Chris PeBenito 0fbfa5
#DESC Checkpolicy - SELinux policy compliler
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Authors:  Frank Mayer, mayerf@tresys.com
Chris PeBenito 0fbfa5
# X-Debian-Packages: checkpolicy
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
###########################
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# checkpolicy_t is the domain type for checkpolicy
Chris PeBenito 0fbfa5
# checkpolicy_exec_t if file type for the executable
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
type checkpolicy_t, domain;
Chris PeBenito 0fbfa5
role sysadm_r types checkpolicy_t;
Chris PeBenito 0fbfa5
role system_r types checkpolicy_t;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
type checkpolicy_exec_t, file_type, exec_type, sysadmfile;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##########################
Chris PeBenito 0fbfa5
# 
Chris PeBenito 0fbfa5
# Rules
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# able to create and modify binary policy files
Chris PeBenito 0fbfa5
allow checkpolicy_t policy_config_t:dir rw_dir_perms;
Chris PeBenito 0fbfa5
allow checkpolicy_t policy_config_t:file create_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
###########################
Chris PeBenito 0fbfa5
# constrain what checkpolicy can use as source files
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# only allow read of policy source files
Chris PeBenito 0fbfa5
allow checkpolicy_t policy_src_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow checkpolicy_t policy_src_t:{ file lnk_file } r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow test policies to be created in src directories
Chris PeBenito 0fbfa5
file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# directory search permissions for path to source and binary policy files
Chris PeBenito 0fbfa5
allow checkpolicy_t root_t:dir search;
Chris PeBenito 0fbfa5
allow checkpolicy_t etc_t:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Read the devpts root directory.  
Chris PeBenito 0fbfa5
allow checkpolicy_t devpts_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
ifdef(`sshd.te',
Chris PeBenito 0fbfa5
`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Other access
Chris PeBenito 0fbfa5
allow checkpolicy_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
Chris PeBenito 0fbfa5
uses_shlib(checkpolicy_t)
Chris PeBenito 0fbfa5
allow checkpolicy_t self:capability dac_override;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
##########################
Chris PeBenito 0fbfa5
# Allow users to execute checkpolicy without a domain transition
Chris PeBenito 0fbfa5
# so it can be used without privilege to write real binary policy file
Chris PeBenito 0fbfa5
can_exec(unpriv_userdomain, checkpolicy_exec_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow checkpolicy_t { userdomain privfd }:fd use;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow checkpolicy_t fs_t:filesystem getattr;
Chris PeBenito 0fbfa5
allow checkpolicy_t console_device_t:chr_file { read write };
Chris PeBenito 0fbfa5
allow checkpolicy_t init_t:fd use;
Chris PeBenito 0fbfa5
allow checkpolicy_t selinux_config_t:dir search;