|
 |
1ec3d1a |
policy_module(polipo, 1.0.0)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# Declarations
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
## <desc>
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## Determine whether polipo can
|
|
|
1ec3d1a |
## access cifs file systems.
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## </desc>
|
|
|
1ec3d1a |
gen_tunable(polipo_use_cifs, false)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
## <desc>
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## Determine whether Polipo can
|
|
|
1ec3d1a |
## access nfs file systems.
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## </desc>
|
|
|
1ec3d1a |
gen_tunable(polipo_use_nfs, false)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
## <desc>
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## Determine whether Polipo session daemon
|
|
|
1ec3d1a |
## can bind tcp sockets to all unreserved ports.
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## </desc>
|
|
|
1ec3d1a |
gen_tunable(polipo_session_bind_all_unreserved_ports, false)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
## <desc>
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## Determine whether calling user domains
|
|
|
1ec3d1a |
## can execute Polipo daemon in the
|
|
|
1ec3d1a |
## polipo_session_t domain.
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## </desc>
|
|
|
1ec3d1a |
gen_tunable(polipo_session_users, false)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
## <desc>
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## Allow polipo to connect to all ports > 1023
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## </desc>
|
|
|
1ec3d1a |
gen_tunable(polipo_connect_all_unreserved, false)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
attribute polipo_daemon;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type polipo_t, polipo_daemon;
|
|
|
1ec3d1a |
type polipo_exec_t;
|
|
|
1ec3d1a |
init_daemon_domain(polipo_t, polipo_exec_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type polipo_initrc_exec_t;
|
|
|
1ec3d1a |
init_script_file(polipo_initrc_exec_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type polipo_etc_t;
|
|
|
1ec3d1a |
files_config_file(polipo_etc_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type polipo_cache_t;
|
|
|
1ec3d1a |
files_type(polipo_cache_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type polipo_log_t;
|
|
|
1ec3d1a |
logging_log_file(polipo_log_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type polipo_pid_t;
|
|
|
1ec3d1a |
files_pid_file(polipo_pid_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type polipo_session_t, polipo_daemon;
|
|
|
1ec3d1a |
application_domain(polipo_session_t, polipo_exec_t)
|
|
|
1ec3d1a |
ubac_constrained(polipo_session_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type polipo_config_home_t;
|
|
|
1ec3d1a |
userdom_user_home_content(polipo_config_home_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type polipo_cache_home_t;
|
|
|
1ec3d1a |
userdom_user_home_content(polipo_cache_home_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type polipo_unit_file_t;
|
|
|
1ec3d1a |
systemd_unit_file(polipo_unit_file_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# Global local policy
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow polipo_daemon self:fifo_file rw_fifo_file_perms;
|
|
|
1ec3d1a |
allow polipo_daemon self:tcp_socket { listen accept };
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
corenet_tcp_bind_generic_node(polipo_daemon)
|
|
|
1ec3d1a |
corenet_tcp_sendrecv_generic_if(polipo_daemon)
|
|
|
1ec3d1a |
corenet_tcp_sendrecv_generic_node(polipo_daemon)
|
|
|
1ec3d1a |
corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
|
|
|
1ec3d1a |
corenet_tcp_bind_http_cache_port(polipo_daemon)
|
|
|
1ec3d1a |
corenet_sendrecv_http_cache_server_packets(polipo_daemon)
|
|
|
76a4017 |
corenet_tcp_connect_http_port(polipo_daemon)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
fs_search_auto_mountpoints(polipo_daemon)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# Polipo local policy
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
|
|
|
1ec3d1a |
manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
|
|
|
1ec3d1a |
files_var_filetrans(polipo_t, polipo_cache_t, dir)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
|
|
|
1ec3d1a |
logging_log_filetrans(polipo_t, polipo_log_t, file)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
|
|
|
1ec3d1a |
files_pid_filetrans(polipo_t, polipo_pid_t, file)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
auth_use_nsswitch(polipo_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_send_syslog_msg(polipo_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
cron_system_entry(polipo_t, polipo_exec_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
tunable_policy(`polipo_connect_all_unreserved',`
|
|
|
1ec3d1a |
corenet_tcp_connect_all_unreserved_ports(polipo_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
tunable_policy(`polipo_use_cifs',`
|
|
|
1ec3d1a |
fs_manage_cifs_files(polipo_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
tunable_policy(`polipo_use_nfs',`
|
|
|
1ec3d1a |
fs_manage_nfs_files(polipo_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# Polipo session local policy
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
|
|
|
1ec3d1a |
manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
auth_use_nsswitch(polipo_session_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
userdom_use_user_terminals(polipo_session_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
tunable_policy(`polipo_session_bind_all_unreserved_ports',`
|
|
|
1ec3d1a |
corenet_tcp_sendrecv_all_ports(polipo_session_t)
|
|
|
1ec3d1a |
corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
 |
ab85b47 |
logging_send_syslog_msg(polipo_session_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
userdom_home_manager(polipo_session_t)
|