[people/stevee/selinux-policy.git] / policy / modules / apps / calamaris.te


policy_module(calamaris, 1.6.0)

########################################
#
# Declarations
#

type calamaris_t;
type calamaris_exec_t;
init_system_domain(calamaris_t, calamaris_exec_t)

type calamaris_www_t;
files_type(calamaris_www_t)

type calamaris_log_t;
logging_log_file(calamaris_log_t)

########################################
#
# Local policy
#

# for when squid has a different UID
allow calamaris_t self:capability dac_override;
allow calamaris_t self:process { fork signal_perms setsched };
allow calamaris_t self:fifo_file rw_fifo_file_perms;
allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
allow calamaris_t self:tcp_socket create_stream_socket_perms;
allow calamaris_t self:udp_socket create_socket_perms;

manage_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
manage_lnk_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)

manage_files_pattern(calamaris_t, calamaris_log_t, calamaris_log_t)
logging_log_filetrans(calamaris_t, calamaris_log_t, { file dir })

kernel_read_all_sysctls(calamaris_t)
kernel_read_system_state(calamaris_t)

corecmd_exec_bin(calamaris_t)

corenet_all_recvfrom_unlabeled(calamaris_t)
corenet_all_recvfrom_netlabel(calamaris_t)
corenet_tcp_sendrecv_generic_if(calamaris_t)
corenet_udp_sendrecv_generic_if(calamaris_t)
corenet_tcp_sendrecv_generic_node(calamaris_t)
corenet_udp_sendrecv_generic_node(calamaris_t)
corenet_tcp_sendrecv_all_ports(calamaris_t)
corenet_udp_sendrecv_all_ports(calamaris_t)

dev_read_urand(calamaris_t)

files_search_pids(calamaris_t)
files_read_etc_files(calamaris_t)
files_read_usr_files(calamaris_t)
files_read_var_files(calamaris_t)
files_read_etc_runtime_files(calamaris_t)

libs_read_lib_files(calamaris_t)

auth_use_nsswitch(calamaris_t)

logging_send_syslog_msg(calamaris_t)

miscfiles_read_localization(calamaris_t)

userdom_dontaudit_list_user_home_dirs(calamaris_t)

squid_read_log(calamaris_t)

optional_policy(`
	apache_search_sys_content(calamaris_t)
')

optional_policy(`
	cron_system_entry(calamaris_t, calamaris_exec_t)
')

optional_policy(`
	mta_send_mail(calamaris_t)
')
Commit	Line	Data
99c902f3	1
29af4c13	2	policy_module(calamaris, 1.6.0)
99c902f3 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type calamaris_t;
	10	type calamaris_exec_t;
0bfccda4	11	init_system_domain(calamaris_t, calamaris_exec_t)
99c902f3 CP	12
	13	type calamaris_www_t;
	14	files_type(calamaris_www_t)
	15
	16	type calamaris_log_t;
	17	logging_log_file(calamaris_log_t)
	18
	19	########################################
	20	#
	21	# Local policy
	22	#
	23
	24	# for when squid has a different UID
	25	allow calamaris_t self:capability dac_override;
	26	allow calamaris_t self:process { fork signal_perms setsched };
0b36a214	27	allow calamaris_t self:fifo_file rw_fifo_file_perms;
99c902f3 CP	28	allow calamaris_t self:unix_stream_socket create_stream_socket_perms;
	29	allow calamaris_t self:tcp_socket create_stream_socket_perms;
	30	allow calamaris_t self:udp_socket create_socket_perms;
	31
0bfccda4 CP	32	manage_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
0bfccda4 CP	33	manage_lnk_files_pattern(calamaris_t, calamaris_www_t, calamaris_www_t)
99c902f3	34
0bfccda4 CP	35	manage_files_pattern(calamaris_t, calamaris_log_t, calamaris_log_t)
0bfccda4 CP	36	logging_log_filetrans(calamaris_t, calamaris_log_t, { file dir })
99c902f3 CP	37
	38	kernel_read_all_sysctls(calamaris_t)
	39	kernel_read_system_state(calamaris_t)
	40
	41	corecmd_exec_bin(calamaris_t)
	42
19006686 CP	43	corenet_all_recvfrom_unlabeled(calamaris_t)
19006686 CP	44	corenet_all_recvfrom_netlabel(calamaris_t)
99c902f3 CP	45	corenet_tcp_sendrecv_generic_if(calamaris_t)
99c902f3 CP	46	corenet_udp_sendrecv_generic_if(calamaris_t)
c1262146 CP	47	corenet_tcp_sendrecv_generic_node(calamaris_t)
c1262146 CP	48	corenet_udp_sendrecv_generic_node(calamaris_t)
99c902f3 CP	49	corenet_tcp_sendrecv_all_ports(calamaris_t)
99c902f3 CP	50	corenet_udp_sendrecv_all_ports(calamaris_t)
99c902f3 CP	51
	52	dev_read_urand(calamaris_t)
	53
	54	files_search_pids(calamaris_t)
	55	files_read_etc_files(calamaris_t)
	56	files_read_usr_files(calamaris_t)
	57	files_read_var_files(calamaris_t)
	58	files_read_etc_runtime_files(calamaris_t)
	59
	60	libs_read_lib_files(calamaris_t)
99c902f3	61
962d6fb9 CP	62	auth_use_nsswitch(calamaris_t)
962d6fb9 CP	63
99c902f3 CP	64	logging_send_syslog_msg(calamaris_t)
	65
	66	miscfiles_read_localization(calamaris_t)
	67
296273a7	68	userdom_dontaudit_list_user_home_dirs(calamaris_t)
99c902f3 CP	69
	70	squid_read_log(calamaris_t)
	71
bb7170f6	72	optional_policy(`
99c902f3 CP	73	apache_search_sys_content(calamaris_t)
	74	')
	75
bb7170f6	76	optional_policy(`
0bfccda4	77	cron_system_entry(calamaris_t, calamaris_exec_t)
99c902f3 CP	78	')
99c902f3 CP	79
bb7170f6	80	optional_policy(`
99c902f3 CP	81	mta_send_mail(calamaris_t)
99c902f3 CP	82	')