# Declarations
#
+attribute boinc_domain;
+
type boinc_t;
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
type boinc_project_var_lib_t;
files_type(boinc_project_var_lib_t)
+#######################################
+#
+# boinc domain local policy
+#
+
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
+allow boinc_domain self:sem create_sem_perms;
+
+# needs read /proc/interrupts
+kernel_read_system_state(boinc_domain)
+
+corecmd_exec_bin(boinc_domain)
+corecmd_exec_shell(boinc_domain)
+
+dev_read_rand(boinc_domain)
+dev_read_urand(boinc_domain)
+dev_read_sysfs(boinc_domain)
+
+domain_read_all_domains_state(boinc_domain)
+
+files_read_etc_files(boinc_domain)
+files_read_etc_runtime_files(boinc_domain)
+files_read_usr_files(boinc_domain)
+
+miscfiles_read_fonts(boinc_domain)
+miscfiles_read_localization(boinc_domain)
+
+optional_policy(`
+ sysnet_dns_name_resolve(boinc_domain)
+')
+
########################################
#
# boinc local policy
allow boinc_t self:capability { kill };
allow boinc_t self:process { setsched sigkill };
-allow boinc_t self:fifo_file rw_fifo_file_perms;
allow boinc_t self:unix_stream_socket create_stream_socket_perms;
allow boinc_t self:tcp_socket create_stream_socket_perms;
-allow boinc_t self:sem create_sem_perms;
allow boinc_t self:shm create_shm_perms;
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
-# needs read /proc/interrupts
-kernel_read_system_state(boinc_t)
-
files_getattr_all_dirs(boinc_t)
files_getattr_all_files(boinc_t)
-corecmd_exec_bin(boinc_t)
-corecmd_exec_shell(boinc_t)
-
corenet_all_recvfrom_unlabeled(boinc_t)
corenet_all_recvfrom_netlabel(boinc_t)
corenet_tcp_sendrecv_generic_if(boinc_t)
corenet_tcp_connect_http_port(boinc_t)
corenet_tcp_connect_http_cache_port(boinc_t)
-dev_list_sysfs(boinc_t)
-dev_read_rand(boinc_t)
-dev_read_urand(boinc_t)
-dev_read_sysfs(boinc_t)
-
-domain_read_all_domains_state(boinc_t)
-
files_dontaudit_getattr_boot_dirs(boinc_t)
-files_read_etc_files(boinc_t)
-files_read_usr_files(boinc_t)
-
fs_getattr_all_fs(boinc_t)
term_getattr_all_ptys(boinc_t)
init_read_utmp(boinc_t)
-miscfiles_read_localization(boinc_t)
-miscfiles_read_generic_certs(boinc_t)
-
logging_send_syslog_msg(boinc_t)
-sysnet_dns_name_resolve(boinc_t)
-
-mta_send_mail(boinc_t)
+optional_policy(`
+ mta_send_mail(boinc_t)
+')
########################################
#
allow boinc_project_t self:process ptrace;
')
-allow boinc_project_t self:fifo_file rw_fifo_file_perms;
-allow boinc_project_t self:sem create_sem_perms;
-
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file })
list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t)
-kernel_read_system_state(boinc_project_t)
kernel_read_kernel_sysctls(boinc_project_t)
kernel_search_vm_sysctl(boinc_project_t)
kernel_read_network_state(boinc_project_t)
-corecmd_exec_bin(boinc_project_t)
-corecmd_exec_shell(boinc_project_t)
-
corenet_tcp_connect_boinc_port(boinc_project_t)
-domain_read_all_domains_state(boinc_project_t)
-
-dev_read_rand(boinc_project_t)
-dev_read_urand(boinc_project_t)
-dev_read_sysfs(boinc_project_t)
dev_rw_xserver_misc(boinc_project_t)
-files_read_etc_files(boinc_project_t)
-files_read_etc_runtime_files(boinc_project_t)
-files_read_usr_files(boinc_project_t)
-
-miscfiles_read_fonts(boinc_project_t)
-miscfiles_read_localization(boinc_project_t)
+files_dontaudit_search_home(boinc_project_t)
optional_policy(`
java_exec(boinc_project_t)