github.com/ethanhsieh/snapd@v0.0.0-20210615102523-3db9b8e4edc5/data/selinux/snappy.if (about)

     1  # This file is part of snapd-selinux
     2  # Skeleton derived from Fedora selinux-policy, Copyright (C) 2016 Red Hat, Inc.
     3  # Copyright (C) 2016 Neal Gompa
     4  #
     5  # This program is free software; you can redistribute it and/or modify
     6  # it under the terms of the GNU General Public License as published by
     7  # the Free Software Foundation; either version 2 of the License, or
     8  # (at your option) any later version.
     9  #
    10  # This program is distributed in the hope that it will be useful,
    11  # but WITHOUT ANY WARRANTY; without even the implied warranty of
    12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13  # GNU Library General Public License for more details.
    14  #
    15  # You should have received a copy of the GNU General Public License
    16  # along with this program; if not, write to the Free Software
    17  # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
    18  
    19  
    ########################################
    ## <summary>
    ##	Transition to the snappy_t domain when executing
    ##	a file labeled snappy_exec_t.
    ## </summary>
    ## <desc>
    ##	<p>
    ##	A domain transition gives the caller a path into the
    ##	permissions of snappy_t, so grant this only to domains
    ##	that are expected to start snapd.
    ##	</p>
    ## </desc>
    ## <param name="domain">
    ##	<summary>
    ##	Domain allowed to transition.
    ##	</summary>
    ## </param>
    #
    interface(`snappy_domtrans',`
    	gen_require(`
    		type snappy_exec_t;
    		type snappy_t;
    	')

    	# Executing snappy_exec_t moves the caller into snappy_t.
    	domtrans_pattern($1, snappy_exec_t, snappy_t)
    	# The caller has to search the bin directories to reach the executable.
    	corecmd_search_bin($1)
    ')
    37  
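    #######################################
    ## <summary>
    ##	Run systemctl and manage the services whose unit
    ##	files are labeled snappy_unit_file_t.
    ## </summary>
    ## <desc>
    ##	<p>
    ##	This interface does not transition into snappy_t.
    ##	It lets the caller execute systemctl, request a reload,
    ##	read the snapd unit files, manage the matching services
    ##	and read the process state of snappy_t.
    ##	</p>
    ## </desc>
    ## <param name="domain">
    ##	<summary>
    ##	Domain allowed to manage the snapd services.
    ##	</summary>
    ## </param>
    #
    interface(`snappy_systemctl',`
    	gen_require(`
    		type snappy_t;
    		type snappy_unit_file_t;
    	')

    	# Let the caller run systemctl and ask for a reload.
    	systemd_exec_systemctl($1)
    	init_reload_services($1)

    	# NOTE(review): snappy_unit_file_t looks like a unit file type; socket
    	# objects are normally labeled after the creating process, so this rule
    	# presumably never matches. Confirm against the .te before relying on it.
    	allow $1 snappy_unit_file_t:unix_stream_socket create_stream_socket_perms;

    	# Read the unit files and control the services they define
    	# (manage_service_perms is the broad service permission set).
    	allow $1 snappy_unit_file_t:file read_file_perms;
    	allow $1 snappy_unit_file_t:service manage_service_perms;

    	# Read the process state of snappy_t processes.
    	ps_process_pattern($1, snappy_t)
    ')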
    60  
    61  
    ########################################
    ## <summary>
    ##	Read snapd configuration: list directories, read
    ##	files and read symlinks labeled snappy_config_t.
    ## </summary>
    ## <param name="domain">
    ##	<summary>
    ##	Domain allowed to access.
    ##	</summary>
    ## </param>
    #
    interface(`snappy_read_config',`
    	gen_require(`
    		type snappy_config_t;
    	')

    	# Read-only access: no write, create or relabel permission is granted here.
    	allow $1 snappy_config_t:file read_file_perms;
    	allow $1 snappy_config_t:lnk_file read_lnk_file_perms;
    	allow $1 snappy_config_t:dir list_dir_perms;

    	# Path traversal through the etc directories.
    	files_search_etc($1)
    ')
    81  
    82  
    ########################################
    ## <summary>
    ##	Label a directory named "snap" that the domain creates
    ##	in a user home directory as snappy_home_t.
    ## </summary>
    ## <param name="domain">
    ##	<summary>
    ##	Domain allowed access.
    ##	</summary>
    ## </param>
    #
    interface(`snappy_filetrans_home_content',`
    	gen_require(`
    		type snappy_home_t;
    	')

    	# Named type transition: it applies to the dir class and to the
    	# exact name "snap" only, so other new home content keeps its
    	# default label.
    	userdom_user_home_dir_filetrans($1, snappy_home_t, dir, "snap")
    ')
   100  
   101  
   ########################################
   ## <summary>
   ##	Read snappy content in user home directories: list
   ##	directories, read files and read symlinks labeled
   ##	snappy_home_t.
   ## </summary>
   ## <param name="domain">
   ##	<summary>
   ##	Domain allowed access.
   ##	</summary>
   ## </param>
   #
   interface(`snappy_read_user_home_files',`
   	gen_require(`
   		type snappy_home_t;
   	')

   	# Reach the snappy content by searching the user home directories.
   	userdom_search_user_home_dirs($1)

   	# Read-only access to the snappy home content itself.
   	allow $1 snappy_home_t:file read_file_perms;
   	allow $1 snappy_home_t:lnk_file read_lnk_file_perms;
   	allow $1 snappy_home_t:dir list_dir_perms;
   ')
   121  
   ########################################
   ## <summary>
   ##	Write to snappy files in user home directories.
   ## </summary>
   ## <desc>
   ##	<p>
   ##	Only the write pattern is requested; no create, delete
   ##	or relabel pattern appears in this interface.
   ##	</p>
   ## </desc>
   ## <param name="domain">
   ##	<summary>
   ##	Domain allowed access.
   ##	</summary>
   ## </param>
   #
   interface(`snappy_write_user_home_files',`
   	gen_require(`
   		type snappy_home_t;
   	')

   	# Reach the snappy content by searching the user home directories.
   	userdom_search_user_home_dirs($1)

   	# Both the containing directory and the files carry snappy_home_t.
   	write_files_pattern($1, snappy_home_t, snappy_home_t)
   ')
   139  
   ########################################
   ## <summary>
   ##	Do not audit attempts to read or write snappy home
   ##	directory files (rw_inherited_file_perms).
   ## </summary>
   ## <desc>
   ##	<p>
   ##	The access is still denied; only the AVC record is
   ##	suppressed. When investigating a denial that may be hidden
   ##	by this rule, rebuild the policy with dontaudit rules
   ##	disabled (semodule -DB) and re-enable them afterwards.
   ##	</p>
   ## </desc>
   ## <param name="domain">
   ##	<summary>
   ##	Domain to not audit.
   ##	</summary>
   ## </param>
   #
   interface(`snappy_dontaudit_rw_user_home_files',`
   	gen_require(`
   		type snappy_home_t;
   	')

   	# Silences the audit record only; no access is granted.
   	dontaudit $1 snappy_home_t:file rw_inherited_file_perms;
   ')
   156  
   ########################################
   ## <summary>
   ##	Do not audit attempts to manage snappy home
   ##	directories and files.
   ## </summary>
   ## <desc>
   ##	<p>
   ##	Covers the manage permission sets on both the dir and
   ##	the file class. The access is still denied; only the AVC
   ##	record is suppressed, so such attempts will not show up
   ##	in the audit log while this rule is active.
   ##	</p>
   ## </desc>
   ## <param name="domain">
   ##	<summary>
   ##	Domain to not audit.
   ##	</summary>
   ## </param>
   #
   interface(`snappy_dontaudit_manage_user_home_files',`
   	gen_require(`
   		type snappy_home_t;
   	')

   	# Silences the audit records only; no access is granted.
   	dontaudit $1 snappy_home_t:file manage_file_perms;
   	dontaudit $1 snappy_home_t:dir manage_dir_perms;
   ')
   174  
   ########################################
   ## <summary>
   ##	Connect to snapd over a unix stream socket.
   ## </summary>
   ## <desc>
   ##	<p>
   ##	This is the SELinux permission to reach the snapd socket
   ##	under the runtime directory; grant it only to domains
   ##	that need to talk to snapd.
   ##	</p>
   ## </desc>
   ## <param name="domain">
   ##	<summary>
   ##	Domain allowed access.
   ##	</summary>
   ## </param>
   #
   interface(`snappy_stream_connect',`
   	gen_require(`
   		type snappy_var_run_t;
   		type snappy_t;
   	')

   	# Directory and socket file are both snappy_var_run_t; the peer
   	# process that owns the socket runs as snappy_t.
   	stream_connect_pattern($1, snappy_var_run_t, snappy_var_run_t, snappy_t)
   	# Path traversal through the pid directories.
   	files_search_pids($1)
   ')
   192  
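   #######################################
   ## <summary>
   ##	All of the rules required to
   ##	administrate a snappy environment.
   ## </summary>
   ## <desc>
   ##	<p>
   ##	Grants signal permissions on snappy_t, read access to its
   ##	process state, and admin_pattern access to the snapd
   ##	configuration and runtime files. This is a broad grant;
   ##	restrict it to administrative domains.
   ##	</p>
   ## </desc>
   ## <param name="domain">
   ##	<summary>
   ##	Domain allowed access.
   ##	</summary>
   ## </param>
   ## <param name="role">
   ##	<summary>
   ##	Role allowed access. Accepted for interface
   ##	compatibility; the rules below do not reference it.
   ##	</summary>
   ## </param>
   ## <rolecap/>
   #
   interface(`snappy_admin',`
   	gen_require(`
   		type snappy_t, snappy_config_t;
   		type snappy_var_run_t;
   	')

   	# Signal the snapd processes and read their process state.
   	allow $1 snappy_t:process signal_perms;
   	ps_process_pattern($1, snappy_t)

   	# Administer the snapd configuration files.
   	admin_pattern($1, snappy_config_t)

   	# files_list_pids takes the domain only; the runtime files
   	# are covered by the admin_pattern call that follows.
   	# Interface and pattern calls carry no trailing semicolon.
   	files_list_pids($1)
   	admin_pattern($1, snappy_var_run_t)
   ')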
   221  
   ########################################
   ## <summary>
   ##	Transition to the snappy_cli_t domain when executing
   ##	a file labeled snappy_cli_exec_t (the snappy CLI).
   ## </summary>
   ## <param name="domain">
   ##	<summary>
   ##	Domain allowed to transition.
   ##	</summary>
   ## </param>
   #
   interface(`snappy_cli_domtrans',`
   	gen_require(`
   		type snappy_cli_exec_t;
   		type snappy_cli_t;
   	')

   	# Executing snappy_cli_exec_t moves the caller into snappy_cli_t.
   	domtrans_pattern($1, snappy_cli_exec_t, snappy_cli_t)
   	# The caller has to search the bin directories to reach the executable.
   	corecmd_search_bin($1)
   ')
   239  
   ########################################
   ## <summary>
   ##	Transition to the snappy_confine_t domain when executing
   ##	a file labeled snappy_confine_exec_t (snap-confine).
   ## </summary>
   ## <desc>
   ##	<p>
   ##	Grant only to domains that are expected to launch
   ##	snap-confine; the caller gains a path into the
   ##	permissions of snappy_confine_t.
   ##	</p>
   ## </desc>
   ## <param name="domain">
   ##	<summary>
   ##	Domain allowed to transition.
   ##	</summary>
   ## </param>
   #
   interface(`snappy_confine_domtrans',`
   	gen_require(`
   		type snappy_confine_exec_t;
   		type snappy_confine_t;
   	')

   	# Executing snappy_confine_exec_t moves the caller into snappy_confine_t.
   	domtrans_pattern($1, snappy_confine_exec_t, snappy_confine_t)
   	# The caller has to search the bin directories to reach the executable.
   	corecmd_search_bin($1)
   ')
   257  
   ########################################
   ## <summary>
   ##	Transition to the snappy_mount_t domain when executing
   ##	a file labeled snappy_mount_exec_t (snap-update-ns,
   ##	snap-discard-ns).
   ## </summary>
   ## <param name="domain">
   ##	<summary>
   ##	Domain allowed to transition.
   ##	</summary>
   ## </param>
   #
   interface(`snappy_mount_domtrans',`
   	gen_require(`
   		type snappy_mount_exec_t;
   		type snappy_mount_t;
   	')

   	# Executing snappy_mount_exec_t moves the caller into snappy_mount_t.
   	domtrans_pattern($1, snappy_mount_exec_t, snappy_mount_t)
   	# The caller has to search the bin directories to reach the executable.
   	corecmd_search_bin($1)
   ')
   275  
   ########################################
   ## <summary>
   ##	Search snapd state directories (snappy_var_lib_t).
   ## </summary>
   ## <param name="domain">
   ##	<summary>
   ##	Domain allowed access.
   ##	</summary>
   ## </param>
   #
   interface(`snappy_search_lib',`
   	gen_require(`
   		type snappy_var_lib_t;
   	')

   	# Path traversal through the var lib directories.
   	files_search_var_lib($1)
   	# Search only: listing and reading the state is not granted here.
   	allow $1 snappy_var_lib_t:dir search_dir_perms;
   ')
   294  
   ########################################
   ## <summary>
   ##	Read snapd state: list directories and read files
   ##	labeled snappy_var_lib_t.
   ## </summary>
   ## <param name="domain">
   ##	<summary>
   ##	Domain allowed access.
   ##	</summary>
   ## </param>
   #
   interface(`snappy_read_lib',`
   	gen_require(`
   		type snappy_var_lib_t;
   	')

   	# Read-only patterns; the containing directory and the
   	# objects inside it both carry snappy_var_lib_t.
   	read_files_pattern($1, snappy_var_lib_t, snappy_var_lib_t)
   	list_dirs_pattern($1, snappy_var_lib_t, snappy_var_lib_t)

   	# Reuse the search interface for the path down to the state directory.
   	snappy_search_lib($1)
   ')