|
@@ -0,0 +1,84 @@
|
|
|
+policy_module(turnserver, 0.1.10)
|
|
|
+
|
|
|
+########################################
|
|
|
+#
|
|
|
+# Declarations
|
|
|
+#
|
|
|
+
|
|
|
+attribute_role turnserver_roles;
|
|
|
+
|
|
|
+type turnserver_t;
|
|
|
+type turnserver_exec_t;
|
|
|
+init_daemon_domain(turnserver_t, turnserver_exec_t)
|
|
|
+
|
|
|
+type turnserver_etc_t;
|
|
|
+files_config_file(turnserver_etc_t)
|
|
|
+
|
|
|
+type turnserver_initrc_exec_t;
|
|
|
+init_script_file(turnserver_initrc_exec_t)
|
|
|
+
|
|
|
+type turnserver_var_run_t;
|
|
|
+files_pid_file(turnserver_var_run_t)
|
|
|
+
|
|
|
+type turnserver_var_log_t;
|
|
|
+logging_log_file(turnserver_var_log_t)
|
|
|
+
|
|
|
+type turnserver_var_t;
|
|
|
+files_type(turnserver_var_t)
|
|
|
+
|
|
|
+type turnserver_tmp_t;
|
|
|
+files_tmp_file(turnserver_tmp_t)
|
|
|
+
|
|
|
+type turnserver_unit_t;
|
|
|
+init_unit_file(turnserver_unit_t)
|
|
|
+
|
|
|
+########################################
|
|
|
+#
|
|
|
+# Local policy
|
|
|
+#
|
|
|
+
|
|
|
+allow turnserver_t self:tcp_socket { bind create setopt listen };
|
|
|
+allow turnserver_t self:udp_socket { getopt create setopt bind };
|
|
|
+allow turnserver_t self:capability { setuid setgid };
|
|
|
+allow turnserver_t self:process signal;
|
|
|
+allow turnserver_t self:tcp_socket accept;
|
|
|
+allow turnserver_t self:rawip_socket { bind create listen setopt };
|
|
|
+
|
|
|
+manage_dirs_pattern(turnserver_t, turnserver_var_t, turnserver_var_t)
|
|
|
+manage_files_pattern(turnserver_t, turnserver_var_t, turnserver_var_t)
|
|
|
+type_transition turnserver_t turnserver_var_t:file turnserver_var_t;
|
|
|
+
|
|
|
+read_files_pattern(turnserver_t, turnserver_etc_t, turnserver_etc_t)
|
|
|
+
|
|
|
+manage_files_pattern(turnserver_t, turnserver_var_run_t, turnserver_var_run_t)
|
|
|
+files_pid_filetrans(turnserver_t, turnserver_var_run_t, file)
|
|
|
+
|
|
|
+manage_files_pattern(turnserver_t, turnserver_var_log_t, turnserver_var_log_t)
|
|
|
+logging_log_filetrans(turnserver_t, turnserver_var_log_t, file)
|
|
|
+
|
|
|
+manage_dirs_pattern(turnserver_t,turnserver_tmp_t,turnserver_tmp_t)
|
|
|
+manage_files_pattern(turnserver_t,turnserver_tmp_t,turnserver_tmp_t)
|
|
|
+files_tmp_filetrans(turnserver_t,turnserver_tmp_t, file)
|
|
|
+
|
|
|
+dev_read_sysfs(turnserver_t)
|
|
|
+
|
|
|
+corenet_tcp_bind_all_unreserved_ports(turnserver_t)
|
|
|
+corenet_udp_bind_all_unreserved_ports(turnserver_t)
|
|
|
+
|
|
|
+corenet_tcp_bind_generic_node(turnserver_t)
|
|
|
+corenet_udp_bind_generic_node(turnserver_t)
|
|
|
+corenet_raw_bind_generic_node(turnserver_t)
|
|
|
+
|
|
|
+miscfiles_read_localization(turnserver_t)
|
|
|
+dev_read_urand(turnserver_t)
|
|
|
+auth_use_nsswitch(turnserver_t)
|
|
|
+
|
|
|
+kernel_request_load_module(turnserver_t)
|
|
|
+
|
|
|
+optional_policy(`
|
|
|
+ gen_require(`
|
|
|
+ type port_t;
|
|
|
+ ')
|
|
|
+ allow turnserver_t port_t:rawip_socket name_bind;
|
|
|
+')
|
|
|
+
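Review bot: The raw-socket grants (`self:rawip_socket` on L182, `corenet_raw_bind_generic_node` on L282 and the `port_t:rawip_socket name_bind` block at L314-334) are not matched by `net_raw` in the `self:capability` rule on L170, so creating a raw socket should still fail on the capability check; either the daemon genuinely opens raw sockets and L170 should read `allow turnserver_t self:capability { setuid setgid net_raw };`, or it does not and all three raw-socket rules can be dropped, which is the smaller grant. Wrapping the `gen_require` for `port_t` in `optional_policy` is also unusual, since `port_t` is a core network type rather than one a separate module provides; a comment above that block stating why a raw socket has to `name_bind` a generic port would help the next reviewer judge whether it is needed. The `type_transition` on L198 labels files created in `turnserver_var_t` directories as `turnserver_var_t`, which is what inheritance already does, so it is redundant. Minor style: the tmp rules on L238-246 drop the space after the commas used everywhere else in the file, and the lone `accept` rule on L178 could be merged into the tcp_socket rule on L162.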
|