-
Notifications
You must be signed in to change notification settings - Fork 0
/
myserver.te
93 lines (52 loc) · 2.18 KB
/
myserver.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
policy_module(myserver, 1.0.0)
#if you declare a policy module in the abstracted way then you
#dont need to require any kernel security classes and kernel av perms
#which would be generated by software i.e. audit2allow.
########################################
#
# Declarations
#
# importing other modules i.e. thats not declared locally.
# these are declared elsewhere but we need to use them in our
# policy for our domtain transition rule
gen_require(` type unconfined_t; role unconfined_r; ' )
# declare types
type myserver_t;
type myserver_exec_t;
# Process environments of programs that user process environments
#transition to are called application # domains, and the type of such a
#process is called a application domain type.
# defining myserver_t & myserver_exec_t as application domain types here.
application_domain(myserver_t, myserver_exec_t)
# some one in the user role can be in myserver domain
role unconfined_r types myserver_t;
# allow the domain transition
domtrans_pattern(unconfined_t, myserver_exec_t, myserver_t)
########################################
#
# Myapp local policy
#
# set the value to allow the exec stack to true , if this is true
#allow the process to have an executable stack for myserver
bool allow_myserver_t_execstack true;
if ( allow_myserver_t_execstack ) {
allow myserver_t self:process execstack;
}
# call to a abstracted rule its a macro4
files_exec_etc_files(myserver_t)
# letting myserver_t read system network configuration
sysnet_read_config(myserver_t)
# allows the myserver process to read and write to the calling users
#psudo terminal
userdom_use_inherited_user_ptys(myserver_t)
# allow the subject create socket & access myserver
allow myserver_t self:tcp_socket { create setopt bind};
# this allows the caller to vind tcp sockets to generic ports e.g.
#ports with type port_t
corenet_tcp_bind_generic_port(myserver_t)
corenet_tcp_bind_generic_node(myserver_t)
#the target is equal to the sourcethe target is identified
#by "self" rather than "myserver_t: which allow the permissions on the tcp socket
allow myserver_t self:tcp_socket { read write accept listen};
# allow myserver to exe on memory
allow myserver_t self:process execmem;