forked from OwlCyberDefense/refpolicy-contrib
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcolord.te
144 lines (113 loc) · 3.58 KB
/
colord.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
policy_module(colord, 1.3.0)
########################################
#
# Declarations
#
type colord_t;
type colord_exec_t;
dbus_system_domain(colord_t, colord_exec_t)
type colord_tmp_t;
files_tmp_file(colord_tmp_t)
type colord_tmpfs_t;
files_tmpfs_file(colord_tmpfs_t)
type colord_var_lib_t;
files_type(colord_var_lib_t)
########################################
#
# Local policy
#
allow colord_t self:capability { dac_override dac_read_search };
dontaudit colord_t self:capability sys_admin;
allow colord_t self:process signal;
allow colord_t self:fifo_file rw_fifo_file_perms;
allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
allow colord_t self:tcp_socket { accept listen };
allow colord_t self:shm create_shm_perms;
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
manage_dirs_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
files_var_lib_filetrans(colord_t, colord_var_lib_t, dir)
kernel_read_crypto_sysctls(colord_t)
kernel_read_device_sysctls(colord_t)
kernel_read_network_state(colord_t)
kernel_read_system_state(colord_t)
kernel_request_load_module(colord_t)
corenet_all_recvfrom_netlabel(colord_t)
corenet_all_recvfrom_unlabeled(colord_t)
corenet_tcp_sendrecv_generic_if(colord_t)
corenet_udp_sendrecv_generic_if(colord_t)
corenet_tcp_sendrecv_generic_node(colord_t)
corenet_udp_sendrecv_generic_node(colord_t)
corenet_udp_bind_generic_node(colord_t)
corenet_sendrecv_ipp_server_packets(colord_t)
corenet_udp_bind_ipp_port(colord_t)
corenet_udp_sendrecv_ipp_port(colord_t)
corenet_sendrecv_ipp_client_packets(colord_t)
corenet_tcp_connect_ipp_port(colord_t)
corenet_tcp_sendrecv_ipp_port(colord_t)
corecmd_exec_bin(colord_t)
corecmd_exec_shell(colord_t)
dev_read_raw_memory(colord_t)
dev_write_raw_memory(colord_t)
dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
dev_read_rand(colord_t)
dev_read_sysfs(colord_t)
dev_read_urand(colord_t)
dev_list_sysfs(colord_t)
dev_rw_generic_usb_dev(colord_t)
domain_use_interactive_fds(colord_t)
files_list_mnt(colord_t)
files_read_usr_files(colord_t)
fs_getattr_noxattr_fs(colord_t)
fs_getattr_tmpfs(colord_t)
fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t)
fs_search_all(colord_t)
fs_dontaudit_getattr_all_fs(colord_t)
storage_getattr_fixed_disk_dev(colord_t)
storage_getattr_removable_dev(colord_t)
storage_read_scsi_generic(colord_t)
storage_write_scsi_generic(colord_t)
init_read_state(colord_t)
auth_use_nsswitch(colord_t)
logging_send_syslog_msg(colord_t)
miscfiles_read_localization(colord_t)
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(colord_t)
fs_read_nfs_files(colord_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_getattr_cifs(colord_t)
fs_read_cifs_files(colord_t)
')
optional_policy(`
cups_read_config(colord_t)
cups_read_rw_config(colord_t)
cups_read_state(colord_t)
cups_stream_connect(colord_t)
cups_dbus_chat(colord_t)
')
optional_policy(`
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
policykit_read_reload(colord_t)
')
optional_policy(`
sysnet_exec_ifconfig(colord_t)
')
optional_policy(`
udev_read_db(colord_t)
udev_read_pid_files(colord_t)
')
optional_policy(`
xserver_read_xdm_lib_files(colord_t)
xserver_use_xdm_fds(colord_t)
')