This fixed quite a few of the messages.
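# astnb: local policy module extending the Asterisk PBX domain (asterisk_t).
# The rules below are grouped by source domain under "#===== domain =====" headers,
# the layout produced when a batch of AVC denials is turned into allow rules. Every
# type and class used here must already exist in the loaded policy, hence the
# require block; this module declares nothing of its own.
module astnb 1.0;

require {
    # Generic directory labels (/run, /var/log, /var/spool, /var/lib). Rules on these
    # apply to every file carrying that label, not only Asterisk's own files, so they
    # are broader than rules on the asterisk_* types further down.
    type var_run_t;
    type var_log_t;
    type var_spool_t;
    type var_lib_t;
    # Domains involved: the daemon, the init-script domain, and the admin shell.
    type asterisk_t;
    type initrc_t;
    type sysadm_t;
    # Asterisk-specific labels already present in the base policy. Files that end up
    # under the generic var_*_t labels above should normally carry one of these instead.
    type asterisk_log_t;
    type asterisk_var_run_t;
    # Runtime files owned by the init-script domain (pid files etc.).
    type initrc_var_run_t;
    class socket { write read };
    class process setpgid;
    class unix_stream_socket { connectto accept listen };
    class capability { dac_read_search chown };
    class file { rename setattr read create write getattr link unlink open append };
    class sock_file { write create unlink };
    class dir { read write add_name setattr remove_name };
}

#============= asterisk_t ==============
# Daemon connects to a unix stream socket held by the init-script domain.
allow asterisk_t initrc_t:unix_stream_socket connectto;
# Daemon writes a runtime file labelled initrc_var_run_t rather than asterisk_var_run_t.
# NOTE(review): presumably the pid file is created by the init script and never relabelled;
# confirm its label, since relabelling would make this rule unnecessary.
allow asterisk_t initrc_var_run_t:file { write getattr };
# dac_read_search lets the daemon read/search paths whose DAC mode bits would deny it;
# chown lets it change file ownership. Both are process-wide, not path-limited.
allow asterisk_t self:capability { dac_read_search chown };
allow asterisk_t self:process setpgid;
allow asterisk_t self:socket { write read };
# Daemon owns and accepts connections on its own unix stream socket.
allow asterisk_t self:unix_stream_socket { accept listen };
# The four rules below target generic labels, so they reach any var_lib_t / var_log_t /
# var_run_t / var_spool_t object on the system, not just Asterisk's directories.
# NOTE(review): the narrower fix is to label Asterisk's paths with the asterisk_* types
# (asterisk_log_t and asterisk_var_run_t are already required above) and drop these.
allow asterisk_t var_lib_t:file { read write getattr open };
allow asterisk_t var_log_t:file { getattr open append };
allow asterisk_t var_run_t:dir setattr;
allow asterisk_t var_run_t:sock_file { write create unlink };
allow asterisk_t var_spool_t:dir { read write add_name remove_name };
allow asterisk_t var_spool_t:file { rename write getattr link create unlink open };

#============= initrc_t ==============
# Init script adjusts attributes (ownership/mode) on the daemon's log and runtime files
# and on a generic /run directory; the setattr on var_run_t:dir is the broad one here.
allow initrc_t asterisk_log_t:file setattr;
allow initrc_t asterisk_var_run_t:file setattr;
allow initrc_t var_run_t:dir setattr;

#============= sysadm_t ==============
# Admin shell connects to the daemon's unix stream socket (presumably the control console).
# The statement terminator was missing in the original; without it the module does not compile.
allow sysadm_t asterisk_t:unix_stream_socket connectto;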