1 files changed, 142 insertions, 0 deletions

diff --git a/policy/modules/contrib/rhgb.te b/policy/modules/contrib/rhgb.te
new file mode 100644
index 00000000..0f262a7d
--- /dev/null
+++ b/policy/modules/contrib/rhgb.te
@@ -0,0 +1,142 @@
+policy_module(rhgb, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type rhgb_t;
+type rhgb_exec_t;
+init_daemon_domain(rhgb_t, rhgb_exec_t)
+
+type rhgb_tmpfs_t;
+files_tmpfs_file(rhgb_tmpfs_t)
+
+type rhgb_devpts_t;
+term_pty(rhgb_devpts_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rhgb_t self:capability { fsetid setgid setuid sys_admin sys_tty_config };
+dontaudit rhgb_t self:capability sys_tty_config;
+allow rhgb_t self:process { setpgid signal_perms };
+allow rhgb_t self:shm create_shm_perms;
+allow rhgb_t self:unix_stream_socket create_stream_socket_perms;
+allow rhgb_t self:fifo_file rw_fifo_file_perms;
+allow rhgb_t self:tcp_socket create_socket_perms;
+allow rhgb_t self:udp_socket create_socket_perms;
+allow rhgb_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow rhgb_t rhgb_devpts_t:chr_file { rw_chr_file_perms setattr };
+term_create_pty(rhgb_t, rhgb_devpts_t)
+
+manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_lnk_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_fifo_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+manage_sock_files_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
+fs_tmpfs_filetrans(rhgb_t, rhgb_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(rhgb_t)
+kernel_read_system_state(rhgb_t)
+
+corecmd_exec_bin(rhgb_t)
+corecmd_exec_shell(rhgb_t)
+
+corenet_all_recvfrom_unlabeled(rhgb_t)
+corenet_all_recvfrom_netlabel(rhgb_t)
+corenet_tcp_sendrecv_generic_if(rhgb_t)
+corenet_udp_sendrecv_generic_if(rhgb_t)
+corenet_tcp_sendrecv_generic_node(rhgb_t)
+corenet_udp_sendrecv_generic_node(rhgb_t)
+corenet_tcp_sendrecv_all_ports(rhgb_t)
+corenet_udp_sendrecv_all_ports(rhgb_t)
+corenet_tcp_connect_all_ports(rhgb_t)
+corenet_sendrecv_all_client_packets(rhgb_t)
+
+dev_read_sysfs(rhgb_t)
+dev_read_urand(rhgb_t)
+
+domain_use_interactive_fds(rhgb_t)
+
+files_read_etc_files(rhgb_t)
+files_read_var_files(rhgb_t)
+files_read_etc_runtime_files(rhgb_t)
+files_search_tmp(rhgb_t)
+files_read_usr_files(rhgb_t)
+files_mounton_mnt(rhgb_t)
+files_dontaudit_rw_root_dir(rhgb_t)
+files_dontaudit_read_default_files(rhgb_t)
+files_dontaudit_search_pids(rhgb_t)
+# for nscd
+files_dontaudit_search_var(rhgb_t)
+
+fs_search_auto_mountpoints(rhgb_t)
+fs_mount_ramfs(rhgb_t)
+fs_unmount_ramfs(rhgb_t)
+fs_getattr_tmpfs(rhgb_t)
+# for ramfs file systems
+fs_manage_ramfs_dirs(rhgb_t)
+fs_manage_ramfs_files(rhgb_t)
+fs_manage_ramfs_pipes(rhgb_t)
+fs_manage_ramfs_sockets(rhgb_t)
+
+selinux_dontaudit_read_fs(rhgb_t)
+
+term_use_unallocated_ttys(rhgb_t)
+term_use_ptmx(rhgb_t)
+term_getattr_pty_fs(rhgb_t)
+
+init_write_initctl(rhgb_t)
+
+# for localization
+libs_read_lib_files(rhgb_t)
+
+logging_send_syslog_msg(rhgb_t)
+
+miscfiles_read_localization(rhgb_t)
+miscfiles_read_fonts(rhgb_t)
+miscfiles_dontaudit_write_fonts(rhgb_t)
+
+seutil_search_default_contexts(rhgb_t)
+seutil_read_config(rhgb_t)
+
+sysnet_read_config(rhgb_t)
+sysnet_domtrans_ifconfig(rhgb_t)
+
+userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
+userdom_dontaudit_search_user_home_content(rhgb_t)
+
+xserver_read_tmp_files(rhgb_t)
+xserver_kill(rhgb_t)
+# for running setxkbmap
+xserver_read_xkb_libs(rhgb_t)
+xserver_domtrans(rhgb_t)
+xserver_signal(rhgb_t)
+xserver_read_xdm_tmp_files(rhgb_t)
+xserver_stream_connect(rhgb_t)
+
+optional_policy(`
+	consoletype_exec(rhgb_t)
+')
+
+optional_policy(`
+	nis_use_ypbind(rhgb_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(rhgb_t)
+')
+
+optional_policy(`
+	udev_read_db(rhgb_t)
+')
+
+ifdef(`TODO',`
+	#this seems a bit much
+	allow domain rhgb_devpts_t:chr_file { read write };
+	allow initrc_t rhgb_gph_t:fd use;
+')