policy_module(nut, 1.1.0)

########################################
#
# Declarations
#
# Network UPS Tools (NUT). Three daemon domains are declared here, each
# entered from init through its own executable type, plus a config file
# type and a runtime (pid/socket) file type shared by all of them.
#

# /etc/nut configuration, readable by every NUT domain below.
type nut_conf_t;
files_config_file(nut_conf_t)

# upsd: the network server that exposes UPS state to clients.
type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

# upsmon: the monitor that reacts to power events (notifications, shutdown).
type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

# upsdrvctl: the driver controller that launches the hardware drivers.
type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

# Runtime state under the pid directory: pid files and driver sockets.
type nut_var_run_t;
files_pid_file(nut_var_run_t)

########################################
#
# Local policy for upsd
#

# Privilege drop after start (setuid/setgid); dac_override lets the daemon
# bypass DAC checks on files it does not own.
# NOTE(review): dac_override is a broad capability; confirm it is still
# required rather than fixing ownership of the runtime directory.
allow nut_upsd_t self:capability { dac_override setgid setuid };

# Listening TCP socket plus a datagram socket (syslog-style sends).
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };

# upsd talks to the drivers over their unix stream sockets.
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)

# Pid file, runtime directory and driver socket files.
manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(nut_upsd_t)

# Listener: the dedicated UPS port, but also any generic port on any node.
# NOTE(review): bind_generic_port / bind_all_nodes are wider than the UPS
# port alone; confirm a non-default LISTEN configuration actually needs them.
corenet_tcp_bind_ups_port(nut_upsd_t)
corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

files_read_usr_files(nut_upsd_t)

auth_use_nsswitch(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

# Same privilege drop as upsd, plus dac_read_search for directory traversal.
allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
allow nut_upsmon_t self:tcp_socket create_socket_perms;
allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)

# Pid file only; upsmon owns no sockets in the runtime directory.
manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)

# NOTIFYCMD / SHUTDOWNCMD hooks run arbitrary binaries and shell scripts
# in this domain — there is no separate domain transition for them.
corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

# Client side of the upsd protocol (UPS port, or a generic port).
corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)

# Creates /etc/killpower (the flag file consumed at shutdown).
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
files_search_usr(nut_upsmon_t)

# /usr/bin/wall: broadcast warnings to every terminal.
term_write_all_terms(nut_upsmon_t)

# upsmon runs shutdown, probably need a shutdown domain
init_rw_utmp(nut_upsmon_t)
init_telinit(nut_upsmon_t)

auth_use_nsswitch(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)

# Mail notifications.
# NOTE(review): unlike the apache block below this call is not wrapped in
# optional_policy; confirm the mta module is always present in this build.
mta_send_mail(nut_upsmon_t)

########################################
#
# Local policy for upsdrvctl
#

# kill/signal perms: upsdrvctl starts and stops the driver processes.
allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)

# Driver pid files and the driver sockets upsd connects to.
manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(nut_upsdrvctl_t)

# /sbin/upsdrvctl executes the individual UPS drivers; they stay in this
# domain, so the driver permissions below are granted to upsdrvctl itself.
corecmd_exec_bin(nut_upsdrvctl_t)

# Hardware access for the drivers: USB UPS units and serial lines.
dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
term_use_unallocated_ttys(nut_upsdrvctl_t)

auth_use_nsswitch(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

########################################
#
# Local policy for upscgi scripts
#
# Only active when the apache module is loaded; at runtime it additionally
# requires the httpd_enable_cgi and httpd_can_network_connect booleans.
#

optional_policy(`
	apache_content_template(nutups_cgi)

	read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)

	# The CGI scripts are upsd clients; they may reach upsd on any host.
	# NOTE(review): tcp/udp sendrecv_all_ports is wider than the UPS port
	# connect rule; confirm the extra breadth is needed.
	corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
	corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
	corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
	corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
	corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
	corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
	corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
	corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)

	sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
')