/prelude.te
Dominick Grift 0f7c400223 Use permission sets where possible.
Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.

Use permission sets where possible.
2010-09-23 14:59:23 +02:00

308 lines
9.0 KiB
Plaintext

policy_module(prelude, 1.2.1)
########################################
#
# Declarations
#
type prelude_t;
type prelude_exec_t;
init_daemon_domain(prelude_t, prelude_exec_t)
type prelude_initrc_exec_t;
init_script_file(prelude_initrc_exec_t)
type prelude_spool_t;
files_type(prelude_spool_t)
type prelude_log_t;
logging_log_file(prelude_log_t)
type prelude_var_run_t;
files_pid_file(prelude_var_run_t)
type prelude_var_lib_t;
files_type(prelude_var_lib_t)
type prelude_audisp_t;
type prelude_audisp_exec_t;
init_daemon_domain(prelude_audisp_t, prelude_audisp_exec_t)
logging_dispatcher_domain(prelude_audisp_t, prelude_audisp_exec_t)
type prelude_audisp_var_run_t;
files_pid_file(prelude_audisp_var_run_t)
type prelude_correlator_t;
type prelude_correlator_exec_t;
init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t)
type prelude_correlator_config_t;
files_config_file(prelude_correlator_config_t)
type prelude_lml_t;
type prelude_lml_exec_t;
init_daemon_domain(prelude_lml_t, prelude_lml_exec_t)
type prelude_lml_tmp_t;
files_tmp_file(prelude_lml_tmp_t)
type prelude_lml_var_run_t;
files_pid_file(prelude_lml_var_run_t)
########################################
#
# prelude local policy
#
allow prelude_t self:capability { dac_override sys_tty_config };
allow prelude_t self:fifo_file rw_file_perms;
allow prelude_t self:unix_stream_socket create_stream_socket_perms;
allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
allow prelude_t self:tcp_socket create_stream_socket_perms;
manage_files_pattern(prelude_t, prelude_log_t, prelude_log_t)
logging_log_filetrans(prelude_t, prelude_log_t, file)
manage_dirs_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
manage_files_pattern(prelude_t, prelude_spool_t, prelude_spool_t)
files_search_spool(prelude_t)
manage_dirs_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
manage_files_pattern(prelude_t, prelude_var_lib_t, prelude_var_lib_t)
files_search_var_lib(prelude_t)
manage_dirs_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
manage_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
manage_sock_files_pattern(prelude_t, prelude_var_run_t, prelude_var_run_t)
files_pid_filetrans(prelude_t, prelude_var_run_t, { dir file })
kernel_read_system_state(prelude_t)
kernel_read_sysctl(prelude_t)
corecmd_search_bin(prelude_t)
corenet_all_recvfrom_unlabeled(prelude_t)
corenet_all_recvfrom_netlabel(prelude_t)
corenet_tcp_sendrecv_generic_if(prelude_t)
corenet_tcp_sendrecv_generic_node(prelude_t)
corenet_tcp_bind_generic_node(prelude_t)
corenet_tcp_bind_prelude_port(prelude_t)
corenet_tcp_connect_prelude_port(prelude_t)
corenet_tcp_connect_postgresql_port(prelude_t)
corenet_tcp_connect_mysqld_port(prelude_t)
dev_read_rand(prelude_t)
dev_read_urand(prelude_t)
files_read_etc_files(prelude_t)
files_read_etc_runtime_files(prelude_t)
files_read_usr_files(prelude_t)
files_search_tmp(prelude_t)
fs_rw_anon_inodefs_files(prelude_t)
auth_use_nsswitch(prelude_t)
logging_send_audit_msgs(prelude_t)
logging_send_syslog_msg(prelude_t)
miscfiles_read_localization(prelude_t)
optional_policy(`
mysql_search_db(prelude_t)
mysql_stream_connect(prelude_t)
')
optional_policy(`
postgresql_stream_connect(prelude_t)
')
########################################
#
# prelude_audisp local policy
#
allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap };
allow prelude_audisp_t self:process { getcap setcap };
allow prelude_audisp_t self:fifo_file rw_file_perms;
allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
allow prelude_audisp_t self:netlink_route_socket r_netlink_socket_perms;
allow prelude_audisp_t self:tcp_socket create_socket_perms;
manage_dirs_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
manage_files_pattern(prelude_audisp_t, prelude_spool_t, prelude_spool_t)
files_search_spool(prelude_audisp_t)
manage_sock_files_pattern(prelude_audisp_t, prelude_audisp_var_run_t, prelude_audisp_var_run_t)
files_pid_filetrans(prelude_audisp_t, prelude_audisp_var_run_t, sock_file)
kernel_read_sysctl(prelude_audisp_t)
kernel_read_system_state(prelude_audisp_t)
corecmd_search_bin(prelude_audisp_t)
corenet_all_recvfrom_unlabeled(prelude_audisp_t)
corenet_all_recvfrom_netlabel(prelude_audisp_t)
corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
corenet_tcp_bind_generic_node(prelude_audisp_t)
corenet_tcp_connect_prelude_port(prelude_audisp_t)
dev_read_rand(prelude_audisp_t)
dev_read_urand(prelude_audisp_t)
# Init script handling
domain_use_interactive_fds(prelude_audisp_t)
files_read_etc_files(prelude_audisp_t)
files_read_etc_runtime_files(prelude_audisp_t)
files_search_tmp(prelude_audisp_t)
logging_send_syslog_msg(prelude_audisp_t)
miscfiles_read_localization(prelude_audisp_t)
sysnet_dns_name_resolve(prelude_audisp_t)
########################################
#
# prelude_correlator local policy
#
allow prelude_correlator_t self:capability dac_override;
allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
kernel_read_sysctl(prelude_correlator_t)
corecmd_search_bin(prelude_correlator_t)
corenet_all_recvfrom_unlabeled(prelude_correlator_t)
corenet_all_recvfrom_netlabel(prelude_correlator_t)
corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
corenet_tcp_connect_prelude_port(prelude_correlator_t)
dev_read_rand(prelude_correlator_t)
dev_read_urand(prelude_correlator_t)
files_read_etc_files(prelude_correlator_t)
files_read_usr_files(prelude_correlator_t)
files_search_spool(prelude_correlator_t)
logging_send_syslog_msg(prelude_correlator_t)
miscfiles_read_localization(prelude_correlator_t)
sysnet_dns_name_resolve(prelude_correlator_t)
prelude_manage_spool(prelude_correlator_t)
########################################
#
# prelude_lml local declarations
#
allow prelude_lml_t self:capability dac_override;
allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
allow prelude_lml_t self:unix_stream_socket connectto;
manage_dirs_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
manage_files_pattern(prelude_lml_t, prelude_lml_tmp_t, prelude_lml_tmp_t)
files_tmp_filetrans(prelude_lml_t, prelude_lml_tmp_t, { file dir })
files_list_tmp(prelude_lml_t)
manage_dirs_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
manage_files_pattern(prelude_lml_t, prelude_spool_t, prelude_spool_t)
files_search_spool(prelude_lml_t)
manage_dirs_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
manage_files_pattern(prelude_lml_t, prelude_var_lib_t, prelude_var_lib_t)
files_search_var_lib(prelude_lml_t)
manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
kernel_read_system_state(prelude_lml_t)
kernel_read_sysctl(prelude_lml_t)
corecmd_exec_bin(prelude_lml_t)
corenet_tcp_sendrecv_generic_if(prelude_lml_t)
corenet_tcp_sendrecv_generic_node(prelude_lml_t)
corenet_tcp_recvfrom_netlabel(prelude_lml_t)
corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
corenet_sendrecv_unlabeled_packets(prelude_lml_t)
corenet_tcp_connect_prelude_port(prelude_lml_t)
dev_read_rand(prelude_lml_t)
dev_read_urand(prelude_lml_t)
files_list_etc(prelude_lml_t)
files_read_etc_files(prelude_lml_t)
files_read_etc_runtime_files(prelude_lml_t)
fs_getattr_all_fs(prelude_lml_t)
fs_list_inotifyfs(prelude_lml_t)
fs_rw_anon_inodefs_files(prelude_lml_t)
auth_use_nsswitch(prelude_lml_t)
libs_exec_lib_files(prelude_lml_t)
libs_read_lib_files(prelude_lml_t)
logging_send_syslog_msg(prelude_lml_t)
logging_read_generic_logs(prelude_lml_t)
miscfiles_read_localization(prelude_lml_t)
sysnet_dns_name_resolve(prelude_lml_t)
userdom_read_all_users_state(prelude_lml_t)
optional_policy(`
apache_search_sys_content(prelude_lml_t)
apache_read_log(prelude_lml_t)
')
########################################
#
# prewikka_cgi Declarations
#
optional_policy(`
apache_content_template(prewikka)
can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
files_read_etc_files(httpd_prewikka_script_t)
files_search_tmp(httpd_prewikka_script_t)
kernel_read_sysctl(httpd_prewikka_script_t)
kernel_search_network_sysctl(httpd_prewikka_script_t)
corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
auth_use_nsswitch(httpd_prewikka_script_t)
logging_send_syslog_msg(httpd_prewikka_script_t)
apache_search_sys_content(httpd_prewikka_script_t)
optional_policy(`
mysql_search_db(httpd_prewikka_script_t)
mysql_stream_connect(httpd_prewikka_script_t)
')
optional_policy(`
postgresql_stream_connect(httpd_prewikka_script_t)
')
')