[people/stevee/selinux-policy.git] / policy / modules / services / cloudform.te

policy_module(cloudform, 1.0)
########################################
#
# Declarations
#

attribute cloudform_domain;

cloudform_domain_template(deltacloudd)
cloudform_domain_template(iwhd)
cloudform_domain_template(mongod)
cloudform_domain_template(thin)

type deltacloudd_log_t;
logging_log_file(deltacloudd_log_t)

type deltacloudd_var_run_t;
files_pid_file(deltacloudd_var_run_t)

type deltacloudd_tmp_t;
files_tmp_file(deltacloudd_tmp_t)

type iwhd_initrc_exec_t;
init_script_file(iwhd_initrc_exec_t)

type iwhd_var_lib_t;
files_type(iwhd_var_lib_t)

type iwhd_var_run_t;
files_pid_file(iwhd_var_run_t)

type mongod_initrc_exec_t;
init_script_file(mongod_initrc_exec_t)

type mongod_log_t;
logging_log_file(mongod_log_t)

type mongod_var_lib_t;
files_type(mongod_var_lib_t)

type mongod_tmp_t;
files_tmp_file(mongod_tmp_t)

type mongod_var_run_t;
files_pid_file(mongod_var_run_t)

type thin_var_run_t;
files_pid_file(thin_var_run_t)

type iwhd_log_t;
logging_log_file(iwhd_log_t)

########################################
#
# cloudform_domain local policy
#

allow cloudform_domain self:fifo_file rw_fifo_file_perms;
allow cloudform_domain self:tcp_socket create_stream_socket_perms;

dev_read_urand(cloudform_domain)

files_read_etc_files(cloudform_domain)

miscfiles_read_certs(cloudform_domain)
miscfiles_read_localization(cloudform_domain)

########################################
#
# deltacloudd local policy
#

allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
allow deltacloudd_t self:udp_socket create_socket_perms;

allow deltacloudd_t self:process signal;

allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;

manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })

manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })

manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })

kernel_read_system_state(deltacloudd_t)

corecmd_exec_bin(deltacloudd_t)

corenet_tcp_bind_generic_node(deltacloudd_t)
corenet_tcp_bind_generic_port(deltacloudd_t)

files_read_usr_files(deltacloudd_t)

logging_send_syslog_msg(deltacloudd_t)

optional_policy(`
	sysnet_read_config(deltacloudd_t)
')

########################################
#
# iwhd local policy
#

allow iwhd_t self:capability { chown kill };
allow iwhd_t self:process { fork };

allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
allow iwhd_t self:unix_stream_socket create_stream_socket_perms;

manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)

manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
logging_log_filetrans(iwhd_t, iwhd_log_t, { file })

manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })

kernel_read_system_state(iwhd_t)

corenet_tcp_bind_generic_node(iwhd_t)
corenet_tcp_bind_websm_port(iwhd_t)
corenet_tcp_connect_all_ports(iwhd_t)

dev_read_rand(iwhd_t)
dev_read_urand(iwhd_t)

userdom_home_manager(iwhd_t)

########################################
#
# mongod local policy
#

allow mongod_t self:process { setsched signal };

allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
allow mongod_t self:unix_stream_socket create_stream_socket_perms;
allow mongod_t self:udp_socket create_socket_perms;

manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)

manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)

manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })

manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
#needed by dbomatic
files_pid_filetrans(mongod_t, mongod_var_run_t, { file })

corenet_tcp_bind_generic_node(mongod_t)
corenet_tcp_bind_generic_port(mongod_t)

files_read_usr_files(mongod_t)

optional_policy(`
	mysql_stream_connect(mongod_t)
')

optional_policy(`
	postgresql_stream_connect(mongod_t)
')

optional_policy(`
	sysnet_dns_name_resolve(mongod_t)
')

########################################
#
# thin local policy
#

allow thin_t self:capability { setuid kill setgid dac_override };

allow thin_t self:netlink_route_socket r_netlink_socket_perms;
allow thin_t self:udp_socket create_socket_perms;
allow thin_t self:unix_stream_socket create_stream_socket_perms;

manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
files_pid_filetrans(thin_t, thin_var_run_t, { file })

corecmd_exec_bin(thin_t)

corenet_tcp_bind_generic_node(thin_t)
corenet_tcp_bind_ntop_port(thin_t)
corenet_tcp_connect_postgresql_port(thin_t)
corenet_tcp_connect_all_ports(iwhd_t)

files_read_usr_files(thin_t)

fs_search_auto_mountpoints(thin_t)

init_read_utmp(thin_t)

kernel_read_kernel_sysctls(thin_t)

optional_policy(`
	sysnet_read_config(thin_t)
')
Commit	Line	Data
4693e1b6	1	policy_module(cloudform, 1.0)
4693e1b6 MG	2	########################################
	3	#
	4	# Declarations
	5	#
	6
	7	attribute cloudform_domain;
	8
	9	cloudform_domain_template(deltacloudd)
	10	cloudform_domain_template(iwhd)
	11	cloudform_domain_template(mongod)
	12	cloudform_domain_template(thin)
	13
d5badaf8	14	type deltacloudd_log_t;
	15	logging_log_file(deltacloudd_log_t)
	16
	17	type deltacloudd_var_run_t;
	18	files_pid_file(deltacloudd_var_run_t)
	19
4693e1b6 MG	20	type deltacloudd_tmp_t;
	21	files_tmp_file(deltacloudd_tmp_t)
	22
	23	type iwhd_initrc_exec_t;
	24	init_script_file(iwhd_initrc_exec_t)
	25
	26	type iwhd_var_lib_t;
	27	files_type(iwhd_var_lib_t)
	28
	29	type iwhd_var_run_t;
	30	files_pid_file(iwhd_var_run_t)
	31
	32	type mongod_initrc_exec_t;
	33	init_script_file(mongod_initrc_exec_t)
	34
	35	type mongod_log_t;
	36	logging_log_file(mongod_log_t)
	37
	38	type mongod_var_lib_t;
	39	files_type(mongod_var_lib_t)
	40
	41	type mongod_tmp_t;
	42	files_tmp_file(mongod_tmp_t)
	43
	44	type mongod_var_run_t;
	45	files_pid_file(mongod_var_run_t)
	46
	47	type thin_var_run_t;
	48	files_pid_file(thin_var_run_t)
	49
	50	type iwhd_log_t;
	51	logging_log_file(iwhd_log_t)
	52
	53	########################################
	54	#
	55	# cloudform_domain local policy
	56	#
	57
	58	allow cloudform_domain self:fifo_file rw_fifo_file_perms;
	59	allow cloudform_domain self:tcp_socket create_stream_socket_perms;
	60
	61	dev_read_urand(cloudform_domain)
	62
	63	files_read_etc_files(cloudform_domain)
	64
	65	miscfiles_read_certs(cloudform_domain)
	66	miscfiles_read_localization(cloudform_domain)
	67
	68	########################################
	69	#
	70	# deltacloudd local policy
	71	#
	72
	73	allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
	74	allow deltacloudd_t self:udp_socket create_socket_perms;
	75
	76	allow deltacloudd_t self:process signal;
	77
	78	allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
	79	allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
	80	allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
	81
	82	manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
	83	manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
84	files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
85
d5badaf8	86	manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
	87	manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
	88	manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
	89	files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
	90
	91	manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
	92	manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
	93	logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
	94
	95	kernel_read_system_state(deltacloudd_t)
	96
4693e1b6 MG	97	corecmd_exec_bin(deltacloudd_t)
	98
	99	corenet_tcp_bind_generic_node(deltacloudd_t)
	100	corenet_tcp_bind_generic_port(deltacloudd_t)
	101
	102	files_read_usr_files(deltacloudd_t)
	103
	104	logging_send_syslog_msg(deltacloudd_t)
	105
	106	optional_policy(`
	107	sysnet_read_config(deltacloudd_t)
	108	')
	109
	110	########################################
	111	#
	112	# iwhd local policy
	113	#
	114
	115	allow iwhd_t self:capability { chown kill };
	116	allow iwhd_t self:process { fork };
	117
	118	allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
	119	allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
	120
	121	manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
	122	manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
	123
	124	manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
	125	logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
	126
	127	manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
	128	manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
	129	files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
	130
	131	kernel_read_system_state(iwhd_t)
	132
	133	corenet_tcp_bind_generic_node(iwhd_t)
854eccf5	134	corenet_tcp_bind_websm_port(iwhd_t)
942841b6	135	corenet_tcp_connect_all_ports(iwhd_t)
4693e1b6 MG	136
	137	dev_read_rand(iwhd_t)
	138	dev_read_urand(iwhd_t)
	139
ed2ac112	140	userdom_home_manager(iwhd_t)
4693e1b6 MG	141
	142	########################################
	143	#
	144	# mongod local policy
	145	#
	146
b2b22fcf	147	allow mongod_t self:process { setsched signal };
4693e1b6	148
b2b22fcf	149	allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
4693e1b6	150	allow mongod_t self:unix_stream_socket create_stream_socket_perms;
b2b22fcf	151	allow mongod_t self:udp_socket create_socket_perms;
4693e1b6 MG	152
	153	manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
	154	manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
	155
	156	manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
	157	manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
	158
	159	manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
	160	manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
	161	manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
	162	files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
	163
	164	manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
	165	manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
b2b22fcf MG	166	#needed by dbomatic
b2b22fcf MG	167	files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
4693e1b6 MG	168
4693e1b6 MG	169	corenet_tcp_bind_generic_node(mongod_t)
4693e1b6 MG	170	corenet_tcp_bind_generic_port(mongod_t)
4693e1b6 MG	171
b2b22fcf MG	172	files_read_usr_files(mongod_t)
	173
	174	optional_policy(`
	175	mysql_stream_connect(mongod_t)
	176	')
	177
	178	optional_policy(`
	179	postgresql_stream_connect(mongod_t)
	180	')
4693e1b6 MG	181
	182	optional_policy(`
	183	sysnet_dns_name_resolve(mongod_t)
	184	')
	185
	186	########################################
	187	#
	188	# thin local policy
	189	#
	190
	191	allow thin_t self:capability { setuid kill setgid dac_override };
	192
	193	allow thin_t self:netlink_route_socket r_netlink_socket_perms;
	194	allow thin_t self:udp_socket create_socket_perms;
	195	allow thin_t self:unix_stream_socket create_stream_socket_perms;
	196
	197	manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
	198	files_pid_filetrans(thin_t, thin_var_run_t, { file })
	199
	200	corecmd_exec_bin(thin_t)
	201
	202	corenet_tcp_bind_generic_node(thin_t)
	203	corenet_tcp_bind_ntop_port(thin_t)
	204	corenet_tcp_connect_postgresql_port(thin_t)
942841b6	205	corenet_tcp_connect_all_ports(iwhd_t)
4693e1b6 MG	206
	207	files_read_usr_files(thin_t)
	208
	209	fs_search_auto_mountpoints(thin_t)
	210
	211	init_read_utmp(thin_t)
	212
	213	kernel_read_kernel_sysctls(thin_t)
	214
	215	optional_policy(`
	216	sysnet_read_config(thin_t)
	217	')
	218