# SELinux Type Enforcement (.te) module "efsutils", module version 1.0.0.
# The matching file-context (.fc) entries that assign these types to paths
# are not part of this file.
policy_module(efsutils, 1.0.0)

########################################
#
# Declarations
#

# Process domain for the service and the entrypoint type of its executable.
type efsutils_t;
type efsutils_exec_t;
# Daemon domain entered from efsutils_exec_t when started by init/systemd;
# the concrete rule set comes from the refpolicy init interface.
init_daemon_domain(efsutils_t, efsutils_exec_t)

# Type for the service's own log files; logging_log_file() marks it as a
# log file type so the generic logging interfaces apply to it.
type efsutils_log_t;
logging_log_file(efsutils_log_t)

# Type for the service's systemd unit file(s).
type efsutils_unit_file_t;
systemd_unit_file(efsutils_unit_file_t)

########################################
#
# efsutils local policy
#
# NOTE(review): this section looks like the standard generated daemon
# template; each rule should be confirmed against what the binaries actually
# do, and dropped where the audit log shows no use.
#
# Read/write on the domain's own FIFOs (pipes between its processes).
allow efsutils_t self:fifo_file rw_fifo_file_perms;
# Create and use its own unix stream sockets (the macro includes the
# listen/accept side as well as create/read/write).
allow efsutils_t self:unix_stream_socket create_stream_socket_perms;

# Full management (create/read/write/delete) of directories, files and
# symlinks labelled efsutils_log_t.
manage_dirs_pattern(efsutils_t, efsutils_log_t, efsutils_log_t)
manage_files_pattern(efsutils_t, efsutils_log_t, efsutils_log_t)
manage_lnk_files_pattern(efsutils_t, efsutils_log_t, efsutils_log_t)
# Objects the domain creates under the generic log directory are labelled
# efsutils_log_t rather than inheriting the parent's type.
logging_log_filetrans(efsutils_t, efsutils_log_t, { dir file lnk_file })

# Use file descriptors inherited from interactive (terminal) domains.
domain_use_interactive_fds(efsutils_t)

# Read generic configuration under /etc.
files_read_etc_files(efsutils_t)

# Read locale / localization data.
miscfiles_read_localization(efsutils_t)

########################################
#
# Custom policy
#
# Rules added beyond the template for the service's own behaviour.
#
# Netlink route socket with nlmsg_read only: query routing/interface state,
# no nlmsg_write, so the domain cannot alter routes.
allow efsutils_t self:netlink_route_socket { bind create getattr nlmsg_read };
allow efsutils_t self:process getpgid;
# Both client (connect) and server (bind/listen/accept) TCP permissions on
# the domain's own sockets; the port rules below say where it may bind/connect.
allow efsutils_t self:tcp_socket { accept bind connect create getattr getopt listen setopt shutdown };
# Own unix datagram sockets, presumably for syslog-style logging (see
# kernel_dgram_send / logging_create_devlog_dev below) — confirm.
allow efsutils_t self:unix_dgram_socket { connect create };

# Read /etc/passwd (user lookups).
auth_read_passwd_file(efsutils_t)
# NOTE(review): exec + mmap of generic bin_t/exec_type binaries runs them
# inside efsutils_t with no domain transition, so any helper it launches
# inherits this whole rule set; a dedicated domain for privileged helpers
# would be tighter.
corecmd_exec_bin(efsutils_t)
corecmd_mmap_bin_files(efsutils_t)
# NOTE(review): bind to any generic node and any generic (unreserved) port.
# If the listening port is fixed, a dedicated port type would restrict this.
corenet_tcp_bind_generic_node(efsutils_t)
corenet_tcp_bind_generic_port(efsutils_t)
# Outbound TCP to the NFS port type.
corenet_tcp_connect_nfs_port(efsutils_t)
# Read sysfs (device/kernel attributes).
dev_read_sysfs(efsutils_t)
# Read/write access to PID directories (the files themselves are handled
# in the section below).
files_rw_pid_dirs(efsutils_t)
# getattr and directory listing on NFS filesystems.
fs_getattr_nfs(efsutils_t)
fs_list_nfs(efsutils_t)
# Send datagrams to kernel sockets.
kernel_dgram_send(efsutils_t)
# Create the /dev/log socket node and read the syslog PID file.
logging_create_devlog_dev(efsutils_t)
logging_read_syslog_pid(efsutils_t)
# Read the system certificate store (TLS trust anchors).
miscfiles_read_generic_certs(efsutils_t)
miscfiles_search_generic_cert_dirs(efsutils_t)
# Read network configuration (resolver/hosts style files).
sysnet_read_config(efsutils_t)

# to be replaced by custom type - efsutils_var_run_t and corresponding rules
# NOTE(review): the two *_all_pids interfaces below are attribute-wide — they
# grant delete/manage over the PID files of every other daemon, not just this
# one, so the domain could remove or rewrite another service's pidfile.
# The TODO above is the right fix: declare efsutils_var_run_t, mark it as a
# PID file type, give efsutils_t manage rights on it plus a file transition
# under the generic PID directory, and add the matching .fc entry.
# allow efsutils_t var_run_t:dir rmdir;
files_delete_all_pids(efsutils_t)
# allow efsutils_t var_run_t:file { create getattr ioctl open read rename setattr unlink write };
files_manage_all_pids(efsutils_t)
#allow efsutils_t unconfined_t:dir search;
#allow efsutils_t unconfined_t:file { getattr open read };
# Read access to objects labelled unconfined_t (the two commented rules
# above show the original intent). Wrapped in optional_policy because the
# unconfined module may not be loaded. NOTE(review): confirm which objects
# actually carry unconfined_t here and whether a narrower interface suffices.
optional_policy(`
	unconfined_read_files(efsutils_t)
')
#allow efs-utils_t stunnel_exec_t:file { execute execute_no_trans map open read };
# NOTE(review): the commented rule above names "efs-utils_t", which does not
# match the declared domain efsutils_t (and a hyphen is not valid in a type
# name). Its execute_no_trans suggests stunnel runs inside efsutils_t rather
# than its own domain; confirm what stunnel_exec() grants in the installed
# refpolicy and whether a domain transition into stunnel's domain is available.
optional_policy(`
	stunnel_exec(efsutils_t)
')