# NOTE(review): the module is declared as "passanger" while every type in this
# file is spelled "passenger_*"; confirm the name matches the .te filename, since
# policy tooling can reject or warn on a module/file name mismatch.
policy_module(passanger,1.0.0)
########################################
#
# Declarations
#
# Process domain the passenger service runs in (turned into a domain by
# domain_type below).
type passenger_t;
# Type of the executable that serves as the entry point into passenger_t
# (wired up by domain_entry_file below).
type passenger_exec_t;
# Make passenger_t a process domain (attaches the domain attribute).
domain_type(passenger_t)
# Allow files labeled passenger_exec_t to be executed as an entry point into
# passenger_t.
domain_entry_file(passenger_t, passenger_exec_t)
# Authorize the system role for this domain so init-started services can
# transition into it.
role system_r types passenger_t;
# Type for passenger's temporary files.
type passenger_tmp_t;
# Mark it as a tmp file type.
# NOTE(review): none of the rules visible in this file grant passenger_t access
# to passenger_tmp_t or add a tmp filetrans for it, so the type is currently
# declared but unused — confirm whether it is still wanted.
files_tmp_file(passenger_tmp_t)
# Type for the state passenger keeps under /var/lib (reached via the
# files_search_var_lib rule below).
type passenger_var_lib_t;
# Give it the generic persistent-file attribute.
files_type(passenger_var_lib_t)
# Type for runtime files (pid files, sockets) passenger creates in the pid
# directory.
type passenger_var_run_t;
# Mark it as a pid-file type.
files_pid_file(passenger_var_run_t)
# NOTE(review): permissive mode — AVC denials for passenger_t are logged but
# not enforced, so none of the allow rules below actually confine the daemon.
# This is appropriate only while the policy is being developed; remove it once
# the rule set is complete so the domain is really enforced.
permissive passenger_t;
########################################
#
# passenger local policy
#
# Capabilities: dac_override bypasses file permission checks, fowner/fsetid
# bypass owner and setgid-clearing checks, chown changes ownership, and
# setuid/setgid let the daemon switch or drop its uid/gid.
# NOTE(review): dac_override in particular is broad; confirm each capability is
# really triggered by the daemon before the domain leaves permissive mode.
allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid };
# May send signals to processes in its own domain.
allow passenger_t self:process signal;
# Read and write its own pipes.
allow passenger_t self:fifo_file rw_fifo_file_perms;
# Create UNIX stream sockets and connect to listeners in its own domain
# (connectto is what permits the connect, not just socket creation).
allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
# Search /var/lib so the passenger_var_lib_t rules below are reachable.
files_search_var_lib(passenger_t)
# Full directory management inside its /var/lib state.
manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
# Full file management inside its /var/lib state.
manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
# Runtime directory: create/remove/rename directories of its own run type.
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
# Runtime directory: manage regular files (e.g. the pid file) of its run type.
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
# Runtime directory: manage named pipes of its run type.
manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
# Runtime directory: manage UNIX socket files of its run type.
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
# Files, directories and sockets passenger creates in the pid directory are
# automatically labeled passenger_var_run_t (no fifo_file here, although fifos
# of that type are managed above — confirm whether that is intentional).
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
# Read system state from /proc.
kernel_read_system_state(passenger_t)
# Read kernel sysctl values.
kernel_read_kernel_sysctls(passenger_t)
# Outbound TCP connections to ports labeled as HTTP ports.
# NOTE(review): no bind/listen rule is visible in this file; if the daemon
# itself listens on a TCP port, a corresponding corenet bind rule will be
# needed once the domain is enforcing.
corenet_tcp_connect_http_port(passenger_t)
# Execute general system binaries without a domain transition.
corecmd_exec_bin(passenger_t)
# Execute shells in-domain; presumably needed to spawn application processes —
# confirm, since it widens what a compromised daemon can run under this label.
corecmd_exec_shell(passenger_t)
# Read /dev/urandom.
dev_read_urand(passenger_t)
# Read generic configuration under /etc.
files_read_etc_files(passenger_t)
# Name-service lookups (users, groups, hosts) through nsswitch.
auth_use_nsswitch(passenger_t)
# Read locale data.
miscfiles_read_localization(passenger_t)
# Silence (rather than allow) denials for access to user terminals.
userdom_dontaudit_use_user_terminals(passenger_t)
# Rules below only take effect when the apache module is loaded.
optional_policy(`
	# Append-only access to httpd log files.
	apache_append_log(passenger_t)
	# Read httpd system content.
	apache_read_sys_content(passenger_t)
')