- (block guix_daemon
-
- (typeattributeset cil_gen_require domain)
- (typeattributeset cil_gen_require init_t)
- (typeattributeset cil_gen_require init_var_run_t)
- (typeattributeset cil_gen_require nscd_var_run_t)
- (typeattributeset cil_gen_require system_dbusd_var_run_t)
- (typeattributeset cil_gen_require tmp_t)
- (typeattributeset cil_gen_require var_log_t)
-
- (type guix_daemon_t)
- (roletype object_r guix_daemon_t)
- (type guix_daemon_conf_t)
- (roletype object_r guix_daemon_conf_t)
- (typeattributeset file_type guix_daemon_conf_t)
- (type guix_daemon_exec_t)
- (roletype object_r guix_daemon_exec_t)
- (typeattributeset file_type guix_daemon_exec_t)
- (type guix_daemon_socket_t)
- (roletype object_r guix_daemon_socket_t)
- (typeattributeset file_type guix_daemon_socket_t)
- (type guix_store_content_t)
- (roletype object_r guix_store_content_t)
- (typeattributeset file_type guix_store_content_t)
- (type guix_profiles_t)
- (roletype object_r guix_profiles_t)
- (typeattributeset file_type guix_profiles_t)
-
- (typeattributeset domain (guix_daemon_t guix_daemon_exec_t))
- (level low (s0))
-
-
- (typetransition init_t guix_daemon_exec_t
- process guix_daemon_t)
- (typetransition guix_store_content_t guix_daemon_exec_t
- process guix_daemon_t)
- (roletype system_r guix_daemon_t)
-
- (allow init_t
- guix_profiles_t
- (lnk_file (read)))
- (allow init_t
- guix_daemon_exec_t
- (file (execute)))
- (allow init_t
- guix_daemon_t
- (process (transition)))
- (allow init_t
- guix_store_content_t
- (lnk_file (read)))
- (allow init_t
- guix_store_content_t
- (file (open read execute)))
- (allow init_t
- guix_profiles_t
- (dir (setattr)))
-
- (allow guix_daemon_t
- passwd_file_t
- (file (getattr open read)))
-
- (allow guix_daemon_t
- nscd_var_run_t
- (file (map read)))
- (allow guix_daemon_t
- nscd_var_run_t
- (dir (search)))
- (allow guix_daemon_t
- nscd_var_run_t
- (sock_file (write)))
- (allow guix_daemon_t
- nscd_t
- (fd (use)))
- (allow guix_daemon_t
- nscd_t
- (unix_stream_socket (connectto)))
- (allow guix_daemon_t nscd_t
- (nscd (getgrp gethost getpwd getserv shmemgrp shmemhost shmempwd shmemserv)))
-
- (allow guix_daemon_t http_port_t
- (tcp_socket (name_connect)))
- (allow guix_daemon_t ftp_port_t
- (tcp_socket (name_connect)))
- (allow guix_daemon_t ephemeral_port_t
- (tcp_socket (name_connect)))
-
- (allow guix_daemon_t
- tmp_t
- (lnk_file (create rename setattr unlink)))
- (allow guix_daemon_t
- tmp_t
- (file (link
- rename create execute execute_no_trans write
- unlink setattr map relabelto relabelfrom)))
- (allow guix_daemon_t
- tmp_t
- (fifo_file (open read write create getattr ioctl setattr unlink)))
- (allow guix_daemon_t
- tmp_t
- (dir (create rename
- rmdir relabelto relabelfrom reparent
- add_name remove_name
- open read write
- getattr setattr
- search)))
- (allow guix_daemon_t
- tmp_t
- (sock_file (create getattr setattr unlink write)))
- (allow guix_daemon_t
- var_log_t
- (file (create getattr open write)))
- (allow guix_daemon_t
- var_log_t
- (dir (getattr create write add_name)))
- (allow guix_daemon_t
- var_run_t
- (lnk_file (read)))
- (allow guix_daemon_t
- var_run_t
- (dir (search)))
-
- (allow guix_daemon_t
- self
- (process (fork execmem setrlimit setpgid setsched)))
- (allow guix_daemon_t
- guix_daemon_exec_t
- (file (execute
- execute_no_trans read write open entrypoint map
- getattr link unlink)))
-
- (allow guix_daemon_t
- fs_t
- (filesystem (remount)))
-
- (allow guix_daemon_t
- root_t
- (dir (mounton)))
- (allow guix_daemon_t
- fs_t
- (filesystem (getattr)))
- (allow guix_daemon_conf_t
- fs_t
- (filesystem (associate)))
-
- (allow guix_daemon_t
- guix_store_content_t
- (file (ioctl mounton)))
- (allow guix_store_content_t
- fs_t
- (filesystem (associate)))
- (allow guix_daemon_t
- guix_store_content_t
- (dir (read mounton)))
- (allow guix_daemon_t
- guix_daemon_t
- (capability (net_admin
- fsetid fowner
- chown setuid setgid
- dac_override dac_read_search
- sys_chroot
- sys_admin)))
- (allow guix_daemon_t
- fs_t
- (filesystem (unmount)))
- (allow guix_daemon_t
- devpts_t
- (dir (search)))
- (allow guix_daemon_t
- devpts_t
- (filesystem (mount)))
- (allow guix_daemon_t
- devpts_t
- (chr_file (ioctl open read write setattr getattr)))
- (allow guix_daemon_t
- tmpfs_t
- (filesystem (getattr mount)))
- (allow guix_daemon_t
- tmpfs_t
- (file (create open read unlink write)))
- (allow guix_daemon_t
- tmp_t
- (file (create open read unlink write)))
- (allow guix_daemon_t
- tmpfs_t
- (dir (getattr add_name remove_name write)))
- (allow guix_daemon_t
- proc_t
- (file (getattr open read)))
- (allow guix_daemon_t
- proc_t
- (dir (read)))
- (allow guix_daemon_t
- proc_t
- (filesystem (associate mount)))
- (allow guix_daemon_t
- null_device_t
- (chr_file (getattr open read write)))
- (allow guix_daemon_t
- kvm_device_t
- (chr_file (getattr)))
- (allow guix_daemon_t
- zero_device_t
- (chr_file (getattr)))
- (allow guix_daemon_t
- urandom_device_t
- (chr_file (getattr)))
- (allow guix_daemon_t
- random_device_t
- (chr_file (getattr)))
- (allow guix_daemon_t
- devtty_t
- (chr_file (getattr)))
-
- (allow guix_daemon_t
- guix_store_content_t
- (dir (reparent
- create
- getattr setattr
- search rename
- add_name remove_name
- open write
- rmdir relabelfrom)))
- (allow guix_daemon_t
- guix_store_content_t
- (file (create
- lock
- setattr getattr
- execute execute_no_trans
- link unlink
- map
- rename
- append
- open read write relabelfrom)))
- (allow guix_daemon_t
- guix_store_content_t
- (lnk_file (create
- getattr setattr
- link unlink
- read
- rename)))
- (allow guix_daemon_t
- guix_store_content_t
- (fifo_file (create getattr open read unlink write)))
- (allow guix_daemon_t
- guix_store_content_t
- (sock_file (create getattr setattr unlink write)))
-
- (allow guix_daemon_t
- system_dbusd_var_run_t
- (dir (search)))
- (allow guix_daemon_t
- init_var_run_t
- (dir (search)))
-
- (allow guix_daemon_t
- guix_daemon_conf_t
- (dir (search create
- setattr getattr
- add_name remove_name
- open read write)))
- (allow guix_daemon_t
- guix_daemon_conf_t
- (file (create rename
- lock
- map
- getattr setattr
- unlink
- open read write)))
- (allow guix_daemon_t
- guix_daemon_conf_t
- (lnk_file (create getattr rename unlink read)))
- (allow guix_daemon_t net_conf_t
- (file (getattr open read)))
- (allow guix_daemon_t net_conf_t
- (lnk_file (read)))
- (allow guix_daemon_t NetworkManager_var_run_t
- (dir (search)))
-
- (allow guix_daemon_t
- guix_profiles_t
- (dir (search getattr setattr read write open create add_name)))
- (allow guix_daemon_t
- guix_profiles_t
- (lnk_file (read getattr)))
-
-
- (allow guix_daemon_t
- user_home_t
- (lnk_file (read getattr)))
- (allow guix_daemon_t
- user_home_t
- (dir (search)))
- (allow guix_daemon_t
- cache_home_t
- (dir (search)))
- (allow guix_daemon_t
- cache_home_t
- (lnk_file (getattr read)))
-
- (allow guix_daemon_t
- self
- (dir (add_name write)))
- (allow guix_daemon_t
- self
- (netlink_route_socket (bind create getattr nlmsg_read read write getopt)))
-
- (allow guix_daemon_t
- guix_daemon_socket_t
- (sock_file (unlink write)))
- (allow guix_daemon_t
- init_t
- (fd (use)))
- (allow guix_daemon_t
- init_t
- (unix_stream_socket (write)))
- (allow guix_daemon_t
- guix_daemon_conf_t
- (unix_stream_socket (listen)))
- (allow guix_daemon_t
- guix_daemon_conf_t
- (sock_file (create unlink write)))
- (allow guix_daemon_t
- self
- (unix_stream_socket (create
- read write
- connect bind accept
- getopt setopt)))
- (allow guix_daemon_t
- self
- (tcp_socket (accept listen bind connect create setopt getopt getattr ioctl read write shutdown)))
- (allow guix_daemon_t
- unreserved_port_t
- (tcp_socket (name_bind name_connect accept listen)))
- (allow guix_daemon_t
- self
- (udp_socket (connect getattr bind getopt setopt read write)))
- (allow guix_daemon_t
- self
- (fifo_file (write read)))
- (allow guix_daemon_t
- self
- (udp_socket (ioctl create)))
- (allow guix_daemon_t
- self
- (unix_stream_socket (connectto)))
- (allow guix_daemon_t
- self
- (unix_dgram_socket (create bind connect sendto read write)))
-
- (allow guix_daemon_t
- self
- (capability (kill)))
- (allow guix_daemon_t
- node_t
- (tcp_socket (node_bind)))
- (allow guix_daemon_t
- node_t
- (udp_socket (node_bind)))
- (allow guix_daemon_t
- port_t
- (tcp_socket (name_connect)))
- (allow guix_daemon_t
- tmpfs_t
- (file (map read write link getattr)))
- (allow guix_daemon_t
- usermodehelper_t
- (file (read)))
- (allow guix_daemon_t
- hugetlbfs_t
- (file (map read write)))
- (allow guix_daemon_t
- proc_net_t
- (file (read)))
- (allow guix_daemon_t
- postgresql_port_t
- (tcp_socket (name_connect name_bind)))
- (allow guix_daemon_t
- rtp_media_port_t
- (udp_socket (name_bind)))
- (allow guix_daemon_t
- vnc_port_t
- (tcp_socket (name_bind)))
-
- (allow guix_daemon_t
- random_device_t
- (chr_file (read)))
-
- (allow guix_daemon_t
- kvm_device_t
- (chr_file (ioctl open read write)))
- (allow guix_daemon_t
- kernel_t
- (system (ipc_info)))
-
- (filecon "@guix_sysconfdir@/guix(/.*)?"
- any (system_u object_r guix_daemon_conf_t (low low)))
- (filecon "@guix_localstatedir@/guix(/.*)?"
- any (system_u object_r guix_daemon_conf_t (low low)))
- (filecon "@guix_localstatedir@/guix/profiles(/.*)?"
- any (system_u object_r guix_profiles_t (low low)))
- (filecon "/gnu"
- dir (unconfined_u object_r guix_store_content_t (low low)))
- (filecon "@storedir@(/.+)?"
- any (unconfined_u object_r guix_store_content_t (low low)))
- (filecon "@storedir@/[^/]+/.+"
- any (unconfined_u object_r guix_store_content_t (low low)))
- (filecon "@prefix@/bin/guix-daemon"
- file (system_u object_r guix_daemon_exec_t (low low)))
- (filecon "@guix_localstatedir@/guix/profiles/per-user/[^/]+/current-guix/bin/guix-daemon"
- file (system_u object_r guix_daemon_exec_t (low low)))
- (filecon "@storedir@/.+-(guix-.+|profile)/bin/guix-daemon"
- file (system_u object_r guix_daemon_exec_t (low low)))
- (filecon "@storedir@/[a-z0-9]+-guix-daemon"
- file (system_u object_r guix_daemon_exec_t (low low)))
- (filecon "@guix_localstatedir@/guix/daemon-socket/socket"
- any (system_u object_r guix_daemon_socket_t (low low))))