policy_module(porticron, 0.0.7)

# Types from other modules that the raw allow rules below reference directly.
# Everything else in this module is reached through refpolicy interfaces.
require {
	type postfix_master_t;
	type tmp_t;
	type var_t;
}

########################################
#
# Declarations
#

# NOTE(review): porticron_roles is declared but no rule in this module attaches
# it to porticron_t (the role association is expected to come from
# init_system_domain() below). Confirm whether another module references it;
# otherwise this declaration is dead.
attribute_role porticron_roles;

# Process domain for the running tool and the entrypoint label of its executable.
type porticron_t;
type porticron_exec_t;
init_system_domain(porticron_t, porticron_exec_t)

########################################
#
# Local policy
#

# Self permissions. fifo_file covers pipes to child processes; the tcp/udp and
# netlink_route sockets are the set a libc resolver typically opens
# — presumably for name lookups behind the mail submission below; confirm.
allow porticron_t self:fifo_file { getattr ioctl read write };
allow porticron_t self:tcp_socket { create getattr };
allow porticron_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow porticron_t self:process { setrlimit setsched signal getsched };
allow porticron_t self:udp_socket { bind create getattr getopt read setopt write };

# Mail submission through postfix: connect to the master socket, transition into
# postdrop, and read the spool and configuration.
allow porticron_t postfix_master_t:unix_stream_socket connectto;
postfix_domtrans_postdrop(porticron_t)
postfix_search_spool(porticron_t)
postfix_read_config(porticron_t)
mta_sendmail_exec(porticron_t)

# Runs a shell and generic binaries, and hands off to portage in its own domain.
corecmd_exec_shell(porticron_t)
corecmd_exec_bin(porticron_t)
portage_domtrans(porticron_t)
portage_read_config(porticron_t)
portage_read_ebuild(porticron_t)

corenet_udp_bind_generic_node(porticron_t)
logging_send_syslog_msg(porticron_t)

# Read-only access to system configuration and data trees.
files_read_etc_files(porticron_t)
files_read_etc_runtime_files(porticron_t)
files_read_usr_files(porticron_t)
files_read_var_files(porticron_t)
files_read_var_lib_files(porticron_t)

# Read/write/create of generic tmp_t files.
files_manage_generic_tmp_files(porticron_t)

# NOTE(review): this lets the domain execute and mmap-execute any generic tmp_t
# file, i.e. content in the shared, world-writable temporary directory, not
# just files this domain created. That removes the usual data/code separation
# for /tmp. If a helper really needs to run from tmp, a private tmp type for
# this domain (files_tmp_file() + files_tmp_filetrans()) would confine the
# execute permission to porticron's own files — confirm which tool requires it.
allow porticron_t tmp_t:file { execute map };
fs_getattr_tmpfs(porticron_t)
userdom_read_user_tmp_files(porticron_t)

hostname_exec(porticron_t)
miscfiles_read_localization(porticron_t)
miscfiles_read_generic_certs(porticron_t)
sysnet_read_config(porticron_t)

kernel_read_system_state(porticron_t)
kernel_read_vm_overcommit_sysctl(porticron_t)

# Directory listing of var_t only (read, no search/getattr). The refpolicy
# idiom would be files_list_var(), which grants the full list_dir_perms set;
# kept as a raw rule here to avoid widening the permission.
allow porticron_t var_t:dir read;

# When the cron module is loaded, let system cron jobs enter porticron_t
# via porticron_exec_t.
optional_policy(`
	cron_system_entry(porticron_t, porticron_exec_t)
')