[people/stevee/selinux-policy.git] / policy / modules / services / abrt.te

policy_module(abrt, 1.2.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow ABRT to modify public files
##	used for public file transfer services.
##	</p>
## </desc>
gen_tunable(abrt_anon_write, false)

type abrt_t;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)

type abrt_initrc_exec_t;
init_script_file(abrt_initrc_exec_t)

# etc files
type abrt_etc_t;
files_config_file(abrt_etc_t)

# log files
type abrt_var_log_t;
logging_log_file(abrt_var_log_t)

# tmp files
type abrt_tmp_t;
files_tmp_file(abrt_tmp_t)

# var/cache files
type abrt_var_cache_t;
files_type(abrt_var_cache_t)

# pid files
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)

# type needed to allow all domains
# to handle /var/cache/abrt
type abrt_helper_t;
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')

########################################
#
# abrt local policy
#

allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
dontaudit abrt_t self:capability sys_rawio;
allow abrt_t self:process { sigkill signal signull setsched getsched };

allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
allow abrt_t self:udp_socket create_socket_perms;
allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;

# abrt etc files
list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)

# log file
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)

# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
can_exec(abrt_t, abrt_tmp_t)

# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)

# abrt pid files
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })

kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)

corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)

corenet_all_recvfrom_netlabel(abrt_t)
corenet_all_recvfrom_unlabeled(abrt_t)
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
corenet_tcp_sendrecv_generic_port(abrt_t)
corenet_tcp_bind_generic_node(abrt_t)
corenet_tcp_connect_http_port(abrt_t)
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)

dev_getattr_all_chr_files(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)

domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)

files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)

fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
fs_read_fusefs_files(abrt_t)
fs_read_noxattr_fs_files(abrt_t)
fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)

sysnet_dns_name_resolve(abrt_t)

logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)

miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)

userdom_dontaudit_read_user_home_content_files(abrt_t)
userdom_dontaudit_read_admin_home_files(abrt_t)

tunable_policy(`abrt_anon_write',`
	miscfiles_manage_public_files(abrt_t)
')

optional_policy(`
	apache_read_modules(abrt_t)
')

optional_policy(`
	dbus_system_domain(abrt_t, abrt_exec_t)
')

optional_policy(`
	nis_use_ypbind(abrt_t)
')

optional_policy(`
	nsplugin_read_rw_files(abrt_t)
	nsplugin_read_home(abrt_t)
')

optional_policy(`
	policykit_dbus_chat(abrt_t)
	policykit_domtrans_auth(abrt_t)
	policykit_read_lib(abrt_t)
	policykit_read_reload(abrt_t)
')

optional_policy(`
	prelink_exec(abrt_t)
	libs_exec_ld_so(abrt_t)
	corecmd_exec_all_executables(abrt_t)
')

# to install debuginfo packages
optional_policy(`
	rpm_exec(abrt_t)
	rpm_dontaudit_manage_db(abrt_t)
	rpm_manage_cache(abrt_t)
	rpm_manage_pid_files(abrt_t)
	rpm_read_db(abrt_t)
	rpm_signull(abrt_t)
')

# to run mailx plugin
optional_policy(`
	sendmail_domtrans(abrt_t)
')

optional_policy(`
	sosreport_domtrans(abrt_t)
	sosreport_read_tmp_files(abrt_t)
	sosreport_delete_tmp_files(abrt_t)
')

optional_policy(`
	sssd_stream_connect(abrt_t)
')

########################################
#
# abrt-helper local policy
#

allow abrt_helper_t self:capability { chown setgid sys_nice };
allow abrt_helper_t self:process signal;

read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)

files_search_spool(abrt_helper_t)
manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })

read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)

domain_read_all_domains_state(abrt_helper_t)

files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)

fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)

auth_use_nsswitch(abrt_helper_t)

logging_send_syslog_msg(abrt_helper_t)

miscfiles_read_localization(abrt_helper_t)

term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)

ifdef(`hide_broken_symptoms',`
	domain_dontaudit_leaks(abrt_helper_t)
	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
	dev_dontaudit_read_all_blk_files(abrt_helper_t)
	dev_dontaudit_read_all_chr_files(abrt_helper_t)
	dev_dontaudit_write_all_chr_files(abrt_helper_t)
	dev_dontaudit_write_all_blk_files(abrt_helper_t)
	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)

	optional_policy(`
		rpm_dontaudit_leaks(abrt_helper_t)
	')
')

ifdef(`hide_broken_symptoms',`
	gen_require(`
		attribute domain;
	')

	allow abrt_t self:capability sys_resource;
	allow abrt_t domain:file write;
	allow abrt_t domain:process setrlimit;
')
Commit	Line	Data
826d0142	1	policy_module(abrt, 1.2.0)
e3a90e35 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
3eaa9939	8	## <desc>
9a0f7994 DG	9	## <p>
	10	## Allow ABRT to modify public files
	11	## used for public file transfer services.
	12	## </p>
3eaa9939 DW	13	## </desc>
	14	gen_tunable(abrt_anon_write, false)
	15
e3a90e35 CP	16	type abrt_t;
	17	type abrt_exec_t;
	18	init_daemon_domain(abrt_t, abrt_exec_t)
	19
	20	type abrt_initrc_exec_t;
	21	init_script_file(abrt_initrc_exec_t)
	22
	23	# etc files
	24	type abrt_etc_t;
	25	files_config_file(abrt_etc_t)
	26
	27	# log files
	28	type abrt_var_log_t;
	29	logging_log_file(abrt_var_log_t)
	30
	31	# tmp files
	32	type abrt_tmp_t;
	33	files_tmp_file(abrt_tmp_t)
	34
	35	# var/cache files
	36	type abrt_var_cache_t;
	37	files_type(abrt_var_cache_t)
	38
	39	# pid files
	40	type abrt_var_run_t;
	41	files_pid_file(abrt_var_run_t)
	42
1b2f08ea CP	43	# type needed to allow all domains
	44	# to handle /var/cache/abrt
	45	type abrt_helper_t;
	46	type abrt_helper_exec_t;
	47	application_domain(abrt_helper_t, abrt_helper_exec_t)
	48	role system_r types abrt_helper_t;
	49
	50	ifdef(`enable_mcs',`
	51	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
	52	')
	53
e3a90e35 CP	54	########################################
	55	#
	56	# abrt local policy
	57	#
	58
1b2f08ea CP	59	allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
1b2f08ea CP	60	dontaudit abrt_t self:capability sys_rawio;
3eaa9939	61	allow abrt_t self:process { sigkill signal signull setsched getsched };
e3a90e35 CP	62
	63	allow abrt_t self:fifo_file rw_fifo_file_perms;
	64	allow abrt_t self:tcp_socket create_stream_socket_perms;
	65	allow abrt_t self:udp_socket create_socket_perms;
	66	allow abrt_t self:unix_dgram_socket create_socket_perms;
	67	allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
	68
	69	# abrt etc files
95985585	70	list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
e3a90e35 CP	71	rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
	72
	73	# log file
	74	manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
	75	logging_log_filetrans(abrt_t, abrt_var_log_t, file)
	76
1b2f08ea	77	# abrt tmp files
e3a90e35 CP	78	manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
	79	manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
	80	files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
3eaa9939	81	can_exec(abrt_t, abrt_tmp_t)
e3a90e35 CP	82
	83	# abrt var/cache files
	84	manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
	85	manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
1b2f08ea	86	manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
e3a90e35	87	files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
b5212295	88	files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
e3a90e35 CP	89
	90	# abrt pid files
	91	manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
	92	manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
b5212295	93	manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
1b2f08ea	94	manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
3eaa9939	95	files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
e3a90e35 CP	96
	97	kernel_read_ring_buffer(abrt_t)
	98	kernel_read_system_state(abrt_t)
	99	kernel_rw_kernel_sysctl(abrt_t)
	100
	101	corecmd_exec_bin(abrt_t)
	102	corecmd_exec_shell(abrt_t)
1b2f08ea	103	corecmd_read_all_executables(abrt_t)
e3a90e35	104
cd173453 DG	105	corenet_all_recvfrom_netlabel(abrt_t)
cd173453 DG	106	corenet_all_recvfrom_unlabeled(abrt_t)
cd173453 DG	107	corenet_tcp_sendrecv_generic_if(abrt_t)
	108	corenet_tcp_sendrecv_generic_node(abrt_t)
	109	corenet_tcp_sendrecv_generic_port(abrt_t)
1b2f08ea CP	110	corenet_tcp_bind_generic_node(abrt_t)
	111	corenet_tcp_connect_http_port(abrt_t)
	112	corenet_tcp_connect_ftp_port(abrt_t)
	113	corenet_tcp_connect_all_ports(abrt_t)
	114	corenet_sendrecv_http_client_packets(abrt_t)
	115
1b2f08ea	116	dev_getattr_all_chr_files(abrt_t)
e3a90e35	117	dev_read_urand(abrt_t)
1b2f08ea CP	118	dev_rw_sysfs(abrt_t)
	119	dev_dontaudit_read_raw_memory(abrt_t)
	120
	121	domain_getattr_all_domains(abrt_t)
	122	domain_read_all_domains_state(abrt_t)
	123	domain_signull_all_domains(abrt_t)
e3a90e35 CP	124
e3a90e35 CP	125	files_getattr_all_files(abrt_t)
8effc8a7	126	files_read_config_files(abrt_t)
6a074ab5	127	files_read_etc_runtime_files(abrt_t)
1b2f08ea CP	128	files_read_var_symlinks(abrt_t)
1b2f08ea CP	129	files_read_var_lib_files(abrt_t)
e3a90e35	130	files_read_usr_files(abrt_t)
1b2f08ea CP	131	files_read_generic_tmp_files(abrt_t)
	132	files_read_kernel_modules(abrt_t)
	133	files_dontaudit_list_default(abrt_t)
	134	files_dontaudit_read_default_files(abrt_t)
3eaa9939 DW	135	files_dontaudit_read_all_symlinks(abrt_t)
3eaa9939 DW	136	files_dontaudit_getattr_all_sockets(abrt_t)
e3a90e35 CP	137
	138	fs_list_inotifyfs(abrt_t)
	139	fs_getattr_all_fs(abrt_t)
	140	fs_getattr_all_dirs(abrt_t)
1b2f08ea CP	141	fs_read_fusefs_files(abrt_t)
	142	fs_read_noxattr_fs_files(abrt_t)
	143	fs_read_nfs_files(abrt_t)
	144	fs_read_nfs_symlinks(abrt_t)
	145	fs_search_all(abrt_t)
e3a90e35	146
3eaa9939	147	sysnet_dns_name_resolve(abrt_t)
e3a90e35 CP	148
	149	logging_read_generic_logs(abrt_t)
	150	logging_send_syslog_msg(abrt_t)
	151
83406219	152	miscfiles_read_generic_certs(abrt_t)
e3a90e35 CP	153	miscfiles_read_localization(abrt_t)
e3a90e35 CP	154
1b2f08ea	155	userdom_dontaudit_read_user_home_content_files(abrt_t)
3eaa9939 DW	156	userdom_dontaudit_read_admin_home_files(abrt_t)
	157
	158	tunable_policy(`abrt_anon_write',`
9a0f7994	159	miscfiles_manage_public_files(abrt_t)
3eaa9939 DW	160	')
	161
	162	optional_policy(`
	163	apache_read_modules(abrt_t)
	164	')
e3a90e35 CP	165
e3a90e35 CP	166	optional_policy(`
1b2f08ea	167	dbus_system_domain(abrt_t, abrt_exec_t)
e3a90e35 CP	168	')
e3a90e35 CP	169
e3a90e35	170	optional_policy(`
1b2f08ea CP	171	nis_use_ypbind(abrt_t)
	172	')
	173
	174	optional_policy(`
3eaa9939 DW	175	nsplugin_read_rw_files(abrt_t)
	176	nsplugin_read_home(abrt_t)
	177	')
	178
	179	optional_policy(`
9a0f7994	180	policykit_dbus_chat(abrt_t)
1b2f08ea CP	181	policykit_domtrans_auth(abrt_t)
	182	policykit_read_lib(abrt_t)
	183	policykit_read_reload(abrt_t)
	184	')
	185
b5212295 CP	186	optional_policy(`
	187	prelink_exec(abrt_t)
	188	libs_exec_ld_so(abrt_t)
	189	corecmd_exec_all_executables(abrt_t)
	190	')
	191
1b2f08ea CP	192	# to install debuginfo packages
	193	optional_policy(`
	194	rpm_exec(abrt_t)
	195	rpm_dontaudit_manage_db(abrt_t)
	196	rpm_manage_cache(abrt_t)
	197	rpm_manage_pid_files(abrt_t)
	198	rpm_read_db(abrt_t)
	199	rpm_signull(abrt_t)
e3a90e35 CP	200	')
	201
	202	# to run mailx plugin
	203	optional_policy(`
	204	sendmail_domtrans(abrt_t)
	205	')
1b2f08ea	206
3eaa9939 DW	207	optional_policy(`
	208	sosreport_domtrans(abrt_t)
	209	sosreport_read_tmp_files(abrt_t)
	210	sosreport_delete_tmp_files(abrt_t)
	211	')
	212
1b2f08ea CP	213	optional_policy(`
	214	sssd_stream_connect(abrt_t)
	215	')
	216
	217	########################################
	218	#
9a0f7994	219	# abrt-helper local policy
1b2f08ea CP	220	#
1b2f08ea CP	221
b5212295	222	allow abrt_helper_t self:capability { chown setgid sys_nice };
1b2f08ea CP	223	allow abrt_helper_t self:process signal;
	224
	225	read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
	226
b5212295	227	files_search_spool(abrt_helper_t)
1b2f08ea CP	228	manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
	229	manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
	230	manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
	231	files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
	232
	233	read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
	234	read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
	235
	236	domain_read_all_domains_state(abrt_helper_t)
	237
	238	files_read_etc_files(abrt_helper_t)
3eaa9939	239	files_dontaudit_all_non_security_leaks(abrt_helper_t)
1b2f08ea CP	240
	241	fs_list_inotifyfs(abrt_helper_t)
	242	fs_getattr_all_fs(abrt_helper_t)
	243
	244	auth_use_nsswitch(abrt_helper_t)
	245
	246	logging_send_syslog_msg(abrt_helper_t)
	247
	248	miscfiles_read_localization(abrt_helper_t)
	249
	250	term_dontaudit_use_all_ttys(abrt_helper_t)
	251	term_dontaudit_use_all_ptys(abrt_helper_t)
	252
9a0f7994	253	ifdef(`hide_broken_symptoms',`
3eaa9939	254	domain_dontaudit_leaks(abrt_helper_t)
1b2f08ea CP	255	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
	256	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
	257	dev_dontaudit_read_all_blk_files(abrt_helper_t)
	258	dev_dontaudit_read_all_chr_files(abrt_helper_t)
	259	dev_dontaudit_write_all_chr_files(abrt_helper_t)
	260	dev_dontaudit_write_all_blk_files(abrt_helper_t)
	261	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
ef521e99 DG	262
	263	optional_policy(`
	264	rpm_dontaudit_leaks(abrt_helper_t)
	265	')
1b2f08ea	266	')
3eaa9939	267
9a0f7994	268	ifdef(`hide_broken_symptoms',`
3eaa9939	269	gen_require(`
9a0f7994	270	attribute domain;
3eaa9939 DW	271	')
3eaa9939 DW	272
9a0f7994	273	allow abrt_t self:capability sys_resource;
3eaa9939 DW	274	allow abrt_t domain:file write;
	275	allow abrt_t domain:process setrlimit;
	276	')