File: //opt/imunify360/venv/share/imunify360/imunify360.te
module imunify360 1.1;
require {
type init_t;
type lib_t;
type logrotate_t;
type sshd_t;
type usr_t;
type var_t;
type var_run_t;
type httpd_t;
type httpd_sys_script_t;
type unconfined_service_t;
class sock_file { write create setattr getattr unlink };
class unix_dgram_socket sendto;
class unix_stream_socket connectto;
class dir { write add_name remove_name create };
class file { create open read write execute execute_no_trans append getattr setattr ioctl lock unlink link rename };
class process execmem;
}
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t lib_t:sock_file write;
#============= httpd_t ==============
allow httpd_t unconfined_service_t:unix_dgram_socket sendto;
allow httpd_t var_run_t:sock_file write;
#============= sshd_t ==============
allow sshd_t unconfined_service_t:unix_stream_socket connectto;
allow sshd_t usr_t:sock_file write;
#============= init_t ==============
allow init_t lib_t:dir { write add_name remove_name };
allow init_t lib_t:sock_file { create setattr unlink write };
allow init_t var_t:dir create;
allow init_t var_t:file { create open read write execute execute_no_trans append setattr ioctl lock unlink link };
allow init_t var_t:sock_file { create getattr setattr write unlink };
allow init_t usr_t:sock_file { create getattr setattr write unlink };
allow init_t self:process execmem;
#============= logrotate_t ==============
allow logrotate_t var_t:dir { write remove_name add_name };
allow logrotate_t var_t:file { rename write getattr setattr read create open };