home-assistant-yellow/repos/aimee-os/sec-policy/selinux-aimee-os/files/aimee-os.te

policy_module(aimee-os, 1.0)

########################################
#
# Declarations
#
# One domain per tool, each with its own entrypoint (_exec_t) type.
# init-storage and factory-reset are init-started daemons; system-update
# and set-root-password are user application domains that an
# administrator enters from sysadm_t through the aimee_os_run_*
# interfaces called further down in this file.
#

# init-storage: started by init; its per-boot state lives under /run.
type aimee_storinit_t;
type aimee_storinit_exec_t;
init_daemon_domain(aimee_storinit_t, aimee_storinit_exec_t)

type aimee_storinit_runtime_t;
files_runtime_file(aimee_storinit_runtime_t)

# system-update: run by an administrator.  A private /tmp type keeps its
# scratch files apart from generic tmp_t.
type aimee_sysupdate_t;
type aimee_sysupdate_exec_t;
userdom_user_application_domain(aimee_sysupdate_t, aimee_sysupdate_exec_t)

type aimee_sysupdate_tmp_t;
files_tmp_file(aimee_sysupdate_tmp_t)

# factory-reset: started by init; has no private file types of its own.
type aimee_factory_reset_t;
type aimee_factory_reset_exec_t;
init_daemon_domain(aimee_factory_reset_t, aimee_factory_reset_exec_t)

# set-root-password: run by an administrator.  Its private /tmp type is
# also used as a mount point and is shared with passwd_t (see the
# set-root-password section).
type aimee_set_root_password_t;
type aimee_set_root_password_exec_t;
userdom_user_application_domain(aimee_set_root_password_t, aimee_set_root_password_exec_t)

type aimee_set_root_password_tmp_t;
files_tmp_file(aimee_set_root_password_tmp_t)
########################################
#
# init-storage local policy
#
# Judging by the rules below, this domain prepares persistent storage at
# boot: it probes block devices, mounts filesystems, and creates or
# relabels the writable parts of the tree (/var, /tmp, logs, the SELinux
# module store, parts of /etc) on them.  It is the most powerful domain
# in this module -- it can rewrite and relabel shadow_t and every
# logfile type -- which is tolerable only because it is reachable solely
# through its init entrypoint (no other domain transitions into it here).
#

# Pipes, presumably for shell pipelines inside the script.
allow aimee_storinit_t self:fifo_file rw_fifo_file_perms;
# chown/fsetid: ownership handling on files it creates or copies.
# sys_admin: required by mount(2), which runs in this domain (mount_exec).
allow aimee_storinit_t self:capability { chown fsetid sys_admin };
# Lets the process choose the label of files it creates (setfscreatecon)
# instead of relying on type transitions alone.
allow aimee_storinit_t self:process { setfscreate };

# Private state directory under /run.
manage_dirs_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
manage_files_pattern(aimee_storinit_t, aimee_storinit_runtime_t, aimee_storinit_runtime_t)
files_runtime_filetrans(aimee_storinit_t, aimee_storinit_runtime_t, dir)

corecmd_exec_bin(aimee_storinit_t)
# Raw read of fixed disks (device probing).  No raw write is granted in
# this section.
storage_raw_read_fixed_disk(aimee_storinit_t)
# Filesystem tools (mkfs/fsck) run in fsadm_t via domain transition,
# whereas mount runs in this domain itself -- hence sys_admin above and
# the fs_*_all_fs rules below.
fstools_domtrans(aimee_storinit_t)
mount_exec(aimee_storinit_t)
miscfiles_read_localization(aimee_storinit_t)
mount_list_runtime(aimee_storinit_t)
dev_read_sysfs(aimee_storinit_t)
kernel_search_debugfs(aimee_storinit_t)
kernel_list_unlabeled(aimee_storinit_t)
fs_getattr_all_fs(aimee_storinit_t)
# Mount and unmount any filesystem type, not only the data partition.
fs_mount_all_fs(aimee_storinit_t)
fs_unmount_all_fs(aimee_storinit_t)
allow aimee_storinit_t aimee_storinit_runtime_t:dir mounton;

gen_require(`
type mount_runtime_t;
')
# mount (running here, not as mount_t) tries to write its own runtime
# directory; the denial is silenced rather than allowed.
dontaudit aimee_storinit_t mount_runtime_t:dir write;

# Relabeling is delegated to setfiles in its own domain; the config,
# file-context and binary-policy reads support that step.
seutil_read_config(aimee_storinit_t)
seutil_read_file_contexts(aimee_storinit_t)
seutil_read_bin_policy(aimee_storinit_t)
seutil_domtrans_setfiles(aimee_storinit_t)
# Directories on a freshly created filesystem carry no label yet
# (unlabeled_t) until relabeled -- presumably why this is needed.
kernel_manage_unlabeled_dirs(aimee_storinit_t)
# Full write and relabel access to /etc/shadow (shadow_t).  Together
# with the mounton rule at the end of this section this is the most
# sensitive grant in the module.
auth_manage_shadow(aimee_storinit_t)
auth_relabel_shadow(aimee_storinit_t)
files_manage_var_dirs(aimee_storinit_t)
files_relabel_var_dirs(aimee_storinit_t)
files_manage_var_files(aimee_storinit_t)
files_manage_var_symlinks(aimee_storinit_t)

# Types populated and relabeled on the persistent storage.  Each group
# below grants create/delete (manage_*) plus relabelfrom/relabelto
# (relabel_*) on the same type; presumably content is created or copied
# first and labeled afterwards.  Note that logfile is an attribute, so
# the log rules cover every log type in the policy, not just var_log_t.
gen_require(`
type var_lib_t, var_lock_t, var_run_t;
type semanage_store_t;
type semanage_read_lock_t, semanage_trans_lock_t;
type system_dbusd_var_lib_t;
type init_var_lib_t;
type auditd_log_t;
type tmp_t;
type etc_t;
type shadow_t;
attribute logfile;
')
manage_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
relabel_dirs_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
relabel_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
relabel_lnk_files_pattern(aimee_storinit_t, var_lib_t, var_lib_t)
# /var/lock: symlinks only.
manage_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
relabel_lnk_files_pattern(aimee_storinit_t, var_lock_t, var_lock_t)
manage_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
relabel_dirs_pattern(aimee_storinit_t, var_run_t, var_run_t)
manage_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
relabel_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
manage_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
relabel_lnk_files_pattern(aimee_storinit_t, var_run_t, var_run_t)
# SELinux module store and its lock files.
manage_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
relabel_dirs_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
manage_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
relabel_files_pattern(aimee_storinit_t, semanage_store_t, semanage_store_t)
manage_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
relabel_dirs_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
manage_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
relabel_files_pattern(aimee_storinit_t, semanage_read_lock_t, semanage_read_lock_t)
manage_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
relabel_dirs_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
manage_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
relabel_files_pattern(aimee_storinit_t, semanage_trans_lock_t, semanage_trans_lock_t)
# D-Bus and init state under /var/lib.
manage_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
relabel_dirs_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
relabel_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
relabel_lnk_files_pattern(aimee_storinit_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
manage_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
relabel_dirs_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
manage_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
relabel_files_pattern(aimee_storinit_t, init_var_lib_t, init_var_lib_t)
# All log types (attribute) plus the audit log explicitly.
manage_dirs_pattern(aimee_storinit_t, logfile, logfile)
relabel_dirs_pattern(aimee_storinit_t, logfile, logfile)
manage_files_pattern(aimee_storinit_t, logfile, logfile)
relabel_files_pattern(aimee_storinit_t, logfile, logfile)
manage_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
relabel_dirs_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
manage_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
relabel_files_pattern(aimee_storinit_t, auditd_log_t, auditd_log_t)
manage_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
relabel_dirs_pattern(aimee_storinit_t, tmp_t, tmp_t)
manage_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
relabel_files_pattern(aimee_storinit_t, tmp_t, tmp_t)
# /etc: directories only; no file-level manage or relabel on etc_t here.
manage_dirs_pattern(aimee_storinit_t, etc_t, etc_t)
relabel_dirs_pattern(aimee_storinit_t, etc_t, etc_t)
# Use a shadow_t file as a mount point, i.e. bind-mount over /etc/shadow
# (presumably the persistent copy over the read-only root one -- confirm
# against the init-storage script).
allow aimee_storinit_t shadow_t:file mounton;
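########################################
#
# system-update local policy
#
# Interactive tool entered from sysadm_t (aimee_os_run_system_update at
# the end of this section).  It talks TCP to the update source, unpacks
# into a private /tmp directory, writes raw fixed disks and mounts or
# unmounts filesystems -- i.e. it can replace the installed system, so
# the servers it contacts and the payload it writes are the trust
# boundary to watch.
#

# chown/fowner/fsetid: ownership and mode handling on extracted files.
# sys_admin: required by mount(2), which runs in this domain (mount_exec).
allow aimee_sysupdate_t self:capability { chown fowner fsetid sys_admin };
allow aimee_sysupdate_t self:fifo_file rw_fifo_file_perms;
# TCP sockets; the peers it may connect to are limited by the
# corenet_tcp_connect_* rules below.
allow aimee_sysupdate_t self:tcp_socket create_stream_socket_perms;

# Private scratch directory under /tmp.
files_tmp_filetrans(aimee_sysupdate_t, aimee_sysupdate_tmp_t, dir)
manage_dirs_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)
manage_files_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, aimee_sysupdate_tmp_t)

# A file named "install" created inside the scratch directory is labeled
# bin_t so it can be run via corecmd_exec_bin.  bin_t is declared in
# corecommands, so it is required here like every other foreign type in
# this module.  bin_t is executable by most domains; the only thing
# limiting access to that file is the surrounding aimee_sysupdate_tmp_t
# directory, so keep the scratch directory private.
gen_require(`
type bin_t;
')
filetrans_pattern(aimee_sysupdate_t, aimee_sysupdate_tmp_t, bin_t, file, "install")

# Interactive use from the administrator's terminal and inherited fds.
domain_use_interactive_fds(aimee_sysupdate_t)
userdom_use_inherited_user_terminals(aimee_sysupdate_t)
corecmd_exec_bin(aimee_sysupdate_t)
selinux_get_fs_mount(aimee_sysupdate_t)
seutil_read_config(aimee_sysupdate_t)
userdom_search_user_home_dirs(aimee_sysupdate_t)
kernel_read_system_state(aimee_sysupdate_t)
# Filesystem tools run in this domain (no fsadm_t transition, unlike
# init-storage).
fstools_exec(aimee_sysupdate_t)
fstools_manage_runtime_files(aimee_sysupdate_t)
miscfiles_read_localization(aimee_sysupdate_t)
# Raw read AND write of fixed disks: this is how the update is written.
storage_raw_rw_fixed_disk(aimee_sysupdate_t)
dev_read_sysfs(aimee_sysupdate_t)
files_read_etc_files(aimee_sysupdate_t)
# Name resolution through systemd-resolved.
systemd_read_resolved_runtime(aimee_sysupdate_t)
systemd_stream_connect_resolved(aimee_sysupdate_t)
# Update server ports: http_port_t plus soundd_port_t -- presumably
# because the server is reached on a port refpolicy files under that
# name (8000/tcp is one of them); confirm against the update URL.
corenet_tcp_connect_http_port(aimee_sysupdate_t)
corenet_tcp_connect_soundd_port(aimee_sysupdate_t)
# Broad: create/delete any file or directory whose type is not a
# security type (shadow_t, the policy store, etc. are excluded).  This
# is what lets the tool lay down the new system tree.
files_manage_non_security_dirs(aimee_sysupdate_t)
files_manage_non_security_files(aimee_sysupdate_t)
# mount runs in this domain; any filesystem type may be (un)mounted.
mount_exec(aimee_sysupdate_t)
mount_list_runtime(aimee_sysupdate_t)
fs_getattr_all_fs(aimee_sysupdate_t)
fs_mount_all_fs(aimee_sysupdate_t)
fs_unmount_all_fs(aimee_sysupdate_t)
# System bus client that talks to logind (e.g. reboot -- confirm).
dbus_system_bus_client(aimee_sysupdate_t)
systemd_dbus_chat_logind(aimee_sysupdate_t)
logging_send_syslog_msg(aimee_sysupdate_t)
# Mount on top of any non-security file type.
files_mounton_non_security(aimee_sysupdate_t)

# Let an administrator start the tool.  The interface is defined in the
# module interface file, not here.
gen_require(`
type sysadm_t;
role sysadm_r;
')
aimee_os_run_system_update(sysadm_t, sysadm_r)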
########################################
#
# factory-reset local policy
#
# Init-started helper.  Raw read/write of fixed disks is the rule that
# matters here: presumably what a reset uses to wipe or rewrite the
# data partition (inferred from the name -- confirm against the script).
#

# sys_admin: no mount interface is granted in this section, so confirm
# which step (fs tool ioctls, mount) actually needs it.
allow aimee_factory_reset_t self:capability { sys_admin };
allow aimee_factory_reset_t self:fifo_file rw_fifo_file_perms;
corecmd_exec_bin(aimee_factory_reset_t)
dev_read_sysfs(aimee_factory_reset_t)
kernel_read_system_state(aimee_factory_reset_t)
# Filesystem tools run in this domain (no fsadm_t transition).
fstools_exec(aimee_factory_reset_t)
fstools_manage_runtime_files(aimee_factory_reset_t)
miscfiles_read_localization(aimee_factory_reset_t)
# Raw read and write of fixed disks.
storage_raw_rw_fixed_disk(aimee_factory_reset_t)
########################################
#
# set-root-password local policy
#
# Interactive tool entered from sysadm_t (aimee_os_run_set_root_password
# at the end of this section).  It runs passwd (transition to passwd_t)
# against a writable /etc, using a private /tmp directory that also
# serves as a mount point, and writes/relabels shadow_t itself as well.
#

gen_require(`
class passwd { passwd };
')
# sys_admin: required by mount(2) for the mounts below.
allow aimee_set_root_password_t self:capability { sys_admin };
allow aimee_set_root_password_t self:fifo_file rw_fifo_file_perms;
# Lets the process choose the label of files it creates.
allow aimee_set_root_password_t self:process setfscreate;
# Self-signalling and self-ptrace.  ptrace on self is unusual for a
# password tool; confirm which step needs it before keeping it.
allow aimee_set_root_password_t self:process { ptrace sigkill sigstop signal };
# The passwd class permission that the password utilities check in
# userspace.
allow aimee_set_root_password_t self:passwd passwd;

# Private scratch directory under /tmp; the relabel rule pairs with the
# setfscreate permission above.
files_tmp_filetrans(aimee_set_root_password_t, aimee_set_root_password_tmp_t, dir)
manage_dirs_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
manage_files_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)
relabel_files_pattern(aimee_set_root_password_t, aimee_set_root_password_tmp_t, aimee_set_root_password_tmp_t)

# Interactive use from the administrator's terminal and inherited fds.
domain_use_interactive_fds(aimee_set_root_password_t)
userdom_use_inherited_user_terminals(aimee_set_root_password_t)
userdom_search_user_home_dirs(aimee_set_root_password_t)
corecmd_exec_bin(aimee_set_root_password_t)
selinux_get_fs_mount(aimee_set_root_password_t)
seutil_read_config(aimee_set_root_password_t)
miscfiles_read_localization(aimee_set_root_password_t)
# Mount points used: the root directory, /etc directories and the own
# scratch directory.  mount is not executed in this domain (no
# mount_exec), so it is expected to run as mount_t -- see the mount_t
# rule further down.
files_mounton_root(aimee_set_root_password_t)
# Presumably execute of the set-root-password entrypoint in this domain
# (a re-exec of the script); the interface is defined in the module
# interface file, not here -- confirm.
aimee_os_set_root_password_exec(aimee_set_root_password_t)
mount_list_runtime(aimee_set_root_password_t)
fs_getattr_all_fs(aimee_set_root_password_t)
fs_mount_all_fs(aimee_set_root_password_t)
fs_unmount_all_fs(aimee_set_root_password_t)
files_read_var_lib_files(aimee_set_root_password_t)
# Writes and relabels /etc content and /etc/shadow directly, on top of
# what passwd_t does after the transition below.
files_manage_etc_files(aimee_set_root_password_t)
files_relabel_etc_files(aimee_set_root_password_t)
files_manage_etc_dirs(aimee_set_root_password_t)
auth_manage_shadow(aimee_set_root_password_t)
auth_relabel_shadow(aimee_set_root_password_t)
files_mounton_etc_dirs(aimee_set_root_password_t)
# The actual password change goes through passwd running as passwd_t.
usermanage_domtrans_passwd(aimee_set_root_password_t)
dev_read_sysfs(aimee_set_root_password_t)
aimee_os_manage_set_root_password_tmp_files(aimee_set_root_password_t)

gen_require(`
type mount_t;
type passwd_t;
')
# The scratch directory doubles as a mount point, for this domain and
# for mount_t; passwd_t gets the same scratch-file access so the
# transitioned passwd can work on files staged there.
allow aimee_set_root_password_t aimee_set_root_password_tmp_t:dir mounton;
allow mount_t aimee_set_root_password_tmp_t:dir mounton;
aimee_os_manage_set_root_password_tmp_files(passwd_t)

# sysadm_t/sysadm_r are already required in the system-update section;
# repeating the gen_require is harmless.
gen_require(`
type sysadm_t;
role sysadm_r;
')
aimee_os_run_set_root_password(sysadm_t, sysadm_r)
########################################
#
# Additional policy rules for Aimee OS-specific behavior
#

# Allow ssh-keygen to create host key files in /var/lib/ssh
#
# var_lib_t is the generic /var/lib type, so rw_dir_perms here covers
# every directory below /var/lib that carries the generic label, not
# only /var/lib/ssh; labeling /var/lib/ssh with its own type (or with
# sshd_key_t) would scope this tighter.  The unnamed filetrans_pattern
# likewise turns every file ssh_keygen_t creates in any var_lib_t
# directory into sshd_key_t.
gen_require(`
type ssh_keygen_t;
type sshd_key_t, var_lib_t;
')
allow ssh_keygen_t var_lib_t:dir rw_dir_perms;
filetrans_pattern(ssh_keygen_t, var_lib_t, sshd_key_t, file)

# Allow login to execute /bin/busybox (via /bin/sh symlink)
# (presumably busybox is labeled bin_t; it runs in local_login_t with no
# domain transition.)
gen_require(`
type local_login_t;
')
corecmd_exec_bin(local_login_t)

# Allow root to log in on the serial console
# (use of file descriptors inherited from init -- presumably the console
# opened by init for the getty; confirm.)
gen_require(`
type sysadm_t;
')
init_use_fds(sysadm_t)