policy_module(cyphesis,1.0.0)
########################################
#
# Declarations
#
gen_require(`
type port_t;
type system_dbusd_var_run_t;
type urandom_device_t;
type initrc_su_t;
type krb5_conf_t;
attribute port_type;
')
type cyphesis_port_t, port_type;
type cyphesis_t;
type cyphesis_exec_t;
domain_type(cyphesis_t)
# To disable the transition to the protected domain (which
# effectively disables the policy), use:
# setsebool cyphesis_disable_trans 1
init_daemon_domain(cyphesis_t, cyphesis_exec_t)
# pid files
type cyphesis_var_run_t;
files_pid_file(cyphesis_var_run_t)
# log files
type cyphesis_var_log_t;
logging_log_file(cyphesis_var_log_t)
########################################
#
# cyphesis local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
# Note: /usr/share/selinux/devel/include/support/obj_perm_sets.spt contains
# the definitions of many permissions, such as 'rw_dir_perms'
# Some common macros (you might be able to remove some)
corecmd_dontaudit_search_bin(cyphesis_t)
corecmd_search_bin(cyphesis_t)
corecmd_getattr_bin_files(cyphesis_t)
files_read_usr_files(cyphesis_t)
files_read_etc_files(cyphesis_t)
libs_use_ld_so(cyphesis_t)
libs_use_shared_libs(cyphesis_t)
miscfiles_read_localization(cyphesis_t)
## internal communication is often done using fifo and unix sockets.
allow cyphesis_t self:fifo_file { read write };
allow cyphesis_t self:unix_stream_socket create_stream_socket_perms;
# pid file
allow cyphesis_t cyphesis_var_run_t:file manage_file_perms;
allow cyphesis_t cyphesis_var_run_t:sock_file manage_file_perms;
allow cyphesis_t cyphesis_var_run_t:dir rw_dir_perms;
files_pid_filetrans(cyphesis_t,cyphesis_var_run_t, { file sock_file })
# log files
allow cyphesis_t cyphesis_var_log_t:file create_file_perms;
allow cyphesis_t cyphesis_var_log_t:sock_file create_file_perms;
allow cyphesis_t cyphesis_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(cyphesis_t,cyphesis_var_log_t,{ sock_file file dir })
logging_send_syslog_msg(cyphesis_t)
## Networking basics (adjust to your needs!)
sysnet_dns_name_resolve(cyphesis_t)
corenet_tcp_sendrecv_all_if(cyphesis_t)
corenet_tcp_sendrecv_all_nodes(cyphesis_t)
# NOTE(review): this is a broad grant — by its name it lets the daemon receive
# traffic that carries no SECMARK/IPsec label, on every protocol. Usually
# unavoidable on hosts without labeled networking, but worth revisiting once
# the real traffic shape (TCP on the listen port plus UDP to the metaserver,
# judging by the rules below) is confirmed.
corenet_all_recvfrom_unlabeled(cyphesis_t)
corenet_tcp_bind_all_nodes(cyphesis_t)
allow cyphesis_t self:tcp_socket { listen accept };
# The application expects cyphesis_port_t to be port 13327 (NOTE: the semanage commands below label 6767, 6769 and udp 32771 instead; reconcile the two before relying on this).
# The port is defined using semanage:
# semanage port -a -t cyphesis_port_t -p tcp 6767
# semanage port -a -t cyphesis_port_t -p tcp 6769
# semanage port -a -t cyphesis_port_t -p udp 32771
allow cyphesis_t cyphesis_port_t:tcp_socket { name_bind };
# NOTE(review): send/recv on *all* TCP port types is wider than the bind rule
# above, which is scoped to cyphesis_port_t. If the only TCP traffic is on the
# listen port, corenet_tcp_sendrecv_generic_port() or a rule on
# cyphesis_port_t would be the tighter spelling — confirm what else the
# daemon connects to before narrowing.
corenet_tcp_sendrecv_all_ports(cyphesis_t)
# For communication with the metaserver
allow cyphesis_t port_t:udp_socket { recv_msg send_msg };
# Purpose of the two socket rules below is not yet understood.
allow cyphesis_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow cyphesis_t self:unix_dgram_socket { connect create write };
# Init script handling
init_use_fds(cyphesis_t)
init_use_script_ptys(cyphesis_t)
domain_use_interactive_fds(cyphesis_t)
# Misc rules that are needed. I don't understand the meaning of some
# of these, and for others I don't yet understand why the game needs
# them
kernel_read_kernel_sysctls(cyphesis_t)
term_dontaudit_use_generic_ptys(cyphesis_t)
# cyphesis wants to talk to avahi via dbus
# NOTE(review): the argument here is avahi_t, not cyphesis_t, so this call
# grants avahi's own domain dbus chat with itself and does nothing for this
# module. The cyphesis_t call right below is the intended one; this line
# looks like a leftover and can probably be dropped — confirm.
avahi_dbus_chat(avahi_t)
avahi_dbus_chat(cyphesis_t)
dbus_send_system_bus(cyphesis_t)
postgresql_stream_connect(cyphesis_t)
# NOTE(review): this and the two system_dbusd_var_run_t rules below reach into
# the dbus module's internals; system_dbusd_t is also not declared in the
# gen_require block at the top, so this only compiles if an interface used
# here already pulls it in. refpolicy's dbus_system_bus_client() is the usual
# way to express "connect to the system bus" — use it if this policy version
# has it.
allow cyphesis_t system_dbusd_t:unix_stream_socket connectto;
allow cyphesis_t system_dbusd_var_run_t:dir search;
allow cyphesis_t system_dbusd_var_run_t:sock_file write;
allow cyphesis_t self:process { setsched signal };
files_manage_generic_tmp_files(cyphesis_t)
# NOTE(review): creating the socket directly in generic tmp_t means it shares
# a type with everything else in /tmp. A private cyphesis_tmp_t plus
# files_tmp_filetrans() would keep it confined to this domain. tmp_t is also
# not listed in the gen_require block above (it is presumably pulled in by
# files_manage_generic_tmp_files) — confirm.
allow cyphesis_t tmp_t:sock_file create;
allow cyphesis_t tmp_t:sock_file unlink;
# NOTE(review): per the note near the top about preferring interfaces to raw
# allow rules, dev_read_urand(cyphesis_t) is the refpolicy spelling of this
# and would let the urandom_device_t require be dropped.
allow cyphesis_t urandom_device_t:chr_file { getattr ioctl read };
# NOTE(review): kerberos_read_config(cyphesis_t) is the interface form of this
# rule, if this policy version provides it; it would also remove the need for
# the krb5_conf_t require above.
allow cyphesis_t krb5_conf_t:file { getattr read };
# NOTE(review): proc_t is not declared in the gen_require block above, so this
# rule relies on some interface having required it. kernel_read_system_state()
# is the interface that normally covers reading /proc files — confirm that is
# what the daemon actually needs.
allow cyphesis_t proc_t:file { getattr read };
allow cyphesis_t initrc_su_t:process sigchld;