gentoo-selinux-policies/porticron.te

policy_module(porticron, 0.0.5)

require {
  type postfix_master_t;
  type tmp_t;
  type var_t;
}
########################################
#
# Declarations
#

attribute_role porticron_roles;

type porticron_t;
type porticron_exec_t;
init_system_domain(porticron_t, porticron_exec_t)

allow porticron_t self:fifo_file { getattr ioctl read write };
allow porticron_t self:tcp_socket { create getattr };
allow porticron_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow porticron_t self:process { setrlimit setsched signal };
allow porticron_t self:udp_socket { bind create getattr getopt read setopt write };


allow porticron_t postfix_master_t:unix_stream_socket connectto;

postfix_domtrans_postdrop(porticron_t)
postfix_search_spool(porticron_t)

corecmd_exec_shell(porticron_t)

portage_domtrans(porticron_t)

postfix_read_config(porticron_t)

corenet_udp_bind_generic_node(porticron_t)

corecmd_exec_bin(porticron_t)

logging_send_syslog_msg(porticron_t)

files_read_etc_files(porticron_t)
files_manage_generic_tmp_files(porticron_t)
files_read_usr_files(porticron_t)
files_read_var_lib_files(porticron_t)
files_read_var_files(porticron_t)

allow porticron_t tmp_t:file { execute map };

fs_getattr_tmpfs(porticron_t)

userdom_read_user_tmp_files(porticron_t)

hostname_exec(porticron_t)

miscfiles_read_localization(porticron_t)

sysnet_read_config(porticron_t)

portage_read_config(porticron_t)
portage_read_ebuild(porticron_t)

mta_sendmail_exec(porticron_t)
kernel_read_system_state(porticron_t)
kernel_read_vm_overcommit_sysctl(porticron_t)

allow porticron_t var_t:dir read;

optional_policy(`
        cron_system_entry(porticron_t, porticron_exec_t)
')