75 lines
2.3 KiB
Plaintext
75 lines
2.3 KiB
Plaintext
policy_module(wings, 1.0.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type wings_t;
|
|
type wings_exec_t;
|
|
type wings_etc_t;
|
|
type wings_tmp_t;
|
|
init_daemon_domain(wings_t, wings_exec_t, wings_etc_t, wings_tmp_t)
|
|
|
|
permissive wings_t;
|
|
|
|
########################################
|
|
#
|
|
# wings local policy
|
|
#
|
|
allow wings_t self:fifo_file rw_fifo_file_perms;
|
|
allow wings_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow wings_t wings_exec_t:file execmod;
|
|
|
|
allow wings_t container_file_t:file { open read setattr write };
|
|
allow wings_t container_runtime_t:unix_stream_socket connectto;
|
|
allow wings_t container_var_run_t:sock_file write;
|
|
allow wings_t http_cache_port_t:tcp_socket name_bind;
|
|
allow wings_t http_port_t:tcp_socket name_connect;
|
|
allow wings_t node_t:tcp_socket node_bind;
|
|
allow wings_t passwd_file_t:file { open read };
|
|
allow wings_t self:capability { chown dac_override dac_read_search };
|
|
allow wings_t self:netlink_route_socket { bind create getattr nlmsg_read };
|
|
allow wings_t self:process execmem;
|
|
allow wings_t self:tcp_socket { accept bind connect create getattr getopt listen setopt };
|
|
allow wings_t sysctl_net_t:dir search;
|
|
allow wings_t sysctl_net_t:file { open read };
|
|
allow wings_t sysfs_t:file { open read };
|
|
allow wings_t unreserved_port_t:tcp_socket name_bind;
|
|
allow wings_t var_lib_t:dir { read setattr };
|
|
allow wings_t var_lib_t:file { open read };
|
|
allow wings_t var_log_t:file open;
|
|
allow wings_t wings_etc_t:file { getattr lock open read write };
|
|
|
|
domain_use_interactive_fds(wings_t)
|
|
|
|
files_read_etc_files(wings_t)
|
|
|
|
miscfiles_read_localization(wings_t)
|
|
|
|
files_manage_mounttab(wings_t)
|
|
files_rw_var_lib_dirs(wings_t)
|
|
|
|
require {
|
|
type container_file_t;
|
|
type container_runtime_t;
|
|
type container_var_run_t;
|
|
type http_cache_port_t;
|
|
type http_port_t;
|
|
type node_t;
|
|
type passwd_file_t;
|
|
type wings_t;
|
|
type wings_etc_t;
|
|
type sysctl_net_t;
|
|
type sysfs_t;
|
|
type unreserved_port_t;
|
|
type var_lib_t;
|
|
type var_log_t;
|
|
class process execmem;
|
|
class tcp_socket { accept bind connect create getattr getopt listen setopt };
|
|
class capability { chown dac_override dac_read_search };
|
|
class netlink_route_socket { bind create getattr nlmsg_read };
|
|
class file { getattr lock open read setattr write };
|
|
}
|