projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| b5212295 | 1 | policy_module(abrt, 1.1.1) |
| e3a90e35 CP |
2 | |
| 3 | ######################################## | |
| 4 | # | |
| 5 | # Declarations | |
| 6 | # | |
| 7 | ||
| 8 | type abrt_t; | |
| 9 | type abrt_exec_t; | |
| 10 | init_daemon_domain(abrt_t, abrt_exec_t) | |
| 11 | ||
| 12 | type abrt_initrc_exec_t; | |
| 13 | init_script_file(abrt_initrc_exec_t) | |
| 14 | ||
| 15 | # etc files | |
| 16 | type abrt_etc_t; | |
| 17 | files_config_file(abrt_etc_t) | |
| 18 | ||
| 19 | # log files | |
| 20 | type abrt_var_log_t; | |
| 21 | logging_log_file(abrt_var_log_t) | |
| 22 | ||
| 23 | # tmp files | |
| 24 | type abrt_tmp_t; | |
| 25 | files_tmp_file(abrt_tmp_t) | |
| 26 | ||
| 27 | # var/cache files | |
| 28 | type abrt_var_cache_t; | |
| 29 | files_type(abrt_var_cache_t) | |
| 30 | ||
| 31 | # pid files | |
| 32 | type abrt_var_run_t; | |
| 33 | files_pid_file(abrt_var_run_t) | |
| 34 | ||
| 1b2f08ea CP |
35 | # type needed to allow all domains |
| 36 | # to handle /var/cache/abrt | |
| 37 | type abrt_helper_t; | |
| 38 | type abrt_helper_exec_t; | |
| 39 | application_domain(abrt_helper_t, abrt_helper_exec_t) | |
| 40 | role system_r types abrt_helper_t; | |
| 41 | ||
| 42 | ifdef(`enable_mcs',` | |
| 43 | init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) | |
| 44 | ') | |
| 45 | ||
| e3a90e35 CP |
46 | ######################################## |
| 47 | # | |
| 48 | # abrt local policy | |
| 49 | # | |
| 50 | ||
| 1b2f08ea CP |
51 | allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; |
| 52 | dontaudit abrt_t self:capability sys_rawio; | |
| e3a90e35 CP |
53 | allow abrt_t self:process { signal signull setsched getsched }; |
| 54 | ||
| 55 | allow abrt_t self:fifo_file rw_fifo_file_perms; | |
| 56 | allow abrt_t self:tcp_socket create_stream_socket_perms; | |
| 57 | allow abrt_t self:udp_socket create_socket_perms; | |
| 58 | allow abrt_t self:unix_dgram_socket create_socket_perms; | |
| 59 | allow abrt_t self:netlink_route_socket r_netlink_socket_perms; | |
| 60 | ||
| 61 | # abrt etc files | |
| 62 | rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) | |
| 63 | ||
| 64 | # log file | |
| 65 | manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) | |
| 66 | logging_log_filetrans(abrt_t, abrt_var_log_t, file) | |
| 67 | ||
| 1b2f08ea | 68 | # abrt tmp files |
| e3a90e35 CP |
69 | manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) |
| 70 | manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) | |
| 71 | files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) | |
| 72 | ||
| 73 | # abrt var/cache files | |
| 74 | manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) | |
| 75 | manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) | |
| 1b2f08ea | 76 | manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) |
| e3a90e35 | 77 | files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) |
| b5212295 | 78 | files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) |
| e3a90e35 CP |
79 | |
| 80 | # abrt pid files | |
| 81 | manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) | |
| 82 | manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) | |
| b5212295 | 83 | manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) |
| 1b2f08ea | 84 | manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) |
| e3a90e35 CP |
85 | files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) |
| 86 | ||
| 87 | kernel_read_ring_buffer(abrt_t) | |
| 88 | kernel_read_system_state(abrt_t) | |
| 89 | kernel_rw_kernel_sysctl(abrt_t) | |
| 90 | ||
| 91 | corecmd_exec_bin(abrt_t) | |
| 92 | corecmd_exec_shell(abrt_t) | |
| 1b2f08ea | 93 | corecmd_read_all_executables(abrt_t) |
| e3a90e35 | 94 | |
| cd173453 DG |
95 | corenet_all_recvfrom_netlabel(abrt_t) |
| 96 | corenet_all_recvfrom_unlabeled(abrt_t) | |
| cd173453 DG |
97 | corenet_tcp_sendrecv_generic_if(abrt_t) |
| 98 | corenet_tcp_sendrecv_generic_node(abrt_t) | |
| 99 | corenet_tcp_sendrecv_generic_port(abrt_t) | |
| 1b2f08ea CP |
100 | corenet_tcp_bind_generic_node(abrt_t) |
| 101 | corenet_tcp_connect_http_port(abrt_t) | |
| 102 | corenet_tcp_connect_ftp_port(abrt_t) | |
| 103 | corenet_tcp_connect_all_ports(abrt_t) | |
| 104 | corenet_sendrecv_http_client_packets(abrt_t) | |
| 105 | ||
| 1b2f08ea | 106 | dev_getattr_all_chr_files(abrt_t) |
| e3a90e35 | 107 | dev_read_urand(abrt_t) |
| 1b2f08ea CP |
108 | dev_rw_sysfs(abrt_t) |
| 109 | dev_dontaudit_read_raw_memory(abrt_t) | |
| 110 | ||
| 111 | domain_getattr_all_domains(abrt_t) | |
| 112 | domain_read_all_domains_state(abrt_t) | |
| 113 | domain_signull_all_domains(abrt_t) | |
| e3a90e35 CP |
114 | |
| 115 | files_getattr_all_files(abrt_t) | |
| 116 | files_read_etc_files(abrt_t) | |
| 1b2f08ea CP |
117 | files_read_var_symlinks(abrt_t) |
| 118 | files_read_var_lib_files(abrt_t) | |
| e3a90e35 | 119 | files_read_usr_files(abrt_t) |
| 1b2f08ea CP |
120 | files_read_generic_tmp_files(abrt_t) |
| 121 | files_read_kernel_modules(abrt_t) | |
| 122 | files_dontaudit_list_default(abrt_t) | |
| 123 | files_dontaudit_read_default_files(abrt_t) | |
| e3a90e35 CP |
124 | |
| 125 | fs_list_inotifyfs(abrt_t) | |
| 126 | fs_getattr_all_fs(abrt_t) | |
| 127 | fs_getattr_all_dirs(abrt_t) | |
| 1b2f08ea CP |
128 | fs_read_fusefs_files(abrt_t) |
| 129 | fs_read_noxattr_fs_files(abrt_t) | |
| 130 | fs_read_nfs_files(abrt_t) | |
| 131 | fs_read_nfs_symlinks(abrt_t) | |
| 132 | fs_search_all(abrt_t) | |
| e3a90e35 CP |
133 | |
| 134 | sysnet_read_config(abrt_t) | |
| 135 | ||
| 136 | logging_read_generic_logs(abrt_t) | |
| 137 | logging_send_syslog_msg(abrt_t) | |
| 138 | ||
| 139 | miscfiles_read_certs(abrt_t) | |
| 140 | miscfiles_read_localization(abrt_t) | |
| 141 | ||
| 1b2f08ea | 142 | userdom_dontaudit_read_user_home_content_files(abrt_t) |
| e3a90e35 CP |
143 | |
| 144 | optional_policy(` | |
| 1b2f08ea | 145 | dbus_system_domain(abrt_t, abrt_exec_t) |
| e3a90e35 CP |
146 | ') |
| 147 | ||
| e3a90e35 | 148 | optional_policy(` |
| 1b2f08ea CP |
149 | nis_use_ypbind(abrt_t) |
| 150 | ') | |
| 151 | ||
| 152 | optional_policy(` | |
| 153 | policykit_dbus_chat(abrt_t) | |
| 154 | policykit_domtrans_auth(abrt_t) | |
| 155 | policykit_read_lib(abrt_t) | |
| 156 | policykit_read_reload(abrt_t) | |
| 157 | ') | |
| 158 | ||
| b5212295 CP |
159 | optional_policy(` |
| 160 | prelink_exec(abrt_t) | |
| 161 | libs_exec_ld_so(abrt_t) | |
| 162 | corecmd_exec_all_executables(abrt_t) | |
| 163 | ') | |
| 164 | ||
| 1b2f08ea CP |
165 | # to install debuginfo packages |
| 166 | optional_policy(` | |
| 167 | rpm_exec(abrt_t) | |
| 168 | rpm_dontaudit_manage_db(abrt_t) | |
| 169 | rpm_manage_cache(abrt_t) | |
| 170 | rpm_manage_pid_files(abrt_t) | |
| 171 | rpm_read_db(abrt_t) | |
| 172 | rpm_signull(abrt_t) | |
| e3a90e35 CP |
173 | ') |
| 174 | ||
| 175 | # to run mailx plugin | |
| 176 | optional_policy(` | |
| 177 | sendmail_domtrans(abrt_t) | |
| 178 | ') | |
| 1b2f08ea CP |
179 | |
| 180 | optional_policy(` | |
| 181 | sssd_stream_connect(abrt_t) | |
| 182 | ') | |
| 183 | ||
| 184 | ######################################## | |
| 185 | # | |
| 186 | # abrt--helper local policy | |
| 187 | # | |
| 188 | ||
| b5212295 | 189 | allow abrt_helper_t self:capability { chown setgid sys_nice }; |
| 1b2f08ea CP |
190 | allow abrt_helper_t self:process signal; |
| 191 | ||
| 192 | read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t) | |
| 193 | ||
| b5212295 | 194 | files_search_spool(abrt_helper_t) |
| 1b2f08ea CP |
195 | manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) |
| 196 | manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) | |
| 197 | manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) | |
| 198 | files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) | |
| 199 | ||
| 200 | read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) | |
| 201 | read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) | |
| 202 | ||
| 203 | domain_read_all_domains_state(abrt_helper_t) | |
| 204 | ||
| 205 | files_read_etc_files(abrt_helper_t) | |
| 206 | ||
| 207 | fs_list_inotifyfs(abrt_helper_t) | |
| 208 | fs_getattr_all_fs(abrt_helper_t) | |
| 209 | ||
| 210 | auth_use_nsswitch(abrt_helper_t) | |
| 211 | ||
| 212 | logging_send_syslog_msg(abrt_helper_t) | |
| 213 | ||
| 214 | miscfiles_read_localization(abrt_helper_t) | |
| 215 | ||
| 216 | term_dontaudit_use_all_ttys(abrt_helper_t) | |
| 217 | term_dontaudit_use_all_ptys(abrt_helper_t) | |
| 218 | ||
| 219 | ifdef(`hide_broken_symptoms', ` | |
| 220 | userdom_dontaudit_read_user_home_content_files(abrt_helper_t) | |
| 221 | userdom_dontaudit_read_user_tmp_files(abrt_helper_t) | |
| 222 | dev_dontaudit_read_all_blk_files(abrt_helper_t) | |
| 223 | dev_dontaudit_read_all_chr_files(abrt_helper_t) | |
| 224 | dev_dontaudit_write_all_chr_files(abrt_helper_t) | |
| 225 | dev_dontaudit_write_all_blk_files(abrt_helper_t) | |
| 226 | fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) | |
| 227 | ') |