1# Copyright (C) 2007-2012 Red Hat
2# see file 'COPYING' for use and warranty information
3#
4# policygentool is a tool for the initial generation of SELinux policy
5#
6#    This program is free software; you can redistribute it and/or
7#    modify it under the terms of the GNU General Public License as
8#    published by the Free Software Foundation; either version 2 of
9#    the License, or (at your option) any later version.
10#
11#    This program is distributed in the hope that it will be useful,
12#    but WITHOUT ANY WARRANTY; without even the implied warranty of
13#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14#    GNU General Public License for more details.
15#
16#    You should have received a copy of the GNU General Public License
17#    along with this program; if not, write to the Free Software
18#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
19#                                        02111-1307  USA
20#
21#
22########################### Type Enforcement File #############################
23te_daemon_types="""\
24policy_module(TEMPLATETYPE, 1.0.0)
25
26########################################
27#
28# Declarations
29#
30
31type TEMPLATETYPE_t;
32type TEMPLATETYPE_exec_t;
33init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
34
35permissive TEMPLATETYPE_t;
36"""
37
38te_initscript_types="""
39type TEMPLATETYPE_initrc_exec_t;
40init_script_file(TEMPLATETYPE_initrc_exec_t)
41"""
42
43te_dbusd_types="""\
44policy_module(TEMPLATETYPE, 1.0.0)
45
46########################################
47#
48# Declarations
49#
50
51type TEMPLATETYPE_t;
52type TEMPLATETYPE_exec_t;
53domain_type(TEMPLATETYPE_t)
54domain_entry_file(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
55role system_r types TEMPLATETYPE_t;
56
57permissive TEMPLATETYPE_t;
58"""
59
60te_inetd_types="""\
61policy_module(TEMPLATETYPE, 1.0.0)
62
63########################################
64#
65# Declarations
66#
67
68type TEMPLATETYPE_t;
69type TEMPLATETYPE_exec_t;
70inetd_service_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
71
72permissive TEMPLATETYPE_t;
73"""
74
75te_userapp_types="""\
76policy_module(TEMPLATETYPE, 1.0.0)
77
78########################################
79#
80# Declarations
81#
82
83attribute_role TEMPLATETYPE_roles;
84roleattribute system_r TEMPLATETYPE_roles;
85
86type TEMPLATETYPE_t;
87type TEMPLATETYPE_exec_t;
88application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
89role TEMPLATETYPE_roles types TEMPLATETYPE_t;
90
91permissive TEMPLATETYPE_t;
92"""
93
94te_sandbox_types="""\
95policy_module(TEMPLATETYPE, 1.0.0)
96
97########################################
98#
99# Declarations
100#
101
102sandbox_x_domain_template(TEMPLATETYPE)
103
104permissive TEMPLATETYPE_t;
105permissive TEMPLATETYPE_client_t;
106
107"""
108
109te_cgi_types="""\
110policy_module(TEMPLATETYPE, 1.0.0)
111
112########################################
113#
114# Declarations
115#
116
117apache_content_template(TEMPLATETYPE)
118
119permissive httpd_TEMPLATETYPE_script_t;
120"""
121
122te_daemon_rules="""\
123allow TEMPLATETYPE_t self:fifo_file rw_fifo_file_perms;
124allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
125"""
126
127te_inetd_rules="""
128"""
129
130te_dbusd_rules="""
131optional_policy(`
132	dbus_system_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
133')
134"""
135
136te_userapp_rules="""
137allow TEMPLATETYPE_t self:fifo_file manage_fifo_file_perms;
138allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
139"""
140
141te_cgi_rules="""
142"""
143
144te_sandbox_rules="""
145"""
146
147te_uid_rules="""
148auth_use_nsswitch(TEMPLATETYPE_t)
149"""
150
151te_syslog_rules="""
152logging_send_syslog_msg(TEMPLATETYPE_t)
153"""
154
155te_resolve_rules="""
156sysnet_dns_name_resolve(TEMPLATETYPE_t)
157"""
158
159te_pam_rules="""
160auth_domtrans_chk_passwd(TEMPLATETYPE_t)
161"""
162
163te_mail_rules="""
164mta_send_mail(TEMPLATETYPE_t)
165"""
166
167te_dbus_rules="""
168optional_policy(`
169	dbus_system_bus_client(TEMPLATETYPE_t)
170	dbus_connect_system_bus(TEMPLATETYPE_t)
171')
172"""
173
174te_kerberos_rules="""
175optional_policy(`
176	kerberos_use(TEMPLATETYPE_t)
177')
178"""
179
180te_manage_krb5_rcache_rules="""
181optional_policy(`
182	kerberos_keytab_template(TEMPLATETYPE, TEMPLATETYPE_t)
183	kerberos_manage_host_rcache(TEMPLATETYPE_t)
184')
185"""
186
187te_audit_rules="""
188logging_send_audit_msgs(TEMPLATETYPE_t)
189"""
190
191te_run_rules="""
192optional_policy(`
193	gen_require(`
194		type USER_t;
195		role USER_r;
196	')
197
198	TEMPLATETYPE_run(USER_t, USER_r)
199')
200"""
201
202te_fd_rules="""
203domain_use_interactive_fds(TEMPLATETYPE_t)
204"""
205
206te_etc_rules="""
207files_read_etc_files(TEMPLATETYPE_t)
208"""
209
210te_localization_rules="""
211miscfiles_read_localization(TEMPLATETYPE_t)
212"""
213
214########################### Interface File #############################
215
216if_heading_rules="""
217## <summary>policy for TEMPLATETYPE</summary>"""
218
219if_program_rules="""
220
221########################################
222## <summary>
223##	Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domain.
224## </summary>
225## <param name=\"domain\">
226## <summary>
227##	Domain allowed to transition.
228## </summary>
229## </param>
230#
231interface(`TEMPLATETYPE_domtrans',`
232	gen_require(`
233		type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
234	')
235
236	corecmd_search_bin($1)
237	domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
238')
239
240######################################
241## <summary>
242##	Execute TEMPLATETYPE in the caller domain.
243## </summary>
244## <param name="domain">
245##	<summary>
246##	Domain allowed access.
247##	</summary>
248## </param>
249#
250interface(`TEMPLATETYPE_exec',`
251	gen_require(`
252		type TEMPLATETYPE_exec_t;
253	')
254
255	corecmd_search_bin($1)
256	can_exec($1, TEMPLATETYPE_exec_t)
257')
258"""
259
260if_user_program_rules="""
261########################################
262## <summary>
263##	Execute TEMPLATETYPE in the TEMPLATETYPE domain, and
264##	allow the specified role the TEMPLATETYPE domain.
265## </summary>
266## <param name="domain">
267##	<summary>
268##	Domain allowed to transition
269##	</summary>
270## </param>
271## <param name="role">
272##	<summary>
273##	The role to be allowed the TEMPLATETYPE domain.
274##	</summary>
275## </param>
276#
277interface(`TEMPLATETYPE_run',`
278	gen_require(`
279		type TEMPLATETYPE_t;
280		attribute_role TEMPLATETYPE_roles;
281	')
282
283	TEMPLATETYPE_domtrans($1)
284	roleattribute $2 TEMPLATETYPE_roles;
285')
286
287########################################
288## <summary>
289##	Role access for TEMPLATETYPE
290## </summary>
291## <param name="role">
292##	<summary>
293##	Role allowed access
294##	</summary>
295## </param>
296## <param name="domain">
297##	<summary>
298##	User domain for the role
299##	</summary>
300## </param>
301#
302interface(`TEMPLATETYPE_role',`
303	gen_require(`
304		type TEMPLATETYPE_t;
305		attribute_role TEMPLATETYPE_roles;
306	')
307
308	roleattribute $1 TEMPLATETYPE_roles;
309
310	TEMPLATETYPE_domtrans($2)
311
312	ps_process_pattern($2, TEMPLATETYPE_t)
313	allow $2 TEMPLATETYPE_t:process { signull signal sigkill };
314')
315"""
316
317if_sandbox_rules="""
318########################################
319## <summary>
320##	Execute sandbox in the TEMPLATETYPE_t domain, and
321##	allow the specified role the TEMPLATETYPE_t domain.
322## </summary>
323## <param name="domain">
324##	<summary>
325##	Domain allowed to transition.
326##	</summary>
327## </param>
328## <param name="role">
329##	<summary>
330##	The role to be allowed the TEMPLATETYPE_t domain.
331##	</summary>
332## </param>
333#
334interface(`TEMPLATETYPE_transition',`
335	gen_require(`
336		type TEMPLATETYPE_t;
337		type TEMPLATETYPE_client_t;
338	')
339
340	allow $1 TEMPLATETYPE_t:process { signal_perms transition };
341	dontaudit $1 TEMPLATETYPE_t:process { noatsecure siginh rlimitinh };
342	role $2 types TEMPLATETYPE_t;
343	role $2 types TEMPLATETYPE_client_t;
344
345	allow TEMPLATETYPE_t $1:process { sigchld signull };
346	allow TEMPLATETYPE_t $1:fifo_file rw_inherited_fifo_file_perms;
347	allow TEMPLATETYPE_client_t $1:process { sigchld signull };
348	allow TEMPLATETYPE_client_t $1:fifo_file rw_inherited_fifo_file_perms;
349')
350"""
351
352if_role_change_rules="""
353########################################
354## <summary>
355##	Change to the TEMPLATETYPE role.
356## </summary>
357## <param name="role">
358##	<summary>
359##	Role allowed access.
360##	</summary>
361## </param>
362## <rolecap/>
363#
364interface(`TEMPLATETYPE_role_change',`
365	gen_require(`
366		role TEMPLATETYPE_r;
367	')
368
369	allow $1 TEMPLATETYPE_r;
370')
371"""
372
373if_initscript_rules="""
374########################################
375## <summary>
376##	Execute TEMPLATETYPE server in the TEMPLATETYPE domain.
377## </summary>
378## <param name="domain">
379##	<summary>
380##	Domain allowed access.
381##	</summary>
382## </param>
383#
384interface(`TEMPLATETYPE_initrc_domtrans',`
385	gen_require(`
386		type TEMPLATETYPE_initrc_exec_t;
387	')
388
389	init_labeled_script_domtrans($1, TEMPLATETYPE_initrc_exec_t)
390')
391"""
392
393if_dbus_rules="""
394########################################
395## <summary>
396##	Send and receive messages from
397##	TEMPLATETYPE over dbus.
398## </summary>
399## <param name="domain">
400##	<summary>
401##	Domain allowed access.
402##	</summary>
403## </param>
404#
405interface(`TEMPLATETYPE_dbus_chat',`
406	gen_require(`
407		type TEMPLATETYPE_t;
408		class dbus send_msg;
409	')
410
411	allow $1 TEMPLATETYPE_t:dbus send_msg;
412	allow TEMPLATETYPE_t $1:dbus send_msg;
413')
414"""
415
416if_begin_admin="""
417########################################
418## <summary>
419##	All of the rules required to administrate
420##	an TEMPLATETYPE environment
421## </summary>
422## <param name="domain">
423##	<summary>
424##	Domain allowed access.
425##	</summary>
426## </param>
427## <param name="role">
428##	<summary>
429##	Role allowed access.
430##	</summary>
431## </param>
432## <rolecap/>
433#
434interface(`TEMPLATETYPE_admin',`
435	gen_require(`
436		type TEMPLATETYPE_t;"""
437
438if_middle_admin="""
439	')
440
441	allow $1 TEMPLATETYPE_t:process { signal_perms };
442	ps_process_pattern($1, TEMPLATETYPE_t)
443
444    tunable_policy(`deny_ptrace',`',`
445        allow $1 TEMPLATETYPE_t:process ptrace;
446    ')
447"""
448
449if_initscript_admin_types="""
450		type TEMPLATETYPE_initrc_exec_t;"""
451
452if_initscript_admin="""
453	TEMPLATETYPE_initrc_domtrans($1)
454	domain_system_change_exemption($1)
455	role_transition $2 TEMPLATETYPE_initrc_exec_t system_r;
456	allow $2 system_r;
457"""
458
459if_end_admin="""\
460	optional_policy(`
461		systemd_passwd_agent_exec($1)
462		systemd_read_fifo_file_passwd_run($1)
463	')
464')
465"""
466
467########################### File Context ##################################
468fc_program="""\
469EXECUTABLE		--	gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
470"""
471
472fc_user="""\
473#  No file context, leave blank
474"""
475
476fc_initscript="""\
477EXECUTABLE	--	gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
478"""
479