29af4c13 | 1 | policy_module(cobbler, 1.1.0) |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Cobbler personal declarations. | |
6 | # | |
7 | ||
8 | ## <desc> | |
9 | ## <p> | |
10 | ## Allow Cobbler to manage (create, modify and delete) public files
11 | ## used for public file transfer services. | |
12 | ## </p> |
13 | ## </desc> | |
14 | gen_tunable(cobbler_anon_write, false) | |
15 | |
16 | ## <desc> | |
17 | ## <p> | |
18 | ## Allow Cobbler to connect to any TCP port on the network. | |
19 | ## (FTP and HTTP ports are always allowed; this boolean opens all other ports.) | |
20 | ## </p> | |
21 | ## </desc> | |
22 | gen_tunable(cobbler_can_network_connect, false) | |
23 | ||
24 | ## <desc> | |
25 | ## <p> | |
26 | ## Allow Cobbler to read, write, create and delete files on CIFS (SMB) file systems. | |
27 | ## </p> | |
28 | ## </desc> | |
29 | gen_tunable(cobbler_use_cifs, false) | |
30 | ||
31 | ## <desc> | |
32 | ## <p> | |
33 | ## Allow Cobbler to read, write, create and delete files on NFS file systems. | |
34 | ## </p> | |
35 | ## </desc> | |
36 | gen_tunable(cobbler_use_nfs, false) | |
37 | |
38 | type cobblerd_t; | |
39 | type cobblerd_exec_t; | |
40 | init_daemon_domain(cobblerd_t, cobblerd_exec_t) | |
41 | ||
42 | type cobblerd_initrc_exec_t; | |
43 | init_script_file(cobblerd_initrc_exec_t) | |
44 | ||
45 | type cobbler_etc_t; | |
46 | files_config_file(cobbler_etc_t) | |
47 | ||
48 | type cobbler_var_log_t; | |
49 | logging_log_file(cobbler_var_log_t) | |
50 | ||
51 | type cobbler_var_lib_t alias cobbler_content_t; |
52 | files_type(cobbler_var_lib_t) | |
53 | ||
54 | type cobbler_tmp_t; |
55 | files_tmp_file(cobbler_tmp_t) | |
56 | ||
57 | ######################################## |
58 | # | |
2968e068 | 59 | # Cobbler personal policy. |
60 | # |
61 | ||
62 | allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice }; |
63 | dontaudit cobblerd_t self:capability { sys_ptrace sys_tty_config }; | |
64 | ||
65 | allow cobblerd_t self:process { getsched setsched signal }; |
66 | allow cobblerd_t self:fifo_file rw_fifo_file_perms; | |
3eaa9939 | 67 | allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms; |
1031ee6f | 68 | allow cobblerd_t self:tcp_socket create_stream_socket_perms; |
69 | allow cobblerd_t self:udp_socket create_socket_perms; |
70 | allow cobblerd_t self:unix_dgram_socket create_socket_perms; | |
1031ee6f | 71 | |
a2524cfa | 72 | list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) |
73 | read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) |
74 | ||
75 | # Something running in the cobblerd_t domain tries to relabel cobbler_var_lib_t directories to httpd_sys_content_t; the relabel is still denied, only the audit message is suppressed.
76 | dontaudit cobblerd_t cobbler_var_lib_t:dir relabel_dir_perms; | |
3eaa9939 | 77 | |
78 | manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) |
79 | manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) | |
80 | manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) | |
81 | files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file lnk_file }) | |
82 | |
83 | # Something really needs plain write (not just append) access to cobbler.log, so "write" is allowed here in addition to the append rule below. Ideally this should not be happening: write lets the daemon overwrite existing log content, whereas append-only access would preserve the log's integrity. | |
84 | allow cobblerd_t cobbler_var_log_t:file write; | |
85 | |
86 | append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) | |
87 | create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) | |
88 | read_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) | |
89 | setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t) | |
90 | logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file) | |
91 | ||
92 | manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) |
93 | manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t) | |
94 | files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file }) | |
95 | ||
27eab81f | 96 | kernel_read_system_state(cobblerd_t) |
3eaa9939 | 97 | kernel_dontaudit_search_network_state(cobblerd_t) |
27eab81f | 98 | |
99 | corecmd_exec_bin(cobblerd_t) |
100 | corecmd_exec_shell(cobblerd_t) | |
101 | ||
102 | corenet_all_recvfrom_netlabel(cobblerd_t) | |
103 | corenet_all_recvfrom_unlabeled(cobblerd_t) | |
104 | corenet_sendrecv_cobbler_server_packets(cobblerd_t) |
105 | corenet_tcp_bind_cobbler_port(cobblerd_t) | |
106 | corenet_tcp_bind_generic_node(cobblerd_t) |
107 | corenet_tcp_sendrecv_generic_if(cobblerd_t) | |
108 | corenet_tcp_sendrecv_generic_node(cobblerd_t) | |
109 | corenet_tcp_sendrecv_generic_port(cobblerd_t) | |
3eaa9939 | 110 | corenet_tcp_sendrecv_cobbler_port(cobblerd_t) |
111 | # Sync and rsync to the FTP and HTTP ports are permitted unconditionally; for any other destination port, enable the cobbler_can_network_connect boolean (note that it opens connections to all TCP ports, not just the one needed). | |
112 | corenet_tcp_connect_ftp_port(cobblerd_t) | |
113 | corenet_tcp_sendrecv_ftp_port(cobblerd_t) | |
114 | corenet_sendrecv_ftp_client_packets(cobblerd_t) | |
115 | corenet_tcp_connect_http_port(cobblerd_t) | |
116 | corenet_tcp_sendrecv_http_port(cobblerd_t) | |
117 | corenet_sendrecv_http_client_packets(cobblerd_t) | |
118 | |
119 | dev_read_urand(cobblerd_t) | |
120 | ||
121 | domain_dontaudit_exec_all_entry_files(cobblerd_t) |
122 | domain_dontaudit_read_all_domains_state(cobblerd_t) | |
123 | ||
124 | files_read_etc_files(cobblerd_t) | |
125 | # /etc/mtab is labeled as an etc runtime file | |
126 | files_read_etc_runtime_files(cobblerd_t) | |
1031ee6f | 127 | files_read_usr_files(cobblerd_t) |
1031ee6f | 128 | files_list_boot(cobblerd_t) |
3eaa9939 | 129 | files_read_boot_files(cobblerd_t) |
1031ee6f | 130 | files_list_tmp(cobblerd_t) |
131 | |
132 | # read from mounted images (install media) | |
133 | fs_read_iso9660_files(cobblerd_t) | |
134 | ||
135 | init_dontaudit_read_all_script_files(cobblerd_t) | |
136 | ||
137 | term_use_console(cobblerd_t) | |
1031ee6f | 138 | |
139 | miscfiles_read_localization(cobblerd_t) |
140 | miscfiles_read_public_files(cobblerd_t) | |
141 | ||
142 | selinux_dontaudit_read_fs(cobblerd_t) |
143 | ||
144 | sysnet_read_config(cobblerd_t) |
145 | sysnet_rw_dhcp_config(cobblerd_t) | |
146 | sysnet_write_config(cobblerd_t) | |
147 | ||
148 | userdom_dontaudit_use_user_terminals(cobblerd_t) |
149 | userdom_dontaudit_search_user_home_dirs(cobblerd_t) | |
150 | userdom_dontaudit_search_admin_dir(cobblerd_t) | |
151 | ||
152 | tunable_policy(`cobbler_anon_write',` |
153 | miscfiles_manage_public_files(cobblerd_t) | |
154 | ') | |
155 | ||
156 | tunable_policy(`cobbler_can_network_connect',` |
157 | corenet_tcp_connect_all_ports(cobblerd_t) | |
158 | corenet_tcp_sendrecv_all_ports(cobblerd_t) | |
159 | corenet_sendrecv_all_client_packets(cobblerd_t) | |
160 | ') | |
161 | ||
162 | tunable_policy(`cobbler_use_cifs',` | |
163 | fs_manage_cifs_dirs(cobblerd_t) | |
164 | fs_manage_cifs_files(cobblerd_t) | |
165 | fs_manage_cifs_symlinks(cobblerd_t) | |
166 | ') | |
167 | ||
168 | tunable_policy(`cobbler_use_nfs',` | |
169 | fs_manage_nfs_dirs(cobblerd_t) | |
170 | fs_manage_nfs_files(cobblerd_t) | |
171 | fs_manage_nfs_symlinks(cobblerd_t) | |
172 | ') | |
173 | ||
174 | optional_policy(` | |
175 | # Cobbler traverses /var/www to get to /var/www/cobbler/* | |
176 | apache_search_sys_content(cobblerd_t) | |
177 | ') | |
178 | ||
179 | optional_policy(` |
180 | bind_read_config(cobblerd_t) | |
181 | bind_write_config(cobblerd_t) | |
182 | bind_domtrans_ndc(cobblerd_t) | |
183 | bind_domtrans(cobblerd_t) | |
184 | bind_initrc_domtrans(cobblerd_t) | |
185 | bind_manage_zone(cobblerd_t) | |
186 | ') | |
187 | ||
188 | optional_policy(` |
189 | certmaster_exec(cobblerd_t) | |
190 | ') | |
191 | ||
192 | optional_policy(` |
193 | dhcpd_domtrans(cobblerd_t) | |
194 | dhcpd_initrc_domtrans(cobblerd_t) | |
195 | ') | |
196 | ||
197 | optional_policy(` | |
198 | dnsmasq_domtrans(cobblerd_t) | |
199 | dnsmasq_initrc_domtrans(cobblerd_t) | |
200 | dnsmasq_write_config(cobblerd_t) | |
201 | ') | |
202 | ||
203 | optional_policy(` |
204 | gnome_dontaudit_search_config(cobblerd_t) | |
205 | ') | |
206 | ||
207 | optional_policy(` |
208 | rpm_exec(cobblerd_t) | |
209 | ') | |
210 | ||
211 | optional_policy(` | |
212 | rsync_exec(cobblerd_t) |
213 | rsync_manage_config(cobblerd_t) | |
214 | # Cobbler creates /etc/rsync.conf if it is not already there, so the new file must transition to the rsync config type. | |
215 | rsync_filetrans_config(cobblerd_t, file) | |
216 | ') |
217 | ||
218 | optional_policy(` | |
219 | # Cobbler puts objects in both /var/lib/tftpdir and /var/lib/tftpdir/images.
220 | # tftp_manage_rw_content(cobblerd_t) could be used instead of the filetrans below if: | |
221 | # 1. the cobbler package installs /var/lib/tftpdir/images, and | |
222 | # 2. no files in /var/lib/tftpdir are hard linked. | |
223 | # Cobbler also creates other directories in /var/lib/tftpdir (etc, s390x, ppc, pxelinux.cfg); | |
224 | # are any of those hard linked? | |
2968e068 | 225 | tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file }) |
1031ee6f | 226 | ') |
227 | |
228 | ######################################## | |
229 | # | |
230 | # Cobbler web local policy. | |
231 | # | |
232 | ||
233 | apache_content_template(cobbler) |
234 | manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) | |
235 | manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) |