[people/stevee/selinux-policy.git] / policy / modules / services / abrt.te

policy_module(abrt, 1.2.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow ABRT to modify public files
##	used for public file transfer services.
##	</p>
## </desc>
gen_tunable(abrt_anon_write, false)

type abrt_t;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)

type abrt_initrc_exec_t;
init_script_file(abrt_initrc_exec_t)

# etc files
type abrt_etc_t;
files_config_file(abrt_etc_t)

# log files
type abrt_var_log_t;
logging_log_file(abrt_var_log_t)

# tmp files
type abrt_tmp_t;
files_tmp_file(abrt_tmp_t)

# var/cache files
type abrt_var_cache_t;
files_type(abrt_var_cache_t)

# pid files
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)

type abrt_dump_oops_t;
type abrt_dump_oops_exec_t;
init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)

permissive abrt_dump_oops_t;

# type needed to allow all domains
# to handle /var/cache/abrt
type abrt_helper_t;
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')

#
# Support for ABRT retrace server
#

type abrt_retrace_worker_t;
type abrt_retrace_worker_exec_t;
application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
role system_r types abrt_retrace_worker_t;

type abrt_retrace_coredump_t;
type abrt_retrace_coredump_exec_t;
application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
role system_r types abrt_retrace_coredump_t;

permissive abrt_retrace_worker_exec_t;
permissive abrt_retrace_coredump_t;

type abrt_retrace_cache_t;
files_type(abrt_retrace_cache_t)

type abrt_retrace_spool_t;
files_spool_file(abrt_retrace_spool_t)

########################################
#
# abrt local policy
#

allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
dontaudit abrt_t self:capability sys_rawio;
allow abrt_t self:process { sigkill signal signull setsched getsched };

allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
allow abrt_t self:udp_socket create_socket_perms;
allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;

# abrt etc files
list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)

# log file
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)

# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
can_exec(abrt_t, abrt_tmp_t)

# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)

# abrt pid files
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })

kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)

corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)

corenet_all_recvfrom_netlabel(abrt_t)
corenet_all_recvfrom_unlabeled(abrt_t)
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
corenet_tcp_sendrecv_generic_port(abrt_t)
corenet_tcp_bind_generic_node(abrt_t)
corenet_tcp_connect_http_port(abrt_t)
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)

dev_getattr_all_chr_files(abrt_t)
dev_read_rand(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)

domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)

files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)

fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
fs_read_fusefs_files(abrt_t)
fs_read_noxattr_fs_files(abrt_t)
fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)

sysnet_dns_name_resolve(abrt_t)

logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)

miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)

userdom_dontaudit_read_user_home_content_files(abrt_t)
userdom_dontaudit_read_admin_home_files(abrt_t)

tunable_policy(`abrt_anon_write',`
	miscfiles_manage_public_files(abrt_t)
')

optional_policy(`
	apache_list_modules(abrt_t)
	apache_read_modules(abrt_t)
')

optional_policy(`
	dbus_system_domain(abrt_t, abrt_exec_t)
')

optional_policy(`
	nis_use_ypbind(abrt_t)
')

optional_policy(`
	nsplugin_read_rw_files(abrt_t)
	nsplugin_read_home(abrt_t)
')

optional_policy(`
	policykit_dbus_chat(abrt_t)
	policykit_domtrans_auth(abrt_t)
	policykit_read_lib(abrt_t)
	policykit_read_reload(abrt_t)
')

optional_policy(`
	prelink_exec(abrt_t)
	libs_exec_ld_so(abrt_t)
	corecmd_exec_all_executables(abrt_t)
')

# to install debuginfo packages
optional_policy(`
	rpm_exec(abrt_t)
	rpm_dontaudit_manage_db(abrt_t)
	rpm_manage_cache(abrt_t)
	rpm_manage_log(abrt_t)
	rpm_manage_pid_files(abrt_t)
	rpm_read_db(abrt_t)
	rpm_signull(abrt_t)
')

# to run mailx plugin
optional_policy(`
	sendmail_domtrans(abrt_t)
')

optional_policy(`
	sosreport_domtrans(abrt_t)
	sosreport_read_tmp_files(abrt_t)
	sosreport_delete_tmp_files(abrt_t)
')

optional_policy(`
	sssd_stream_connect(abrt_t)
')

########################################
#
# abrt-helper local policy
#

allow abrt_helper_t self:capability { chown setgid sys_nice };
allow abrt_helper_t self:process signal;

read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)

files_search_spool(abrt_helper_t)
manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })

read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)

corecmd_read_all_executables(abrt_helper_t)

domain_read_all_domains_state(abrt_helper_t)

files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)

fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)

auth_use_nsswitch(abrt_helper_t)

logging_send_syslog_msg(abrt_helper_t)

miscfiles_read_localization(abrt_helper_t)

term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)

ifdef(`hide_broken_symptoms',`
	domain_dontaudit_leaks(abrt_helper_t)
	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
	dev_dontaudit_read_all_blk_files(abrt_helper_t)
	dev_dontaudit_read_all_chr_files(abrt_helper_t)
	dev_dontaudit_write_all_chr_files(abrt_helper_t)
	dev_dontaudit_write_all_blk_files(abrt_helper_t)
	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)

	optional_policy(`
		rpm_dontaudit_leaks(abrt_helper_t)
	')
')

ifdef(`hide_broken_symptoms',`
	gen_require(`
		attribute domain;
	')

	allow abrt_t self:capability sys_resource;
	allow abrt_t domain:file write;
	allow abrt_t domain:process setrlimit;
')

#######################################
#
# abrt retrace coredump policy
#

allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;

list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)

list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)

kernel_read_system_state(abrt_retrace_coredump_t)

corecmd_exec_bin(abrt_retrace_coredump_t)
corecmd_exec_shell(abrt_retrace_coredump_t)

dev_read_urand(abrt_retrace_coredump_t)

files_read_etc_files(abrt_retrace_coredump_t)
files_read_usr_files(abrt_retrace_coredump_t)

logging_send_syslog_msg(abrt_retrace_coredump_t)

miscfiles_read_localization(abrt_retrace_coredump_t)

sysnet_dns_name_resolve(abrt_retrace_coredump_t)

# to install debuginfo packages
optional_policy(`
	rpm_exec(abrt_retrace_coredump_t)
	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
	rpm_manage_cache(abrt_retrace_coredump_t)
	rpm_manage_log(abrt_retrace_coredump_t)
	rpm_manage_pid_files(abrt_retrace_coredump_t)
	rpm_read_db(abrt_retrace_coredump_t)
	rpm_signull(abrt_retrace_coredump_t)
')

#######################################
#
# abrt retrace worker policy
#

allow abrt_retrace_worker_t self:capability { setuid };

allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;

domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl;

manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)

allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms;

can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)

kernel_read_system_state(abrt_retrace_worker_t)

corecmd_exec_bin(abrt_retrace_worker_t)
corecmd_exec_shell(abrt_retrace_worker_t)

dev_read_urand(abrt_retrace_worker_t)

files_read_etc_files(abrt_retrace_worker_t)
files_read_usr_files(abrt_retrace_worker_t)

logging_send_syslog_msg(abrt_retrace_worker_t)

miscfiles_read_localization(abrt_retrace_worker_t)

sysnet_dns_name_resolve(abrt_retrace_worker_t)

optional_policy(`
	mock_domtrans(abrt_retrace_worker_t)
')

########################################
#
# abrt_dump_oops local policy
#

allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;

files_search_spool(abrt_dump_oops_t)
manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })

read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)

domain_use_interactive_fds(abrt_dump_oops_t)

files_read_etc_files(abrt_dump_oops_t)

logging_read_generic_logs(abrt_helper_t)
logging_send_syslog_msg(abrt_dump_oops_t)

miscfiles_read_localization(abrt_dump_oops_t)
Commit	Line	Data
826d0142	1	policy_module(abrt, 1.2.0)
e3a90e35 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
3eaa9939	8	## <desc>
9a0f7994 DG	9	## <p>
	10	## Allow ABRT to modify public files
	11	## used for public file transfer services.
	12	## </p>
3eaa9939 DW	13	## </desc>
	14	gen_tunable(abrt_anon_write, false)
	15
e3a90e35 CP	16	type abrt_t;
	17	type abrt_exec_t;
	18	init_daemon_domain(abrt_t, abrt_exec_t)
	19
	20	type abrt_initrc_exec_t;
	21	init_script_file(abrt_initrc_exec_t)
	22
	23	# etc files
	24	type abrt_etc_t;
	25	files_config_file(abrt_etc_t)
	26
	27	# log files
	28	type abrt_var_log_t;
	29	logging_log_file(abrt_var_log_t)
	30
	31	# tmp files
	32	type abrt_tmp_t;
	33	files_tmp_file(abrt_tmp_t)
	34
	35	# var/cache files
	36	type abrt_var_cache_t;
	37	files_type(abrt_var_cache_t)
	38
	39	# pid files
	40	type abrt_var_run_t;
	41	files_pid_file(abrt_var_run_t)
	42
21fd3a28 DW	43	type abrt_dump_oops_t;
	44	type abrt_dump_oops_exec_t;
	45	init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
	46
	47	permissive abrt_dump_oops_t;
	48
1b2f08ea CP	49	# type needed to allow all domains
	50	# to handle /var/cache/abrt
	51	type abrt_helper_t;
	52	type abrt_helper_exec_t;
	53	application_domain(abrt_helper_t, abrt_helper_exec_t)
	54	role system_r types abrt_helper_t;
	55
	56	ifdef(`enable_mcs',`
	57	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
	58	')
	59
6795d321 MG	60	#
	61	# Support for ABRT retrace server
	62	#
	63
	64	type abrt_retrace_worker_t;
	65	type abrt_retrace_worker_exec_t;
	66	application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
	67	role system_r types abrt_retrace_worker_t;
	68
	69	type abrt_retrace_coredump_t;
	70	type abrt_retrace_coredump_exec_t;
	71	application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
	72	role system_r types abrt_retrace_coredump_t;
	73
	74	permissive abrt_retrace_worker_exec_t;
	75	permissive abrt_retrace_coredump_t;
	76
	77	type abrt_retrace_cache_t;
	78	files_type(abrt_retrace_cache_t)
	79
9dd53ce4	80	type abrt_retrace_spool_t;
0059652b	81	files_spool_file(abrt_retrace_spool_t)
9dd53ce4	82
e3a90e35 CP	83	########################################
	84	#
	85	# abrt local policy
	86	#
	87
362793cb	88	allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
1b2f08ea	89	dontaudit abrt_t self:capability sys_rawio;
3eaa9939	90	allow abrt_t self:process { sigkill signal signull setsched getsched };
e3a90e35 CP	91
	92	allow abrt_t self:fifo_file rw_fifo_file_perms;
	93	allow abrt_t self:tcp_socket create_stream_socket_perms;
	94	allow abrt_t self:udp_socket create_socket_perms;
	95	allow abrt_t self:unix_dgram_socket create_socket_perms;
	96	allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
	97
	98	# abrt etc files
95985585	99	list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
e3a90e35 CP	100	rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
	101
	102	# log file
	103	manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
	104	logging_log_filetrans(abrt_t, abrt_var_log_t, file)
	105
1b2f08ea	106	# abrt tmp files
e3a90e35 CP	107	manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
	108	manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
	109	files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
3eaa9939	110	can_exec(abrt_t, abrt_tmp_t)
e3a90e35 CP	111
	112	# abrt var/cache files
	113	manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
	114	manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
1b2f08ea	115	manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
e3a90e35	116	files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
b5212295	117	files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
e3a90e35 CP	118
	119	# abrt pid files
	120	manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
	121	manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
b5212295	122	manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
1b2f08ea	123	manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
3eaa9939	124	files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
e3a90e35 CP	125
	126	kernel_read_ring_buffer(abrt_t)
	127	kernel_read_system_state(abrt_t)
	128	kernel_rw_kernel_sysctl(abrt_t)
	129
	130	corecmd_exec_bin(abrt_t)
	131	corecmd_exec_shell(abrt_t)
1b2f08ea	132	corecmd_read_all_executables(abrt_t)
e3a90e35	133
cd173453 DG	134	corenet_all_recvfrom_netlabel(abrt_t)
cd173453 DG	135	corenet_all_recvfrom_unlabeled(abrt_t)
cd173453 DG	136	corenet_tcp_sendrecv_generic_if(abrt_t)
	137	corenet_tcp_sendrecv_generic_node(abrt_t)
	138	corenet_tcp_sendrecv_generic_port(abrt_t)
1b2f08ea CP	139	corenet_tcp_bind_generic_node(abrt_t)
	140	corenet_tcp_connect_http_port(abrt_t)
	141	corenet_tcp_connect_ftp_port(abrt_t)
	142	corenet_tcp_connect_all_ports(abrt_t)
	143	corenet_sendrecv_http_client_packets(abrt_t)
	144
1b2f08ea	145	dev_getattr_all_chr_files(abrt_t)
9ca17b9f	146	dev_read_rand(abrt_t)
e3a90e35	147	dev_read_urand(abrt_t)
1b2f08ea CP	148	dev_rw_sysfs(abrt_t)
	149	dev_dontaudit_read_raw_memory(abrt_t)
	150
	151	domain_getattr_all_domains(abrt_t)
	152	domain_read_all_domains_state(abrt_t)
	153	domain_signull_all_domains(abrt_t)
e3a90e35 CP	154
e3a90e35 CP	155	files_getattr_all_files(abrt_t)
8effc8a7	156	files_read_config_files(abrt_t)
6a074ab5	157	files_read_etc_runtime_files(abrt_t)
1b2f08ea CP	158	files_read_var_symlinks(abrt_t)
1b2f08ea CP	159	files_read_var_lib_files(abrt_t)
e3a90e35	160	files_read_usr_files(abrt_t)
1b2f08ea CP	161	files_read_generic_tmp_files(abrt_t)
	162	files_read_kernel_modules(abrt_t)
	163	files_dontaudit_list_default(abrt_t)
	164	files_dontaudit_read_default_files(abrt_t)
3eaa9939 DW	165	files_dontaudit_read_all_symlinks(abrt_t)
3eaa9939 DW	166	files_dontaudit_getattr_all_sockets(abrt_t)
e3a90e35 CP	167
	168	fs_list_inotifyfs(abrt_t)
	169	fs_getattr_all_fs(abrt_t)
	170	fs_getattr_all_dirs(abrt_t)
1b2f08ea CP	171	fs_read_fusefs_files(abrt_t)
	172	fs_read_noxattr_fs_files(abrt_t)
	173	fs_read_nfs_files(abrt_t)
	174	fs_read_nfs_symlinks(abrt_t)
	175	fs_search_all(abrt_t)
e3a90e35	176
3eaa9939	177	sysnet_dns_name_resolve(abrt_t)
e3a90e35 CP	178
	179	logging_read_generic_logs(abrt_t)
	180	logging_send_syslog_msg(abrt_t)
	181
83406219	182	miscfiles_read_generic_certs(abrt_t)
e3a90e35 CP	183	miscfiles_read_localization(abrt_t)
e3a90e35 CP	184
1b2f08ea	185	userdom_dontaudit_read_user_home_content_files(abrt_t)
3eaa9939 DW	186	userdom_dontaudit_read_admin_home_files(abrt_t)
	187
	188	tunable_policy(`abrt_anon_write',`
9a0f7994	189	miscfiles_manage_public_files(abrt_t)
3eaa9939 DW	190	')
	191
	192	optional_policy(`
cc6210eb	193	apache_list_modules(abrt_t)
3eaa9939 DW	194	apache_read_modules(abrt_t)
3eaa9939 DW	195	')
e3a90e35 CP	196
e3a90e35 CP	197	optional_policy(`
1b2f08ea	198	dbus_system_domain(abrt_t, abrt_exec_t)
e3a90e35 CP	199	')
e3a90e35 CP	200
e3a90e35	201	optional_policy(`
1b2f08ea CP	202	nis_use_ypbind(abrt_t)
	203	')
	204
	205	optional_policy(`
3eaa9939 DW	206	nsplugin_read_rw_files(abrt_t)
	207	nsplugin_read_home(abrt_t)
	208	')
	209
	210	optional_policy(`
9a0f7994	211	policykit_dbus_chat(abrt_t)
1b2f08ea CP	212	policykit_domtrans_auth(abrt_t)
	213	policykit_read_lib(abrt_t)
	214	policykit_read_reload(abrt_t)
	215	')
	216
b5212295 CP	217	optional_policy(`
	218	prelink_exec(abrt_t)
	219	libs_exec_ld_so(abrt_t)
	220	corecmd_exec_all_executables(abrt_t)
	221	')
	222
1b2f08ea CP	223	# to install debuginfo packages
	224	optional_policy(`
	225	rpm_exec(abrt_t)
	226	rpm_dontaudit_manage_db(abrt_t)
	227	rpm_manage_cache(abrt_t)
57ce3836	228	rpm_manage_log(abrt_t)
1b2f08ea CP	229	rpm_manage_pid_files(abrt_t)
	230	rpm_read_db(abrt_t)
	231	rpm_signull(abrt_t)
e3a90e35 CP	232	')
	233
	234	# to run mailx plugin
	235	optional_policy(`
	236	sendmail_domtrans(abrt_t)
	237	')
1b2f08ea	238
3eaa9939 DW	239	optional_policy(`
	240	sosreport_domtrans(abrt_t)
	241	sosreport_read_tmp_files(abrt_t)
	242	sosreport_delete_tmp_files(abrt_t)
	243	')
	244
1b2f08ea CP	245	optional_policy(`
	246	sssd_stream_connect(abrt_t)
	247	')
	248
	249	########################################
	250	#
9a0f7994	251	# abrt-helper local policy
1b2f08ea CP	252	#
1b2f08ea CP	253
b5212295	254	allow abrt_helper_t self:capability { chown setgid sys_nice };
1b2f08ea CP	255	allow abrt_helper_t self:process signal;
	256
	257	read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
	258
b5212295	259	files_search_spool(abrt_helper_t)
1b2f08ea CP	260	manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
	261	manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
	262	manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
	263	files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
	264
	265	read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
	266	read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
	267
622f03c6 DW	268	corecmd_read_all_executables(abrt_helper_t)
622f03c6 DW	269
1b2f08ea CP	270	domain_read_all_domains_state(abrt_helper_t)
	271
	272	files_read_etc_files(abrt_helper_t)
3eaa9939	273	files_dontaudit_all_non_security_leaks(abrt_helper_t)
1b2f08ea CP	274
	275	fs_list_inotifyfs(abrt_helper_t)
	276	fs_getattr_all_fs(abrt_helper_t)
	277
	278	auth_use_nsswitch(abrt_helper_t)
	279
	280	logging_send_syslog_msg(abrt_helper_t)
	281
	282	miscfiles_read_localization(abrt_helper_t)
	283
	284	term_dontaudit_use_all_ttys(abrt_helper_t)
	285	term_dontaudit_use_all_ptys(abrt_helper_t)
	286
9a0f7994	287	ifdef(`hide_broken_symptoms',`
3eaa9939	288	domain_dontaudit_leaks(abrt_helper_t)
1b2f08ea CP	289	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
	290	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
	291	dev_dontaudit_read_all_blk_files(abrt_helper_t)
	292	dev_dontaudit_read_all_chr_files(abrt_helper_t)
	293	dev_dontaudit_write_all_chr_files(abrt_helper_t)
	294	dev_dontaudit_write_all_blk_files(abrt_helper_t)
	295	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
ef521e99 DG	296
	297	optional_policy(`
	298	rpm_dontaudit_leaks(abrt_helper_t)
	299	')
1b2f08ea	300	')
3eaa9939	301
9a0f7994	302	ifdef(`hide_broken_symptoms',`
3eaa9939	303	gen_require(`
9a0f7994	304	attribute domain;
3eaa9939 DW	305	')
3eaa9939 DW	306
9a0f7994	307	allow abrt_t self:capability sys_resource;
3eaa9939 DW	308	allow abrt_t domain:file write;
	309	allow abrt_t domain:process setrlimit;
	310	')
6795d321 MG	311
	312	#######################################
	313	#
	314	# abrt retrace coredump policy
	315	#
	316
	317	allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
	318
9dd53ce4 MG	319	list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
	320	read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
	321	read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
	322
	323	list_dirs_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
	324	read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
	325	read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
	326
6795d321 MG	327	kernel_read_system_state(abrt_retrace_coredump_t)
	328
	329	corecmd_exec_bin(abrt_retrace_coredump_t)
	330	corecmd_exec_shell(abrt_retrace_coredump_t)
	331
	332	dev_read_urand(abrt_retrace_coredump_t)
	333
	334	files_read_etc_files(abrt_retrace_coredump_t)
	335	files_read_usr_files(abrt_retrace_coredump_t)
	336
	337	logging_send_syslog_msg(abrt_retrace_coredump_t)
	338
	339	miscfiles_read_localization(abrt_retrace_coredump_t)
	340
	341	sysnet_dns_name_resolve(abrt_retrace_coredump_t)
	342
	343	# to install debuginfo packages
	344	optional_policy(`
	345	rpm_exec(abrt_retrace_coredump_t)
	346	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
	347	rpm_manage_cache(abrt_retrace_coredump_t)
	348	rpm_manage_log(abrt_retrace_coredump_t)
	349	rpm_manage_pid_files(abrt_retrace_coredump_t)
	350	rpm_read_db(abrt_retrace_coredump_t)
	351	rpm_signull(abrt_retrace_coredump_t)
9bf5a594	352	')
6795d321 MG	353
	354	#######################################
	355	#
	356	# abrt retrace worker policy
	357	#
	358
	359	allow abrt_retrace_worker_t self:capability { setuid };
	360
	361	allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
	362
	363	domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
	364	allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl;
	365
9dd53ce4 MG	366	manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
	367	manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
	368	manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
6795d321	369
fceb08fe	370	allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms;
6795d321 MG	371
	372	can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
	373
	374	kernel_read_system_state(abrt_retrace_worker_t)
	375
	376	corecmd_exec_bin(abrt_retrace_worker_t)
	377	corecmd_exec_shell(abrt_retrace_worker_t)
	378
	379	dev_read_urand(abrt_retrace_worker_t)
	380
	381	files_read_etc_files(abrt_retrace_worker_t)
	382	files_read_usr_files(abrt_retrace_worker_t)
	383
	384	logging_send_syslog_msg(abrt_retrace_worker_t)
	385
	386	miscfiles_read_localization(abrt_retrace_worker_t)
	387
	388	sysnet_dns_name_resolve(abrt_retrace_worker_t)
	389
	390	optional_policy(`
	391	mock_domtrans(abrt_retrace_worker_t)
	392	')
21fd3a28 DW	393
	394	########################################
	395	#
	396	# abrt_dump_oops local policy
	397	#
	398
	399	allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
	400	allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
	401
	402	files_search_spool(abrt_dump_oops_t)
	403	manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
	404	manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
	405	manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
	406	files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
	407
	408	read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
	409	read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
	410
	411	domain_use_interactive_fds(abrt_dump_oops_t)
	412
	413	files_read_etc_files(abrt_dump_oops_t)
	414
98a1cb30	415	logging_read_generic_logs(abrt_helper_t)
21fd3a28 DW	416	logging_send_syslog_msg(abrt_dump_oops_t)
	417
	418	miscfiles_read_localization(abrt_dump_oops_t)