[people/stevee/selinux-policy.git] / policy / modules / services / nut.te


policy_module(nut, 1.1.0)

########################################
#
# Declarations
#

type nut_conf_t;
files_config_file(nut_conf_t)

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

type nut_var_run_t;
files_pid_file(nut_var_run_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid dac_override };

allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;

allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(nut_upsd_t)

corenet_tcp_bind_ups_port(nut_upsd_t)
corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

files_read_usr_files(nut_upsd_t)

auth_use_nsswitch(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsmon_t self:tcp_socket create_socket_perms;

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)

corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)

# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
files_search_usr(nut_upsmon_t)

# /usr/bin/wall
term_write_all_terms(nut_upsmon_t)

# upsmon runs shutdown, probably need a shutdown domain
init_rw_utmp(nut_upsmon_t)
init_telinit(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)

auth_use_nsswitch(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)

mta_send_mail(nut_upsmon_t)

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(nut_upsdrvctl_t)

# /sbin/upsdrvctl executes other drivers
corecmd_exec_bin(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)

term_use_unallocated_ttys(nut_upsdrvctl_t)

auth_use_nsswitch(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

#######################################
#
# Local policy for upscgi scripts
# requires httpd_enable_cgi and httpd_can_network_connect
#

optional_policy(`
	apache_content_template(nutups_cgi)

	read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)

	corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
	corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
	corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
	corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
	corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
	corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
	corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
	corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)

	sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
')
Commit	Line	Data
e526fca1	1
29af4c13	2	policy_module(nut, 1.1.0)
e526fca1 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type nut_conf_t;
	10	files_config_file(nut_conf_t)
	11
	12	type nut_upsd_t;
	13	type nut_upsd_exec_t;
	14	init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
	15
	16	type nut_upsmon_t;
	17	type nut_upsmon_exec_t;
	18	init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
	19
	20	type nut_upsdrvctl_t;
	21	type nut_upsdrvctl_exec_t;
	22	init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
	23
	24	type nut_var_run_t;
	25	files_pid_file(nut_var_run_t)
	26
	27	########################################
	28	#
	29	# Local policy for upsd
	30	#
	31
f8b3b7fa JS	32	allow nut_upsd_t self:capability { setgid setuid dac_override };
f8b3b7fa JS	33
e526fca1 CP	34	allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
	35	allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
	36
	37	allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
	38
	39	read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
	40
	41	# pid file
	42	manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
	43	manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
	44	manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
	45	files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file })
	46
	47	kernel_read_kernel_sysctls(nut_upsd_t)
	48
	49	corenet_tcp_bind_ups_port(nut_upsd_t)
	50	corenet_tcp_bind_generic_port(nut_upsd_t)
	51	corenet_tcp_bind_all_nodes(nut_upsd_t)
	52
	53	files_read_usr_files(nut_upsd_t)
	54
	55	auth_use_nsswitch(nut_upsd_t)
	56
	57	logging_send_syslog_msg(nut_upsd_t)
	58
	59	miscfiles_read_localization(nut_upsd_t)
	60
	61	########################################
	62	#
	63	# Local policy for upsmon
	64	#
	65
	66	allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
	67	allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
	68	allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
	69	allow nut_upsmon_t self:tcp_socket create_socket_perms;
	70
	71	read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
	72
	73	# pid file
	74	manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
	75	manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
	76	files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
	77
	78	kernel_read_kernel_sysctls(nut_upsmon_t)
	79	kernel_read_system_state(nut_upsmon_t)
	80
	81	corecmd_exec_bin(nut_upsmon_t)
	82	corecmd_exec_shell(nut_upsmon_t)
	83
	84	corenet_tcp_connect_ups_port(nut_upsmon_t)
	85	corenet_tcp_connect_generic_port(nut_upsmon_t)
	86
	87	# Creates /etc/killpower
	88	files_manage_etc_runtime_files(nut_upsmon_t)
	89	files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
f8b3b7fa	90	files_search_usr(nut_upsmon_t)
e526fca1 CP	91
	92	# /usr/bin/wall
	93	term_write_all_terms(nut_upsmon_t)
	94
	95	# upsmon runs shutdown, probably need a shutdown domain
	96	init_rw_utmp(nut_upsmon_t)
	97	init_telinit(nut_upsmon_t)
	98
	99	logging_send_syslog_msg(nut_upsmon_t)
	100
	101	auth_use_nsswitch(nut_upsmon_t)
	102
	103	miscfiles_read_localization(nut_upsmon_t)
	104
f8b3b7fa JS	105	mta_send_mail(nut_upsmon_t)
f8b3b7fa JS	106
e526fca1 CP	107	########################################
	108	#
	109	# Local policy for upsdrvctl
	110	#
	111
	112	allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
	113	allow nut_upsdrvctl_t self:process { sigchld signal signull };
	114	allow nut_upsdrvctl_t self:fd use;
	115	allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
	116	allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
	117	allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
	118
	119	read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
	120
	121	# pid file
	122	manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
	123	manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
	124	manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
	125	files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
	126
	127	kernel_read_kernel_sysctls(nut_upsdrvctl_t)
	128
	129	# /sbin/upsdrvctl executes other drivers
	130	corecmd_exec_bin(nut_upsdrvctl_t)
	131
	132	dev_read_urand(nut_upsdrvctl_t)
	133	dev_rw_generic_usb_dev(nut_upsdrvctl_t)
	134
	135	term_use_unallocated_ttys(nut_upsdrvctl_t)
	136
	137	auth_use_nsswitch(nut_upsdrvctl_t)
	138
	139	init_sigchld(nut_upsdrvctl_t)
	140
	141	logging_send_syslog_msg(nut_upsdrvctl_t)
	142
	143	miscfiles_read_localization(nut_upsdrvctl_t)
	144
	145	#######################################
	146	#
	147	# Local policy for upscgi scripts
	148	# requires httpd_enable_cgi and httpd_can_network_connect
	149	#
	150
	151	optional_policy(`
	152	apache_content_template(nutups_cgi)
	153
	154	read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
	155
f8b3b7fa JS	156	corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
	157	corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
	158	corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
	159	corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
	160	corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
e526fca1	161	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
f8b3b7fa JS	162	corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
	163	corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
	164	corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
	165
	166	sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
e526fca1	167	')