Hoshpak
/
gentoo-selinux-policies


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113
							policy_module(acme-updater, 0.1.19)

#################################
#
# Declarations
#

type acmeupdater_t;
type acmeupdater_exec_t;
init_system_domain(acmeupdater_t, acmeupdater_exec_t)

type acmeupdater_etc_t;
files_config_file(acmeupdater_etc_t)

########################################
#
# Local policy
#

allow acmeupdater_t self:capability { dac_read_search dac_override sys_resource };
allow acmeupdater_t self:fifo_file { getattr ioctl read write };
allow acmeupdater_t self:process setrlimit;
allow acmeupdater_t self:tcp_socket accept;

corecmd_exec_bin(acmeupdater_t)
corecmd_exec_shell(acmeupdater_t)

corenet_tcp_bind_generic_node(acmeupdater_t)

read_files_pattern(acmeupdater_t, acmeupdater_etc_t, acmeupdater_etc_t)

miscfiles_read_localization(acmeupdater_t)
miscfiles_read_generic_certs(acmeupdater_t)
miscfiles_manage_generic_cert_files(acmeupdater_t)

sysnet_dns_name_resolve(acmeupdater_t)

files_manage_etc_files(acmeupdater_t)
files_search_var_lib(acmeupdater_t)
files_read_all_locks(acmeupdater_t)

kernel_read_system_state(acmeupdater_t)

dev_read_urand(acmeupdater_t)

optional_policy(`
	gen_require(`
		type acmetool_var_lib_t;
	')
	search_dirs_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
	read_files_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
	read_lnk_files_pattern(acmeupdater_t, acmetool_var_lib_t, acmetool_var_lib_t)
')

apache_manage_config(acmeupdater_t)
apache_domtrans(acmeupdater_t)

jabber_admin(acmeupdater_t, system_r)

optional_policy(`
	gen_require(`
		type httpd_initrc_exec_t;
	')
	init_labeled_script_domtrans(acmeupdater_t, httpd_initrc_exec_t)
')

optional_policy(`
	gen_require(`
		type dovecot_cert_t;
	')
	manage_files_pattern(acmeupdater_t, dovecot_cert_t, dovecot_cert_t)
')

optional_policy(`
	gen_require(`
		type dovecot_initrc_exec_t;
	')
	init_labeled_script_domtrans(acmeupdater_t, dovecot_initrc_exec_t)
')

optional_policy(`
	gen_require(`
        	type postfix_etc_t;
	')
	manage_files_pattern(acmeupdater_t, postfix_etc_t, postfix_etc_t)
')

optional_policy(`
	gen_require(`
        	type postfix_initrc_exec_t;
	')
	init_labeled_script_domtrans(acmeupdater_t, postfix_initrc_exec_t)
')

optional_policy(`
	cron_system_entry(acmeupdater_t, acmeupdater_exec_t)
')

optional_policy(`
	gen_require(`
		type crond_tmp_t;
	')
	allow acmeupdater_t crond_tmp_t:file { read write getattr ioctl };
')

optional_policy(`
	gen_require(`
        	type named_var_run_t;
	')
	search_dirs_pattern(acmeupdater_t, named_var_run_t, named_var_run_t)
	read_files_pattern(acmeupdater_t, named_var_run_t, named_var_run_t)
')