# $Id: svc.te,v 1.7 2003/11/28 15:11:55 peter Exp $
#
# author Petre Rodan
#
# get the latest version of this file from
# http://team.rav.ro/peter/policy.tar.gz
#
# selinux policy for daemontools
# http://cr.yp.to/daemontools.html
#
# thanks for D. J. Bernstein and the NSA team for the great software
# they provide
#
# Two domains are defined here:
#   svc_t      - entered from initrc_t through svc_exec_t; also runs the
#                per-service run scripts and the daemontools helpers
#   multilog_t - entered from initrc_t or svc_t through svc_multilog_t
#
# All file types carry sysadmfile, so the administrator domain keeps
# full access to the daemontools binaries and to the supervise state.

##############################################################
# type definitions

# entry point of svc_t (the daemontools control binaries)
type svc_exec_t, file_type, sysadmfile, exec_type;

# the per-service "run" script; executed by svc_t without a transition
type svc_run_t, file_type, sysadmfile, exec_type;

# daemontools helper programs and the multilog entry point
type svc_multilog_t, file_type, sysadmfile, exec_type;
type svc_setuidgid_t, file_type, sysadmfile, exec_type;
type svc_envuidgid_t, file_type, sysadmfile, exec_type;
type svc_envdir_t, file_type, sysadmfile, exec_type;
type svc_softlimit_t, file_type, sysadmfile, exec_type;
type svc_tai64n_t, file_type, sysadmfile, exec_type;
type svc_tai64nlocal_t, file_type, sysadmfile, exec_type;
type svc_setlock_t, file_type, sysadmfile, exec_type;
# NOTE(review): svc_tai64n_t, svc_tai64nlocal_t and svc_setlock_t are
# declared here but no rule in this file grants svc_t or multilog_t
# execute on them; confirm this is intended or granted elsewhere.

# supervise state kept under each service directory
type svc_svc_t, file_type, sysadmfile;
type svc_control_t, file_type, sysadmfile;
type svc_ok_t, file_type, sysadmfile;
type svc_lock_t, file_type, sysadmfile;
type svc_status_t, file_type, sysadmfile;
type svc_logstatus_t, file_type, sysadmfile;
type svc_down_t, file_type, sysadmfile;
# (svc_status_t and svc_down_t are declared but not referenced by any
# rule in this file)

# directories and symlinks read by svc_t, envdir data, log directories
type svc_lnk_t, file_type, sysadmfile;
type svc_env_t, file_type, sysadmfile;
type svc_log_t, file_type, sysadmfile;

##############################################################
# the svc domain

type svc_t, domain;
role system_r types svc_t;
role sysadm_r types svc_t;

# the rc scripts and the administrator may run the daemontools binaries
# and helpers inside their own domain; only initrc_t transitions to svc_t
allow { initrc_t sysadm_t } { svc_exec_t svc_run_t svc_setuidgid_t svc_envuidgid_t svc_envdir_t svc_softlimit_t }:file { read execute execute_no_trans };
domain_auto_trans(initrc_t, svc_exec_t, svc_t);
uses_shlib(svc_t);

# setuidgid/envuidgid run inside svc_t, so the domain itself needs the
# uid/gid switching capabilities.
# NOTE(review): nothing in this file shows what needs fsetid or sys_time;
# confirm before keeping them.
allow svc_t self:capability { setuid setgid fsetid sys_time };

# process bookkeeping and descriptors inherited from init
allow svc_t self:process { fork sigchld };
allow svc_t self:fifo_file { read write getattr ioctl };
allow svc_t self:tcp_socket { read write ioctl };
allow svc_t self:dir { search };
allow svc_t self:file { read };
allow svc_t init_t:fd { use };
# NOTE(review): no rule here lets svc_t signal the daemons it supervises;
# confirm the base policy grants that for the domain attribute, otherwise
# stopping a service from svc_t would be denied.

# executing the run script, the daemontools helpers, shells and anything
# under bin_t/sbin_t -- all without a domain transition.
# NOTE(review): a daemon not covered by one of the domain_auto_trans rules
# further down keeps running in svc_t, with the capabilities granted above.
allow svc_t { svc_run_t svc_envdir_t svc_setuidgid_t svc_envuidgid_t svc_softlimit_t bin_t sbin_t }:file { read getattr execute execute_no_trans };
allow svc_t shell_exec_t:file { read execute execute_no_trans };
allow svc_t svc_exec_t:file { execute_no_trans };
allow svc_t bin_t:lnk_file { read };

# supervise state: control and ok fifos, lock file, status files
allow svc_t svc_control_t:fifo_file { read write };
allow svc_t svc_ok_t:fifo_file { read };
allow svc_t svc_lock_t:file { append lock };
allow svc_t svc_svc_t:dir { getattr read search write add_name remove_name };
allow svc_t svc_svc_t:file { getattr create write rename unlink };

# envdir data and the symlinked service directories
allow svc_t { svc_env_t svc_lnk_t }:dir { getattr read search };
allow svc_t { svc_env_t svc_lnk_t }:lnk_file { read };
allow svc_t svc_env_t:file { read };

# system files: /etc (nsswitch.conf), runtime /etc files, /proc, sysctls
allow svc_t { bin_t sbin_t proc_t sysctl_kernel_t }:dir { search };
allow svc_t { etc_t etc_runtime_t proc_t }:file { getattr read };
allow svc_t sysctl_kernel_t:file { read };
allow svc_t proc_t:lnk_file { read };

# console and tty output
allow svc_t { console_device_t devtty_t }:chr_file { read write };

# daemons that get their own domain when started from a run script
ifdef(`ssh.te', `
domain_auto_trans(svc_t, sshd_exec_t, sshd_t)
')

ifdef(`qmail.te', `
allow svc_t qmail_start_exec_t:file { getattr read execute execute_no_trans };
domain_auto_trans(svc_t, qmail_start_exec_t, qmail_start_t)
# the starting script reads /var/qmail/defaultdelivery
allow svc_t etc_qmail_t:dir { search };
allow svc_t etc_qmail_t:file { getattr read };
# qmail-send inherits descriptors from svc_t and reports exit to it
allow qmail_send_t svc_t:fd { use };
allow qmail_send_t svc_t:fifo_file { write };
allow qmail_send_t svc_t:process { sigchld };
allow qmail_start_t svc_svc_t:dir { getattr search };
')

##############################################################
##############################################################
# the logger

type multilog_t, domain;
role system_r types multilog_t;

# multilog is started either by the rc scripts or by a run script in svc_t
domain_auto_trans( { initrc_t svc_t } , svc_multilog_t, multilog_t);
uses_shlib(multilog_t);

allow multilog_t init_t:fd { use };
allow multilog_t console_device_t:chr_file { read write };
allow multilog_t svc_svc_t:dir { read search };

# log directories labeled svc_log_t
allow multilog_t svc_log_t:dir { read search write add_name remove_name };
allow multilog_t svc_log_t:file { create link lock append getattr setattr unlink };

# log directories left as plain var_log_t get the same, plus dir getattr
# and file rename.
# NOTE(review): this reaches every var_log_t file, not only multilog
# directories; labeling those directories svc_log_t would be tighter.
# Note also that svc_log_t is not granted rename while var_log_t is --
# if multilog rotates "current" by renaming it, a svc_log_t directory
# will need rename as well; confirm.
allow multilog_t var_log_t:dir { getattr read search write add_name remove_name };
allow multilog_t var_log_t:file { create link lock append getattr setattr rename unlink };

# NOTE(review): nothing in this file shows why multilog touches the ksyms
# log; confirm this rule is still needed.
allow multilog_t var_log_ksyms_t:file { append getattr setattr };
allow multilog_t svc_logstatus_t:file { append write };

##############################################################