[people/stevee/selinux-policy.git] / policy / modules / services / abrt.te

policy_module(abrt, 1.1.1)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow ABRT to modify public files
##	used for public file transfer services.
##	</p>
## </desc>
gen_tunable(abrt_anon_write, false)

type abrt_t;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)

type abrt_initrc_exec_t;
init_script_file(abrt_initrc_exec_t)

# etc files
type abrt_etc_t;
files_config_file(abrt_etc_t)

# log files
type abrt_var_log_t;
logging_log_file(abrt_var_log_t)

# tmp files
type abrt_tmp_t;
files_tmp_file(abrt_tmp_t)

# var/cache files
type abrt_var_cache_t;
files_type(abrt_var_cache_t)

# pid files
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)

# type needed to allow all domains
# to handle /var/cache/abrt
type abrt_helper_t;
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')

########################################
#
# abrt local policy
#

allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
dontaudit abrt_t self:capability sys_rawio;
allow abrt_t self:process { sigkill signal signull setsched getsched };

allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
allow abrt_t self:udp_socket create_socket_perms;
allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;

# abrt etc files
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)

# log file
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)

# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
can_exec(abrt_t, abrt_tmp_t)

# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)

# abrt pid files
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })

kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)

corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)

corenet_all_recvfrom_netlabel(abrt_t)
corenet_all_recvfrom_unlabeled(abrt_t)
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
corenet_tcp_sendrecv_generic_port(abrt_t)
corenet_tcp_bind_generic_node(abrt_t)
corenet_tcp_connect_http_port(abrt_t)
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)

dev_getattr_all_chr_files(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)

domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)

files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)

fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
fs_read_fusefs_files(abrt_t)
fs_read_noxattr_fs_files(abrt_t)
fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)

sysnet_dns_name_resolve(abrt_t)

logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)

miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)

userdom_dontaudit_read_user_home_content_files(abrt_t)
userdom_dontaudit_read_admin_home_files(abrt_t)

tunable_policy(`abrt_anon_write',`
	miscfiles_manage_public_files(abrt_t)
')

optional_policy(`
	apache_read_modules(abrt_t)
')

optional_policy(`
	dbus_system_domain(abrt_t, abrt_exec_t)
')

optional_policy(`
	nis_use_ypbind(abrt_t)
')

optional_policy(`
	nsplugin_read_rw_files(abrt_t)
	nsplugin_read_home(abrt_t)
')

optional_policy(`
	policykit_dbus_chat(abrt_t)
	policykit_domtrans_auth(abrt_t)
	policykit_read_lib(abrt_t)
	policykit_read_reload(abrt_t)
')

optional_policy(`
	prelink_exec(abrt_t)
	libs_exec_ld_so(abrt_t)
	corecmd_exec_all_executables(abrt_t)
')

# to install debuginfo packages
optional_policy(`
	rpm_exec(abrt_t)
	rpm_dontaudit_manage_db(abrt_t)
	rpm_manage_cache(abrt_t)
	rpm_manage_pid_files(abrt_t)
	rpm_read_db(abrt_t)
	rpm_signull(abrt_t)
')

# to run mailx plugin
optional_policy(`
	sendmail_domtrans(abrt_t)
')

optional_policy(`
	sosreport_domtrans(abrt_t)
	sosreport_read_tmp_files(abrt_t)
	sosreport_delete_tmp_files(abrt_t)
')

optional_policy(`
	sssd_stream_connect(abrt_t)
')

########################################
#
# abrt-helper local policy
#

allow abrt_helper_t self:capability { chown setgid sys_nice };
allow abrt_helper_t self:process signal;

read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)

files_search_spool(abrt_helper_t)
manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })

read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)

domain_read_all_domains_state(abrt_helper_t)

files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)

fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)

auth_use_nsswitch(abrt_helper_t)

logging_send_syslog_msg(abrt_helper_t)

miscfiles_read_localization(abrt_helper_t)

term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)

ifdef(`hide_broken_symptoms',`
	domain_dontaudit_leaks(abrt_helper_t)
	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)

	optional_policy(`
		rpm_dontaudit_leaks(abrt_helper_t)
	')

	dev_dontaudit_read_all_blk_files(abrt_helper_t)
	dev_dontaudit_read_all_chr_files(abrt_helper_t)
	dev_dontaudit_write_all_chr_files(abrt_helper_t)
	dev_dontaudit_write_all_blk_files(abrt_helper_t)
	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
')

ifdef(`hide_broken_symptoms',`
	gen_require(`
		attribute domain;
	')

	allow abrt_t self:capability sys_resource;
	allow abrt_t domain:file write;
	allow abrt_t domain:process setrlimit;
')
Commit	Line	Data
b5212295	1	policy_module(abrt, 1.1.1)
e3a90e35 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
3eaa9939	8	## <desc>
9a0f7994 DG	9	## <p>
	10	## Allow ABRT to modify public files
	11	## used for public file transfer services.
	12	## </p>
3eaa9939 DW	13	## </desc>
	14	gen_tunable(abrt_anon_write, false)
	15
e3a90e35 CP	16	type abrt_t;
	17	type abrt_exec_t;
	18	init_daemon_domain(abrt_t, abrt_exec_t)
	19
	20	type abrt_initrc_exec_t;
	21	init_script_file(abrt_initrc_exec_t)
	22
	23	# etc files
	24	type abrt_etc_t;
	25	files_config_file(abrt_etc_t)
	26
	27	# log files
	28	type abrt_var_log_t;
	29	logging_log_file(abrt_var_log_t)
	30
	31	# tmp files
	32	type abrt_tmp_t;
	33	files_tmp_file(abrt_tmp_t)
	34
	35	# var/cache files
	36	type abrt_var_cache_t;
	37	files_type(abrt_var_cache_t)
	38
	39	# pid files
	40	type abrt_var_run_t;
	41	files_pid_file(abrt_var_run_t)
	42
1b2f08ea CP	43	# type needed to allow all domains
	44	# to handle /var/cache/abrt
	45	type abrt_helper_t;
	46	type abrt_helper_exec_t;
	47	application_domain(abrt_helper_t, abrt_helper_exec_t)
	48	role system_r types abrt_helper_t;
	49
	50	ifdef(`enable_mcs',`
	51	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
	52	')
	53
e3a90e35 CP	54	########################################
	55	#
	56	# abrt local policy
	57	#
	58
1b2f08ea CP	59	allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
1b2f08ea CP	60	dontaudit abrt_t self:capability sys_rawio;
3eaa9939	61	allow abrt_t self:process { sigkill signal signull setsched getsched };
e3a90e35 CP	62
	63	allow abrt_t self:fifo_file rw_fifo_file_perms;
	64	allow abrt_t self:tcp_socket create_stream_socket_perms;
	65	allow abrt_t self:udp_socket create_socket_perms;
	66	allow abrt_t self:unix_dgram_socket create_socket_perms;
	67	allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
	68
	69	# abrt etc files
	70	rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
	71
	72	# log file
	73	manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
	74	logging_log_filetrans(abrt_t, abrt_var_log_t, file)
	75
1b2f08ea	76	# abrt tmp files
e3a90e35 CP	77	manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
	78	manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
	79	files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
3eaa9939	80	can_exec(abrt_t, abrt_tmp_t)
e3a90e35 CP	81
	82	# abrt var/cache files
	83	manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
	84	manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
1b2f08ea	85	manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
e3a90e35	86	files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
b5212295	87	files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
e3a90e35 CP	88
	89	# abrt pid files
	90	manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
	91	manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
b5212295	92	manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
1b2f08ea	93	manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
3eaa9939	94	files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
e3a90e35 CP	95
	96	kernel_read_ring_buffer(abrt_t)
	97	kernel_read_system_state(abrt_t)
	98	kernel_rw_kernel_sysctl(abrt_t)
	99
	100	corecmd_exec_bin(abrt_t)
	101	corecmd_exec_shell(abrt_t)
1b2f08ea	102	corecmd_read_all_executables(abrt_t)
e3a90e35	103
cd173453 DG	104	corenet_all_recvfrom_netlabel(abrt_t)
cd173453 DG	105	corenet_all_recvfrom_unlabeled(abrt_t)
cd173453 DG	106	corenet_tcp_sendrecv_generic_if(abrt_t)
	107	corenet_tcp_sendrecv_generic_node(abrt_t)
	108	corenet_tcp_sendrecv_generic_port(abrt_t)
1b2f08ea CP	109	corenet_tcp_bind_generic_node(abrt_t)
	110	corenet_tcp_connect_http_port(abrt_t)
	111	corenet_tcp_connect_ftp_port(abrt_t)
	112	corenet_tcp_connect_all_ports(abrt_t)
	113	corenet_sendrecv_http_client_packets(abrt_t)
	114
1b2f08ea	115	dev_getattr_all_chr_files(abrt_t)
e3a90e35	116	dev_read_urand(abrt_t)
1b2f08ea CP	117	dev_rw_sysfs(abrt_t)
	118	dev_dontaudit_read_raw_memory(abrt_t)
	119
	120	domain_getattr_all_domains(abrt_t)
	121	domain_read_all_domains_state(abrt_t)
	122	domain_signull_all_domains(abrt_t)
e3a90e35 CP	123
	124	files_getattr_all_files(abrt_t)
	125	files_read_etc_files(abrt_t)
1b2f08ea CP	126	files_read_var_symlinks(abrt_t)
1b2f08ea CP	127	files_read_var_lib_files(abrt_t)
e3a90e35	128	files_read_usr_files(abrt_t)
1b2f08ea CP	129	files_read_generic_tmp_files(abrt_t)
	130	files_read_kernel_modules(abrt_t)
	131	files_dontaudit_list_default(abrt_t)
	132	files_dontaudit_read_default_files(abrt_t)
3eaa9939 DW	133	files_dontaudit_read_all_symlinks(abrt_t)
3eaa9939 DW	134	files_dontaudit_getattr_all_sockets(abrt_t)
e3a90e35 CP	135
	136	fs_list_inotifyfs(abrt_t)
	137	fs_getattr_all_fs(abrt_t)
	138	fs_getattr_all_dirs(abrt_t)
1b2f08ea CP	139	fs_read_fusefs_files(abrt_t)
	140	fs_read_noxattr_fs_files(abrt_t)
	141	fs_read_nfs_files(abrt_t)
	142	fs_read_nfs_symlinks(abrt_t)
	143	fs_search_all(abrt_t)
e3a90e35	144
3eaa9939	145	sysnet_dns_name_resolve(abrt_t)
e3a90e35 CP	146
	147	logging_read_generic_logs(abrt_t)
	148	logging_send_syslog_msg(abrt_t)
	149
83406219	150	miscfiles_read_generic_certs(abrt_t)
e3a90e35 CP	151	miscfiles_read_localization(abrt_t)
e3a90e35 CP	152
1b2f08ea	153	userdom_dontaudit_read_user_home_content_files(abrt_t)
3eaa9939 DW	154	userdom_dontaudit_read_admin_home_files(abrt_t)
	155
	156	tunable_policy(`abrt_anon_write',`
9a0f7994	157	miscfiles_manage_public_files(abrt_t)
3eaa9939 DW	158	')
	159
	160	optional_policy(`
	161	apache_read_modules(abrt_t)
	162	')
e3a90e35 CP	163
e3a90e35 CP	164	optional_policy(`
1b2f08ea	165	dbus_system_domain(abrt_t, abrt_exec_t)
e3a90e35 CP	166	')
e3a90e35 CP	167
e3a90e35	168	optional_policy(`
1b2f08ea CP	169	nis_use_ypbind(abrt_t)
	170	')
	171
	172	optional_policy(`
3eaa9939 DW	173	nsplugin_read_rw_files(abrt_t)
	174	nsplugin_read_home(abrt_t)
	175	')
	176
	177	optional_policy(`
9a0f7994	178	policykit_dbus_chat(abrt_t)
1b2f08ea CP	179	policykit_domtrans_auth(abrt_t)
	180	policykit_read_lib(abrt_t)
	181	policykit_read_reload(abrt_t)
	182	')
	183
b5212295 CP	184	optional_policy(`
	185	prelink_exec(abrt_t)
	186	libs_exec_ld_so(abrt_t)
	187	corecmd_exec_all_executables(abrt_t)
	188	')
	189
1b2f08ea CP	190	# to install debuginfo packages
	191	optional_policy(`
	192	rpm_exec(abrt_t)
	193	rpm_dontaudit_manage_db(abrt_t)
	194	rpm_manage_cache(abrt_t)
	195	rpm_manage_pid_files(abrt_t)
	196	rpm_read_db(abrt_t)
	197	rpm_signull(abrt_t)
e3a90e35 CP	198	')
	199
	200	# to run mailx plugin
	201	optional_policy(`
	202	sendmail_domtrans(abrt_t)
	203	')
1b2f08ea	204
3eaa9939 DW	205	optional_policy(`
	206	sosreport_domtrans(abrt_t)
	207	sosreport_read_tmp_files(abrt_t)
	208	sosreport_delete_tmp_files(abrt_t)
	209	')
	210
1b2f08ea CP	211	optional_policy(`
	212	sssd_stream_connect(abrt_t)
	213	')
	214
	215	########################################
	216	#
9a0f7994	217	# abrt-helper local policy
1b2f08ea CP	218	#
1b2f08ea CP	219
b5212295	220	allow abrt_helper_t self:capability { chown setgid sys_nice };
1b2f08ea CP	221	allow abrt_helper_t self:process signal;
	222
	223	read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
	224
b5212295	225	files_search_spool(abrt_helper_t)
1b2f08ea CP	226	manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
	227	manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
	228	manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
	229	files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
	230
	231	read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
	232	read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
	233
	234	domain_read_all_domains_state(abrt_helper_t)
	235
	236	files_read_etc_files(abrt_helper_t)
3eaa9939	237	files_dontaudit_all_non_security_leaks(abrt_helper_t)
1b2f08ea CP	238
	239	fs_list_inotifyfs(abrt_helper_t)
	240	fs_getattr_all_fs(abrt_helper_t)
	241
	242	auth_use_nsswitch(abrt_helper_t)
	243
	244	logging_send_syslog_msg(abrt_helper_t)
	245
	246	miscfiles_read_localization(abrt_helper_t)
	247
	248	term_dontaudit_use_all_ttys(abrt_helper_t)
	249	term_dontaudit_use_all_ptys(abrt_helper_t)
	250
9a0f7994	251	ifdef(`hide_broken_symptoms',`
3eaa9939	252	domain_dontaudit_leaks(abrt_helper_t)
1b2f08ea CP	253	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
1b2f08ea CP	254	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
9a0f7994	255
3eaa9939 DW	256	optional_policy(`
	257	rpm_dontaudit_leaks(abrt_helper_t)
	258	')
9a0f7994	259
1b2f08ea CP	260	dev_dontaudit_read_all_blk_files(abrt_helper_t)
	261	dev_dontaudit_read_all_chr_files(abrt_helper_t)
	262	dev_dontaudit_write_all_chr_files(abrt_helper_t)
	263	dev_dontaudit_write_all_blk_files(abrt_helper_t)
	264	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
	265	')
3eaa9939	266
9a0f7994	267	ifdef(`hide_broken_symptoms',`
3eaa9939	268	gen_require(`
9a0f7994	269	attribute domain;
3eaa9939 DW	270	')
3eaa9939 DW	271
9a0f7994	272	allow abrt_t self:capability sys_resource;
3eaa9939 DW	273	allow abrt_t domain:file write;
	274	allow abrt_t domain:process setrlimit;
	275	')