sepolicy/policy/chromeos/log-and-errors/cros_chromeos_cleanup_logs.te - mirrors/cros/chromiumos/platform2 - Git at Google

 type cros_chromeos_cleanup_logs, chromeos_domain, domain, cros_log_file_creator_domain, cros_metrics_client_domain;

 permissive cros_chromeos_cleanup_logs;

 # We can also have a transition directly from init at bootup
 # That means we won't magically get these from cros_periodic_scheduler
 exec_coreutils(cros_chromeos_cleanup_logs);
 use_init_fd(cros_chromeos_cleanup_logs);
 log_writer(cros_chromeos_cleanup_logs);

 domain_auto_trans({ cros_init cros_init_scripts cros_ssh_session }, cros_chromeos_cleanup_logs_exec, cros_chromeos_cleanup_logs);
 cros_cron(cros_chromeos_cleanup_logs, cros_chromeos_cleanup_logs_exec);
 allow cros_chromeos_cleanup_logs { cros_init cros_init_scripts cros_sshd frecon }:fd use;

 cros_dbus_client(cros_chromeos_cleanup_logs);

 uma_writer(cros_chromeos_cleanup_logs);
 allow cros_chromeos_cleanup_logs cros_metrics_client_exec:file map;

 allow cros_chromeos_cleanup_logs domain:dir { search getattr };
 allow cros_chromeos_cleanup_logs domain:file { getattr open read };

 allow cros_chromeos_cleanup_logs cros_var_file_type:dir { getattr search open read };
 allow cros_chromeos_cleanup_logs cros_var_file_type:file getattr;
 allow cros_chromeos_cleanup_logs cros_var_file_type:lnk_file getattr;

 r_dir_file(cros_chromeos_cleanup_logs, { cros_home_file_type -cros_downloads_file });
 allow cros_chromeos_cleanup_logs { cros_home_file_type -cros_downloads_file }:file unlink;
 allow cros_chromeos_cleanup_logs { cros_home_file_type -cros_downloads_file }:dir { write remove_name };

 allow cros_chromeos_cleanup_logs cros_rotate_by_cleanup_logs_file_type:file create_file_perms;

 neverallow cros_chromeos_cleanup_logs { cros_var_file_type -cros_rotate_by_cleanup_logs_file_type }:file create;

 r_dir_file(cros_chromeos_cleanup_logs, sysfs);
 r_dir_file(cros_chromeos_cleanup_logs_exec, cros_passwd_file);
 allow cros_chromeos_cleanup_logs sh_exec:file { rx_file_perms map };
 allow cros_chromeos_cleanup_logs cros_coreutils_exec:file { rx_file_perms map };


 allow cros_chromeos_cleanup_logs devpts:chr_file { read write };
	type cros_chromeos_cleanup_logs, chromeos_domain, domain, cros_log_file_creator_domain, cros_metrics_client_domain;

	permissive cros_chromeos_cleanup_logs;

	# We can also have a transition directly from init at bootup
	# That means we won't magically get these from cros_periodic_scheduler
	exec_coreutils(cros_chromeos_cleanup_logs);
	use_init_fd(cros_chromeos_cleanup_logs);
	log_writer(cros_chromeos_cleanup_logs);

	domain_auto_trans({ cros_init cros_init_scripts cros_ssh_session }, cros_chromeos_cleanup_logs_exec, cros_chromeos_cleanup_logs);
	cros_cron(cros_chromeos_cleanup_logs, cros_chromeos_cleanup_logs_exec);
	allow cros_chromeos_cleanup_logs { cros_init cros_init_scripts cros_sshd frecon }:fd use;

	cros_dbus_client(cros_chromeos_cleanup_logs);

	uma_writer(cros_chromeos_cleanup_logs);
	allow cros_chromeos_cleanup_logs cros_metrics_client_exec:file map;

	allow cros_chromeos_cleanup_logs domain:dir { search getattr };
	allow cros_chromeos_cleanup_logs domain:file { getattr open read };

	allow cros_chromeos_cleanup_logs cros_var_file_type:dir { getattr search open read };
	allow cros_chromeos_cleanup_logs cros_var_file_type:file getattr;
	allow cros_chromeos_cleanup_logs cros_var_file_type:lnk_file getattr;

	r_dir_file(cros_chromeos_cleanup_logs, { cros_home_file_type -cros_downloads_file });
	allow cros_chromeos_cleanup_logs { cros_home_file_type -cros_downloads_file }:file unlink;
	allow cros_chromeos_cleanup_logs { cros_home_file_type -cros_downloads_file }:dir { write remove_name };

	allow cros_chromeos_cleanup_logs cros_rotate_by_cleanup_logs_file_type:file create_file_perms;

	neverallow cros_chromeos_cleanup_logs { cros_var_file_type -cros_rotate_by_cleanup_logs_file_type }:file create;

	r_dir_file(cros_chromeos_cleanup_logs, sysfs);
	r_dir_file(cros_chromeos_cleanup_logs_exec, cros_passwd_file);
	allow cros_chromeos_cleanup_logs sh_exec:file { rx_file_perms map };
	allow cros_chromeos_cleanup_logs cros_coreutils_exec:file { rx_file_perms map };


	allow cros_chromeos_cleanup_logs devpts:chr_file { read write };