[people/stevee/selinux-policy.git] / policy / modules / services / ricci.te


policy_module(ricci, 1.7.0)

########################################
#
# Declarations
#

type ricci_t;
type ricci_exec_t;
domain_type(ricci_t)
init_daemon_domain(ricci_t, ricci_exec_t)

type ricci_tmp_t;
files_tmp_file(ricci_tmp_t)

type ricci_var_lib_t;
files_type(ricci_var_lib_t)

type ricci_var_log_t;
logging_log_file(ricci_var_log_t)

type ricci_var_run_t;
files_pid_file(ricci_var_run_t)

type ricci_modcluster_t;
type ricci_modcluster_exec_t;
domain_type(ricci_modcluster_t)
domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
role system_r types ricci_modcluster_t;

type ricci_modcluster_var_lib_t;
files_type(ricci_modcluster_var_lib_t)

type ricci_modcluster_var_log_t;
logging_log_file(ricci_modcluster_var_log_t)

type ricci_modcluster_var_run_t;
files_pid_file(ricci_modcluster_var_run_t)

type ricci_modclusterd_t;
type ricci_modclusterd_exec_t;
domain_type(ricci_modclusterd_t)
init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)

type ricci_modlog_t;
type ricci_modlog_exec_t;
domain_type(ricci_modlog_t)
domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
role system_r types ricci_modlog_t;

type ricci_modrpm_t;
type ricci_modrpm_exec_t;
domain_type(ricci_modrpm_t)
domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
role system_r types ricci_modrpm_t;

type ricci_modservice_t;
type ricci_modservice_exec_t;
domain_type(ricci_modservice_t)
domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
role system_r types ricci_modservice_t;

type ricci_modstorage_t;
type ricci_modstorage_exec_t;
domain_type(ricci_modstorage_t)
domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
role system_r types ricci_modstorage_t;

type ricci_modstorage_lock_t;
files_lock_file(ricci_modstorage_lock_t)

########################################
#
# ricci local policy
#

allow ricci_t self:capability { setuid sys_nice sys_boot };
allow ricci_t self:process setsched;
allow ricci_t self:fifo_file rw_fifo_file_perms;
allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ricci_t self:tcp_socket create_stream_socket_perms;

domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t)
domain_auto_trans(ricci_t, ricci_modlog_exec_t, ricci_modlog_t)
domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)

manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })

manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })

allow ricci_t ricci_var_log_t:dir setattr;
manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })

manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(ricci_t)

corecmd_exec_bin(ricci_t)

corenet_all_recvfrom_unlabeled(ricci_t)
corenet_all_recvfrom_netlabel(ricci_t)
corenet_tcp_sendrecv_generic_if(ricci_t)
corenet_tcp_sendrecv_generic_node(ricci_t)
corenet_tcp_sendrecv_all_ports(ricci_t)
corenet_tcp_bind_generic_node(ricci_t)
corenet_udp_bind_generic_node(ricci_t)
corenet_tcp_bind_ricci_port(ricci_t)
corenet_udp_bind_ricci_port(ricci_t)
corenet_tcp_connect_http_port(ricci_t)

dev_read_urand(ricci_t)

domain_read_all_domains_state(ricci_t)

files_read_etc_files(ricci_t)
files_read_etc_runtime_files(ricci_t)
files_create_boot_flag(ricci_t)

auth_domtrans_chk_passwd(ricci_t)
auth_append_login_records(ricci_t)

init_stream_connect_script(ricci_t)

locallogin_dontaudit_use_fds(ricci_t)

logging_send_syslog_msg(ricci_t)

miscfiles_read_localization(ricci_t)

sysnet_dns_name_resolve(ricci_t)

optional_policy(`
	ccs_read_config(ricci_t)
')

optional_policy(`
	dbus_system_bus_client(ricci_t)

	oddjob_dbus_chat(ricci_t)
')

optional_policy(`
	# Needed so oddjob can run halt/reboot on behalf of ricci
	corecmd_bin_entry_type(ricci_t)
	term_dontaudit_search_ptys(ricci_t)
	init_exec(ricci_t)
	init_telinit(ricci_t)
	init_rw_utmp(ricci_t)

	oddjob_system_entry(ricci_t, ricci_exec_t)
')

optional_policy(`
	rpm_use_script_fds(ricci_t)
')

optional_policy(`
	sasl_connect(ricci_t)
')

optional_policy(`
	unconfined_use_fds(ricci_t)
')

optional_policy(`
	xen_domtrans_xm(ricci_t)
')

########################################
#
# ricci_modcluster local policy
#

allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
allow ricci_modcluster_t self:process setsched;
allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;

kernel_read_kernel_sysctls(ricci_modcluster_t)
kernel_read_system_state(ricci_modcluster_t)

corecmd_exec_shell(ricci_modcluster_t)
corecmd_exec_bin(ricci_modcluster_t)

corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
corenet_tcp_bind_reserved_port(ricci_modclusterd_t)

domain_read_all_domains_state(ricci_modcluster_t)

files_search_locks(ricci_modcluster_t)
files_read_etc_runtime_files(ricci_modcluster_t)
files_read_etc_files(ricci_modcluster_t)
files_search_usr(ricci_modcluster_t)

init_exec(ricci_modcluster_t)
init_domtrans_script(ricci_modcluster_t)

logging_send_syslog_msg(ricci_modcluster_t)

miscfiles_read_localization(ricci_modcluster_t)

modutils_domtrans_insmod(ricci_modcluster_t)

mount_domtrans(ricci_modcluster_t)

consoletype_exec(ricci_modcluster_t)

ricci_stream_connect_modclusterd(ricci_modcluster_t)

optional_policy(`
	aisexec_stream_connect(ricci_modcluster_t)
	corosync_stream_connect(ricci_modcluster_t)
')

optional_policy(`
	ccs_stream_connect(ricci_modcluster_t)
	ccs_domtrans(ricci_modcluster_t)
	ccs_manage_config(ricci_modcluster_t)
')

optional_policy(`
	lvm_domtrans(ricci_modcluster_t)
')

optional_policy(`
	nscd_socket_use(ricci_modcluster_t)
')

optional_policy(`
	oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
')

optional_policy(`
	rgmanager_stream_connect(ricci_modclusterd_t)
')

optional_policy(`
	# XXX This has got to go.
	unconfined_domain(ricci_modcluster_t)
')

########################################
#
# ricci_modclusterd local policy
#

allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
allow ricci_modclusterd_t self:process { signal sigkill setsched };
allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
# cjp: this needs to be fixed for a specific socket type:
allow ricci_modclusterd_t self:socket create_socket_perms;

allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;

allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })

manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(ricci_modclusterd_t)
kernel_read_system_state(ricci_modclusterd_t)

corecmd_exec_bin(ricci_modclusterd_t)

corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t)
corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t)
corenet_tcp_bind_generic_node(ricci_modclusterd_t)
corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)

domain_read_all_domains_state(ricci_modclusterd_t)

files_read_etc_files(ricci_modclusterd_t)
files_read_etc_runtime_files(ricci_modclusterd_t)

fs_getattr_xattr_fs(ricci_modclusterd_t)

auth_use_nsswitch(ricci_modclusterd_t)

init_stream_connect_script(ricci_modclusterd_t)

locallogin_dontaudit_use_fds(ricci_modclusterd_t)

logging_send_syslog_msg(ricci_modclusterd_t)

miscfiles_read_localization(ricci_modclusterd_t)

sysnet_domtrans_ifconfig(ricci_modclusterd_t)

optional_policy(`
	aisexec_stream_connect(ricci_modclusterd_t)
	corosync_stream_connect(ricci_modclusterd_t)
')

optional_policy(`
	ccs_domtrans(ricci_modclusterd_t)
	ccs_stream_connect(ricci_modclusterd_t)
	ccs_read_config(ricci_modclusterd_t)
')

optional_policy(`
	rgmanager_stream_connect(ricci_modclusterd_t)
')

optional_policy(`
	unconfined_use_fds(ricci_modclusterd_t)
')

########################################
#
# ricci_modlog local policy
#

allow ricci_modlog_t self:capability sys_nice;
allow ricci_modlog_t self:process setsched;

kernel_read_kernel_sysctls(ricci_modlog_t)
kernel_read_system_state(ricci_modlog_t)

corecmd_exec_bin(ricci_modlog_t)

domain_read_all_domains_state(ricci_modlog_t)

files_read_etc_files(ricci_modlog_t)
files_search_usr(ricci_modlog_t)

logging_read_generic_logs(ricci_modlog_t)

miscfiles_read_localization(ricci_modlog_t)

optional_policy(`
	nscd_dontaudit_search_pid(ricci_modlog_t)
')

optional_policy(`
	oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
')

########################################
#
# ricci_modrpm local policy
#

allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;

kernel_read_kernel_sysctls(ricci_modrpm_t)

corecmd_exec_bin(ricci_modrpm_t)

files_search_usr(ricci_modrpm_t)
files_read_etc_files(ricci_modrpm_t)

miscfiles_read_localization(ricci_modrpm_t)

optional_policy(`
	oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
')

optional_policy(`
	rpm_domtrans(ricci_modrpm_t)
')

########################################
#
# ricci_modservice local policy
#

allow ricci_modservice_t self:capability { dac_override sys_nice };
allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
allow ricci_modservice_t self:process setsched;

kernel_read_kernel_sysctls(ricci_modservice_t)
kernel_read_system_state(ricci_modservice_t)

corecmd_exec_bin(ricci_modservice_t)
corecmd_exec_shell(ricci_modservice_t)

files_read_etc_files(ricci_modservice_t)
files_read_etc_runtime_files(ricci_modservice_t)
files_search_usr(ricci_modservice_t)
# Needed for running chkconfig
files_manage_etc_symlinks(ricci_modservice_t)

consoletype_exec(ricci_modservice_t)

init_domtrans_script(ricci_modservice_t)

miscfiles_read_localization(ricci_modservice_t)

optional_policy(`
	ccs_read_config(ricci_modservice_t)
')

optional_policy(`
	nscd_dontaudit_search_pid(ricci_modservice_t)
')

optional_policy(`
	oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
')

########################################
#
# ricci_modstorage local policy
#

allow ricci_modstorage_t self:process { setsched signal };
dontaudit ricci_modstorage_t self:process ptrace;
allow ricci_modstorage_t self:capability { mknod sys_nice };
allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;

kernel_read_kernel_sysctls(ricci_modstorage_t)
kernel_read_system_state(ricci_modstorage_t)

create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)

corecmd_exec_shell(ricci_modstorage_t)
corecmd_exec_bin(ricci_modstorage_t)

dev_read_sysfs(ricci_modstorage_t)
dev_read_urand(ricci_modstorage_t)
dev_manage_generic_blk_files(ricci_modstorage_t)

domain_read_all_domains_state(ricci_modstorage_t)

#Needed for editing /etc/fstab
files_manage_etc_files(ricci_modstorage_t)
files_read_etc_runtime_files(ricci_modstorage_t)
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)

storage_raw_read_fixed_disk(ricci_modstorage_t)

term_dontaudit_use_console(ricci_modstorage_t)

fstools_domtrans(ricci_modstorage_t)

logging_send_syslog_msg(ricci_modstorage_t)

miscfiles_read_localization(ricci_modstorage_t)

modutils_read_module_deps(ricci_modstorage_t)

consoletype_exec(ricci_modstorage_t)

mount_domtrans(ricci_modstorage_t)

optional_policy(`
	aisexec_stream_connect(ricci_modstorage_t)
	corosync_stream_connect(ricci_modstorage_t)
')

optional_policy(`
	ccs_stream_connect(ricci_modstorage_t)
	ccs_read_config(ricci_modstorage_t)
')

optional_policy(`
	lvm_domtrans(ricci_modstorage_t)
	lvm_manage_config(ricci_modstorage_t)
')

optional_policy(`
	nscd_socket_use(ricci_modstorage_t)
')

optional_policy(`
	oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
')

optional_policy(`
	raid_domtrans_mdadm(ricci_modstorage_t)
')
Commit	Line	Data
fa45da0e	1
29af4c13	2	policy_module(ricci, 1.7.0)
fa45da0e CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type ricci_t;
	10	type ricci_exec_t;
	11	domain_type(ricci_t)
	12	init_daemon_domain(ricci_t, ricci_exec_t)
	13
fa45da0e CP	14	type ricci_tmp_t;
	15	files_tmp_file(ricci_tmp_t)
	16
fa45da0e CP	17	type ricci_var_lib_t;
	18	files_type(ricci_var_lib_t)
	19
fa45da0e CP	20	type ricci_var_log_t;
	21	logging_log_file(ricci_var_log_t)
	22
fa45da0e CP	23	type ricci_var_run_t;
	24	files_pid_file(ricci_var_run_t)
	25
	26	type ricci_modcluster_t;
	27	type ricci_modcluster_exec_t;
	28	domain_type(ricci_modcluster_t)
	29	domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
	30	role system_r types ricci_modcluster_t;
	31
fa45da0e CP	32	type ricci_modcluster_var_lib_t;
	33	files_type(ricci_modcluster_var_lib_t)
	34
fa45da0e CP	35	type ricci_modcluster_var_log_t;
	36	logging_log_file(ricci_modcluster_var_log_t)
	37
fa45da0e CP	38	type ricci_modcluster_var_run_t;
	39	files_pid_file(ricci_modcluster_var_run_t)
	40
	41	type ricci_modclusterd_t;
	42	type ricci_modclusterd_exec_t;
	43	domain_type(ricci_modclusterd_t)
	44	init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
	45
	46	type ricci_modlog_t;
	47	type ricci_modlog_exec_t;
	48	domain_type(ricci_modlog_t)
	49	domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
	50	role system_r types ricci_modlog_t;
	51
	52	type ricci_modrpm_t;
	53	type ricci_modrpm_exec_t;
	54	domain_type(ricci_modrpm_t)
	55	domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
	56	role system_r types ricci_modrpm_t;
	57
	58	type ricci_modservice_t;
	59	type ricci_modservice_exec_t;
	60	domain_type(ricci_modservice_t)
	61	domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
	62	role system_r types ricci_modservice_t;
	63
	64	type ricci_modstorage_t;
	65	type ricci_modstorage_exec_t;
	66	domain_type(ricci_modstorage_t)
	67	domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
	68	role system_r types ricci_modstorage_t;
	69
6b19be33 CP	70	type ricci_modstorage_lock_t;
	71	files_lock_file(ricci_modstorage_lock_t)
	72
fa45da0e CP	73	########################################
	74	#
	75	# ricci local policy
	76	#
	77
	78	allow ricci_t self:capability { setuid sys_nice sys_boot };
	79	allow ricci_t self:process setsched;
0b36a214	80	allow ricci_t self:fifo_file rw_fifo_file_perms;
fa45da0e CP	81	allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto };
	82	allow ricci_t self:tcp_socket create_stream_socket_perms;
	83
0bfccda4 CP	84	domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t)
	85	domain_auto_trans(ricci_t, ricci_modlog_exec_t, ricci_modlog_t)
	86	domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
	87	domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
	88	domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)
fa45da0e	89
0bfccda4 CP	90	manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
0bfccda4 CP	91	manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
fa45da0e CP	92	files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
fa45da0e CP	93
0bfccda4 CP	94	manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
	95	manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
	96	manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
	97	files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
fa45da0e	98
c0868a7a	99	allow ricci_t ricci_var_log_t:dir setattr;
0bfccda4 CP	100	manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
	101	manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
	102	logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
fa45da0e	103
0bfccda4 CP	104	manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
	105	manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
	106	files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
fa45da0e CP	107
	108	kernel_read_kernel_sysctls(ricci_t)
	109
	110	corecmd_exec_bin(ricci_t)
fa45da0e	111
19006686 CP	112	corenet_all_recvfrom_unlabeled(ricci_t)
19006686 CP	113	corenet_all_recvfrom_netlabel(ricci_t)
668b3093	114	corenet_tcp_sendrecv_generic_if(ricci_t)
c1262146	115	corenet_tcp_sendrecv_generic_node(ricci_t)
fa45da0e	116	corenet_tcp_sendrecv_all_ports(ricci_t)
c1262146 CP	117	corenet_tcp_bind_generic_node(ricci_t)
c1262146 CP	118	corenet_udp_bind_generic_node(ricci_t)
fa45da0e CP	119	corenet_tcp_bind_ricci_port(ricci_t)
	120	corenet_udp_bind_ricci_port(ricci_t)
	121	corenet_tcp_connect_http_port(ricci_t)
	122
	123	dev_read_urand(ricci_t)
	124
1847443e CP	125	domain_read_all_domains_state(ricci_t)
1847443e CP	126
fa45da0e CP	127	files_read_etc_files(ricci_t)
	128	files_read_etc_runtime_files(ricci_t)
	129	files_create_boot_flag(ricci_t)
	130
	131	auth_domtrans_chk_passwd(ricci_t)
	132	auth_append_login_records(ricci_t)
	133
1847443e	134	init_stream_connect_script(ricci_t)
fa45da0e	135
fa45da0e CP	136	locallogin_dontaudit_use_fds(ricci_t)
	137
	138	logging_send_syslog_msg(ricci_t)
	139
	140	miscfiles_read_localization(ricci_t)
	141
	142	sysnet_dns_name_resolve(ricci_t)
	143
fa45da0e CP	144	optional_policy(`
	145	ccs_read_config(ricci_t)
	146	')
	147
	148	optional_policy(`
296273a7	149	dbus_system_bus_client(ricci_t)
bd973e3e	150
fa45da0e CP	151	oddjob_dbus_chat(ricci_t)
	152	')
	153
	154	optional_policy(`
	155	# Needed so oddjob can run halt/reboot on behalf of ricci
8021cb4f	156	corecmd_bin_entry_type(ricci_t)
fa45da0e CP	157	term_dontaudit_search_ptys(ricci_t)
	158	init_exec(ricci_t)
	159	init_telinit(ricci_t)
	160	init_rw_utmp(ricci_t)
	161
	162	oddjob_system_entry(ricci_t, ricci_exec_t)
	163	')
	164
	165	optional_policy(`
	166	rpm_use_script_fds(ricci_t)
	167	')
	168
	169	optional_policy(`
	170	sasl_connect(ricci_t)
	171	')
	172
	173	optional_policy(`
	174	unconfined_use_fds(ricci_t)
	175	')
	176
	177	optional_policy(`
	178	xen_domtrans_xm(ricci_t)
	179	')
	180
	181	########################################
	182	#
	183	# ricci_modcluster local policy
	184	#
	185
538cf9ab	186	allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
fa45da0e	187	allow ricci_modcluster_t self:process setsched;
c0868a7a	188	allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
fa45da0e CP	189
	190	kernel_read_kernel_sysctls(ricci_modcluster_t)
	191	kernel_read_system_state(ricci_modcluster_t)
	192
	193	corecmd_exec_shell(ricci_modcluster_t)
fa45da0e CP	194	corecmd_exec_bin(ricci_modcluster_t)
fa45da0e CP	195
538cf9ab JS	196	corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
	197	corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
	198
1847443e	199	domain_read_all_domains_state(ricci_modcluster_t)
fa45da0e CP	200
	201	files_search_locks(ricci_modcluster_t)
	202	files_read_etc_runtime_files(ricci_modcluster_t)
	203	files_read_etc_files(ricci_modcluster_t)
	204	files_search_usr(ricci_modcluster_t)
	205
	206	init_exec(ricci_modcluster_t)
	207	init_domtrans_script(ricci_modcluster_t)
	208
fa45da0e CP	209	logging_send_syslog_msg(ricci_modcluster_t)
	210
	211	miscfiles_read_localization(ricci_modcluster_t)
	212
	213	modutils_domtrans_insmod(ricci_modcluster_t)
	214
	215	mount_domtrans(ricci_modcluster_t)
	216
538cf9ab JS	217	consoletype_exec(ricci_modcluster_t)
538cf9ab JS	218
fa45da0e CP	219	ricci_stream_connect_modclusterd(ricci_modcluster_t)
fa45da0e CP	220
538cf9ab JS	221	optional_policy(`
	222	aisexec_stream_connect(ricci_modcluster_t)
	223	corosync_stream_connect(ricci_modcluster_t)
	224	')
	225
fa45da0e CP	226	optional_policy(`
	227	ccs_stream_connect(ricci_modcluster_t)
	228	ccs_domtrans(ricci_modcluster_t)
	229	ccs_manage_config(ricci_modcluster_t)
	230	')
	231
fa45da0e CP	232	optional_policy(`
	233	lvm_domtrans(ricci_modcluster_t)
	234	')
	235
	236	optional_policy(`
	237	nscd_socket_use(ricci_modcluster_t)
	238	')
	239
	240	optional_policy(`
	241	oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
	242	')
	243
538cf9ab JS	244	optional_policy(`
	245	rgmanager_stream_connect(ricci_modclusterd_t)
	246	')
	247
350b6ab7 CP	248	optional_policy(`
	249	# XXX This has got to go.
	250	unconfined_domain(ricci_modcluster_t)
	251	')
fa45da0e CP	252
	253	########################################
	254	#
	255	# ricci_modclusterd local policy
	256	#
	257
226c0696	258	allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
fa45da0e	259	allow ricci_modclusterd_t self:process { signal sigkill setsched };
c0868a7a	260	allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
fa45da0e CP	261	allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
fa45da0e CP	262	allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
fa45da0e CP	263	# cjp: this needs to be fixed for a specific socket type:
	264	allow ricci_modclusterd_t self:socket create_socket_perms;
	265
	266	allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
538cf9ab	267	allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
fa45da0e	268
c0868a7a	269	allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
0bfccda4 CP	270	manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
	271	manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
	272	logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })
fa45da0e	273
0bfccda4 CP	274	manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
	275	manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
	276	files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file })
fa45da0e CP	277
	278	kernel_read_kernel_sysctls(ricci_modclusterd_t)
	279	kernel_read_system_state(ricci_modclusterd_t)
	280
	281	corecmd_exec_bin(ricci_modclusterd_t)
fa45da0e	282
668b3093	283	corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t)
fa45da0e	284	corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t)
c1262146	285	corenet_tcp_bind_generic_node(ricci_modclusterd_t)
fa45da0e CP	286	corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
	287	corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
	288
1847443e	289	domain_read_all_domains_state(ricci_modclusterd_t)
fa45da0e CP	290
	291	files_read_etc_files(ricci_modclusterd_t)
	292	files_read_etc_runtime_files(ricci_modclusterd_t)
	293
	294	fs_getattr_xattr_fs(ricci_modclusterd_t)
	295
538cf9ab JS	296	auth_use_nsswitch(ricci_modclusterd_t)
538cf9ab JS	297
1847443e	298	init_stream_connect_script(ricci_modclusterd_t)
fa45da0e	299
fa45da0e CP	300	locallogin_dontaudit_use_fds(ricci_modclusterd_t)
	301
	302	logging_send_syslog_msg(ricci_modclusterd_t)
	303
	304	miscfiles_read_localization(ricci_modclusterd_t)
	305
	306	sysnet_domtrans_ifconfig(ricci_modclusterd_t)
538cf9ab JS	307
	308	optional_policy(`
	309	aisexec_stream_connect(ricci_modclusterd_t)
	310	corosync_stream_connect(ricci_modclusterd_t)
	311	')
fa45da0e	312
fa45da0e CP	313	optional_policy(`
	314	ccs_domtrans(ricci_modclusterd_t)
	315	ccs_stream_connect(ricci_modclusterd_t)
	316	ccs_read_config(ricci_modclusterd_t)
	317	')
	318
538cf9ab JS	319	optional_policy(`
	320	rgmanager_stream_connect(ricci_modclusterd_t)
	321	')
	322
fa45da0e CP	323	optional_policy(`
	324	unconfined_use_fds(ricci_modclusterd_t)
	325	')
	326
	327	########################################
	328	#
	329	# ricci_modlog local policy
	330	#
	331
	332	allow ricci_modlog_t self:capability sys_nice;
	333	allow ricci_modlog_t self:process setsched;
	334
	335	kernel_read_kernel_sysctls(ricci_modlog_t)
	336	kernel_read_system_state(ricci_modlog_t)
	337
	338	corecmd_exec_bin(ricci_modlog_t)
fa45da0e	339
1847443e	340	domain_read_all_domains_state(ricci_modlog_t)
fa45da0e CP	341
	342	files_read_etc_files(ricci_modlog_t)
	343	files_search_usr(ricci_modlog_t)
	344
fa45da0e CP	345	logging_read_generic_logs(ricci_modlog_t)
	346
	347	miscfiles_read_localization(ricci_modlog_t)
	348
fa45da0e CP	349	optional_policy(`
	350	nscd_dontaudit_search_pid(ricci_modlog_t)
	351	')
	352
	353	optional_policy(`
	354	oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
	355	')
	356
	357	########################################
	358	#
	359	# ricci_modrpm local policy
	360	#
	361
0b36a214	362	allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;
fa45da0e	363
6b19be33 CP	364	kernel_read_kernel_sysctls(ricci_modrpm_t)
6b19be33 CP	365
fa45da0e CP	366	corecmd_exec_bin(ricci_modrpm_t)
fa45da0e CP	367
fa45da0e CP	368	files_search_usr(ricci_modrpm_t)
	369	files_read_etc_files(ricci_modrpm_t)
	370
	371	miscfiles_read_localization(ricci_modrpm_t)
	372
	373	optional_policy(`
	374	oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
	375	')
	376
	377	optional_policy(`
	378	rpm_domtrans(ricci_modrpm_t)
	379	')
	380
	381	########################################
	382	#
	383	# ricci_modservice local policy
	384	#
	385
	386	allow ricci_modservice_t self:capability { dac_override sys_nice };
0b36a214	387	allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
fa45da0e CP	388	allow ricci_modservice_t self:process setsched;
	389
	390	kernel_read_kernel_sysctls(ricci_modservice_t)
	391	kernel_read_system_state(ricci_modservice_t)
	392
fa45da0e CP	393	corecmd_exec_bin(ricci_modservice_t)
	394	corecmd_exec_shell(ricci_modservice_t)
	395
	396	files_read_etc_files(ricci_modservice_t)
	397	files_read_etc_runtime_files(ricci_modservice_t)
	398	files_search_usr(ricci_modservice_t)
6b19be33 CP	399	# Needed for running chkconfig
6b19be33 CP	400	files_manage_etc_symlinks(ricci_modservice_t)
fa45da0e CP	401
	402	consoletype_exec(ricci_modservice_t)
	403
	404	init_domtrans_script(ricci_modservice_t)
	405
fa45da0e CP	406	miscfiles_read_localization(ricci_modservice_t)
	407
	408	optional_policy(`
	409	ccs_read_config(ricci_modservice_t)
	410	')
	411
	412	optional_policy(`
	413	nscd_dontaudit_search_pid(ricci_modservice_t)
	414	')
	415
	416	optional_policy(`
	417	oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
	418	')
	419
	420	########################################
	421	#
	422	# ricci_modstorage local policy
	423	#
	424
	425	allow ricci_modstorage_t self:process { setsched signal };
19fd9301	426	dontaudit ricci_modstorage_t self:process ptrace;
fa45da0e	427	allow ricci_modstorage_t self:capability { mknod sys_nice };
c0868a7a	428	allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
fa45da0e CP	429	allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
	430
	431	kernel_read_kernel_sysctls(ricci_modstorage_t)
	432	kernel_read_system_state(ricci_modstorage_t)
	433
0bfccda4 CP	434	create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
0bfccda4 CP	435	files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
6b19be33	436
8a948caf	437	corecmd_exec_shell(ricci_modstorage_t)
fa45da0e	438	corecmd_exec_bin(ricci_modstorage_t)
fa45da0e CP	439
	440	dev_read_sysfs(ricci_modstorage_t)
	441	dev_read_urand(ricci_modstorage_t)
	442	dev_manage_generic_blk_files(ricci_modstorage_t)
	443
1847443e	444	domain_read_all_domains_state(ricci_modstorage_t)
6b19be33	445
fa45da0e CP	446	#Needed for editing /etc/fstab
	447	files_manage_etc_files(ricci_modstorage_t)
	448	files_read_etc_runtime_files(ricci_modstorage_t)
	449	files_read_usr_files(ricci_modstorage_t)
6b19be33	450	files_read_kernel_modules(ricci_modstorage_t)
fa45da0e CP	451
	452	storage_raw_read_fixed_disk(ricci_modstorage_t)
	453
	454	term_dontaudit_use_console(ricci_modstorage_t)
	455
	456	fstools_domtrans(ricci_modstorage_t)
	457
fa45da0e CP	458	logging_send_syslog_msg(ricci_modstorage_t)
fa45da0e CP	459
fa45da0e CP	460	miscfiles_read_localization(ricci_modstorage_t)
	461
	462	modutils_read_module_deps(ricci_modstorage_t)
	463
1847443e CP	464	consoletype_exec(ricci_modstorage_t)
	465
	466	mount_domtrans(ricci_modstorage_t)
	467
538cf9ab JS	468	optional_policy(`
	469	aisexec_stream_connect(ricci_modstorage_t)
	470	corosync_stream_connect(ricci_modstorage_t)
	471	')
	472
fa45da0e	473	optional_policy(`
c5561c77	474	ccs_stream_connect(ricci_modstorage_t)
fa45da0e CP	475	ccs_read_config(ricci_modstorage_t)
	476	')
	477
19fd9301 CP	478	optional_policy(`
19fd9301 CP	479	lvm_domtrans(ricci_modstorage_t)
226c0696	480	lvm_manage_config(ricci_modstorage_t)
19fd9301 CP	481	')
19fd9301 CP	482
fa45da0e	483	optional_policy(`
c5561c77	484	nscd_socket_use(ricci_modstorage_t)
fa45da0e CP	485	')
	486
	487	optional_policy(`
	488	oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
	489	')
	490
	491	optional_policy(`
	492	raid_domtrans_mdadm(ricci_modstorage_t)
	493	')