Run fapolicyd service as fapolicyd_t

Create policy files and rules for fapolicyd service.
Fapolicyd is a userspace daemon that determines access rights to files based on attributes of the process and file.

fapolicyd.fc

@@ -0,0 +1,7 @@
+/usr/sbin/fapolicyd		--	 gen_context(system_u:object_r:fapolicyd_exec_t,s0)
+
+/var/lib/fapolicyd(/.*)?		 gen_context(system_u:object_r:fapolicyd_var_lib_t,s0)
+
+/var/log/fapolicyd-access.log    --      gen_context(system_u:object_r:fapolicyd_log_t,s0)
+
+/var/run/fapolicyd(/.*)?		 gen_context(system_u:object_r:fapolicyd_var_run_t,s0)

fapolicyd.if

@@ -0,0 +1,179 @@
+## <summary>policy for fapolicyd</summary>
+
+########################################
+## <summary>
+##	Execute fapolicyd_exec_t in the fapolicyd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fapolicyd_domtrans',`
+	gen_require(`
+		type fapolicyd_t, fapolicyd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, fapolicyd_exec_t, fapolicyd_t)
+')
+
+######################################
+## <summary>
+##	Execute fapolicyd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fapolicyd_exec',`
+	gen_require(`
+		type fapolicyd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, fapolicyd_exec_t)
+')
+
+########################################
+## <summary>
+##	Search fapolicyd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fapolicyd_search_lib',`
+	gen_require(`
+		type fapolicyd_var_lib_t;
+	')
+
+	allow $1 fapolicyd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read fapolicyd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fapolicyd_read_lib_files',`
+	gen_require(`
+		type fapolicyd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, fapolicyd_var_lib_t, fapolicyd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage fapolicyd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fapolicyd_manage_lib_files',`
+	gen_require(`
+		type fapolicyd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, fapolicyd_var_lib_t, fapolicyd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage fapolicyd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fapolicyd_manage_lib_dirs',`
+	gen_require(`
+		type fapolicyd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, fapolicyd_var_lib_t, fapolicyd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read fapolicyd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fapolicyd_read_pid_files',`
+	gen_require(`
+		type fapolicyd_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, fapolicyd_var_run_t, fapolicyd_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an fapolicyd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fapolicyd_admin',`
+	gen_require(`
+		type fapolicyd_t;
+		type fapolicyd_var_lib_t;
+		type fapolicyd_var_run_t;
+	')
+
+	allow $1 fapolicyd_t:process { signal_perms };
+	ps_process_pattern($1, fapolicyd_t)
+
+        tunable_policy(`deny_ptrace',`',`
+                allow $1 fapolicyd_t:process ptrace;
+        ')
+
+	files_search_var_lib($1)
+	admin_pattern($1, fapolicyd_var_lib_t)
+
+	logging_search_logs($1)
+        admin_pattern($1, fapolicyd_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, fapolicyd_var_run_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')

fapolicyd.te

@@ -0,0 +1,60 @@
+policy_module(fapolicyd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type fapolicyd_t;
+type fapolicyd_exec_t; 
+init_daemon_domain(fapolicyd_t, fapolicyd_exec_t)
+
+type fapolicyd_var_lib_t;
+files_type(fapolicyd_var_lib_t)
+
+type fapolicyd_log_t;
+logging_log_file(fapolicyd_log_t)
+
+type fapolicyd_var_run_t;
+files_pid_file(fapolicyd_var_run_t)
+
+########################################
+#
+# fapolicyd local policy
+#
+allow fapolicyd_t self:capability { audit_write chown dac_override setgid setuid sys_admin sys_nice sys_ptrace };
+allow fapolicyd_t self:fifo_file rw_fifo_file_perms;
+allow fapolicyd_t self:process { setcap setsched };
+allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
+allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
+
+manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
+logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
+
+manage_dirs_pattern(fapolicyd_t, fapolicyd_var_lib_t, fapolicyd_var_lib_t)
+manage_files_pattern(fapolicyd_t, fapolicyd_var_lib_t, fapolicyd_var_lib_t)
+manage_lnk_files_pattern(fapolicyd_t, fapolicyd_var_lib_t, fapolicyd_var_lib_t)
+mmap_read_files_pattern(fapolicyd_t, fapolicyd_var_lib_t, fapolicyd_var_lib_t)
+files_var_lib_filetrans(fapolicyd_t, fapolicyd_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
+manage_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
+manage_fifo_files_pattern(fapolicyd_t, fapolicyd_var_run_t,fapolicyd_var_run_t)
+manage_lnk_files_pattern(fapolicyd_t, fapolicyd_var_run_t, fapolicyd_var_run_t)
+files_pid_filetrans(fapolicyd_t, fapolicyd_var_run_t, { dir file lnk_file })
+
+kernel_dgram_send(fapolicyd_t)
+
+auth_read_passwd(fapolicyd_t)
+
+domain_read_all_domains_state(fapolicyd_t)
+
+files_mmap_usr_files(fapolicyd_t)
+files_read_all_files(fapolicyd_t)
+fs_getattr_xattr_fs(fapolicyd_t)
+
+logging_send_syslog_msg(fapolicyd_t)
+
+optional_policy(`
+        rpm_read_db(fapolicyd_t)        
+')