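policy_module(cloudform, 1.0)

########################################
#
# Declarations
#

# Attribute shared by every CloudForms service domain; rules common to all of
# them are written once against this attribute (see "cloudform_domain local
# policy" below).
attribute cloudform_domain;

# NOTE(review): the template is expected to declare the <name>_t domains used
# below (deltacloudd_t, iwhd_t, mongod_t, thin_t) and attach cloudform_domain
# to them; it lives in the interface file, which is not shown here -- confirm.
cloudform_domain_template(deltacloudd)
cloudform_domain_template(iwhd)
cloudform_domain_template(mongod)
cloudform_domain_template(thin)

type deltacloudd_log_t;
logging_log_file(deltacloudd_log_t)

type deltacloudd_var_run_t;
files_pid_file(deltacloudd_var_run_t)

type deltacloudd_tmp_t;
files_tmp_file(deltacloudd_tmp_t)

type iwhd_initrc_exec_t;
init_script_file(iwhd_initrc_exec_t)

# Kept with the other iwhd types (it was previously declared after thin's).
type iwhd_log_t;
logging_log_file(iwhd_log_t)

type iwhd_var_lib_t;
files_type(iwhd_var_lib_t)

type iwhd_var_run_t;
files_pid_file(iwhd_var_run_t)

type mongod_initrc_exec_t;
init_script_file(mongod_initrc_exec_t)

type mongod_log_t;
logging_log_file(mongod_log_t)

type mongod_var_lib_t;
files_type(mongod_var_lib_t)

type mongod_tmp_t;
files_tmp_file(mongod_tmp_t)

type mongod_var_run_t;
files_pid_file(mongod_var_run_t)

type thin_var_run_t;
files_pid_file(thin_var_run_t)

########################################
#
# cloudform_domain local policy
#

allow cloudform_domain self:fifo_file rw_fifo_file_perms;
allow cloudform_domain self:tcp_socket create_stream_socket_perms;

dev_read_urand(cloudform_domain)

files_read_etc_files(cloudform_domain)

miscfiles_read_certs(cloudform_domain)
miscfiles_read_localization(cloudform_domain)

########################################
#
# deltacloudd local policy
#

allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
allow deltacloudd_t self:udp_socket create_socket_perms;

allow deltacloudd_t self:process signal;

allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;

manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })

manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })

manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })

kernel_read_system_state(deltacloudd_t)

corecmd_exec_bin(deltacloudd_t)

corenet_tcp_bind_generic_node(deltacloudd_t)
# Binds any generic port type; a dedicated port type would be tighter if the
# policy's corenetwork module declares one for this service -- confirm.
corenet_tcp_bind_generic_port(deltacloudd_t)

files_read_usr_files(deltacloudd_t)

logging_send_syslog_msg(deltacloudd_t)

optional_policy(`
	sysnet_read_config(deltacloudd_t)
')

########################################
#
# iwhd local policy
#

allow iwhd_t self:capability { chown kill };
# fork is commonly granted to every domain by the base domain policy already;
# harmless if so -- confirm before removing.
allow iwhd_t self:process { fork };

allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
allow iwhd_t self:unix_stream_socket create_stream_socket_perms;

manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)

manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
logging_log_filetrans(iwhd_t, iwhd_log_t, { file })

manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })

kernel_read_system_state(iwhd_t)

corenet_tcp_bind_generic_node(iwhd_t)
corenet_tcp_bind_websm_port(iwhd_t)
# Broad: outbound TCP to every port type. If the back-ends iwhd talks to are
# known, prefer the specific corenet_tcp_connect_*_port interfaces instead.
corenet_tcp_connect_all_ports(iwhd_t)

dev_read_rand(iwhd_t)
dev_read_urand(iwhd_t)

# Broad: full management of user home directories and their contents. Confirm
# iwhd really needs to write under $HOME rather than under iwhd_var_lib_t.
userdom_home_manager(iwhd_t)

########################################
#
# mongod local policy
#

allow mongod_t self:process { setsched signal };

allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
allow mongod_t self:unix_stream_socket create_stream_socket_perms;
allow mongod_t self:udp_socket create_socket_perms;

manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)

manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)

manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })

manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
# needed by dbomatic
files_pid_filetrans(mongod_t, mongod_var_run_t, { file })

corenet_tcp_bind_generic_node(mongod_t)
# Binds any generic port type; a dedicated port type would be tighter if the
# policy's corenetwork module declares one for mongod -- confirm.
corenet_tcp_bind_generic_port(mongod_t)

files_read_usr_files(mongod_t)

optional_policy(`
	mysql_stream_connect(mongod_t)
')

optional_policy(`
	postgresql_stream_connect(mongod_t)
')

optional_policy(`
	sysnet_dns_name_resolve(mongod_t)
')

########################################
#
# thin local policy
#

# dac_override lets thin_t bypass file-mode checks entirely; it is often only
# "needed" because a file is owned by the wrong user. Verify the requirement
# (e.g. from the denial that motivated it) before keeping it.
allow thin_t self:capability { setuid kill setgid dac_override };

allow thin_t self:netlink_route_socket r_netlink_socket_perms;
allow thin_t self:udp_socket create_socket_perms;
allow thin_t self:unix_stream_socket create_stream_socket_perms;

manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
files_pid_filetrans(thin_t, thin_var_run_t, { file })

corecmd_exec_bin(thin_t)

corenet_tcp_bind_generic_node(thin_t)
corenet_tcp_bind_ntop_port(thin_t)
corenet_tcp_connect_postgresql_port(thin_t)
# A stray copy of corenet_tcp_connect_all_ports(iwhd_t) used to sit here; it is
# already granted in the iwhd section and is not a thin_t rule, so it was
# dropped. If thin needs more outbound ports than postgresql, add the specific
# corenet_tcp_connect_*_port interface for them rather than the all-ports one.

files_read_usr_files(thin_t)

fs_search_auto_mountpoints(thin_t)

init_read_utmp(thin_t)

kernel_read_kernel_sysctls(thin_t)

optional_policy(`
	sysnet_read_config(thin_t)
')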