add abrt from dan.
[people/stevee/selinux-policy.git] / policy / modules / services / abrt.te
1
# SELinux policy module for the abrt daemon. This section declares the module
# and every type the daemon uses: its process domain, its entry point, its
# init script and one private type per class of data file.
2 policy_module(abrt, 1.0.0)
3
4 ########################################
5 #
6 # Declarations
7 #
8
# abrt_t is the confined process domain and abrt_exec_t labels the daemon
# executable; init_daemon_domain ties the two together for a daemon started
# from init, so the process enters abrt_t when the executable is run.
9 type abrt_t;
10 type abrt_exec_t;
11 init_daemon_domain(abrt_t, abrt_exec_t)
12
# Label for the init script that starts and stops the daemon.
13 type abrt_initrc_exec_t;
14 init_script_file(abrt_initrc_exec_t)
15
16 # etc files: private type for the daemon configuration
17 type abrt_etc_t;
18 files_config_file(abrt_etc_t)
19
20 # log files: private type so abrt logs are separated from generic logs
21 type abrt_var_log_t;
22 logging_log_file(abrt_var_log_t)
23
24 # tmp files: private type for objects the daemon creates in temp directories
25 type abrt_tmp_t;
26 files_tmp_file(abrt_tmp_t)
27
28 # var/cache files: declared only as a generic file type via files_type
# NOTE(review): presumably this holds collected crash data, which can contain
# process memory from other domains - confirm which domains may read it.
29 type abrt_var_cache_t;
30 files_type(abrt_var_cache_t)
31
32 # pid files: private type for runtime state
33 type abrt_var_run_t;
34 files_pid_file(abrt_var_run_t)
35
36 ########################################
37 #
38 # abrt local policy
39 #
40
# Permissions abrt_t holds on itself: capabilities, process controls and the
# socket classes it may create.
# NOTE(review): dac_override lets the daemon bypass discretionary file
# permission checks and setuid/setgid let it change identity. SELinux type
# rules still apply, but these capabilities widen what a compromised abrt_t
# can do inside the types this policy allows - confirm each one is required.
41 allow abrt_t self:capability { setuid setgid sys_nice dac_override };
# Signal its own processes and query or change its own scheduling.
42 allow abrt_t self:process { signal signull setsched getsched };
43
# Own pipes for talking to helper processes.
44 allow abrt_t self:fifo_file rw_fifo_file_perms;
# TCP and UDP sockets; the only outbound port grant visible in this module is
# the http port connect further below.
45 allow abrt_t self:tcp_socket create_stream_socket_perms;
46 allow abrt_t self:udp_socket create_socket_perms;
# Datagram unix socket, used for example when sending to syslog.
47 allow abrt_t self:unix_dgram_socket create_socket_perms;
# Read-only netlink route queries.
48 allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
49
# Access to the private file types of the daemon, plus the type transitions
# that make newly created objects receive those private labels.
50 # abrt etc files: read and write existing config files, no create or delete
# NOTE(review): write access means a compromised daemon could persistently
# change its own configuration - confirm the daemon really rewrites these
# files, otherwise read-only access would be enough.
51 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
52
53 # log file: full management of its own logs; files created in the generic
# log directory are labelled abrt_var_log_t by the transition below
54 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
55 logging_log_filetrans(abrt_t, abrt_var_log_t, file)
56
57 # abrt tmp files: files and directories created in temp directories get
# abrt_tmp_t, keeping them apart from temp files of other domains
58 manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
59 manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
60 files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
61
62 # abrt var/cache files
# NOTE(review): files_var_filetrans applies to anything abrt_t creates in a
# directory labelled with the generic var type, not only under a cache
# directory - confirm that scope is intended.
63 manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
64 manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
65 files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
66
67 # abrt pid files: runtime files and directories get abrt_var_run_t
68 manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
69 manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
70 files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
71
# Access abrt_t is granted to resources owned by other policy modules.
# Kernel: read the kernel message buffer and /proc system state, and read and
# write kernel sysctls.
# NOTE(review): sysctl write access is sensitive; presumably it exists so the
# daemon can register its core dump handler - confirm, and check whether a
# narrower grant is available.
72 kernel_read_ring_buffer(abrt_t)
73 kernel_read_system_state(abrt_t)
74 kernel_rw_kernel_sysctl(abrt_t)
75
# Execute generic binaries and shells WITHOUT a domain transition, so every
# helper or script started this way runs with the full abrt_t permission set.
76 corecmd_exec_bin(abrt_t)
77 corecmd_exec_shell(abrt_t)
78
# Outbound TCP connections are limited to ports labelled as http.
79 corenet_tcp_connect_http_port(abrt_t)
80
81 dev_read_urand(abrt_t)
82
# getattr on every file type lets the daemon stat any file on the system;
# this exposes metadata only, not file contents.
83 files_getattr_all_files(abrt_t)
84 files_read_etc_files(abrt_t)
85 files_read_usr_files(abrt_t)
86
87 fs_list_inotifyfs(abrt_t)
88 fs_getattr_all_fs(abrt_t)
89 fs_getattr_all_dirs(abrt_t)
90
# Read network configuration such as resolver settings.
91 sysnet_read_config(abrt_t)
92
# Read generic system logs and send its own messages to syslog.
93 logging_read_generic_logs(abrt_t)
94 logging_send_syslog_msg(abrt_t)
95
# Certificates are readable, presumably for TLS on the http connection.
96 miscfiles_read_certs(abrt_t)
97 miscfiles_read_localization(abrt_t)
98
99 # to run bugzilla plugin
100 # read ~/.abrt/Bugzilla.conf
# NOTE(review): this grants read on all generic user home content files, which
# is far broader than the single config file named above and can expose user
# documents to the daemon. A dedicated type for the abrt directory in the home
# directory would narrow it - TODO confirm whether that is feasible here.
101 userdom_read_user_home_content_files(abrt_t)
102
# Optional grants, each applied only when the named policy module is present.
# System D-Bus: connect to the bus and act as a client on it.
103 optional_policy(`
104 dbus_connect_system_bus(abrt_t)
105 dbus_system_bus_client(abrt_t)
106 ')
107
108 # to install debuginfo packages
# NOTE(review): abrt_t may manage the RPM database and transition into the rpm
# domain, which is one of the most privileged domains on the system. Anything
# that controls abrt_t can therefore reach package installation - confirm the
# transition is needed and consider a dedicated, narrower helper domain.
109 optional_policy(`
110 rpm_manage_db(abrt_t)
111 rpm_domtrans(abrt_t)
112 ')
113
114 # to run mailx plugin
# The mail helper runs in the sendmail domain after a transition rather than
# inside abrt_t, so it gets the sendmail permission set, not the abrt one.
115 optional_policy(`
116 sendmail_domtrans(abrt_t)
117 ')
117 ')