
# Reference-policy module for the "gatekeeper" daemon (presumably an H.323
# VoIP gatekeeper, given the VoIP note at the end of this file -- confirm
# against the file contexts for gatekeeper_exec_t).
policy_module(gatekeeper,1.0.0)

########################################
#
# Declarations
#

# Daemon domain and its entry-point executable type. init_daemon_domain()
# sets up the domain transition so that init, on executing a
# gatekeeper_exec_t file, ends up in gatekeeper_t rather than in its own
# domain.
type gatekeeper_t;
type gatekeeper_exec_t;
init_daemon_domain(gatekeeper_t,gatekeeper_exec_t)

# Configuration files. Only read access is granted in the local policy
# below, so the daemon cannot rewrite its own configuration.
type gatekeeper_etc_t;
files_config_file(gatekeeper_etc_t)

# Log files (registered with the logging module so generic log handling
# applies).
type gatekeeper_log_t;
logging_log_file(gatekeeper_log_t)

# for stupid symlinks
# NOTE(review): the rules below grant dir/file creation on this type and
# nothing for lnk_file; confirm what the daemon actually creates under /tmp.
type gatekeeper_tmp_t;
files_tmp_file(gatekeeper_tmp_t)

# PID file type under the pid directory.
type gatekeeper_var_run_t;
files_pid_file(gatekeeper_var_run_t)

########################################
#
# Local policy
#

# dontaudit only suppresses the denial message; sys_tty_config is not granted.
dontaudit gatekeeper_t self:capability sys_tty_config;
allow gatekeeper_t self:process { setsched signal_perms };
allow gatekeeper_t self:fifo_file rw_file_perms;

# Socket creation on its own TCP/UDP sockets; which addresses it may bind
# and which peers it may talk to are constrained by the corenet rules below.
allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
allow gatekeeper_t self:udp_socket create_socket_perms;

# Read-only access to configuration files and symlinks (getattr/read only;
# no write, create or unlink).
allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
allow gatekeeper_t gatekeeper_etc_t:file { getattr read };
files_search_etc(gatekeeper_t)

# Log files: full management of files of its own log type and read/write
# of the log directory; files and dirs it creates in the generic log
# directory are automatically labeled gatekeeper_log_t.
allow gatekeeper_t gatekeeper_log_t:file create_file_perms;
allow gatekeeper_t gatekeeper_log_t:dir rw_dir_perms;
logging_log_filetrans(gatekeeper_t,gatekeeper_log_t,{ file dir })

# Temporary files and directories: created objects in the generic tmp
# directory get gatekeeper_tmp_t, keeping them separate from other
# domains' tmp types.
allow gatekeeper_t gatekeeper_tmp_t:dir create_dir_perms;
allow gatekeeper_t gatekeeper_tmp_t:file create_file_perms;
files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir })

# PID file: create/manage the pid file itself; the pid directory only
# gets rw_dir_perms (no directory creation), and the transition is for
# files only.
allow gatekeeper_t gatekeeper_var_run_t:file create_file_perms;
allow gatekeeper_t gatekeeper_var_run_t:dir rw_dir_perms;
files_pid_filetrans(gatekeeper_t,gatekeeper_var_run_t,file)

# Read-only kernel state and sysctls (proc / sysctl lookups).
kernel_read_system_state(gatekeeper_t)
kernel_read_kernel_sysctls(gatekeeper_t)

# Directory listing of sbin paths only; no execute access is granted here.
corecmd_list_sbin(gatekeeper_t)

# Network access. Send/receive is allowed on generic interfaces, all
# nodes and all TCP/UDP port types (the usual refpolicy shape for a
# daemon that talks to arbitrary peers), while *binding* is limited to
# the gatekeeper port type on any node. Binding is the real listening
# constraint here; widening it should go through a new corenet interface
# rather than a bind_all_ports call.
corenet_non_ipsec_sendrecv(gatekeeper_t)
corenet_tcp_sendrecv_generic_if(gatekeeper_t)
corenet_udp_sendrecv_generic_if(gatekeeper_t)
corenet_raw_sendrecv_generic_if(gatekeeper_t)
corenet_tcp_sendrecv_all_nodes(gatekeeper_t)
corenet_udp_sendrecv_all_nodes(gatekeeper_t)
corenet_raw_sendrecv_all_nodes(gatekeeper_t)
corenet_tcp_sendrecv_all_ports(gatekeeper_t)
corenet_udp_sendrecv_all_ports(gatekeeper_t)
corenet_tcp_bind_all_nodes(gatekeeper_t)
corenet_udp_bind_all_nodes(gatekeeper_t)
corenet_tcp_bind_gatekeeper_port(gatekeeper_t)
corenet_udp_bind_gatekeeper_port(gatekeeper_t)

dev_read_sysfs(gatekeeper_t)
# for SSP: the stack-smashing protector reads /dev/urandom to seed its
# canary at startup, so this is needed even though the daemon itself does
# not use random data directly.
dev_read_urand(gatekeeper_t)

# Use of file descriptors inherited from interactive domains (e.g. when
# started by hand from a shell).
domain_use_interactive_fds(gatekeeper_t)

# Generic /etc files in addition to its own gatekeeper_etc_t config.
files_read_etc_files(gatekeeper_t)

fs_getattr_all_fs(gatekeeper_t)
fs_search_auto_mountpoints(gatekeeper_t)

# Suppress console-usage denials; no console access is granted.
term_dontaudit_use_console(gatekeeper_t)

# File descriptors and ptys inherited from init and init scripts.
init_use_fds(gatekeeper_t)
init_use_script_ptys(gatekeeper_t)

libs_use_ld_so(gatekeeper_t)
libs_use_shared_libs(gatekeeper_t)

logging_send_syslog_msg(gatekeeper_t)

miscfiles_read_localization(gatekeeper_t)

# Resolver / network configuration (read-only).
sysnet_read_config(gatekeeper_t)

# Noise suppression only: neither unprivileged user fds nor sysadm home
# directories become accessible through these.
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
userdom_dontaudit_search_sysadm_home_dirs(gatekeeper_t)

# Targeted-policy-only dontaudits for the daemon being started from an
# unallocated tty or generic pty; again nothing is granted, denials are
# just not logged.
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(gatekeeper_t)
term_dontaudit_use_generic_ptys(gatekeeper_t)
files_dontaudit_read_root_files(gatekeeper_t)
')

# NIS lookups through ypbind, only if the nis module is part of the build.
optional_policy(`
nis_use_ypbind(gatekeeper_t)
')

# Allow newrole to deliver SIGCHLD to this domain when the seutil module
# is present.
optional_policy(`
seutil_sigchld_newrole(gatekeeper_t)
')

# Read-only access to the udev device database, when udev is present.
optional_policy(`
udev_read_db(gatekeeper_t)
')

# Disabled block: `TODO' is not defined by the refpolicy build, so m4
# discards everything inside. If this were ever enabled as written, every
# domain carrying the userdomain attribute could send to and receive from
# the daemon's UDP/TCP sockets, a large widening of the domain boundary
# with no per-user or per-application limit. A dedicated interface plus a
# boolean would be the safer way to provide this if it is still wanted.
ifdef(`TODO',`
# for local users to run VOIP software
allow userdomain gatekeeper_t:udp_socket sendto;
allow gatekeeper_t userdomain:udp_socket recvfrom;
allow gatekeeper_t userdomain:udp_socket sendto;
allow userdomain gatekeeper_t:udp_socket recvfrom;

allow gatekeeper_t userdomain:tcp_socket { connectto recvfrom };
allow userdomain gatekeeper_t:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom(gatekeeper_t)
kernel_tcp_recvfrom(userdomain)
')