Home Explore Help
Sign In
Hoshpak
/
debian-selinux-policies
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 246fdd57dd
Branches Tags
debian-selinux-...
/
policy
/
modules
/
apticron.te

apticron.te 2.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100 
  1. policy_module(apticron, 0.1.12)
    2. 

  2. 

  3. #################################
    4. 

  4. #
    5. 

  5. # Declarations
    6. 

  6. #
    7. 

  7. 

  8. attribute_role apticron_roles;
    9. 

  9. 

  10. type apticron_t;
    11. 

  11. type apticron_exec_t;
    12. 

  12. init_system_domain(apticron_t, apticron_exec_t)
    13. 

  13. role apticron_roles types apticron_t;
    14. 

  14. 

  15. type apticron_var_lib_t;
    16. 

  16. files_type(apticron_var_lib_t)
    17. 

  17. 

  18. type apticron_tmp_t;
    19. 

  19. files_tmp_file(apticron_tmp_t)
    20. 

  20. 

  21. type apticron_etc_t;
    22. 

  22. files_config_file(apticron_etc_t)
    23. 

  23. 

  24. ########################################
    25. 

  25. #
    26. 

  26. # Local policy
    27. 

  27. #
    28. 

  28. 

  29. allow apticron_t self:fifo_file { read write ioctl getattr };
    30. 

  30. allow apticron_t self:capability setgid;
    31. 

  31. allow apticron_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
    32. 

  32. allow apticron_t self:tcp_socket { read write create connect setopt };
    33. 

  33. allow apticron_t self:udp_socket { create connect getattr };
    34. 

  34. allow apticron_t self:process { setfscreate setrlimit getsched };
    35. 

  35. 

  36. manage_files_pattern(apticron_t, apticron_tmp_t, apticron_tmp_t)
    37. 

  37. manage_dirs_pattern(apticron_t, apticron_tmp_t, apticron_tmp_t)
    38. 

  38. allow apticron_t apticron_tmp_t:file relabelto;
    39. 

  39. files_tmp_filetrans(apticron_t, apticron_tmp_t, { file dir })
    40. 

  40. 

  41. manage_files_pattern(apticron_t, apticron_var_lib_t, apticron_var_lib_t)
    42. 

  42. files_var_lib_filetrans(apticron_t, apticron_var_lib_t, file)
    43. 

  43. allow apticron_t apticron_var_lib_t:file relabelfrom;
    44. 

  44. 

  45. read_files_pattern(apticron_t, apticron_etc_t, apticron_etc_t)
    46. 

  46. 

  47. apt_domtrans(apticron_t)
    48. 

  48. dpkg_run(apticron_t, apticron_roles)
    49. 

  49. hostname_domtrans(apticron_t)
    50. 

  50. sysnet_domtrans_ifconfig(apticron_t)
    51. 

  51. corecmd_exec_shell(apticron_t)
    52. 

  52. corecmd_exec_bin(apticron_t)
    53. 

  53. miscfiles_read_localization(apticron_t)
    54. 

  54. kernel_read_system_state(apticron_t)
    55. 

  55. fs_getattr_xattr_fs(apticron_t)
    56. 

  56. dev_read_urand(apticron_t)
    57. 

  57. sysnet_read_config(apticron_t)
    58. 

  58. corenet_tcp_connect_smtp_port(apticron_t)
    59. 

  59. 

  60. mta_sendmail_exec(apticron_t)
    61. 

  61. 

  62. gen_require(`
    63. 

  63. 	type apt_var_cache_t;
    64. 

  64. ')
    65. 

  65. allow apticron_t apt_var_cache_t:dir { write read getattr open search };
    66. 

  66. allow apticron_t apt_var_cache_t:file { read getattr open };
    67. 

  67. 

  68. gen_require(`
    69. 

  69. 	type apt_var_lib_t;
    70. 

  70. ')
    71. 

  71. allow apticron_t apt_var_lib_t:dir { read open search getattr };
    72. 

  72. allow apticron_t apt_var_lib_t:file { read ioctl open getattr };
    73. 

  73. 

  74. gen_require(`
    75. 

  75.         type crond_tmp_t;
    76. 

  76. ')
    77. 

  77. allow apticron_t crond_tmp_t:file { read write getattr ioctl };
    78. 

  78. 

  79. gen_require(`
    80. 

  80. 	type etc_t;
    81. 

  81. ')
    82. 

  82. allow apticron_t etc_t:file { read getattr open ioctl };
    83. 

  83. 

  84. gen_require(`
    85. 

  85. 	type usr_t;
    86. 

  86. ')
    87. 

  87. allow apticron_t usr_t:file { read getattr open };
    88. 

  88. allow apticron_t usr_t:dir { read getattr open };
    89. 

  89. 

  90. optional_policy(`
    91. 

  91.         cron_system_entry(apticron_t, apticron_exec_t)
    92. 

  92. ')
    93. 

  93. 

  94. gen_require(`
    95. 

  95.         type dpkg_var_lib_t;
    96. 

  96. ')
    97. 

  97. allow apticron_t dpkg_var_lib_t:file { read getattr open ioctl };
    98. 

  98. allow apticron_t dpkg_var_lib_t:dir { read search open getattr };
    99. 

  99. 

  100.