## <summary>A distributed, collaborative spam detection and filtering network.</summary>
#######################################
## <summary>
## The template to define a razor domain.
## The resulting $1_t gets the razor_domain attribute and is
## entered by executing razor_exec_t.
## </summary>
## <param name="domain_prefix">
## <summary>
## Domain prefix to be used.
## </summary>
## </param>
#
template(`razor_common_domain_template',`
gen_require(`
attribute razor_domain;
type razor_exec_t;
')
########################################
#
# Declarations
#
type $1_t, razor_domain;
domain_type($1_t)
# razor_exec_t is the only entry point into $1_t.
domain_entry_file($1_t, razor_exec_t)
########################################
#
# Policy
#
# Name-service lookups (nsswitch) for the new domain.
auth_use_nsswitch($1_t)
')
########################################
## <summary>
##	Role access for razor.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`razor_role',`
	gen_require(`
		attribute_role razor_roles;
		type razor_t, razor_exec_t, razor_home_t;
		type razor_tmp_t;
	')

	# Let the role be used with the per-user razor_t domain.
	roleattribute $1 razor_roles;

	# Executing razor_exec_t from the user domain transitions into razor_t;
	# the user domain may inspect (ps) and signal the resulting process.
	domtrans_pattern($2, razor_exec_t, razor_t)
	ps_process_pattern($2, razor_t)
	allow $2 razor_t:process signal;

	# Full management plus relabel of razor's per-user home content.
	allow $2 razor_home_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 razor_home_t:file { manage_file_perms relabel_file_perms };
	allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };

	# Same for razor's temporary files (directories and files only;
	# no symlink rule is granted for razor_tmp_t).
	allow $2 razor_tmp_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 razor_tmp_t:file { manage_file_perms relabel_file_perms };

	# A ".razor" directory created in the user home is labelled razor_home_t.
	userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor")
')
########################################
## <summary>
##	Execute razor in the system razor domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`razor_domtrans',`
	gen_require(`
		type system_razor_t, razor_exec_t;
	')

	# Executing razor_exec_t from $1 enters system_razor_t (the system
	# instance, not the per-user razor_t handled by razor_role).
	domtrans_pattern($1, razor_exec_t, system_razor_t)

	# The caller must be able to search bin directories to reach the executable.
	corecmd_search_bin($1)
')
########################################
## <summary>
##	Create, read, write, and delete
##	razor home content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`razor_manage_home_content',`
	gen_require(`
		type razor_home_t;
	')

	# Reach the per-user home directory that holds the razor content.
	userdom_search_user_home_dirs($1)

	# Manage directories, files and symlinks labelled razor_home_t.
	# (The *_pattern forms add dir search, already implied by manage_dir_perms.)
	manage_dirs_pattern($1, razor_home_t, razor_home_t)
	manage_files_pattern($1, razor_home_t, razor_home_t)
	manage_lnk_files_pattern($1, razor_home_t, razor_home_t)
')
########################################
## <summary>
##	Read razor lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`razor_read_lib_files',`
	gen_require(`
		type razor_var_lib_t;
	')

	# Reach /var/lib.
	files_search_var_lib($1)

	# Expansion of read_files_pattern($1, razor_var_lib_t, razor_var_lib_t):
	# search the directories and read the files, with no write or create access.
	allow $1 razor_var_lib_t:dir search_dir_perms;
	allow $1 razor_var_lib_t:file read_file_perms;
')