[people/stevee/selinux-policy.git] / policy / modules / admin / prelink.te

policy_module(prelink, 1.10.0)

########################################
#
# Declarations

attribute prelink_object;

type prelink_t;
type prelink_exec_t;
init_system_domain(prelink_t, prelink_exec_t)
domain_obj_id_change_exemption(prelink_t)

type prelink_cache_t;
files_type(prelink_cache_t)

type prelink_cron_system_t;
type prelink_cron_system_exec_t;
domain_type(prelink_cron_system_t)
domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)

type prelink_log_t;
logging_log_file(prelink_log_t)

type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)

type prelink_tmpfs_t;
files_tmpfs_file(prelink_tmpfs_t)

type prelink_var_lib_t;
files_type(prelink_var_lib_t)

########################################
#
# Local policy
#

allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_fifo_file_perms;

allow prelink_t prelink_cache_t:file manage_file_perms;
files_etc_filetrans(prelink_t, prelink_cache_t, file)

allow prelink_t prelink_log_t:dir setattr;
create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)

allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)

allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)

manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
files_search_var_lib(prelink_t)

# prelink misc objects that are not system
# libraries or entrypoints
allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };

kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)

corecmd_manage_all_executables(prelink_t)
corecmd_relabel_all_executables(prelink_t)
corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)

dev_read_urand(prelink_t)
dev_getattr_all_chr_files(prelink_t)

files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
files_write_non_security_dirs(prelink_t)
files_read_etc_files(prelink_t)
files_read_etc_runtime_files(prelink_t)
files_dontaudit_read_all_symlinks(prelink_t)
files_manage_usr_files(prelink_t)
files_manage_var_files(prelink_t)
files_relabelfrom_usr_files(prelink_t)

fs_getattr_xattr_fs(prelink_t)

storage_getattr_fixed_disk_dev(prelink_t)

selinux_get_enforce_mode(prelink_t)

libs_exec_ld_so(prelink_t)
libs_legacy_use_shared_libs(prelink_t)
libs_manage_ld_so(prelink_t)
libs_relabel_ld_so(prelink_t)
libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
libs_delete_lib_symlinks(prelink_t)

miscfiles_read_localization(prelink_t)

userdom_use_inherited_user_terminals(prelink_t)
userdom_manage_user_home_content(prelink_t)
userdom_execmod_user_home_files(prelink_t)

systemd_read_unit_files(prelink_t)

term_use_all_inherited_terms(prelink_t)

optional_policy(`
	amanda_manage_lib(prelink_t)
')

optional_policy(`
	cron_system_entry(prelink_t, prelink_exec_t)
')

optional_policy(`
	gnome_dontaudit_read_config(prelink_t)
	gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
')

optional_policy(`
	nsplugin_manage_rw_files(prelink_t)
')

optional_policy(`
	rpm_manage_tmp_files(prelink_t)
')

#optional_policy(`
#	unconfined_domain(prelink_t)
#')

########################################
#
# Prelink Cron system Policy
#

optional_policy(`
	allow prelink_cron_system_t self:capability setuid;
	allow prelink_cron_system_t self:process { setsched setfscreate signal };
	allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
	allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };

	read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
	allow prelink_cron_system_t prelink_cache_t:file unlink;
	files_delete_etc_dir_entry(prelink_cron_system_t)

	domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
	allow prelink_cron_system_t prelink_t:process noatsecure;

	manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)

	manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
	files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
	allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };

	kernel_read_system_state(prelink_cron_system_t)

	corecmd_exec_bin(prelink_cron_system_t)
	corecmd_exec_shell(prelink_cron_system_t)

	files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
	files_read_etc_files(prelink_cron_system_t)
	files_search_var_lib(prelink_cron_system_t)

	fs_search_cgroup_dirs(prelink_cron_system_t)

	init_telinit(prelink_cron_system_t)

	libs_exec_ld_so(prelink_cron_system_t)

	logging_search_logs(prelink_cron_system_t)

	init_stream_connect(prelink_cron_system_t)

	miscfiles_read_localization(prelink_cron_system_t)

	cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)

	userdom_dontaudit_list_admin_dir(prelink_cron_system_t)

	optional_policy(`
		rpm_read_db(prelink_cron_system_t)
	')
')
ifdef(`hide_broken_symptoms', `
	optional_policy(`
	      dbus_read_config(prelink_t)
	')
')
Commit	Line	Data
826d0142	1	policy_module(prelink, 1.10.0)
2c243586 CP	2
	3	########################################
	4	#
	5	# Declarations
	6
	7	attribute prelink_object;
	8
	9	type prelink_t;
	10	type prelink_exec_t;
0bfccda4	11	init_system_domain(prelink_t, prelink_exec_t)
87eb5c84	12	domain_obj_id_change_exemption(prelink_t)
2c243586 CP	13
	14	type prelink_cache_t;
	15	files_type(prelink_cache_t)
	16
9fe1b540 CP	17	type prelink_cron_system_t;
	18	type prelink_cron_system_exec_t;
	19	domain_type(prelink_cron_system_t)
	20	domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
	21
2c243586 CP	22	type prelink_log_t;
	23	logging_log_file(prelink_log_t)
	24
6b19be33 CP	25	type prelink_tmp_t;
	26	files_tmp_file(prelink_tmp_t)
	27
9fe1b540 CP	28	type prelink_tmpfs_t;
	29	files_tmpfs_file(prelink_tmpfs_t)
	30
adea5875	31	type prelink_var_lib_t;
9fe1b540	32	files_type(prelink_var_lib_t)
adea5875	33
2c243586 CP	34	########################################
	35	#
	36	# Local policy
	37	#
	38
57f81c62	39	allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
d9845ae9	40	allow prelink_t self:process { execheap execmem execstack signal };
c0868a7a	41	allow prelink_t self:fifo_file rw_fifo_file_perms;
2c243586 CP	42
2c243586 CP	43	allow prelink_t prelink_cache_t:file manage_file_perms;
103fe280	44	files_etc_filetrans(prelink_t, prelink_cache_t, file)
2c243586	45
c0868a7a	46	allow prelink_t prelink_log_t:dir setattr;
0bfccda4 CP	47	create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
	48	append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
	49	read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
1c1ac67f	50	logging_log_filetrans(prelink_t, prelink_log_t, file)
2c243586	51
adea5875	52	allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
6b19be33	53	files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
9fe1b540 CP	54
	55	allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
	56	fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
6b19be33	57
adea5875 CP	58	manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
adea5875 CP	59	manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
9fe1b540 CP	60	relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
9fe1b540 CP	61	files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
3eaa9939	62	files_search_var_lib(prelink_t)
adea5875	63
2c243586 CP	64	# prelink misc objects that are not system
2c243586 CP	65	# libraries or entrypoints
83029ff3	66	allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
2c243586 CP	67
2c243586 CP	68	kernel_read_system_state(prelink_t)
adea5875	69	kernel_read_kernel_sysctls(prelink_t)
2c243586	70
fb63d0b5 CP	71	corecmd_manage_all_executables(prelink_t)
	72	corecmd_relabel_all_executables(prelink_t)
	73	corecmd_mmap_all_executables(prelink_t)
46551033	74	corecmd_read_bin_symlinks(prelink_t)
2c243586 CP	75
2c243586 CP	76	dev_read_urand(prelink_t)
3eaa9939	77	dev_getattr_all_chr_files(prelink_t)
2c243586	78
2c243586 CP	79	files_list_all(prelink_t)
2c243586 CP	80	files_getattr_all_files(prelink_t)
9e04f5c5	81	files_write_non_security_dirs(prelink_t)
a524921a	82	files_read_etc_files(prelink_t)
2c243586	83	files_read_etc_runtime_files(prelink_t)
d6d16b97	84	files_dontaudit_read_all_symlinks(prelink_t)
adea5875 CP	85	files_manage_usr_files(prelink_t)
	86	files_manage_var_files(prelink_t)
	87	files_relabelfrom_usr_files(prelink_t)
2c243586 CP	88
	89	fs_getattr_xattr_fs(prelink_t)
	90
3eaa9939 DW	91	storage_getattr_fixed_disk_dev(prelink_t)
3eaa9939 DW	92
a5e2133b CP	93	selinux_get_enforce_mode(prelink_t)
a5e2133b CP	94
b0d2243c	95	libs_exec_ld_so(prelink_t)
9fe1b540	96	libs_legacy_use_shared_libs(prelink_t)
2c243586 CP	97	libs_manage_ld_so(prelink_t)
2c243586 CP	98	libs_relabel_ld_so(prelink_t)
2c243586 CP	99	libs_manage_shared_libs(prelink_t)
2c243586 CP	100	libs_relabel_shared_libs(prelink_t)
8cf67141	101	libs_delete_lib_symlinks(prelink_t)
2c243586 CP	102
	103	miscfiles_read_localization(prelink_t)
	104
af2d8802	105	userdom_use_inherited_user_terminals(prelink_t)
3eaa9939 DW	106	userdom_manage_user_home_content(prelink_t)
3eaa9939 DW	107	userdom_execmod_user_home_files(prelink_t)
296273a7	108
21fd3a28 DW	109	systemd_read_unit_files(prelink_t)
21fd3a28 DW	110
1852e28a DW	111	term_use_all_inherited_terms(prelink_t)
1852e28a DW	112
d6d16b97 CP	113	optional_policy(`
d6d16b97 CP	114	amanda_manage_lib(prelink_t)
d9845ae9 CP	115	')
d9845ae9 CP	116
bb7170f6	117	optional_policy(`
2c243586 CP	118	cron_system_entry(prelink_t, prelink_exec_t)
2c243586 CP	119	')
adea5875	120
57955a25 DW	121	optional_policy(`
57955a25 DW	122	gnome_dontaudit_read_config(prelink_t)
c98dcd43	123	gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
57955a25 DW	124	')
57955a25 DW	125
3eaa9939 DW	126	optional_policy(`
	127	nsplugin_manage_rw_files(prelink_t)
	128	')
	129
9fe1b540 CP	130	optional_policy(`
	131	rpm_manage_tmp_files(prelink_t)
	132	')
	133
3e407a37 MG	134	#optional_policy(`
	135	# unconfined_domain(prelink_t)
	136	#')
9fe1b540 CP	137
	138	########################################
	139	#
	140	# Prelink Cron system Policy
	141	#
	142
	143	optional_policy(`
	144	allow prelink_cron_system_t self:capability setuid;
a9ef84b5	145	allow prelink_cron_system_t self:process { setsched setfscreate signal };
9fe1b540 CP	146	allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
	147	allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
	148
	149	read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
	150	allow prelink_cron_system_t prelink_cache_t:file unlink;
3eaa9939	151	files_delete_etc_dir_entry(prelink_cron_system_t)
9fe1b540 CP	152
	153	domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
	154	allow prelink_cron_system_t prelink_t:process noatsecure;
	155
	156	manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)
	157
	158	manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
	159	files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
	160	allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
	161
	162	kernel_read_system_state(prelink_cron_system_t)
	163
	164	corecmd_exec_bin(prelink_cron_system_t)
	165	corecmd_exec_shell(prelink_cron_system_t)
	166
a9ef84b5	167	files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
9fe1b540	168	files_read_etc_files(prelink_cron_system_t)
a9ef84b5	169	files_search_var_lib(prelink_cron_system_t)
9fe1b540	170
56ad7147 MG	171	fs_search_cgroup_dirs(prelink_cron_system_t)
56ad7147 MG	172
3eaa9939	173	init_telinit(prelink_cron_system_t)
9fe1b540 CP	174
	175	libs_exec_ld_so(prelink_cron_system_t)
	176
	177	logging_search_logs(prelink_cron_system_t)
	178
aa7e2b88 DW	179	init_stream_connect(prelink_cron_system_t)
aa7e2b88 DW	180
9fe1b540 CP	181	miscfiles_read_localization(prelink_cron_system_t)
	182
	183	cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
	184
3eaa9939 DW	185	userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
3eaa9939 DW	186
9fe1b540 CP	187	optional_policy(`
	188	rpm_read_db(prelink_cron_system_t)
	189	')
	190	')
3fdb12de DW	191	ifdef(`hide_broken_symptoms', `
	192	optional_policy(`
	193	dbus_read_config(prelink_t)
	194	')
	195	')