policy_module(abrt, 1.1.1)

########################################
#
# Declarations
#
# Two domains are declared here: the abrt daemon (abrt_t) and a
# separate, much smaller helper domain (abrt_helper_t).  Interfaces
# for other modules to reach these domains are not in this file
# (presumably abrt.if -- not shown).
#

## <desc>
## <p>
## Allow ABRT to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(abrt_anon_write, false)

# daemon domain and its entry-point executable
type abrt_t;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)

# init script
type abrt_initrc_exec_t;
init_script_file(abrt_initrc_exec_t)

# etc files
type abrt_etc_t;
files_config_file(abrt_etc_t)

# log files
type abrt_var_log_t;
logging_log_file(abrt_var_log_t)

# tmp files
type abrt_tmp_t;
files_tmp_file(abrt_tmp_t)

# var/cache files (crash data; see the helper policy below, which
# also manages this type)
type abrt_var_cache_t;
files_type(abrt_var_cache_t)

# pid files
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)

# Helper domain: the original note says this type is needed so that
# all domains can handle /var/cache/abrt.  Keeping it separate from
# abrt_t means callers get only the helper's (smaller) permission set,
# not the daemon's.  The transition into it is defined elsewhere --
# verify in abrt.if.
type abrt_helper_t;
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;

# Under MCS the daemon runs ranged (s0 up to mcs_systemhigh) so it can
# reach crash data at any category.
ifdef(`enable_mcs',`
	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')

########################################
#
# abrt local policy
#

# Capabilities.  dac_override bypasses DAC mode bits and setuid/setgid
# permit credential changes -- both are broad; presumably needed to
# read crash dumps owned by arbitrary users and to drop privilege,
# verify each is still exercised before keeping it.
allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
# sys_rawio is probed but not granted: silence the denial only.
dontaudit abrt_t self:capability sys_rawio;
allow abrt_t self:process { sigkill signal signull setsched getsched };

allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
allow abrt_t self:udp_socket create_socket_perms;
allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;

# abrt etc files (read/write only -- no create, rename or delete)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)

# log file
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)

# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
# NOTE(review): abrt_t may execute files it created itself under its
# tmp label; confirm a plugin or script really needs this.
can_exec(abrt_t, abrt_tmp_t)

# abrt var/cache files (also created under /var/spool via the
# spool filetrans)
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)

# abrt pid files
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })

# kernel ring buffer, system state and read/write of kernel sysctls
kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)

corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)

corenet_all_recvfrom_netlabel(abrt_t)
corenet_all_recvfrom_unlabeled(abrt_t)
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
corenet_tcp_sendrecv_generic_port(abrt_t)
corenet_tcp_bind_generic_node(abrt_t)
# Outbound reporting.  connect_all_ports subsumes the http and ftp
# port rules; if report destinations are limited to http/ftp, the
# all-ports rule is the one to drop.
corenet_tcp_connect_http_port(abrt_t)
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)

dev_getattr_all_chr_files(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)

# Process inspection across every domain: state is read, and only
# signull (existence check) is sent -- presumably for crashing
# processes.
domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)

files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)

fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
fs_read_fusefs_files(abrt_t)
fs_read_noxattr_fs_files(abrt_t)
fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)

sysnet_dns_name_resolve(abrt_t)

logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)

miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)

userdom_dontaudit_read_user_home_content_files(abrt_t)
userdom_dontaudit_read_admin_home_files(abrt_t)

# Writing to public-transfer files is gated on the abrt_anon_write
# boolean declared above (default off).
tunable_policy(`abrt_anon_write',`
	miscfiles_manage_public_files(abrt_t)
')

optional_policy(`
	apache_read_modules(abrt_t)
')

optional_policy(`
	dbus_system_domain(abrt_t, abrt_exec_t)
')

optional_policy(`
	nis_use_ypbind(abrt_t)
')

optional_policy(`
	nsplugin_read_rw_files(abrt_t)
	nsplugin_read_home(abrt_t)
')

optional_policy(`
	policykit_dbus_chat(abrt_t)
	policykit_domtrans_auth(abrt_t)
	policykit_read_lib(abrt_t)
	policykit_read_reload(abrt_t)
')

# NOTE(review): corecmd_exec_all_executables is much wider than the
# prelink and ld.so execs it sits next to, and it takes effect whenever
# the prelink module is loaded; confirm it is actually required.
optional_policy(`
	prelink_exec(abrt_t)
	libs_exec_ld_so(abrt_t)
	corecmd_exec_all_executables(abrt_t)
')

# to install debuginfo packages
optional_policy(`
	rpm_exec(abrt_t)
	rpm_dontaudit_manage_db(abrt_t)
	rpm_manage_cache(abrt_t)
	rpm_manage_pid_files(abrt_t)
	rpm_read_db(abrt_t)
	rpm_signull(abrt_t)
')

# to run mailx plugin
optional_policy(`
	sendmail_domtrans(abrt_t)
')

optional_policy(`
	sosreport_domtrans(abrt_t)
	sosreport_read_tmp_files(abrt_t)
	sosreport_delete_tmp_files(abrt_t)
')

optional_policy(`
	sssd_stream_connect(abrt_t)
')

########################################
#
# abrt-helper local policy
#
# Deliberately narrow: the helper manages the cache type, reads the
# etc and pid types, and otherwise has only read/dontaudit access.
#

allow abrt_helper_t self:capability { chown setgid sys_nice };
allow abrt_helper_t self:process signal;

read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)

# cache data (also reachable under /var/spool, hence search_spool)
files_search_spool(abrt_helper_t)
manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })

# pid files are read-only from the helper
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)

domain_read_all_domains_state(abrt_helper_t)

files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)

fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)

auth_use_nsswitch(abrt_helper_t)

logging_send_syslog_msg(abrt_helper_t)

miscfiles_read_localization(abrt_helper_t)

term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)

# Build-time option.  Everything in this block is a dontaudit: it
# silences denials (presumably from descriptors the helper inherits
# from whatever spawned it -- verify) without granting access.
ifdef(`hide_broken_symptoms',`
	domain_dontaudit_leaks(abrt_helper_t)
	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)

	optional_policy(`
		rpm_dontaudit_leaks(abrt_helper_t)
	')

	dev_dontaudit_read_all_blk_files(abrt_helper_t)
	dev_dontaudit_read_all_chr_files(abrt_helper_t)
	dev_dontaudit_write_all_chr_files(abrt_helper_t)
	dev_dontaudit_write_all_blk_files(abrt_helper_t)
	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
')

# NOTE(review): unlike the helper block above, these are allow rules,
# not dontaudits.  With hide_broken_symptoms set, abrt_t gains
# sys_resource, write on file objects labelled with any domain type
# (in practice entries under /proc/<pid>), and setrlimit on every
# domain's processes.  That is considerably wider than the option's
# name suggests; confirm it is intended and scope it if it is not.
ifdef(`hide_broken_symptoms',`
	gen_require(`
		attribute domain;
	')

	allow abrt_t self:capability sys_resource;
	allow abrt_t domain:file write;
	allow abrt_t domain:process setrlimit;
')