%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /usr/share/selinux/devel/include/contrib/
Upload File :
Create Path :
Current File : //usr/share/selinux/devel/include/contrib/snappy.if

# This file is part of snapd-selinux
# Skeleton derived from Fedora selinux-policy, Copyright (C) 2016 Red Hat, Inc.
# Copyright (C) 2016 Neal Gompa
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Library General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.


########################################
## <summary>
##	Execute snapd in the snappy domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`snappy_domtrans',`
	gen_require(`
		type snappy_t, snappy_exec_t;
	')
	corecmd_search_bin($1)
	domtrans_pattern($1, snappy_exec_t, snappy_t)
')

#######################################
## <summary>
##      Execute snapd server in the snappy domain.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed to transition.
##      </summary>
## </param>
#
interface(`snappy_systemctl',`
	gen_require(`
		type snappy_t;
		type snappy_unit_file_t;
	')
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 snappy_unit_file_t:unix_stream_socket create_stream_socket_perms;
	allow $1 snappy_unit_file_t:file read_file_perms;
	allow $1 snappy_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, snappy_t)
')


########################################
## <summary>
##      Permit the reading of snapd config files
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed to access.
##      </summary>
## </param>
#
interface(`snappy_read_config',`
	gen_require(`
		type snappy_config_t;
	')
	files_search_etc($1)
	allow $1 snappy_config_t:dir list_dir_perms;
	allow $1 snappy_config_t:file read_file_perms;
	allow $1 snappy_config_t:lnk_file read_lnk_file_perms;
')


########################################
## <summary>
##	Create snappy content in the user home directory
##	with an correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snappy_filetrans_home_content',`
	gen_require(`
		type snappy_home_t;
	')
	userdom_user_home_dir_filetrans($1, snappy_home_t, dir, "snap")
')


########################################
## <summary>
## Read snappy home directory content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`snappy_read_user_home_files',`
	gen_require(`
		type snappy_home_t;
	')
	allow $1 snappy_home_t:dir list_dir_perms;
	allow $1 snappy_home_t:file read_file_perms;
	allow $1 snappy_home_t:lnk_file read_lnk_file_perms;
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
## Write snappy home directory content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`snappy_write_user_home_files',`
	gen_require(`
		type snappy_home_t;
	')
	write_files_pattern($1, snappy_home_t, snappy_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
## Dontaudit attempts to read/write snappy home directory content
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`snappy_dontaudit_rw_user_home_files',`
	gen_require(`
		type snappy_home_t;
	')
	dontaudit $1 snappy_home_t:file rw_inherited_file_perms;
')

########################################
## <summary>
## Dontaudit attempts to write snappy home directory content
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`snappy_dontaudit_manage_user_home_files',`
	gen_require(`
		type snappy_home_t;
	')
	dontaudit $1 snappy_home_t:dir manage_dir_perms;
	dontaudit $1 snappy_home_t:file manage_file_perms;
')

########################################
## <summary>
## Connect to snapd over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`snappy_stream_connect',`
	gen_require(`
		type snappy_t, snappy_var_run_t;
	')
	files_search_pids($1)
	stream_connect_pattern($1, snappy_var_run_t, snappy_var_run_t, snappy_t)
')

#######################################
## <summary>
##      All of the rules required to
##      administrate a snappy environment.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
## <param name="role">
##      <summary>
##      Role allowed access.
##      </summary>
## </param>
## <rolecap/>
#
interface(`snappy_admin',`
	gen_require(`
		type snappy_t, snappy_config_t;
		type snappy_var_run_t;
	')
	allow $1 snappy_t:process signal_perms;
	ps_process_pattern($1, snappy_t);
	admin_pattern($1, snappy_config_t);
	files_list_pids($1, snappy_var_run_t);
	admin_pattern($1, snappy_var_run_t);
')

########################################
## <summary>
##	Execute snappy CLI in the snappy_cli_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`snappy_cli_domtrans',`
	gen_require(`
		type snappy_cli_t, snappy_cli_exec_t;
	')
	corecmd_search_bin($1)
	domtrans_pattern($1, snappy_cli_exec_t, snappy_cli_t)
')

########################################
## <summary>
##	Execute snap-confine in the snappy_confine_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`snappy_confine_domtrans',`
	gen_require(`
		type snappy_confine_t, snappy_confine_exec_t;
	')
	corecmd_search_bin($1)
	domtrans_pattern($1, snappy_confine_exec_t, snappy_confine_t)
')

########################################
## <summary>
##	Execute snap-update-ns, snap-discard-ns in the snappy_mount_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`snappy_mount_domtrans',`
	gen_require(`
		type snappy_mount_t, snappy_mount_exec_t;
	')
	corecmd_search_bin($1)
	domtrans_pattern($1, snappy_mount_exec_t, snappy_mount_t)
')

########################################
## <summary>
##	Search snapd state directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snappy_search_lib',`
	gen_require(`
		type snappy_var_lib_t;
	')

	allow $1 snappy_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
')

########################################
## <summary>
##	Read snapd state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`snappy_read_lib',`
	gen_require(`
		type snappy_var_lib_t;
	')

	snappy_search_lib($1)
	list_dirs_pattern($1, snappy_var_lib_t, snappy_var_lib_t)
	read_files_pattern($1, snappy_var_lib_t, snappy_var_lib_t)
')

Zerion Mini Shell 1.0