# SELinux type-enforcement module for abrt. This part declares the daemon
# domain (abrt_t), the helper domain (abrt_helper_t) and the private file
# types that the allow rules further down refer to.
# NOTE(review): the number at the start of each line is the listing's own
# line number. The gaps show that lines are missing from this view (no
# "type abrt_t;" declaration is visible, for example) -- check any conclusion
# against the complete .te file.
2 policy_module(abrt, 1.1.0)
4 ########################################
# Registers abrt_t as a daemon domain with abrt_exec_t as its entry point.
11 init_daemon_domain(abrt_t, abrt_exec_t)
# Separate label for the abrt init script.
13 type abrt_initrc_exec_t;
14 init_script_file(abrt_initrc_exec_t)
# Private types for configuration, logs, temporary files, cache and pid
# files. One type per purpose lets the rules below grant read-only access
# to some (config) and full management to others (cache, logs).
18 files_config_file(abrt_etc_t)
22 logging_log_file(abrt_var_log_t)
26 files_tmp_file(abrt_tmp_t)
29 type abrt_var_cache_t;
30 files_type(abrt_var_cache_t)
34 files_pid_file(abrt_var_run_t)
36 # type needed to allow all domains
37 # to handle /var/cache/abrt
# abrt_helper_t is declared as an application domain (entry point
# abrt_helper_exec_t) and is allowed to run under system_r.
39 type abrt_helper_exec_t;
40 application_domain(abrt_helper_t, abrt_helper_exec_t)
41 role system_r types abrt_helper_t;
# Same domain and entry point as init_daemon_domain above, plus the range
# s0 - mcs_systemhigh.
# NOTE(review): presumably wrapped in an MCS/MLS conditional that this
# listing does not show (neighbouring line numbers are missing) -- confirm.
44 init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
47 ########################################
# abrt_t local policy: capabilities, self-owned IPC/sockets, and access to
# the module's own file types.
#
# dac_override lets the daemon bypass Unix permission bits, so for abrt_t
# the type-enforcement rules are what actually bound file access. setuid,
# setgid and chown let it change identity and ownership. Keep this list as
# short as the daemon really needs.
52 allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
# dontaudit does not grant sys_rawio; it only suppresses the denial record.
# When investigating abrt_t behaviour, rebuild the policy with dontaudit
# rules disabled (semodule -DB) to see these denials.
53 dontaudit abrt_t self:capability sys_rawio;
54 allow abrt_t self:process { signal signull setsched getsched };
# Own pipes and sockets: TCP/UDP for network use, unix datagram, and
# read-only netlink route queries.
56 allow abrt_t self:fifo_file rw_fifo_file_perms;
57 allow abrt_t self:tcp_socket create_stream_socket_perms;
58 allow abrt_t self:udp_socket create_socket_perms;
59 allow abrt_t self:unix_dgram_socket create_socket_perms;
60 allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# Configuration files: read/write on existing files only (no create or
# delete, unlike the manage_* patterns used for the other types).
63 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# Log files: full management; files the daemon creates in the log directory
# are labelled abrt_var_log_t by the type transition.
66 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
67 logging_log_filetrans(abrt_t, abrt_var_log_t, file)
# Temporary files and directories, labelled abrt_tmp_t on creation.
70 manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
71 manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
72 files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
74 # abrt var/cache files
# Symlinks are manageable here as well as files and directories; anything
# the daemon creates under the var directory gets abrt_var_cache_t.
75 manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
76 manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
77 manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
78 files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
# Runtime (pid) files, directories and symlinks, labelled abrt_var_run_t on
# creation.
81 manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
82 manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
83 manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
84 files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
# Access that abrt_t gets to the rest of the system, through interfaces of
# other policy modules.
#
# Kernel: read the kernel ring buffer and system state, and read/write
# kernel sysctls.
# NOTE(review): the write half of the sysctl access is presumably for
# registering the crash handler -- confirm which sysctl is needed.
86 kernel_read_ring_buffer(abrt_t)
87 kernel_read_system_state(abrt_t)
88 kernel_rw_kernel_sysctl(abrt_t)
# Generic binaries and shells run inside abrt_t itself (no domain
# transition), so whatever abrt_t may do, a shell started by it may do too.
# The daemon can also read every executable.
90 corecmd_exec_bin(abrt_t)
91 corecmd_exec_shell(abrt_t)
92 corecmd_read_all_executables(abrt_t)
# Network: outbound TCP over generic interfaces, nodes and ports.
94 corenet_all_recvfrom_netlabel(abrt_t)
95 corenet_all_recvfrom_unlabeled(abrt_t)
96 corenet_tcp_sendrecv_generic_if(abrt_t)
97 corenet_tcp_sendrecv_generic_node(abrt_t)
98 corenet_tcp_sendrecv_generic_port(abrt_t)
99 corenet_tcp_bind_generic_node(abrt_t)
100 corenet_tcp_connect_http_port(abrt_t)
101 corenet_tcp_connect_ftp_port(abrt_t)
# NOTE(review): connect_all_ports allows TCP connections to every port type
# and makes the http/ftp connect rules above redundant. If the reporting
# plugins only need HTTP and FTP, dropping this rule narrows the egress
# available to a compromised daemon -- confirm plugin requirements first.
102 corenet_tcp_connect_all_ports(abrt_t)
103 corenet_sendrecv_http_client_packets(abrt_t)
# Devices: attribute reads on all character devices and reads of urandom.
# Raw memory reads stay denied; the dontaudit only hides the denial.
106 dev_getattr_all_chr_files(abrt_t)
107 dev_read_urand(abrt_t)
109 dev_dontaudit_read_raw_memory(abrt_t)
# Process state of every domain is readable, so abrt_t can see other
# processes' /proc entries regardless of their type. It can also send the
# null signal (existence check) to any domain.
111 domain_getattr_all_domains(abrt_t)
112 domain_read_all_domains_state(abrt_t)
113 domain_signull_all_domains(abrt_t)
# Files: getattr on everything, read access to etc, var, usr, generic tmp
# files and kernel modules. Access to default-labelled files is denied
# silently.
115 files_getattr_all_files(abrt_t)
116 files_read_etc_files(abrt_t)
117 files_read_var_symlinks(abrt_t)
118 files_read_var_lib_files(abrt_t)
119 files_read_usr_files(abrt_t)
120 files_read_generic_tmp_files(abrt_t)
121 files_read_kernel_modules(abrt_t)
122 files_dontaudit_list_default(abrt_t)
123 files_dontaudit_read_default_files(abrt_t)
# Filesystems: search and getattr everywhere, plus reads on FUSE, NFS and
# filesystems without extended-attribute labels. Content on those mounts
# carries one label per filesystem type, so these reads are not narrowed
# by per-file types.
125 fs_list_inotifyfs(abrt_t)
126 fs_getattr_all_fs(abrt_t)
127 fs_getattr_all_dirs(abrt_t)
128 fs_read_fusefs_files(abrt_t)
129 fs_read_noxattr_fs_files(abrt_t)
130 fs_read_nfs_files(abrt_t)
131 fs_read_nfs_symlinks(abrt_t)
132 fs_search_all(abrt_t)
134 sysnet_read_config(abrt_t)
# Reads generic system logs and writes to syslog.
136 logging_read_generic_logs(abrt_t)
137 logging_send_syslog_msg(abrt_t)
139 miscfiles_read_certs(abrt_t)
140 miscfiles_read_localization(abrt_t)
# Reads of user home content are denied and not logged.
142 userdom_dontaudit_read_user_home_content_files(abrt_t)
# Integration with other services.
# NOTE(review): the gaps in the line numbers suggest each group sits inside
# an optional_policy wrapper that this listing does not show -- confirm
# against the full file.
#
# abrt_t is registered as a system D-Bus service.
145 dbus_system_domain(abrt_t, abrt_exec_t)
149 nis_use_ypbind(abrt_t)
# PolicyKit: D-Bus chat, a domain transition into the PolicyKit auth helper,
# and reads of PolicyKit library and reload files.
153 policykit_dbus_chat(abrt_t)
154 policykit_domtrans_auth(abrt_t)
155 policykit_read_lib(abrt_t)
156 policykit_read_reload(abrt_t)
159 # to install debuginfo packages
# Attempts to manage the RPM database are denied silently (dontaudit); the
# daemon may manage the RPM cache and RPM pid files.
162 rpm_dontaudit_manage_db(abrt_t)
163 rpm_manage_cache(abrt_t)
164 rpm_manage_pid_files(abrt_t)
169 # to run mailx plugin
# Mail is sent through a transition into the sendmail domain, so the mailer
# runs under its own policy rather than inside abrt_t.
171 sendmail_domtrans(abrt_t)
175 sssd_stream_connect(abrt_t)
178 ########################################
180 # abrt-helper local policy
# The helper gets a much smaller rule set than abrt_t: two capabilities,
# read-only config, and no network or exec interfaces in the visible lines.
183 allow abrt_helper_t self:capability { chown setgid };
184 allow abrt_helper_t self:process signal;
# Configuration is read-only for the helper.
186 read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
# Full management of the cache type, including symlinks; new files and
# directories created under the var directory are labelled abrt_var_cache_t.
188 manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
189 manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
190 manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
191 files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
# Runtime files of the daemon are read-only for the helper.
193 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
194 read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
# Like abrt_t, the helper can read the process state of every domain.
196 domain_read_all_domains_state(abrt_helper_t)
198 files_read_etc_files(abrt_helper_t)
200 fs_list_inotifyfs(abrt_helper_t)
201 fs_getattr_all_fs(abrt_helper_t)
203 auth_use_nsswitch(abrt_helper_t)
205 logging_send_syslog_msg(abrt_helper_t)
207 miscfiles_read_localization(abrt_helper_t)
# Terminal access is denied without an audit record (tty and pty).
209 term_dontaudit_use_all_ttys(abrt_helper_t)
210 term_dontaudit_use_all_ptys(abrt_helper_t)
212 ifdef(`hide_broken_symptoms', `
213 userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
214 userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
215 dev_dontaudit_read_all_blk_files(abrt_helper_t)
216 dev_dontaudit_read_all_chr_files(abrt_helper_t)
217 dev_dontaudit_write_all_chr_files(abrt_helper_t)
218 dev_dontaudit_write_all_blk_files(abrt_helper_t)
219 fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)