# SELinux reference-policy module confining the turnserver daemon.
# It declares the daemon domain (turnserver_t) plus the file types it is
# allowed to read or manage, then grants the socket, capability and file
# permissions listed under "Local policy". Everything else is denied.
policy_module(turnserver, 0.1.9)

########################################
#
# Declarations
#

attribute_role turnserver_roles;

# Daemon domain and the entry-point executable; init_daemon_domain makes
# init/initrc transition into turnserver_t when it runs turnserver_exec_t.
type turnserver_t;
type turnserver_exec_t;
init_daemon_domain(turnserver_t, turnserver_exec_t)

# Configuration files (read-only for the daemon, see read_files_pattern below).
type turnserver_etc_t;
files_config_file(turnserver_etc_t)

# Init script label.
type turnserver_initrc_exec_t;
init_script_file(turnserver_initrc_exec_t)

# PID file(s).
type turnserver_var_run_t;
files_pid_file(turnserver_var_run_t)

# Log files.
type turnserver_var_log_t;
logging_log_file(turnserver_var_log_t)

# Persistent state / data directory.
type turnserver_var_t;
files_type(turnserver_var_t)

# Temporary files.
type turnserver_tmp_t;
files_tmp_file(turnserver_tmp_t)

########################################
#
# Local policy
#

# Listening TCP socket. Note that "accept" for the same self:tcp_socket
# object is granted by a separate rule a few lines down; the two rules are
# additive and could be merged into one permission set.
allow turnserver_t self:tcp_socket { bind create setopt listen };
allow turnserver_t self:udp_socket { getopt create setopt bind };

# CAP_SETUID/CAP_SETGID: these capabilities allow arbitrary uid/gid changes,
# not only dropping privileges. NOTE(review): presumably needed for the
# daemon to switch to an unprivileged user after start-up; confirm that the
# daemon actually does so, otherwise this pair should be removed.
allow turnserver_t self:capability { setuid setgid };
allow turnserver_t self:process signal;
allow turnserver_t self:tcp_socket accept;

# Raw IP socket. "listen" is unusual for a raw socket; NOTE(review): verify
# against an AVC denial that each of these permissions is really exercised.
allow turnserver_t self:rawip_socket { bind create listen setopt };

# Full control over the state directory and its files.
manage_dirs_pattern(turnserver_t, turnserver_var_t, turnserver_var_t)
manage_files_pattern(turnserver_t, turnserver_var_t, turnserver_var_t)
# Files created inside a turnserver_var_t directory get turnserver_var_t.
# New files inherit the parent directory's type by default, so this rule
# only restates the default; it is harmless but not required.
type_transition turnserver_t turnserver_var_t:file turnserver_var_t;

# Configuration is read-only for the daemon.
read_files_pattern(turnserver_t, turnserver_etc_t, turnserver_etc_t)

# PID file under the generic pid directory, labelled on creation.
manage_files_pattern(turnserver_t, turnserver_var_run_t, turnserver_var_run_t)
files_pid_filetrans(turnserver_t, turnserver_var_run_t, file)

# Log files under the generic log directory, labelled on creation.
manage_files_pattern(turnserver_t, turnserver_var_log_t, turnserver_var_log_t)
logging_log_filetrans(turnserver_t, turnserver_var_log_t, file)

# Temporary dirs/files, labelled on creation in the generic tmp directory.
manage_dirs_pattern(turnserver_t,turnserver_tmp_t,turnserver_tmp_t)
manage_files_pattern(turnserver_t,turnserver_tmp_t,turnserver_tmp_t)
files_tmp_filetrans(turnserver_t,turnserver_tmp_t, file)

dev_read_sysfs(turnserver_t)

# Binding to *any* unreserved TCP/UDP port. This is broad: the daemon may
# bind every port above the reserved range. NOTE(review): if the deployment
# uses a fixed listening port and relay port range, binding only to a
# dedicated labelled port type would be tighter; whether that is practical
# depends on the port range configured, which this file does not show.
corenet_tcp_bind_all_unreserved_ports(turnserver_t)
corenet_udp_bind_all_unreserved_ports(turnserver_t)
corenet_tcp_bind_generic_node(turnserver_t)
corenet_udp_bind_generic_node(turnserver_t)
corenet_raw_bind_generic_node(turnserver_t)

miscfiles_read_localization(turnserver_t)

# Reads /dev/urandom (random material for the daemon).
dev_read_urand(turnserver_t)

# Name-service lookups through nsswitch (users/groups/hosts).
auth_use_nsswitch(turnserver_t)

# Lets the daemon ask the kernel to autoload a module by name.
# NOTE(review): presumably for a protocol-family module; confirm it is
# needed, since it widens what the confined domain can trigger in the kernel.
kernel_request_load_module(turnserver_t)

# Direct allow rule on port_t, the generic type for ports that carry no
# more specific label. Reference-policy convention is to reach port types
# through a corenet_* interface rather than gen_require'ing port_t in a
# service module; NOTE(review): check whether the corenetwork module in use
# offers an interface covering rawip_socket name_bind and prefer it.
optional_policy(`
	gen_require(`
		type port_t;
	')

	allow turnserver_t port_t:rawip_socket name_bind;
')