debian-selinux-policies/policy/modules/murmur.te

policy_module(murmur, 0.1.9)

########################################
#
# Declarations
#

attribute_role murmur_roles;

type murmur_t;
type murmur_exec_t;
init_daemon_domain(murmur_t, murmur_exec_t)
role murmur_roles types murmur_t;

type murmur_etc_t;
files_config_file(murmur_etc_t)

type murmur_initrc_exec_t;
init_script_file(murmur_initrc_exec_t)

type murmur_var_log_t;
logging_log_file(murmur_var_log_t)

type murmur_var_run_t;
files_pid_file(murmur_var_run_t)

type murmur_tmp_t;
files_tmp_file(murmur_tmp_t)

type murmur_var_lib_t;
files_type(murmur_var_lib_t)

########################################
#
# Local policy
#

allow murmur_t self:process { signal getsched setsched };
allow murmur_t self:fifo_file rw_fifo_file_perms;

allow murmur_t self:tcp_socket { getattr setopt getopt bind create listen read write accept };
allow murmur_t self:udp_socket { getattr setopt getopt bind create listen read write accept };
allow murmur_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow murmur_t self:unix_dgram_socket { create ioctl };

allow murmur_t murmur_etc_t:file read_file_perms;
allow murmur_t murmur_etc_t:lnk_file read_lnk_file_perms;

manage_dirs_pattern(murmur_t, murmur_var_log_t, murmur_var_log_t)
append_files_pattern(murmur_t, murmur_var_log_t, murmur_var_log_t)
create_files_pattern(murmur_t, murmur_var_log_t, murmur_var_log_t)
setattr_files_pattern(murmur_t, murmur_var_log_t, murmur_var_log_t)
logging_log_filetrans(murmur_t, murmur_var_log_t, file)

manage_dirs_pattern(murmur_t, murmur_var_run_t, murmur_var_run_t)
manage_files_pattern(murmur_t, murmur_var_run_t, murmur_var_run_t)
files_pid_filetrans(murmur_t, murmur_var_run_t, { file dir })

allow murmur_t murmur_tmp_t:file manage_file_perms;
files_tmp_filetrans(murmur_t, murmur_tmp_t, file)

manage_dirs_pattern(murmur_t, murmur_var_lib_t, murmur_var_lib_t)
manage_files_pattern(murmur_t, murmur_var_lib_t, murmur_var_lib_t)
type_transition murmur_t murmur_var_lib_t:file murmur_var_lib_t;

corecmd_exec_bin(murmur_t)

miscfiles_read_all_certs(murmur_t)

files_read_config_files(murmur_t)

fs_getattr_xattr_fs(murmur_t)

miscfiles_read_localization(murmur_t)

corenet_tcp_bind_generic_node(murmur_t)
corenet_udp_bind_generic_node(murmur_t)

kernel_read_system_state(murmur_t)
kernel_read_network_state(murmur_t)

dbus_all_session_bus_client(murmur_t)
dbus_system_bus_client(murmur_t)

corenet_tcp_bind_all_unreserved_ports(murmur_t)
corenet_udp_bind_all_unreserved_ports(murmur_t)

dev_read_urand(murmur_t)

files_getattr_usr_files(murmur_t)
files_read_usr_files(murmur_t)

dev_read_sysfs(murmur_t)