# Type-enforcement module for imunify360.
#
# NOTE(review): the "#============= <domain> ==============" section headers
# further down are the format audit2allow emits, so this module looks like it
# was generated from logged denials.  That matters for review: every target
# type requested below (lib_t, usr_t, var_t, var_run_t) is a generic base-policy
# label, so each rule applies to *all* objects carrying that label, not just
# the agent's own files and sockets.  Giving those objects a dedicated type
# (via a file-context entry) and rewriting the rules against it would confine
# the grants to what imunify360 actually needs.
module imunify360 1.1;

require {
	# Source domains that need to reach the agent or its files.
	type httpd_sys_script_t;
	type httpd_t;
	type init_t;
	type logrotate_t;
	type sshd_t;

	# Generic base-policy object types the rules are written against.
	type lib_t;
	type usr_t;
	type var_run_t;
	type var_t;

	# Peer domain for the socket rules — presumably the agent process itself
	# runs as unconfined_service_t; confirm against the service unit.
	type unconfined_service_t;

	# Object classes and the permissions the rules below use.
	class dir { add_name create remove_name write };
	class file { append create execute execute_no_trans getattr ioctl link lock open read rename setattr unlink write };
	class process execmem;
	class sock_file { create getattr setattr unlink write };
	class unix_dgram_socket sendto;
	class unix_stream_socket connectto;
}
#============= httpd_sys_script_t ==============
# Web scripts run under Apache (CGI/PHP in httpd_sys_script_t) may write to a
# socket file labelled lib_t, i.e. the filesystem half of connecting to a
# UNIX socket that lives under a /lib or /usr/lib path.
# NOTE(review): no matching connectto/sendto rule is granted to this domain
# here, so either the peer rule lives elsewhere or the scripts only need the
# sock_file write — confirm.  The grant covers every lib_t socket file.
allow httpd_sys_script_t lib_t:sock_file { write };
#============= httpd_t ==============
# Apache itself talks to the agent over a datagram socket: sendto needs the
# peer process's domain, and the sock_file write is the filesystem side of
# opening a socket node under /run (var_run_t).
# NOTE(review): unconfined_service_t is the generic label for unconfined
# services, so this lets httpd_t send datagrams to any such service's
# socket, not only imunify360's.
allow httpd_t unconfined_service_t:unix_dgram_socket { sendto };
allow httpd_t var_run_t:sock_file { write };
#============= sshd_t ==============
# sshd connects to the agent over a stream socket whose node is labelled
# usr_t.  The usual pairing: connectto on the listener's domain plus write on
# the socket file.
# NOTE(review): usr_t is the default label for most of /usr, and
# unconfined_service_t is shared by every unconfined service; both halves of
# this grant are therefore much wider than one agent socket.  A socket under
# /usr is also unusual — it is normally expected under /run — so check where
# the agent actually creates it.
allow sshd_t unconfined_service_t:unix_stream_socket { connectto };
allow sshd_t usr_t:sock_file { write };
#============= init_t ==============
# init_t (systemd in the targeted policy, unless this policy relabels init)
# may manage socket files and directories under lib_t, usr_t and var_t, and
# read/write/execute files labelled var_t.

# Socket-file lifecycle (create, stat, chmod/chown, unlink, write) on the
# generic /usr, /var and /lib labels, plus the directory-entry changes the
# lib_t case needs.
allow init_t lib_t:dir { add_name remove_name write };
allow init_t lib_t:sock_file { create setattr unlink write };
allow init_t { usr_t var_t }:sock_file { create getattr setattr unlink write };

# Files and directories under the generic var_t label.  Split so the
# read/write half is separable from the execute half when reviewing.
allow init_t var_t:dir { create };
allow init_t var_t:file { append create getattr ioctl link lock open read setattr unlink write };
# NOTE(review): execute + execute_no_trans lets init run any var_t-labelled
# file *in its own domain*, with no transition to a confined type.  Combined
# with the write/create grant above, a var_t file that init can be made to
# write is also one it can run.  If this exists only so init can start the
# agent from a /var path, a dedicated executable type with an explicit
# domain transition would be the safer shape.
allow init_t var_t:file { execute execute_no_trans };

# NOTE(review): execmem allows writable+executable anonymous mappings
# (W^X bypass) in the init domain itself; confirm which component actually
# trips this before keeping it.
allow init_t self:process { execmem };
#============= logrotate_t ==============
# logrotate rotates the agent's logs: it renames/creates/truncates files and
# adds/removes directory entries.  Written against var_t rather than a
# dedicated log type.
# NOTE(review): the generic var_t label means logrotate_t can now rewrite any
# var_t file, not just the agent's logs; labelling the log directory with a
# log type (var_log_t or an agent-specific one) would narrow this.
allow logrotate_t var_t:dir { add_name remove_name write };
allow logrotate_t var_t:file { create getattr open read rename setattr write };