STNSのsshクエリラッパー用SELinuxのポリシーファイル

stns-query-wrapper.te

module stns-query-wrapper 1.0;

require {
        type bin_t;
        type chkpwd_t;
        type policykit_t;
        type sshd_t;
        type sysctl_net_t;
        type sysfs_t;
        type system_dbusd_t;
        type systemd_logind_t;
        type unreserved_port_t;
        type useradd_t;
        type var_lib_t;
        class capability { sys_ptrace fsetid };
        class capability2 block_suspend;
        class dir search;
        class file { open execute execute_no_trans getattr setattr read write };
        class lnk_file read;
        class tcp_socket name_connect;
}

allow chkpwd_t bin_t:file { execute execute_no_trans };
allow chkpwd_t self:capability2 block_suspend;
allow chkpwd_t sysctl_net_t:dir search;
allow chkpwd_t sysctl_net_t:file { open read };
allow chkpwd_t sysfs_t:file { setattr getattr read open };
allow chkpwd_t sysfs_t:lnk_file read;
allow chkpwd_t unreserved_port_t:tcp_socket name_connect;

allow policykit_t self:capability2 block_suspend;
allow policykit_t sysctl_net_t:dir search;
allow policykit_t unreserved_port_t:tcp_socket name_connect;

allow sshd_t self:capability2 block_suspend;
allow sshd_t unreserved_port_t:tcp_socket name_connect;
allow sshd_t var_lib_t:file { setattr getattr open write };

allow system_dbusd_t self:capability { sys_ptrace fsetid };
allow system_dbusd_t sysctl_net_t:dir search;
allow system_dbusd_t sysctl_net_t:file { open read };
allow system_dbusd_t var_lib_t:file { open setattr };

allow systemd_logind_t bin_t:file { execute execute_no_trans };
allow systemd_logind_t sysctl_net_t:dir search;
allow systemd_logind_t sysctl_net_t:file { open read };
allow systemd_logind_t unreserved_port_t:tcp_socket name_connect;

allow useradd_t self:capability2 block_suspend;
allow useradd_t sysctl_net_t:dir search;
allow useradd_t unreserved_port_t:tcp_socket name_connect;