Attachment 890474 Details for Bug 1091647 – local

local

local.te (text/plain), 5.40 KB, created by Bruno Wolff III on 2014-04-28 13:30:13 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Bruno Wolff III

Created: 2014-04-28 13:30:13 UTC

Size: 5.40 KB

patch

obsolete

>module local 1.8;
>
>require {
>	type bin_t;
>	type cluster_var_lib_t;
>	type crond_t;
>	type devlog_t;
>	type dns_port_t;
>	type fsdaemon_tmp_t;
>	type httpd_sys_content_rw_t;
>	type httpd_sys_content_t;
>	type httpd_sys_script_exec_t;
>	type httpd_sys_script_t;
>	type httpd_user_content_t;
>	type httpd_t;
>	type initrc_t;
>	type inotifyfs_t;
>	type ipsec_mgmt_t;
>	type lib_t;
>	type mailman_mail_t;
>	type postgresql_t;
>	type postgresql_var_run_t;
>	type postgresql_tmp_t;
>	type qmail_alias_home_t;
>	type qmail_clean_t;
>	type qmail_inject_exec_t;
>	type qmail_inject_t;
>	type qmail_local_t;
>	type qmail_lspawn_t;
>	type qmail_queue_t;
>	type qmail_remote_t;
>	type qmail_rspawn_t;
>	type qmail_send_t;
>	type qmail_spool_t;
>	type qmail_start_t;
>	type setfiles_t;
>	type setroubleshootd_t;
>	type sysfs_t;
>	type system_dbusd_t;
>	type system_mail_t;
>	type system_mail_tmp_t;
>	type systemd_logind_var_run_t;
>	type systemd_tmpfiles_t;
>	type tmp_t;
>	type unconfined_t;
>	type unlabeled_t;
>	type user_home_dir_t;
>	type user_home_t;
>	type urandom_device_t;
>	type usr_t;
>	type var_lib_t;
>	type var_log_t;
>	type var_run_t;
>	type var_t;
>	class capability { setuid dac_override };
>	class chr_file { read open };
>	class dir { search read write getattr remove_name open add_name };
>	class fifo_file { read ioctl write open };
>	class file { rename execute read lock create getattr execute_no_trans write ioctl link unlink open execmod append };
>	class filesystem getattr;
>	class key search;
>	class lnk_file read;
>	class process { execstack execmem signull sigchld setpgid };
>	class shm { unix_read getattr associate };
>	class sock_file { write unlink} ;
>	class tcp_socket name_connect;
>	class unix_stream_socket { read write connectto };
>}
>
>#============= qmail_clean_t ==============
>allow qmail_clean_t qmail_spool_t:dir read;
>allow qmail_clean_t var_t:lnk_file read;
>
>#============= qmail_inject_t ==============
>allow qmail_inject_t fsdaemon_tmp_t:file read;
>allow qmail_inject_t inotifyfs_t:dir read;
>allow qmail_inject_t system_mail_tmp_t:file read;
>allow qmail_inject_t var_log_t:file read;
>allow qmail_inject_t self:capability dac_override;
>
>#============= qmail_local_t ==============
>allow qmail_local_t self:capability setuid;
>allow qmail_local_t self:fifo_file read;
>allow qmail_local_t self:process setpgid;
>allow qmail_local_t tmp_t:dir { write remove_name search getattr add_name };
>allow qmail_local_t tmp_t:file { write getattr read create unlink open };
>allow qmail_local_t httpd_sys_content_rw_t:file unlink;
>allow qmail_local_t httpd_sys_content_t:dir { write remove_name search add_name getattr read open };
>allow qmail_local_t httpd_sys_content_t:file { rename execute read lock create ioctl execute_no_trans write getattr unlink open };
>allow qmail_local_t httpd_sys_content_t:lnk_file read;
>allow qmail_local_t httpd_sys_script_exec_t:file { ioctl execute read open getattr execute_no_trans };
>allow qmail_local_t httpd_user_content_t:lnk_file read;
>allow qmail_local_t postgresql_t:unix_stream_socket connectto;
>allow qmail_local_t postgresql_tmp_t:sock_file write;
>allow qmail_local_t postgresql_var_run_t:dir search;
>allow qmail_local_t postgresql_var_run_t:sock_file write;
>allow qmail_local_t qmail_inject_exec_t:file { read execute open execute_no_trans };
>allow qmail_local_t unlabeled_t:dir { write search read remove_name open add_name };
>allow qmail_local_t unlabeled_t:file { write open create unlink link };
>allow qmail_local_t var_t:file { write create open ioctl getattr };
>allow qmail_local_t var_t:dir { write read open add_name };
>allow qmail_local_t var_t:lnk_file read;
>allow qmail_local_t usr_t:file { read getattr open ioctl };
>allow qmail_local_t sysfs_t:dir search;
>allow qmail_local_t urandom_device_t:chr_file { read open };
>
>#============= qmail_lspawn_t ==============
>allow qmail_lspawn_t var_t:file { read open };
>allow qmail_lspawn_t var_t:lnk_file read;
>allow qmail_lspawn_t bin_t:lnk_file read;
>allow qmail_lspawn_t httpd_user_content_t:lnk_file read;
>
>#============= qmail_queue_t ==============
>allow qmail_queue_t inotifyfs_t:dir read;
>allow qmail_queue_t qmail_start_t:fifo_file { write read };
>allow qmail_queue_t var_log_t:file read;
>allow qmail_queue_t user_home_t:file { read write append };
>allow qmail_queue_t var_t:lnk_file read;
>
>#============= qmail_remote_t ==============
>allow qmail_remote_t qmail_spool_t:dir { read open };
>allow qmail_remote_t dns_port_t:tcp_socket name_connect;
>allow qmail_remote_t var_t:lnk_file read;
>
>#============= qmail_rspawn_t ==============
>allow qmail_rspawn_t qmail_spool_t:dir { read open };
>allow qmail_rspawn_t var_t:lnk_file read;
>
>#============= qmail_send_t ==============
>allow qmail_send_t initrc_t:fifo_file write;
>allow qmail_send_t initrc_t:process sigchld;
>allow qmail_send_t var_t:lnk_file read;
>
>
>#============= qmail_start_t ==============
>allow qmail_start_t qmail_spool_t:dir { read write search open add_name remove_name };
>allow qmail_start_t qmail_spool_t:fifo_file { read open };
>allow qmail_start_t qmail_spool_t:file { read write getattr open create unlink };
>allow qmail_start_t bin_t:file { read execute open execute_no_trans };
>allow qmail_start_t var_t:lnk_file read;
>
>#============= This seems to be needed for area forwarding ===========
>allow httpd_t qmail_alias_home_t:dir search;
>allow httpd_t var_t:lnk_file read;
>
># Allow web access to postgresql
>allow httpd_sys_script_t postgresql_t:unix_stream_socket connectto;
>allow httpd_sys_script_t postgresql_var_run_t:dir search;
>allow httpd_sys_script_t postgresql_var_run_t:sock_file write;

Actions: View

Attachments on bug 1091647: 890473 | 890474 | 890475 | 890476 | 890490 | 890491 | 890492 | 890493 | 890495 | 890496 | 890498 | 890499 | 890500 | 890502