1 policy_module(rhgb, 1.9.0)
3 ########################################
10 init_daemon_domain(rhgb_t, rhgb_exec_t)
13 files_tmpfs_file(rhgb_tmpfs_t)
16 term_pty(rhgb_devpts_t)
18 ########################################
23 allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
24 dontaudit rhgb_t self:capability sys_tty_config;
25 allow rhgb_t self:process { setpgid signal_perms };
26 allow rhgb_t self:shm create_shm_perms;
27 allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
28 allow rhgb_t self:fifo_file rw_fifo_file_perms;
29 allow rhgb_t self:tcp_socket create_socket_perms;
30 allow rhgb_t self:udp_socket create_socket_perms;
31 allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
33 allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
34 term_create_pty(rhgb_t, rhgb_devpts_t)
36 manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
37 manage_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
38 manage_lnk_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
39 manage_fifo_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
40 manage_sock_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
41 fs_tmpfs_filetrans(rhgb_t, rhgb_tmpfs_t, { dir file lnk_file sock_file fifo_file })
43 kernel_read_kernel_sysctls(rhgb_t)
44 kernel_read_system_state(rhgb_t)
46 corecmd_exec_bin(rhgb_t)
47 corecmd_exec_shell(rhgb_t)
49 corenet_all_recvfrom_unlabeled(rhgb_t)
50 corenet_all_recvfrom_netlabel(rhgb_t)
51 corenet_tcp_sendrecv_generic_if(rhgb_t)
52 corenet_udp_sendrecv_generic_if(rhgb_t)
53 corenet_tcp_sendrecv_generic_node(rhgb_t)
54 corenet_udp_sendrecv_generic_node(rhgb_t)
55 corenet_tcp_sendrecv_all_ports(rhgb_t)
56 corenet_udp_sendrecv_all_ports(rhgb_t)
57 corenet_tcp_connect_all_ports(rhgb_t)
58 corenet_sendrecv_all_client_packets(rhgb_t)
60 dev_read_sysfs(rhgb_t)
61 dev_read_urand(rhgb_t)
63 domain_use_interactive_fds(rhgb_t)
65 files_read_etc_files(rhgb_t)
66 files_read_var_files(rhgb_t)
67 files_read_etc_runtime_files(rhgb_t)
68 files_search_tmp(rhgb_t)
69 files_read_usr_files(rhgb_t)
70 files_mounton_mnt(rhgb_t)
71 files_dontaudit_rw_root_dir(rhgb_t)
72 files_dontaudit_read_default_files(rhgb_t)
73 files_dontaudit_search_pids(rhgb_t)
75 files_dontaudit_search_var(rhgb_t)
77 fs_search_auto_mountpoints(rhgb_t)
78 fs_mount_ramfs(rhgb_t)
79 fs_unmount_ramfs(rhgb_t)
80 fs_getattr_tmpfs(rhgb_t)
81 # for ramfs file systems
82 fs_manage_ramfs_dirs(rhgb_t)
83 fs_manage_ramfs_files(rhgb_t)
84 fs_manage_ramfs_pipes(rhgb_t)
85 fs_manage_ramfs_sockets(rhgb_t)
87 selinux_dontaudit_read_fs(rhgb_t)
89 term_use_unallocated_ttys(rhgb_t)
91 term_getattr_pty_fs(rhgb_t)
93 init_write_initctl(rhgb_t)
96 libs_read_lib_files(rhgb_t)
98 logging_send_syslog_msg(rhgb_t)
100 miscfiles_read_localization(rhgb_t)
101 miscfiles_read_fonts(rhgb_t)
102 miscfiles_dontaudit_write_fonts(rhgb_t)
104 seutil_search_default_contexts(rhgb_t)
105 seutil_read_config(rhgb_t)
107 sysnet_read_config(rhgb_t)
108 sysnet_domtrans_ifconfig(rhgb_t)
110 userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
111 userdom_dontaudit_search_user_home_content(rhgb_t)
113 xserver_read_tmp_files(rhgb_t)
115 # for running setxkbmap
116 xserver_read_xkb_libs(rhgb_t)
117 xserver_domtrans(rhgb_t)
118 xserver_signal(rhgb_t)
119 xserver_read_xdm_tmp_files(rhgb_t)
120 xserver_stream_connect(rhgb_t)
123 consoletype_exec(rhgb_t)
127 nis_use_ypbind(rhgb_t)
131 seutil_sigchld_newrole(rhgb_t)
139 #this seems a bit much
140 allow domain rhgb_devpts_t:chr_file { read write };
141 allow initrc_t rhgb_gph_t:fd use;
projects / people / stevee / selinux-policy.git / blob