gentoo-selinux-policies/signaling.te

policy_module(signaling, 0.0.3)

########################################
#
# Declarations
#

type signaling_t;
type signaling_exec_t;
init_daemon_domain(signaling_t, signaling_exec_t)

type signaling_etc_t;
files_config_file(signaling_etc_t);

allow signaling_t self:fifo_file { read write };
allow signaling_t self:process { getsched signal };
allow signaling_t self:tcp_socket { accept bind connect create getattr getopt listen read setopt write };
allow signaling_t self:udp_socket { connect create getattr read setopt write };
allow signaling_t self:unix_dgram_socket { connect create };
allow signaling_t self:netlink_route_socket create;

corenet_tcp_bind_http_cache_port(signaling_t)
corenet_tcp_connect_http_port(signaling_t)
corenet_tcp_bind_generic_node(signaling_t)
corenet_tcp_connect_all_unreserved_ports(signaling_t)

miscfiles_read_all_certs(signaling_t)
miscfiles_read_localization(signaling_t)

read_files_pattern(signaling_t, signaling_etc_t, signaling_etc_t)
search_dirs_pattern(signaling_t, signaling_etc_t, signaling_etc_t)

sysnet_read_config(signaling_t)

kernel_read_net_sysctls(signaling_t)

dev_read_sysfs(signaling_t)

files_read_etc_files(signaling_t)

optional_policy(`
  gen_require(`
    type supervisor_t;
  ')
  supervisor_service_domain(signaling_t,signaling_exec_t)
  allow signaling_t supervisor_t:fifo_file lock;
')

optional_policy(`
  gen_require(`
    type usr_t;
  ')
  read_files_pattern(usr_t, signaling_t, signaling_t)
')