]>
Commit | Line | Data |
---|---|---|
826d0142 | 1 | policy_module(abrt, 1.2.0) |
e3a90e35 CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
3eaa9939 | 8 | ## <desc> |
9a0f7994 DG |
9 | ## <p> |
10 | ## Allow ABRT to modify public files | |
11 | ## used for public file transfer services. | |
12 | ## </p> | |
3eaa9939 DW |
13 | ## </desc> |
14 | gen_tunable(abrt_anon_write, false) | |
15 | ||
e3a90e35 CP |
16 | type abrt_t; |
17 | type abrt_exec_t; | |
18 | init_daemon_domain(abrt_t, abrt_exec_t) | |
19 | ||
20 | type abrt_initrc_exec_t; | |
21 | init_script_file(abrt_initrc_exec_t) | |
22 | ||
23 | # etc files | |
24 | type abrt_etc_t; | |
25 | files_config_file(abrt_etc_t) | |
26 | ||
27 | # log files | |
28 | type abrt_var_log_t; | |
29 | logging_log_file(abrt_var_log_t) | |
30 | ||
31 | # tmp files | |
32 | type abrt_tmp_t; | |
33 | files_tmp_file(abrt_tmp_t) | |
34 | ||
35 | # var/cache files | |
36 | type abrt_var_cache_t; | |
37 | files_type(abrt_var_cache_t) | |
38 | ||
39 | # pid files | |
40 | type abrt_var_run_t; | |
41 | files_pid_file(abrt_var_run_t) | |
42 | ||
1b2f08ea CP |
43 | # type needed to allow all domains |
44 | # to handle /var/cache/abrt | |
45 | type abrt_helper_t; | |
46 | type abrt_helper_exec_t; | |
47 | application_domain(abrt_helper_t, abrt_helper_exec_t) | |
48 | role system_r types abrt_helper_t; | |
49 | ||
50 | ifdef(`enable_mcs',` | |
51 | init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) | |
52 | ') | |
53 | ||
6795d321 MG |
54 | # |
55 | # Support for ABRT retrace server | |
56 | # | |
57 | ||
58 | type abrt_retrace_worker_t; | |
59 | type abrt_retrace_worker_exec_t; | |
60 | application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) | |
61 | role system_r types abrt_retrace_worker_t; | |
62 | ||
63 | type abrt_retrace_coredump_t; | |
64 | type abrt_retrace_coredump_exec_t; | |
65 | application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t) | |
66 | role system_r types abrt_retrace_coredump_t; | |
67 | ||
68 | permissive abrt_retrace_worker_exec_t; | |
69 | permissive abrt_retrace_coredump_t; | |
70 | ||
71 | type abrt_retrace_cache_t; | |
72 | files_type(abrt_retrace_cache_t) | |
73 | ||
e3a90e35 CP |
74 | ######################################## |
75 | # | |
76 | # abrt local policy | |
77 | # | |
78 | ||
7ff6452e | 79 | allow abrt_t self:capability { fowner chown kill setuid setgid sys_nice dac_override }; |
1b2f08ea | 80 | dontaudit abrt_t self:capability sys_rawio; |
3eaa9939 | 81 | allow abrt_t self:process { sigkill signal signull setsched getsched }; |
e3a90e35 CP |
82 | |
83 | allow abrt_t self:fifo_file rw_fifo_file_perms; | |
84 | allow abrt_t self:tcp_socket create_stream_socket_perms; | |
85 | allow abrt_t self:udp_socket create_socket_perms; | |
86 | allow abrt_t self:unix_dgram_socket create_socket_perms; | |
87 | allow abrt_t self:netlink_route_socket r_netlink_socket_perms; | |
88 | ||
89 | # abrt etc files | |
95985585 | 90 | list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t) |
e3a90e35 CP |
91 | rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) |
92 | ||
93 | # log file | |
94 | manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) | |
95 | logging_log_filetrans(abrt_t, abrt_var_log_t, file) | |
96 | ||
1b2f08ea | 97 | # abrt tmp files |
e3a90e35 CP |
98 | manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) |
99 | manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) | |
100 | files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) | |
3eaa9939 | 101 | can_exec(abrt_t, abrt_tmp_t) |
e3a90e35 CP |
102 | |
103 | # abrt var/cache files | |
104 | manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) | |
105 | manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) | |
1b2f08ea | 106 | manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) |
e3a90e35 | 107 | files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir }) |
b5212295 | 108 | files_spool_filetrans(abrt_t, abrt_var_cache_t, dir) |
e3a90e35 CP |
109 | |
110 | # abrt pid files | |
111 | manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) | |
112 | manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) | |
b5212295 | 113 | manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) |
1b2f08ea | 114 | manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) |
3eaa9939 | 115 | files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file }) |
e3a90e35 CP |
116 | |
117 | kernel_read_ring_buffer(abrt_t) | |
118 | kernel_read_system_state(abrt_t) | |
119 | kernel_rw_kernel_sysctl(abrt_t) | |
120 | ||
121 | corecmd_exec_bin(abrt_t) | |
122 | corecmd_exec_shell(abrt_t) | |
1b2f08ea | 123 | corecmd_read_all_executables(abrt_t) |
e3a90e35 | 124 | |
cd173453 DG |
125 | corenet_all_recvfrom_netlabel(abrt_t) |
126 | corenet_all_recvfrom_unlabeled(abrt_t) | |
cd173453 DG |
127 | corenet_tcp_sendrecv_generic_if(abrt_t) |
128 | corenet_tcp_sendrecv_generic_node(abrt_t) | |
129 | corenet_tcp_sendrecv_generic_port(abrt_t) | |
1b2f08ea CP |
130 | corenet_tcp_bind_generic_node(abrt_t) |
131 | corenet_tcp_connect_http_port(abrt_t) | |
132 | corenet_tcp_connect_ftp_port(abrt_t) | |
133 | corenet_tcp_connect_all_ports(abrt_t) | |
134 | corenet_sendrecv_http_client_packets(abrt_t) | |
135 | ||
1b2f08ea | 136 | dev_getattr_all_chr_files(abrt_t) |
e3a90e35 | 137 | dev_read_urand(abrt_t) |
1b2f08ea CP |
138 | dev_rw_sysfs(abrt_t) |
139 | dev_dontaudit_read_raw_memory(abrt_t) | |
140 | ||
141 | domain_getattr_all_domains(abrt_t) | |
142 | domain_read_all_domains_state(abrt_t) | |
143 | domain_signull_all_domains(abrt_t) | |
e3a90e35 CP |
144 | |
145 | files_getattr_all_files(abrt_t) | |
8effc8a7 | 146 | files_read_config_files(abrt_t) |
6a074ab5 | 147 | files_read_etc_runtime_files(abrt_t) |
1b2f08ea CP |
148 | files_read_var_symlinks(abrt_t) |
149 | files_read_var_lib_files(abrt_t) | |
e3a90e35 | 150 | files_read_usr_files(abrt_t) |
1b2f08ea CP |
151 | files_read_generic_tmp_files(abrt_t) |
152 | files_read_kernel_modules(abrt_t) | |
153 | files_dontaudit_list_default(abrt_t) | |
154 | files_dontaudit_read_default_files(abrt_t) | |
3eaa9939 DW |
155 | files_dontaudit_read_all_symlinks(abrt_t) |
156 | files_dontaudit_getattr_all_sockets(abrt_t) | |
e3a90e35 CP |
157 | |
158 | fs_list_inotifyfs(abrt_t) | |
159 | fs_getattr_all_fs(abrt_t) | |
160 | fs_getattr_all_dirs(abrt_t) | |
1b2f08ea CP |
161 | fs_read_fusefs_files(abrt_t) |
162 | fs_read_noxattr_fs_files(abrt_t) | |
163 | fs_read_nfs_files(abrt_t) | |
164 | fs_read_nfs_symlinks(abrt_t) | |
165 | fs_search_all(abrt_t) | |
e3a90e35 | 166 | |
3eaa9939 | 167 | sysnet_dns_name_resolve(abrt_t) |
e3a90e35 CP |
168 | |
169 | logging_read_generic_logs(abrt_t) | |
170 | logging_send_syslog_msg(abrt_t) | |
171 | ||
83406219 | 172 | miscfiles_read_generic_certs(abrt_t) |
e3a90e35 CP |
173 | miscfiles_read_localization(abrt_t) |
174 | ||
1b2f08ea | 175 | userdom_dontaudit_read_user_home_content_files(abrt_t) |
3eaa9939 DW |
176 | userdom_dontaudit_read_admin_home_files(abrt_t) |
177 | ||
178 | tunable_policy(`abrt_anon_write',` | |
9a0f7994 | 179 | miscfiles_manage_public_files(abrt_t) |
3eaa9939 DW |
180 | ') |
181 | ||
182 | optional_policy(` | |
183 | apache_read_modules(abrt_t) | |
184 | ') | |
e3a90e35 CP |
185 | |
186 | optional_policy(` | |
1b2f08ea | 187 | dbus_system_domain(abrt_t, abrt_exec_t) |
e3a90e35 CP |
188 | ') |
189 | ||
e3a90e35 | 190 | optional_policy(` |
1b2f08ea CP |
191 | nis_use_ypbind(abrt_t) |
192 | ') | |
193 | ||
194 | optional_policy(` | |
3eaa9939 DW |
195 | nsplugin_read_rw_files(abrt_t) |
196 | nsplugin_read_home(abrt_t) | |
197 | ') | |
198 | ||
199 | optional_policy(` | |
9a0f7994 | 200 | policykit_dbus_chat(abrt_t) |
1b2f08ea CP |
201 | policykit_domtrans_auth(abrt_t) |
202 | policykit_read_lib(abrt_t) | |
203 | policykit_read_reload(abrt_t) | |
204 | ') | |
205 | ||
b5212295 CP |
206 | optional_policy(` |
207 | prelink_exec(abrt_t) | |
208 | libs_exec_ld_so(abrt_t) | |
209 | corecmd_exec_all_executables(abrt_t) | |
210 | ') | |
211 | ||
1b2f08ea CP |
212 | # to install debuginfo packages |
213 | optional_policy(` | |
214 | rpm_exec(abrt_t) | |
215 | rpm_dontaudit_manage_db(abrt_t) | |
216 | rpm_manage_cache(abrt_t) | |
57ce3836 | 217 | rpm_manage_log(abrt_t) |
1b2f08ea CP |
218 | rpm_manage_pid_files(abrt_t) |
219 | rpm_read_db(abrt_t) | |
220 | rpm_signull(abrt_t) | |
e3a90e35 CP |
221 | ') |
222 | ||
223 | # to run mailx plugin | |
224 | optional_policy(` | |
225 | sendmail_domtrans(abrt_t) | |
226 | ') | |
1b2f08ea | 227 | |
3eaa9939 DW |
228 | optional_policy(` |
229 | sosreport_domtrans(abrt_t) | |
230 | sosreport_read_tmp_files(abrt_t) | |
231 | sosreport_delete_tmp_files(abrt_t) | |
232 | ') | |
233 | ||
1b2f08ea CP |
234 | optional_policy(` |
235 | sssd_stream_connect(abrt_t) | |
236 | ') | |
237 | ||
238 | ######################################## | |
239 | # | |
9a0f7994 | 240 | # abrt-helper local policy |
1b2f08ea CP |
241 | # |
242 | ||
b5212295 | 243 | allow abrt_helper_t self:capability { chown setgid sys_nice }; |
1b2f08ea CP |
244 | allow abrt_helper_t self:process signal; |
245 | ||
246 | read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t) | |
247 | ||
b5212295 | 248 | files_search_spool(abrt_helper_t) |
1b2f08ea CP |
249 | manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) |
250 | manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) | |
251 | manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) | |
252 | files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) | |
253 | ||
254 | read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) | |
255 | read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) | |
256 | ||
257 | domain_read_all_domains_state(abrt_helper_t) | |
258 | ||
259 | files_read_etc_files(abrt_helper_t) | |
3eaa9939 | 260 | files_dontaudit_all_non_security_leaks(abrt_helper_t) |
1b2f08ea CP |
261 | |
262 | fs_list_inotifyfs(abrt_helper_t) | |
263 | fs_getattr_all_fs(abrt_helper_t) | |
264 | ||
265 | auth_use_nsswitch(abrt_helper_t) | |
266 | ||
267 | logging_send_syslog_msg(abrt_helper_t) | |
268 | ||
269 | miscfiles_read_localization(abrt_helper_t) | |
270 | ||
271 | term_dontaudit_use_all_ttys(abrt_helper_t) | |
272 | term_dontaudit_use_all_ptys(abrt_helper_t) | |
273 | ||
9a0f7994 | 274 | ifdef(`hide_broken_symptoms',` |
3eaa9939 | 275 | domain_dontaudit_leaks(abrt_helper_t) |
1b2f08ea CP |
276 | userdom_dontaudit_read_user_home_content_files(abrt_helper_t) |
277 | userdom_dontaudit_read_user_tmp_files(abrt_helper_t) | |
278 | dev_dontaudit_read_all_blk_files(abrt_helper_t) | |
279 | dev_dontaudit_read_all_chr_files(abrt_helper_t) | |
280 | dev_dontaudit_write_all_chr_files(abrt_helper_t) | |
281 | dev_dontaudit_write_all_blk_files(abrt_helper_t) | |
282 | fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) | |
ef521e99 DG |
283 | |
284 | optional_policy(` | |
285 | rpm_dontaudit_leaks(abrt_helper_t) | |
286 | ') | |
1b2f08ea | 287 | ') |
3eaa9939 | 288 | |
9a0f7994 | 289 | ifdef(`hide_broken_symptoms',` |
3eaa9939 | 290 | gen_require(` |
9a0f7994 | 291 | attribute domain; |
3eaa9939 DW |
292 | ') |
293 | ||
9a0f7994 | 294 | allow abrt_t self:capability sys_resource; |
3eaa9939 DW |
295 | allow abrt_t domain:file write; |
296 | allow abrt_t domain:process setrlimit; | |
297 | ') | |
6795d321 MG |
298 | |
299 | ####################################### | |
300 | # | |
301 | # abrt retrace coredump policy | |
302 | # | |
303 | ||
304 | allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; | |
305 | ||
306 | kernel_read_system_state(abrt_retrace_coredump_t) | |
307 | ||
308 | corecmd_exec_bin(abrt_retrace_coredump_t) | |
309 | corecmd_exec_shell(abrt_retrace_coredump_t) | |
310 | ||
311 | dev_read_urand(abrt_retrace_coredump_t) | |
312 | ||
313 | files_read_etc_files(abrt_retrace_coredump_t) | |
314 | files_read_usr_files(abrt_retrace_coredump_t) | |
315 | ||
316 | logging_send_syslog_msg(abrt_retrace_coredump_t) | |
317 | ||
318 | miscfiles_read_localization(abrt_retrace_coredump_t) | |
319 | ||
320 | sysnet_dns_name_resolve(abrt_retrace_coredump_t) | |
321 | ||
322 | # to install debuginfo packages | |
323 | optional_policy(` | |
324 | rpm_exec(abrt_retrace_coredump_t) | |
325 | rpm_dontaudit_manage_db(abrt_retrace_coredump_t) | |
326 | rpm_manage_cache(abrt_retrace_coredump_t) | |
327 | rpm_manage_log(abrt_retrace_coredump_t) | |
328 | rpm_manage_pid_files(abrt_retrace_coredump_t) | |
329 | rpm_read_db(abrt_retrace_coredump_t) | |
330 | rpm_signull(abrt_retrace_coredump_t) | |
9bf5a594 | 331 | ') |
6795d321 MG |
332 | |
333 | ####################################### | |
334 | # | |
335 | # abrt retrace worker policy | |
336 | # | |
337 | ||
338 | allow abrt_retrace_worker_t self:capability { setuid }; | |
339 | ||
340 | allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; | |
341 | ||
342 | domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) | |
343 | allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl; | |
344 | ||
345 | manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t) | |
346 | manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t) | |
347 | manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t) | |
348 | ||
349 | allow abrt_retrace_worker_t abrt_etc_t:file r_file_perms; | |
350 | ||
351 | can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t) | |
352 | ||
353 | kernel_read_system_state(abrt_retrace_worker_t) | |
354 | ||
355 | corecmd_exec_bin(abrt_retrace_worker_t) | |
356 | corecmd_exec_shell(abrt_retrace_worker_t) | |
357 | ||
358 | dev_read_urand(abrt_retrace_worker_t) | |
359 | ||
360 | files_read_etc_files(abrt_retrace_worker_t) | |
361 | files_read_usr_files(abrt_retrace_worker_t) | |
362 | ||
363 | logging_send_syslog_msg(abrt_retrace_worker_t) | |
364 | ||
365 | miscfiles_read_localization(abrt_retrace_worker_t) | |
366 | ||
367 | sysnet_dns_name_resolve(abrt_retrace_worker_t) | |
368 | ||
369 | optional_policy(` | |
370 | mock_domtrans(abrt_retrace_worker_t) | |
371 | ') |