policy_module(tor, 1.5.0)

########################################
#
# Declarations
#

# Daemon domain (tor_t) and the entrypoint type of its executable (tor_exec_t);
# init_daemon_domain() wires the init -> tor_t transition on tor_exec_t.
type tor_t;
type tor_exec_t;
init_daemon_domain(tor_t, tor_exec_t)

# etc/tor
# Configuration is read-only for tor_t (see "configuration files" below);
# nothing in this module lets the daemon write its own config.
type tor_etc_t;
files_config_file(tor_etc_t)

# Init script label so the service can be started/stopped through init.
type tor_initrc_exec_t;
init_script_file(tor_initrc_exec_t)

# var/lib/tor
# Persistent state (keys, cached descriptors); tor_t gets full manage rights.
type tor_var_lib_t;
files_type(tor_var_lib_t)

# log files
type tor_var_log_t;
logging_log_file(tor_var_log_t)

# pid files
type tor_var_run_t;
files_pid_file(tor_var_run_t)

########################################
#
# tor local policy
#

# setuid/setgid: presumably so the daemon can drop root after binding
# privileged ports (the "User" directive) -- confirm against the tor build.
allow tor_t self:capability { setgid setuid };
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
# Read-only netlink route access (interface/route enumeration), no write.
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
allow tor_t self:tcp_socket create_stream_socket_perms;

# configuration files
# Directory listing plus read of regular files and symlinks only.
allow tor_t tor_etc_t:dir list_dir_perms;
read_files_pattern(tor_t, tor_etc_t, tor_etc_t)
read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t)

# var/lib/tor files
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
# NOTE(review): the next two lines let tor_t create tor_var_lib_t entries
# directly under /usr and /var (not only /var/lib). A daemon writing its
# state type under /usr is unusual; confirm which installed layout needs
# this before keeping it, since it widens where tor_t may create files.
files_usr_filetrans(tor_t, tor_var_lib_t, file)
files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file })
files_var_lib_filetrans(tor_t, tor_var_lib_t, file)

# log files
# Only setattr is granted on the log directory itself; file/socket
# management inside it comes from the manage_*_pattern calls below.
allow tor_t tor_var_log_t:dir setattr;
manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })

# pid file
# The control socket may also live here, hence sock_file in the transition.
manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
files_pid_filetrans(tor_t, tor_var_run_t, { file sock_file })

# Read-only access to kernel state under /proc.
kernel_read_system_state(tor_t)

# networking basics
corenet_all_recvfrom_unlabeled(tor_t)
corenet_all_recvfrom_netlabel(tor_t)
corenet_tcp_sendrecv_all_if(tor_t)
corenet_tcp_sendrecv_all_nodes(tor_t)
corenet_tcp_sendrecv_all_ports(tor_t)
corenet_tcp_sendrecv_all_reserved_ports(tor_t)
# Listening is restricted to the tor port type: an ORPort/DirPort configured
# on a port that is not labeled tor_port_t will be denied at bind() -- verify
# the port labeling in corenetwork when changing the listener config.
corenet_tcp_bind_all_nodes(tor_t)
corenet_tcp_bind_tor_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
# TOR will need to connect to various ports
# Outbound connects are deliberately unrestricted (relays and exits talk to
# arbitrary destinations); this is the broadest permission in the module,
# so treat unexpected tor_t connect denials as config, not policy, issues.
corenet_tcp_connect_all_ports(tor_t)
corenet_sendrecv_all_client_packets(tor_t)
# ... especially including port 80 and other privileged ports
corenet_tcp_connect_all_reserved_ports(tor_t)

# tor uses crypto and needs random
# Only /dev/urandom is granted; /dev/random is not read by this policy.
dev_read_urand(tor_t)

# Inherit and use file descriptors from interactive (admin) domains.
domain_use_interactive_fds(tor_t)

files_read_etc_files(tor_t)
files_read_etc_runtime_files(tor_t)

# Name resolution and user/group lookups through NSS.
auth_use_nsswitch(tor_t)

libs_use_ld_so(tor_t)
libs_use_shared_libs(tor_t)

miscfiles_read_localization(tor_t)

# Only active when the seutil module is loaded: lets newrole receive
# SIGCHLD from tor_t.
optional_policy(`
	seutil_sigchld_newrole(tor_t)
')