#
# rhcs SELinux policy module (rhcs presumably expands to Red Hat Cluster
# Suite -- confirm). It creates one confined domain per cluster daemon via
# rhcs_domain_template (dlm_controld, fenced, foghorn, gfs_controld, groupd,
# qdiskd), gives each daemon its own local rules, and ends with a "common"
# section applied to every domain carrying the cluster_domain attribute.
# The template itself is defined in the module's .if file, which is not
# part of this listing; the rules below assume it declares <name>_t,
# <name>_exec_t and <name>_var_run_t for each daemon, since those types are
# referenced here without being declared in this file.
#
policy_module(rhcs, 1.1.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow fenced domain to connect to the network using TCP.
## </p>
## </desc>
# Defaults to off: without it, fenced's unconditional outbound TCP is
# limited to the http port (see the fenced section).
gen_tunable(fenced_can_network_connect, false)

## <desc>
## <p>
## Allow fenced domain to execute ssh.
## </p>
## </desc>
# Defaults to off: gates the ssh exec rules and the setuid/setgid
# capabilities granted to fenced_t further down.
gen_tunable(fenced_can_ssh, false)

# Attribute shared by every rhcs daemon domain; the "rhcs domains common
# policy" section at the end of this file targets it.
attribute cluster_domain;
# Declared here but not referenced anywhere in this file; presumably
# assigned to types by rhcs_domain_template in the .if file -- confirm.
attribute cluster_tmpfs;
attribute cluster_pid;

rhcs_domain_template(dlm_controld)

rhcs_domain_template(fenced)

# Lock-file type for fenced (files_lock_filetrans below creates it).
type fenced_lock_t;
files_lock_file(fenced_lock_t)

# Temporary-file type for fenced (files, fifos and dirs, see
# files_tmp_filetrans below).
type fenced_tmp_t;
files_tmp_file(fenced_tmp_t)

rhcs_domain_template(foghorn)

rhcs_domain_template(gfs_controld)

rhcs_domain_template(groupd)

rhcs_domain_template(qdiskd)

# Persistent state of qdiskd (files_var_lib_filetrans below creates it).
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)

# type for cluster lib files
# Managed by every cluster_domain member, see the common section.
type cluster_var_lib_t;
files_type(cluster_var_lib_t)

#####################################
#
# dlm_controld local policy
#

# net_admin and sys_admin are broad capabilities; they are granted on the
# daemon's own process only.  TODO confirm sys_admin is still required.
allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };

# Kernel uevent (netlink) socket.
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;

# Unix-socket connections to the fenced and groupd daemons through their
# run-time socket files.
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)

kernel_read_system_state(dlm_controld_t)
kernel_rw_net_sysctls(dlm_controld_t)

dev_rw_dlm_control(dlm_controld_t)
dev_rw_sysfs(dlm_controld_t)

# Full manage rights on configfs (presumably where the dlm kernel module
# is configured -- confirm).
fs_manage_configfs_files(dlm_controld_t)
fs_manage_configfs_dirs(dlm_controld_t)

init_rw_script_tmp_files(dlm_controld_t)

#######################################
#
# fenced local policy
#

# sys_rawio pairs with the storage_raw_* rules below.
allow fenced_t self:capability { sys_rawio sys_resource };
allow fenced_t self:process { getsched signal_perms };

allow fenced_t self:tcp_socket create_stream_socket_perms;
allow fenced_t self:udp_socket create_socket_perms;
allow fenced_t self:unix_stream_socket connectto;

# fenced may execute its own binary without a domain transition.
can_exec(fenced_t, fenced_exec_t)

manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)

manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })

stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)

kernel_read_system_state(fenced_t)

# Executes generic binaries and shells in its own domain (presumably the
# fence agents -- confirm); no transition, so they run as fenced_t.
corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)

corenet_udp_bind_ionixnetmon_port(fenced_t)
corenet_tcp_bind_zented_port(fenced_t)
# The only unconditional outbound TCP destination; every other port is
# behind the fenced_can_network_connect boolean below.
corenet_tcp_connect_http_port(fenced_t)

dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)

files_read_usr_symlinks(fenced_t)

# Raw block-device access: read/write of fixed disks and read of
# removable devices.  Broad by nature; presumably needed by storage-based
# fence agents (fence_scsi is mentioned below) -- confirm.
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
storage_raw_read_removable_device(fenced_t)

term_getattr_pty_fs(fenced_t)
term_use_ptmx(fenced_t)

auth_use_nsswitch(fenced_t)

# Opt-in (boolean defaults to false): outbound TCP to any port.
tunable_policy(`fenced_can_network_connect',`
	corenet_tcp_connect_all_ports(fenced_t)
')

# Opt-in (boolean defaults to false): run ssh, which here also brings the
# setuid/setgid capabilities and read access to users' ssh home files.
# The optional_policy wrapper only takes effect when the module providing
# the ssh_* interfaces is loaded.
optional_policy(`
	tunable_policy(`fenced_can_ssh',`

		allow fenced_t self:capability { setuid setgid };

		corenet_tcp_connect_ssh_port(fenced_t)

		ssh_exec(fenced_t)
		ssh_read_user_home_files(fenced_t)
	')
')

# needed by fence_scsi
optional_policy(`
	corosync_exec(fenced_t)
')

optional_policy(`
	ccs_read_config(fenced_t)
')

# lvm tools run in the lvm domain (domain transition), unlike
# gfs_controld below which executes them in its own domain.
optional_policy(`
	lvm_domtrans(fenced_t)
	lvm_read_config(fenced_t)
')

#######################################
#
# foghorn local policy
#

allow foghorn_t self:process { signal };
allow foghorn_t self:tcp_socket create_stream_socket_perms;
allow foghorn_t self:udp_socket create_socket_perms;

# AgentX is the SNMP sub-agent protocol; goes with the snmp rules below.
corenet_tcp_connect_agentx_port(foghorn_t)

dev_read_urand(foghorn_t)

files_read_etc_files(foghorn_t)
files_read_usr_files(foghorn_t)

optional_policy(`
	dbus_connect_system_bus(foghorn_t)
')

optional_policy(`
	snmp_read_snmp_var_lib_files(foghorn_t)
	snmp_stream_connect(foghorn_t)
')

######################################
#
# gfs_controld local policy
#

allow gfs_controld_t self:capability { net_admin sys_resource };
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;

# Talks to the other cluster daemons over their run-time unix sockets.
stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)

kernel_read_system_state(gfs_controld_t)

dev_rw_dlm_control(gfs_controld_t)
dev_setattr_dlm_control(gfs_controld_t)
dev_rw_sysfs(gfs_controld_t)

storage_getattr_removable_dev(gfs_controld_t)

init_rw_script_tmp_files(gfs_controld_t)

# lvm binaries execute in gfs_controld_t itself (no transition), with
# direct access to the lvm control device.
optional_policy(`
	lvm_exec(gfs_controld_t)
	dev_rw_lvm_control(gfs_controld_t)
')

#######################################
#
# groupd local policy
#

allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
allow groupd_t self:shm create_shm_perms;

# groupd launches fenced; the exec of fenced_exec_t transitions into
# fenced_t.
domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)

dev_list_sysfs(groupd_t)

files_read_etc_files(groupd_t)

init_rw_script_tmp_files(groupd_t)

######################################
#
# qdiskd local policy
#

# sys_boot permits reboot(2), so this domain can take the node down;
# ipc_lock permits locking memory.
allow qdiskd_t self:capability { ipc_lock sys_boot };
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;

manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })

kernel_read_system_state(qdiskd_t)
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)

corecmd_getattr_bin_files(qdiskd_t)
corecmd_exec_shell(qdiskd_t)

# Device discovery: list the device directory, stat every block/char
# node, and create/remove generic block and char nodes.  The manage
# rights are broad -- TODO confirm rw would not suffice.
dev_read_sysfs(qdiskd_t)
dev_list_all_dev_nodes(qdiskd_t)
dev_getattr_all_blk_files(qdiskd_t)
dev_getattr_all_chr_files(qdiskd_t)
dev_manage_generic_blk_files(qdiskd_t)
dev_manage_generic_chr_files(qdiskd_t)

# Suppress audit noise from stat()ing pipes and sockets it does not need.
domain_dontaudit_getattr_all_pipes(qdiskd_t)
domain_dontaudit_getattr_all_sockets(qdiskd_t)

files_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_pipes(qdiskd_t)
files_read_etc_files(qdiskd_t)

fs_list_hugetlbfs(qdiskd_t)

# Raw read/write of removable and fixed disks (presumably the quorum
# device itself -- confirm).
storage_raw_read_removable_device(qdiskd_t)
storage_raw_write_removable_device(qdiskd_t)
storage_raw_read_fixed_disk(qdiskd_t)
storage_raw_write_fixed_disk(qdiskd_t)

auth_use_nsswitch(qdiskd_t)

optional_policy(`
	netutils_domtrans_ping(qdiskd_t)
')

optional_policy(`
	udev_read_db(qdiskd_t)
')

#####################################
#
# rhcs domains common policy
#

# Everything below applies to every domain carrying cluster_domain.
allow cluster_domain self:capability sys_nice;
allow cluster_domain self:process setsched;
allow cluster_domain self:sem create_sem_perms;
allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
allow cluster_domain self:unix_dgram_socket create_socket_perms;

# Shared cluster state: every cluster daemon can create, modify and
# delete files and directories of this type.
manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)

logging_send_syslog_msg(cluster_domain)

miscfiles_read_localization(cluster_domain)

optional_policy(`
	ccs_stream_connect(cluster_domain)
')

optional_policy(`
	corosync_stream_connect(cluster_domain)
')

optional_policy(`
	dbus_system_bus_client(cluster_domain)
')