2020-02-11 10:50:54 +01:00
|
|
|
module VerityBook 1.0;
|
2018-09-19 08:02:18 +02:00
|
|
|
|
|
|
|
|
require {
|
2019-06-26 17:12:02 +02:00
|
|
|
type policykit_auth_t;
|
|
|
|
|
type policykit_t;
|
|
|
|
|
type sssd_t;
|
2018-11-20 12:53:51 +01:00
|
|
|
type system_dbusd_var_run_t;
|
|
|
|
|
type iscsi_unit_file_t;
|
|
|
|
|
type etc_t;
|
|
|
|
|
type systemd_timedated_t;
|
|
|
|
|
type var_t;
|
2019-06-26 17:12:02 +02:00
|
|
|
type usr_t;
|
2018-11-20 12:53:51 +01:00
|
|
|
type NetworkManager_t;
|
|
|
|
|
type systemd_networkd_var_run_t;
|
2018-09-20 07:24:26 +02:00
|
|
|
type default_t;
|
|
|
|
|
type lib_t;
|
|
|
|
|
type machineid_t;
|
2018-11-20 12:53:51 +01:00
|
|
|
type avahi_t;
|
|
|
|
|
type xdm_t;
|
2018-09-20 07:24:26 +02:00
|
|
|
type shadow_t;
|
2018-11-20 12:53:51 +01:00
|
|
|
type cupsd_t;
|
|
|
|
|
type semanage_store_t;
|
|
|
|
|
type var_lib_t;
|
|
|
|
|
type init_t;
|
2018-09-19 08:02:18 +02:00
|
|
|
type systemd_tmpfiles_t;
|
2018-11-20 12:53:51 +01:00
|
|
|
type accountsd_t;
|
|
|
|
|
type init_var_lib_t;
|
|
|
|
|
type getty_var_run_t;
|
2018-09-20 07:24:26 +02:00
|
|
|
type useradd_t;
|
2018-11-20 12:53:51 +01:00
|
|
|
type systemd_gpt_generator_t;
|
2018-11-30 11:03:18 +01:00
|
|
|
type system_cronjob_tmp_t;
|
2018-11-20 12:53:51 +01:00
|
|
|
type init_var_run_t;
|
2018-11-30 11:03:18 +01:00
|
|
|
type svirt_t;
|
|
|
|
|
type user_home_dir_t;
|
2019-06-26 17:12:02 +02:00
|
|
|
type chkpwd_t;
|
|
|
|
|
type xdm_var_lib_t;
|
|
|
|
|
class sock_file { create write };
|
2018-11-20 12:53:51 +01:00
|
|
|
class file { create getattr map open read relabelfrom relabelto rename setattr unlink write };
|
|
|
|
|
class process { dyntransition setcurrent };
|
2019-06-26 17:12:02 +02:00
|
|
|
class dir { add_name create getattr read write search mounton map };
|
2018-11-20 12:53:51 +01:00
|
|
|
class process2 nnp_transition;
|
|
|
|
|
class service { reload status stop };
|
|
|
|
|
class dbus send_msg;
|
2019-06-26 17:12:02 +02:00
|
|
|
class sock_file { read write };
|
2018-11-30 11:03:18 +01:00
|
|
|
class lnk_file { getattr read };
|
2018-09-19 08:02:18 +02:00
|
|
|
}
|
|
|
|
|
|
2018-11-20 12:53:51 +01:00
|
|
|
#============= NetworkManager_t ==============
|
|
|
|
|
allow NetworkManager_t iscsi_unit_file_t:service { reload status };
|
|
|
|
|
|
2018-09-19 08:02:18 +02:00
|
|
|
#============= accountsd_t ==============
|
2018-11-20 12:53:51 +01:00
|
|
|
allow accountsd_t var_lib_t:file { create getattr open read rename unlink write };
|
2018-09-19 08:02:18 +02:00
|
|
|
allow accountsd_t shadow_t:file map;
|
|
|
|
|
|
2018-11-20 12:53:51 +01:00
|
|
|
#============= avahi_t ==============
|
|
|
|
|
allow avahi_t xdm_t:dbus send_msg;
|
2018-09-19 08:02:18 +02:00
|
|
|
|
2018-11-20 12:53:51 +01:00
|
|
|
#============= cupsd_t ==============
|
|
|
|
|
allow cupsd_t etc_t:file { rename unlink };
|
2018-09-20 07:24:26 +02:00
|
|
|
|
|
|
|
|
#============= init_t ==============
|
2018-11-20 12:53:51 +01:00
|
|
|
# because of initramfs doing 'load_policy -i'
|
|
|
|
|
allow init_t self:process { dyntransition setcurrent };
|
2018-09-20 07:24:26 +02:00
|
|
|
allow init_t semanage_store_t:file map;
|
2018-11-30 11:03:18 +01:00
|
|
|
allow init_t system_cronjob_tmp_t:dir mounton;
|
2018-09-20 07:24:26 +02:00
|
|
|
|
2018-11-20 12:53:51 +01:00
|
|
|
#============= init_t ==============
|
|
|
|
|
allow init_t systemd_timedated_t:process2 nnp_transition;
|
|
|
|
|
allow init_t var_t:dir create;
|
|
|
|
|
allow init_t var_t:file { create open read rename setattr write };
|
|
|
|
|
allow init_t machineid_t:file { create write relabelto read setattr open };
|
2018-09-20 07:24:26 +02:00
|
|
|
|
|
|
|
|
#============= systemd_gpt_generator_t ==============
|
2018-11-20 12:53:51 +01:00
|
|
|
# because /efi has no selinux label yet
|
2018-09-20 07:24:26 +02:00
|
|
|
allow systemd_gpt_generator_t default_t:dir read;
|
|
|
|
|
|
2018-11-20 12:53:51 +01:00
|
|
|
#============= systemd_timedated_t ==============
|
|
|
|
|
allow systemd_timedated_t init_var_lib_t:dir { add_name getattr write search };
|
|
|
|
|
allow systemd_timedated_t init_var_lib_t:file { create open setattr write getattr read };
|
2018-11-30 11:03:18 +01:00
|
|
|
allow systemd_timedated_t init_var_lib_t:lnk_file { getattr read };
|
2018-11-20 12:53:51 +01:00
|
|
|
allow systemd_timedated_t init_var_run_t:dir { add_name write };
|
|
|
|
|
allow systemd_timedated_t init_var_run_t:file { create open write };
|
|
|
|
|
allow systemd_timedated_t system_dbusd_var_run_t:dir read;
|
2018-11-20 16:39:07 +01:00
|
|
|
allow systemd_timedated_t system_dbusd_var_run_t:sock_file read;
|
2018-11-20 12:53:51 +01:00
|
|
|
allow systemd_timedated_t systemd_networkd_var_run_t:dir read;
|
|
|
|
|
|
|
|
|
|
#============= systemd_tmpfiles_t ==============
|
|
|
|
|
allow systemd_tmpfiles_t shadow_t:file { getattr relabelfrom relabelto };
|
|
|
|
|
|
|
|
|
|
#============= useradd_t ==============
|
|
|
|
|
allow useradd_t var_t:file { getattr open read write };
|
|
|
|
|
|
|
|
|
|
#============= xdm_t ==============
|
|
|
|
|
allow xdm_t avahi_t:dbus send_msg;
|
|
|
|
|
allow xdm_t getty_var_run_t:file getattr;
|
|
|
|
|
allow xdm_t lib_t:service stop;
|
2019-06-26 17:12:02 +02:00
|
|
|
allow xdm_t xdm_var_lib_t:dir map;
|
2018-11-30 11:03:18 +01:00
|
|
|
|
|
|
|
|
#============= svirt_t ==============
|
|
|
|
|
allow svirt_t user_home_dir_t:dir read;
|
2019-06-26 17:12:02 +02:00
|
|
|
|
|
|
|
|
#============= chkpwd_t ==============
|
|
|
|
|
allow chkpwd_t usr_t:file map;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#============= policykit_auth_t ==============
|
|
|
|
|
allow policykit_auth_t var_lib_t:file read;
|
|
|
|
|
allow policykit_auth_t var_lib_t:sock_file write;
|
|
|
|
|
|
|
|
|
|
#============= policykit_t ==============
|
|
|
|
|
allow policykit_t var_lib_t:file read;
|
|
|
|
|
allow policykit_t var_lib_t:sock_file write;
|
|
|
|
|
|
|
|
|
|
#============= sssd_t ==============
|
|
|
|
|
allow sssd_t var_lib_t:file read;
|
|
|
|
|
allow sssd_t var_lib_t:sock_file { create write };
|
|
|
|
|
|
