Add nut from Stefan Schulze Frielinghaus and Miroslav Grepl.
policy_module(nut, 1.0.0)

########################################
#
# Declarations
#
# Network UPS Tools is split into three confined domains that share one
# configuration type and one runtime (/var/run) type:
#   nut_upsd_t      - upsd, the network server
#   nut_upsmon_t    - upsmon, the monitoring client that drives shutdown
#   nut_upsdrvctl_t - upsdrvctl and the hardware drivers it executes
#

# Configuration files. Every nut domain below gets read-only access; nothing
# in this module may write this type. NOTE(review): presumably the upsd user
# database (credentials) lives here too - keep it admin-writable only.
type nut_conf_t;
files_config_file(nut_conf_t)

# upsd: entered from init via its executable type.
type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

# upsmon: entered from init via its executable type.
type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

# upsdrvctl: entered from init via its executable type. No separate driver
# domain is declared, so the drivers it launches keep running as
# nut_upsdrvctl_t (see corecmd_exec_bin in its section).
type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

# Runtime state: pid files and the unix sockets under /var/run.
type nut_var_run_t;
files_pid_file(nut_var_run_t)

########################################
#
# Local policy for upsd
#

# setuid/setgid: presumably to drop root privileges after start-up
# (auth_use_nsswitch below supplies the user/group lookup) - confirm.
allow nut_upsd_t self:capability { setgid setuid };
# unix_dgram: syslog socket; tcp: server-side socket (listen/accept, no connect).
allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;

# upsd is a client of the drivers' unix stream sockets (the sock_files live
# in nut_var_run_t, see manage_sock_files_pattern below).
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;

# Read-only access to the configuration.
read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(nut_upsd_t)

# Listening sockets: the ups port type, plus any generic (unlabelled) port on
# any node. The generic-port rule is wider than the protocol needs; it is
# presumably there so that a non-default listen port can be configured.
# NOTE(review): if non-default ports are not required, the generic bind could
# be dropped to keep upsd confined to its own port type.
corenet_tcp_bind_ups_port(nut_upsd_t)
corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

files_read_usr_files(nut_upsd_t)

# Name-service lookups (passwd/group resolution for the setuid above).
auth_use_nsswitch(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

# dac_override/dac_read_search bypass discretionary file permissions. Note
# that upsmon also gets exec_shell/exec_bin below without a domain transition,
# so every command it runs inherits these capabilities.
allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
# Client-side tcp socket towards upsd.
allow nut_upsmon_t self:tcp_socket create_socket_perms;

# Read-only access to the configuration.
read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)

# Shell and bin_t programs (shutdown, wall, notification commands) execute in
# nut_upsmon_t itself - there is no transition to a less privileged domain.
# NOTE(review): the commands are presumably taken from the configuration, so
# whoever can write nut_conf_t decides what runs with the capabilities above.
corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

# Connect to upsd: its port type, or a generic port if upsd was configured on
# a non-default port (mirrors the generic bind granted to nut_upsd_t).
corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)

# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)

# /usr/bin/wall
term_write_all_terms(nut_upsmon_t)

# upsmon runs shutdown, probably need a shutdown domain
init_rw_utmp(nut_upsmon_t)
init_telinit(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)

auth_use_nsswitch(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)

########################################
#
# Local policy for upsdrvctl
#

# kill: signal driver processes that may run under a different uid after
# setuid (inferred; the drivers share this domain but not necessarily the
# uid of upsdrvctl).
allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
# Signals between upsdrvctl and the drivers stay within the one domain.
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
# NOTE(review): no corenet_udp_* rules accompany this; presumably it serves
# name resolution or a network-attached driver - confirm before widening.
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;

# Read-only access to the configuration.
read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(nut_upsdrvctl_t)

# /sbin/upsdrvctl executes other drivers
# No domain transition: every driver runs as nut_upsdrvctl_t, so the device
# access below is available to all drivers, not only the one in use.
corecmd_exec_bin(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
# USB-attached UPS hardware.
dev_rw_generic_usb_dev(nut_upsdrvctl_t)

# Serial-attached UPS hardware on unallocated ttys.
term_use_unallocated_ttys(nut_upsdrvctl_t)

auth_use_nsswitch(nut_upsdrvctl_t)

# Report child exit back to init, which started upsdrvctl.
init_sigchld(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

#######################################
#
# Local policy for upscgi scripts
# requires httpd_enable_cgi and httpd_can_network_connect
#

# Only built when the apache module is available. The template declares the
# httpd_nutups_cgi_script_t domain; the CGI gets read access to the
# configuration and a client connection to the ups port, nothing else from
# this module (in particular no access to nut_var_run_t).
optional_policy(`
apache_content_template(nutups_cgi)

read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)

corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
')