policy_module(fdo, 1.0.0)

########################################
#
# Declarations
#

# Process domain for the FDO daemons and the entry-point type of their
# executables.  This module uses a single domain for every FDO component;
# the rules in the local-policy section below all target fdo_t.
type fdo_t;
type fdo_exec_t;
init_daemon_domain(fdo_t, fdo_exec_t)

# systemd unit file(s) shipped for the daemons.  No rule in this module
# references the type directly; systemd_unit_file() wires it up for systemd.
type fdo_unit_file_t;
systemd_unit_file(fdo_unit_file_t)

# Base configuration tree.  The daemon creates subdirectories beneath it but
# is not granted write access to its files (see the fdo_conf_t rules below).
type fdo_conf_t;
files_config_file(fdo_conf_t)

# Writable configuration/state subtree that fdo_t creates inside fdo_conf_t
# (session stores, vouchers, keys, logs, the sudoers drop-in).
type fdo_conf_rw_t;
files_config_file(fdo_conf_rw_t)

# Device credential files the client writes under /etc and /boot.
type fdo_device_credentials_t;
files_type(fdo_device_credentials_t)

# Content the daemon places in user home directories.
type fdo_home_t;
userdom_user_home_content(fdo_home_t)

# Scratch files and directories under /tmp.
type fdo_tmp_t;
files_tmp_file(fdo_tmp_t)

# State kept directly under /var ...
type fdo_var_t;
files_type(fdo_var_t)

# ... and under /var/lib.
type fdo_var_lib_t;
files_type(fdo_var_lib_t)
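########################################
#
# fdo local policy
#
# NOTE(review): judging by the directory names transitioned below
# (manufacturing_sessions, owner_vouchers, rendezvous_sessions) and by the
# client-side rules (device credentials, sudoers drop-in, useradd, raw disk),
# every FDO component - the network-facing manufacturing, rendezvous and owner
# servers as well as the on-device client - appears to run as the one domain
# fdo_t.  The servers therefore inherit the client's most powerful privileges.
# Splitting into per-component domains would be the least-privilege fix; it
# requires the file contexts (.fc), which are not part of this listing.
#

# Self capabilities.  sys_admin and dac_override are both very broad (mounts,
# bypassing file permission checks); they are retained because the raw-disk
# and LVM rules further down plausibly need them, but each should be confirmed
# against audit logs rather than assumed.
allow fdo_t self:capability { chown dac_override dac_read_search sys_admin };

# Self-only IPC and socket permissions (no cross-domain access granted here).
allow fdo_t self:fifo_file rw_fifo_file_perms;
allow fdo_t self:netlink_route_socket r_netlink_socket_perms;
allow fdo_t self:tcp_socket create_stream_socket_perms;
allow fdo_t self:udp_socket create_socket_perms;
allow fdo_t self:unix_stream_socket create_stream_socket_perms;

# fdo_exec_t is also applied to directories and symlinks of the install tree,
# hence the dir/lnk_file rules; can_exec lets fdo_t run its own binaries
# without a domain transition (so helper invocations stay in fdo_t).
allow fdo_t fdo_exec_t:dir search_dir_perms;
allow fdo_t fdo_exec_t:lnk_file read_lnk_file_perms;
can_exec(fdo_t, fdo_exec_t)

# Configuration.  Files of fdo_conf_t are only read (via files_read_config_files
# below); directories may be created/removed so that the writable subtree can
# be set up.  Everything fdo_t creates beneath fdo_conf_t with one of the names
# listed is labelled fdo_conf_rw_t, which fdo_t fully manages.
manage_dirs_pattern(fdo_t, fdo_conf_t, fdo_conf_t)
manage_dirs_pattern(fdo_t, fdo_conf_rw_t, fdo_conf_rw_t)
manage_files_pattern(fdo_t, fdo_conf_rw_t, fdo_conf_rw_t)
manage_lnk_files_pattern(fdo_t, fdo_conf_rw_t, fdo_conf_rw_t)
filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "configs" )
filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "keys" )
filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "logs" )
filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "manufacturing_sessions" )
filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "owner_vouchers" )
filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "owner_onboarding_sessions" )
filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "rendezvous_registered" )
filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "rendezvous_sessions" )
filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, dir, "stores" )
filetrans_pattern(fdo_t, fdo_conf_t, fdo_conf_rw_t, file, "aio_configuration" )

# The client copies a sudoers drop-in from the server to /etc/sudoers.d/fdouser.
# The transition keys on the file name only: any file called "fdouser" that
# fdo_t creates directly in an etc_t directory becomes fdo_conf_rw_t.  Since
# fdo_t has full manage rights on fdo_conf_rw_t (above), the daemon can rewrite
# its own sudo grant at any time - a deliberate but high-value capability.
# sudo must presumably be able to read the drop-in; files_config_file() on
# fdo_conf_rw_t makes it readable to domains that read config files.
files_etc_filetrans(fdo_t, fdo_conf_rw_t, file, "fdouser")

# Device credentials, written as /etc/device-credentials, /boot/device-credentials
# and the /etc/device_onboarding_performed marker.  The credential presumably
# holds secret material; note that /boot is commonly readable by all local
# users, so the file mode chosen by the client - not this policy - is what
# keeps it private.  Only fdo_t is granted access to the type in this module.
manage_files_pattern(fdo_t, fdo_device_credentials_t, fdo_device_credentials_t)
files_etc_filetrans(fdo_t, fdo_device_credentials_t, file, "device-credentials")
files_etc_filetrans(fdo_t, fdo_device_credentials_t, file, "device_onboarding_performed")
files_boot_filetrans(fdo_t, fdo_device_credentials_t, file, "device-credentials")

# Home directory content.  No transition to fdo_home_t is defined in this
# module, so the type must be assigned by file contexts or the ssh rules below.
manage_dirs_pattern(fdo_t, fdo_home_t, fdo_home_t)
manage_files_pattern(fdo_t, fdo_home_t, fdo_home_t)

# Private /tmp content.
manage_dirs_pattern(fdo_t, fdo_tmp_t, fdo_tmp_t)
manage_files_pattern(fdo_t, fdo_tmp_t, fdo_tmp_t)
files_tmp_filetrans(fdo_t, fdo_tmp_t, { file dir })

# State created directly under /var.
manage_dirs_pattern(fdo_t, fdo_var_t, fdo_var_t)
manage_files_pattern(fdo_t, fdo_var_t, fdo_var_t)
files_var_filetrans(fdo_t, fdo_var_t, { file dir })

# NOTE(review): fdo_t is only granted *read* access to fdo_var_lib_t, yet the
# transition below labels files/dirs that fdo_t *creates* under /var/lib.
# As far as this module shows, no rule lets fdo_t create fdo_var_lib_t objects
# (filetrans_pattern grants rw on the var_lib_t parent, not create on the new
# type), so the transition cannot take effect.  Either add
# manage_files_pattern/manage_dirs_pattern for fdo_var_lib_t if the daemon
# really writes there, or drop the transition; confirm with audit logs.
read_files_pattern(fdo_t, fdo_var_lib_t, fdo_var_lib_t)
files_var_lib_filetrans(fdo_t, fdo_var_lib_t, { file dir })

# Kernel interfaces: SysV IPC info, /proc, and connecting to kernel-side
# unix stream sockets.
kernel_get_sysvipc_info(fdo_t)
kernel_read_proc_files(fdo_t)
kernel_stream_connect(fdo_t)

# The daemon runs generic binaries and shells in its own domain.  Combined
# with the useradd/passwd transitions and the sudoers drop-in below, this makes
# fdo_t a fully general execution environment - keep that in mind when
# exposing it to the network.
corecmd_exec_bin(fdo_t)
corecmd_exec_shell(fdo_t)

# Network.  The FDO servers are presumably listening in the 8080-8083 range,
# which in the base policy is spread over http_cache_port_t (8080),
# transproxy_port_t (8081) and us_cli_port_t (8082-8083); plain http_port_t
# (80/443 etc.) is allowed as well.  These port types are shared with other
# services, so the bind permission is wider than FDO alone needs.
corenet_tcp_bind_generic_node(fdo_t)
corenet_tcp_bind_http_cache_port(fdo_t)
corenet_tcp_connect_http_cache_port(fdo_t)
corenet_tcp_bind_http_port(fdo_t)
corenet_tcp_connect_http_port(fdo_t)
corenet_tcp_bind_transproxy_port(fdo_t)
corenet_tcp_connect_transproxy_port(fdo_t)
corenet_tcp_bind_us_cli_port(fdo_t)
corenet_tcp_connect_us_cli_port(fdo_t)

# Devices: sysfs, /dev/random, the LVM control node and the TPM.  TPM access
# presumably backs device-credential storage/attestation on the client; it is
# not needed by the servers.
dev_getattr_fs(fdo_t)
dev_list_sysfs(fdo_t)
dev_read_rand(fdo_t)
dev_rw_lvm_control(fdo_t)
dev_rw_tpm(fdo_t)

# Inherited terminal/file descriptors (e.g. when started from a shell).
domain_use_interactive_fds(fdo_t)

# Read access to everything labelled as a config file, including fdo_conf_t.
files_read_config_files(fdo_t)

# Filesystem metadata and cgroup information.
fs_getattr_xattr_fs(fdo_t)
fs_read_cgroup_files(fdo_t)

# Raw read/write of fixed disks bypasses file labelling entirely and is the
# single most powerful rule in this module; together with the LVM rules it
# presumably serves disk re-encryption/re-keying on the client.  Confirm it
# is still required, and that it is never reachable from a server instance.
storage_raw_rw_fixed_disk(fdo_t)

optional_policy(`
	# /etc/passwd lookups (user creation, home directory resolution).
	auth_read_passwd_file(fdo_t)
')

optional_policy(`
	# Run LVM tools in lvm_t and manage their runtime directory.
	lvm_domtrans(fdo_t)
	lvm_manage_var_run(fdo_t)
	lvm_var_run_filetrans(fdo_t)
')

optional_policy(`
	# System CA certificates (TLS to the other FDO parties) and locale data.
	miscfiles_read_generic_certs(fdo_t)
	miscfiles_read_localization(fdo_t)
')

optional_policy(`
	# Derived fdo_ssh_t client domain, plus creation of ~/.ssh and its
	# contents (presumably authorized_keys) for the onboarded user.  This
	# lets fdo_t grant SSH access to any home directory it can reach.
	ssh_basic_client_template(fdo, fdo_t, system_r)
	ssh_create_home_dirs(fdo_t)
	ssh_filetrans_home_content(fdo_t)
')

optional_policy(`
	# /etc/resolv.conf and friends.
	sysnet_read_config(fdo_t)
')

optional_policy(`
	# systemd-userdbd runtime sockets (user/group lookups through userdb).
	systemd_manage_userdbd_runtime_sock_files(fdo_t)
')

optional_policy(`
	# NOTE(review): this interface takes a process domain as its argument,
	# but fdo_home_t is a file type, so the rule it generates (creation of
	# user_home_dir_t directories under home_root_t by "fdo_home_t") can
	# never apply.  The intent was probably fdo_t, which creates home content
	# via the ssh rules above; verify against the interface definition in the
	# base policy before changing it.
	userdom_home_filetrans_user_home_dir(fdo_home_t)
')

optional_policy(`
	# The client creates and sets the password of a local user; useradd and
	# passwd run in their own domains via transition.  Reading the crack db
	# presumably serves passwd's password-quality check.
	usermanage_domtrans_passwd(fdo_t)
	usermanage_domtrans_useradd(fdo_t)
	usermanage_read_crack_db(fdo_t)
')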