selinux-refpolicy/policy/modules/services/pyzor.te

150 lines
3.4 KiB
Plaintext

policy_module(pyzor,1.3.1)
########################################
#
# Declarations
#
type pyzor_t;
type pyzor_exec_t;
application_domain(pyzor_t,pyzor_exec_t)
role system_r types pyzor_t;
type pyzord_t;
type pyzord_exec_t;
domain_type(pyzord_t)
init_daemon_domain(pyzord_t,pyzord_exec_t)
type pyzor_etc_t;
files_type(pyzor_etc_t)
type pyzord_log_t;
logging_log_file(pyzord_log_t)
type pyzor_tmp_t;
files_tmp_file(pyzor_tmp_t)
type pyzor_var_lib_t;
files_type(pyzor_var_lib_t)
########################################
#
# Pyzor local policy
#
allow pyzor_t self:udp_socket create_socket_perms;
allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
read_files_pattern(pyzor_t,pyzor_var_lib_t,pyzor_var_lib_t)
files_search_var_lib(pyzor_t)
manage_files_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
manage_dirs_pattern(pyzor_t,pyzor_tmp_t,pyzor_tmp_t)
files_tmp_filetrans(pyzor_t, pyzor_tmp_t, { file dir })
kernel_read_kernel_sysctls(pyzor_t)
kernel_read_system_state(pyzor_t)
corecmd_list_bin(pyzor_t)
corecmd_getattr_bin_files(pyzor_t)
corenet_tcp_sendrecv_all_if(pyzor_t)
corenet_udp_sendrecv_all_if(pyzor_t)
corenet_tcp_sendrecv_all_nodes(pyzor_t)
corenet_udp_sendrecv_all_nodes(pyzor_t)
corenet_tcp_sendrecv_all_ports(pyzor_t)
corenet_udp_sendrecv_all_ports(pyzor_t)
corenet_tcp_connect_http_port(pyzor_t)
dev_read_urand(pyzor_t)
files_read_etc_files(pyzor_t)
auth_use_nsswitch(pyzor_t)
libs_use_ld_so(pyzor_t)
libs_use_shared_libs(pyzor_t)
miscfiles_read_localization(pyzor_t)
userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
ifdef(`targeted_policy',`
userdom_read_generic_user_home_content_files(pyzor_t)
')
optional_policy(`
amavis_manage_lib_files(pyzor_t)
amavis_manage_spool_files(pyzor_t)
')
optional_policy(`
spamassassin_signal_spamd(pyzor_t)
spamassassin_read_spamd_tmp_files(pyzor_t)
')
########################################
#
# Pyzord local policy
#
allow pyzord_t self:udp_socket create_socket_perms;
manage_files_pattern(pyzord_t,pyzor_var_lib_t,pyzor_var_lib_t)
allow pyzord_t pyzor_var_lib_t:dir setattr;
files_var_lib_filetrans(pyzord_t,pyzor_var_lib_t,{ file dir })
read_files_pattern(pyzord_t,pyzor_etc_t,pyzor_etc_t)
allow pyzord_t pyzor_etc_t:dir list_dir_perms;
can_exec(pyzord_t,pyzor_exec_t)
manage_files_pattern(pyzord_t,pyzord_log_t,pyzord_log_t)
allow pyzord_t pyzord_log_t:dir setattr;
logging_log_filetrans(pyzord_t,pyzord_log_t, { file dir } )
kernel_read_kernel_sysctls(pyzord_t)
kernel_read_system_state(pyzord_t)
dev_read_urand(pyzord_t)
corecmd_exec_bin(pyzord_t)
corenet_all_recvfrom_unlabeled(pyzord_t)
corenet_all_recvfrom_netlabel(pyzord_t)
corenet_udp_sendrecv_all_if(pyzord_t)
corenet_udp_sendrecv_all_nodes(pyzord_t)
corenet_udp_sendrecv_all_ports(pyzord_t)
corenet_udp_bind_all_nodes(pyzord_t)
corenet_udp_bind_pyzor_port(pyzord_t)
corenet_sendrecv_pyzor_server_packets(pyzord_t)
files_read_etc_files(pyzord_t)
auth_use_nsswitch(pyzord_t)
libs_use_ld_so(pyzord_t)
libs_use_shared_libs(pyzord_t)
locallogin_dontaudit_use_fds(pyzord_t)
miscfiles_read_localization(pyzord_t)
# Do not audit attempts to access /root.
userdom_dontaudit_search_sysadm_home_dirs(pyzord_t)
userdom_dontaudit_search_staff_home_dirs(pyzord_t)
mta_manage_spool(pyzord_t)
ifdef(`targeted_policy',`
term_dontaudit_use_generic_ptys(pyzord_t)
term_dontaudit_use_unallocated_ttys(pyzord_t)
userdom_read_generic_user_home_content_files(pyzord_t)
')
optional_policy(`
logging_send_syslog_msg(pyzord_t)
')