selinux-refpolicy/policy/modules/services/oav.te
Chris PeBenito 1900668638 trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled 
and unlabeled policy support for NetLabel.  This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access.  The older, transport layer specific interfaces, are still  
present for use by third-party modules but are not used in the default policy
modules.

trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.

This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00

161 lines
4.5 KiB
Plaintext

policy_module(oav,1.2.1)
########################################
#
# Declarations
#
type oav_update_t;
type oav_update_exec_t;
domain_type(oav_update_t)
domain_entry_file(oav_update_t,oav_update_exec_t)
# cjp: may be collapsable to etc_t
type oav_update_etc_t;
files_type(oav_update_etc_t)
type oav_update_var_lib_t;
files_type(oav_update_var_lib_t)
type scannerdaemon_t;
type scannerdaemon_exec_t;
init_daemon_domain(scannerdaemon_t,scannerdaemon_exec_t)
type scannerdaemon_etc_t;
files_type(scannerdaemon_etc_t)
type scannerdaemon_log_t;
logging_log_file(scannerdaemon_log_t)
type scannerdaemon_var_run_t;
files_pid_file(scannerdaemon_var_run_t)
########################################
#
# OAV update local policy
#
allow oav_update_t self:tcp_socket create_stream_socket_perms;
allow oav_update_t self:udp_socket create_socket_perms;
# Can read /etc/oav-update/* files
allow oav_update_t oav_update_etc_t:dir list_dir_perms;
allow oav_update_t oav_update_etc_t:file read_file_perms;
# Can read /var/lib/oav-update/current
manage_dirs_pattern(oav_update_t,oav_update_var_lib_t,oav_update_var_lib_t)
manage_files_pattern(oav_update_t,oav_update_var_lib_t,oav_update_var_lib_t)
read_lnk_files_pattern(oav_update_t,oav_update_var_lib_t,oav_update_var_lib_t)
corecmd_exec_all_executables(oav_update_t)
corenet_all_recvfrom_unlabeled(oav_update_t)
corenet_all_recvfrom_netlabel(oav_update_t)
corenet_tcp_sendrecv_generic_if(oav_update_t)
corenet_udp_sendrecv_generic_if(oav_update_t)
corenet_tcp_sendrecv_all_nodes(oav_update_t)
corenet_udp_sendrecv_all_nodes(oav_update_t)
corenet_tcp_sendrecv_all_ports(oav_update_t)
corenet_udp_sendrecv_all_ports(oav_update_t)
files_exec_etc_files(oav_update_t)
libs_use_ld_so(oav_update_t)
libs_use_shared_libs(oav_update_t)
libs_exec_ld_so(oav_update_t)
libs_exec_lib_files(oav_update_t)
libs_use_ld_so(oav_update_t)
libs_use_shared_libs(oav_update_t)
logging_send_syslog_msg(oav_update_t)
sysnet_read_config(oav_update_t)
optional_policy(`
cron_system_entry(oav_update_t,oav_update_exec_t)
')
########################################
#
# Scannerdaemon local policy
#
dontaudit scannerdaemon_t self:capability sys_tty_config;
allow scannerdaemon_t self:process signal_perms;
allow scannerdaemon_t self:fifo_file { read write };
allow scannerdaemon_t self:tcp_socket create_stream_socket_perms;
allow scannerdaemon_t self:udp_socket create_socket_perms;
allow scannerdaemon_t oav_update_var_lib_t:dir list_dir_perms;
allow scannerdaemon_t oav_update_var_lib_t:file read_file_perms;
files_search_var_lib(scannerdaemon_t)
allow scannerdaemon_t scannerdaemon_etc_t:file read_file_perms;
allow scannerdaemon_t scannerdaemon_log_t:file manage_file_perms;
logging_log_filetrans(scannerdaemon_t,scannerdaemon_log_t,file)
manage_files_pattern(scannerdaemon_t,scannerdaemon_var_run_t,scannerdaemon_var_run_t)
files_pid_filetrans(scannerdaemon_t,scannerdaemon_var_run_t,file)
kernel_read_system_state(scannerdaemon_t)
kernel_read_kernel_sysctls(scannerdaemon_t)
# Can run kaffe
corecmd_exec_all_executables(scannerdaemon_t)
corenet_all_recvfrom_unlabeled(scannerdaemon_t)
corenet_all_recvfrom_netlabel(scannerdaemon_t)
corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
corenet_udp_sendrecv_generic_if(scannerdaemon_t)
corenet_tcp_sendrecv_all_nodes(scannerdaemon_t)
corenet_udp_sendrecv_all_nodes(scannerdaemon_t)
corenet_tcp_sendrecv_all_ports(scannerdaemon_t)
corenet_udp_sendrecv_all_ports(scannerdaemon_t)
dev_read_sysfs(scannerdaemon_t)
domain_use_interactive_fds(scannerdaemon_t)
files_read_etc_files(scannerdaemon_t)
files_read_etc_runtime_files(scannerdaemon_t)
# Can run kaffe
files_exec_etc_files(scannerdaemon_t)
fs_getattr_all_fs(scannerdaemon_t)
fs_search_auto_mountpoints(scannerdaemon_t)
auth_dontaudit_read_shadow(scannerdaemon_t)
libs_use_ld_so(scannerdaemon_t)
libs_use_shared_libs(scannerdaemon_t)
# Can run kaffe
libs_use_ld_so(scannerdaemon_t)
libs_use_shared_libs(scannerdaemon_t)
libs_exec_ld_so(scannerdaemon_t)
libs_exec_lib_files(scannerdaemon_t)
logging_send_syslog_msg(scannerdaemon_t)
miscfiles_read_localization(scannerdaemon_t)
sysnet_read_config(scannerdaemon_t)
userdom_dontaudit_use_unpriv_user_fds(scannerdaemon_t)
userdom_dontaudit_search_sysadm_home_dirs(scannerdaemon_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(scannerdaemon_t)
term_dontaudit_use_generic_ptys(scannerdaemon_t)
files_dontaudit_read_root_files(scannerdaemon_t)
')
optional_policy(`
seutil_sigchld_newrole(scannerdaemon_t)
')
optional_policy(`
udev_read_db(scannerdaemon_t)
')