
  1. policy_module(acme-updater, 0.1.17)
  2. #################################
  3. #
  4. # Declarations
  5. #
  6. type acmeupdater_t;
  7. type acmeupdater_exec_t;
  8. init_system_domain(acmeupdater_t, acmeupdater_exec_t)
  9. type acmeupdater_etc_t;
  10. files_config_file(acmeupdater_etc_t)
  11. ########################################
  12. #
  13. # Local policy
  14. #
  15. allow acmeupdater_t self:capability { dac_read_search dac_override sys_resource };
  16. allow acmeupdater_t self:process setrlimit;
  17. allow acmeupdater_t self:tcp_socket accept;
  18. corecmd_exec_bin(acmeupdater_t)
  19. corecmd_exec_shell(acmeupdater_t)
  20. read_files_pattern(acmeupdater_t, acmeupdater_etc_t, acmeupdater_etc_t)
  21. miscfiles_read_localization(acmeupdater_t)
  22. miscfiles_read_generic_certs(acmeupdater_t)
  23. miscfiles_manage_generic_cert_files(acmeupdater_t)
  24. sysnet_dns_name_resolve(acmeupdater_t)
  25. files_manage_etc_files(acmeupdater_t)
  26. files_search_var_lib(acmeupdater_t)
  27. files_read_all_locks(acmeupdater_t)
  28. kernel_read_system_state(acmeupdater_t)
  29. dev_read_urand(acmeupdater_t)
  30. optional_policy(`
  31. gen_require(`
  32. type acmetool_var_lib_t;
  33. ')
  34. search_dirs_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
  35. read_files_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
  36. read_lnk_files_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
  37. ')
  38. apache_manage_config(acmeupdater_t)
  39. apache_domtrans(acmeupdater_t)
  40. jabber_admin(acmeupdater_t, system_r)
  41. optional_policy(`
  42. gen_require(`
  43. type httpd_initrc_exec_t;
  44. ')
  45. init_labeled_script_domtrans(acmeupdater_t, httpd_initrc_exec_t)
  46. ')
  47. optional_policy(`
  48. gen_require(`
  49. type dovecot_cert_t;
  50. ')
  51. manage_files_pattern(acmeupdater_t, dovecot_cert_t, dovecot_cert_t)
  52. ')
  53. optional_policy(`
  54. gen_require(`
  55. type dovecot_initrc_exec_t;
  56. ')
  57. init_labeled_script_domtrans(acmeupdater_t, dovecot_initrc_exec_t)
  58. ')
  59. optional_policy(`
  60. gen_require(`
  61. type postfix_etc_t;
  62. ')
  63. manage_files_pattern(acmeupdater_t, postfix_etc_t, postfix_etc_t)
  64. ')
  65. optional_policy(`
  66. gen_require(`
  67. type postfix_initrc_exec_t;
  68. ')
  69. init_labeled_script_domtrans(acmeupdater_t, postfix_initrc_exec_t)
  70. ')
  71. optional_policy(`
  72. cron_system_entry(acmeupdater_t, acmeupdater_exec_t)
  73. ')
  74. optional_policy(`
  75. gen_require(`
  76. type crond_tmp_t;
  77. ')
  78. allow acmeupdater_t crond_tmp_t:file { read write getattr ioctl };
  79. ')
  80. optional_policy(`
  81. gen_require(`
  82. type named_var_run_t;
  83. ')
  84. search_dirs_pattern(acmeupdater_t, named_var_run_t, named_var_run_t)
  85. read_files_pattern(acmeupdater_t, named_var_run_t, named_var_run_t)
  86. ')