policy_module(efsutils, 1.0.0)

########################################
#
# Declarations
#

# Domain for the efsutils daemon and the entry-point type for its binary.
# init_daemon_domain() lets init transition into efsutils_t when it executes
# a file labelled efsutils_exec_t. The file-context (.fc) entries that apply
# these labels are not part of this file.
type efsutils_t;
type efsutils_exec_t;
init_daemon_domain(efsutils_t, efsutils_exec_t)

# Type for the daemon's own log files (managed by the rules further below).
type efsutils_log_t;
logging_log_file(efsutils_log_t)

# Type for the daemon's systemd unit file.
type efsutils_unit_file_t;
systemd_unit_file(efsutils_unit_file_t)

########################################
#
# efsutils local policy
#
# IPC restricted to the domain itself: pipes and unix stream sockets.
allow efsutils_t self:fifo_file rw_fifo_file_perms;
allow efsutils_t self:unix_stream_socket create_stream_socket_perms;

# Full management of the daemon's own log dirs/files/symlinks, plus a
# default type transition so objects it creates under the log location are
# labelled efsutils_log_t instead of the generic log type.
manage_dirs_pattern(efsutils_t, efsutils_log_t, efsutils_log_t)
manage_files_pattern(efsutils_t, efsutils_log_t, efsutils_log_t)
manage_lnk_files_pattern(efsutils_t, efsutils_log_t, efsutils_log_t)
logging_log_filetrans(efsutils_t, efsutils_log_t, { dir file lnk_file })

# Use file descriptors inherited from interactive sessions (e.g. when the
# daemon is started from a terminal rather than by init).
domain_use_interactive_fds(efsutils_t)

files_read_etc_files(efsutils_t)

miscfiles_read_localization(efsutils_t)

########################################
#
# Custom policy
#
# Socket and process permissions on the domain itself.
# The tcp_socket rule includes bind/listen/accept as well as connect, i.e.
# the daemon both accepts and initiates TCP connections.
allow efsutils_t self:netlink_route_socket { bind create getattr nlmsg_read };
allow efsutils_t self:process getpgid;
allow efsutils_t self:tcp_socket { accept bind connect create getattr getopt listen setopt shutdown };
allow efsutils_t self:unix_dgram_socket { connect create };

auth_read_passwd_file(efsutils_t)
# Execute and map generic bin_t programs; no domain transition is declared
# here, so anything run from bin_t keeps running as efsutils_t.
corecmd_exec_bin(efsutils_t)
corecmd_mmap_bin_files(efsutils_t)
# NOTE(review): these allow binding to any generic node and any generic
# port rather than a specific port type. If the listening port is fixed, a
# dedicated port type (or an existing corenet_tcp_bind_*_port interface)
# would narrow this — confirm which port the daemon listens on.
corenet_tcp_bind_generic_node(efsutils_t)
corenet_tcp_bind_generic_port(efsutils_t)
corenet_tcp_connect_nfs_port(efsutils_t)
dev_read_sysfs(efsutils_t)
files_rw_pid_dirs(efsutils_t)
# Read-only view of NFS mounts: filesystem getattr and directory listing.
fs_getattr_nfs(efsutils_t)
fs_list_nfs(efsutils_t)
# Datagram send to the kernel, /dev/log creation and the syslog pid file —
# presumably the daemon's syslog path; verify against the code.
kernel_dgram_send(efsutils_t)
logging_create_devlog_dev(efsutils_t)
logging_read_syslog_pid(efsutils_t)
# Read access to the generic certificate store — presumably for TLS; confirm.
miscfiles_read_generic_certs(efsutils_t)
miscfiles_search_generic_cert_dirs(efsutils_t)
sysnet_read_config(efsutils_t)

# to be replaced by custom type - efsutils_var_run_t and corresponding rules
# NOTE(review): until that happens, the two *_all_pids interfaces below grant
# delete/manage over every pid-file type on the system, not only this
# daemon's runtime files. The replacement would be a dedicated type with
# files_pid_file(), manage_*_pattern rules for it, files_pid_filetrans(),
# and matching .fc entries for the daemon's runtime path.
# allow efsutils_t var_run_t:dir rmdir;
files_delete_all_pids(efsutils_t)
# allow efsutils_t var_run_t:file { create getattr ioctl open read rename setattr unlink write };
files_manage_all_pids(efsutils_t)
# Read access to files labelled unconfined_t. The two commented rules show
# the original intent: directory search plus file getattr/open/read.
# NOTE(review): this is broad; if the files in question can be given a
# narrower label, a type-specific read rule would be preferable — confirm
# which files trigger the denial.
#allow efsutils_t unconfined_t:dir search;
#allow efsutils_t unconfined_t:file { getattr open read };
optional_policy(`
unconfined_read_files(efsutils_t)
')
# Allow running stunnel from this domain; the commented rule used
# execute_no_trans, i.e. presumably no transition to a stunnel domain.
# Note the commented rule names `efs-utils_t`, which does not match the
# declared type efsutils_t (and '-' is not valid in a type name).
#allow efs-utils_t stunnel_exec_t:file { execute execute_no_trans map open read };
optional_policy(`
stunnel_exec(efsutils_t)
')