projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| eac818f0 | 1 | |
| cfcf5004 | 2 | policy_module(setroubleshoot, 1.7.0) |
| eac818f0 CP |
3 | |
| 4 | ######################################## | |
| 5 | # | |
| 6 | # Declarations | |
| 7 | # | |
| 8 | ||
| 9 | type setroubleshootd_t alias setroubleshoot_t; | |
| 10 | type setroubleshootd_exec_t; | |
| 11 | domain_type(setroubleshootd_t) | |
| 12 | init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) | |
| 13 | ||
| 14 | type setroubleshoot_var_lib_t; | |
| 15 | files_type(setroubleshoot_var_lib_t) | |
| 16 | ||
| 17 | # log files | |
| 18 | type setroubleshoot_var_log_t; | |
| 19 | logging_log_file(setroubleshoot_var_log_t) | |
| 20 | ||
| 21 | # pid files | |
| 22 | type setroubleshoot_var_run_t; | |
| 23 | files_pid_file(setroubleshoot_var_run_t) | |
| 24 | ||
| 25 | ######################################## | |
| 26 | # | |
| 27 | # setroubleshootd local policy | |
| 28 | # | |
| 29 | ||
| 30 | allow setroubleshootd_t self:capability { dac_override sys_tty_config }; | |
| f6a590d7 | 31 | allow setroubleshootd_t self:process { signull signal getattr getsched }; |
| c0868a7a | 32 | allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; |
| eac818f0 CP |
33 | allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; |
| 34 | allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; | |
| 35 | allow setroubleshootd_t self:unix_dgram_socket create_socket_perms; | |
| eac818f0 CP |
36 | |
| 37 | # database files | |
| c0868a7a CP |
38 | allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr; |
| 39 | manage_files_pattern(setroubleshootd_t,setroubleshoot_var_lib_t,setroubleshoot_var_lib_t) | |
| eac818f0 CP |
40 | files_var_lib_filetrans(setroubleshootd_t,setroubleshoot_var_lib_t,{ file dir }) |
| 41 | ||
| 42 | # log files | |
| c0868a7a CP |
43 | allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr; |
| 44 | manage_files_pattern(setroubleshootd_t,setroubleshoot_var_log_t,setroubleshoot_var_log_t) | |
| 45 | manage_sock_files_pattern(setroubleshootd_t,setroubleshoot_var_log_t,setroubleshoot_var_log_t) | |
| eac818f0 CP |
46 | logging_log_filetrans(setroubleshootd_t,setroubleshoot_var_log_t,{ file dir }) |
| 47 | ||
| 48 | # pid file | |
| c0868a7a CP |
49 | manage_files_pattern(setroubleshootd_t,setroubleshoot_var_run_t,setroubleshoot_var_run_t) |
| 50 | manage_sock_files_pattern(setroubleshootd_t,setroubleshoot_var_run_t,setroubleshoot_var_run_t) | |
| eac818f0 CP |
51 | files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file }) |
| 52 | ||
| 53 | kernel_read_kernel_sysctls(setroubleshootd_t) | |
| 54 | kernel_read_system_state(setroubleshootd_t) | |
| 6b19be33 | 55 | kernel_read_network_state(setroubleshootd_t) |
| eac818f0 | 56 | |
| eac818f0 CP |
57 | corecmd_exec_bin(setroubleshootd_t) |
| 58 | corecmd_exec_shell(setroubleshootd_t) | |
| 59 | ||
| 19006686 CP |
60 | corenet_all_recvfrom_unlabeled(setroubleshootd_t) |
| 61 | corenet_all_recvfrom_netlabel(setroubleshootd_t) | |
| eac818f0 CP |
62 | corenet_tcp_sendrecv_generic_if(setroubleshootd_t) |
| 63 | corenet_tcp_sendrecv_all_nodes(setroubleshootd_t) | |
| 64 | corenet_tcp_sendrecv_all_ports(setroubleshootd_t) | |
| 65 | corenet_tcp_bind_all_nodes(setroubleshootd_t) | |
| eac818f0 | 66 | corenet_tcp_connect_smtp_port(setroubleshootd_t) |
| eac818f0 CP |
67 | corenet_sendrecv_smtp_client_packets(setroubleshootd_t) |
| 68 | ||
| 69 | dev_read_urand(setroubleshootd_t) | |
| cdf98fed | 70 | dev_read_sysfs(setroubleshootd_t) |
| eac818f0 | 71 | |
| 8708d9be CP |
72 | domain_dontaudit_search_all_domains_state(setroubleshootd_t) |
| 73 | ||
| eac818f0 CP |
74 | files_read_usr_files(setroubleshootd_t) |
| 75 | files_read_etc_files(setroubleshootd_t) | |
| 76 | files_getattr_all_dirs(setroubleshootd_t) | |
| 7aca2aa8 | 77 | files_getattr_all_files(setroubleshootd_t) |
| eac818f0 | 78 | |
| 0a0b8078 CP |
79 | fs_getattr_all_dirs(setroubleshootd_t) |
| 80 | fs_getattr_all_files(setroubleshootd_t) | |
| 81 | ||
| eac818f0 | 82 | selinux_get_enforce_mode(setroubleshootd_t) |
| 7aca2aa8 | 83 | selinux_validate_context(setroubleshootd_t) |
| eac818f0 | 84 | |
| eac818f0 CP |
85 | term_dontaudit_use_all_user_ptys(setroubleshootd_t) |
| 86 | term_dontaudit_use_all_user_ttys(setroubleshootd_t) | |
| 87 | ||
| 0a0b8078 CP |
88 | auth_use_nsswitch(setroubleshootd_t) |
| 89 | ||
| eac818f0 CP |
90 | init_read_utmp(setroubleshootd_t) |
| 91 | init_dontaudit_write_utmp(setroubleshootd_t) | |
| eac818f0 CP |
92 | |
| 93 | libs_use_ld_so(setroubleshootd_t) | |
| 94 | libs_use_shared_libs(setroubleshootd_t) | |
| 95 | ||
| 96 | miscfiles_read_localization(setroubleshootd_t) | |
| 97 | ||
| 98 | locallogin_dontaudit_use_fds(setroubleshootd_t) | |
| 99 | ||
| 100 | logging_send_syslog_msg(setroubleshootd_t) | |
| 101 | logging_stream_connect_auditd(setroubleshootd_t) | |
| 102 | ||
| 103 | seutil_read_config(setroubleshootd_t) | |
| 7aca2aa8 | 104 | seutil_read_file_contexts(setroubleshootd_t) |
| eac818f0 CP |
105 | |
| 106 | sysnet_read_config(setroubleshootd_t) | |
| 107 | ||
| e9c6cda7 | 108 | sysadm_dontaudit_read_home_content_files(setroubleshootd_t) |
| 7aca2aa8 | 109 | |
| cdf98fed CP |
110 | optional_policy(` |
| 111 | dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t) | |
| cdf98fed CP |
112 | dbus_connect_system_bus(setroubleshootd_t) |
| 113 | ') | |
| 114 | ||
| eac818f0 CP |
115 | optional_policy(` |
| 116 | rpm_read_db(setroubleshootd_t) | |
| 117 | rpm_dontaudit_manage_db(setroubleshootd_t) | |
| 118 | rpm_use_script_fds(setroubleshootd_t) | |
| 119 | ') |