1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
module prelude-correlator 1.0;
require {
type var_run_t;
type device_t;
type proc_t;
type tmp_t;
type http_port_t;
type prelude_correlator_t;
type bin_t;
type var_lib_t;
class sock_file write;
class capability { sys_tty_config ipc_lock };
class dir { write read add_name remove_name search };
class file { read create write getattr unlink open };
class tcp_socket name_connect;
}
#============= prelude_correlator_t ==============
allow prelude_correlator_t bin_t:dir read;
allow prelude_correlator_t bin_t:file getattr;
allow prelude_correlator_t device_t:sock_file write;
allow prelude_correlator_t proc_t:file { read getattr open };
allow prelude_correlator_t self:capability { sys_tty_config ipc_lock };
# This is needed for the correlator to be able to write context files
allow prelude_correlator_t var_lib_t:dir { read write add_name };
allow prelude_correlator_t var_lib_t:file { write read getattr open create };
# Add permissions to write on directory /var/run/ to create the PID file
allow prelude_correlator_t var_run_t:dir { read search write add_name };
allow prelude_correlator_t var_run_t:file { write create open getattr };
# Add a policy to allow downloading .dat files (IP blacklists)
# from the Internet
allow prelude_correlator_t http_port_t:tcp_socket name_connect;
# Add a policy for temporary files
allow prelude_correlator_t tmp_t:dir { write remove_name add_name };
allow prelude_correlator_t tmp_t:file { write create unlink open };
|
