
/usr/share/selinux/ubuntu/include/services/razor.if is in selinux-policy-ubuntu-dev 0.2.20091117-0ubuntu2.

This file is owned by root:root, with mode 0o644.


## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
## <desc>
##	<p>
##	A distributed, collaborative, spam detection and filtering network.
##	</p>
##	<p>
##	This policy will work with either the ATrpms provided config
##	file in /etc/razor, or with the default of dumping everything into
##	$HOME/.razor.
##	</p>
## </desc>

#######################################
## <summary>
##	Template to create types and rules common to
##	all razor domains.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
template(`razor_common_domain_template',`
	gen_require(`
		type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
	')
	# Derived domain for this prefix; it is entered by executing razor_exec_t.
	type $1_t;
	domain_type($1_t)
	domain_entry_file($1_t, razor_exec_t)

	# Negated set: every process permission EXCEPT the listed ones is granted,
	# including any process permission added to the policy later. The list
	# keeps ptrace, context changes (setcurrent/setexec/setfscreate), rlimit
	# changes and executable-memory mappings (execmem/execstack/execheap)
	# denied for the derived domain.
	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_fifo_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:unix_dgram_socket sendto;
	allow $1_t self:unix_stream_socket connectto;
	# SysV IPC on its own objects (shared memory, semaphores, message queues).
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	allow $1_t self:tcp_socket create_socket_perms;

	# Read system config file (razor_etc_t). Read-only: no write or create
	# permission on the config is granted here, only list/read/getattr.
	allow $1_t razor_etc_t:dir list_dir_perms;
	allow $1_t razor_etc_t:file read_file_perms;
	allow $1_t razor_etc_t:lnk_file { getattr read };

	# Full management of the razor log files; files the domain creates in the
	# generic log directory are given the razor_log_t type by the filetrans.
	manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
	manage_files_pattern($1_t, razor_log_t, razor_log_t)
	manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
	logging_log_filetrans($1_t, razor_log_t, file)

	# Full management of the razor state under /var/lib (razor_var_lib_t),
	# plus search on the parent /var/lib directory to reach it.
	manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
	manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
	manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
	files_search_var_lib($1_t)

	# Razor is one executable and several symlinks, so the entry point must
	# be readable as both a file and a symlink.
	allow $1_t razor_exec_t:file read_file_perms;
	allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;

	# Kernel state it may read (/proc system and network state, software
	# RAID state, kernel sysctls); getattr only on the core and message interfaces.
	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	kernel_read_software_raid_state($1_t)
	kernel_getattr_core_if($1_t)
	kernel_getattr_message_if($1_t)
	kernel_read_kernel_sysctls($1_t)

	# May execute generic binaries (bin_t) without a domain transition.
	corecmd_exec_bin($1_t)

	# Network access: receive from unlabeled and NetLabel peers, TCP and raw
	# traffic on generic interfaces/nodes, and TCP to the razor port.
	corenet_all_recvfrom_unlabeled($1_t)
	corenet_all_recvfrom_netlabel($1_t)
	corenet_tcp_sendrecv_generic_if($1_t)
	corenet_raw_sendrecv_generic_if($1_t)
	corenet_tcp_sendrecv_generic_node($1_t)
	corenet_raw_sendrecv_generic_node($1_t)
	corenet_tcp_sendrecv_razor_port($1_t)

	# mktemp and other randoms
	dev_read_rand($1_t)
	dev_read_urand($1_t)

	files_search_pids($1_t)
	# Allow access to various files in the /etc/directory including mtab
	# and nsswitch
	files_read_etc_files($1_t)
	files_read_etc_runtime_files($1_t)

	fs_search_auto_mountpoints($1_t)

	libs_read_lib_files($1_t)

	miscfiles_read_localization($1_t)

	# Network config and DNS resolution (needed to reach the razor servers).
	sysnet_read_config($1_t)
	sysnet_dns_name_resolve($1_t)

	# NIS lookups are only granted when the nis module is present.
	optional_policy(`
		nis_use_ypbind($1_t)
	')
')

########################################
## <summary>
##	Role access for razor
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`razor_role',`
	gen_require(`
		type razor_t, razor_exec_t, razor_home_t;
	')

	# Let the role run processes in razor_t.
	role $1 types razor_t;

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, razor_exec_t, razor_t)

	# allow ps to show razor and allow the user to kill it
	# (only the plain signal permission is granted, not sigkill/ptrace).
	ps_process_pattern($2, razor_t)
	allow $2 razor_t:process signal;

	# The user domain fully manages and relabels the razor files in its
	# home directory (razor_home_t): dirs, files and symlinks.
	manage_dirs_pattern($2, razor_home_t, razor_home_t)
	manage_files_pattern($2, razor_home_t, razor_home_t)
	manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
	relabel_dirs_pattern($2, razor_home_t, razor_home_t)
	relabel_files_pattern($2, razor_home_t, razor_home_t)
	relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
')

########################################
## <summary>
##	Execute razor in the system razor domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`razor_domtrans',`
	gen_require(`
		type razor_t, razor_exec_t;
	')

	# Executing razor_exec_t from $1 enters the system razor_t domain.
	# This grants the transition only; it does not add razor_t to any role,
	# so callers with a restricted role also need razor_role().
	domtrans_pattern($1, razor_exec_t, razor_t)
')