
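    1 # SELinux policy module for CFEngine Enterprise
    2 #
    3 # This is a complementary module for the upstream cfengine module [1].
    4 #
    5 # [1] https://github.com/fedora-selinux/selinux-policy-contrib/blob/rawhide/cfengine.te
    6 #
      # It declares the Enterprise-only domains (cfengine_agent_t, cfengine_hub_t,
      # cfengine_postgres_t, cfengine_httpd_t) and adds rules to the daemon domains
      # that the upstream module already declares (cfengine_execd_t,
      # cfengine_monitord_t, cfengine_serverd_t).
    7 module cfengine-enterprise 1.0;
    8 
    9 # 'require' is something like 'import' -- we need to list here all the things
   10 # used in this policy module
      # (types, attributes, roles and object classes with their permissions that
      # are declared elsewhere in the loaded policy). Permission lists in a
      # 'require' are declarations only -- they grant nothing by themselves; the
      # actual grants are the 'allow' rules further down.
   11 require {
   12 	attribute domain;
   13 	attribute entry_type;
   14 	attribute file_type;
   15 	attribute exec_type;
   16 	attribute non_security_file_type;
   17 	attribute non_auth_file_type;
   18 	type bin_t;
   19 	type cert_t;
   20 	type devlog_t;
   21 	type kernel_t;
   22 	type var_t;
   23 	type var_log_t;
   24 	type fs_t;
   25 	type unconfined_t;
   26 	type unreserved_port_t;
   27 	type user_cron_spool_t;
   28 	type cfengine_serverd_t;
   29 	type cfengine_execd_exec_t;
   30 	type net_conf_t;
   31 	type node_t;
   32 	type passwd_file_t;
   33 	type ping_exec_t;
   34 	type proc_t;
   35 	type proc_net_t;
   36 	type proc_xen_t;
   37 	type cfengine_serverd_exec_t;
   38 	type http_port_t;
   39 	type postgresql_port_t;
   40 	type smtp_port_t;
   41 	type ssh_port_t;
   42 	type rpm_exec_t;
   43 	type rpm_var_lib_t;
   44 	type sssd_t;
   45 	type sssd_public_t;
   46 	type sssd_var_lib_t;
   47 	type sysfs_t;
   48 	type sysctl_net_t;
   49 	type system_cron_spool_t;
   50 	type systemd_unit_file_t;
   51 	type hugetlbfs_t;
   52 	type init_exec_t;
   53 	type init_var_run_t;
   54 	type ifconfig_exec_t;
   55 	type journalctl_exec_t;
   56 	type cfengine_execd_t;
   57 	type cfengine_log_t;
   58 	type systemd_systemctl_exec_t;
   59 	type useradd_exec_t;
   60 	type cfengine_monitord_t;
   61 	type dmidecode_exec_t;
   62 	type init_t;
   63 	type cfengine_monitord_exec_t;
   64 	type gpg_exec_t;
   65 	type shadow_t;
   66 	type cfengine_var_lib_t;
   67 	type crontab_exec_t;
   68 	type hostname_exec_t;
   69 	type groupadd_exec_t;
   70 	type shell_exec_t;
   71 	type semanage_exec_t;
   72 	type syslogd_var_run_t;
   73 	type system_dbusd_t;
   74 	type system_dbusd_var_run_t;
   75 	type tmp_t;
   76 	type tmpfs_t;
   77 	role system_r;
      	# Kernel object classes. Most of the socket classes below are never used
      	# by the rules in this module; they are harmless in a 'require' but could
      	# be trimmed.
   78 	class tcp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown name_connect accept listen name_bind node_bind };
   79 	class udp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown node_bind };
   80 	class sock_file { create write setattr unlink };
   81 	class rawip_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   82 	class netlink_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   83 	class packet_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   84 	class unix_stream_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   85 	class unix_dgram_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown sendto };
   86 	class appletalk_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   87 	class netlink_route_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown nlmsg_read };
   88 	class netlink_firewall_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   89 	class netlink_tcpdiag_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   90 	class netlink_nflog_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   91 	class netlink_xfrm_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   92 	class netlink_selinux_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   93 	class netlink_audit_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   94 	class netlink_ip6fw_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   95 	class netlink_dnrt_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   96 	class netlink_kobject_uevent_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   97 	class tun_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   98 	class netlink_iscsi_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
   99 	class netlink_fib_lookup_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  100 	class netlink_connector_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  101 	class netlink_netfilter_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  102 	class netlink_generic_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  103 	class netlink_scsitransport_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  104 	class netlink_rdma_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  105 	class netlink_crypto_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  106 	class sctp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  107 	class icmp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  108 	class ax25_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  109 	class ipx_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  110 	class netrom_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  111 	class atmpvc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  112 	class x25_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  113 	class xdp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  114 	class rose_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  115 	class decnet_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  116 	class atmsvc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  117 	class rds_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  118 	class irda_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  119 	class pppox_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  120 	class llc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  121 	class can_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  122 	class tipc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  123 	class bluetooth_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  124 	class iucv_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  125 	class rxrpc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  126 	class isdn_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  127 	class phonet_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  128 	class ieee802154_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  129 	class caif_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  130 	class alg_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  131 	class nfc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  132 	class vsock_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  133 	class kcm_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  134 	class qipcrtr_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  135 	class smc_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  136 	class bridge_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  137 	class dccp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  138 	class ib_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  139 	class mpls_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown };
  140 	class process { setrlimit transition dyntransition execstack execheap execmem signull };
  141 	class file { execute execute_no_trans getattr ioctl map open read unlink write entrypoint lock link rename append setattr create relabelfrom relabelto };
  142 	class fifo_file { create open getattr setattr read write append rename link unlink ioctl lock relabelfrom relabelto };
  143 	class dir { getattr read search open write add_name remove_name lock ioctl create };
  144 	class filesystem getattr;
  145 	class lnk_file { create getattr read unlink };
  146 	class unix_stream_socket connectto;
      	# 'dbus' is a userspace object class used by the cfengine_httpd_t rules at
      	# the end of this module; declare it explicitly instead of relying on it
      	# being pulled in by a macro expansion.
      	class dbus send_msg;
      	# (duplicate entries 'dac_read_search' and 'sys_nice' removed from this list)
  147 	class capability { dac_read_search sys_module chown dac_override fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_ptrace kill net_bind_service };
  148 	class capability2 { mac_admin mac_override block_suspend syslog compromise_kernel wake_alarm };
  149 	class association { sendto recvfrom setcontext polmatch };
  150 	class security setsecparam;
  151 	class service { start stop status reload enable disable };
  152 	class memprotect mmap_zero;
  153 	class peer recv;
  154 }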
  155 
  156 
  157 #============= cfengine_agent_t =============
  158 # define an *unconfined* domain for the agent (so that it can access/do anything)
      # Security note: after unconfined_domain() below, SELinux no longer restricts
      # cf-agent itself; the remaining MAC control is over *who may enter* this
      # domain, i.e. the type_transition rules in the cfengine_execd_t and
      # cfengine_serverd_t sections of this module.
  159 type cfengine_agent_t;
  160 typeattribute cfengine_agent_t domain;
  161 role system_r types cfengine_agent_t;
  162 
  163 # this is a macro invocation, the file has to be processed with
  164 # make -f /usr/share/selinux/devel/Makefile
  165 unconfined_domain(cfengine_agent_t)
  166 
  167 # /var/cfengine/bin/cf-agent has the 'cfengine_agent_exec_t' context which is an
  168 # entrypoint for the 'cfengine_agent_t' domain
  169 type cfengine_agent_exec_t;
  170 typeattribute cfengine_agent_exec_t entry_type;
  171 typeattribute cfengine_agent_exec_t exec_type;
  172 typeattribute cfengine_agent_exec_t file_type, non_security_file_type, non_auth_file_type;
      # file types carry the object_r role, not the process role system_r
  173 role object_r types cfengine_agent_exec_t;
  174 
      # cf-agent's binary is the entrypoint into the domain; the second rule lets
      # the domain read and map its own executable
  175 allow cfengine_agent_t cfengine_agent_exec_t:file entrypoint;
  176 allow cfengine_agent_t cfengine_agent_exec_t:file { ioctl read getattr lock map execute open };
  177 
  178 
  179 #============= cfengine_execd_t ==============
      # cfengine_execd_t is declared by the upstream cfengine module (it is only
      # 'require'd here); the rules in this section add to what upstream grants.
  180 # allow cf-execd to run cf-agent and make sure the forked process run in the
  181 # unconfined cfengine_agent_t domain
  182 type_transition cfengine_execd_t cfengine_agent_exec_t:process cfengine_agent_t;
  183 allow cfengine_execd_t cfengine_agent_t:process transition;
  184 allow cfengine_execd_t cfengine_agent_exec_t:file { open read execute map getattr };
  185 
  186 # allow cf-execd to use/execute libpromises.so
  187 allow cfengine_execd_t cfengine_var_lib_t:file map;
  188 allow cfengine_execd_t cfengine_var_lib_t:file execute;
  189 
  190 # allow cf-execd to execute cf-promises
      # execute_no_trans: cf-promises runs inside cfengine_execd_t, no domain change
  191 allow cfengine_execd_t cfengine_var_lib_t:file execute_no_trans;
  192 
  193 # TODO: this should not be needed
  194 allow cfengine_execd_t proc_xen_t:dir search;
  195 allow cfengine_execd_t ssh_port_t:tcp_socket name_connect;
  196 
  197 allow cfengine_execd_t cfengine_log_t:file { read unlink write };
  198 allow cfengine_execd_t cfengine_log_t:lnk_file { create getattr read unlink };
  199 allow cfengine_execd_t cfengine_monitord_exec_t:file getattr;
  200 allow cfengine_execd_t cfengine_serverd_exec_t:file getattr;
      # cfengine_hub_exec_t is declared further down in this module
  201 allow cfengine_execd_t cfengine_hub_exec_t:file getattr;
  202 
      # NOTE(review): sys_ptrace is a strong capability (among other things it
      # unlocks reading other processes' /proc entries); confirm cf-execd needs it.
  203 allow cfengine_execd_t self:capability sys_ptrace;
  204 
      # The *_exec_t 'getattr' rules below only permit stat()-ing those binaries;
      # they do not allow executing them.
  205 allow cfengine_execd_t crontab_exec_t:file getattr;
  206 allow cfengine_execd_t dmidecode_exec_t:file getattr;
  207 allow cfengine_execd_t fs_t:filesystem getattr;
  208 allow cfengine_execd_t gpg_exec_t:file getattr;
  209 allow cfengine_execd_t groupadd_exec_t:file getattr;
  210 allow cfengine_execd_t hostname_exec_t:file getattr;
  211 allow cfengine_execd_t init_exec_t:file getattr;
      # connect to a unix stream socket owned by init (systemd)
  212 allow cfengine_execd_t init_t:unix_stream_socket connectto;
  213 allow cfengine_execd_t journalctl_exec_t:file getattr;
  214 allow cfengine_execd_t ping_exec_t:file getattr;
  215 allow cfengine_execd_t proc_net_t:file { getattr open read };
  216 allow cfengine_execd_t rpm_exec_t:file getattr;
  217 allow cfengine_execd_t rpm_var_lib_t:dir search;
  218 allow cfengine_execd_t rpm_var_lib_t:file open;
      # dac_read_search: bypass DAC read/search permission checks
  219 allow cfengine_execd_t self:capability dac_read_search;
      # NOTE(review): this is broader than the other daemons in this module, which
      # get only 'getattr' on shadow_t -- open+read gives cf-execd access to the
      # contents of /etc/shadow. Confirm this is intentional and not a leftover.
  220 allow cfengine_execd_t shadow_t:file { getattr open read };
      # outbound TCP to the SMTP port and to unreserved ports
  221 allow cfengine_execd_t smtp_port_t:tcp_socket name_connect;
  222 allow cfengine_execd_t system_cron_spool_t:dir getattr;
  223 allow cfengine_execd_t systemd_systemctl_exec_t:file getattr;
  224 allow cfengine_execd_t systemd_unit_file_t:dir search;
  225 allow cfengine_execd_t systemd_unit_file_t:file getattr;
  226 allow cfengine_execd_t unreserved_port_t:tcp_socket name_connect;
  227 allow cfengine_execd_t user_cron_spool_t:dir getattr;
  228 allow cfengine_execd_t useradd_exec_t:file getattr;
  229 allow cfengine_execd_t var_t:dir read;
  230 allow cfengine_execd_t semanage_exec_t:file getattr;
  231 
  232 
  233 #============= cfengine_monitord_t ==============
      # cfengine_monitord_t is declared by the upstream cfengine module (only
      # 'require'd here); these rules extend it.
  234 # allow cf-monitord to use/execute libpromises.so
  235 allow cfengine_monitord_t cfengine_var_lib_t:file map;
  236 allow cfengine_monitord_t cfengine_var_lib_t:file execute;
  237 
  238 # allow cf-monitord to execute cf-promises
      # execute_no_trans: cf-promises runs inside cfengine_monitord_t itself
  239 allow cfengine_monitord_t cfengine_var_lib_t:file execute_no_trans;
  240 
      # stat() the other CFEngine binaries (no execute permission is granted here)
  241 allow cfengine_monitord_t cfengine_execd_exec_t:file getattr;
  242 allow cfengine_monitord_t cfengine_serverd_exec_t:file getattr;
  243 allow cfengine_monitord_t cfengine_agent_exec_t:file getattr;
  244 allow cfengine_monitord_t cfengine_hub_exec_t:file getattr;
  245 
      # read-only access to generic log files under /var/log
  246 allow cfengine_monitord_t var_log_t:file { open read };
  247 
      # NOTE(review): dac_override bypasses all DAC permission checks on files,
      # dac_read_search the read/search ones, and sys_ptrace reaches into other
      # processes -- a notable set for a monitoring daemon. Confirm each one is
      # required; dac_override in particular makes dac_read_search redundant.
  248 allow cfengine_monitord_t self:capability { dac_override dac_read_search sys_ptrace };
  249 
      # 'getattr' only: stat()-ing system binaries, not executing them
  250 allow cfengine_monitord_t crontab_exec_t:file getattr;
  251 allow cfengine_monitord_t dmidecode_exec_t:file getattr;
  252 allow cfengine_monitord_t groupadd_exec_t:file getattr;
  253 allow cfengine_monitord_t hostname_exec_t:file getattr;
  254 allow cfengine_monitord_t init_exec_t:file getattr;
  255 allow cfengine_monitord_t journalctl_exec_t:file getattr;
  256 allow cfengine_monitord_t ping_exec_t:file getattr;
  257 allow cfengine_monitord_t rpm_exec_t:file getattr;
  258 allow cfengine_monitord_t shadow_t:file getattr;
  259 allow cfengine_monitord_t systemd_systemctl_exec_t:file getattr;
  260 allow cfengine_monitord_t user_cron_spool_t:dir getattr;
  261 allow cfengine_monitord_t useradd_exec_t:file getattr;
  262 allow cfengine_monitord_t var_t:dir read;
  263 allow cfengine_monitord_t semanage_exec_t:file getattr;
  264 
  265 # TODO: this should not be needed
  266 allow cfengine_monitord_t proc_xen_t:dir search;
  267 
  268 #============= cfengine_serverd_t ==============
      # cfengine_serverd_t is declared by the upstream cfengine module (only
      # 'require'd here); these rules extend it.
  269 # allow cf-serverd to run cf-agent and make sure the forked process run in the
  270 # unconfined cfengine_agent_t domain
      # NOTE(review): unlike the equivalent cfengine_execd_t rule, this one also
      # grants execute_no_trans, i.e. cf-agent may be run *inside*
      # cfengine_serverd_t without transitioning to cfengine_agent_t. If only the
      # transition path is wanted, execute_no_trans can probably be dropped.
  271 allow cfengine_serverd_t cfengine_agent_exec_t:file { open read execute execute_no_trans map getattr };
  272 type_transition cfengine_serverd_t cfengine_agent_exec_t:process cfengine_agent_t;
  273 allow cfengine_serverd_t cfengine_agent_t:process transition;
  274 
  275 # allow cf-serverd to use/execute libpromises.so
  276 allow cfengine_serverd_t cfengine_var_lib_t:file map;
  277 allow cfengine_serverd_t cfengine_var_lib_t:file execute;
  278 
  279 # allow cf-serverd to execute cf-promises
      # execute_no_trans: cf-promises runs inside cfengine_serverd_t itself
  280 allow cfengine_serverd_t cfengine_var_lib_t:file execute_no_trans;
  281 
  282 # allow cf-serverd to connect in case of call-collect
      # outbound TCP to any unreserved port
  283 allow cfengine_serverd_t unreserved_port_t:tcp_socket name_connect;
  284 
  285 # TODO: this should not be needed
  286 allow cfengine_serverd_t proc_xen_t:dir search;
  287 allow cfengine_serverd_t ssh_port_t:tcp_socket name_connect;
  288 
      # stat() the other CFEngine binaries and the log symlink (no execute)
  289 allow cfengine_serverd_t cfengine_execd_exec_t:file getattr;
  290 allow cfengine_serverd_t cfengine_monitord_exec_t:file getattr;
  291 allow cfengine_serverd_t cfengine_hub_exec_t:file getattr;
  292 allow cfengine_serverd_t cfengine_log_t:lnk_file getattr;
  293 
      # 'getattr' only on system binaries: stat(), not execute
  294 allow cfengine_serverd_t crontab_exec_t:file getattr;
  295 allow cfengine_serverd_t dmidecode_exec_t:file getattr;
  296 allow cfengine_serverd_t fs_t:filesystem getattr;
  297 allow cfengine_serverd_t groupadd_exec_t:file getattr;
  298 allow cfengine_serverd_t hostname_exec_t:file getattr;
  299 allow cfengine_serverd_t init_exec_t:file getattr;
      # read init's (systemd's) /proc entries
  300 allow cfengine_serverd_t init_t:dir read;
  301 allow cfengine_serverd_t init_t:file { getattr open read };
  302 allow cfengine_serverd_t journalctl_exec_t:file getattr;
  303 allow cfengine_serverd_t ping_exec_t:file getattr;
  304 allow cfengine_serverd_t proc_net_t:file { getattr open read };
  305 allow cfengine_serverd_t rpm_exec_t:file getattr;
  306 allow cfengine_serverd_t self:process setrlimit;
      # listening socket: accept/listen here plus name_bind on unreserved_port_t
      # below, so cf-serverd may listen on any unreserved TCP port
  307 allow cfengine_serverd_t self:tcp_socket { accept listen };
  308 allow cfengine_serverd_t shadow_t:file getattr;
  309 allow cfengine_serverd_t systemd_systemctl_exec_t:file getattr;
  310 allow cfengine_serverd_t unreserved_port_t:tcp_socket name_bind;
  311 allow cfengine_serverd_t user_cron_spool_t:dir getattr;
  312 allow cfengine_serverd_t useradd_exec_t:file getattr;
  313 allow cfengine_serverd_t var_t:dir read;
  314 allow cfengine_serverd_t semanage_exec_t:file getattr;
  315 
  316 
  317 #============= cfengine_hub_t ==============
      # Confined domain for cf-hub (Enterprise-only; declared in this module).
  318 type cfengine_hub_t;
  319 typeattribute cfengine_hub_t domain;
  320 role system_r types cfengine_hub_t;
  321 
  322 # /var/cfengine/bin/cf-hub has the 'cfengine_hub_exec_t' context which is an
  323 # entrypoint for the 'cfengine_hub_t' domain
  324 type cfengine_hub_exec_t;
  325 typeattribute cfengine_hub_exec_t entry_type;
  326 typeattribute cfengine_hub_exec_t exec_type;
  327 typeattribute cfengine_hub_exec_t file_type, non_security_file_type, non_auth_file_type;
  328 role object_r types cfengine_hub_exec_t;
  329 
      # cf-hub is started by init (systemd) and transitions into cfengine_hub_t.
      # NOTE(review): the matching cfengine_httpd_t rule also grants init_t
      # 'getattr' on the executable; presumably harmless here, but inconsistent.
  330 type_transition init_t cfengine_hub_exec_t:process cfengine_hub_t;
  331 allow init_t cfengine_hub_t:process transition;
  332 allow init_t cfengine_hub_exec_t:file { execute open read };
  333 
  334 allow cfengine_hub_t cfengine_hub_exec_t:file entrypoint;
  335 allow cfengine_hub_t cfengine_hub_exec_t:file { ioctl read getattr lock map execute open };
  336 
  337 # allow cf-hub to use/execute libpromises.so
  338 allow cfengine_hub_t cfengine_var_lib_t:file map;
  339 allow cfengine_hub_t cfengine_var_lib_t:file execute;
  340 allow cfengine_hub_t cfengine_var_lib_t:file { getattr open read };
  341 
      # stat() the other CFEngine binaries (no execute)
  342 allow cfengine_hub_t cfengine_agent_exec_t:file getattr;
  343 allow cfengine_hub_t cfengine_execd_exec_t:file getattr;
  344 allow cfengine_hub_t cfengine_monitord_exec_t:file getattr;
  345 allow cfengine_hub_t cfengine_serverd_exec_t:file getattr;
  346 
      # talk to cf-postgres over its unix socket (cfengine_postgres_t is declared
      # further down) and make outbound TCP connections to unreserved ports
  347 allow cfengine_hub_t cfengine_postgres_t:unix_stream_socket connectto;
  348 allow cfengine_hub_t unreserved_port_t:tcp_socket name_connect;
  349 
      # read/write access to the hub's own state under cfengine_var_lib_t;
      # note that the same type is also mapped/executed above (libpromises.so)
  350 allow cfengine_hub_t cfengine_log_t:dir getattr;
  351 allow cfengine_hub_t cfengine_var_lib_t:dir { add_name getattr open read search write remove_name };
  352 allow cfengine_hub_t cfengine_var_lib_t:file { create ioctl lock write unlink };
  353 allow cfengine_hub_t cfengine_var_lib_t:lnk_file { getattr read };
  354 allow cfengine_hub_t cfengine_var_lib_t:sock_file { create unlink };
  355 
      # NOTE(review): execute_no_trans on bin_t means cf-hub may run any system
      # binary inside its own domain; together with the shell_exec_t rules under
      # the TODO at the end of this section this makes cfengine_hub_t a fairly
      # permissive domain. Prefer dedicated transitions if the set of helpers is
      # known.
  356 allow cfengine_hub_t bin_t:file map;
  357 allow cfengine_hub_t bin_t:file { execute execute_no_trans };
      # read certificates (cert_t)
  358 allow cfengine_hub_t cert_t:dir search;
  359 allow cfengine_hub_t cert_t:file { getattr open read };
  360 allow cfengine_hub_t crontab_exec_t:file getattr;
      # write to the syslog socket
  361 allow cfengine_hub_t devlog_t:lnk_file read;
  362 allow cfengine_hub_t devlog_t:sock_file write;
  363 allow cfengine_hub_t dmidecode_exec_t:file getattr;
  364 allow cfengine_hub_t fs_t:filesystem getattr;
  365 allow cfengine_hub_t groupadd_exec_t:file getattr;
  366 allow cfengine_hub_t hostname_exec_t:file getattr;
  367 allow cfengine_hub_t init_exec_t:file getattr;
      # read init's (systemd's) /proc entries
  368 allow cfengine_hub_t init_t:dir { getattr open read search };
  369 allow cfengine_hub_t init_t:file { getattr open read };
  370 allow cfengine_hub_t init_t:unix_stream_socket ioctl;
  371 allow cfengine_hub_t init_var_run_t:dir search;
  372 allow cfengine_hub_t journalctl_exec_t:file getattr;
  373 allow cfengine_hub_t kernel_t:unix_dgram_socket sendto;
  374 allow cfengine_hub_t net_conf_t:file { getattr open read };
  375 allow cfengine_hub_t passwd_file_t:file { getattr open read };
  376 allow cfengine_hub_t ping_exec_t:file getattr;
  377 allow cfengine_hub_t proc_net_t:file { getattr open read };
  378 allow cfengine_hub_t proc_t:dir read;
  379 allow cfengine_hub_t rpm_exec_t:file getattr;
      # NOTE(review): dac_override bypasses all DAC file permission checks;
      # confirm cf-hub cannot do with plain ownership what it needs this for.
  380 allow cfengine_hub_t self:capability dac_override;
  381 allow cfengine_hub_t self:tcp_socket { connect create getopt setopt };
  382 allow cfengine_hub_t self:udp_socket { connect create getattr ioctl setopt };
  383 allow cfengine_hub_t self:netlink_route_socket { create getopt setopt bind getattr };
  384 allow cfengine_hub_t self:unix_dgram_socket { create connect };
  385 allow cfengine_hub_t semanage_exec_t:file getattr;
  386 allow cfengine_hub_t shadow_t:file getattr;
      # name-service lookups through sssd (public cache files and its socket)
  387 allow cfengine_hub_t sssd_public_t:dir search;
  388 allow cfengine_hub_t sssd_public_t:file map;
  389 allow cfengine_hub_t sssd_public_t:file { getattr open read };
  390 allow cfengine_hub_t sssd_t:unix_stream_socket connectto;
  391 allow cfengine_hub_t sssd_var_lib_t:dir search;
  392 allow cfengine_hub_t sssd_var_lib_t:sock_file write;
  393 allow cfengine_hub_t sysctl_net_t:dir search;
  394 allow cfengine_hub_t sysfs_t:dir read;
  395 allow cfengine_hub_t sysfs_t:file { getattr open read };
  396 allow cfengine_hub_t syslogd_var_run_t:dir search;
  397 allow cfengine_hub_t systemd_systemctl_exec_t:file getattr;
  398 allow cfengine_hub_t tmp_t:sock_file write;
  399 allow cfengine_hub_t user_cron_spool_t:dir getattr;
  400 allow cfengine_hub_t useradd_exec_t:file getattr;
  401 allow cfengine_hub_t var_t:dir read;
  402 
  403 # TODO: these should not be needed
      # (see also the bin_t note above: shell_exec_t with execute_no_trans lets
      # cf-hub run a shell inside its own domain)
  404 allow cfengine_hub_t ifconfig_exec_t:file { execute execute_no_trans open read getattr map };
  405 allow cfengine_hub_t shell_exec_t:file map;
  406 allow cfengine_hub_t shell_exec_t:file { execute execute_no_trans };
  407 allow cfengine_hub_t proc_xen_t:dir search;
  408 
  409 
  410 #============= cfengine_postgres_t ==============
      # Confined domain for the bundled PostgreSQL (cf-postgres); declared here.
  411 type cfengine_postgres_t;
  412 typeattribute cfengine_postgres_t domain;
  413 role system_r types cfengine_postgres_t;
  414 
  415 # /var/cfengine/bin/cf-postgres has the 'cfengine_postgres_exec_t' context which is an
  416 # entrypoint for the 'cfengine_postgres_t' domain
  417 type cfengine_postgres_exec_t;
  418 typeattribute cfengine_postgres_exec_t entry_type;
  419 typeattribute cfengine_postgres_exec_t exec_type;
  420 typeattribute cfengine_postgres_exec_t file_type, non_security_file_type, non_auth_file_type;
  421 role object_r types cfengine_postgres_exec_t;
  422 
      # started by init (systemd), transitioning into cfengine_postgres_t
  423 type_transition init_t cfengine_postgres_exec_t:process cfengine_postgres_t;
  424 allow init_t cfengine_postgres_t:process transition;
  425 allow init_t cfengine_postgres_exec_t:file { execute open read };
  426 
  427 allow cfengine_postgres_t cfengine_postgres_exec_t:file entrypoint;
  428 allow cfengine_postgres_t cfengine_postgres_exec_t:file { ioctl read getattr lock map execute open };
  429 
  430 # TODO: Why are 'map', 'execute' and 'execute_no_trans' needed for postgres?
      # NOTE(review): the rule below grants create/write *and* execute/
      # execute_no_trans on the same type, so any file the database process can
      # write under cfengine_var_lib_t is also something it may execute in its
      # own domain. If the executable bits are only needed for shared libraries,
      # labelling those with a separate type would let the data files stay
      # non-executable.
  431 allow cfengine_postgres_t cfengine_var_lib_t:file map;
  432 allow cfengine_postgres_t cfengine_var_lib_t:file { create execute execute_no_trans getattr link open read rename unlink write };
  433 
  434 allow cfengine_postgres_t cfengine_var_lib_t:dir { add_name getattr open read remove_name search write };
  435 
      # listen on the standard PostgreSQL port
  436 allow cfengine_postgres_t postgresql_port_t:tcp_socket name_bind;
  437 
      # hugetlbfs mappings -- presumably for shared memory / huge pages, verify
  438 allow cfengine_postgres_t hugetlbfs_t:file map;
  439 allow cfengine_postgres_t hugetlbfs_t:file { read write };
  440 allow cfengine_postgres_t init_t:unix_stream_socket { getattr ioctl };
  441 allow cfengine_postgres_t net_conf_t:file { getattr open read };
      # bind to local node addresses for TCP and UDP sockets
  442 allow cfengine_postgres_t node_t:tcp_socket node_bind;
  443 allow cfengine_postgres_t node_t:udp_socket node_bind;
  444 allow cfengine_postgres_t proc_t:file { getattr open read };
  445 allow cfengine_postgres_t self:netlink_route_socket { bind create getattr nlmsg_read };
  446 allow cfengine_postgres_t self:tcp_socket { bind create listen setopt };
  447 allow cfengine_postgres_t self:udp_socket { bind connect create getattr getopt };
      # name-service lookups through sssd (public cache files and its socket)
  448 allow cfengine_postgres_t sssd_public_t:dir search;
  449 allow cfengine_postgres_t sssd_public_t:file map;
  450 allow cfengine_postgres_t sssd_public_t:file { getattr open read };
  451 allow cfengine_postgres_t sssd_var_lib_t:sock_file write;
  452 allow cfengine_postgres_t sssd_var_lib_t:dir search;
  453 allow cfengine_postgres_t sssd_t:unix_stream_socket connectto;
      # temporary files and the unix socket under tmp_t / tmpfs_t
  454 allow cfengine_postgres_t tmp_t:dir { add_name write remove_name };
  455 allow cfengine_postgres_t tmp_t:file { create write unlink };
  456 allow cfengine_postgres_t tmp_t:sock_file { create setattr unlink write };
  457 allow cfengine_postgres_t tmpfs_t:dir { add_name write remove_name };
  458 allow cfengine_postgres_t tmpfs_t:file { create open read write map unlink };
  459 allow cfengine_postgres_t tmpfs_t:filesystem getattr;
      # append-only logging into generic var_log_t files
  460 allow cfengine_postgres_t var_log_t:file { append open };
  461 
  462 # Needed for systemd to be able to check PostgreSQL's PID file
      # (init gets unlink/remove_name as well, i.e. it may delete files there)
  463 allow init_t cfengine_var_lib_t:dir { read remove_name write };
  464 allow init_t cfengine_var_lib_t:file { getattr open read unlink };
  465 
  466 # TODO: these should not be needed
      # (execute_no_trans on shell_exec_t lets the database process run a shell
      # inside its own domain)
  467 allow cfengine_postgres_t shell_exec_t:file map;
  468 allow cfengine_postgres_t shell_exec_t:file { execute execute_no_trans };
  469 
  470 
  471 #============= cfengine_httpd_t ==============
      # Confined domain for the bundled web server (cf-httpd); declared here.
      # This is the network-facing component, so its rules deserve the closest look.
  472 type cfengine_httpd_t;
  473 typeattribute cfengine_httpd_t domain;
  474 role system_r types cfengine_httpd_t;
  475 
  476 # /var/cfengine/bin/cf-httpd has the 'cfengine_httpd_exec_t' context which is an
  477 # entrypoint for the 'cfengine_httpd_t' domain
  478 type cfengine_httpd_exec_t;
  479 typeattribute cfengine_httpd_exec_t entry_type;
  480 typeattribute cfengine_httpd_exec_t exec_type;
  481 typeattribute cfengine_httpd_exec_t file_type, non_security_file_type, non_auth_file_type;
  482 role object_r types cfengine_httpd_exec_t;
  483 
      # started by init (systemd), transitioning into cfengine_httpd_t
  484 type_transition init_t cfengine_httpd_exec_t:process cfengine_httpd_t;
  485 allow init_t cfengine_httpd_t:process transition;
  486 allow init_t cfengine_httpd_exec_t:file { execute getattr open read };
  487 
  488 allow cfengine_httpd_t cfengine_httpd_exec_t:file entrypoint;
  489 allow cfengine_httpd_t cfengine_httpd_exec_t:file { ioctl read getattr lock map execute open };
  490 
      # read TLS certificates (cert_t)
  491 allow cfengine_httpd_t cert_t:dir search;
  492 allow cfengine_httpd_t cert_t:file { getattr open read };
  493 allow cfengine_httpd_t cert_t:lnk_file read;
      # re-exec its own binary without a domain transition
  494 allow cfengine_httpd_t cfengine_httpd_exec_t:file execute_no_trans;
      # talk to cf-postgres over its unix socket
  495 allow cfengine_httpd_t cfengine_postgres_t:unix_stream_socket connectto;
  496 
  497 # allow httpd to use our custom compiled module
      # NOTE(review): the rule below combines create/write/rename with execute on
      # the same type, so files the web server writes under cfengine_var_lib_t
      # are also executable by it. If 'execute' is only needed for the module
      # (.so), a dedicated library type would keep the writable data
      # non-executable.
  498 allow cfengine_httpd_t cfengine_var_lib_t:file map;
  499 allow cfengine_httpd_t cfengine_var_lib_t:file { append create execute getattr ioctl lock open read setattr unlink write rename };
  500 
  501 allow cfengine_httpd_t cfengine_var_lib_t:dir { add_name getattr open read remove_name search write create };
  502 allow cfengine_httpd_t cfengine_var_lib_t:lnk_file read;
  503 
      # syslog socket
  504 allow cfengine_httpd_t devlog_t:lnk_file read;
  505 allow cfengine_httpd_t devlog_t:sock_file write;
      # listen on, and connect to, the HTTP port(s)
  506 allow cfengine_httpd_t http_port_t:tcp_socket { name_bind name_connect };
  507 allow cfengine_httpd_t init_t:dbus send_msg;
  508 allow cfengine_httpd_t init_t:unix_stream_socket { getattr ioctl };
  509 allow cfengine_httpd_t init_var_run_t:dir search;
  510 allow cfengine_httpd_t kernel_t:unix_dgram_socket sendto;
  511 allow cfengine_httpd_t net_conf_t:file { getattr open read };
  512 allow cfengine_httpd_t node_t:tcp_socket node_bind;
      # NOTE(review): setuid/setgid are expected for a server that drops
      # privileges after binding (net_bind_service); dac_override and
      # dac_read_search bypass DAC checks entirely and 'kill' allows signalling
      # arbitrary processes -- confirm the last three are needed.
  513 allow cfengine_httpd_t self:capability { dac_override dac_read_search kill net_bind_service setgid setuid };
  514 allow cfengine_httpd_t self:netlink_route_socket { bind create getattr nlmsg_read };
      # NOTE(review): execmem permits anonymous memory that is both writable and
      # executable, which weakens W^X for a network-facing process. Identify the
      # component that needs it (e.g. a JIT) and confirm it cannot be avoided.
  515 allow cfengine_httpd_t self:process execmem;
  516 allow cfengine_httpd_t unconfined_t:process signull;
  517 allow cfengine_httpd_t self:tcp_socket { accept bind connect create getattr getopt listen setopt shutdown };
  518 allow cfengine_httpd_t self:udp_socket { connect create getattr };
  519 allow cfengine_httpd_t self:unix_dgram_socket { connect create };
      # name-service lookups through sssd (public cache files and its socket)
  520 allow cfengine_httpd_t sssd_public_t:dir search;
  521 allow cfengine_httpd_t sssd_public_t:file map;
  522 allow cfengine_httpd_t sssd_public_t:file { getattr open read };
  523 allow cfengine_httpd_t sssd_t:unix_stream_socket connectto;
  524 allow cfengine_httpd_t sssd_var_lib_t:dir search;
  525 allow cfengine_httpd_t sssd_var_lib_t:sock_file write;
  526 allow cfengine_httpd_t syslogd_var_run_t:dir search;
  527 allow cfengine_httpd_t tmp_t:sock_file write;
  528 
  529 # Bidirectional DBus communication between httpd and systemd
      # (the 'dbus' class must be available to this module -- it is a userspace
      # class, so make sure it is covered by the 'require' block)
  530 allow cfengine_httpd_t system_dbusd_t:dbus send_msg;
  531 allow cfengine_httpd_t system_dbusd_t:unix_stream_socket connectto;
  532 allow cfengine_httpd_t system_dbusd_var_run_t:dir search;
  533 allow cfengine_httpd_t system_dbusd_var_run_t:sock_file write;
  534 allow init_t cfengine_httpd_t:dbus send_msg;
  535 
  536 # TODO: these should not be needed
      # (execute_no_trans on shell_exec_t lets the web server run a shell inside
      # its own domain; passwd_file_t is /etc/passwd, world-readable anyway)
  537 allow cfengine_httpd_t passwd_file_t:file { getattr open read };
  538 allow cfengine_httpd_t shell_exec_t:file map;
  539 allow cfengine_httpd_t shell_exec_t:file { execute execute_no_trans };