[people/stevee/selinux-policy.git] / refpolicy / policy / modules / admin / prelink.te


policy_module(prelink,1.0.2)

########################################
#
# Declarations

attribute prelink_object;

type prelink_t;
type prelink_exec_t;
init_system_domain(prelink_t,prelink_exec_t)

type prelink_cache_t;
files_type(prelink_cache_t)

type prelink_log_t;
logging_log_file(prelink_log_t)

########################################
#
# Local policy
#

allow prelink_t self:capability { chown dac_override fowner fsetid };
allow prelink_t self:process { execheap execmem execstack };
allow prelink_t self:fifo_file rw_file_perms;

allow prelink_t prelink_cache_t:file manage_file_perms;
files_filetrans_etc(prelink_t, prelink_cache_t, file)
files_filetrans_var_lib(prelink_t, prelink_cache_t, file)

allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
allow prelink_t prelink_log_t:file { create ra_file_perms };
allow prelink_t prelink_log_t:lnk_file read;
logging_filetrans_log(prelink_t, prelink_log_t)

# prelink misc objects that are not system
# libraries or entrypoints
allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };

kernel_read_system_state(prelink_t)
kernel_dontaudit_search_kernel_sysctl(prelink_t)
kernel_dontaudit_search_sysctl(prelink_t)

corecmd_manage_bin_files(prelink_t)
corecmd_relabel_bin_files(prelink_t)
corecmd_mmap_bin_files(prelink_t)
corecmd_manage_sbin_files(prelink_t)
corecmd_relabel_sbin_files(prelink_t)
corecmd_mmap_sbin_files(prelink_t)

dev_read_urand(prelink_t)

domain_manage_all_entry_files(prelink_t)
domain_relabel_all_entry_files(prelink_t)
domain_mmap_all_entry_files(prelink_t)

files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
files_write_non_security_dirs(prelink_t)
files_read_etc_files(prelink_t)
files_read_etc_runtime_files(prelink_t)

fs_getattr_xattr_fs(prelink_t)

libs_use_ld_so(prelink_t)
libs_exec_ld_so(prelink_t)
libs_manage_ld_so(prelink_t)
libs_relabel_ld_so(prelink_t)
libs_use_shared_libs(prelink_t)
libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
libs_use_lib_files(prelink_t)
libs_manage_lib_files(prelink_t)
libs_relabel_lib_files(prelink_t)

miscfiles_read_localization(prelink_t)

optional_policy(`cron',`
	cron_system_entry(prelink_t, prelink_exec_t)
')
Commit	Line	Data
2c243586	1
b0d2243c	2	policy_module(prelink,1.0.2)
2c243586 CP	3
	4	########################################
	5	#
	6	# Declarations
	7
	8	attribute prelink_object;
	9
	10	type prelink_t;
	11	type prelink_exec_t;
	12	init_system_domain(prelink_t,prelink_exec_t)
	13
	14	type prelink_cache_t;
	15	files_type(prelink_cache_t)
	16
	17	type prelink_log_t;
	18	logging_log_file(prelink_log_t)
	19
	20	########################################
	21	#
	22	# Local policy
	23	#
	24
	25	allow prelink_t self:capability { chown dac_override fowner fsetid };
	26	allow prelink_t self:process { execheap execmem execstack };
	27	allow prelink_t self:fifo_file rw_file_perms;
	28
	29	allow prelink_t prelink_cache_t:file manage_file_perms;
9d594986	30	files_filetrans_etc(prelink_t, prelink_cache_t, file)
a524921a	31	files_filetrans_var_lib(prelink_t, prelink_cache_t, file)
2c243586 CP	32
	33	allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
	34	allow prelink_t prelink_log_t:file { create ra_file_perms };
	35	allow prelink_t prelink_log_t:lnk_file read;
9d594986	36	logging_filetrans_log(prelink_t, prelink_log_t)
2c243586 CP	37
	38	# prelink misc objects that are not system
	39	# libraries or entrypoints
	40	allow prelink_t prelink_object:file { create_file_perms execute relabelto relabelfrom };
	41
	42	kernel_read_system_state(prelink_t)
	43	kernel_dontaudit_search_kernel_sysctl(prelink_t)
	44	kernel_dontaudit_search_sysctl(prelink_t)
	45
	46	corecmd_manage_bin_files(prelink_t)
	47	corecmd_relabel_bin_files(prelink_t)
	48	corecmd_mmap_bin_files(prelink_t)
	49	corecmd_manage_sbin_files(prelink_t)
	50	corecmd_relabel_sbin_files(prelink_t)
	51	corecmd_mmap_sbin_files(prelink_t)
	52
	53	dev_read_urand(prelink_t)
	54
	55	domain_manage_all_entry_files(prelink_t)
	56	domain_relabel_all_entry_files(prelink_t)
	57	domain_mmap_all_entry_files(prelink_t)
	58
	59	files_list_all(prelink_t)
	60	files_getattr_all_files(prelink_t)
9e04f5c5	61	files_write_non_security_dirs(prelink_t)
a524921a	62	files_read_etc_files(prelink_t)
2c243586 CP	63	files_read_etc_runtime_files(prelink_t)
	64
	65	fs_getattr_xattr_fs(prelink_t)
	66
	67	libs_use_ld_so(prelink_t)
b0d2243c	68	libs_exec_ld_so(prelink_t)
2c243586 CP	69	libs_manage_ld_so(prelink_t)
	70	libs_relabel_ld_so(prelink_t)
	71	libs_use_shared_libs(prelink_t)
	72	libs_manage_shared_libs(prelink_t)
	73	libs_relabel_shared_libs(prelink_t)
1815bad1	74	libs_use_lib_files(prelink_t)
2c243586 CP	75	libs_manage_lib_files(prelink_t)
	76	libs_relabel_lib_files(prelink_t)
	77
	78	miscfiles_read_localization(prelink_t)
	79
	80	optional_policy(`cron',`
	81	cron_system_entry(prelink_t, prelink_exec_t)
	82	')