Oreon-Lime-R2/selinux-policy/selinux-policy-d9f4a2b/selinux-policy-d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455/policy/modules/contrib/conntrackd.te


# SELinux policy module for conntrackd, the netfilter connection-tracking
# userspace daemon (state synchronisation between firewall nodes).
policy_module(conntrackd, 1.0.0)
########################################
#
# Declarations
#
# Process domain of the daemon and the entrypoint type of its executable;
# init_daemon_domain declares conntrackd_t as an init-started daemon domain.
type conntrackd_t;
type conntrackd_exec_t;
init_daemon_domain(conntrackd_t, conntrackd_exec_t)
# Configuration files; the local policy grants the daemon read access only.
type conntrackd_conf_t;
files_config_file(conntrackd_conf_t)
# SysV init script and systemd unit file for starting the service.
type conntrackd_initrc_exec_t;
init_script_file(conntrackd_initrc_exec_t)
type conntrackd_unit_file_t;
systemd_unit_file(conntrackd_unit_file_t)
# Daemon-owned objects: log files, runtime (PID / control socket) data
# and lock files, each with its own type so other domains cannot be
# granted access to them by accident.
type conntrackd_log_t;
logging_log_file(conntrackd_log_t)
type conntrackd_var_run_t;
files_pid_file(conntrackd_var_run_t)
type conntrackd_var_lock_t;
files_lock_file(conntrackd_var_lock_t)
########################################
#
# Local policy
#
# Permissions on the daemon's own domain (self).
# net_admin is what the netfilter/conntrack netlink interface typically
# requires; sys_nice + setsched let the daemon change its own scheduling.
allow conntrackd_t self:capability { sys_nice net_admin };
# NOTE(review): CAP_BPF is a broad capability -- confirm the daemon really
# needs it rather than a plain socket filter on its netlink socket.
allow conntrackd_t self:capability2 { bpf };
allow conntrackd_t self:netlink_route_socket rw_netlink_socket_perms;
allow conntrackd_t self:netlink_netfilter_socket create_socket_perms;
# UDP sockets are used for state synchronisation with peer nodes
# (see the corenet_udp_* rules at the end of this file).
allow conntrackd_t self:udp_socket create_socket_perms;
allow conntrackd_t self:unix_dgram_socket create_socket_perms;
allow conntrackd_t self:process { setsched signal };
# Configuration: list the config dir, read files and follow symlinks.
# No write access to conntrackd_conf_t is granted.
allow conntrackd_t conntrackd_conf_t:dir list_dir_perms;
read_files_pattern(conntrackd_t, conntrackd_conf_t, conntrackd_conf_t)
read_lnk_files_pattern(conntrackd_t, conntrackd_conf_t, conntrackd_conf_t)
# Logging: log files and sock files are fully managed; on the log dir only
# setattr is added beyond what the manage_*_pattern macros already allow.
# NOTE(review): the filetrans lists `dir`, yet no rule here grants `create`
# on conntrackd_log_t:dir -- confirm whether the dir transition is needed.
allow conntrackd_t conntrackd_log_t:dir setattr_dir_perms;
manage_files_pattern(conntrackd_t, conntrackd_log_t, conntrackd_log_t)
manage_sock_files_pattern(conntrackd_t, conntrackd_log_t, conntrackd_log_t)
logging_log_filetrans(conntrackd_t, conntrackd_log_t, { sock_file file dir })
# Runtime state under the pid directory: dirs, files and the control socket
# created there are labelled conntrackd_var_run_t.
manage_dirs_pattern(conntrackd_t, conntrackd_var_run_t, conntrackd_var_run_t)
manage_files_pattern(conntrackd_t, conntrackd_var_run_t, conntrackd_var_run_t)
manage_sock_files_pattern(conntrackd_t, conntrackd_var_run_t, conntrackd_var_run_t)
files_pid_filetrans(conntrackd_t, conntrackd_var_run_t, { dir file sock_file })
# Lock files under the lock directory.
# NOTE(review): `sock_file` is listed in the lock filetrans but no sock_file
# permission on conntrackd_var_lock_t is granted anywhere in this file;
# either add manage_sock_files_pattern for it or drop sock_file from the
# transition so the rule reflects what is actually allowed.
manage_dirs_pattern(conntrackd_t, conntrackd_var_lock_t, conntrackd_var_lock_t)
manage_files_pattern(conntrackd_t, conntrackd_var_lock_t, conntrackd_var_lock_t)
files_lock_filetrans(conntrackd_t, conntrackd_var_lock_t, { dir file sock_file })
# Kernel interfaces: read network/conntrack state and request module loading.
kernel_read_network_state(conntrackd_t)
kernel_request_load_module(conntrackd_t)
# Network access: generic interfaces/nodes plus the dedicated conntrackd port.
# NOTE(review): corenet_udp_sendrecv_all_ports is much broader than the
# conntrackd-port rules below; if the daemon only needs its configured sync
# port, the all_ports grant should be dropped to keep the domain least-privilege.
corenet_udp_sendrecv_generic_if(conntrackd_t)
corenet_udp_sendrecv_generic_node(conntrackd_t)
corenet_udp_sendrecv_all_ports(conntrackd_t)
corenet_udp_bind_generic_node(conntrackd_t)
corenet_udp_bind_conntrackd_port(conntrackd_t)
corenet_udp_sendrecv_conntrackd_port(conntrackd_t)
# Allow the daemon to log via syslog.
logging_send_syslog_msg(conntrackd_t)