policy_module(tor, 1.5.0)

########################################
#
# Declarations
#

# Daemon domain and its entry-point type; init_daemon_domain() provides
# the transition from init into tor_t when a tor_exec_t file is run.
type tor_t;
type tor_exec_t;
init_daemon_domain(tor_t, tor_exec_t)

# Init script for the service.
type tor_initrc_exec_t;
init_script_file(tor_initrc_exec_t)

# /etc/tor -- configuration. The rules below grant tor_t read access only.
type tor_etc_t;
files_config_file(tor_etc_t)

# /var/lib/tor -- persistent daemon state (dirs, files, sockets).
type tor_var_lib_t;
files_type(tor_var_lib_t)

# /var/log/tor -- log files (and sockets, per the rules below).
type tor_var_log_t;
logging_log_file(tor_var_log_t)

# /var/run/tor -- pid file and runtime sockets.
type tor_var_run_t;
files_pid_file(tor_var_run_t)

########################################
#
# tor local policy
#

# Permissions tor_t has on itself.  setuid/setgid are granted so the
# daemon can drop to its configured unprivileged user after start-up;
# no other capability is granted here (in particular no net_bind_service,
# so a listener below port 1024 is presumably not supported by this
# policy as written -- confirm against the deployed torrc).
allow tor_t self:capability { setgid setuid };
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
allow tor_t self:tcp_socket create_stream_socket_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
# NOTE(review): no udp_socket rule is present; if a UDP DNSPort is
# expected it would be denied under this module -- confirm it is unused.

# /etc/tor: read-only.  Only list/read/readlink on tor_etc_t is granted,
# so tor_t cannot rewrite its own configuration through this module.
allow tor_t tor_etc_t:dir list_dir_perms;
read_files_pattern(tor_t, tor_etc_t, tor_etc_t)
read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t)

# /var/lib/tor: full management of dirs, files and sockets, plus the
# type transitions that label newly created objects tor_var_lib_t.
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
files_var_lib_filetrans(tor_t, tor_var_lib_t, file)
files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file })
# NOTE(review): this transition also lets tor_t create new entries in
# usr_t directories, an unusual write path into /usr for a network
# daemon; confirm which layout still needs it before keeping it.
files_usr_filetrans(tor_t, tor_var_lib_t, file)

# /var/log/tor: create/manage log files and sockets.  setattr on the log
# directory is granted too, presumably for ownership/mode fix-ups at
# start-up.
allow tor_t tor_var_log_t:dir setattr;
manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })

# /var/run/tor: pid file and runtime sockets.
manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
files_pid_filetrans(tor_t, tor_var_run_t, { file sock_file })

auth_use_nsswitch(tor_t)

# Networking.  tor_t may bind on every node, listen on the tor port and
# connect out to ANY tcp port, reserved ones such as 80 included.  That
# means there is effectively no network confinement of this domain: its
# containment rests on the file, capability and process rules above.
corenet_all_recvfrom_unlabeled(tor_t)
corenet_all_recvfrom_netlabel(tor_t)
corenet_tcp_sendrecv_all_if(tor_t)
corenet_tcp_sendrecv_all_nodes(tor_t)
corenet_tcp_sendrecv_all_ports(tor_t)
corenet_tcp_bind_all_nodes(tor_t)
corenet_tcp_bind_tor_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
corenet_tcp_connect_all_ports(tor_t)
corenet_sendrecv_all_client_packets(tor_t)
# NOTE(review): the two *_reserved_ports rules are most likely already
# covered by the *_all_ports rules above; they are kept so the granted
# set is exactly unchanged.
corenet_tcp_sendrecv_all_reserved_ports(tor_t)
corenet_tcp_connect_all_reserved_ports(tor_t)

# Crypto needs a random source.
dev_read_urand(tor_t)

domain_use_interactive_fds(tor_t)

files_read_etc_files(tor_t)
files_read_etc_runtime_files(tor_t)

# System state under /proc and friends.
kernel_read_system_state(tor_t)

libs_use_ld_so(tor_t)
libs_use_shared_libs(tor_t)

miscfiles_read_localization(tor_t)

optional_policy(`
	seutil_sigchld_newrole(tor_t)
')