## <summary>policy for glance</summary>

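########################################
## <summary>
##	Execute the glance registry in the glance registry domain.
## </summary>
## <desc>
##	<p>
##	Sets up an automatic domain transition from the caller to
##	glance_registry_t when a file labelled glance_registry_exec_t
##	is executed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`glance_domtrans_registry',`
	gen_require(`
		type glance_registry_t, glance_registry_exec_t;
	')

	# The caller needs to traverse the bin directories to reach the
	# entry point before the transition can happen.
	corecmd_search_bin($1)
	# Grants execute on the entry point, transition to the target domain
	# and the type_transition that makes the transition automatic.
	domtrans_pattern($1, glance_registry_exec_t, glance_registry_t)
')
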
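########################################
## <summary>
##	Execute the glance API server in the glance API domain.
## </summary>
## <desc>
##	<p>
##	Sets up an automatic domain transition from the caller to
##	glance_api_t when a file labelled glance_api_exec_t is executed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`glance_domtrans_api',`
	gen_require(`
		type glance_api_t, glance_api_exec_t;
	')

	# The caller needs to traverse the bin directories to reach the
	# entry point before the transition can happen.
	corecmd_search_bin($1)
	# Grants execute on the entry point, transition to the target domain
	# and the type_transition that makes the transition automatic.
	domtrans_pattern($1, glance_api_exec_t, glance_api_t)
')
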
########################################
## <summary>
##	Read the log files of glance.
## </summary>
## <desc>
##	<p>
##	Read-only access to files and directories labelled glance_log_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`glance_read_log',`
	gen_require(`
		type glance_log_t;
	')

	# Traverse the log directory tree, then read glance_log_t entries.
	logging_search_logs($1)
	read_files_pattern($1, glance_log_t, glance_log_t)
')

########################################
## <summary>
##	Append to the log files of glance.
## </summary>
## <desc>
##	<p>
##	Append-only access to files labelled glance_log_t; no read,
##	write or create permission is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_append_log',`
	gen_require(`
		type glance_log_t;
	')

	# Traverse the log directory tree, then append to glance_log_t files.
	logging_search_logs($1)
	append_files_pattern($1, glance_log_t, glance_log_t)
')

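########################################
## <summary>
##	Create, read, write, and delete glance log files.
## </summary>
## <desc>
##	<p>
##	Full management of directories, regular files and symbolic links
##	labelled glance_log_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_manage_log',`
	gen_require(`
		type glance_log_t;
	')

	# Traverse the log directory tree first; each manage pattern below
	# covers one object class so that dirs, files and symlinks are all
	# manageable.
	logging_search_logs($1)
	manage_dirs_pattern($1, glance_log_t, glance_log_t)
	manage_files_pattern($1, glance_log_t, glance_log_t)
	manage_lnk_files_pattern($1, glance_log_t, glance_log_t)
')
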
########################################
## <summary>
##	Search the glance lib directories.
## </summary>
## <desc>
##	<p>
##	Directory search (traversal) only; no file access is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_search_lib',`
	gen_require(`
		type glance_var_lib_t;
	')

	# Search on the parent /var/lib tree, then on glance_var_lib_t itself.
	files_search_var_lib($1)
	allow $1 glance_var_lib_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read the lib files of glance.
## </summary>
## <desc>
##	<p>
##	Read-only access to regular files labelled glance_var_lib_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_read_lib_files',`
	gen_require(`
		type glance_var_lib_t;
	')

	# Traverse /var/lib, then read glance_var_lib_t files.
	files_search_var_lib($1)
	read_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
')

########################################
## <summary>
##	Create, read, write, and delete glance lib files.
## </summary>
## <desc>
##	<p>
##	Full management of regular files labelled glance_var_lib_t.
##	Directories are not covered; see glance_manage_lib_dirs.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_manage_lib_files',`
	gen_require(`
		type glance_var_lib_t;
	')

	# Traverse /var/lib, then manage glance_var_lib_t files.
	files_search_var_lib($1)
	manage_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
')

########################################
## <summary>
##	Create, read, write, and delete glance lib directories.
## </summary>
## <desc>
##	<p>
##	Full management of directories labelled glance_var_lib_t.
##	Regular files are not covered; see glance_manage_lib_files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_manage_lib_dirs',`
	gen_require(`
		type glance_var_lib_t;
	')

	# Traverse /var/lib, then manage glance_var_lib_t directories.
	files_search_var_lib($1)
	manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t)
')

########################################
## <summary>
##	Read the PID files of glance.
## </summary>
## <desc>
##	<p>
##	Read-only access to regular files labelled glance_var_run_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_read_pid_files',`
	gen_require(`
		type glance_var_run_t;
	')

	# Traverse the runtime (pid) directory, then read glance_var_run_t files.
	files_search_pids($1)
	read_files_pattern($1, glance_var_run_t, glance_var_run_t)
')

########################################
## <summary>
##	Create, read, write, and delete glance PID files.
## </summary>
## <desc>
##	<p>
##	Full management of regular files labelled glance_var_run_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`glance_manage_pid_files',`
	gen_require(`
		type glance_var_run_t;
	')

	# Traverse the runtime (pid) directory, then manage glance_var_run_t files.
	files_search_pids($1)
	manage_files_pattern($1, glance_var_run_t, glance_var_run_t)
')

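########################################
## <summary>
##	All of the rules required to administrate
##	a glance environment.
## </summary>
## <desc>
##	<p>
##	Grants the administrative domain signal and ps-style visibility
##	over both glance daemons, the ability to run their init scripts
##	and enter system_r, and full management of the glance log, lib
##	and PID files. ptrace on the daemons is granted only while the
##	deny_ptrace boolean is off.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`glance_admin',`
	gen_require(`
		type glance_registry_t, glance_api_t, glance_log_t;
		type glance_var_lib_t, glance_var_run_t;
		type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
	')

	# Process control and /proc visibility for the registry daemon.
	allow $1 glance_registry_t:process signal_perms;
	ps_process_pattern($1, glance_registry_t)

	# ptrace is a debugging aid and is only granted in the false branch,
	# i.e. when the deny_ptrace boolean is not set.
	tunable_policy(`deny_ptrace',`',`
		allow $1 glance_registry_t:process ptrace;
		allow $1 glance_api_t:process ptrace;
	')

	# Process control and /proc visibility for the API daemon.
	allow $1 glance_api_t:process signal_perms;
	ps_process_pattern($1, glance_api_t)

	# Run the registry init script; the role transition lets $2 reach
	# system_r, and the exemption lets $1 change into a system domain.
	init_labeled_script_domtrans($1, glance_registry_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 glance_registry_initrc_exec_t system_r;
	allow $2 system_r;

	# Run the API init script; the system_r allow above covers this
	# transition too.
	init_labeled_script_domtrans($1, glance_api_initrc_exec_t)
	role_transition $2 glance_api_initrc_exec_t system_r;

	# Full administration of the on-disk state, one tree at a time.
	logging_search_logs($1)
	admin_pattern($1, glance_log_t)

	files_search_var_lib($1)
	admin_pattern($1, glance_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, glance_var_run_t)
')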