1 ## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
2 ## <desc>
3 ## <p>
4 ## A distributed, collaborative, spam detection and filtering network.
5 ## </p>
6 ## <p>
7 ## This policy will work with either the ATrpms provided config
8 ## file in /etc/razor, or with the default of dumping everything into
9 ## $HOME/.razor.
10 ## </p>
11 ## </desc>
12
#######################################
## <summary>
##	Template that declares a razor domain type ($1_t) and the
##	access rules every razor domain shares.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`razor_common_domain_template',`
	gen_require(`
		type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_t;
	domain_type($1_t)
	domain_entry_file($1_t, razor_exec_t)

	########################################
	#
	# Local policy
	#

	# NOTE(review): a negated set grants every self:process permission
	# except those listed, so any permission added to the process class
	# later is granted implicitly; a positive list would be tighter, but
	# the exact set these domains need is not established here.
	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_fifo_file_perms;
	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	allow $1_t self:tcp_socket create_socket_perms;

	# System configuration (razor_etc_t) is read-only for the domain.
	list_dirs_pattern($1_t, razor_etc_t, razor_etc_t)
	read_files_pattern($1_t, razor_etc_t, razor_etc_t)
	read_lnk_files_pattern($1_t, razor_etc_t, razor_etc_t)

	# Razor is one executable and several symlinks.
	allow $1_t razor_exec_t:file read_file_perms;
	allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;

	# Log files: full management, with new files created in the log
	# directory automatically labeled razor_log_t.
	manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
	manage_files_pattern($1_t, razor_log_t, razor_log_t)
	manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
	logging_log_filetrans($1_t, razor_log_t, file)

	# Persistent state (razor_var_lib_t): full management.
	files_search_var_lib($1_t)
	manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
	manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
	manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)

	kernel_getattr_core_if($1_t)
	kernel_getattr_message_if($1_t)
	kernel_read_kernel_sysctls($1_t)
	kernel_read_network_state($1_t)
	kernel_read_software_raid_state($1_t)
	kernel_read_system_state($1_t)

	corecmd_exec_bin($1_t)

	# Network: TCP traffic on the razor port over generic interfaces and
	# nodes. Raw-IP interface/node rules are also present, although no
	# self:rawip_socket rule appears in this template.
	corenet_all_recvfrom_unlabeled($1_t)
	corenet_all_recvfrom_netlabel($1_t)
	corenet_tcp_sendrecv_generic_if($1_t)
	corenet_tcp_sendrecv_generic_node($1_t)
	corenet_tcp_sendrecv_razor_port($1_t)
	corenet_raw_sendrecv_generic_if($1_t)
	corenet_raw_sendrecv_generic_node($1_t)

	# mktemp and other randoms
	dev_read_rand($1_t)
	dev_read_urand($1_t)

	# Generic /etc content, including mtab and nsswitch.
	files_read_etc_files($1_t)
	files_read_etc_runtime_files($1_t)
	files_search_pids($1_t)

	fs_search_auto_mountpoints($1_t)

	libs_read_lib_files($1_t)

	miscfiles_read_localization($1_t)

	# Name resolution for the razor network.
	sysnet_dns_name_resolve($1_t)
	sysnet_read_config($1_t)

	optional_policy(`
		nis_use_ypbind($1_t)
	')
')
106
########################################
## <summary>
##	Role access for razor: lets a user role run razor in the
##	razor_t domain and manage its razor_home_t data.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
## <rolecap/>
#
interface(`razor_role',`
	gen_require(`
		type razor_t, razor_exec_t, razor_home_t;
	')

	# The role may hold razor_t, and the user domain transitions into it
	# when executing razor_exec_t.
	role $1 types razor_t;
	domtrans_pattern($2, razor_exec_t, razor_t)

	# The user domain can see its razor processes in ps and signal them;
	# ptrace is granted only while the deny_ptrace tunable is off.
	ps_process_pattern($2, razor_t)
	allow $2 razor_t:process signal_perms;
	tunable_policy(`deny_ptrace',`',`
		allow $2 razor_t:process ptrace;
	')

	# Full management and relabeling of razor_home_t dirs, files and
	# symlinks (the per-user razor data).
	manage_dirs_pattern($2, razor_home_t, razor_home_t)
	relabel_dirs_pattern($2, razor_home_t, razor_home_t)
	manage_files_pattern($2, razor_home_t, razor_home_t)
	relabel_files_pattern($2, razor_home_t, razor_home_t)
	manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
	relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
')
147
########################################
## <summary>
##	Execute razor in the system razor domain: the caller
##	transitions to razor_t when it executes razor_exec_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`razor_domtrans',`
	gen_require(`
		type razor_exec_t, razor_t;
	')

	# Automatic domain transition on exec, plus the fd/fifo/sigchld
	# access back to the caller that the pattern grants.
	domtrans_pattern($1, razor_exec_t, razor_t)
')
165
########################################
## <summary>
##	Create, read, write, and delete razor files
##	(razor_home_t) in a user home subdirectory, and
##	read symlinks there.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`razor_manage_user_home_files',`
	gen_require(`
		type razor_home_t;
	')

	# Reach the user's home directory first, then act on the
	# razor_home_t content. No manage_dirs_pattern is granted here, so
	# razor_home_t directories themselves are not created or removed.
	userdom_search_user_home_dirs($1)
	read_lnk_files_pattern($1, razor_home_t, razor_home_t)
	manage_files_pattern($1, razor_home_t, razor_home_t)
')
186
########################################
## <summary>
##	Read razor state files (razor_var_lib_t) under
##	the system var lib directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`razor_read_lib_files',`
	gen_require(`
		type razor_var_lib_t;
	')

	# Search access to the var lib tree, then read-only access to
	# razor_var_lib_t directories and files.
	files_search_var_lib($1)
	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
')