1 ## <summary>SELinux troubleshooting service</summary>
3 ########################################
5 ## Connect to setroubleshootd over a unix stream socket.
7 ## <param name="domain">
9 ## Domain allowed access.
13 interface(`setroubleshoot_stream_connect',`
# Types from the setroubleshoot module that the rules below refer to.
15 type setroubleshootd_t, setroubleshoot_var_run_t;
# Let the caller domain connect to the setroubleshootd unix stream socket.
# Arguments are the caller, the directory type, the socket file type and
# the domain that owns the listening socket.
19 stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)
# Additionally allow read on the socket file itself.
# NOTE(review): this opens a channel into the troubleshooting daemon, so
# call this interface only from domains that must talk to setroubleshootd.
20 allow $1 setroubleshoot_var_run_t:sock_file read;
23 ########################################
25 ## Dontaudit attempts to connect to setroubleshootd
26 ## over a unix stream socket.
28 ## <param name="domain">
30 ## Domain to not audit.
34 interface(`setroubleshoot_dontaudit_stream_connect',`
# Types from the setroubleshoot module that the rules below refer to.
36 type setroubleshootd_t, setroubleshoot_var_run_t;
# dontaudit grants no access. It only keeps the denied attempt out of the
# audit log: first for the socket file, then for the connectto on the
# daemon socket.
# NOTE(review): a domain probing this socket leaves no AVC record while
# these rules are active. During an investigation, rebuild the policy with
# dontaudit rules disabled (semodule -DB) to see the denials.
39 dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms;
40 dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
43 ########################################
45 ## Send and receive messages from
46 ## setroubleshoot over dbus.
48 ## <param name="domain">
50 ## Domain allowed access.
54 interface(`setroubleshoot_dbus_chat',`
# Daemon domain that the D-Bus rules below refer to.
56 type setroubleshootd_t;
# send_msg is granted in both directions, so the caller can send messages
# to setroubleshootd and the daemon can send messages back to the caller.
# NOTE(review): the reverse rule lets the daemon message every domain that
# calls this interface, so keep the set of callers small.
60 allow $1 setroubleshootd_t:dbus send_msg;
61 allow setroubleshootd_t $1:dbus send_msg;
64 ########################################
66 ## Do not audit attempts to send and receive messages from
67 ## setroubleshoot over dbus.
69 ## <param name="domain">
71 ## Domain to not audit.
75 interface(`setroubleshoot_dontaudit_dbus_chat',`
# Daemon domain that the D-Bus rules below refer to.
77 type setroubleshootd_t;
# Suppress audit records for denied D-Bus messages in either direction.
# No access is granted by these rules.
# NOTE(review): denied message attempts between the caller and the daemon
# will not show up in the audit log while these rules are loaded.
81 dontaudit $1 setroubleshootd_t:dbus send_msg;
82 dontaudit setroubleshootd_t $1:dbus send_msg;
85 ########################################
87 ## Send and receive messages from
88 ## setroubleshoot fixit over dbus.
90 ## <param name="domain">
92 ## Domain allowed access.
96 interface(`setroubleshoot_dbus_chat_fixit',`
# This interface targets the fixit domain, not the setroubleshootd daemon.
98 type setroubleshoot_fixit_t;
# send_msg is granted in both directions between the caller and the
# fixit domain.
# NOTE(review): presumably the fixit helper acts on the messages it
# receives, so confirm what each caller is expected to request from it.
102 allow $1 setroubleshoot_fixit_t:dbus send_msg;
103 allow setroubleshoot_fixit_t $1:dbus send_msg;
106 ########################################
108 ## All of the rules required to administrate
109 ## a setroubleshoot environment.
111 ## <param name="domain">
113 ## Domain allowed access.
118 interface(`setroubleshoot_admin',`
# Types the administrative rules below apply to: the daemon domain and
# its log, var lib and var run file types.
120 type setroubleshootd_t, setroubleshoot_log_t;
121 type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
# Allow the caller to signal and ptrace the daemon process.
# NOTE(review): ptrace lets the admin domain inspect and alter the memory
# of setroubleshootd, which is more than signalling needs. Confirm that
# every caller requires it before granting this interface.
124 allow $1 setroubleshootd_t:process { ptrace signal_perms };
# Let the caller see the daemon in process listings.
125 ps_process_pattern($1, setroubleshootd_t)
# List the log directory, then administer the setroubleshoot log files.
# NOTE(review): admin access to the log type presumably includes removing
# or rewriting the logs, so treat callers as trusted for log integrity.
127 logging_list_logs($1)
128 admin_pattern($1, setroubleshoot_log_t)
# Same for the state kept under the var lib directory.
130 files_list_var_lib($1)
131 admin_pattern($1, setroubleshoot_var_lib_t)
# Administer the runtime files, which include the daemon socket file.
134 admin_pattern($1, setroubleshoot_var_run_t)