1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41
|
module prelude-correlator 1.0;
require {
type var_run_t;
type device_t;
type proc_t;
type tmp_t;
type http_port_t;
type prelude_correlator_t;
type bin_t;
type var_lib_t;
class sock_file write;
class capability { sys_tty_config ipc_lock };
class dir { write read add_name remove_name search };
class file { read create write getattr unlink open };
class tcp_socket name_connect;
}
#============= prelude_correlator_t ==============
allow prelude_correlator_t bin_t:dir read;
allow prelude_correlator_t bin_t:file getattr;
allow prelude_correlator_t device_t:sock_file write;
allow prelude_correlator_t proc_t:file { read getattr open };
allow prelude_correlator_t self:capability { sys_tty_config ipc_lock };
# This is needed for the correlator to be able to write context files
allow prelude_correlator_t var_lib_t:dir { read write add_name };
allow prelude_correlator_t var_lib_t:file { write read getattr open create };
# Add permissions to write on directory /var/run/ to create the PID file
allow prelude_correlator_t var_run_t:dir { read search write add_name };
allow prelude_correlator_t var_run_t:file { write create open getattr };
# Add a policy to allow downloading .dat files (IP blacklists)
# from the Internet
allow prelude_correlator_t http_port_t:tcp_socket name_connect;
# Add a policy for temporary files
allow prelude_correlator_t tmp_t:dir { write remove_name add_name };
allow prelude_correlator_t tmp_t:file { write create unlink open };
|