Hoshpak
/
debian-selinux-policies


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100
							policy_module(apticron, 0.1.12)

#################################
#
# Declarations
#

attribute_role apticron_roles;

type apticron_t;
type apticron_exec_t;
init_system_domain(apticron_t, apticron_exec_t)
role apticron_roles types apticron_t;

type apticron_var_lib_t;
files_type(apticron_var_lib_t)

type apticron_tmp_t;
files_tmp_file(apticron_tmp_t)

type apticron_etc_t;
files_config_file(apticron_etc_t)

########################################
#
# Local policy
#

allow apticron_t self:fifo_file { read write ioctl getattr };
allow apticron_t self:capability setgid;
allow apticron_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow apticron_t self:tcp_socket { read write create connect setopt };
allow apticron_t self:udp_socket { create connect getattr };
allow apticron_t self:process { setfscreate setrlimit getsched };

manage_files_pattern(apticron_t, apticron_tmp_t, apticron_tmp_t)
manage_dirs_pattern(apticron_t, apticron_tmp_t, apticron_tmp_t)
allow apticron_t apticron_tmp_t:file relabelto;
files_tmp_filetrans(apticron_t, apticron_tmp_t, { file dir })

manage_files_pattern(apticron_t, apticron_var_lib_t, apticron_var_lib_t)
files_var_lib_filetrans(apticron_t, apticron_var_lib_t, file)
allow apticron_t apticron_var_lib_t:file relabelfrom;

read_files_pattern(apticron_t, apticron_etc_t, apticron_etc_t)

apt_domtrans(apticron_t)
dpkg_run(apticron_t, apticron_roles)
hostname_domtrans(apticron_t)
sysnet_domtrans_ifconfig(apticron_t)
corecmd_exec_shell(apticron_t)
corecmd_exec_bin(apticron_t)
miscfiles_read_localization(apticron_t)
kernel_read_system_state(apticron_t)
fs_getattr_xattr_fs(apticron_t)
dev_read_urand(apticron_t)
sysnet_read_config(apticron_t)
corenet_tcp_connect_smtp_port(apticron_t)

mta_sendmail_exec(apticron_t)

gen_require(`
	type apt_var_cache_t;
')
allow apticron_t apt_var_cache_t:dir { write read getattr open search };
allow apticron_t apt_var_cache_t:file { read getattr open };

gen_require(`
	type apt_var_lib_t;
')
allow apticron_t apt_var_lib_t:dir { read open search getattr };
allow apticron_t apt_var_lib_t:file { read ioctl open getattr };

gen_require(`
        type crond_tmp_t;
')
allow apticron_t crond_tmp_t:file { read write getattr ioctl };

gen_require(`
	type etc_t;
')
allow apticron_t etc_t:file { read getattr open ioctl };

gen_require(`
	type usr_t;
')
allow apticron_t usr_t:file { read getattr open };
allow apticron_t usr_t:dir { read getattr open };

optional_policy(`
        cron_system_entry(apticron_t, apticron_exec_t)
')

gen_require(`
        type dpkg_var_lib_t;
')
allow apticron_t dpkg_var_lib_t:file { read getattr open ioctl };
allow apticron_t dpkg_var_lib_t:dir { read search open getattr };