# backup_IDA.te -- SELinux Type Enforcement policy module "backup_IDA", version 1.0.
#
# This is audit2allow output: every `allow` rule below was produced
# mechanically from logged AVC denials, not from a design of what the
# backup_IDA workload should be permitted to do. audit2allow emits the
# narrowest rule that silences each denial, which is the wrong unit of
# review -- read the per-section comments before building this module
# (checkmodule -M -m / semodule_package) and loading it with semodule.
#
# Review summary: most rules grant the network-facing sshd_t domain and the
# sysadm_t admin domain delete, relabel and write access over system
# directories (bin_t, lib_t, etc_t, usr_t, var_lib_t, selinux_config_t,
# semanage_store_t). Rules that audit2allow marked "allowed in the current
# policy" are redundant against the policy that was loaded when this file
# was generated and add nothing if loaded.
module backup_IDA 1.0;
# The require block declares every type, object class and permission the
# rules below reference; it is generated from those rules. Keep it in sync
# if rules are removed: an entry for a type that exists in the base policy
# but is no longer used is harmless, while a missing entry fails at
# checkmodule time, and an entry for a type the target system does not
# define fails at semodule load time.
require {
type insmod_exec_t;
type semanage_store_t;
type usr_t;
type var_run_t;
type pam_var_run_t;
type sysadm_t;
type initrc_t;
type man_t;
type fusermount_exec_t;
type ipsec_var_run_t;
type setroubleshootd_t;
type insmod_t;
type rpm_var_cache_t;
type useradd_exec_t;
type lib_t;
type modules_conf_t;
type etc_t;
type audisp_t;
type rpm_var_lib_t;
type var_lib_t;
type virtd_t;
type selinux_config_t;
type bin_t;
type sshd_t;
type rpm_t;
type system_map_t;
type var_lock_t;
type var_t;
type scsi_generic_device_t;
type admin_home_t;
class fifo_file { write getattr setattr read create unlink open };
class dbus send_msg;
class chr_file { read write ioctl open };
class file { write getattr link setattr read relabelto unlink open execute execute_no_trans};
class sock_file { write create unlink setattr };
class lnk_file unlink;
class dir { search setattr relabelfrom write getattr rmdir relabelto remove_name };
}
#============= initrc_t ==============
# initrc_t is the domain of init scripts / service start-up. These rules let
# it change attributes (ownership, mode, timestamps) of directories, files,
# FIFOs and sockets labelled usr_t (the /usr tree in the reference policy)
# and of ipsec_var_run_t directories, and delete entries from and remove
# directories labelled var_t. NOTE(review): an init script rewriting
# attributes under /usr looks like a restore-in-place step; confirm which
# script triggers this before granting it to every service started through
# init scripts, since initrc_t is shared by all of them.
#!!!! This avc is allowed in the current policy
# audit2allow: already permitted by the policy loaded when this file was
# generated, so this rule is redundant. The denial was probably logged under
# a different policy (older version, or a boolean since toggled) -- verify
# the audit log you fed to audit2allow is current.
allow initrc_t ipsec_var_run_t:dir setattr;
allow initrc_t var_t:dir { remove_name rmdir };
allow initrc_t usr_t:dir setattr;
allow initrc_t usr_t:fifo_file setattr;
allow initrc_t usr_t:file setattr;
allow initrc_t usr_t:sock_file setattr;
#============= insmod_t ==============
# insmod_t is the kernel-module loader domain. Every rule in this section is
# marked by audit2allow as already permitted by the loaded policy, so the
# whole section is redundant and can be dropped (remember to prune the
# require block accordingly). It is kept here only as a record of what was
# logged.
#!!!! This avc is allowed in the current policy
# Reading the kernel symbol map (system_map_t) -- already allowed.
allow insmod_t system_map_t:file { read open };
#!!!! This avc is allowed in the current policy
# Writing lock files (var_lock_t) -- already allowed.
allow insmod_t var_lock_t:file write;
#!!!! This avc is allowed in the current policy
# getattr on a FIFO owned by the virtd_t domain: consistent with insmod
# being spawned by libvirtd with a pipe on its file descriptors. Already
# allowed.
allow insmod_t virtd_t:fifo_file getattr;
#============= rpm_t ==============
# rpm_t (the package manager domain) sending D-Bus messages to a process in
# sshd_t. Together with the reverse rule in the sshd_t section
# (allow sshd_t rpm_t:dbus send_msg) this is a two-way D-Bus exchange with
# something running in the SSH daemon's domain. NOTE(review): the SSH daemon
# itself has no reason to talk to rpm over D-Bus; this most likely means a
# process started over SSH stayed in sshd_t instead of transitioning to its
# own domain -- fix the transition rather than widening sshd_t.
allow rpm_t sshd_t:dbus send_msg;
#============= setroubleshootd_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Constraint rule:
# audit2allow normally prints the violated constraint on the line above; it
# is empty here, so which constraint blocks the access is not recorded in
# this file. The allow rule below will compile and load, but the D-Bus
# message from setroubleshootd_t to audisp_t will STILL be denied until the
# constraint is satisfied (typically by giving one of the types the
# attribute the constraint checks). Do not load this module expecting it
# to resolve that denial.
allow setroubleshootd_t audisp_t:dbus send_msg;
# setroubleshootd (the SELinux troubleshooting daemon) sending D-Bus messages
# to a process in sshd_t; see the sshd_t section for the reverse rule and
# the same missing-domain-transition concern.
allow setroubleshootd_t sshd_t:dbus send_msg;
#============= sshd_t ==============
# sshd_t is the domain of the SSH daemon itself -- a network-facing,
# root-privileged process. The rules in this section grant it the ability to
# remove directories labelled bin_t, lib_t, usr_t, var_lib_t, var_run_t,
# rpm_var_lib_t, selinux_config_t and semanage_store_t, to relabel etc_t,
# modules_conf_t and pam_var_run_t directories, to relabel/unlink the
# fusermount helper's executable, to unlink symlinks under lib_t and to
# hard-link usr_t files. Taken together that is delete-and-relabel
# authority over /etc, /usr, /lib, the SELinux configuration and the policy
# store, which lets a compromised sshd alter the very policy that confines
# it.
#
# NOTE(review): these denials are characteristic of a backup/restore tool
# executed over SSH that never left sshd_t because no domain transition
# exists for its executable. The right fix is a dedicated domain with a
# type_transition from sshd_t (or a login flow that transitions to the
# admin domain) so that sshd_t stays minimal. Do NOT load this section as
# generated.
# Remove directories labelled bin_t / lib_t and unlink lib_t symlinks.
allow sshd_t bin_t:dir rmdir;
# Change the label of etc_t directories (relabelfrom + relabelto) and their
# attributes: anything under /etc can be relabelled by the SSH daemon.
allow sshd_t etc_t:dir { relabelfrom relabelto setattr };
# Relabel a file TO fusermount_exec_t, delete or change attributes of the
# fusermount helper binary: relabelto onto an *_exec_t type is a policy
# escape vector (an attacker-controlled file gains that entrypoint label).
allow sshd_t fusermount_exec_t:file { relabelto unlink setattr };
allow sshd_t insmod_exec_t:file getattr;
allow sshd_t lib_t:dir rmdir;
allow sshd_t lib_t:lnk_file unlink;
# Delete manual pages (man_t).
allow sshd_t man_t:dir remove_name;
allow sshd_t man_t:file unlink;
#!!!! This avc is allowed in the current policy
# audit2allow: already permitted by the loaded policy -- redundant. Note it
# is nonetheless a broad grant: write and relabel over the kernel module
# configuration (modules_conf_t).
allow sshd_t modules_conf_t:dir { write search setattr relabelfrom relabelto getattr };
#!!!! This avc is allowed in the current policy
allow sshd_t modules_conf_t:file getattr;
# Relabel PAM runtime directories.
allow sshd_t pam_var_run_t:dir { relabelfrom relabelto };
# Two-way D-Bus exchange with rpm_t and setroubleshootd_t (see their
# sections): a daemon-to-daemon D-Bus conversation from sshd_t is itself a
# sign that a different process is running in this domain.
allow sshd_t rpm_t:dbus send_msg;
allow sshd_t rpm_var_cache_t:file open;
allow sshd_t rpm_var_lib_t:dir rmdir;
# rmdir on the SELinux configuration directory and the semanage policy
# store: the daemon could remove parts of the policy store on disk.
allow sshd_t selinux_config_t:dir rmdir;
allow sshd_t semanage_store_t:dir rmdir;
allow sshd_t setroubleshootd_t:dbus send_msg;
allow sshd_t useradd_exec_t:file getattr;
# rmdir over /usr (usr_t) and hard-linking usr_t files; a hard link to a
# file under /usr keeps the file's label, so this can pin or duplicate
# system binaries outside their expected paths.
allow sshd_t usr_t:dir rmdir;
allow sshd_t usr_t:file link;
allow sshd_t var_lib_t:dir rmdir;
allow sshd_t var_run_t:dir rmdir;
#============= sysadm_t ==============
# sysadm_t is the confined administrator domain (the domain a root login
# lands in under the strict/MLS-style role setup). Only three rules here are
# new; the rest are already permitted by the loaded policy per audit2allow.
# ioctl on SCSI generic character devices (scsi_generic_device_t, typically
# /dev/sg*). read/write/open are already allowed below; adding ioctl lets
# the admin send arbitrary SCSI commands (SG_IO) to the device -- consistent
# with a backup tool driving a tape or disk directly. Reasonable for an
# admin domain, but it is raw hardware access, so confirm the tool actually
# needs it.
allow sysadm_t scsi_generic_device_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
allow sysadm_t scsi_generic_device_t:chr_file { read write open };
#!!!! This avc is allowed in the current policy
# FIFO access under /usr (usr_t) -- already allowed, redundant.
allow sysadm_t usr_t:fifo_file { write setattr read create unlink open };
# New: unlink of usr_t sockets; create/write/setattr on them are already
# allowed (next rule). Sockets living under /usr rather than /run or /var is
# itself odd -- the paths involved are worth checking.
allow sysadm_t usr_t:sock_file unlink;
#!!!! This avc is allowed in the current policy
allow sysadm_t usr_t:sock_file { write create setattr };
# New: execute_no_trans on admin_home_t files -- run a binary located in
# the admin's home (/root in the reference policy) while staying in
# sysadm_t. Plain execute (below) is already allowed; execute_no_trans is
# what makes an untransitioned run possible, so any file dropped in /root
# becomes runnable with full sysadm_t privileges. NOTE(review): in current
# distribution policies this is normally controlled by a boolean rather
# than a hard allow rule -- check `getsebool -a | grep sysadm` on the target
# and prefer the boolean over this rule if one exists.
allow sysadm_t admin_home_t:file execute_no_trans;
#!!!! This avc is allowed in the current policy
allow sysadm_t admin_home_t:file execute;