policy_module(setrans, 1.7.0)

# Bring the "contains" permission of the context class into scope for the
# self rule further down.
gen_require(`
	class context contains;
')

########################################
#
# Declarations
#

# Daemon domain and the label of its executable; init_daemon_domain()
# wires the transition from init into setrans_t.
type setrans_t;
type setrans_exec_t;
init_daemon_domain(setrans_t, setrans_exec_t)

# Label for the init script that starts the daemon.
type setrans_initrc_exec_t;
init_script_file(setrans_initrc_exec_t)

# Runtime (pid) files of the daemon. mls_trusted_object() relaxes the MLS
# constraints on objects of this type so clients at other levels can reach
# them — NOTE(review): check the exact relaxation against the
# mls_trusted_object definition in the mls module before widening its use.
type setrans_var_run_t;
files_pid_file(setrans_var_run_t)
mls_trusted_object(setrans_var_run_t)

# The daemon is started as a ranged domain so that it can serve requests
# from clients at any category set (MCS) or level (MLS) the build enables.
ifdef(`enable_mcs',`
	init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(setrans_t, setrans_exec_t, mls_systemhigh)
')

########################################
#
# setrans local policy
#

# Self permissions: adjusting its own resource limits (sys_resource +
# setrlimit), reading/setting its own capabilities, signalling itself, and
# the local sockets it serves on.
allow setrans_t self:capability sys_resource;
allow setrans_t self:process { setrlimit getcap setcap signal_perms };
allow setrans_t self:unix_stream_socket create_stream_socket_perms;
allow setrans_t self:unix_dgram_socket create_socket_perms;
# netlink_selinux_socket: presumably used to receive SELinux kernel
# notifications (policy load, enforcing toggles) — confirm against the daemon.
allow setrans_t self:netlink_selinux_socket create_socket_perms;
# "contains" on the context class is checked when the daemon asks whether
# one context dominates another — NOTE(review): confirm against the daemon.
allow setrans_t self:context contains;

# Execute its own binary (re-exec, presumably) and search the bin dirs.
can_exec(setrans_t, setrans_exec_t)
corecmd_search_bin(setrans_t)

# create unix domain socket in /var
# Files and socket files of type setrans_var_run_t are fully managed; note
# that only plain files created directly in the pid directory get the
# automatic type transition here, so a socket placed there directly would
# keep the parent directory type — TODO confirm the socket lives inside an
# already-labelled setrans_var_run_t directory per the file contexts.
manage_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
files_pid_filetrans(setrans_t, setrans_var_run_t, file)

kernel_read_kernel_sysctls(setrans_t)
kernel_read_proc_symlinks(setrans_t)

# allow performing getpidcon() on all processes
# These expose the /proc state, attributes and session of every domain to
# setrans_t, which is how it resolves the context of a requesting PID.
domain_read_all_domains_state(setrans_t)
domain_dontaudit_search_all_domains_state(setrans_t)
domain_getattr_all_domains(setrans_t)
domain_getsession_all_domains(setrans_t)

files_read_etc_runtime_files(setrans_t)

# MLS overrides: the daemon may read and write files and sockets at all
# levels and read up on processes, i.e. it is exempt from the usual MLS
# read-down/write-up constraints. This effectively makes setrans_t part of
# the MLS trusted base; add further privileges to this domain with care.
mls_file_read_all_levels(setrans_t)
mls_file_write_all_levels(setrans_t)
mls_net_receive_all_levels(setrans_t)
mls_socket_write_all_levels(setrans_t)
mls_process_read_up(setrans_t)
mls_socket_read_all_levels(setrans_t)

# Query access decisions from the kernel (compute_av).
selinux_compute_access_vector(setrans_t)

# Silence denials for inherited ttys/ptys and script/login descriptors
# instead of granting access to them.
term_dontaudit_use_generic_ptys(setrans_t)
term_dontaudit_use_unallocated_ttys(setrans_t)

init_dontaudit_use_script_ptys(setrans_t)

locallogin_dontaudit_use_fds(setrans_t)

logging_send_syslog_msg(setrans_t)

miscfiles_read_localization(setrans_t)

# Read-only access to the SELinux configuration tree, where the
# translation configuration presumably lives.
seutil_read_config(setrans_t)

# When the rpm module is present, allow use of descriptors inherited from
# rpm scriptlets (e.g. restarts triggered during package installs).
optional_policy(`
	rpm_use_script_fds(setrans_t)
')