Module version bump for c17ad38 5271920 2a2b6a7 01c4413 c4fbfae a831710
1 ## <summary>SELinux troubleshooting service</summary>
2
########################################
## <summary>
##	Allow the specified domain to connect to
##	setroubleshootd over its unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`setroubleshoot_stream_connect',`
	gen_require(`
		type setroubleshoot_var_run_t;
		type setroubleshootd_t;
	')

	# files_search_pids and stream_connect_pattern are defined outside
	# this file. Presumably the first grants search access to the pid
	# directory and the second grants the directory, socket file and
	# connectto access needed to reach the daemon - confirm against the
	# support macros of this tree.
	files_search_pids($1)

	# Explicit read access to the socket file, granted in addition to
	# whatever the pattern macro below expands to.
	allow $1 setroubleshoot_var_run_t:sock_file read;

	# Arguments: client domain, directory type, socket file type, and
	# the domain that owns the listening socket.
	stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)
')
22
########################################
## <summary>
##	Do not audit attempts to connect to
##	setroubleshootd over its unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`setroubleshoot_dontaudit_stream_connect',`
	gen_require(`
		type setroubleshoot_var_run_t;
		type setroubleshootd_t;
	')

	# These rules grant nothing. The access stays denied, but the AVC
	# denial is no longer written to the audit log, so a blocked
	# connection attempt from the calling domain leaves no record.
	# When investigating such a domain, rebuild the policy with
	# dontaudit rules disabled (semodule -DB) to see the denials again.
	dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
	dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms;
')
42
########################################
## <summary>
##	Send and receive messages from
##	setroubleshootd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`setroubleshoot_dbus_chat',`
	gen_require(`
		class dbus send_msg;
		type setroubleshootd_t;
	')

	# The grant is symmetric: the daemon may send to the calling domain
	# and the calling domain may send to the daemon. Message content is
	# not constrained at this layer.
	allow setroubleshootd_t $1:dbus send_msg;
	allow $1 setroubleshootd_t:dbus send_msg;
')
63
########################################
## <summary>
##	Do not audit attempts to send and receive
##	messages from setroubleshootd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`setroubleshoot_dontaudit_dbus_chat',`
	gen_require(`
		class dbus send_msg;
		type setroubleshootd_t;
	')

	# Denials are silenced in both directions. No access is granted;
	# the refused dbus messages simply stop appearing in the audit log
	# for the calling domain and for the daemon sending to it.
	dontaudit setroubleshootd_t $1:dbus send_msg;
	dontaudit $1 setroubleshootd_t:dbus send_msg;
')
84
########################################
## <summary>
##	Send and receive messages from
##	setroubleshoot fixit over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`setroubleshoot_dbus_chat_fixit',`
	gen_require(`
		class dbus send_msg;
		type setroubleshoot_fixit_t;
	')

	# The peer here is setroubleshoot_fixit_t, not setroubleshootd_t.
	# Callers that only need to talk to the daemon should use
	# setroubleshoot_dbus_chat instead of this interface.
	allow setroubleshoot_fixit_t $1:dbus send_msg;
	allow $1 setroubleshoot_fixit_t:dbus send_msg;
')
105
########################################
## <summary>
##	All of the rules required to administrate
##	a setroubleshoot environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`setroubleshoot_admin',`
	gen_require(`
		type setroubleshootd_t;
		type setroubleshoot_log_t;
		type setroubleshoot_var_lib_t;
		type setroubleshoot_var_run_t;
	')

	# Runtime (pid) files of the daemon.
	files_list_pids($1)
	admin_pattern($1, setroubleshoot_var_run_t)

	# Persistent state under the var lib tree.
	files_list_var_lib($1)
	admin_pattern($1, setroubleshoot_var_lib_t)

	# Log files written by the daemon.
	logging_list_logs($1)
	admin_pattern($1, setroubleshoot_log_t)

	# Process control over the running daemon.
	ps_process_pattern($1, setroubleshootd_t)
	allow $1 setroubleshootd_t:process signal_perms;

	# NOTE(review): ptrace lets the admin domain read and modify the
	# memory of the running daemon, which goes well beyond signalling
	# it. Kept on its own rule so it is easy to audit; confirm every
	# caller needs it, and whether this tree has a tunable that could
	# gate it.
	allow $1 setroubleshootd_t:process ptrace;

	# NOTE(review): setroubleshoot_fixit_t, which this file exposes via
	# setroubleshoot_dbus_chat_fixit, is not covered by any rule here -
	# verify that is intended.
')