[people/stevee/selinux-policy.git] / policy / modules / apps / yam.te


policy_module(yam, 1.2.0)

########################################
#
# Declarations
#

type yam_t alias yam_crond_t;
type yam_exec_t;
application_domain(yam_t, yam_exec_t)

type yam_content_t;
files_mountpoint(yam_content_t)

type yam_etc_t;
files_config_file(yam_etc_t)

type yam_tmp_t;
files_tmp_file(yam_tmp_t)

########################################
#
# Local policy
#

allow yam_t self:capability { chown fowner fsetid dac_override };
allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow yam_t self:process execmem;
allow yam_t self:fd use;
allow yam_t self:fifo_file rw_fifo_file_perms;
allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow yam_t self:unix_dgram_socket { create_socket_perms sendto };
allow yam_t self:shm create_shm_perms;
allow yam_t self:sem create_sem_perms;
allow yam_t self:msgq create_msgq_perms;
allow yam_t self:msg { send receive };
allow yam_t self:tcp_socket create_socket_perms;

# Update the content being managed by yam.
manage_dirs_pattern(yam_t, yam_content_t, yam_content_t)
manage_files_pattern(yam_t, yam_content_t, yam_content_t)
manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t)

allow yam_t yam_etc_t:file read_file_perms;
files_search_etc(yam_t)

manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t)
manage_dirs_pattern(yam_t, yam_tmp_t, yam_tmp_t)
files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })

kernel_read_kernel_sysctls(yam_t)
kernel_read_proc_symlinks(yam_t)
# Python works fine without reading /proc/meminfo
kernel_dontaudit_read_system_state(yam_t)

corecmd_exec_shell(yam_t)
corecmd_exec_bin(yam_t)

# Rsync and lftp need to network.  They also set files attributes to
# match whats on the remote server.
corenet_all_recvfrom_unlabeled(yam_t)
corenet_all_recvfrom_netlabel(yam_t)
corenet_tcp_sendrecv_generic_if(yam_t)
corenet_tcp_sendrecv_all_nodes(yam_t)
corenet_tcp_sendrecv_all_ports(yam_t)
corenet_tcp_connect_http_port(yam_t)
corenet_tcp_connect_rsync_port(yam_t)
corenet_sendrecv_http_client_packets(yam_t)
corenet_sendrecv_rsync_client_packets(yam_t)

# mktemp
dev_read_urand(yam_t)

files_read_etc_files(yam_t)
files_read_etc_runtime_files(yam_t)
# /usr/share/createrepo/genpkgmetadata.py:
files_exec_usr_files(yam_t)
# Programs invoked to build package lists need various permissions.
# genpkglist creates tmp files in /var/cache/apt/genpkglist
files_rw_var_files(yam_t)

fs_search_auto_mountpoints(yam_t)
# Content can also be on ISO image files.
fs_read_iso9660_files(yam_t)

term_search_ptys(yam_t)

libs_use_ld_so(yam_t)
libs_use_shared_libs(yam_t)

logging_send_syslog_msg(yam_t)

miscfiles_read_localization(yam_t)

seutil_read_config(yam_t)

sysnet_dns_name_resolve(yam_t)
sysnet_read_config(yam_t)

userdom_use_unpriv_users_fds(yam_t)
# Reading dotfiles...
# cjp: ?
userdom_search_all_users_home_dirs(yam_t)

# The whole point of this program is to make updates available on a
# local web server.  Need to go through /var to get to /var/yam
# Go through /var/www to get to /var/www/yam
apache_search_sys_content(yam_t)

optional_policy(`
	cron_system_entry(yam_t, yam_exec_t)
')

optional_policy(`
	mount_domtrans(yam_t)
')

optional_policy(`
	nis_use_ypbind(yam_t)
')

optional_policy(`
	nscd_socket_use(yam_t)
')

optional_policy(`
	rsync_exec(yam_t)
')
Commit	Line	Data
f30e6ea8	1
0bfccda4	2	policy_module(yam, 1.2.0)
f30e6ea8 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type yam_t alias yam_crond_t;
	10	type yam_exec_t;
0bfccda4	11	application_domain(yam_t, yam_exec_t)
f30e6ea8 CP	12
	13	type yam_content_t;
	14	files_mountpoint(yam_content_t)
	15
	16	type yam_etc_t;
	17	files_config_file(yam_etc_t)
	18
	19	type yam_tmp_t;
	20	files_tmp_file(yam_tmp_t)
	21
	22	########################################
	23	#
	24	# Local policy
	25	#
	26
	27	allow yam_t self:capability { chown fowner fsetid dac_override };
	28	allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	29	allow yam_t self:process execmem;
	30	allow yam_t self:fd use;
c0868a7a	31	allow yam_t self:fifo_file rw_fifo_file_perms;
f30e6ea8 CP	32	allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto };
	33	allow yam_t self:unix_dgram_socket { create_socket_perms sendto };
	34	allow yam_t self:shm create_shm_perms;
	35	allow yam_t self:sem create_sem_perms;
	36	allow yam_t self:msgq create_msgq_perms;
	37	allow yam_t self:msg { send receive };
	38	allow yam_t self:tcp_socket create_socket_perms;
f30e6ea8 CP	39
f30e6ea8 CP	40	# Update the content being managed by yam.
0bfccda4 CP	41	manage_dirs_pattern(yam_t, yam_content_t, yam_content_t)
	42	manage_files_pattern(yam_t, yam_content_t, yam_content_t)
	43	manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t)
f30e6ea8	44
0b36a214	45	allow yam_t yam_etc_t:file read_file_perms;
f30e6ea8 CP	46	files_search_etc(yam_t)
f30e6ea8 CP	47
0bfccda4 CP	48	manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t)
0bfccda4 CP	49	manage_dirs_pattern(yam_t, yam_tmp_t, yam_tmp_t)
f30e6ea8 CP	50	files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
	51
	52	kernel_read_kernel_sysctls(yam_t)
	53	kernel_read_proc_symlinks(yam_t)
	54	# Python works fine without reading /proc/meminfo
	55	kernel_dontaudit_read_system_state(yam_t)
	56
	57	corecmd_exec_shell(yam_t)
	58	corecmd_exec_bin(yam_t)
	59
	60	# Rsync and lftp need to network. They also set files attributes to
	61	# match whats on the remote server.
19006686 CP	62	corenet_all_recvfrom_unlabeled(yam_t)
19006686 CP	63	corenet_all_recvfrom_netlabel(yam_t)
f30e6ea8	64	corenet_tcp_sendrecv_generic_if(yam_t)
f30e6ea8	65	corenet_tcp_sendrecv_all_nodes(yam_t)
f30e6ea8	66	corenet_tcp_sendrecv_all_ports(yam_t)
f30e6ea8 CP	67	corenet_tcp_connect_http_port(yam_t)
f30e6ea8 CP	68	corenet_tcp_connect_rsync_port(yam_t)
c0d8c41e CP	69	corenet_sendrecv_http_client_packets(yam_t)
c0d8c41e CP	70	corenet_sendrecv_rsync_client_packets(yam_t)
f30e6ea8 CP	71
	72	# mktemp
	73	dev_read_urand(yam_t)
	74
	75	files_read_etc_files(yam_t)
	76	files_read_etc_runtime_files(yam_t)
	77	# /usr/share/createrepo/genpkgmetadata.py:
	78	files_exec_usr_files(yam_t)
	79	# Programs invoked to build package lists need various permissions.
	80	# genpkglist creates tmp files in /var/cache/apt/genpkglist
	81	files_rw_var_files(yam_t)
	82
	83	fs_search_auto_mountpoints(yam_t)
	84	# Content can also be on ISO image files.
	85	fs_read_iso9660_files(yam_t)
	86
	87	term_search_ptys(yam_t)
	88
	89	libs_use_ld_so(yam_t)
	90	libs_use_shared_libs(yam_t)
	91
	92	logging_send_syslog_msg(yam_t)
	93
	94	miscfiles_read_localization(yam_t)
	95
	96	seutil_read_config(yam_t)
	97
c0d8c41e	98	sysnet_dns_name_resolve(yam_t)
f30e6ea8 CP	99	sysnet_read_config(yam_t)
	100
	101	userdom_use_unpriv_users_fds(yam_t)
	102	# Reading dotfiles...
	103	# cjp: ?
	104	userdom_search_all_users_home_dirs(yam_t)
	105
	106	# The whole point of this program is to make updates available on a
	107	# local web server. Need to go through /var to get to /var/yam
	108	# Go through /var/www to get to /var/www/yam
	109	apache_search_sys_content(yam_t)
	110
	111	optional_policy(`
0bfccda4	112	cron_system_entry(yam_t, yam_exec_t)
f30e6ea8 CP	113	')
	114
	115	optional_policy(`
	116	mount_domtrans(yam_t)
	117	')
	118
	119	optional_policy(`
	120	nis_use_ypbind(yam_t)
	121	')
	122
	123	optional_policy(`
	124	nscd_socket_use(yam_t)
	125	')
	126
	127	optional_policy(`
	128	rsync_exec(yam_t)
	129	')