/usr/share/selinux/ubuntu/include/services/razor.if is in selinux-policy-ubuntu-dev 0.2.20091117-0ubuntu2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 | ## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
## <desc>
## <p>
## A distributed, collaborative, spam detection and filtering network.
## </p>
## <p>
## This policy will work with either the ATrpms provided config
## file in /etc/razor, or with the default of dumping everything into
## $HOME/.razor.
## </p>
## </desc>
#######################################
## <summary>
## Template to create types and rules common to
## all razor domains.
## </summary>
## <param name="prefix">
## <summary>
## The prefix of the domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
#
template(`razor_common_domain_template',`
gen_require(`
type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
')
type $1_t;
domain_type($1_t)
domain_entry_file($1_t, razor_exec_t)
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:fd use;
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket sendto;
allow $1_t self:unix_stream_socket connectto;
allow $1_t self:shm create_shm_perms;
allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
allow $1_t self:tcp_socket create_socket_perms;
# Read system config file
allow $1_t razor_etc_t:dir list_dir_perms;
allow $1_t razor_etc_t:file read_file_perms;
allow $1_t razor_etc_t:lnk_file { getattr read };
manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
manage_files_pattern($1_t, razor_log_t, razor_log_t)
manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
logging_log_filetrans($1_t, razor_log_t, file)
manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
files_search_var_lib($1_t)
# Razor is one executable and several symlinks
allow $1_t razor_exec_t:file read_file_perms;
allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
kernel_read_kernel_sysctls($1_t)
corecmd_exec_bin($1_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_raw_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_generic_node($1_t)
corenet_raw_sendrecv_generic_node($1_t)
corenet_tcp_sendrecv_razor_port($1_t)
# mktemp and other randoms
dev_read_rand($1_t)
dev_read_urand($1_t)
files_search_pids($1_t)
# Allow access to various files in the /etc/directory including mtab
# and nsswitch
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
fs_search_auto_mountpoints($1_t)
libs_read_lib_files($1_t)
miscfiles_read_localization($1_t)
sysnet_read_config($1_t)
sysnet_dns_name_resolve($1_t)
optional_policy(`
nis_use_ypbind($1_t)
')
')
########################################
## <summary>
## Role access for razor
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`razor_role',`
gen_require(`
type razor_t, razor_exec_t, razor_home_t;
')
role $1 types razor_t;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, razor_exec_t, razor_t)
# allow ps to show razor and allow the user to kill it
ps_process_pattern($2, razor_t)
allow $2 razor_t:process signal;
manage_dirs_pattern($2, razor_home_t, razor_home_t)
manage_files_pattern($2, razor_home_t, razor_home_t)
manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
relabel_dirs_pattern($2, razor_home_t, razor_home_t)
relabel_files_pattern($2, razor_home_t, razor_home_t)
relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
')
########################################
## <summary>
## Execute razor in the system razor domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`razor_domtrans',`
gen_require(`
type razor_t, razor_exec_t;
')
domtrans_pattern($1, razor_exec_t, razor_t)
')
|