policy_module(abrt, 1.2.0)

########################################
#
# Declarations
#

# Boolean, off by default; it gates the miscfiles_manage_public_files()
# rule in the abrt local policy below (tunable_policy on abrt_anon_write).
## <desc>
## <p>
## Allow ABRT to modify public files
## used for public file transfer services.
## </p>
## </desc>
gen_tunable(abrt_anon_write, false)

# Daemon domain and its entry point type; the daemon is started by init.
type abrt_t;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)

# SysV init script label.
type abrt_initrc_exec_t;
init_script_file(abrt_initrc_exec_t)

# etc files
# Note: abrt_t gets read-write access to this type (rw_files_pattern in
# the local policy below), so the daemon can rewrite its own configuration.
type abrt_etc_t;
files_config_file(abrt_etc_t)

# log files
type abrt_var_log_t;
logging_log_file(abrt_var_log_t)

# tmp files
# abrt_t is also allowed to execute files of this type (can_exec below).
type abrt_tmp_t;
files_tmp_file(abrt_tmp_t)

# var/cache files
# Plain files_type(): both abrt_t and abrt_helper_t manage this type, and
# abrt_t also uses it for a directory created under /var/spool
# (files_spool_filetrans below), so the name only covers part of its use.
type abrt_var_cache_t;
files_type(abrt_var_cache_t)

# pid files
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)

# type needed to allow all domains
# to handle /var/cache/abrt
# Helper application domain. No transition into abrt_helper_t is declared
# in this file; presumably the interfaces in abrt.if provide it for the
# domains that run the helper -- verify there.
type abrt_helper_t;
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;

# With MCS enabled the daemon runs with the range s0 - mcs_systemhigh,
# i.e. a clearance spanning all MCS categories, so category labels on
# crashed processes or their files do not restrict it.
ifdef(`enable_mcs',`
	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')

########################################
#
# abrt local policy
#
# Rules for abrt_t, the ABRT daemon. The daemon inspects crashed
# processes (read access to the state of all domains below), stores
# crash data under its cache/spool types and hands it to external
# reporter programs (mail via sendmail, HTTP/FTP upload, rpm for
# debuginfo, sosreport), so it ends up with a wide read footprint across
# the system. Lines that grant more than the evident need are called
# out individually.
#

# dac_override bypasses all DAC permission checks, not only directory
# search; NOTE(review): check whether dac_read_search would be enough
# for reading crash data owned by other users. setuid/setgid let the
# daemon change identity (presumably to run plugins or the helper as the
# crashing user -- verify).
allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
# Suppresses sys_rawio denials only; no access is granted.
dontaudit abrt_t self:capability sys_rawio;
allow abrt_t self:process { sigkill signal signull setsched getsched };

allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
allow abrt_t self:udp_socket create_socket_perms;
allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;

# abrt etc files
# Read-write, not read-only: the daemon can modify its own configuration.
# A compromised daemon can therefore persist changes to what it runs and
# where it reports; presumably required because the configuration is
# edited through the daemon -- confirm before narrowing.
list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)

# log file
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)

# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
# Write + execute on the same type: the daemon may run files it has
# itself written to tmp. No other domain in this file can write
# abrt_tmp_t, but any interface in abrt.if that hands out write access to
# it would turn into code execution as abrt_t -- keep that in mind.
can_exec(abrt_t, abrt_tmp_t)

# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
# Directories created directly under /var/spool also get the cache type.
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)

# abrt pid files
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })

kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
# Read-write on kernel sysctls, not just read. Presumably needed to
# install the crash hook through /proc/sys/kernel/core_pattern -- confirm.
# If so, note that pipe core_pattern handlers are started by the kernel
# as root, so write access here is effectively root-equivalent and this
# line deserves scrutiny whenever the policy is widened.
kernel_rw_kernel_sysctl(abrt_t)

# Reporter programs are external binaries and shell scripts run in abrt_t.
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)

corenet_all_recvfrom_netlabel(abrt_t)
corenet_all_recvfrom_unlabeled(abrt_t)
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
corenet_tcp_sendrecv_generic_port(abrt_t)
corenet_tcp_bind_generic_node(abrt_t)
# The http and ftp connect rules are subsumed by connect_all_ports on
# the third line, so the daemon may open outbound TCP connections to any
# port. The evident need is report upload (HTTP/FTP, see the http client
# packet rule). NOTE(review): if uploads to arbitrary ports are not a
# supported configuration, drop connect_all_ports and keep the two
# specific rules rather than the other way round.
corenet_tcp_connect_http_port(abrt_t)
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)

dev_getattr_all_chr_files(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
# dontaudit only: hides raw memory read denials without granting them.
dev_dontaudit_read_raw_memory(abrt_t)

# Process inspection: stat every domain, read the state of every process
# and probe for existence with signull. No kill/ptrace of other domains.
domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)

files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)

fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
# Read-only access to data on filesystems that carry no xattr labels
# (fuse, nfs, other noxattr filesystems).
fs_read_fusefs_files(abrt_t)
fs_read_noxattr_fs_files(abrt_t)
fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)

sysnet_dns_name_resolve(abrt_t)

# Read access to the generic log types, not only abrt_var_log_t;
# presumably so reports can include system log excerpts -- confirm.
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)

# CA certificates, presumably for TLS when uploading reports.
miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)

userdom_dontaudit_read_user_home_content_files(abrt_t)
userdom_dontaudit_read_admin_home_files(abrt_t)

# Off by default (gen_tunable above): when enabled the daemon may create,
# modify and delete files in the public file-transfer directories.
tunable_policy(`abrt_anon_write',`
	miscfiles_manage_public_files(abrt_t)
')

optional_policy(`
	apache_read_modules(abrt_t)
')

# Makes abrt_t a system bus domain; see dbus.if for what that entails.
optional_policy(`
	dbus_system_domain(abrt_t, abrt_exec_t)
')

optional_policy(`
	nis_use_ypbind(abrt_t)
')

# Read-only access to browser plugin files and home content; presumably
# for crash reports of plugin processes -- confirm.
optional_policy(`
	nsplugin_read_rw_files(abrt_t)
	nsplugin_read_home(abrt_t)
')

optional_policy(`
	policykit_dbus_chat(abrt_t)
	policykit_domtrans_auth(abrt_t)
	policykit_read_lib(abrt_t)
	policykit_read_reload(abrt_t)
')

# NOTE(review): corecmd_exec_all_executables() is far broader than the
# prelink use case this block is keyed on -- it lets abrt_t run every
# executable type on the system in its own domain. If it is only there to
# re-run crashed binaries under a tool, document that need (and consider
# whether it belongs outside this optional block); otherwise narrow it.
optional_policy(`
	prelink_exec(abrt_t)
	libs_exec_ld_so(abrt_t)
	corecmd_exec_all_executables(abrt_t)
')

# to install debuginfo packages
# rpm_exec(), unlike a domtrans interface, presumably runs rpm in abrt_t
# itself, which is why the daemon needs the cache and pid file access
# below; writes to the rpm database are only dontaudited, not granted.
optional_policy(`
	rpm_exec(abrt_t)
	rpm_dontaudit_manage_db(abrt_t)
	rpm_manage_cache(abrt_t)
	rpm_manage_pid_files(abrt_t)
	rpm_read_db(abrt_t)
	rpm_signull(abrt_t)
')

# to run mailx plugin
# Transitions into the sendmail domain rather than running the MTA as abrt_t.
optional_policy(`
	sendmail_domtrans(abrt_t)
')

optional_policy(`
	sosreport_domtrans(abrt_t)
	sosreport_read_tmp_files(abrt_t)
	sosreport_delete_tmp_files(abrt_t)
')

optional_policy(`
	sssd_stream_connect(abrt_t)
')

########################################
#
# abrt-helper local policy
#
# abrt_helper_t is the helper application that, per its declaration
# comment, gives other domains a way to handle /var/cache/abrt. It gets
# full management of abrt_var_cache_t but only read access to the config
# and pid types, and has no network or exec rules of its own in this file.
#

# No dac_override or setuid here, unlike the daemon: the helper keeps
# the identity it was started with.
allow abrt_helper_t self:capability { chown setgid sys_nice };
allow abrt_helper_t self:process signal;

read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)

files_search_spool(abrt_helper_t)
manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })

read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)

# Same process-inspection read access as the daemon (state of every
# domain). NOTE(review): if the helper only ever looks at the process
# that invoked it, this could be narrowed.
domain_read_all_domains_state(abrt_helper_t)

files_read_etc_files(abrt_helper_t)
# dontaudit only: hides denials on descriptors leaked from whatever
# started the helper; grants nothing.
files_dontaudit_all_non_security_leaks(abrt_helper_t)

fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)

auth_use_nsswitch(abrt_helper_t)

logging_send_syslog_msg(abrt_helper_t)

miscfiles_read_localization(abrt_helper_t)

term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)

# Build-time option used by distribution policies. Everything in this
# block is dontaudit: it hides denial noise from leaked descriptors
# (block and character devices, user home and tmp files, anon inodes)
# without granting access. Presumably these are descriptors the crashing
# process had open when the helper was started in its place -- confirm.
ifdef(`hide_broken_symptoms',`
	domain_dontaudit_leaks(abrt_helper_t)
	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
	dev_dontaudit_read_all_blk_files(abrt_helper_t)
	dev_dontaudit_read_all_chr_files(abrt_helper_t)
	dev_dontaudit_write_all_chr_files(abrt_helper_t)
	dev_dontaudit_write_all_blk_files(abrt_helper_t)
	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)

	optional_policy(`
		rpm_dontaudit_leaks(abrt_helper_t)
	')
')

# Unlike the block above, this one grants real access, and to abrt_t (the
# daemon), not the helper. domain:file write covers files labelled with
# any domain type, which in practice means the per-process /proc/<pid>/
# entries of every process; together with setrlimit on every domain this
# lets the daemon change resource limits and writable /proc settings of
# arbitrary processes. NOTE(review): the intended target is presumably
# the crashing process (core size limit or similar) -- confirm, and if so
# consider a dedicated interface restricted to that use instead of the
# domain attribute. Only active when hide_broken_symptoms is defined.
ifdef(`hide_broken_symptoms',`
	gen_require(`
		attribute domain;
	')

	allow abrt_t self:capability sys_resource;
	allow abrt_t domain:file write;
	allow abrt_t domain:process setrlimit;
')