[people/stevee/selinux-policy.git] / policy / modules / services / abrt.te

policy_module(abrt, 1.2.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow ABRT to modify public files
##	used for public file transfer services.
##	</p>
## </desc>
gen_tunable(abrt_anon_write, false)

type abrt_t;
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)

type abrt_initrc_exec_t;
init_script_file(abrt_initrc_exec_t)

# etc files
type abrt_etc_t;
files_config_file(abrt_etc_t)

# log files
type abrt_var_log_t;
logging_log_file(abrt_var_log_t)

# tmp files
type abrt_tmp_t;
files_tmp_file(abrt_tmp_t)

# var/cache files
type abrt_var_cache_t;
files_type(abrt_var_cache_t)

# pid files
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)

# type needed to allow all domains
# to handle /var/cache/abrt
type abrt_helper_t;
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')

#
# Support for ABRT retrace server
#

type abrt_retrace_worker_t;
type abrt_retrace_worker_exec_t;
application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
role system_r types abrt_retrace_worker_t;

type abrt_retrace_coredump_t;
type abrt_retrace_coredump_exec_t;
application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
role system_r types abrt_retrace_coredump_t;

permissive abrt_retrace_worker_exec_t;
permissive abrt_retrace_coredump_t;

type abrt_retrace_cache_t;
files_type(abrt_retrace_cache_t)

########################################
#
# abrt local policy
#

allow abrt_t self:capability { fowner chown kill setuid setgid sys_nice dac_override };
dontaudit abrt_t self:capability sys_rawio;
allow abrt_t self:process { sigkill signal signull setsched getsched };

allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
allow abrt_t self:udp_socket create_socket_perms;
allow abrt_t self:unix_dgram_socket create_socket_perms;
allow abrt_t self:netlink_route_socket r_netlink_socket_perms;

# abrt etc files
list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)

# log file
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)

# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
can_exec(abrt_t, abrt_tmp_t)

# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)

# abrt pid files
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })

kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)

corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)

corenet_all_recvfrom_netlabel(abrt_t)
corenet_all_recvfrom_unlabeled(abrt_t)
corenet_tcp_sendrecv_generic_if(abrt_t)
corenet_tcp_sendrecv_generic_node(abrt_t)
corenet_tcp_sendrecv_generic_port(abrt_t)
corenet_tcp_bind_generic_node(abrt_t)
corenet_tcp_connect_http_port(abrt_t)
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)

dev_getattr_all_chr_files(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)

domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)

files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)

fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
fs_read_fusefs_files(abrt_t)
fs_read_noxattr_fs_files(abrt_t)
fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)

sysnet_dns_name_resolve(abrt_t)

logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)

miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)

userdom_dontaudit_read_user_home_content_files(abrt_t)
userdom_dontaudit_read_admin_home_files(abrt_t)

tunable_policy(`abrt_anon_write',`
	miscfiles_manage_public_files(abrt_t)
')

optional_policy(`
	apache_read_modules(abrt_t)
')

optional_policy(`
	dbus_system_domain(abrt_t, abrt_exec_t)
')

optional_policy(`
	nis_use_ypbind(abrt_t)
')

optional_policy(`
	nsplugin_read_rw_files(abrt_t)
	nsplugin_read_home(abrt_t)
')

optional_policy(`
	policykit_dbus_chat(abrt_t)
	policykit_domtrans_auth(abrt_t)
	policykit_read_lib(abrt_t)
	policykit_read_reload(abrt_t)
')

optional_policy(`
	prelink_exec(abrt_t)
	libs_exec_ld_so(abrt_t)
	corecmd_exec_all_executables(abrt_t)
')

# to install debuginfo packages
optional_policy(`
	rpm_exec(abrt_t)
	rpm_dontaudit_manage_db(abrt_t)
	rpm_manage_cache(abrt_t)
	rpm_manage_log(abrt_t)
	rpm_manage_pid_files(abrt_t)
	rpm_read_db(abrt_t)
	rpm_signull(abrt_t)
')

# to run mailx plugin
optional_policy(`
	sendmail_domtrans(abrt_t)
')

optional_policy(`
	sosreport_domtrans(abrt_t)
	sosreport_read_tmp_files(abrt_t)
	sosreport_delete_tmp_files(abrt_t)
')

optional_policy(`
	sssd_stream_connect(abrt_t)
')

########################################
#
# abrt-helper local policy
#

allow abrt_helper_t self:capability { chown setgid sys_nice };
allow abrt_helper_t self:process signal;

read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)

files_search_spool(abrt_helper_t)
manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })

read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)

domain_read_all_domains_state(abrt_helper_t)

files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)

fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)

auth_use_nsswitch(abrt_helper_t)

logging_send_syslog_msg(abrt_helper_t)

miscfiles_read_localization(abrt_helper_t)

term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)

ifdef(`hide_broken_symptoms',`
	domain_dontaudit_leaks(abrt_helper_t)
	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
	dev_dontaudit_read_all_blk_files(abrt_helper_t)
	dev_dontaudit_read_all_chr_files(abrt_helper_t)
	dev_dontaudit_write_all_chr_files(abrt_helper_t)
	dev_dontaudit_write_all_blk_files(abrt_helper_t)
	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)

	optional_policy(`
		rpm_dontaudit_leaks(abrt_helper_t)
	')
')

ifdef(`hide_broken_symptoms',`
	gen_require(`
		attribute domain;
	')

	allow abrt_t self:capability sys_resource;
	allow abrt_t domain:file write;
	allow abrt_t domain:process setrlimit;
')

#######################################
#
# abrt retrace coredump policy
#

allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;

kernel_read_system_state(abrt_retrace_coredump_t)

corecmd_exec_bin(abrt_retrace_coredump_t)
corecmd_exec_shell(abrt_retrace_coredump_t)

dev_read_urand(abrt_retrace_coredump_t)

files_read_etc_files(abrt_retrace_coredump_t)
files_read_usr_files(abrt_retrace_coredump_t)

logging_send_syslog_msg(abrt_retrace_coredump_t)

miscfiles_read_localization(abrt_retrace_coredump_t)

sysnet_dns_name_resolve(abrt_retrace_coredump_t)

# to install debuginfo packages
optional_policy(`
	rpm_exec(abrt_retrace_coredump_t)
	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
	rpm_manage_cache(abrt_retrace_coredump_t)
	rpm_manage_log(abrt_retrace_coredump_t)
	rpm_manage_pid_files(abrt_retrace_coredump_t)
	rpm_read_db(abrt_retrace_coredump_t)
	rpm_signull(abrt_retrace_coredump_t)
')

#######################################
#
# abrt retrace worker policy
#

allow abrt_retrace_worker_t self:capability { setuid };

allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;

domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl;

manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t)

allow abrt_retrace_worker_t abrt_etc_t:file r_file_perms;

can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)

kernel_read_system_state(abrt_retrace_worker_t)

corecmd_exec_bin(abrt_retrace_worker_t)
corecmd_exec_shell(abrt_retrace_worker_t)

dev_read_urand(abrt_retrace_worker_t)

files_read_etc_files(abrt_retrace_worker_t)
files_read_usr_files(abrt_retrace_worker_t)

logging_send_syslog_msg(abrt_retrace_worker_t)

miscfiles_read_localization(abrt_retrace_worker_t)

sysnet_dns_name_resolve(abrt_retrace_worker_t)

optional_policy(`
	mock_domtrans(abrt_retrace_worker_t)
')
Commit	Line	Data
826d0142	1	policy_module(abrt, 1.2.0)
e3a90e35 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
3eaa9939	8	## <desc>
9a0f7994 DG	9	## <p>
	10	## Allow ABRT to modify public files
	11	## used for public file transfer services.
	12	## </p>
3eaa9939 DW	13	## </desc>
	14	gen_tunable(abrt_anon_write, false)
	15
e3a90e35 CP	16	type abrt_t;
	17	type abrt_exec_t;
	18	init_daemon_domain(abrt_t, abrt_exec_t)
	19
	20	type abrt_initrc_exec_t;
	21	init_script_file(abrt_initrc_exec_t)
	22
	23	# etc files
	24	type abrt_etc_t;
	25	files_config_file(abrt_etc_t)
	26
	27	# log files
	28	type abrt_var_log_t;
	29	logging_log_file(abrt_var_log_t)
	30
	31	# tmp files
	32	type abrt_tmp_t;
	33	files_tmp_file(abrt_tmp_t)
	34
	35	# var/cache files
	36	type abrt_var_cache_t;
	37	files_type(abrt_var_cache_t)
	38
	39	# pid files
	40	type abrt_var_run_t;
	41	files_pid_file(abrt_var_run_t)
	42
1b2f08ea CP	43	# type needed to allow all domains
	44	# to handle /var/cache/abrt
	45	type abrt_helper_t;
	46	type abrt_helper_exec_t;
	47	application_domain(abrt_helper_t, abrt_helper_exec_t)
	48	role system_r types abrt_helper_t;
	49
	50	ifdef(`enable_mcs',`
	51	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
	52	')
	53
6795d321 MG	54	#
	55	# Support for ABRT retrace server
	56	#
	57
	58	type abrt_retrace_worker_t;
	59	type abrt_retrace_worker_exec_t;
	60	application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
	61	role system_r types abrt_retrace_worker_t;
	62
	63	type abrt_retrace_coredump_t;
	64	type abrt_retrace_coredump_exec_t;
	65	application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
	66	role system_r types abrt_retrace_coredump_t;
	67
	68	permissive abrt_retrace_worker_exec_t;
	69	permissive abrt_retrace_coredump_t;
	70
	71	type abrt_retrace_cache_t;
	72	files_type(abrt_retrace_cache_t)
	73
e3a90e35 CP	74	########################################
	75	#
	76	# abrt local policy
	77	#
	78
7ff6452e	79	allow abrt_t self:capability { fowner chown kill setuid setgid sys_nice dac_override };
1b2f08ea	80	dontaudit abrt_t self:capability sys_rawio;
3eaa9939	81	allow abrt_t self:process { sigkill signal signull setsched getsched };
e3a90e35 CP	82
	83	allow abrt_t self:fifo_file rw_fifo_file_perms;
	84	allow abrt_t self:tcp_socket create_stream_socket_perms;
	85	allow abrt_t self:udp_socket create_socket_perms;
	86	allow abrt_t self:unix_dgram_socket create_socket_perms;
	87	allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
	88
	89	# abrt etc files
95985585	90	list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
e3a90e35 CP	91	rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
	92
	93	# log file
	94	manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
	95	logging_log_filetrans(abrt_t, abrt_var_log_t, file)
	96
1b2f08ea	97	# abrt tmp files
e3a90e35 CP	98	manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
	99	manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
	100	files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
3eaa9939	101	can_exec(abrt_t, abrt_tmp_t)
e3a90e35 CP	102
	103	# abrt var/cache files
	104	manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
	105	manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
1b2f08ea	106	manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
e3a90e35	107	files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
b5212295	108	files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
e3a90e35 CP	109
	110	# abrt pid files
	111	manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
	112	manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
b5212295	113	manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
1b2f08ea	114	manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
3eaa9939	115	files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
e3a90e35 CP	116
	117	kernel_read_ring_buffer(abrt_t)
	118	kernel_read_system_state(abrt_t)
	119	kernel_rw_kernel_sysctl(abrt_t)
	120
	121	corecmd_exec_bin(abrt_t)
	122	corecmd_exec_shell(abrt_t)
1b2f08ea	123	corecmd_read_all_executables(abrt_t)
e3a90e35	124
cd173453 DG	125	corenet_all_recvfrom_netlabel(abrt_t)
cd173453 DG	126	corenet_all_recvfrom_unlabeled(abrt_t)
cd173453 DG	127	corenet_tcp_sendrecv_generic_if(abrt_t)
	128	corenet_tcp_sendrecv_generic_node(abrt_t)
	129	corenet_tcp_sendrecv_generic_port(abrt_t)
1b2f08ea CP	130	corenet_tcp_bind_generic_node(abrt_t)
	131	corenet_tcp_connect_http_port(abrt_t)
	132	corenet_tcp_connect_ftp_port(abrt_t)
	133	corenet_tcp_connect_all_ports(abrt_t)
	134	corenet_sendrecv_http_client_packets(abrt_t)
	135
1b2f08ea	136	dev_getattr_all_chr_files(abrt_t)
e3a90e35	137	dev_read_urand(abrt_t)
1b2f08ea CP	138	dev_rw_sysfs(abrt_t)
	139	dev_dontaudit_read_raw_memory(abrt_t)
	140
	141	domain_getattr_all_domains(abrt_t)
	142	domain_read_all_domains_state(abrt_t)
	143	domain_signull_all_domains(abrt_t)
e3a90e35 CP	144
e3a90e35 CP	145	files_getattr_all_files(abrt_t)
8effc8a7	146	files_read_config_files(abrt_t)
6a074ab5	147	files_read_etc_runtime_files(abrt_t)
1b2f08ea CP	148	files_read_var_symlinks(abrt_t)
1b2f08ea CP	149	files_read_var_lib_files(abrt_t)
e3a90e35	150	files_read_usr_files(abrt_t)
1b2f08ea CP	151	files_read_generic_tmp_files(abrt_t)
	152	files_read_kernel_modules(abrt_t)
	153	files_dontaudit_list_default(abrt_t)
	154	files_dontaudit_read_default_files(abrt_t)
3eaa9939 DW	155	files_dontaudit_read_all_symlinks(abrt_t)
3eaa9939 DW	156	files_dontaudit_getattr_all_sockets(abrt_t)
e3a90e35 CP	157
	158	fs_list_inotifyfs(abrt_t)
	159	fs_getattr_all_fs(abrt_t)
	160	fs_getattr_all_dirs(abrt_t)
1b2f08ea CP	161	fs_read_fusefs_files(abrt_t)
	162	fs_read_noxattr_fs_files(abrt_t)
	163	fs_read_nfs_files(abrt_t)
	164	fs_read_nfs_symlinks(abrt_t)
	165	fs_search_all(abrt_t)
e3a90e35	166
3eaa9939	167	sysnet_dns_name_resolve(abrt_t)
e3a90e35 CP	168
	169	logging_read_generic_logs(abrt_t)
	170	logging_send_syslog_msg(abrt_t)
	171
83406219	172	miscfiles_read_generic_certs(abrt_t)
e3a90e35 CP	173	miscfiles_read_localization(abrt_t)
e3a90e35 CP	174
1b2f08ea	175	userdom_dontaudit_read_user_home_content_files(abrt_t)
3eaa9939 DW	176	userdom_dontaudit_read_admin_home_files(abrt_t)
	177
	178	tunable_policy(`abrt_anon_write',`
9a0f7994	179	miscfiles_manage_public_files(abrt_t)
3eaa9939 DW	180	')
	181
	182	optional_policy(`
	183	apache_read_modules(abrt_t)
	184	')
e3a90e35 CP	185
e3a90e35 CP	186	optional_policy(`
1b2f08ea	187	dbus_system_domain(abrt_t, abrt_exec_t)
e3a90e35 CP	188	')
e3a90e35 CP	189
e3a90e35	190	optional_policy(`
1b2f08ea CP	191	nis_use_ypbind(abrt_t)
	192	')
	193
	194	optional_policy(`
3eaa9939 DW	195	nsplugin_read_rw_files(abrt_t)
	196	nsplugin_read_home(abrt_t)
	197	')
	198
	199	optional_policy(`
9a0f7994	200	policykit_dbus_chat(abrt_t)
1b2f08ea CP	201	policykit_domtrans_auth(abrt_t)
	202	policykit_read_lib(abrt_t)
	203	policykit_read_reload(abrt_t)
	204	')
	205
b5212295 CP	206	optional_policy(`
	207	prelink_exec(abrt_t)
	208	libs_exec_ld_so(abrt_t)
	209	corecmd_exec_all_executables(abrt_t)
	210	')
	211
1b2f08ea CP	212	# to install debuginfo packages
	213	optional_policy(`
	214	rpm_exec(abrt_t)
	215	rpm_dontaudit_manage_db(abrt_t)
	216	rpm_manage_cache(abrt_t)
57ce3836	217	rpm_manage_log(abrt_t)
1b2f08ea CP	218	rpm_manage_pid_files(abrt_t)
	219	rpm_read_db(abrt_t)
	220	rpm_signull(abrt_t)
e3a90e35 CP	221	')
	222
	223	# to run mailx plugin
	224	optional_policy(`
	225	sendmail_domtrans(abrt_t)
	226	')
1b2f08ea	227
3eaa9939 DW	228	optional_policy(`
	229	sosreport_domtrans(abrt_t)
	230	sosreport_read_tmp_files(abrt_t)
	231	sosreport_delete_tmp_files(abrt_t)
	232	')
	233
1b2f08ea CP	234	optional_policy(`
	235	sssd_stream_connect(abrt_t)
	236	')
	237
	238	########################################
	239	#
9a0f7994	240	# abrt-helper local policy
1b2f08ea CP	241	#
1b2f08ea CP	242
b5212295	243	allow abrt_helper_t self:capability { chown setgid sys_nice };
1b2f08ea CP	244	allow abrt_helper_t self:process signal;
	245
	246	read_files_pattern(abrt_helper_t, abrt_etc_t, abrt_etc_t)
	247
b5212295	248	files_search_spool(abrt_helper_t)
1b2f08ea CP	249	manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
	250	manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
	251	manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
	252	files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
	253
	254	read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
	255	read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
	256
	257	domain_read_all_domains_state(abrt_helper_t)
	258
	259	files_read_etc_files(abrt_helper_t)
3eaa9939	260	files_dontaudit_all_non_security_leaks(abrt_helper_t)
1b2f08ea CP	261
	262	fs_list_inotifyfs(abrt_helper_t)
	263	fs_getattr_all_fs(abrt_helper_t)
	264
	265	auth_use_nsswitch(abrt_helper_t)
	266
	267	logging_send_syslog_msg(abrt_helper_t)
	268
	269	miscfiles_read_localization(abrt_helper_t)
	270
	271	term_dontaudit_use_all_ttys(abrt_helper_t)
	272	term_dontaudit_use_all_ptys(abrt_helper_t)
	273
9a0f7994	274	ifdef(`hide_broken_symptoms',`
3eaa9939	275	domain_dontaudit_leaks(abrt_helper_t)
1b2f08ea CP	276	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
	277	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
	278	dev_dontaudit_read_all_blk_files(abrt_helper_t)
	279	dev_dontaudit_read_all_chr_files(abrt_helper_t)
	280	dev_dontaudit_write_all_chr_files(abrt_helper_t)
	281	dev_dontaudit_write_all_blk_files(abrt_helper_t)
	282	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
ef521e99 DG	283
	284	optional_policy(`
	285	rpm_dontaudit_leaks(abrt_helper_t)
	286	')
1b2f08ea	287	')
3eaa9939	288
9a0f7994	289	ifdef(`hide_broken_symptoms',`
3eaa9939	290	gen_require(`
9a0f7994	291	attribute domain;
3eaa9939 DW	292	')
3eaa9939 DW	293
9a0f7994	294	allow abrt_t self:capability sys_resource;
3eaa9939 DW	295	allow abrt_t domain:file write;
	296	allow abrt_t domain:process setrlimit;
	297	')
6795d321 MG	298
	299	#######################################
	300	#
	301	# abrt retrace coredump policy
	302	#
	303
	304	allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
	305
	306	kernel_read_system_state(abrt_retrace_coredump_t)
	307
	308	corecmd_exec_bin(abrt_retrace_coredump_t)
	309	corecmd_exec_shell(abrt_retrace_coredump_t)
	310
	311	dev_read_urand(abrt_retrace_coredump_t)
	312
	313	files_read_etc_files(abrt_retrace_coredump_t)
	314	files_read_usr_files(abrt_retrace_coredump_t)
	315
	316	logging_send_syslog_msg(abrt_retrace_coredump_t)
	317
	318	miscfiles_read_localization(abrt_retrace_coredump_t)
	319
	320	sysnet_dns_name_resolve(abrt_retrace_coredump_t)
	321
	322	# to install debuginfo packages
	323	optional_policy(`
	324	rpm_exec(abrt_retrace_coredump_t)
	325	rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
	326	rpm_manage_cache(abrt_retrace_coredump_t)
	327	rpm_manage_log(abrt_retrace_coredump_t)
	328	rpm_manage_pid_files(abrt_retrace_coredump_t)
	329	rpm_read_db(abrt_retrace_coredump_t)
	330	rpm_signull(abrt_retrace_coredump_t)
9bf5a594	331	')
6795d321 MG	332
	333	#######################################
	334	#
	335	# abrt retrace worker policy
	336	#
	337
	338	allow abrt_retrace_worker_t self:capability { setuid };
	339
	340	allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
	341
	342	domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
	343	allow abrt_retrace_worker_t abrt_retrace_coredump_exec_t:file ioctl;
	344
	345	manage_dirs_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
	346	manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
	347	manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
	348
	349	allow abrt_retrace_worker_t abrt_etc_t:file r_file_perms;
	350
	351	can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
	352
	353	kernel_read_system_state(abrt_retrace_worker_t)
	354
	355	corecmd_exec_bin(abrt_retrace_worker_t)
	356	corecmd_exec_shell(abrt_retrace_worker_t)
	357
	358	dev_read_urand(abrt_retrace_worker_t)
	359
	360	files_read_etc_files(abrt_retrace_worker_t)
	361	files_read_usr_files(abrt_retrace_worker_t)
	362
	363	logging_send_syslog_msg(abrt_retrace_worker_t)
	364
	365	miscfiles_read_localization(abrt_retrace_worker_t)
	366
	367	sysnet_dns_name_resolve(abrt_retrace_worker_t)
	368
	369	optional_policy(`
	370	mock_domtrans(abrt_retrace_worker_t)
	371	')