[people/stevee/selinux-policy.git] / policy / modules / services / ricci.te

policy_module(ricci, 1.7.0)

########################################
#
# Declarations
#

type ricci_t;
type ricci_exec_t;
init_daemon_domain(ricci_t, ricci_exec_t)

type ricci_initrc_exec_t;
init_script_file(ricci_initrc_exec_t)

type ricci_tmp_t;
files_tmp_file(ricci_tmp_t)

type ricci_var_lib_t;
files_type(ricci_var_lib_t)

type ricci_var_log_t;
logging_log_file(ricci_var_log_t)

type ricci_var_run_t;
files_pid_file(ricci_var_run_t)

type ricci_modcluster_t;
type ricci_modcluster_exec_t;
domain_type(ricci_modcluster_t)
domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
role system_r types ricci_modcluster_t;

type ricci_modcluster_var_lib_t;
files_type(ricci_modcluster_var_lib_t)

type ricci_modcluster_var_log_t;
logging_log_file(ricci_modcluster_var_log_t)

type ricci_modcluster_var_run_t;
files_pid_file(ricci_modcluster_var_run_t)

type ricci_modclusterd_t;
type ricci_modclusterd_exec_t;
init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)

type ricci_modclusterd_tmpfs_t;
files_tmpfs_file(ricci_modclusterd_tmpfs_t)

type ricci_modlog_t;
type ricci_modlog_exec_t;
domain_type(ricci_modlog_t)
domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
role system_r types ricci_modlog_t;

type ricci_modrpm_t;
type ricci_modrpm_exec_t;
domain_type(ricci_modrpm_t)
domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
role system_r types ricci_modrpm_t;

type ricci_modservice_t;
type ricci_modservice_exec_t;
domain_type(ricci_modservice_t)
domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
role system_r types ricci_modservice_t;

type ricci_modstorage_t;
type ricci_modstorage_exec_t;
domain_type(ricci_modstorage_t)
domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
role system_r types ricci_modstorage_t;

type ricci_modstorage_lock_t;
files_lock_file(ricci_modstorage_lock_t)

########################################
#
# ricci local policy
#

allow ricci_t self:capability { setuid sys_nice sys_boot };
allow ricci_t self:process setsched;
allow ricci_t self:fifo_file rw_fifo_file_perms;
allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ricci_t self:tcp_socket create_stream_socket_perms;

domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t)
domain_auto_trans(ricci_t, ricci_modlog_exec_t, ricci_modlog_t)
domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)

manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })

manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })

allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })

manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(ricci_t)
kernel_read_system_state(ricci_t)

corecmd_exec_bin(ricci_t)

corenet_all_recvfrom_unlabeled(ricci_t)
corenet_all_recvfrom_netlabel(ricci_t)
corenet_tcp_sendrecv_generic_if(ricci_t)
corenet_tcp_sendrecv_generic_node(ricci_t)
corenet_tcp_sendrecv_all_ports(ricci_t)
corenet_tcp_bind_generic_node(ricci_t)
corenet_udp_bind_generic_node(ricci_t)
corenet_tcp_bind_ricci_port(ricci_t)
corenet_udp_bind_ricci_port(ricci_t)
corenet_tcp_connect_http_port(ricci_t)

dev_read_urand(ricci_t)

domain_read_all_domains_state(ricci_t)

files_read_etc_files(ricci_t)
files_read_etc_runtime_files(ricci_t)
files_create_boot_flag(ricci_t)

auth_domtrans_chk_passwd(ricci_t)
auth_append_login_records(ricci_t)

init_stream_connect_script(ricci_t)

locallogin_dontaudit_use_fds(ricci_t)

logging_send_syslog_msg(ricci_t)

miscfiles_read_localization(ricci_t)

sysnet_dns_name_resolve(ricci_t)

optional_policy(`
	ccs_read_config(ricci_t)
')

optional_policy(`
	dbus_system_bus_client(ricci_t)

	oddjob_dbus_chat(ricci_t)
')

optional_policy(`
	# Needed so oddjob can run halt/reboot on behalf of ricci
	corecmd_bin_entry_type(ricci_t)
	term_dontaudit_search_ptys(ricci_t)
	init_exec(ricci_t)
	init_telinit(ricci_t)
	init_rw_utmp(ricci_t)

	oddjob_system_entry(ricci_t, ricci_exec_t)
')

optional_policy(`
	rpm_use_script_fds(ricci_t)
')

optional_policy(`
	sasl_connect(ricci_t)
')

optional_policy(`
	shutdown_domtrans(ricci_t)
')

optional_policy(`
	unconfined_use_fds(ricci_t)
')

optional_policy(`
	xen_domtrans_xm(ricci_t)
')

########################################
#
# ricci_modcluster local policy
#

allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
allow ricci_modcluster_t self:process setsched;
allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;

kernel_read_kernel_sysctls(ricci_modcluster_t)
kernel_read_system_state(ricci_modcluster_t)

corecmd_exec_shell(ricci_modcluster_t)
corecmd_exec_bin(ricci_modcluster_t)

corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)
corenet_tcp_connect_cluster_port(ricci_modclusterd_t)

domain_read_all_domains_state(ricci_modcluster_t)

files_search_locks(ricci_modcluster_t)
files_read_etc_runtime_files(ricci_modcluster_t)
files_read_etc_files(ricci_modcluster_t)
files_search_usr(ricci_modcluster_t)

auth_use_nsswitch(ricci_modcluster_t)

init_exec(ricci_modcluster_t)
init_domtrans_script(ricci_modcluster_t)

logging_send_syslog_msg(ricci_modcluster_t)

miscfiles_read_localization(ricci_modcluster_t)

optional_policy(`
	ricci_stream_connect_modclusterd(ricci_modcluster_t)
')

optional_policy(`
	aisexec_stream_connect(ricci_modcluster_t)
	corosync_stream_connect(ricci_modcluster_t)
')

optional_policy(`
	ccs_stream_connect(ricci_modcluster_t)
	ccs_domtrans(ricci_modcluster_t)
	ccs_manage_config(ricci_modcluster_t)
')

optional_policy(`
	lvm_domtrans(ricci_modcluster_t)
')

optional_policy(`
	modutils_domtrans_insmod(ricci_modcluster_t)
')

optional_policy(`
	mount_domtrans(ricci_modcluster_t)
')

optional_policy(`
	consoletype_exec(ricci_modcluster_t)
')

optional_policy(`
	oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
')

optional_policy(`
	rgmanager_stream_connect(ricci_modclusterd_t)
')

########################################
#
# ricci_modclusterd local policy
#

allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
allow ricci_modclusterd_t self:process { signal sigkill setsched };
allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
# cjp: this needs to be fixed for a specific socket type:
allow ricci_modclusterd_t self:socket create_socket_perms;

allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;

manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })

allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })

manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(ricci_modclusterd_t)
kernel_read_system_state(ricci_modclusterd_t)
kernel_request_load_module(ricci_modclusterd_t)

corecmd_exec_bin(ricci_modclusterd_t)

corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t)
corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t)
corenet_tcp_bind_generic_node(ricci_modclusterd_t)
corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)

domain_read_all_domains_state(ricci_modclusterd_t)

files_read_etc_files(ricci_modclusterd_t)
files_read_etc_runtime_files(ricci_modclusterd_t)

fs_getattr_xattr_fs(ricci_modclusterd_t)

auth_use_nsswitch(ricci_modclusterd_t)

init_stream_connect_script(ricci_modclusterd_t)

locallogin_dontaudit_use_fds(ricci_modclusterd_t)

logging_send_syslog_msg(ricci_modclusterd_t)

miscfiles_read_localization(ricci_modclusterd_t)

sysnet_domtrans_ifconfig(ricci_modclusterd_t)

optional_policy(`
	aisexec_stream_connect(ricci_modclusterd_t)
	corosync_stream_connect(ricci_modclusterd_t)
')

optional_policy(`
	ccs_domtrans(ricci_modclusterd_t)
	ccs_stream_connect(ricci_modclusterd_t)
	ccs_read_config(ricci_modclusterd_t)
')

optional_policy(`
	rgmanager_stream_connect(ricci_modclusterd_t)
')

optional_policy(`
	unconfined_use_fds(ricci_modclusterd_t)
')

########################################
#
# ricci_modlog local policy
#

allow ricci_modlog_t self:capability sys_nice;
allow ricci_modlog_t self:process setsched;

kernel_read_kernel_sysctls(ricci_modlog_t)
kernel_read_system_state(ricci_modlog_t)

corecmd_exec_bin(ricci_modlog_t)

domain_read_all_domains_state(ricci_modlog_t)

files_read_etc_files(ricci_modlog_t)
files_search_usr(ricci_modlog_t)

logging_read_generic_logs(ricci_modlog_t)

miscfiles_read_localization(ricci_modlog_t)

optional_policy(`
	nscd_dontaudit_search_pid(ricci_modlog_t)
')

optional_policy(`
	oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
')

########################################
#
# ricci_modrpm local policy
#

allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;

kernel_read_kernel_sysctls(ricci_modrpm_t)

corecmd_exec_bin(ricci_modrpm_t)

files_search_usr(ricci_modrpm_t)
files_read_etc_files(ricci_modrpm_t)

logging_send_syslog_msg(ricci_modrpm_t)

miscfiles_read_localization(ricci_modrpm_t)

optional_policy(`
	oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
')

optional_policy(`
	rpm_domtrans(ricci_modrpm_t)
')

########################################
#
# ricci_modservice local policy
#

allow ricci_modservice_t self:capability { dac_override sys_nice };
allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
allow ricci_modservice_t self:process setsched;

kernel_read_kernel_sysctls(ricci_modservice_t)
kernel_read_system_state(ricci_modservice_t)

corecmd_exec_bin(ricci_modservice_t)
corecmd_exec_shell(ricci_modservice_t)

files_read_etc_files(ricci_modservice_t)
files_read_etc_runtime_files(ricci_modservice_t)
files_search_usr(ricci_modservice_t)
# Needed for running chkconfig
files_manage_etc_symlinks(ricci_modservice_t)

init_domtrans_script(ricci_modservice_t)

logging_send_syslog_msg(ricci_modservice_t)

miscfiles_read_localization(ricci_modservice_t)

optional_policy(`
	ccs_read_config(ricci_modservice_t)
')

optional_policy(`
	consoletype_exec(ricci_modservice_t)
')

optional_policy(`
	nscd_dontaudit_search_pid(ricci_modservice_t)
')

optional_policy(`
	oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
')

########################################
#
# ricci_modstorage local policy
#

allow ricci_modstorage_t self:process { setsched signal };
dontaudit ricci_modstorage_t self:process ptrace;
allow ricci_modstorage_t self:capability { mknod sys_nice };
allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;

kernel_read_kernel_sysctls(ricci_modstorage_t)
kernel_read_system_state(ricci_modstorage_t)

create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)

corecmd_exec_shell(ricci_modstorage_t)
corecmd_exec_bin(ricci_modstorage_t)

dev_read_sysfs(ricci_modstorage_t)
dev_read_urand(ricci_modstorage_t)
dev_manage_generic_blk_files(ricci_modstorage_t)

domain_read_all_domains_state(ricci_modstorage_t)

#Needed for editing /etc/fstab
files_manage_etc_files(ricci_modstorage_t)
files_read_etc_runtime_files(ricci_modstorage_t)
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)

files_create_default_dir(ricci_modstorage_t)
files_root_filetrans_default(ricci_modstorage_t, dir)
files_mounton_default(ricci_modstorage_t)
files_manage_default_dirs(ricci_modstorage_t)
files_manage_default_files(ricci_modstorage_t)

storage_raw_read_fixed_disk(ricci_modstorage_t)

term_dontaudit_use_console(ricci_modstorage_t)

auth_use_nsswitch(ricci_modstorage_t)

logging_send_syslog_msg(ricci_modstorage_t)

miscfiles_read_localization(ricci_modstorage_t)

optional_policy(`
	aisexec_stream_connect(ricci_modstorage_t)
	corosync_stream_connect(ricci_modstorage_t)
')

optional_policy(`
	ccs_stream_connect(ricci_modstorage_t)
	ccs_read_config(ricci_modstorage_t)
')

optional_policy(`
	consoletype_exec(ricci_modstorage_t)
')

optional_policy(`
	fstools_domtrans(ricci_modstorage_t)
')

optional_policy(`
	lvm_domtrans(ricci_modstorage_t)
	lvm_manage_config(ricci_modstorage_t)
')

optional_policy(`
	modutils_read_module_deps(ricci_modstorage_t)
')

optional_policy(`
	mount_domtrans(ricci_modstorage_t)
')

optional_policy(`
	oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
')

optional_policy(`
	raid_domtrans_mdadm(ricci_modstorage_t)
')
Commit	Line	Data
29af4c13	1	policy_module(ricci, 1.7.0)
fa45da0e CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type ricci_t;
	9	type ricci_exec_t;
fa45da0e CP	10	init_daemon_domain(ricci_t, ricci_exec_t)
fa45da0e CP	11
3eaa9939 DW	12	type ricci_initrc_exec_t;
	13	init_script_file(ricci_initrc_exec_t)
	14
fa45da0e CP	15	type ricci_tmp_t;
	16	files_tmp_file(ricci_tmp_t)
	17
fa45da0e CP	18	type ricci_var_lib_t;
	19	files_type(ricci_var_lib_t)
	20
fa45da0e CP	21	type ricci_var_log_t;
	22	logging_log_file(ricci_var_log_t)
	23
fa45da0e CP	24	type ricci_var_run_t;
	25	files_pid_file(ricci_var_run_t)
	26
	27	type ricci_modcluster_t;
	28	type ricci_modcluster_exec_t;
	29	domain_type(ricci_modcluster_t)
	30	domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
	31	role system_r types ricci_modcluster_t;
	32
fa45da0e CP	33	type ricci_modcluster_var_lib_t;
	34	files_type(ricci_modcluster_var_lib_t)
	35
fa45da0e CP	36	type ricci_modcluster_var_log_t;
	37	logging_log_file(ricci_modcluster_var_log_t)
	38
fa45da0e CP	39	type ricci_modcluster_var_run_t;
	40	files_pid_file(ricci_modcluster_var_run_t)
	41
	42	type ricci_modclusterd_t;
	43	type ricci_modclusterd_exec_t;
fa45da0e CP	44	init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
fa45da0e CP	45
3eaa9939 DW	46	type ricci_modclusterd_tmpfs_t;
	47	files_tmpfs_file(ricci_modclusterd_tmpfs_t)
	48
fa45da0e CP	49	type ricci_modlog_t;
	50	type ricci_modlog_exec_t;
	51	domain_type(ricci_modlog_t)
	52	domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
	53	role system_r types ricci_modlog_t;
	54
	55	type ricci_modrpm_t;
	56	type ricci_modrpm_exec_t;
	57	domain_type(ricci_modrpm_t)
	58	domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
	59	role system_r types ricci_modrpm_t;
	60
	61	type ricci_modservice_t;
	62	type ricci_modservice_exec_t;
	63	domain_type(ricci_modservice_t)
	64	domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
	65	role system_r types ricci_modservice_t;
	66
	67	type ricci_modstorage_t;
	68	type ricci_modstorage_exec_t;
	69	domain_type(ricci_modstorage_t)
	70	domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
	71	role system_r types ricci_modstorage_t;
	72
6b19be33 CP	73	type ricci_modstorage_lock_t;
	74	files_lock_file(ricci_modstorage_lock_t)
	75
fa45da0e CP	76	########################################
	77	#
	78	# ricci local policy
	79	#
	80
	81	allow ricci_t self:capability { setuid sys_nice sys_boot };
	82	allow ricci_t self:process setsched;
0b36a214	83	allow ricci_t self:fifo_file rw_fifo_file_perms;
fa45da0e CP	84	allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto };
	85	allow ricci_t self:tcp_socket create_stream_socket_perms;
	86
0bfccda4 CP	87	domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t)
	88	domain_auto_trans(ricci_t, ricci_modlog_exec_t, ricci_modlog_t)
	89	domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
	90	domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
	91	domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)
fa45da0e	92
0bfccda4 CP	93	manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
0bfccda4 CP	94	manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
fa45da0e CP	95	files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
fa45da0e CP	96
0bfccda4 CP	97	manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
	98	manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
	99	manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
	100	files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
fa45da0e	101
7d1f5642	102	allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
0bfccda4 CP	103	manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
	104	manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
	105	logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
fa45da0e	106
0bfccda4 CP	107	manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
	108	manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
	109	files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
fa45da0e CP	110
fa45da0e CP	111	kernel_read_kernel_sysctls(ricci_t)
3eaa9939	112	kernel_read_system_state(ricci_t)
fa45da0e CP	113
fa45da0e CP	114	corecmd_exec_bin(ricci_t)
fa45da0e	115
19006686 CP	116	corenet_all_recvfrom_unlabeled(ricci_t)
19006686 CP	117	corenet_all_recvfrom_netlabel(ricci_t)
668b3093	118	corenet_tcp_sendrecv_generic_if(ricci_t)
c1262146	119	corenet_tcp_sendrecv_generic_node(ricci_t)
fa45da0e	120	corenet_tcp_sendrecv_all_ports(ricci_t)
c1262146 CP	121	corenet_tcp_bind_generic_node(ricci_t)
c1262146 CP	122	corenet_udp_bind_generic_node(ricci_t)
fa45da0e CP	123	corenet_tcp_bind_ricci_port(ricci_t)
	124	corenet_udp_bind_ricci_port(ricci_t)
	125	corenet_tcp_connect_http_port(ricci_t)
	126
	127	dev_read_urand(ricci_t)
	128
1847443e CP	129	domain_read_all_domains_state(ricci_t)
1847443e CP	130
fa45da0e CP	131	files_read_etc_files(ricci_t)
	132	files_read_etc_runtime_files(ricci_t)
	133	files_create_boot_flag(ricci_t)
	134
	135	auth_domtrans_chk_passwd(ricci_t)
	136	auth_append_login_records(ricci_t)
	137
1847443e	138	init_stream_connect_script(ricci_t)
fa45da0e	139
fa45da0e CP	140	locallogin_dontaudit_use_fds(ricci_t)
	141
	142	logging_send_syslog_msg(ricci_t)
	143
	144	miscfiles_read_localization(ricci_t)
	145
	146	sysnet_dns_name_resolve(ricci_t)
	147
fa45da0e CP	148	optional_policy(`
	149	ccs_read_config(ricci_t)
	150	')
	151
	152	optional_policy(`
296273a7	153	dbus_system_bus_client(ricci_t)
bd973e3e	154
fa45da0e CP	155	oddjob_dbus_chat(ricci_t)
	156	')
	157
	158	optional_policy(`
	159	# Needed so oddjob can run halt/reboot on behalf of ricci
8021cb4f	160	corecmd_bin_entry_type(ricci_t)
fa45da0e CP	161	term_dontaudit_search_ptys(ricci_t)
	162	init_exec(ricci_t)
	163	init_telinit(ricci_t)
	164	init_rw_utmp(ricci_t)
	165
	166	oddjob_system_entry(ricci_t, ricci_exec_t)
	167	')
	168
	169	optional_policy(`
	170	rpm_use_script_fds(ricci_t)
	171	')
	172
	173	optional_policy(`
	174	sasl_connect(ricci_t)
	175	')
	176
3eaa9939 DW	177	optional_policy(`
	178	shutdown_domtrans(ricci_t)
	179	')
	180
fa45da0e CP	181	optional_policy(`
	182	unconfined_use_fds(ricci_t)
	183	')
	184
	185	optional_policy(`
	186	xen_domtrans_xm(ricci_t)
	187	')
	188
	189	########################################
	190	#
	191	# ricci_modcluster local policy
	192	#
	193
538cf9ab	194	allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
fa45da0e	195	allow ricci_modcluster_t self:process setsched;
c0868a7a	196	allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
fa45da0e CP	197
	198	kernel_read_kernel_sysctls(ricci_modcluster_t)
	199	kernel_read_system_state(ricci_modcluster_t)
	200
	201	corecmd_exec_shell(ricci_modcluster_t)
fa45da0e CP	202	corecmd_exec_bin(ricci_modcluster_t)
fa45da0e CP	203
538cf9ab	204	corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
67c46a35	205	corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)
80454fb2	206	corenet_tcp_connect_cluster_port(ricci_modclusterd_t)
538cf9ab	207
1847443e	208	domain_read_all_domains_state(ricci_modcluster_t)
fa45da0e CP	209
	210	files_search_locks(ricci_modcluster_t)
	211	files_read_etc_runtime_files(ricci_modcluster_t)
	212	files_read_etc_files(ricci_modcluster_t)
	213	files_search_usr(ricci_modcluster_t)
	214
9f8f5cb1 DW	215	auth_use_nsswitch(ricci_modcluster_t)
9f8f5cb1 DW	216
fa45da0e CP	217	init_exec(ricci_modcluster_t)
	218	init_domtrans_script(ricci_modcluster_t)
	219
fa45da0e CP	220	logging_send_syslog_msg(ricci_modcluster_t)
	221
	222	miscfiles_read_localization(ricci_modcluster_t)
	223
e689c53a MG	224	optional_policy(`
	225	ricci_stream_connect_modclusterd(ricci_modcluster_t)
	226	')
fa45da0e	227
538cf9ab JS	228	optional_policy(`
	229	aisexec_stream_connect(ricci_modcluster_t)
	230	corosync_stream_connect(ricci_modcluster_t)
	231	')
	232
fa45da0e CP	233	optional_policy(`
	234	ccs_stream_connect(ricci_modcluster_t)
	235	ccs_domtrans(ricci_modcluster_t)
	236	ccs_manage_config(ricci_modcluster_t)
	237	')
	238
fa45da0e CP	239	optional_policy(`
	240	lvm_domtrans(ricci_modcluster_t)
	241	')
	242
2371d8d8 MG	243	optional_policy(`
	244	modutils_domtrans_insmod(ricci_modcluster_t)
	245	')
	246
	247	optional_policy(`
	248	mount_domtrans(ricci_modcluster_t)
	249	')
	250
	251	optional_policy(`
	252	consoletype_exec(ricci_modcluster_t)
	253	')
	254
fa45da0e CP	255	optional_policy(`
	256	oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
	257	')
	258
350b6ab7	259	optional_policy(`
3eaa9939	260	rgmanager_stream_connect(ricci_modclusterd_t)
350b6ab7	261	')
fa45da0e CP	262
	263	########################################
	264	#
	265	# ricci_modclusterd local policy
	266	#
	267
226c0696	268	allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
fa45da0e	269	allow ricci_modclusterd_t self:process { signal sigkill setsched };
c0868a7a	270	allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
fa45da0e CP	271	allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
fa45da0e CP	272	allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
fa45da0e CP	273	# cjp: this needs to be fixed for a specific socket type:
	274	allow ricci_modclusterd_t self:socket create_socket_perms;
	275
	276	allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
538cf9ab	277	allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
fa45da0e	278
3eaa9939 DW	279	manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
	280	manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
	281	fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
	282
c0868a7a	283	allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
0bfccda4 CP	284	manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
	285	manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
	286	logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })
fa45da0e	287
0bfccda4 CP	288	manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
	289	manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
	290	files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file })
fa45da0e CP	291
	292	kernel_read_kernel_sysctls(ricci_modclusterd_t)
	293	kernel_read_system_state(ricci_modclusterd_t)
3eaa9939	294	kernel_request_load_module(ricci_modclusterd_t)
fa45da0e CP	295
fa45da0e CP	296	corecmd_exec_bin(ricci_modclusterd_t)
fa45da0e	297
668b3093	298	corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t)
fa45da0e	299	corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t)
c1262146	300	corenet_tcp_bind_generic_node(ricci_modclusterd_t)
fa45da0e CP	301	corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
	302	corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
	303
1847443e	304	domain_read_all_domains_state(ricci_modclusterd_t)
fa45da0e CP	305
	306	files_read_etc_files(ricci_modclusterd_t)
	307	files_read_etc_runtime_files(ricci_modclusterd_t)
	308
	309	fs_getattr_xattr_fs(ricci_modclusterd_t)
	310
538cf9ab JS	311	auth_use_nsswitch(ricci_modclusterd_t)
538cf9ab JS	312
1847443e	313	init_stream_connect_script(ricci_modclusterd_t)
fa45da0e	314
fa45da0e CP	315	locallogin_dontaudit_use_fds(ricci_modclusterd_t)
	316
	317	logging_send_syslog_msg(ricci_modclusterd_t)
	318
	319	miscfiles_read_localization(ricci_modclusterd_t)
	320
	321	sysnet_domtrans_ifconfig(ricci_modclusterd_t)
538cf9ab JS	322
	323	optional_policy(`
	324	aisexec_stream_connect(ricci_modclusterd_t)
	325	corosync_stream_connect(ricci_modclusterd_t)
	326	')
fa45da0e	327
fa45da0e CP	328	optional_policy(`
	329	ccs_domtrans(ricci_modclusterd_t)
	330	ccs_stream_connect(ricci_modclusterd_t)
	331	ccs_read_config(ricci_modclusterd_t)
	332	')
	333
538cf9ab JS	334	optional_policy(`
	335	rgmanager_stream_connect(ricci_modclusterd_t)
	336	')
	337
fa45da0e CP	338	optional_policy(`
	339	unconfined_use_fds(ricci_modclusterd_t)
	340	')
	341
	342	########################################
	343	#
	344	# ricci_modlog local policy
	345	#
	346
	347	allow ricci_modlog_t self:capability sys_nice;
	348	allow ricci_modlog_t self:process setsched;
	349
	350	kernel_read_kernel_sysctls(ricci_modlog_t)
	351	kernel_read_system_state(ricci_modlog_t)
	352
	353	corecmd_exec_bin(ricci_modlog_t)
fa45da0e	354
1847443e	355	domain_read_all_domains_state(ricci_modlog_t)
fa45da0e CP	356
	357	files_read_etc_files(ricci_modlog_t)
	358	files_search_usr(ricci_modlog_t)
	359
fa45da0e CP	360	logging_read_generic_logs(ricci_modlog_t)
	361
	362	miscfiles_read_localization(ricci_modlog_t)
	363
fa45da0e CP	364	optional_policy(`
	365	nscd_dontaudit_search_pid(ricci_modlog_t)
	366	')
	367
	368	optional_policy(`
	369	oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
	370	')
	371
	372	########################################
	373	#
	374	# ricci_modrpm local policy
	375	#
	376
0b36a214	377	allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;
fa45da0e	378
6b19be33 CP	379	kernel_read_kernel_sysctls(ricci_modrpm_t)
6b19be33 CP	380
fa45da0e CP	381	corecmd_exec_bin(ricci_modrpm_t)
fa45da0e CP	382
fa45da0e CP	383	files_search_usr(ricci_modrpm_t)
	384	files_read_etc_files(ricci_modrpm_t)
	385
9bb4d7ce MG	386	logging_send_syslog_msg(ricci_modrpm_t)
9bb4d7ce MG	387
fa45da0e CP	388	miscfiles_read_localization(ricci_modrpm_t)
	389
	390	optional_policy(`
	391	oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
	392	')
	393
	394	optional_policy(`
	395	rpm_domtrans(ricci_modrpm_t)
	396	')
	397
	398	########################################
	399	#
	400	# ricci_modservice local policy
	401	#
	402
	403	allow ricci_modservice_t self:capability { dac_override sys_nice };
0b36a214	404	allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
fa45da0e CP	405	allow ricci_modservice_t self:process setsched;
	406
	407	kernel_read_kernel_sysctls(ricci_modservice_t)
	408	kernel_read_system_state(ricci_modservice_t)
	409
fa45da0e CP	410	corecmd_exec_bin(ricci_modservice_t)
	411	corecmd_exec_shell(ricci_modservice_t)
	412
	413	files_read_etc_files(ricci_modservice_t)
	414	files_read_etc_runtime_files(ricci_modservice_t)
	415	files_search_usr(ricci_modservice_t)
6b19be33 CP	416	# Needed for running chkconfig
6b19be33 CP	417	files_manage_etc_symlinks(ricci_modservice_t)
fa45da0e	418
fa45da0e CP	419	init_domtrans_script(ricci_modservice_t)
fa45da0e CP	420
a7bc589a MG	421	logging_send_syslog_msg(ricci_modservice_t)
a7bc589a MG	422
fa45da0e CP	423	miscfiles_read_localization(ricci_modservice_t)
	424
	425	optional_policy(`
	426	ccs_read_config(ricci_modservice_t)
	427	')
	428
e689c53a MG	429	optional_policy(`
	430	consoletype_exec(ricci_modservice_t)
	431	')
	432
fa45da0e CP	433	optional_policy(`
	434	nscd_dontaudit_search_pid(ricci_modservice_t)
	435	')
	436
	437	optional_policy(`
	438	oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
	439	')
	440
	441	########################################
	442	#
	443	# ricci_modstorage local policy
	444	#
	445
	446	allow ricci_modstorage_t self:process { setsched signal };
19fd9301	447	dontaudit ricci_modstorage_t self:process ptrace;
fa45da0e	448	allow ricci_modstorage_t self:capability { mknod sys_nice };
c0868a7a	449	allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
fa45da0e CP	450	allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
	451
	452	kernel_read_kernel_sysctls(ricci_modstorage_t)
	453	kernel_read_system_state(ricci_modstorage_t)
	454
0bfccda4 CP	455	create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
0bfccda4 CP	456	files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
6b19be33	457
8a948caf	458	corecmd_exec_shell(ricci_modstorage_t)
fa45da0e	459	corecmd_exec_bin(ricci_modstorage_t)
fa45da0e CP	460
	461	dev_read_sysfs(ricci_modstorage_t)
	462	dev_read_urand(ricci_modstorage_t)
	463	dev_manage_generic_blk_files(ricci_modstorage_t)
	464
1847443e	465	domain_read_all_domains_state(ricci_modstorage_t)
6b19be33	466
fa45da0e CP	467	#Needed for editing /etc/fstab
	468	files_manage_etc_files(ricci_modstorage_t)
	469	files_read_etc_runtime_files(ricci_modstorage_t)
	470	files_read_usr_files(ricci_modstorage_t)
6b19be33	471	files_read_kernel_modules(ricci_modstorage_t)
fa45da0e	472
3eaa9939 DW	473	files_create_default_dir(ricci_modstorage_t)
	474	files_root_filetrans_default(ricci_modstorage_t, dir)
	475	files_mounton_default(ricci_modstorage_t)
	476	files_manage_default_dirs(ricci_modstorage_t)
	477	files_manage_default_files(ricci_modstorage_t)
	478
fa45da0e CP	479	storage_raw_read_fixed_disk(ricci_modstorage_t)
	480
	481	term_dontaudit_use_console(ricci_modstorage_t)
	482
9f8f5cb1 DW	483	auth_use_nsswitch(ricci_modstorage_t)
9f8f5cb1 DW	484
fa45da0e CP	485	logging_send_syslog_msg(ricci_modstorage_t)
fa45da0e CP	486
fa45da0e CP	487	miscfiles_read_localization(ricci_modstorage_t)
fa45da0e CP	488
538cf9ab JS	489	optional_policy(`
	490	aisexec_stream_connect(ricci_modstorage_t)
	491	corosync_stream_connect(ricci_modstorage_t)
	492	')
	493
fa45da0e	494	optional_policy(`
c5561c77	495	ccs_stream_connect(ricci_modstorage_t)
fa45da0e CP	496	ccs_read_config(ricci_modstorage_t)
	497	')
	498
e689c53a MG	499	optional_policy(`
	500	consoletype_exec(ricci_modstorage_t)
	501	')
	502
	503	optional_policy(`
	504	fstools_domtrans(ricci_modstorage_t)
	505	')
	506
19fd9301 CP	507	optional_policy(`
19fd9301 CP	508	lvm_domtrans(ricci_modstorage_t)
226c0696	509	lvm_manage_config(ricci_modstorage_t)
19fd9301 CP	510	')
19fd9301 CP	511
e689c53a MG	512	optional_policy(`
	513	modutils_read_module_deps(ricci_modstorage_t)
	514	')
	515
	516	optional_policy(`
	517	mount_domtrans(ricci_modstorage_t)
	518	')
	519
fa45da0e CP	520	optional_policy(`
	521	oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
	522	')
	523
	524	optional_policy(`
	525	raid_domtrans_mdadm(ricci_modstorage_t)
	526	')