File: pcp-testsuite.te

package info (click to toggle)
pcp 7.0.5-1
  • links: PTS
  • area: main
  • in suites: forky, sid
  • size: 252,916 kB
  • sloc: ansic: 1,478,844; sh: 177,285; xml: 160,462; cpp: 83,809; python: 24,349; perl: 18,303; yacc: 6,877; lex: 2,864; makefile: 2,694; awk: 165; fortran: 60; java: 52
file content (199 lines) | stat: -rw-r--r-- 13,001 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
 
#
# Additional SELinux policy module for PCP QA ... this is for the
# apps in the QA suite and/or additional apps or libraries (outside
# PCP) that we use in exercising the PMDAs.
#
# This file is using the same form and same optional rule mechanisms
# as pcp.te - all of the hints in src/selinux/README apply here too.
#

policy_module(pcp-testsuite, 2.0.0)

require {
	type user_home_t;
	type hostname_exec_t;
	type pcp_pmcd_t;
	type usr_t;
	type user_tmp_t;

	class file { write };
	class process { execstack signull };
	class capability audit_write;
	class file { create execute execute_no_trans unlink write };
}

#============= pcp_pmcd_t ==============
#

# type=AVC msg=audit(qa/457): avc: denied { write } for pid=PID comm="457.pipe" name="457.pipe.pid" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
allow pcp_pmcd_t user_home_t:file { write };

# type=AVC msg=audit(qa/805): avc: denied { execute execute_no_trans } for  pid=73096 comm="perl" name="805-72044.qshape" dev=DEV ino=INO scontext=unconfined_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
allow pcp_pmcd_t user_tmp_t:file { execute execute_no_trans };

# type=AVC msg=audit(qa/789) avc:  denied  { audit_write } for  pid=1 comm="su" capability=29  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1
# type=AVC msg=audit(qa/789) avc:  denied  { audit_write } for  pid=1 comm="sudo" capability=29  scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=capability permissive=1
allow pcp_pmcd_t self:capability audit_write;

# type=AVC msg=audit(qa/789) avc:  denied  { execstack } for  pid=1 comm="mysqladmin" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=process permissive=1
# type=AVC msg=audit(qa/789) avc:  denied  { execstack } for  pid=1 comm="zmcontrol" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=process permissive=1
allow pcp_pmcd_t self:process execstack;

# type=AVC msg=audit(qa/789) avc:  denied  { create } for  pid=1 comm="sh" name="???" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
# type=AVC msg=audit(qa/789) avc:  denied  { unlink } for  pid=1 comm="zmcontrol" name="???" dev="dm-0" ino=84011089 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
# type=AVC msg=audit(qa/789) avc:  denied  { unlink } for  pid=1 comm="zmcontrol" name="???" dev="dm-0" ino=84011091 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
# type=AVC msg=audit(qa/789) avc:  denied  { write } for  pid=1 comm="sh" name="???" dev="dm-0" ino=84011093 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
# type=AVC msg=audit(qa/789) avc:  denied  { write } for  pid=1 comm="sh" path="/opt/zimbra/data/tmp/zmcontrol.status.61LsA" dev="dm-0" ino=84011089 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
# type=AVC msg=audit(qa/789) avc:  denied  { write } for  pid=1 comm="sh" path="/opt/zimbra/data/tmp/zmcontrol.status.tS7mV" dev="dm-0" ino=84011089 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
allow pcp_pmcd_t usr_t:file { create unlink write };

optional_policy(`
    require {
        class file { map };
    }
    # type=AVC msg=audit(qa/255): avc: denied { map } for pid=PID comm="broken_pmda_2_0" path=".../broken_pmda_2_0" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
    allow pcp_pmcd_t user_home_t:file { map };
    # type=AVC msg=audit(qa/597): avc: denied { map } for pid=PID comm="hostname" path="/usr/bin/hostname" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file permissive=0
    allow pcp_pmcd_t hostname_exec_t:file { map };
')

optional_policy(`
    require {
	type initrc_tmp_t;
    }
    # type=AVC msg=audit(qa/789) avc: denied { add_name } for pid=PID comm="java" name="???" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { remove_name } for pid=PID comm="java" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { remove_name } for pid=PID comm="java" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { write } for pid=PID comm="java" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir permissive=1
    allow pcp_pmcd_t initrc_tmp_t:dir { add_name remove_name write };
    # type=AVC msg=audit(qa/789) avc: denied { create } for pid=PID comm="java" name="???" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { unlink } for pid=PID comm="java" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { unlink } for pid=PID comm="java" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=file permissive=1
    allow pcp_pmcd_t initrc_tmp_t:file { create unlink };
')

optional_policy(`
    require {
	type sudo_exec_t;
    }
    # type=AVC msg=audit(qa/789) avc: denied { execute } for pid=PID comm="zmmailboxdctl" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { execute_no_trans } for  pid=PID comm="zmmailboxdctl" path="/usr/bin/sudo" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=1
    allow pcp_pmcd_t sudo_exec_t:file { execute execute_no_trans };
')

optional_policy(`
    require {
	class security { compute_av };
	type security_t;
    }
    # type=AVC msg=audit(qa/789) avc: denied { compute_av } for pid=PID comm="su" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
    allow pcp_pmcd_t security_t:security { compute_av };
')

optional_policy(`
    require {
	type chkpwd_exec_t;
    }
    # type=AVC msg=audit(qa/789) avc: denied { execute } for pid=PID comm="sudo" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { execute_no_trans } for pid=PID comm="sudo" path="/usr/sbin/unix_chkpwd" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
    allow pcp_pmcd_t chkpwd_exec_t:file { execute execute_no_trans };
')

optional_policy(`
    require {
	type initrc_t;
    }
    # type=AVC msg=audit(qa/789) avc: denied { signull } for pid=PID comm="java" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { signull } for pid=PID comm="ldap" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { signull } for pid=PID comm="zmmailboxdmgr" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process permissive=1
    allow pcp_pmcd_t initrc_t:process { signull };
')

optional_policy(`
    require {
	type var_log_t;
    }
    # type=AVC msg=audit(qa/789) avc: denied { write } for pid=PID comm="zmcontrol" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
    allow pcp_pmcd_t var_log_t:file { write };
')

optional_policy(`
    require {
	type lastlog_t;
    }
    # type=AVC msg=audit(qa/789) avc: denied { write } for pid=PID comm="su" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
    allow pcp_pmcd_t lastlog_t:file { write };
')

optional_policy(`
    require {
	type xauth_exec_t;
    }
    # type=AVC msg=audit(qa/789) avc: denied { execute } for pid=PID comm="su" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:xauth_exec_t:s0 tclass=file permissive=1
    allow pcp_pmcd_t xauth_exec_t:file { execute };
')

optional_policy(`
    require {
	type logrotate_t;
    }
    # type=AVC msg=audit(qa/789) avc: denied { signull } for pid=PID comm="java" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=process permissive=1
    allow logrotate_t pcp_pmcd_t:process { signull };
    # type=AVC msg=audit(qa/789) avc: denied { signull } for pid=PID comm="java" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=process permissive=1
    allow pcp_pmcd_t logrotate_t:process { signull };
')

optional_policy(`
    require {
	class netlink_audit_socket { create nlmsg_relay };
    }
    # type=AVC msg=audit(qa/789) avc: denied { create } for pid=PID comm="sudo" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_audit_socket permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { nlmsg_relay } for pid=PID comm="su" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_audit_socket permissive=1
    allow pcp_pmcd_t self:netlink_audit_socket { create nlmsg_relay };
')

optional_policy(`
    require {
	class netlink_selinux_socket { bind create };
    }
    # type=AVC msg=audit(qa/789) avc: denied { bind } for pid=PID comm="su" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_selinux_socket permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { create } for pid=PID comm="su" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=netlink_selinux_socket permissive=1
    allow pcp_pmcd_t self:netlink_selinux_socket { bind create };
')

optional_policy(`
    require {
	class sock_file { write };
    }
    # type=AVC msg=audit(qa/789) avc: denied { write } for pid=PID comm="mysqladmin" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=sock_file permissive=1
    allow pcp_pmcd_t usr_t:sock_file { write };
')

optional_policy(`
    require {
	class dir { add_name remove_name write };
    }
    # type=AVC msg=audit(qa/789) avc: denied { add_name } for pid=PID comm="sh" name="???" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { remove_name } for pid=PID comm="zmcontrol" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=1
    # type=AVC msg=audit(qa/789) avc: denied { write } for pid=PID comm="sh" name="???" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir permissive=1
    allow pcp_pmcd_t usr_t:dir { add_name remove_name write };
')

optional_policy(`
    require {
        # pmda.netcheck
	class rawip_socket { create getopt setopt read write };
    }
    # type=AVC msg=audit(qa/1160) avc: denied { create } for pid=PID comm="ping" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=rawip_socket permissive=1
    # type=AVC msg=audit(qa/1160) avc: denied { getopt } for pid=PID comm="ping" lport=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=rawip_socket permissive=1
    # type=AVC msg=audit(qa/1160) avc: denied { setopt } for pid=PID comm="ping" lport=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:pcp_pmcd_t:s0 tclass=rawip_socket permissive=1
    allow pcp_pmcd_t self:rawip_socket { create getopt setopt read write };
')

# type=AVC msg=audit(qa/789): avc: denied { write } for pid=PID comm="su" name="btmp" dev=DEV ino=INO scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=0
optional_policy(`
    require {
	type faillog_t;
    }
    allow pcp_pmcd_t faillog_t:file { write };
')