
acmetool: add policy module

Helmut Pozimski 4 years ago
parent
commit
e07f35e415
2 changed files with 90 additions and 0 deletions
  1. 4 0
      acmetool.fc
  2. 86 0
      acmetool.te

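--- a/acmetool.fc
+++ b/acmetool.fc
@@ -0,0 +1,4 @@
+/usr/local/bin/acmetool	--	gen_context(system_u:object_r:acmetool_exec_t,s0)
+/var/lib/acme(/.*)?		gen_context(system_u:object_r:acmetool_var_lib_t,s0)
+/usr/lib/acme(/.*)?		gen_context(system_u:object_r:acmetool_usr_lib_t,s0)
+/etc/default/acme-dns	--	gen_context(system_u:object_r:acmetool_etc_t,s0)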
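Review bot: Only `/usr/local/bin/acmetool` is labelled acmetool_exec_t, so an acmetool installed under `/usr/bin` (where distribution packages typically place it) would keep the default bin_t label and the init_system_domain transition declared in acmetool.te would never fire, leaving the service running in the caller's domain instead of acmetool_t. If both install locations are meant to be supported, add `/usr/bin/acmetool	--	gen_context(system_u:object_r:acmetool_exec_t,s0)`. A short comment above the `/var/lib/acme` entry noting that this type presumably also covers the account and certificate private keys acmetool keeps in its state directory would help later reviewers avoid granting other domains read access to acmetool_var_lib_t.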

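--- a/acmetool.te
+++ b/acmetool.te
@@ -0,0 +1,86 @@
+policy_module(acmetool, 0.1.14)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role acmetool_roles;
+
+type acmetool_t;
+type acmetool_exec_t;
+init_system_domain(acmetool_t, acmetool_exec_t)
+
+type acmetool_var_lib_t;
+files_type(acmetool_var_lib_t)
+
+type acmetool_usr_lib_t;
+files_type(acmetool_usr_lib_t)
+
+type acmetool_etc_t;
+files_config_file(acmetool_etc_t)
+
+
+########################################
+#
+# Local policy
+#
+
+allow acmetool_t self:process getsched;
+allow acmetool_t self:tcp_socket { bind create setopt listen accept };
+allow acmetool_t self:unix_dgram_socket { create setopt connect };
+allow acmetool_t self:udp_socket { create setopt };
+allow acmetool_t acmetool_usr_lib_t:file { execute execute_no_trans };
+allow acmetool_t self:fifo_file { read write getattr ioctl };
+allow acmetool_t self:process signal;
+
+manage_dirs_pattern(acmetool_t,acmetool_var_lib_t,acmetool_var_lib_t)
+manage_files_pattern(acmetool_t,acmetool_var_lib_t,acmetool_var_lib_t)
+manage_lnk_files_pattern(acmetool_t,acmetool_var_lib_t,acmetool_var_lib_t)
+files_var_lib_filetrans(acmetool_t, acmetool_var_lib_t, { file dir lnk_file })
+
+read_files_pattern(acmetool_t, acmetool_etc_t, acmetool_etc_t)
+
+manage_dirs_pattern(acmetool_t,acmetool_usr_lib_t,acmetool_usr_lib_t)
+manage_files_pattern(acmetool_t,acmetool_usr_lib_t,acmetool_usr_lib_t)
+gen_require(`
+	type lib_t;
+')
+filetrans_pattern(acmetool_t, lib_t, acmetool_usr_lib_t, { file dir lnk_file })
+
+corecmd_exec_shell(acmetool_t)
+corecmd_exec_bin(acmetool_t)
+
+miscfiles_read_localization(acmetool_t)
+
+dev_read_urand(acmetool_t)
+
+kernel_read_net_sysctls(acmetool_t)
+kernel_read_vm_sysctls(acmetool_t)
+kernel_read_kernel_sysctls(acmetool_t)
+kernel_read_system_state(acmetool_t)
+kernel_search_vm_sysctl(acmetool_t)
+kernel_read_vm_overcommit_sysctl(acmetool_t)
+
+corenet_tcp_bind_generic_node(acmetool_t)
+corenet_tcp_connect_http_port(acmetool_t)
+corenet_tcp_bind_http_port(acmetool_t)
+corenet_tcp_bind_reserved_port(acmetool_t)
+corenet_tcp_bind_all_unreserved_ports(acmetool_t)
+corenet_udp_bind_generic_node(acmetool_t)
+corenet_udp_bind_pyzor_port(acmetool_t)
+corenet_udp_bind_traceroute_port(acmetool_t)
+corenet_udp_bind_all_unreserved_ports(acmetool_t)
+
+auth_use_nsswitch(acmetool_t)
+
+sysnet_read_config(acmetool_t)
+
+optional_policy(`
+	cron_system_entry(acmetool_t, acmetool_exec_t)
+')
+
+gen_require(`
+	type crond_tmp_t;
+')
+allow acmetool_t crond_tmp_t:file { read write ioctl };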
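Review bot: acmetool_t is given both write and execute access to acmetool_usr_lib_t — `manage_dirs_pattern`/`manage_files_pattern` on that type together with `allow acmetool_t acmetool_usr_lib_t:file { execute execute_no_trans }` — and `filetrans_pattern(acmetool_t, lib_t, acmetool_usr_lib_t, ...)` further lets the domain create entries in any generic lib_t directory. A compromised acmetool could then write a file under /usr/lib/acme and execute it within its own domain, which removes most of the value of confining it; unless acmetool is known to install its own hook scripts, the hook directory should be read/exec only, replacing the two manage lines and the filetrans line with `list_dirs_pattern(acmetool_t, acmetool_usr_lib_t, acmetool_usr_lib_t)` and `read_files_pattern(acmetool_t, acmetool_usr_lib_t, acmetool_usr_lib_t)`. Separately, the `gen_require` of `crond_tmp_t` and the allow rule after it are unconditional while `cron_system_entry` is wrapped in `optional_policy`, so the module is likely to fail to load on a system without the cron module; moving both into that `optional_policy` block keeps the dependency optional as intended. The odd-looking `corenet_udp_bind_pyzor_port`/`corenet_udp_bind_traceroute_port` grants are already covered by `corenet_udp_bind_all_unreserved_ports` and look like audit2allow residue worth a comment or removal.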