Your IP : 18.223.156.172
# This file is part of snapd-selinux
# Skeleton derived from Fedora selinux-policy, Copyright (C) 2016 Red Hat, Inc.
# Copyright (C) 2016 Neal Gompa
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Library General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
########################################
## <summary>
## Execute snapd in the snappy domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`snappy_domtrans',`
gen_require(`
type snappy_t, snappy_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, snappy_exec_t, snappy_t)
')
#######################################
## <summary>
## Execute snapd server in the snappy domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`snappy_systemctl',`
gen_require(`
type snappy_t;
type snappy_unit_file_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 snappy_unit_file_t:unix_stream_socket create_stream_socket_perms;
allow $1 snappy_unit_file_t:file read_file_perms;
allow $1 snappy_unit_file_t:service manage_service_perms;
ps_process_pattern($1, snappy_t)
')
########################################
## <summary>
## Permit the reading of snapd config files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to access.
## </summary>
## </param>
#
interface(`snappy_read_config',`
gen_require(`
type snappy_config_t;
')
files_search_etc($1)
allow $1 snappy_config_t:dir list_dir_perms;
allow $1 snappy_config_t:file read_file_perms;
allow $1 snappy_config_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Create snappy content in the user home directory
## with an correct label.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`snappy_filetrans_home_content',`
gen_require(`
type snappy_home_t;
')
userdom_user_home_dir_filetrans($1, snappy_home_t, dir, "snap")
')
########################################
## <summary>
## Read snappy home directory content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`snappy_read_user_home_files',`
gen_require(`
type snappy_home_t;
')
allow $1 snappy_home_t:dir list_dir_perms;
allow $1 snappy_home_t:file read_file_perms;
allow $1 snappy_home_t:lnk_file read_lnk_file_perms;
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Write snappy home directory content
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`snappy_write_user_home_files',`
gen_require(`
type snappy_home_t;
')
write_files_pattern($1, snappy_home_t, snappy_home_t)
userdom_search_user_home_dirs($1)
')
########################################
## <summary>
## Dontaudit attempts to read/write snappy home directory content
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`snappy_dontaudit_rw_user_home_files',`
gen_require(`
type snappy_home_t;
')
dontaudit $1 snappy_home_t:file rw_inherited_file_perms;
')
########################################
## <summary>
## Dontaudit attempts to write snappy home directory content
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`snappy_dontaudit_manage_user_home_files',`
gen_require(`
type snappy_home_t;
')
dontaudit $1 snappy_home_t:dir manage_dir_perms;
dontaudit $1 snappy_home_t:file manage_file_perms;
')
########################################
## <summary>
## Connect to snapd over a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`snappy_stream_connect',`
gen_require(`
type snappy_t, snappy_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, snappy_var_run_t, snappy_var_run_t, snappy_t)
')
#######################################
## <summary>
## All of the rules required to
## administrate a snappy environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`snappy_admin',`
gen_require(`
type snappy_t, snappy_config_t;
type snappy_var_run_t;
')
allow $1 snappy_t:process signal_perms;
ps_process_pattern($1, snappy_t);
admin_pattern($1, snappy_config_t);
files_list_pids($1, snappy_var_run_t);
admin_pattern($1, snappy_var_run_t);
')
########################################
## <summary>
## Execute snappy CLI in the snappy_cli_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`snappy_cli_domtrans',`
gen_require(`
type snappy_cli_t, snappy_cli_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, snappy_cli_exec_t, snappy_cli_t)
')
########################################
## <summary>
## Execute snap-confine in the snappy_confine_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`snappy_confine_domtrans',`
gen_require(`
type snappy_confine_t, snappy_confine_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, snappy_confine_exec_t, snappy_confine_t)
')
########################################
## <summary>
## Execute snap-update-ns, snap-discard-ns in the snappy_mount_t domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`snappy_mount_domtrans',`
gen_require(`
type snappy_mount_t, snappy_mount_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, snappy_mount_exec_t, snappy_mount_t)
')
########################################
## <summary>
## Search snapd state directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`snappy_search_lib',`
gen_require(`
type snappy_var_lib_t;
')
allow $1 snappy_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Read snapd state files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`snappy_read_lib',`
gen_require(`
type snappy_var_lib_t;
')
snappy_search_lib($1)
list_dirs_pattern($1, snappy_var_lib_t, snappy_var_lib_t)
read_files_pattern($1, snappy_var_lib_t, snappy_var_lib_t)
')