policy/modules/admin/prelink.te

   1
   2 policy_module(prelink, 1.9.0)
   3
   4 ########################################
   5 #
   6 # Declarations
   7
   8 attribute prelink_object;
   9
  10 type prelink_t;
  11 type prelink_exec_t;
  12 init_system_domain(prelink_t, prelink_exec_t)
  13 domain_obj_id_change_exemption(prelink_t)
  14
  15 type prelink_cache_t;
  16 files_type(prelink_cache_t)
  17
  18 type prelink_cron_system_t;
  19 type prelink_cron_system_exec_t;
  20 domain_type(prelink_cron_system_t)
  21 domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
  22
  23 type prelink_log_t;
  24 logging_log_file(prelink_log_t)
  25
  26 type prelink_tmp_t;
  27 files_tmp_file(prelink_tmp_t)
  28
  29 type prelink_tmpfs_t;
  30 files_tmpfs_file(prelink_tmpfs_t)
  31
  32 type prelink_var_lib_t;
  33 files_type(prelink_var_lib_t)
  34
  35 ########################################
  36 #
  37 # Local policy
  38 #
  39
  40 allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
  41 allow prelink_t self:process { execheap execmem execstack signal };
  42 allow prelink_t self:fifo_file rw_fifo_file_perms;
  43
  44 allow prelink_t prelink_cache_t:file manage_file_perms;
  45 files_etc_filetrans(prelink_t, prelink_cache_t, file)
  46
  47 allow prelink_t prelink_log_t:dir setattr;
  48 create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
  49 append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
  50 read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
  51 logging_log_filetrans(prelink_t, prelink_log_t, file)
  52
  53 allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
  54 files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
  55
  56 allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
  57 fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
  58
  59 manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
  60 manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
  61 relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
  62 files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
  63
  64 # prelink misc objects that are not system
  65 # libraries or entrypoints
  66 allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
  67
  68 kernel_read_system_state(prelink_t)
  69 kernel_read_kernel_sysctls(prelink_t)
  70
  71 corecmd_manage_all_executables(prelink_t)
  72 corecmd_relabel_all_executables(prelink_t)
  73 corecmd_mmap_all_executables(prelink_t)
  74 corecmd_read_bin_symlinks(prelink_t)
  75
  76 dev_read_urand(prelink_t)
  77
  78 files_list_all(prelink_t)
  79 files_getattr_all_files(prelink_t)
  80 files_write_non_security_dirs(prelink_t)
  81 files_read_etc_files(prelink_t)
  82 files_read_etc_runtime_files(prelink_t)
  83 files_dontaudit_read_all_symlinks(prelink_t)
  84 files_manage_usr_files(prelink_t)
  85 files_manage_var_files(prelink_t)
  86 files_relabelfrom_usr_files(prelink_t)
  87
  88 fs_getattr_xattr_fs(prelink_t)
  89
  90 selinux_get_enforce_mode(prelink_t)
  91
  92 libs_exec_ld_so(prelink_t)
  93 libs_legacy_use_shared_libs(prelink_t)
  94 libs_manage_ld_so(prelink_t)
  95 libs_relabel_ld_so(prelink_t)
  96 libs_manage_shared_libs(prelink_t)
  97 libs_relabel_shared_libs(prelink_t)
  98 libs_delete_lib_symlinks(prelink_t)
  99
 100 miscfiles_read_localization(prelink_t)
 101
 102 userdom_use_user_terminals(prelink_t)
 103
 104 optional_policy(`
 105         amanda_manage_lib(prelink_t)
 106 ')
 107
 108 optional_policy(`
 109         cron_system_entry(prelink_t, prelink_exec_t)
 110 ')
 111
 112 optional_policy(`
 113         rpm_manage_tmp_files(prelink_t)
 114 ')
 115
 116 optional_policy(`
 117         unconfined_domain(prelink_t)
 118 ')
 119
 120 ########################################
 121 #
 122 # Prelink Cron system Policy
 123 #
 124
 125 optional_policy(`
 126         allow prelink_cron_system_t self:capability setuid;
 127         allow prelink_cron_system_t self:process { setsched setfscreate };
 128         allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
 129         allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
 130
 131         read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
 132         allow prelink_cron_system_t prelink_cache_t:file unlink;
 133
 134         domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
 135         allow prelink_cron_system_t prelink_t:process noatsecure;
 136
 137         manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)
 138
 139         manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
 140         files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
 141         allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
 142
 143         kernel_read_system_state(prelink_cron_system_t)
 144
 145         corecmd_exec_bin(prelink_cron_system_t)
 146         corecmd_exec_shell(prelink_cron_system_t)
 147
 148         files_read_etc_files(prelink_cron_system_t)
 149
 150         init_exec(prelink_cron_system_t)
 151
 152         libs_exec_ld_so(prelink_cron_system_t)
 153
 154         logging_search_logs(prelink_cron_system_t)
 155
 156         miscfiles_read_localization(prelink_cron_system_t)
 157
 158         cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
 159
 160         optional_policy(`
 161                 rpm_read_db(prelink_cron_system_t)
 162         ')
 163 ')