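policy_module(sagator,1.0.11);

########################################
#
# Declarations
#
# sagator: mail gateway daemon (sagator_t) started by init from
# sagator_exec_t and operating inside a chroot rooted at sagator_root_t.
#
# Every type or attribute this module uses from another module must be
# listed in the require block. tmp_t (manage_files_pattern below) and
# initrc_t (the init-script relabel rules at the end) were referenced
# without being required here and only reached scope through whatever
# gen_require() the called interfaces happen to emit; they are now
# declared explicitly so the module does not depend on that.
#

require {
	attribute serial_device;
	attribute port_type;
	attribute packet_type;
	#attribute reserved_port_type;
	type port_t;
	type smtp_port_t;
	type lmtp_port_t;
	type clamd_var_lib_t;
	type spamd_port_t;
	type spamd_t;
	type rpm_script_t;
	type initrc_t;
	type named_conf_t;
	type lo_node_t;
	type devpts_t;
	type tmp_t;
}

# The daemon domain and its entry point. init_daemon_domain() already
# makes sagator_t a domain; the explicit domain_type() call is redundant
# but harmless and kept as written.
type sagator_t;
type sagator_exec_t;
domain_type(sagator_t)
init_daemon_domain(sagator_t, sagator_exec_t)

# Chroot root directory.
type sagator_root_t;
files_type(sagator_root_t)

# Executables inside the chroot; sagator_t may run them without a
# domain transition.
type sagator_bin_t;
files_type(sagator_bin_t)
can_exec(sagator_t, sagator_bin_t)

# Libraries and configuration inside the chroot (read-only for the
# daemon, see the rules under "chroot access").
type sagator_lib_t;
files_type(sagator_lib_t)
type sagator_etc_t;
files_type(sagator_etc_t)

# Device nodes inside the chroot. The type carries the serial_device
# attribute, so every rule granted to that attribute in other modules
# also applies to these nodes -- NOTE(review): confirm this aggregation
# is intended rather than only the explicit read rule below.
type sagator_device_t, serial_device;

# Daemon state and temporary files. sagator_tmp_t is a tmp file type,
# but no files_tmp_filetrans() is declared, so files the daemon creates
# under /tmp stay tmp_t (covered by the broad manage rule on tmp_t in
# the local policy). A future tightening would add the filetrans and
# drop the tmp_t rule.
type sagator_var_t;
files_type(sagator_var_t)
type sagator_tmp_t;
files_tmp_file(sagator_tmp_t)

# PID file: created under the pid directory with the private label.
type sagator_var_run_t;
files_pid_file(sagator_var_run_t)
files_pid_filetrans(sagator_t,sagator_var_run_t,file)

# Roles
# init_daemon_domain() already associates sagator_t with system_r; the
# file types listed here gain nothing from a role association. Kept as
# written so the set of associated types is unchanged.
role system_r types { sagator_exec_t sagator_t sagator_tmp_t sagator_root_t sagator_bin_t sagator_lib_t sagator_etc_t sagator_var_t sagator_device_t };

# Network ports
# A dedicated port type exists but the port labelling and the
# restricted bind rules remain disabled; the daemon instead relies on
# corenet_tcp_bind_reserved_port() in the local policy, which permits
# binding any reserved port rather than only its own.
type sagator_port_t, port_type;
#typeattribute sagator_port_t reserved_port_type;
#portcon tcp 27 gen_context(system_u:object_r:sagator_port_t,s0)
#typeattribute sagator_port_t reserved_port_type;
#portcon tcp 28 gen_context(system_u:object_r:sagator_port_t,s0)
#allow sagator_t lo_node_t:tcp_socket node_bind;
#allow sagator_t reserved_port_t:tcp_socket name_bind;

########################################
#
# Local policy
#

# Generic system access: process state, sysfs, random bytes, shipped
# binaries and /etc.
kernel_read_system_state(sagator_t)
dev_read_sysfs(sagator_t)
dev_read_urand(sagator_t)
corecmd_exec_bin(sagator_t)
files_read_etc_files(sagator_t)
files_read_etc_runtime_files(sagator_t)

# read python modules
files_read_usr_files(sagator_t)
files_search_var_lib(sagator_t)
files_search_spool(sagator_t)
files_list_world_readable(sagator_t)
files_read_world_readable_files(sagator_t)
files_read_world_readable_symlinks(sagator_t)

# Satisfy readahead
files_read_var_files(sagator_t)
files_read_var_symlinks(sagator_t)

libs_use_ld_so(sagator_t)
libs_use_shared_libs(sagator_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
libs_read_lib_files(sagator_t)
miscfiles_read_localization(sagator_t)

# network
# These are wide: connect to and send/receive on every labelled TCP
# port and bind any reserved port. The explicit smtp/lmtp/spamd
# name_connect rules further down are the ports the daemon is known to
# need, so corenet_tcp_connect_all_ports() is the rule to review when
# narrowing this domain.
corenet_tcp_sendrecv_all_if(sagator_t)
corenet_tcp_sendrecv_all_nodes(sagator_t)
corenet_tcp_connect_all_ports(sagator_t)
corenet_tcp_bind_reserved_port(sagator_t)
corenet_tcp_bind_all_nodes(sagator_t)
corenet_all_recvfrom_unlabeled(sagator_t)
corenet_all_recvfrom_netlabel(sagator_t)
corenet_tcp_sendrecv_all_ports(sagator_t)

# other
# pty access, full management of generic tmp_t files (see the note on
# sagator_tmp_t above) and of the daemon's own pid-directory files.
rw_chr_files_pattern(sagator_t, devpts_t, devpts_t);
manage_files_pattern(sagator_t, tmp_t, tmp_t);
manage_files_pattern(sagator_t, sagator_var_run_t, sagator_var_run_t);
allow sagator_t named_conf_t:dir search;

# chroot access
# Read-only on the chroot's binaries, devices, config and libs;
# read/write only on its tmp and var areas.
allow sagator_t sagator_root_t:dir search;
allow sagator_t sagator_exec_t:file { entrypoint getattr ioctl read };
allow sagator_t sagator_device_t:chr_file read;
allow sagator_t sagator_device_t:dir search;
allow sagator_t sagator_etc_t:dir search;
allow sagator_t sagator_etc_t:file { getattr read };
allow sagator_t sagator_lib_t:dir search;
allow sagator_t sagator_tmp_t:dir { manage_dir_perms };
allow sagator_t sagator_tmp_t:file { manage_file_perms };
allow sagator_t sagator_var_t:dir { manage_dir_perms };
allow sagator_t sagator_var_t:file { manage_file_perms };

# self: capabilities, signals, sockets
# dac_override lets the daemon bypass file mode bits; sys_chroot,
# net_bind_service, setuid and setgid are consistent with a daemon that
# binds a privileged port, enters its chroot and then drops privileges
# (the start-up sequence itself is not visible here).
allow sagator_t self:capability { dac_override kill net_bind_service setgid setuid sys_chroot };
allow sagator_t self:process { signal_perms };
allow sagator_t self:tcp_socket { create_stream_socket_perms };
allow sagator_t self:fifo_file { read write };

# libclam clamav access
# Write access to the clamav database directory, not just read.
allow sagator_t clamd_var_lib_t:dir { rw_dir_perms };
allow sagator_t clamd_var_lib_t:file { manage_file_perms };

# spamassassin
# spamd is reached over its TCP port; spamd in turn may traverse the
# chroot root directory.
allow sagator_t spamd_port_t:tcp_socket { name_connect recv_msg send_msg };
allow spamd_t sagator_root_t:dir { getattr search };

# postfix
allow sagator_t port_t:tcp_socket { recv_msg send_msg };
allow sagator_t smtp_port_t:tcp_socket { name_connect recv_msg send_msg };
allow sagator_t lmtp_port_t:tcp_socket { name_connect recv_msg send_msg };

# allow sagator chroot update from package (rpm) update
# relabelfrom on the device directory lets the package scriptlet and
# the init script recreate/relabel the chroot's /dev nodes.
allow rpm_script_t sagator_device_t:chr_file { rw_file_perms };
allow rpm_script_t sagator_device_t:dir { relabelfrom rw_dir_perms };

# allow sagator chroot update from init script
allow initrc_t sagator_device_t:chr_file { rw_file_perms };
allow initrc_t sagator_device_t:dir { relabelfrom rw_dir_perms };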