1 ## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
4 ## A distributed, collaborative, spam detection and filtering network.
7 ## This policy will work with either the ATrpms-provided config
8 ## file in /etc/razor, or with the default of dumping everything into
13 #######################################
15 ## Template to create types and rules common to
18 ## <param name="prefix">
20 ## The prefix of the domain (e.g., user
21 ## is the prefix for user_t).
25 template(`razor_common_domain_template',`
# Rules shared by every razor domain derived from prefix $1 (domain $1_t).
# NOTE(review): original lines 26 and 28-31 are not shown in this listing;
# the "type" declaration below is presumably wrapped in a gen_require
# block there -- verify against the full file.
27 type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
# $1_t may be entered by executing a razor_exec_t file.
32 domain_entry_file($1_t, razor_exec_t)
# Complement set: every self:process permission EXCEPT the listed ones,
# so the domain cannot ptrace, change its own context (setcurrent /
# setexec / setfscreate), raise its rlimits, or get execmem/execstack/execheap.
34 allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
35 allow $1_t self:fd use;
36 allow $1_t self:fifo_file rw_fifo_file_perms;
37 allow $1_t self:unix_dgram_socket create_socket_perms;
38 allow $1_t self:unix_stream_socket create_stream_socket_perms;
39 allow $1_t self:unix_dgram_socket sendto;
40 allow $1_t self:unix_stream_socket connectto;
# SysV IPC on self (shared memory, semaphores, message queues).
41 allow $1_t self:shm create_shm_perms;
42 allow $1_t self:sem create_sem_perms;
43 allow $1_t self:msgq create_msgq_perms;
44 allow $1_t self:msg { send receive };
# Only tcp_socket is granted on self in the visible lines (no rawip_socket).
45 allow $1_t self:tcp_socket create_socket_perms;
47 # Read the system config files (razor_etc_t); no write access is granted.
48 allow $1_t razor_etc_t:dir list_dir_perms;
49 allow $1_t razor_etc_t:file read_file_perms;
50 allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
# Full manage rights on the log type, plus a type transition so files
# this domain creates in the generic log directories get razor_log_t.
52 manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
53 manage_files_pattern($1_t, razor_log_t, razor_log_t)
54 manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
55 logging_log_filetrans($1_t, razor_log_t, file)
# Same for the state under var/lib; files_search_var_lib lets the domain
# traverse /var/lib to reach it.
57 manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
58 manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
59 manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
60 files_search_var_lib($1_t)
62 # Razor is one executable and several symlinks
63 allow $1_t razor_exec_t:file read_file_perms;
64 allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
# Read-only kernel state: proc system/network state, software RAID
# state, core/message interfaces, and kernel sysctls.
66 kernel_read_system_state($1_t)
67 kernel_read_network_state($1_t)
68 kernel_read_software_raid_state($1_t)
69 kernel_getattr_core_if($1_t)
70 kernel_getattr_message_if($1_t)
71 kernel_read_kernel_sysctls($1_t)
# May execute generic programs from the bin directories.
73 corecmd_exec_bin($1_t)
# Network: accept packets from unlabeled and netlabel peers, TCP on
# generic interfaces/nodes, and the razor port.
# NOTE(review): raw send/receive on generic interfaces and nodes is also
# granted below, yet only tcp_socket is allowed on self in this listing;
# confirm a rawip_socket rule exists in the omitted lines, otherwise the
# two corenet_raw_* rules grant more than the domain can use.
75 corenet_all_recvfrom_unlabeled($1_t)
76 corenet_all_recvfrom_netlabel($1_t)
77 corenet_tcp_sendrecv_generic_if($1_t)
78 corenet_raw_sendrecv_generic_if($1_t)
79 corenet_tcp_sendrecv_generic_node($1_t)
80 corenet_raw_sendrecv_generic_node($1_t)
81 corenet_tcp_sendrecv_razor_port($1_t)
83 # mktemp and other randoms
# (original lines 84-86 are not shown in this listing)
87 files_search_pids($1_t)
88 # Allow read access to various files in the /etc directory, including mtab
90 files_read_etc_files($1_t)
91 files_read_etc_runtime_files($1_t)
# Search automount mount points.
93 fs_search_auto_mountpoints($1_t)
# Read shared library files.
95 libs_read_lib_files($1_t)
# Read locale / localization data.
97 miscfiles_read_localization($1_t)
# Read the network configuration and resolve DNS names.
99 sysnet_read_config($1_t)
100 sysnet_dns_name_resolve($1_t)
107 ########################################
109 ## Role access for razor
111 ## <param name="role">
113 ## Role allowed access
116 ## <param name="domain">
118 ## User domain for the role
123 interface(`razor_role',`
# Lets role $1 and its user domain $2 run razor in razor_t and manage the
# razor files in the user's home directory.
# NOTE(review): original lines 124 and 126-127 are not shown; the "type"
# declaration below is presumably inside a gen_require block there.
125 type razor_t, razor_exec_t, razor_home_t;
# The role may have processes in razor_t.
128 role $1 types razor_t;
130 # Transition from the user domain to the derived domain.
131 domtrans_pattern($2, razor_exec_t, razor_t)
133 # Allow ps to show razor and allow the user to kill it.
134 ps_process_pattern($2, razor_t)
135 allow $2 razor_t:process signal_perms;
# The true-branch is empty; ptrace on razor_t is granted only in the
# else-branch, i.e. while the deny_ptrace boolean is off.
# (The tunable_policy closing at original line 138 is not shown here.)
136 tunable_policy(`deny_ptrace',`',`
137 allow $2 razor_t:process ptrace;
# Full manage and relabel rights on razor_home_t content.
140 manage_dirs_pattern($2, razor_home_t, razor_home_t)
141 manage_files_pattern($2, razor_home_t, razor_home_t)
142 manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
143 relabel_dirs_pattern($2, razor_home_t, razor_home_t)
144 relabel_files_pattern($2, razor_home_t, razor_home_t)
145 relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
148 ########################################
150 ## Execute razor in the system razor domain.
152 ## <param name="domain">
154 ## Domain allowed to transition.
158 interface(`razor_domtrans',`
# Domain $1 transitions to razor_t when it executes a razor_exec_t file.
# NOTE(review): original lines 159 and 161-162 are not shown; the "type"
# declaration is presumably inside a gen_require block there.
160 type razor_t, razor_exec_t;
163 domtrans_pattern($1, razor_exec_t, razor_t)
166 ########################################
168 ## Create, read, write, and delete razor files
169 ## in a user home subdirectory.
171 ## <param name="domain">
173 ## Domain allowed access.
177 interface(`razor_manage_user_home_files',`
# Domain $1 gets full manage rights on razor_home_t files (read-only on
# its symlinks) and may search user home directories to reach them.
# NOTE(review): original lines 178-181 are not shown in this listing;
# razor_home_t is presumably declared in a gen_require block there --
# verify, since nothing visible here requires the type.
182 userdom_search_user_home_dirs($1)
183 manage_files_pattern($1, razor_home_t, razor_home_t)
184 read_lnk_files_pattern($1, razor_home_t, razor_home_t)
187 ########################################
189 ## Read razor lib files.
191 ## <param name="domain">
193 ## Domain allowed access.
197 interface(`razor_read_lib_files',`
# Domain $1 may traverse /var/lib and read (not write) razor_var_lib_t files.
# NOTE(review): original lines 198 and 200-201 are not shown; the "type"
# declaration is presumably inside a gen_require block there.
199 type razor_var_lib_t;
202 files_search_var_lib($1)
203 read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)