policy_module(passanger,1.0.0) ######################################## # # Declarations # type passenger_t; type passenger_exec_t; domain_type(passenger_t) domain_entry_file(passenger_t, passenger_exec_t) role system_r types passenger_t; type passenger_tmp_t; files_tmp_file(passenger_tmp_t) type passenger_var_lib_t; files_type(passenger_var_lib_t) type passenger_state_t; files_pid_file(passenger_state_t) permissive passenger_t; ######################################## # # passanger local policy # allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid }; allow passenger_t self:process signal; allow passenger_t self:fifo_file rw_fifo_file_perms; allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto }; manage_dirs_pattern(passenger_t, passenger_state_t, passenger_state_t) manage_files_pattern(passenger_t, passenger_state_t, passenger_state_t) manage_fifo_files_pattern(passenger_t, passenger_state_t, passenger_state_t) manage_sock_files_pattern(passenger_t, passenger_state_t, passenger_state_t) files_search_var_lib(passenger_t) manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t) kernel_read_system_state(passenger_t) kernel_read_kernel_sysctls(passenger_t) corenet_tcp_connect_http_port(passenger_t) corecmd_exec_bin(passenger_t) corecmd_exec_shell(passenger_t) dev_read_urand(passenger_t) files_read_etc_files(passenger_t) auth_use_nsswitch(passenger_t) miscfiles_read_localization(passenger_t) userdom_dontaudit_use_user_terminals(passenger_t) optional_policy(` apache_append_log(passenger_t) apache_read_sys_content(passenger_t) ')