+++ /dev/null
-## <summary>giFT peer to peer file sharing tool</summary>
-
-############################################################
-## <summary>
-## Role access for gift
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## User domain for the role
-## </summary>
-## </param>
-#
-interface(`gift_role',`
- gen_require(`
- type gift_t, gift_exec_t;
- type giftd_t, giftd_exec_t;
- type gift_home_t;
- ')
-
- role $1 types { gift_t giftd_t };
-
- # transition from user domain
- domtrans_pattern($2, gift_exec_t, gift_t)
- domtrans_pattern($2, giftd_exec_t, giftd_t)
-
- # user managed content
- manage_dirs_pattern($2, gift_home_t, gift_home_t)
- manage_files_pattern($2, gift_home_t, gift_home_t)
- manage_lnk_files_pattern($2, gift_home_t, gift_home_t)
- relabel_dirs_pattern($2, gift_home_t, gift_home_t)
- relabel_files_pattern($2, gift_home_t, gift_home_t)
- relabel_lnk_files_pattern($2, gift_home_t, gift_home_t)
-
- # Allow the user domain to signal/ps.
- ps_process_pattern($2, { gift_t giftd_t })
- allow $2 { gift_t giftd_t }:process signal_perms;
-')
+++ /dev/null
-policy_module(gift, 2.2.0)
-
-########################################
-#
-# Declarations
-#
-
-type gift_t;
-type gift_exec_t;
-typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t };
-typealias gift_t alias { auditadm_gift_t secadm_gift_t };
-application_domain(gift_t, gift_exec_t)
-ubac_constrained(gift_t)
-
-type gift_home_t;
-typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
-typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
-userdom_user_home_content(gift_home_t)
-
-type gift_tmpfs_t;
-typealias gift_tmpfs_t alias { user_gift_tmpfs_t staff_gift_tmpfs_t sysadm_gift_tmpfs_t };
-typealias gift_tmpfs_t alias { auditadm_gift_tmpfs_t secadm_gift_tmpfs_t };
-files_tmpfs_file(gift_tmpfs_t)
-ubac_constrained(gift_tmpfs_t)
-
-type giftd_t;
-type giftd_exec_t;
-typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t };
-typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t };
-application_domain(giftd_t, giftd_exec_t)
-ubac_constrained(giftd_t)
-
-##############################
-#
-# giFT user interface local policy
-#
-
-allow gift_t self:tcp_socket create_socket_perms;
-
-manage_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
-manage_lnk_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
-manage_fifo_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
-manage_sock_files_pattern(gift_t, gift_tmpfs_t, gift_tmpfs_t)
-fs_tmpfs_filetrans(gift_t, gift_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-manage_dirs_pattern(gift_t, gift_home_t, gift_home_t)
-manage_files_pattern(gift_t, gift_home_t, gift_home_t)
-manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t)
-userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
-
-# Launch gift daemon
-domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
-
-# Read /proc/meminfo
-kernel_read_system_state(gift_t)
-
-# Connect to gift daemon
-corenet_all_recvfrom_unlabeled(gift_t)
-corenet_all_recvfrom_netlabel(gift_t)
-corenet_tcp_sendrecv_generic_if(gift_t)
-corenet_tcp_sendrecv_generic_node(gift_t)
-corenet_tcp_sendrecv_giftd_port(gift_t)
-corenet_tcp_connect_giftd_port(gift_t)
-corenet_sendrecv_giftd_client_packets(gift_t)
-
-fs_search_auto_mountpoints(gift_t)
-
-sysnet_read_config(gift_t)
-
-# giftui looks in .icons, .themes.
-userdom_dontaudit_read_user_home_content_files(gift_t)
-
-userdom_home_manager(gift_t)
-
-optional_policy(`
- nscd_socket_use(gift_t)
-')
-
-optional_policy(`
- xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
-')
-
-##############################
-#
-# giFT server local policy
-#
-
-allow giftd_t self:process { signal setsched };
-allow giftd_t self:unix_stream_socket create_socket_perms;
-allow giftd_t self:tcp_socket create_stream_socket_perms;
-allow giftd_t self:udp_socket create_socket_perms;
-
-manage_dirs_pattern(giftd_t, gift_home_t, gift_home_t)
-manage_files_pattern(giftd_t, gift_home_t, gift_home_t)
-manage_lnk_files_pattern(giftd_t, gift_home_t, gift_home_t)
-userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir)
-
-kernel_read_system_state(giftd_t)
-kernel_read_kernel_sysctls(giftd_t)
-
-# Serve content on various p2p networks. Ports can be random.
-corenet_all_recvfrom_unlabeled(giftd_t)
-corenet_all_recvfrom_netlabel(giftd_t)
-corenet_tcp_sendrecv_generic_if(giftd_t)
-corenet_udp_sendrecv_generic_if(giftd_t)
-corenet_tcp_sendrecv_generic_node(giftd_t)
-corenet_udp_sendrecv_generic_node(giftd_t)
-corenet_tcp_sendrecv_all_ports(giftd_t)
-corenet_udp_sendrecv_all_ports(giftd_t)
-corenet_tcp_bind_generic_node(giftd_t)
-corenet_udp_bind_generic_node(giftd_t)
-corenet_tcp_bind_all_ports(giftd_t)
-corenet_udp_bind_all_ports(giftd_t)
-corenet_tcp_connect_all_ports(giftd_t)
-corenet_sendrecv_all_client_packets(giftd_t)
-
-files_read_usr_files(giftd_t)
-# Read /etc/mtab
-files_read_etc_runtime_files(giftd_t)
-
-miscfiles_read_localization(giftd_t)
-
-sysnet_read_config(giftd_t)
-
-userdom_use_inherited_user_terminals(giftd_t)
-userdom_home_manager(gitd_t)
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-network_port(giftd, tcp,1213,s0)
network_port(git, tcp,9418,s0, udp,9418,s0)
network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
projects / people / stevee / selinux-policy.git / commitdiff
