]>
Commit | Line | Data |
---|---|---|
096ae611 CP |
1 | |
2 | policy_module(cipe,1.0.0) | |
3 | ||
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type ciped_t; | |
10 | type ciped_exec_t; | |
11 | init_daemon_domain(ciped_t,ciped_exec_t) | |
12 | ||
13 | ######################################## | |
14 | # | |
15 | # Local policy | |
16 | # | |
17 | ||
18 | allow ciped_t self:capability { net_admin ipc_lock sys_tty_config }; | |
19 | dontaudit ciped_t self:capability sys_tty_config; | |
20 | allow ciped_t self:process signal_perms; | |
21 | allow ciped_t self:fifo_file rw_file_perms; | |
22 | allow ciped_t self:unix_dgram_socket create_socket_perms; | |
23 | allow ciped_t self:unix_stream_socket create_socket_perms; | |
24 | allow ciped_t self:udp_socket create_socket_perms; | |
25 | ||
26 | kernel_read_kernel_sysctls(ciped_t) | |
27 | kernel_read_system_state(ciped_t) | |
28 | ||
29 | corecmd_exec_shell(ciped_t) | |
30 | corecmd_exec_bin(ciped_t) | |
31 | corecmd_exec_sbin(ciped_t) | |
32 | ||
33 | corenet_udp_sendrecv_generic_if(ciped_t) | |
34 | corenet_raw_sendrecv_generic_if(ciped_t) | |
35 | corenet_udp_sendrecv_all_nodes(ciped_t) | |
36 | corenet_raw_sendrecv_all_nodes(ciped_t) | |
37 | corenet_udp_sendrecv_all_ports(ciped_t) | |
38 | corenet_non_ipsec_sendrecv(ciped_t) | |
39 | corenet_udp_bind_all_nodes(ciped_t) | |
40 | # cipe uses the afs3-bos port (udp 7007) | |
41 | corenet_udp_bind_afs_bos_port(ciped_t) | |
42 | ||
43 | dev_read_sysfs(ciped_t) | |
44 | dev_read_rand(ciped_t) | |
45 | # for SSP | |
46 | dev_read_urand(ciped_t) | |
47 | ||
48 | domain_use_interactive_fds(ciped_t) | |
49 | ||
50 | files_read_etc_files(ciped_t) | |
51 | files_read_etc_runtime_files(ciped_t) | |
52 | files_dontaudit_search_var(ciped_t) | |
53 | ||
54 | fs_search_auto_mountpoints(ciped_t) | |
55 | ||
56 | term_dontaudit_use_console(ciped_t) | |
57 | ||
58 | init_use_fds(ciped_t) | |
59 | init_use_script_ptys(ciped_t) | |
60 | ||
61 | libs_use_ld_so(ciped_t) | |
62 | libs_use_shared_libs(ciped_t) | |
63 | ||
64 | logging_send_syslog_msg(ciped_t) | |
65 | ||
66 | miscfiles_read_localization(ciped_t) | |
67 | ||
68 | sysnet_read_config(ciped_t) | |
69 | ||
70 | userdom_dontaudit_use_unpriv_user_fds(ciped_t) | |
71 | ||
72 | ifdef(`targeted_policy',` | |
73 | term_dontaudit_use_unallocated_ttys(ciped_t) | |
74 | term_dontaudit_use_generic_ptys(ciped_t) | |
75 | files_dontaudit_read_root_files(ciped_t) | |
76 | ') | |
77 | ||
78 | optional_policy(` | |
79 | nis_use_ypbind(ciped_t) | |
80 | ') | |
81 | ||
82 | optional_policy(` | |
83 | seutil_sigchld_newrole(ciped_t) | |
84 | ') | |
85 | ||
86 | optional_policy(` | |
87 | udev_read_db(ciped_t) | |
88 | ') |