# SELinux policy module for the Matrix homeserver daemon, which is confined
# in the matrixd_t domain declared further down in this file.
policy_module(matrixd)

########################################
#
# Declarations
#

# NOTE(review): this tunable defaults to true, so the broad network rules in
# the matching tunable_policy block near the end of this file are active
# unless an administrator switches it off, for example with
#   setsebool -P matrix_allow_federation off
# The enabled branch grants TCP connect to unreserved and generic ports, which
# is narrower than the "all TCP ports" wording in the description below.
# UDP bind to generic and reserved ports is granted outside the tunable.
## <desc>
##  <p>
##  Determine whether Matrixd is allowed to federate
##  (bind all UDP ports and connect to all TCP ports).
##  </p>
## </desc>
gen_tunable(matrix_allow_federation, true)

# Defaults to false: the PostgreSQL access rules in the matching
# tunable_policy block only apply once this is explicitly enabled.
## <desc>
##  <p>
##  Determine whether Matrixd can connect to the Postgres database.
##  </p>
## </desc>
gen_tunable(matrix_postgresql_connect, false)

# Process domain for the daemon and the type for its executable.
# init_daemon_domain presumably sets up the transition from init into
# matrixd_t through matrixd_exec_t; confirm against the init interface.
type matrixd_t;
type matrixd_exec_t;
init_daemon_domain(matrixd_t, matrixd_exec_t)

# Configuration files. The local policy below only lists and reads this type,
# so the daemon cannot rewrite its own configuration.
type matrixd_conf_t;
files_config_file(matrixd_conf_t)

# Log files. The local policy below lets the daemon manage files of this type.
type matrixd_log_t;
logging_log_file(matrixd_log_t)

# Temporary files, including files created on tmpfs (see the filetrans rules
# in the local policy). These may also be memory mapped.
type matrixd_tmp_t;
files_tmp_file(matrixd_tmp_t)

# Persistent state. The local policy below lets the daemon manage and mmap
# files and manage directories of this type.
type matrixd_var_t;
files_type(matrixd_var_t)

########################################
#
# Local policy
#

# Self rules: IPC and socket objects the daemon creates for its own use.
allow matrixd_t self:fifo_file rw_file_perms;
allow matrixd_t self:tcp_socket create_stream_socket_perms;
# Read-only netlink route socket access.
allow matrixd_t self:netlink_route_socket r_netlink_socket_perms;

allow matrixd_t self:udp_socket create_socket_perms;
allow matrixd_t self:unix_dgram_socket create_socket_perms;
# execmem is needed for Python callbacks
# https://cffi.readthedocs.io/en/latest/using.html#callbacks
# NOTE(review): execmem permits executable anonymous memory in this domain,
# which removes one barrier against injected code running inside the daemon.
# Keep it limited to matrixd_t and revisit if the cffi callback dependency
# goes away.
allow matrixd_t self:process execmem;

# Temporary files: full management plus map. New files created in the generic
# tmp directories or on tmpfs get the private matrixd_tmp_t label.
allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)

# Configuration is list and read only; no write access is granted here.
allow matrixd_t matrixd_conf_t:dir list_dir_perms;
read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)

# Logs: search the log directory and manage the private log files.
logging_search_logs(matrixd_t)
manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)

# Persistent state: manage and mmap files, manage directories.
mmap_manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
manage_dirs_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
files_search_var_lib(matrixd_t)

kernel_read_system_state(matrixd_t)
kernel_read_vm_overcommit_sysctl(matrixd_t)

# The following in the systemd service file causes a domain transition when
# running python3:
# SELinuxContext=system_u:system_r:matrixd_t:s0
# NOTE(review): corecmd_bin_entry_type makes generic bin files an entry point
# for matrixd_t, presumably because the unit starts the python3 interpreter
# rather than a file labelled matrixd_exec_t; confirm. Going by the interface
# names, generic binaries and shells are executed without leaving matrixd_t,
# so anything the daemon launches keeps the full permission set of this
# domain. Worth narrowing if the service does not need a shell.
corecmd_bin_entry_type(matrixd_t)
corecmd_exec_bin(matrixd_t)
corecmd_exec_shell(matrixd_t)

# Network access that is always granted, independent of any tunable:
# TCP bind on generic nodes and the http port type, outbound TCP to the http
# and http_cache port types, and UDP bind on generic nodes.
# NOTE(review): UDP bind to generic and reserved ports is also unconditional,
# so it remains available when matrix_allow_federation is off. The reason is
# not shown in this file; confirm it is intended.
corenet_tcp_bind_generic_node(matrixd_t)
corenet_tcp_bind_http_port(matrixd_t)
corenet_tcp_connect_http_cache_port(matrixd_t)
corenet_tcp_connect_http_port(matrixd_t)
corenet_udp_bind_generic_node(matrixd_t)
corenet_udp_bind_generic_port(matrixd_t)
corenet_udp_bind_reserved_port(matrixd_t)

dev_read_urand(matrixd_t)

files_read_etc_files(matrixd_t)
files_read_etc_runtime_files(matrixd_t)
files_read_etc_symlinks(matrixd_t)
# for /usr/share/ca-certificates
files_read_usr_files(matrixd_t)

init_search_runtime(matrixd_t)

logging_send_syslog_msg(matrixd_t)

# NOTE(review): the first rule reads the generic TLS private key type rather
# than a key type private to this daemon. If other services store keys under
# the same generic label, a compromise of matrixd_t could expose them too;
# confirm how keys are labelled in deployment.
miscfiles_read_generic_tls_privkey(matrixd_t)
miscfiles_read_generic_certs(matrixd_t)
miscfiles_read_localization(matrixd_t)

sysnet_read_config(matrixd_t)

# NOTE(review): search access to the user runtime root; the reason is not
# documented in this file.
userdom_search_user_runtime_root(matrixd_t)

# Federation switch, controlled by the matrix_allow_federation tunable.
# Enabled branch: outbound TCP to all unreserved ports and to generic ports,
# plus UDP bind on all ports.
# Disabled branch: no extra access is granted, and denials for TCP connect to
# any port and UDP bind on any port are hidden from the audit log.
# NOTE(review): with federation off, blocked connect or bind attempts leave no
# AVC record because of the dontaudit rules. When investigating suspicious
# network behaviour of this domain, rebuild the policy with dontaudit rules
# disabled (semodule -DB) so the denials become visible.
tunable_policy(`matrix_allow_federation',`
	corenet_tcp_connect_all_unreserved_ports(matrixd_t)
	corenet_tcp_connect_generic_port(matrixd_t)
	corenet_udp_bind_all_ports(matrixd_t)
', `
	corenet_dontaudit_tcp_connect_all_ports(matrixd_t)
	corenet_dontaudit_udp_bind_all_ports(matrixd_t)
')

# Database access, controlled by the matrix_postgresql_connect tunable.
# When enabled, both the stream socket and the TCP path to PostgreSQL are
# allowed. There is no else branch, so nothing is granted when it is off.
tunable_policy(`matrix_postgresql_connect',`
	postgresql_stream_connect(matrixd_t)
	postgresql_tcp_connect(matrixd_t)
')

# Only applied when the apache policy module is present. Grants search access
# to the apache configuration directories; the reason is not shown in this file.
optional_policy(`
	apache_search_config(matrixd_t)
')