# SELinux reference-policy module for podsleuth.  The comments are a
# least-privilege reading of what each rule grants; anything about why a
# permission is needed that the rules themselves do not show is marked
# as an assumption to confirm.
policy_module(podsleuth, 1.3.0)

########################################
#
# Declarations
#

# Domain and its entrypoint: application_domain() makes podsleuth_t an
# application domain that is entered by executing podsleuth_exec_t.
type podsleuth_t;
type podsleuth_exec_t;
application_domain(podsleuth_t, podsleuth_exec_t)
# The domain is also allowed in the system role, not only in user roles.
role system_r types podsleuth_t;

# Persistent cache files (created through files_var_filetrans below).
# ubac_constrained() ties the objects to the SELinux user that created them.
type podsleuth_cache_t;
files_type(podsleuth_cache_t)
ubac_constrained(podsleuth_cache_t)

# Scratch files in the tmp directories; also used as a mount point (see
# the mounton rule below).
type podsleuth_tmp_t;
files_tmp_file(podsleuth_tmp_t)
ubac_constrained(podsleuth_tmp_t)

# Files the domain creates on tmpfs.
type podsleuth_tmpfs_t;
files_tmpfs_file(podsleuth_tmpfs_t)
ubac_constrained(podsleuth_tmpfs_t)

########################################
#
# podsleuth local policy
#

# Broad self capabilities.  sys_admin is what the DOS-filesystem
# mount/unmount interfaces and the mounton rule below depend on;
# sys_rawio permits raw I/O-port and device-level access (presumably to
# read the media directly — confirm against audit logs); dac_override
# bypasses ordinary file-permission checks; kill allows signalling
# processes of other users (see userdom_signal_unpriv_users below).
# Each of these is close to root-equivalent, so re-verify that all four
# are still exercised before keeping them.
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
# execheap/execmem/execstack allow writable-and-executable memory; the
# optional mono_exec() block at the end suggests this is for the Mono
# JIT.  ptrace on self is unusual for an application domain — confirm it
# is still required.
allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
allow podsleuth_t self:fifo_file rw_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
# Socket creation only; the reachable ports are restricted by the
# corenet_* rule further down.
allow podsleuth_t self:tcp_socket create_stream_socket_perms;
allow podsleuth_t self:udp_socket create_socket_perms;

# Full management of the cache type, with automatic labelling of new
# files and directories created in var directories.
manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t)
files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir })

# The tmp directory doubles as the mount point for the DOS filesystem
# mounted via fs_mount_dos_fs below.
allow podsleuth_t podsleuth_tmp_t:dir mounton;
manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t)
files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir })

# tmpfs objects: unlike the tmp type, symlinks are managed here too.
manage_dirs_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
manage_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
manage_lnk_files_pattern(podsleuth_t, podsleuth_tmpfs_t, podsleuth_tmpfs_t)
fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })

# Read-only view of kernel state under /proc.
kernel_read_system_state(podsleuth_t)

# May execute general-purpose binaries (no domain transition is declared
# for them, so they run in podsleuth_t).
corecmd_exec_bin(podsleuth_t)

# Outbound network access is limited to the HTTP port (plus the DNS
# resolution granted below).
corenet_tcp_connect_http_port(podsleuth_t)

dev_read_urand(podsleuth_t)

files_read_etc_files(podsleuth_t)

# Mount, inspect and read DOS-formatted filesystems — the core privilege
# of this module, and the reason sys_admin is granted above.
fs_mount_dos_fs(podsleuth_t)
fs_unmount_dos_fs(podsleuth_t)
fs_getattr_dos_fs(podsleuth_t)
fs_read_dos_files(podsleuth_t)
fs_search_dos(podsleuth_t)
fs_getattr_tmpfs(podsleuth_t)
fs_list_tmpfs(podsleuth_t)

miscfiles_read_localization(podsleuth_t)

sysnet_dns_name_resolve(podsleuth_t)

# Can signal processes in unprivileged user domains; together with the
# kill capability this reaches processes of other users, so keep it only
# if that cross-user signalling is actually needed.
userdom_signal_unpriv_users(podsleuth_t)

# Talks to the system D-Bus; the nested block additionally allows
# message exchange with HAL when that module is present.
optional_policy(`
	dbus_system_bus_client(podsleuth_t)

	optional_policy(`
		hal_dbus_chat(podsleuth_t)
	')
')

# Mono runtime execution, when the mono module is loaded.
optional_policy(`
	mono_exec(podsleuth_t)
')