[people/stevee/selinux-policy.git] / policy / modules / services / glance.te

policy_module(glance, 1.0.0)

########################################
#
# Declarations
#

attribute glance_domain;

type glance_registry_t, glance_domain;
type glance_registry_exec_t;
init_daemon_domain(glance_registry_t, glance_registry_exec_t)

type glance_registry_initrc_exec_t;
init_script_file(glance_registry_initrc_exec_t)

type glance_registry_tmp_t;
files_tmp_file(glance_registry_tmp_t)

type glance_api_t, glance_domain;
type glance_api_exec_t;
init_daemon_domain(glance_api_t, glance_api_exec_t)

type glance_api_initrc_exec_t;
init_script_file(glance_api_initrc_exec_t)

type glance_log_t;
logging_log_file(glance_log_t)

type glance_var_lib_t;
files_type(glance_var_lib_t)

type glance_tmp_t;
files_tmp_file(glance_tmp_t)

type glance_var_run_t;
files_pid_file(glance_var_run_t)

#######################################
#
# glance general domain local policy
#

allow glance_domain self:fifo_file rw_fifo_file_perms;
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
allow glance_domain self:tcp_socket create_stream_socket_perms;

manage_dirs_pattern(glance_domain, glance_log_t, glance_log_t)
manage_files_pattern(glance_domain, glance_log_t, glance_log_t)

manage_dirs_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)

manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)

kernel_read_system_state(glance_domain)

corecmd_exec_bin(glance_domain)

dev_read_urand(glance_domain)

files_read_etc_files(glance_domain)
files_read_usr_files(glance_domain)

miscfiles_read_localization(glance_domain)

optional_policy(`
	sysnet_dns_name_resolve(glance_domain)
')

########################################
#
# glance-registry local policy
#

manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })

corenet_tcp_bind_generic_node(glance_registry_t)
corenet_tcp_bind_glance_registry_port(glance_registry_t)

########################################
#
# glance-api local policy
#

manage_dirs_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)

corecmd_exec_shell(glance_api_t)

corenet_tcp_bind_generic_node(glance_api_t)
corenet_tcp_bind_hplip_port(glance_api_t)
corenet_tcp_connect_glance_registry_port(glance_api_t)

dev_read_urand(glance_api_t)

fs_getattr_xattr_fs(glance_api_t)

libs_exec_ldconfig(glance_api_t)
Commit	Line	Data
b0de0be0 DW	1	policy_module(glance, 1.0.0)
	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
36bf2f79 MG	8	attribute glance_domain;
	9
	10	type glance_registry_t, glance_domain;
b0de0be0 DW	11	type glance_registry_exec_t;
	12	init_daemon_domain(glance_registry_t, glance_registry_exec_t)
	13
	14	type glance_registry_initrc_exec_t;
	15	init_script_file(glance_registry_initrc_exec_t)
	16
43228c85 MG	17	type glance_registry_tmp_t;
	18	files_tmp_file(glance_registry_tmp_t)
	19
36bf2f79	20	type glance_api_t, glance_domain;
b0de0be0 DW	21	type glance_api_exec_t;
	22	init_daemon_domain(glance_api_t, glance_api_exec_t)
	23
	24	type glance_api_initrc_exec_t;
	25	init_script_file(glance_api_initrc_exec_t)
	26
b0de0be0 DW	27	type glance_log_t;
	28	logging_log_file(glance_log_t)
	29
	30	type glance_var_lib_t;
	31	files_type(glance_var_lib_t)
	32
	33	type glance_tmp_t;
	34	files_tmp_file(glance_tmp_t)
	35
	36	type glance_var_run_t;
	37	files_pid_file(glance_var_run_t)
	38
36bf2f79	39	#######################################
b0de0be0	40	#
36bf2f79	41	# glance general domain local policy
b0de0be0 DW	42	#
b0de0be0 DW	43
36bf2f79 MG	44	allow glance_domain self:fifo_file rw_fifo_file_perms;
	45	allow glance_domain self:unix_stream_socket create_stream_socket_perms;
	46	allow glance_domain self:tcp_socket create_stream_socket_perms;
b0de0be0	47
36bf2f79 MG	48	manage_dirs_pattern(glance_domain, glance_log_t, glance_log_t)
36bf2f79 MG	49	manage_files_pattern(glance_domain, glance_log_t, glance_log_t)
43228c85	50
36bf2f79 MG	51	manage_dirs_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
36bf2f79 MG	52	manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
b0de0be0	53
36bf2f79 MG	54	manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
36bf2f79 MG	55	manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
b0de0be0	56
36bf2f79	57	kernel_read_system_state(glance_domain)
b0de0be0	58
36bf2f79	59	corecmd_exec_bin(glance_domain)
b0de0be0	60
36bf2f79	61	dev_read_urand(glance_domain)
b0de0be0	62
36bf2f79 MG	63	files_read_etc_files(glance_domain)
36bf2f79 MG	64	files_read_usr_files(glance_domain)
b0de0be0	65
36bf2f79	66	miscfiles_read_localization(glance_domain)
b0de0be0	67
36bf2f79 MG	68	optional_policy(`
	69	sysnet_dns_name_resolve(glance_domain)
	70	')
b0de0be0	71
36bf2f79 MG	72	########################################
	73	#
	74	# glance-registry local policy
	75	#
	76
	77	manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
	78	manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
	79	files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { file dir })
b0de0be0	80
36bf2f79 MG	81	corenet_tcp_bind_generic_node(glance_registry_t)
36bf2f79 MG	82	corenet_tcp_bind_glance_registry_port(glance_registry_t)
b0de0be0	83
b0de0be0 DW	84	########################################
	85	#
	86	# glance-api local policy
	87	#
	88
b0de0be0 DW	89	manage_dirs_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
	90	manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
	91	files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
	92	can_exec(glance_api_t, glance_tmp_t)
	93
b0de0be0 DW	94	corecmd_exec_shell(glance_api_t)
	95
	96	corenet_tcp_bind_generic_node(glance_api_t)
	97	corenet_tcp_bind_hplip_port(glance_api_t)
9761e98c	98	corenet_tcp_connect_glance_registry_port(glance_api_t)
b0de0be0 DW	99
	100	dev_read_urand(glance_api_t)
	101
43228c85 MG	102	fs_getattr_xattr_fs(glance_api_t)
43228c85 MG	103
b0de0be0	104	libs_exec_ldconfig(glance_api_t)