source: trunk/selinux/arm4.te @ 704

policy_module(arm4,1.0.0)

########################################
#
# Declarations
#

type arm4_t;
type arm4_exec_t;
init_daemon_domain(arm4_t, arm4_exec_t)

type arm4_script_exec_t;
init_script_file(arm4_script_exec_t)

type arm4_tmp_t;
files_tmp_file(arm4_tmp_t)

type arm4_var_run_t;
files_pid_file(arm4_var_run_t)

type arm4_var_lib_t;
files_type(arm4_var_lib_t)

########################################
#
# arm4 local policy
#

# Init script handling
domain_use_interactive_fds(arm4_t)

# internal communication is often done using fifo and unix sockets.
allow arm4_t self:fifo_file rw_file_perms;
allow arm4_t self:unix_stream_socket create_stream_socket_perms;
allow arm4_t self:msgq { create unix_read unix_write associate enqueue read write };
allow arm4_t self:shm { create unix_read unix_write associate read write };
allow arm4_t self:sem { create unix_read unix_write associate read write };
allow arm4_t self:process { signal signull };
#allow arm4_t proc_t:file { read getattr };
#allow arm4_t tmpfs_t:file { read write };

# Capabilities required by the daemon
allow arm4_t self:capability { chown setgid setuid dac_override };

files_read_etc_files(arm4_t)

libs_use_ld_so(arm4_t)
libs_use_shared_libs(arm4_t)

miscfiles_read_localization(arm4_t)


allow arm4_t arm4_tmp_t:file { manage_file_perms read write };
allow arm4_t arm4_tmp_t:dir create_dir_perms;
files_tmp_filetrans(arm4_t,arm4_tmp_t, { file dir })

manage_dirs_pattern(arm4_t, arm4_var_run_t,  arm4_var_run_t)
manage_files_pattern(arm4_t, arm4_var_run_t,  arm4_var_run_t)
files_pid_filetrans(arm4_t,arm4_var_run_t, { file dir })

manage_dirs_pattern(arm4_t, arm4_var_lib_t,  arm4_var_lib_t)
manage_files_pattern(arm4_t, arm4_var_lib_t,  arm4_var_lib_t)
files_var_lib_filetrans(arm4_t, arm4_var_lib_t, { file dir } )

logging_send_syslog_msg(arm4_t)