Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/udica-templates/base_container.cil
blob: bf08782f84d4bb2446ae4535f8dcb879d939a96b (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

;;
;; Permission sets definitions
;;

(classpermission search_dir_perms)
(classpermissionset search_dir_perms (dir (getattr search)))

(classpermission list_dir_perms)
(classpermissionset list_dir_perms (dir (getattr search open read lock ioctl)))

(classpermission rw_dir_perms)
(classpermissionset rw_dir_perms (dir (open read getattr lock search ioctl add_name remove_name write)))

(classpermission manage_dir_perms)
(classpermissionset manage_dir_perms (dir (create open getattr setattr read write link unlink rename search add_name remove_name reparent rmdir lock ioctl)))

(classpermission rw_chr_file_perms)
(classpermissionset rw_chr_file_perms (chr_file (getattr open read write append ioctl lock)))

(classpermission read_file_perms)
(classpermissionset read_file_perms (file (getattr open read lock ioctl)))

(classpermission rw_file_perms)
(classpermissionset rw_file_perms (file (open getattr read write append ioctl lock)))

(classpermission manage_file_perms)
(classpermissionset manage_file_perms (file (create open getattr setattr read write append rename link unlink ioctl lock)))

(classpermission exec_file_perms)
(classpermissionset exec_file_perms (file (getattr open map read execute ioctl execute_no_trans)))

(classpermission read_lnk_file_perms)
(classpermissionset read_lnk_file_perms (lnk_file (getattr read)))

(classpermission rw_lnk_file_perms)
(classpermissionset rw_lnk_file_perms (lnk_file (getattr read write lock ioctl)))

(classpermission manage_lnk_file_perms)
(classpermissionset manage_lnk_file_perms (lnk_file (create read write getattr setattr link unlink rename ioctl lock)))

(classpermission write_sock_file_perms)
(classpermissionset write_sock_file_perms (sock_file (getattr write open append)))

(classpermission manage_sock_file_perms)
(classpermissionset manage_sock_file_perms (sock_file (create open getattr setattr read write rename link unlink ioctl lock append)))

(classpermission create_tcp_socket_perms)
(classpermissionset create_tcp_socket_perms (tcp_socket (ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept)))

(classpermission create_udp_socket_perms)
(classpermissionset create_udp_socket_perms (udp_socket (ioctl read getattr write setattr append bind connect getopt setopt shutdown)))

(classpermission create_sctp_socket_perms)
(classpermissionset create_sctp_socket_perms (sctp_socket (ioctl read getattr write setattr append bind connect getopt setopt shutdown)))

(classpermission rw_shm_perms)
(classpermissionset rw_shm_perms (shm (lock associate getattr read unix_read unix_write write)))

;;
;; Base container policy
;;

(block container
	(blockabstract container)

	(type process)
	(type socket)

	(roletype system_r process)
	(typeattributeset domain (process))
	(typeattributeset container_domain (process))
	(typeattributeset mcs_constrained_type (process))
	(typeattributeset file_type (socket))

	(allow process socket manage_sock_file_perms)
	(allow container_engine_domain process (key (create search setattr view)))
)