#DESC PRELINK - Security Enhanced version of the GNU Prelink
#
# Author:  Dan Walsh <dwalsh@redhat.com>
#

#################################
#
# Rules for the prelink_t domain.
#
# prelink_exec_t is the type of the prelink executable.
#
daemon_base_domain(prelink, `, admin, privowner')

allow prelink_t self:process { execheap execmem execstack };
allow prelink_t texrel_shlib_t:file execmod;
allow prelink_t fs_t:filesystem getattr;

ifdef(`crond.te', `
system_crond_entry(prelink_exec_t, prelink_t)
allow system_crond_t prelink_log_t:dir rw_dir_perms;
allow system_crond_t prelink_log_t:file create_file_perms;
allow system_crond_t prelink_cache_t:file { getattr read unlink };
allow prelink_t crond_log_t:file append;
')

logdir_domain(prelink)
type etc_prelink_t, file_type, sysadmfile;
type var_lock_prelink_t, file_type, sysadmfile, lockfile;

allow prelink_t etc_prelink_t:file { getattr read };
allow prelink_t file_type:dir rw_dir_perms;
allow prelink_t file_type:lnk_file r_file_perms;
allow prelink_t file_type:file getattr;
allow prelink_t { ifdef(`amanda.te', `amanda_usr_lib_t') admin_passwd_exec_t ifdef(`apache.te', `httpd_modules_t') ifdef(`xserver.te', `xkb_var_lib_t') ld_so_t su_exec_t texrel_shlib_t shlib_t sbin_t bin_t lib_t exec_type }:file { create_file_perms execute relabelto relabelfrom };
allow prelink_t ld_so_t:file execute_no_trans;

allow prelink_t self:capability { chown dac_override fowner fsetid };
allow prelink_t self:fifo_file rw_file_perms;
allow prelink_t self:file { getattr read };
dontaudit prelink_t sysctl_kernel_t:dir search;
dontaudit prelink_t sysctl_t:dir search;
allow prelink_t etc_runtime_t:file { getattr read };
read_locale(prelink_t)
allow prelink_t urandom_device_t:chr_file read;
allow prelink_t proc_t:file { getattr read };
#
# prelink_cache_t is the type of /etc/prelink.cache.
#
type prelink_cache_t, file_type, sysadmfile;
file_type_auto_trans(prelink_t, etc_t, prelink_cache_t, file)