[people/stevee/selinux-policy.git] / policy / modules / apps / podsleuth.te


policy_module(podsleuth, 1.3.0)

########################################
#
# Declarations
#

type podsleuth_t;
type podsleuth_exec_t;
application_domain(podsleuth_t, podsleuth_exec_t)
role system_r types podsleuth_t;

type podsleuth_cache_t;
files_type(podsleuth_cache_t)
ubac_constrained(podsleuth_cache_t)

type podsleuth_tmp_t;
files_tmp_file(podsleuth_tmp_t)
ubac_constrained(podsleuth_tmp_t)

type podsleuth_tmpfs_t;
files_tmpfs_file(podsleuth_tmpfs_t)
ubac_constrained(podsleuth_tmpfs_t)

########################################
#
# podsleuth local policy
#
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
allow podsleuth_t self:tcp_socket create_stream_socket_perms;
allow podsleuth_t self:udp_socket create_socket_perms;

manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })

allow podsleuth_t podsleuth_tmp_t:dir mounton;
manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })

manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })

kernel_read_system_state(podsleuth_t)

corecmd_exec_bin(podsleuth_t)

corenet_tcp_connect_http_port(podsleuth_t)

dev_read_urand(podsleuth_t)

files_read_etc_files(podsleuth_t)

fs_mount_dos_fs(podsleuth_t)
fs_unmount_dos_fs(podsleuth_t)
fs_getattr_dos_fs(podsleuth_t)
fs_read_dos_files(podsleuth_t)
fs_search_dos(podsleuth_t)
fs_getattr_tmpfs(podsleuth_t)
fs_list_tmpfs(podsleuth_t)

miscfiles_read_localization(podsleuth_t)

sysnet_dns_name_resolve(podsleuth_t)

userdom_signal_unpriv_users(podsleuth_t)

optional_policy(`
	dbus_system_bus_client(podsleuth_t)

	optional_policy(`
		hal_dbus_chat(podsleuth_t)
	')
')

optional_policy(`
	mono_exec(podsleuth_t)
')
Commit	Line	Data
131634a5	1
29af4c13	2	policy_module(podsleuth, 1.3.0)
131634a5 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type podsleuth_t;
	10	type podsleuth_exec_t;
	11	application_domain(podsleuth_t, podsleuth_exec_t)
	12	role system_r types podsleuth_t;
	13
5bb5ec1d CP	14	type podsleuth_cache_t;
	15	files_type(podsleuth_cache_t)
	16	ubac_constrained(podsleuth_cache_t)
	17
	18	type podsleuth_tmp_t;
	19	files_tmp_file(podsleuth_tmp_t)
	20	ubac_constrained(podsleuth_tmp_t)
	21
	22	type podsleuth_tmpfs_t;
	23	files_tmpfs_file(podsleuth_tmpfs_t)
	24	ubac_constrained(podsleuth_tmpfs_t)
	25
131634a5 CP	26	########################################
	27	#
	28	# podsleuth local policy
	29	#
5bb5ec1d CP	30	allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
5bb5ec1d CP	31	allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
131634a5 CP	32	allow podsleuth_t self:fifo_file rw_file_perms;
131634a5 CP	33	allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
5bb5ec1d CP	34	allow podsleuth_t self:sem create_sem_perms;
	35	allow podsleuth_t self:tcp_socket create_stream_socket_perms;
	36	allow podsleuth_t self:udp_socket create_socket_perms;
	37
	38	manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
	39	manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
	40	files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })
	41
	42	allow podsleuth_t podsleuth_tmp_t:dir mounton;
	43	manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
	44	manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
	45	files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })
	46
	47	manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
	48	manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
	49	manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
	50	fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
131634a5 CP	51
	52	kernel_read_system_state(podsleuth_t)
	53
5bb5ec1d CP	54	corecmd_exec_bin(podsleuth_t)
	55
	56	corenet_tcp_connect_http_port(podsleuth_t)
	57
131634a5 CP	58	dev_read_urand(podsleuth_t)
	59
	60	files_read_etc_files(podsleuth_t)
	61
5bb5ec1d CP	62	fs_mount_dos_fs(podsleuth_t)
	63	fs_unmount_dos_fs(podsleuth_t)
	64	fs_getattr_dos_fs(podsleuth_t)
	65	fs_read_dos_files(podsleuth_t)
	66	fs_search_dos(podsleuth_t)
	67	fs_getattr_tmpfs(podsleuth_t)
	68	fs_list_tmpfs(podsleuth_t)
	69
131634a5 CP	70	miscfiles_read_localization(podsleuth_t)
131634a5 CP	71
5bb5ec1d CP	72	sysnet_dns_name_resolve(podsleuth_t)
5bb5ec1d CP	73
6394ea61 CP	74	userdom_signal_unpriv_users(podsleuth_t)
6394ea61 CP	75
5bb5ec1d CP	76	optional_policy(`
5bb5ec1d CP	77	dbus_system_bus_client(podsleuth_t)
131634a5	78
5bb5ec1d CP	79	optional_policy(`
	80	hal_dbus_chat(podsleuth_t)
	81	')
	82	')
131634a5	83
5bb5ec1d CP	84	optional_policy(`
	85	mono_exec(podsleuth_t)
	86	')