[people/stevee/selinux-policy.git] / policy / modules / services / tor.te


policy_module(tor, 1.5.3)

########################################
#
# Declarations
#

type tor_t;
type tor_exec_t;
init_daemon_domain(tor_t, tor_exec_t)

# etc/tor
type tor_etc_t;
files_config_file(tor_etc_t)

type tor_initrc_exec_t;
init_script_file(tor_initrc_exec_t)

# var/lib/tor
type tor_var_lib_t;
files_type(tor_var_lib_t)

# log files
type tor_var_log_t;
logging_log_file(tor_var_log_t)

# pid files
type tor_var_run_t;
files_pid_file(tor_var_run_t)

########################################
#
# tor local policy
#

allow tor_t self:capability { setgid setuid sys_tty_config };
allow tor_t self:fifo_file rw_fifo_file_perms;
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
allow tor_t self:tcp_socket create_stream_socket_perms;

# configuration files
allow tor_t tor_etc_t:dir list_dir_perms;
read_files_pattern(tor_t, tor_etc_t, tor_etc_t)
read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t)

# var/lib/tor files
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
files_usr_filetrans(tor_t, tor_var_lib_t, file)
files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file })
files_var_lib_filetrans(tor_t, tor_var_lib_t, file)

# log files
allow tor_t tor_var_log_t:dir setattr;
manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })

# pid file
manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
files_pid_filetrans(tor_t, tor_var_run_t, { file sock_file })

kernel_read_system_state(tor_t)

# networking basics
corenet_all_recvfrom_unlabeled(tor_t)
corenet_all_recvfrom_netlabel(tor_t)
corenet_tcp_sendrecv_generic_if(tor_t)
corenet_tcp_sendrecv_generic_node(tor_t)
corenet_tcp_sendrecv_all_ports(tor_t)
corenet_tcp_sendrecv_all_reserved_ports(tor_t)
corenet_tcp_bind_generic_node(tor_t)
corenet_tcp_bind_tor_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
# TOR will need to connect to various ports
corenet_tcp_connect_all_ports(tor_t)
corenet_sendrecv_all_client_packets(tor_t)
# ... especially including port 80 and other privileged ports
corenet_tcp_connect_all_reserved_ports(tor_t)

# tor uses crypto and needs random
dev_read_urand(tor_t)

domain_use_interactive_fds(tor_t)

files_read_etc_files(tor_t)
files_read_etc_runtime_files(tor_t)

auth_use_nsswitch(tor_t)

miscfiles_read_localization(tor_t)

optional_policy(`
	seutil_sigchld_newrole(tor_t)
')
Commit	Line	Data
ce3145e3	1
3392356f	2	policy_module(tor, 1.5.3)
ce3145e3 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type tor_t;
	10	type tor_exec_t;
	11	init_daemon_domain(tor_t, tor_exec_t)
	12
	13	# etc/tor
	14	type tor_etc_t;
	15	files_config_file(tor_etc_t)
	16
e87221ce CP	17	type tor_initrc_exec_t;
	18	init_script_file(tor_initrc_exec_t)
	19
ce3145e3 CP	20	# var/lib/tor
	21	type tor_var_lib_t;
	22	files_type(tor_var_lib_t)
	23
	24	# log files
	25	type tor_var_log_t;
	26	logging_log_file(tor_var_log_t)
	27
	28	# pid files
	29	type tor_var_run_t;
	30	files_pid_file(tor_var_run_t)
	31
	32	########################################
	33	#
	34	# tor local policy
	35	#
	36
3392356f	37	allow tor_t self:capability { setgid setuid sys_tty_config };
0b36a214	38	allow tor_t self:fifo_file rw_fifo_file_perms;
ce3145e3 CP	39	allow tor_t self:unix_stream_socket create_stream_socket_perms;
ce3145e3 CP	40	allow tor_t self:netlink_route_socket r_netlink_socket_perms;
aa5f871d	41	allow tor_t self:tcp_socket create_stream_socket_perms;
ce3145e3 CP	42
ce3145e3 CP	43	# configuration files
c0868a7a	44	allow tor_t tor_etc_t:dir list_dir_perms;
0bfccda4 CP	45	read_files_pattern(tor_t, tor_etc_t, tor_etc_t)
0bfccda4 CP	46	read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t)
ce3145e3 CP	47
ce3145e3 CP	48	# var/lib/tor files
0bfccda4 CP	49	manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
	50	manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
	51	manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
	52	files_usr_filetrans(tor_t, tor_var_lib_t, file)
	53	files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file })
	54	files_var_lib_filetrans(tor_t, tor_var_lib_t, file)
ce3145e3 CP	55
ce3145e3 CP	56	# log files
c0868a7a	57	allow tor_t tor_var_log_t:dir setattr;
0bfccda4 CP	58	manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
	59	manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
	60	logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
ce3145e3 CP	61
ce3145e3 CP	62	# pid file
0bfccda4 CP	63	manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
	64	manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
	65	files_pid_filetrans(tor_t, tor_var_run_t, { file sock_file })
ce3145e3	66
13d7cec6 CP	67	kernel_read_system_state(tor_t)
13d7cec6 CP	68
ce3145e3	69	# networking basics
19006686 CP	70	corenet_all_recvfrom_unlabeled(tor_t)
19006686 CP	71	corenet_all_recvfrom_netlabel(tor_t)
668b3093	72	corenet_tcp_sendrecv_generic_if(tor_t)
c1262146	73	corenet_tcp_sendrecv_generic_node(tor_t)
ce3145e3 CP	74	corenet_tcp_sendrecv_all_ports(tor_t)
ce3145e3 CP	75	corenet_tcp_sendrecv_all_reserved_ports(tor_t)
c1262146	76	corenet_tcp_bind_generic_node(tor_t)
141cffdd CP	77	corenet_tcp_bind_tor_port(tor_t)
141cffdd CP	78	corenet_sendrecv_tor_server_packets(tor_t)
ce3145e3 CP	79	# TOR will need to connect to various ports
ce3145e3 CP	80	corenet_tcp_connect_all_ports(tor_t)
141cffdd	81	corenet_sendrecv_all_client_packets(tor_t)
ce3145e3 CP	82	# ... especially including port 80 and other privileged ports
ce3145e3 CP	83	corenet_tcp_connect_all_reserved_ports(tor_t)
ce3145e3 CP	84
	85	# tor uses crypto and needs random
	86	dev_read_urand(tor_t)
	87
	88	domain_use_interactive_fds(tor_t)
	89
	90	files_read_etc_files(tor_t)
13d7cec6 CP	91	files_read_etc_runtime_files(tor_t)
13d7cec6 CP	92
e87221ce CP	93	auth_use_nsswitch(tor_t)
e87221ce CP	94
ce3145e3 CP	95	miscfiles_read_localization(tor_t)
ce3145e3 CP	96
bb7170f6	97	optional_policy(`
ce3145e3 CP	98	seutil_sigchld_newrole(tor_t)
ce3145e3 CP	99	')