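policy_module(acme-updater, 0.1.17)

########################################
#
# Declarations
#

# Updater domain and its entry point when launched by init
# (cron_system_entry below adds cron as a second entry path).
type acmeupdater_t;
type acmeupdater_exec_t;
init_system_domain(acmeupdater_t, acmeupdater_exec_t)

# Module-private configuration; the domain only gets read access to it
# (read_files_pattern below).
type acmeupdater_etc_t;
files_config_file(acmeupdater_etc_t)

########################################
#
# Local policy
#

# NOTE(review): dac_override bypasses DAC permission checks entirely, while
# dac_read_search only bypasses read/search. Confirm from actual denials that
# dac_override is needed before keeping both.
allow acmeupdater_t self:capability { dac_read_search dac_override sys_resource };
allow acmeupdater_t self:process setrlimit;
# Only accept is granted (no create/bind/listen), so the listening socket is
# presumably inherited from the caller -- confirm against the service definition.
allow acmeupdater_t self:tcp_socket accept;

corecmd_exec_bin(acmeupdater_t)
corecmd_exec_shell(acmeupdater_t)

read_files_pattern(acmeupdater_t, acmeupdater_etc_t, acmeupdater_etc_t)

miscfiles_read_localization(acmeupdater_t)
miscfiles_read_generic_certs(acmeupdater_t)
# Write access to the shared certificate store: the domain's core job and also
# its highest-impact write permission.
miscfiles_manage_generic_cert_files(acmeupdater_t)

sysnet_dns_name_resolve(acmeupdater_t)

# NOTE(review): this covers every generic etc_t file, not just the service
# configs addressed by the apache/postfix/dovecot rules below. Review whether
# the narrower per-service types make this rule unnecessary.
files_manage_etc_files(acmeupdater_t)
files_search_var_lib(acmeupdater_t)
files_read_all_locks(acmeupdater_t)

kernel_read_system_state(acmeupdater_t)

dev_read_urand(acmeupdater_t)

# acmetool state: read-only access to its directory tree, files and symlinks.
optional_policy(`
	gen_require(`
		type acmetool_var_lib_t;
	')

	search_dirs_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
	read_files_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
	read_lnk_files_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
')

# Apache: rewrite its config, transition to httpd, and run its init script.
# Wrapped in optional_policy like every other cross-module dependency in this
# file, so the module still links when the apache policy is not installed.
optional_policy(`
	gen_require(`
		type httpd_initrc_exec_t;
	')

	apache_manage_config(acmeupdater_t)
	apache_domtrans(acmeupdater_t)
	init_labeled_script_domtrans(acmeupdater_t, httpd_initrc_exec_t)
')

# NOTE(review): jabber_admin() is the full administrative interface for the
# jabber module, which is considerably broader than installing a certificate
# and restarting the service. Prefer narrower interfaces if that module offers
# them. Wrapped in optional_policy for the same reason as the apache block.
optional_policy(`
	jabber_admin(acmeupdater_t, system_r)
')

# Dovecot: replace its certificate files and run its init script.
optional_policy(`
	gen_require(`
		type dovecot_cert_t;
	')

	manage_files_pattern(acmeupdater_t, dovecot_cert_t, dovecot_cert_t)
')

optional_policy(`
	gen_require(`
		type dovecot_initrc_exec_t;
	')

	init_labeled_script_domtrans(acmeupdater_t, dovecot_initrc_exec_t)
')

# Postfix: manage its configuration directory contents and run its init script.
optional_policy(`
	gen_require(`
		type postfix_etc_t;
	')

	manage_files_pattern(acmeupdater_t, postfix_etc_t, postfix_etc_t)
')

optional_policy(`
	gen_require(`
		type postfix_initrc_exec_t;
	')

	init_labeled_script_domtrans(acmeupdater_t, postfix_initrc_exec_t)
')

# Allow the updater to be started as a system cron job.
optional_policy(`
	cron_system_entry(acmeupdater_t, acmeupdater_exec_t)
')

# Presumably the temp file cron hands to the job for its output -- confirm.
# Note this is a raw allow without open/dir search, unlike the *_pattern rules.
optional_policy(`
	gen_require(`
		type crond_tmp_t;
	')

	allow acmeupdater_t crond_tmp_t:file { read write getattr ioctl };
')

# Read-only access under BIND's runtime directory; likely needed for the DNS
# side of certificate validation -- confirm with the updater's configuration.
optional_policy(`
	gen_require(`
		type named_var_run_t;
	')

	search_dirs_pattern(acmeupdater_t, named_var_run_t, named_var_run_t)
	read_files_pattern(acmeupdater_t, named_var_run_t, named_var_run_t)
')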