1# Copyright (C) 2007-2012 Red Hat
2# see file 'COPYING' for use and warranty information
3#
4# policygentool is a tool for the initial generation of SELinux policy
5#
6#    This program is free software; you can redistribute it and/or
7#    modify it under the terms of the GNU General Public License as
8#    published by the Free Software Foundation; either version 2 of
9#    the License, or (at your option) any later version.
10#
11#    This program is distributed in the hope that it will be useful,
12#    but WITHOUT ANY WARRANTY; without even the implied warranty of
13#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14#    GNU General Public License for more details.
15#
16#    You should have received a copy of the GNU General Public License
17#    along with this program; if not, write to the Free Software
18#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
19#                                        02111-1307  USA
20#
21#
22########################### Type Enforcement File #############################
23te_daemon_types="""\
24policy_module(TEMPLATETYPE, 1.0.0)
25
26########################################
27#
28# Declarations
29#
30
31type TEMPLATETYPE_t;
32type TEMPLATETYPE_exec_t;
33init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
34
35permissive TEMPLATETYPE_t;
36"""
37
38te_initscript_types="""
39type TEMPLATETYPE_initrc_exec_t;
40init_script_file(TEMPLATETYPE_initrc_exec_t)
41"""
42
43te_dbusd_types="""\
44policy_module(TEMPLATETYPE, 1.0.0)
45
46########################################
47#
48# Declarations
49#
50
51type TEMPLATETYPE_t;
52type TEMPLATETYPE_exec_t;
53domain_type(TEMPLATETYPE_t)
54domain_entry_file(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
55role system_r types TEMPLATETYPE_t;
56
57permissive TEMPLATETYPE_t;
58"""
59
60te_inetd_types="""\
61policy_module(TEMPLATETYPE, 1.0.0)
62
63########################################
64#
65# Declarations
66#
67
68type TEMPLATETYPE_t;
69type TEMPLATETYPE_exec_t;
70inetd_service_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
71
72permissive TEMPLATETYPE_t;
73"""
74
75te_userapp_types="""\
76policy_module(TEMPLATETYPE, 1.0.0)
77
78########################################
79#
80# Declarations
81#
82
83attribute_role TEMPLATETYPE_roles;
84roleattribute system_r TEMPLATETYPE_roles;
85
86type TEMPLATETYPE_t;
87type TEMPLATETYPE_exec_t;
88application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
89
90permissive TEMPLATETYPE_t;
91"""
92
93te_sandbox_types="""\
94policy_module(TEMPLATETYPE, 1.0.0)
95
96########################################
97#
98# Declarations
99#
100
101sandbox_x_domain_template(TEMPLATETYPE)
102
103permissive TEMPLATETYPE_t;
104permissive TEMPLATETYPE_client_t;
105
106"""
107
108te_cgi_types="""\
109policy_module(TEMPLATETYPE, 1.0.0)
110
111########################################
112#
113# Declarations
114#
115
116apache_content_template(TEMPLATETYPE)
117
118permissive httpd_TEMPLATETYPE_script_t;
119"""
120
121te_daemon_rules="""\
122allow TEMPLATETYPE_t self:fifo_file rw_fifo_file_perms;
123allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
124"""
125
126te_inetd_rules="""
127"""
128
129te_dbusd_rules="""
130optional_policy(`
131	dbus_system_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
132')
133"""
134
135te_userapp_rules="""
136allow TEMPLATETYPE_t self:fifo_file manage_fifo_file_perms;
137allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
138"""
139
140te_cgi_rules="""
141"""
142
143te_sandbox_rules="""
144"""
145
146te_uid_rules="""
147auth_use_nsswitch(TEMPLATETYPE_t)
148"""
149
150te_syslog_rules="""
151logging_send_syslog_msg(TEMPLATETYPE_t)
152"""
153
154te_resolve_rules="""
155sysnet_dns_name_resolve(TEMPLATETYPE_t)
156"""
157
158te_pam_rules="""
159auth_domtrans_chk_passwd(TEMPLATETYPE_t)
160"""
161
162te_mail_rules="""
163mta_send_mail(TEMPLATETYPE_t)
164"""
165
166te_dbus_rules="""
167optional_policy(`
168	dbus_system_bus_client(TEMPLATETYPE_t)
169	dbus_connect_system_bus(TEMPLATETYPE_t)
170')
171"""
172
173te_kerberos_rules="""
174optional_policy(`
175	kerberos_use(TEMPLATETYPE_t)
176')
177"""
178
179te_manage_krb5_rcache_rules="""
180optional_policy(`
181	kerberos_keytab_template(TEMPLATETYPE, TEMPLATETYPE_t)
182	kerberos_manage_host_rcache(TEMPLATETYPE_t)
183')
184"""
185
186te_audit_rules="""
187logging_send_audit_msgs(TEMPLATETYPE_t)
188"""
189
190te_run_rules="""
191optional_policy(`
192	gen_require(`
193		type USER_t;
194		role USER_r;
195	')
196
197	TEMPLATETYPE_run(USER_t, USER_r)
198')
199"""
200
201te_fd_rules="""
202domain_use_interactive_fds(TEMPLATETYPE_t)
203"""
204
205te_etc_rules="""
206files_read_etc_files(TEMPLATETYPE_t)
207"""
208
209te_localization_rules="""
210miscfiles_read_localization(TEMPLATETYPE_t)
211"""
212
213########################### Interface File #############################
214
215if_heading_rules="""
216## <summary>policy for TEMPLATETYPE</summary>"""
217
218if_program_rules="""
219
220########################################
221## <summary>
222##	Execute TEMPLATE in the TEMPLATETYPE domin.
223## </summary>
224## <param name=\"domain\">
225## <summary>
226##	Domain allowed to transition.
227## </summary>
228## </param>
229#
230interface(`TEMPLATETYPE_domtrans',`
231	gen_require(`
232		type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
233	')
234
235	corecmd_search_bin($1)
236	domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
237')
238"""
239
240if_user_program_rules="""
241########################################
242## <summary>
243##	Execute TEMPLATETYPE in the TEMPLATETYPE domain, and
244##	allow the specified role the TEMPLATETYPE domain.
245## </summary>
246## <param name="domain">
247##	<summary>
248##	Domain allowed to transition
249##	</summary>
250## </param>
251## <param name="role">
252##	<summary>
253##	The role to be allowed the TEMPLATETYPE domain.
254##	</summary>
255## </param>
256#
257interface(`TEMPLATETYPE_run',`
258	gen_require(`
259		type TEMPLATETYPE_t;
260		attribute_role TEMPLATETYPE_roles;
261	')
262
263	TEMPLATETYPE_domtrans($1)
264	roleattribute $2 TEMPLATETYPE_roles;
265')
266
267########################################
268## <summary>
269##	Role access for TEMPLATETYPE
270## </summary>
271## <param name="role">
272##	<summary>
273##	Role allowed access
274##	</summary>
275## </param>
276## <param name="domain">
277##	<summary>
278##	User domain for the role
279##	</summary>
280## </param>
281#
282interface(`TEMPLATETYPE_role',`
283	gen_require(`
284		type TEMPLATETYPE_t;
285		attribute_role TEMPLATETYPE_roles;
286	')
287
288	roleattribute $1 TEMPLATETYPE_roles;
289
290	TEMPLATETYPE_domtrans($2)
291
292	ps_process_pattern($2, TEMPLATETYPE_t)
293	allow $2 TEMPLATETYPE_t:process { signull signal sigkill };
294')
295"""
296
297if_sandbox_rules="""
298########################################
299## <summary>
300##	Execute sandbox in the TEMPLATETYPE_t domain, and
301##	allow the specified role the TEMPLATETYPE_t domain.
302## </summary>
303## <param name="domain">
304##	<summary>
305##	Domain allowed to transition.
306##	</summary>
307## </param>
308## <param name="role">
309##	<summary>
310##	The role to be allowed the TEMPLATETYPE_t domain.
311##	</summary>
312## </param>
313#
314interface(`TEMPLATETYPE_transition',`
315	gen_require(`
316		type TEMPLATETYPE_t;
317		type TEMPLATETYPE_client_t;
318	')
319
320	allow $1 TEMPLATETYPE_t:process { signal_perms transition };
321	dontaudit $1 TEMPLATETYPE_t:process { noatsecure siginh rlimitinh };
322	role $2 types TEMPLATETYPE_t;
323	role $2 types TEMPLATETYPE_client_t;
324
325	allow TEMPLATETYPE_t $1:process { sigchld signull };
326	allow TEMPLATETYPE_t $1:fifo_file rw_inherited_fifo_file_perms;
327	allow TEMPLATETYPE_client_t $1:process { sigchld signull };
328	allow TEMPLATETYPE_client_t $1:fifo_file rw_inherited_fifo_file_perms;
329')
330"""
331
332if_role_change_rules="""
333########################################
334## <summary>
335##	Change to the TEMPLATETYPE role.
336## </summary>
337## <param name="role">
338##	<summary>
339##	Role allowed access.
340##	</summary>
341## </param>
342## <rolecap/>
343#
344interface(`TEMPLATETYPE_role_change',`
345	gen_require(`
346		role TEMPLATETYPE_r;
347	')
348
349	allow $1 TEMPLATETYPE_r;
350')
351"""
352
353if_initscript_rules="""
354########################################
355## <summary>
356##	Execute TEMPLATETYPE server in the TEMPLATETYPE domain.
357## </summary>
358## <param name="domain">
359##	<summary>
360##	Domain allowed access.
361##	</summary>
362## </param>
363#
364interface(`TEMPLATETYPE_initrc_domtrans',`
365	gen_require(`
366		type TEMPLATETYPE_initrc_exec_t;
367	')
368
369	init_labeled_script_domtrans($1, TEMPLATETYPE_initrc_exec_t)
370')
371"""
372
373if_dbus_rules="""
374########################################
375## <summary>
376##	Send and receive messages from
377##	TEMPLATETYPE over dbus.
378## </summary>
379## <param name="domain">
380##	<summary>
381##	Domain allowed access.
382##	</summary>
383## </param>
384#
385interface(`TEMPLATETYPE_dbus_chat',`
386	gen_require(`
387		type TEMPLATETYPE_t;
388		class dbus send_msg;
389	')
390
391	allow $1 TEMPLATETYPE_t:dbus send_msg;
392	allow TEMPLATETYPE_t $1:dbus send_msg;
393')
394"""
395
396if_begin_admin="""
397########################################
398## <summary>
399##	All of the rules required to administrate
400##	an TEMPLATETYPE environment
401## </summary>
402## <param name="domain">
403##	<summary>
404##	Domain allowed access.
405##	</summary>
406## </param>
407## <param name="role">
408##	<summary>
409##	Role allowed access.
410##	</summary>
411## </param>
412## <rolecap/>
413#
414interface(`TEMPLATETYPE_admin',`
415	gen_require(`
416		type TEMPLATETYPE_t;"""
417
418if_middle_admin="""
419	')
420
421	allow $1 TEMPLATETYPE_t:process { ptrace signal_perms };
422	ps_process_pattern($1, TEMPLATETYPE_t)
423"""
424
425if_initscript_admin_types="""
426		type TEMPLATETYPE_initrc_exec_t;"""
427
428if_initscript_admin="""
429	TEMPLATETYPE_initrc_domtrans($1)
430	domain_system_change_exemption($1)
431	role_transition $2 TEMPLATETYPE_initrc_exec_t system_r;
432	allow $2 system_r;
433"""
434
435if_end_admin="""\
436	optional_policy(`
437		systemd_passwd_agent_exec($1)
438		systemd_read_fifo_file_passwd_run($1)
439	')
440')
441"""
442
443########################### File Context ##################################
444fc_program="""\
445EXECUTABLE		--	gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
446"""
447
448fc_user="""\
449#  No file context, leave blank
450"""
451
452fc_initscript="""\
453EXECUTABLE	--	gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
454"""
455