[people/stevee/selinux-policy.git] / policy / modules / services / glance.if


## <summary>policy for glance</summary>

########################################
## <summary>
##	Transition to glance.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`glance_domtrans_registry',`
	gen_require(`
		type glance_registry_t, glance_registry_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, glance_registry_exec_t, glance_registry_t)
')

########################################
## <summary>
##	Transition to glance.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`glance_domtrans_api',`
	gen_require(`
		type glance_api_t, glance_api_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, glance_api_exec_t, glance_api_t)
')

########################################
## <summary>
##	Read glance's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`glance_read_log',`
	gen_require(`
		type glance_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, glance_log_t, glance_log_t)
')

########################################
## <summary>
##	Append to glance log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_append_log',`
	gen_require(`
		type glance_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, glance_log_t, glance_log_t)
')

########################################
## <summary>
##	Manage glance log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_manage_log',`
	gen_require(`
		type glance_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, glance_log_t, glance_log_t)
	manage_files_pattern($1, glance_log_t, glance_log_t)
	manage_lnk_files_pattern($1, glance_log_t, glance_log_t)
')

########################################
## <summary>
##	Search glance lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_search_lib',`
	gen_require(`
		type glance_var_lib_t;
	')

	allow $1 glance_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
')

########################################
## <summary>
##	Read glance lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_read_lib_files',`
	gen_require(`
		type glance_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
')

########################################
## <summary>
##	Manage glance lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_manage_lib_files',`
	gen_require(`
		type glance_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
')

########################################
## <summary>
##	Manage glance lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_manage_lib_dirs',`
	gen_require(`
		type glance_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t)
')


########################################
## <summary>
##	Read glance PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_read_pid_files',`
	gen_require(`
		type glance_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, glance_var_run_t, glance_var_run_t)
')

########################################
## <summary>
##	Manage glance PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_manage_pid_files',`
	gen_require(`
		type glance_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, glance_var_run_t, glance_var_run_t)
')


########################################
## <summary>
##	All of the rules required to administrate
##	an glance environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`glance_admin',`
	gen_require(`
		type glance_registry_t, glance_api_t, glance_log_t;
		type glance_var_lib_t, glance_var_run_t;
		type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
	')

	allow $1 glance_registry_t:process signal_perms;
	ps_process_pattern($1, glance_registry_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 glance_registry_t:process ptrace;
		allow $1 glance_api_t:process ptrace;
	')

	allow $1 glance_api_t:process signal_perms;
	ps_process_pattern($1, glance_api_t)

	init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 glance_registry_initrc_exec_t system_r;
	allow $2 system_r;

	init_labeled_script_domtrans($1, glance_api_initrc_exec_t)
	role_transition $2 glance_api_initrc_exec_t system_r;

	logging_search_logs($1)
	admin_pattern($1, glance_log_t)

	files_search_var_lib($1)
	admin_pattern($1, glance_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, glance_var_run_t)
')
Commit	Line	Data
b0de0be0 DW	1
	2	## <summary>policy for glance</summary>
	3
b0de0be0 DW	4	########################################
	5	## <summary>
	6	## Transition to glance.
	7	## </summary>
	8	## <param name="domain">
	9	## <summary>
	10	## Domain allowed to transition.
	11	## </summary>
	12	## </param>
	13	#
	14	interface(`glance_domtrans_registry',`
	15	gen_require(`
	16	type glance_registry_t, glance_registry_exec_t;
	17	')
	18
	19	corecmd_search_bin($1)
	20	domtrans_pattern($1, glance_registry_exec_t, glance_registry_t)
	21	')
	22
	23	########################################
	24	## <summary>
	25	## Transition to glance.
	26	## </summary>
	27	## <param name="domain">
	28	## <summary>
	29	## Domain allowed to transition.
	30	## </summary>
	31	## </param>
	32	#
	33	interface(`glance_domtrans_api',`
	34	gen_require(`
	35	type glance_api_t, glance_api_exec_t;
	36	')
	37
	38	corecmd_search_bin($1)
	39	domtrans_pattern($1, glance_api_exec_t, glance_api_t)
	40	')
	41
b0de0be0 DW	42	########################################
	43	## <summary>
	44	## Read glance's log files.
	45	## </summary>
	46	## <param name="domain">
	47	## <summary>
	48	## Domain allowed access.
	49	## </summary>
	50	## </param>
	51	## <rolecap/>
	52	#
	53	interface(`glance_read_log',`
	54	gen_require(`
	55	type glance_log_t;
	56	')
	57
	58	logging_search_logs($1)
	59	read_files_pattern($1, glance_log_t, glance_log_t)
	60	')
	61
	62	########################################
	63	## <summary>
	64	## Append to glance log files.
	65	## </summary>
	66	## <param name="domain">
	67	## <summary>
	68	## Domain allowed access.
	69	## </summary>
	70	## </param>
	71	#
	72	interface(`glance_append_log',`
	73	gen_require(`
	74	type glance_log_t;
	75	')
	76
	77	logging_search_logs($1)
	78	append_files_pattern($1, glance_log_t, glance_log_t)
	79	')
	80
	81	########################################
	82	## <summary>
	83	## Manage glance log files
	84	## </summary>
	85	## <param name="domain">
	86	## <summary>
	87	## Domain allowed access.
	88	## </summary>
	89	## </param>
	90	#
	91	interface(`glance_manage_log',`
	92	gen_require(`
	93	type glance_log_t;
	94	')
	95
	96	logging_search_logs($1)
	97	manage_dirs_pattern($1, glance_log_t, glance_log_t)
	98	manage_files_pattern($1, glance_log_t, glance_log_t)
	99	manage_lnk_files_pattern($1, glance_log_t, glance_log_t)
	100	')
	101
	102	########################################
	103	## <summary>
	104	## Search glance lib directories.
	105	## </summary>
106	## <param name="domain">
107	## <summary>
108	## Domain allowed access.
109	## </summary>
110	## </param>
111	#
112	interface(`glance_search_lib',`
113	gen_require(`
114	type glance_var_lib_t;
115	')
116
117	allow $1 glance_var_lib_t:dir search_dir_perms;
118	files_search_var_lib($1)
119	')
120
121	########################################
122	## <summary>
123	## Read glance lib files.
124	## </summary>
125	## <param name="domain">
126	## <summary>
127	## Domain allowed access.
128	## </summary>
129	## </param>
130	#
131	interface(`glance_read_lib_files',`
132	gen_require(`
133	type glance_var_lib_t;
134	')
135
136	files_search_var_lib($1)
137	read_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
138	')
139
140	########################################
141	## <summary>
142	## Manage glance lib files.
143	## </summary>
144	## <param name="domain">
145	## <summary>
146	## Domain allowed access.
147	## </summary>
148	## </param>
149	#
150	interface(`glance_manage_lib_files',`
151	gen_require(`
152	type glance_var_lib_t;
153	')
154
155	files_search_var_lib($1)
156	manage_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
157	')
158
159	########################################
160	## <summary>
161	## Manage glance lib directories.
162	## </summary>
163	## <param name="domain">
164	## <summary>
165	## Domain allowed access.
166	## </summary>
167	## </param>
168	#
169	interface(`glance_manage_lib_dirs',`
170	gen_require(`
171	type glance_var_lib_t;
172	')
173
174	files_search_var_lib($1)
175	manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t)
176	')
177
178
179	########################################
180	## <summary>
181	## Read glance PID files.
182	## </summary>
183	## <param name="domain">
184	## <summary>
185	## Domain allowed access.
186	## </summary>
187	## </param>
188	#
189	interface(`glance_read_pid_files',`
190	gen_require(`
191	type glance_var_run_t;
192	')
193
194	files_search_pids($1)
195	read_files_pattern($1, glance_var_run_t, glance_var_run_t)
196	')
197
198	########################################
199	## <summary>
200	## Manage glance PID files.
201	## </summary>
202	## <param name="domain">
203	## <summary>
204	## Domain allowed access.
205	## </summary>
206	## </param>
207	#
208	interface(`glance_manage_pid_files',`
209	gen_require(`
210	type glance_var_run_t;
211	')
212
213	files_search_pids($1)
214	manage_files_pattern($1, glance_var_run_t, glance_var_run_t)
215	')
216
217
218	########################################
219	## <summary>
220	## All of the rules required to administrate
221	## an glance environment
222	## </summary>
223	## <param name="domain">
224	## <summary>
225	## Domain allowed access.
226	## </summary>
227	## </param>
228	## <param name="role">
229	## <summary>
230	## Role allowed access.
231	## </summary>
232	## </param>
233	## <rolecap/>
234	#
235	interface(`glance_admin',`
236	gen_require(`
0703a8c8 DW	237	type glance_registry_t, glance_api_t, glance_log_t;
	238	type glance_var_lib_t, glance_var_run_t;
	239	type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
b0de0be0 DW	240	')
b0de0be0 DW	241
995bdbb1	242	allow $1 glance_registry_t:process signal_perms;
b0de0be0	243	ps_process_pattern($1, glance_registry_t)
995bdbb1	244	tunable_policy(`deny_ptrace',`',`
	245	allow $1 glance_registry_t:process ptrace;
	246	allow $1 glance_api_t:process ptrace;
	247	')
b0de0be0	248
995bdbb1	249	allow $1 glance_api_t:process signal_perms;
b0de0be0 DW	250	ps_process_pattern($1, glance_api_t)
	251
	252	init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)
	253	domain_system_change_exemption($1)
	254	role_transition $2 glance_registry_initrc_exec_t system_r;
	255	allow $2 system_r;
	256
	257	init_labeled_script_domtrans($1, glance_api_initrc_exec_t)
	258	role_transition $2 glance_api_initrc_exec_t system_r;
	259
	260	logging_search_logs($1)
	261	admin_pattern($1, glance_log_t)
	262
	263	files_search_var_lib($1)
	264	admin_pattern($1, glance_var_lib_t)
	265
	266	files_search_pids($1)
	267	admin_pattern($1, glance_var_run_t)
b0de0be0	268	')