[people/stevee/selinux-policy.git] / policy / modules / services / rhcs.te

policy_module(rhcs, 1.1.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow fenced domain to connect to the network using TCP.
##	</p>
## </desc>
gen_tunable(fenced_can_network_connect, false)

## <desc>
##  <p>
##  Allow fenced domain to execute ssh.
##  </p>
## </desc>
gen_tunable(fenced_can_ssh, false)

attribute cluster_domain;
attribute cluster_tmpfs;
attribute cluster_pid;

rhcs_domain_template(dlm_controld)

rhcs_domain_template(fenced)

type fenced_lock_t;
files_lock_file(fenced_lock_t)

type fenced_tmp_t;
files_tmp_file(fenced_tmp_t)

rhcs_domain_template(foghorn)

rhcs_domain_template(gfs_controld)

rhcs_domain_template(groupd)

rhcs_domain_template(qdiskd)

type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)

# type for cluster lib files
type cluster_var_lib_t;
files_type(cluster_var_lib_t)

#####################################
#
# dlm_controld local policy
#

allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };

allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;

stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)

kernel_read_system_state(dlm_controld_t)
kernel_rw_net_sysctls(dlm_controld_t)

dev_rw_dlm_control(dlm_controld_t)
dev_rw_sysfs(dlm_controld_t)

fs_manage_configfs_files(dlm_controld_t)
fs_manage_configfs_dirs(dlm_controld_t)

init_rw_script_tmp_files(dlm_controld_t)

#######################################
#
# fenced local policy
#

allow fenced_t self:capability { sys_rawio sys_resource };
allow fenced_t self:process { getsched signal_perms };

allow fenced_t self:tcp_socket create_stream_socket_perms;
allow fenced_t self:udp_socket create_socket_perms;
allow fenced_t self:unix_stream_socket connectto;

can_exec(fenced_t, fenced_exec_t)

manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)

manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })

stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)

kernel_read_system_state(fenced_t)

corecmd_exec_bin(fenced_t)
corecmd_exec_shell(fenced_t)

corenet_udp_bind_ionixnetmon_port(fenced_t)
corenet_tcp_bind_zented_port(fenced_t)
corenet_tcp_connect_http_port(fenced_t)

dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)

files_read_usr_symlinks(fenced_t)

storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
storage_raw_read_removable_device(fenced_t)

term_getattr_pty_fs(fenced_t)
term_use_ptmx(fenced_t)

auth_use_nsswitch(fenced_t)

tunable_policy(`fenced_can_network_connect',`
	corenet_tcp_connect_all_ports(fenced_t)
')

optional_policy(`
	tunable_policy(`fenced_can_ssh',`

		allow fenced_t self:capability { setuid setgid };

		corenet_tcp_connect_ssh_port(fenced_t)

		ssh_exec(fenced_t)
		ssh_read_user_home_files(fenced_t)
	')
')

# needed by fence_scsi
optional_policy(`
	corosync_exec(fenced_t)
')

optional_policy(`
	ccs_read_config(fenced_t)
')

optional_policy(`
	lvm_domtrans(fenced_t)
	lvm_read_config(fenced_t)
')

#######################################
#
# foghorn local policy
#

allow foghorn_t self:process { signal };
allow foghorn_t self:tcp_socket create_stream_socket_perms;
allow foghorn_t self:udp_socket create_socket_perms;

corenet_tcp_connect_agentx_port(foghorn_t)

dev_read_urand(foghorn_t)

files_read_etc_files(foghorn_t)
files_read_usr_files(foghorn_t)

optional_policy(`
        dbus_connect_system_bus(foghorn_t)
')

optional_policy(`
		snmp_read_snmp_var_lib_files(foghorn_t)
		snmp_stream_connect(foghorn_t)
')

######################################
#
# gfs_controld local policy
#

allow gfs_controld_t self:capability { net_admin sys_resource };
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;

stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)

kernel_read_system_state(gfs_controld_t)

dev_rw_dlm_control(gfs_controld_t)
dev_setattr_dlm_control(gfs_controld_t)
dev_rw_sysfs(gfs_controld_t)

storage_getattr_removable_dev(gfs_controld_t)

init_rw_script_tmp_files(gfs_controld_t)

optional_policy(`
	lvm_exec(gfs_controld_t)
	dev_rw_lvm_control(gfs_controld_t)
')

#######################################
#
# groupd local policy
#

allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
allow groupd_t self:shm create_shm_perms;

domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)

dev_list_sysfs(groupd_t)

files_read_etc_files(groupd_t)

init_rw_script_tmp_files(groupd_t)

######################################
#
# qdiskd local policy
#

allow qdiskd_t self:capability { ipc_lock sys_boot };
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;

manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })

kernel_read_system_state(qdiskd_t)
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)

corecmd_getattr_bin_files(qdiskd_t)
corecmd_exec_shell(qdiskd_t)

dev_read_sysfs(qdiskd_t)
dev_list_all_dev_nodes(qdiskd_t)
dev_getattr_all_blk_files(qdiskd_t)
dev_getattr_all_chr_files(qdiskd_t)
dev_manage_generic_blk_files(qdiskd_t)
dev_manage_generic_chr_files(qdiskd_t)

domain_dontaudit_getattr_all_pipes(qdiskd_t)
domain_dontaudit_getattr_all_sockets(qdiskd_t)

files_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_pipes(qdiskd_t)
files_read_etc_files(qdiskd_t)

fs_list_hugetlbfs(qdiskd_t)

storage_raw_read_removable_device(qdiskd_t)
storage_raw_write_removable_device(qdiskd_t)
storage_raw_read_fixed_disk(qdiskd_t)
storage_raw_write_fixed_disk(qdiskd_t)

auth_use_nsswitch(qdiskd_t)

optional_policy(`
	netutils_domtrans_ping(qdiskd_t)
')

optional_policy(`
	udev_read_db(qdiskd_t)
')

#####################################
#
# rhcs domains common policy
#

allow cluster_domain self:capability sys_nice;
allow cluster_domain self:process setsched;
allow cluster_domain self:sem create_sem_perms;
allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
allow cluster_domain self:unix_dgram_socket create_socket_perms;

manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)

logging_send_syslog_msg(cluster_domain)

miscfiles_read_localization(cluster_domain)

optional_policy(`
	ccs_stream_connect(cluster_domain)
')

optional_policy(`
	corosync_stream_connect(cluster_domain)
')

optional_policy(`
	dbus_system_bus_client(cluster_domain)
')
Commit	Line	Data
538cf9ab JS	1	policy_module(rhcs, 1.1.0)
	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	## <desc>
1e2abee1 DG	9	## <p>
	10	## Allow fenced domain to connect to the network using TCP.
	11	## </p>
538cf9ab JS	12	## </desc>
	13	gen_tunable(fenced_can_network_connect, false)
	14
3b1e4e52 MG	15	## <desc>
	16	## <p>
	17	## Allow fenced domain to execute ssh.
	18	## </p>
	19	## </desc>
	20	gen_tunable(fenced_can_ssh, false)
	21
538cf9ab	22	attribute cluster_domain;
3eaa9939 DW	23	attribute cluster_tmpfs;
3eaa9939 DW	24	attribute cluster_pid;
538cf9ab JS	25
	26	rhcs_domain_template(dlm_controld)
	27
	28	rhcs_domain_template(fenced)
	29
	30	type fenced_lock_t;
	31	files_lock_file(fenced_lock_t)
	32
538cf9ab JS	33	type fenced_tmp_t;
	34	files_tmp_file(fenced_tmp_t)
	35
d5816b86	36	rhcs_domain_template(foghorn)
d5816b86	37
538cf9ab JS	38	rhcs_domain_template(gfs_controld)
	39
	40	rhcs_domain_template(groupd)
	41
	42	rhcs_domain_template(qdiskd)
	43
538cf9ab JS	44	type qdiskd_var_lib_t;
	45	files_type(qdiskd_var_lib_t)
	46
be5142fc MG	47	# type for cluster lib files
	48	type cluster_var_lib_t;
	49	files_type(cluster_var_lib_t)
	50
538cf9ab JS	51	#####################################
	52	#
	53	# dlm_controld local policy
	54	#
	55
	56	allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
	57
	58	allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
	59
	60	stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
	61	stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
	62
	63	kernel_read_system_state(dlm_controld_t)
d008218c	64	kernel_rw_net_sysctls(dlm_controld_t)
538cf9ab JS	65
	66	dev_rw_dlm_control(dlm_controld_t)
	67	dev_rw_sysfs(dlm_controld_t)
	68
	69	fs_manage_configfs_files(dlm_controld_t)
	70	fs_manage_configfs_dirs(dlm_controld_t)
	71
	72	init_rw_script_tmp_files(dlm_controld_t)
	73
538cf9ab JS	74	#######################################
	75	#
	76	# fenced local policy
	77	#
	78
	79	allow fenced_t self:capability { sys_rawio sys_resource };
3eaa9939	80	allow fenced_t self:process { getsched signal_perms };
538cf9ab JS	81
	82	allow fenced_t self:tcp_socket create_stream_socket_perms;
	83	allow fenced_t self:udp_socket create_socket_perms;
5aa3a839	84	allow fenced_t self:unix_stream_socket connectto;
538cf9ab JS	85
	86	can_exec(fenced_t, fenced_exec_t)
	87
	88	manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
	89	files_lock_filetrans(fenced_t, fenced_lock_t, file)
	90
538cf9ab JS	91	manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
	92	manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
	93	manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
	94	files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
	95
	96	stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
	97
3eaa9939 DW	98	kernel_read_system_state(fenced_t)
3eaa9939 DW	99
538cf9ab	100	corecmd_exec_bin(fenced_t)
3eaa9939	101	corecmd_exec_shell(fenced_t)
538cf9ab	102
ce14c83d	103	corenet_udp_bind_ionixnetmon_port(fenced_t)
d33b1baa	104	corenet_tcp_bind_zented_port(fenced_t)
538cf9ab JS	105	corenet_tcp_connect_http_port(fenced_t)
	106
	107	dev_read_sysfs(fenced_t)
	108	dev_read_urand(fenced_t)
	109
	110	files_read_usr_symlinks(fenced_t)
	111
	112	storage_raw_read_fixed_disk(fenced_t)
	113	storage_raw_write_fixed_disk(fenced_t)
	114	storage_raw_read_removable_device(fenced_t)
	115
	116	term_getattr_pty_fs(fenced_t)
	117	term_use_ptmx(fenced_t)
	118
	119	auth_use_nsswitch(fenced_t)
	120
	121	tunable_policy(`fenced_can_network_connect',`
	122	corenet_tcp_connect_all_ports(fenced_t)
	123	')
	124
8592bbd7 DG	125	optional_policy(`
8592bbd7 DG	126	tunable_policy(`fenced_can_ssh',`
3b1e4e52	127
8592bbd7	128	allow fenced_t self:capability { setuid setgid };
3b1e4e52	129
8592bbd7	130	corenet_tcp_connect_ssh_port(fenced_t)
3b1e4e52	131
3b1e4e52 MG	132	ssh_exec(fenced_t)
3b1e4e52 MG	133	ssh_read_user_home_files(fenced_t)
8592bbd7	134	')
3b1e4e52 MG	135	')
3b1e4e52 MG	136
be5142fc MG	137	# needed by fence_scsi
be5142fc MG	138	optional_policy(`
1e2abee1	139	corosync_exec(fenced_t)
be5142fc MG	140	')
be5142fc MG	141
538cf9ab JS	142	optional_policy(`
538cf9ab JS	143	ccs_read_config(fenced_t)
538cf9ab JS	144	')
	145
	146	optional_policy(`
	147	lvm_domtrans(fenced_t)
	148	lvm_read_config(fenced_t)
	149	')
	150
d5816b86 MG	151	#######################################
	152	#
	153	# foghorn local policy
	154	#
	155
	156	allow foghorn_t self:process { signal };
198e9346	157	allow foghorn_t self:tcp_socket create_stream_socket_perms;
9d130133 MG	158	allow foghorn_t self:udp_socket create_socket_perms;
9d130133 MG	159
198e9346 MG	160	corenet_tcp_connect_agentx_port(foghorn_t)
198e9346 MG	161
9d130133	162	dev_read_urand(foghorn_t)
d5816b86 MG	163
d5816b86 MG	164	files_read_etc_files(foghorn_t)
9d130133	165	files_read_usr_files(foghorn_t)
d5816b86 MG	166
	167	optional_policy(`
	168	dbus_connect_system_bus(foghorn_t)
	169	')
	170
	171	optional_policy(`
1fd2af3e	172	snmp_read_snmp_var_lib_files(foghorn_t)
9d130133	173	snmp_stream_connect(foghorn_t)
d5816b86 MG	174	')
d5816b86 MG	175
538cf9ab JS	176	######################################
	177	#
	178	# gfs_controld local policy
	179	#
	180
	181	allow gfs_controld_t self:capability { net_admin sys_resource };
538cf9ab JS	182	allow gfs_controld_t self:shm create_shm_perms;
	183	allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
	184
	185	stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
	186	stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
	187	stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
	188
	189	kernel_read_system_state(gfs_controld_t)
	190
	191	dev_rw_dlm_control(gfs_controld_t)
	192	dev_setattr_dlm_control(gfs_controld_t)
	193	dev_rw_sysfs(gfs_controld_t)
	194
	195	storage_getattr_removable_dev(gfs_controld_t)
	196
	197	init_rw_script_tmp_files(gfs_controld_t)
	198
538cf9ab JS	199	optional_policy(`
	200	lvm_exec(gfs_controld_t)
	201	dev_rw_lvm_control(gfs_controld_t)
	202	')
	203
	204	#######################################
	205	#
	206	# groupd local policy
	207	#
	208
	209	allow groupd_t self:capability { sys_nice sys_resource };
	210	allow groupd_t self:process setsched;
538cf9ab JS	211	allow groupd_t self:shm create_shm_perms;
538cf9ab JS	212
5aa3a839 MG	213	domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
5aa3a839 MG	214
538cf9ab JS	215	dev_list_sysfs(groupd_t)
	216
	217	files_read_etc_files(groupd_t)
	218
	219	init_rw_script_tmp_files(groupd_t)
	220
	221	######################################
	222	#
	223	# qdiskd local policy
	224	#
	225
3eaa9939	226	allow qdiskd_t self:capability { ipc_lock sys_boot };
538cf9ab JS	227	allow qdiskd_t self:tcp_socket create_stream_socket_perms;
	228	allow qdiskd_t self:udp_socket create_socket_perms;
	229
	230	manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
	231	manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
	232	manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
	233	files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
	234
	235	kernel_read_system_state(qdiskd_t)
	236	kernel_read_software_raid_state(qdiskd_t)
	237	kernel_getattr_core_if(qdiskd_t)
	238
	239	corecmd_getattr_bin_files(qdiskd_t)
	240	corecmd_exec_shell(qdiskd_t)
	241
	242	dev_read_sysfs(qdiskd_t)
	243	dev_list_all_dev_nodes(qdiskd_t)
	244	dev_getattr_all_blk_files(qdiskd_t)
	245	dev_getattr_all_chr_files(qdiskd_t)
	246	dev_manage_generic_blk_files(qdiskd_t)
	247	dev_manage_generic_chr_files(qdiskd_t)
	248
	249	domain_dontaudit_getattr_all_pipes(qdiskd_t)
	250	domain_dontaudit_getattr_all_sockets(qdiskd_t)
	251
	252	files_dontaudit_getattr_all_sockets(qdiskd_t)
	253	files_dontaudit_getattr_all_pipes(qdiskd_t)
	254	files_read_etc_files(qdiskd_t)
	255
19e736ac DW	256	fs_list_hugetlbfs(qdiskd_t)
19e736ac DW	257
538cf9ab JS	258	storage_raw_read_removable_device(qdiskd_t)
	259	storage_raw_write_removable_device(qdiskd_t)
	260	storage_raw_read_fixed_disk(qdiskd_t)
	261	storage_raw_write_fixed_disk(qdiskd_t)
	262
	263	auth_use_nsswitch(qdiskd_t)
	264
538cf9ab JS	265	optional_policy(`
	266	netutils_domtrans_ping(qdiskd_t)
	267	')
	268
	269	optional_policy(`
	270	udev_read_db(qdiskd_t)
	271	')
	272
	273	#####################################
	274	#
	275	# rhcs domains common policy
	276	#
	277
a25335e1	278	allow cluster_domain self:capability sys_nice;
538cf9ab	279	allow cluster_domain self:process setsched;
538cf9ab JS	280	allow cluster_domain self:sem create_sem_perms;
	281	allow cluster_domain self:fifo_file rw_fifo_file_perms;
	282	allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
	283	allow cluster_domain self:unix_dgram_socket create_socket_perms;
	284
be5142fc MG	285	manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
	286	manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
	287
538cf9ab JS	288	logging_send_syslog_msg(cluster_domain)
	289
	290	miscfiles_read_localization(cluster_domain)
	291
3eaa9939 DW	292	optional_policy(`
	293	ccs_stream_connect(cluster_domain)
	294	')
	295
538cf9ab JS	296	optional_policy(`
	297	corosync_stream_connect(cluster_domain)
	298	')
4506a16b DW	299
	300	optional_policy(`
	301	dbus_system_bus_client(cluster_domain)
	302	')