[people/stevee/selinux-policy.git] / policy / modules / services / sanlock.te

policy_module(sanlock,1.0.0)

########################################
#
# Declarations
#

## <desc>
##  <p>
##  Allow confined virtual guests to manage nfs files
##  </p>
## </desc>
gen_tunable(sanlock_use_nfs, false)

## <desc>
##  <p>
##  Allow confined virtual guests to manage cifs files
##  </p>
## </desc>
gen_tunable(sanlock_use_samba, false)

type sanlock_t;
type sanlock_exec_t;
init_daemon_domain(sanlock_t, sanlock_exec_t)

type sanlock_var_run_t;
files_pid_file(sanlock_var_run_t)

type sanlock_log_t;
logging_log_file(sanlock_log_t)

type sanlock_initrc_exec_t;
init_script_file(sanlock_initrc_exec_t)

ifdef(`enable_mcs',`
	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
')

ifdef(`enable_mls',`
	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh)
')

########################################
#
# sanlock local policy
#
allow sanlock_t self:capability { sys_nice ipc_lock };
allow sanlock_t self:process { setsched signull };

allow sanlock_t self:fifo_file rw_fifo_file_perms;
allow sanlock_t self:unix_stream_socket create_stream_socket_perms;

manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
logging_log_filetrans(sanlock_t, sanlock_log_t, file)

manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
manage_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })

kernel_read_system_state(sanlock_t)

domain_use_interactive_fds(sanlock_t)

files_read_etc_files(sanlock_t)

storage_raw_rw_fixed_disk(sanlock_t)

dev_read_urand(sanlock_t)

init_read_utmp(sanlock_t)
init_dontaudit_write_utmp(sanlock_t)

logging_send_syslog_msg(sanlock_t)

miscfiles_read_localization(sanlock_t)

tunable_policy(`sanlock_use_nfs',`
    fs_manage_nfs_dirs(sanlock_t)
    fs_manage_nfs_files(sanlock_t)
    fs_manage_nfs_named_sockets(sanlock_t)
    fs_read_nfs_symlinks(sanlock_t)
')

tunable_policy(`sanlock_use_samba',`
    fs_manage_cifs_dirs(sanlock_t)
    fs_manage_cifs_files(sanlock_t)
    fs_manage_cifs_named_sockets(sanlock_t)
    fs_read_cifs_symlinks(sanlock_t)
')

optional_policy(`
	wdmd_stream_connect(sanlock_t)
')

optional_policy(`
	virt_kill_svirt(sanlock_t)
	virt_manage_lib_files(sanlock_t)
	virt_signal_svirt(sanlock_t)
')
Commit	Line	Data
92e5b2cd DW	1	policy_module(sanlock,1.0.0)
	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
57b1b4b0 MG	8	## <desc>
	9	## <p>
	10	## Allow confined virtual guests to manage nfs files
	11	## </p>
	12	## </desc>
	13	gen_tunable(sanlock_use_nfs, false)
	14
	15	## <desc>
	16	## <p>
	17	## Allow confined virtual guests to manage cifs files
	18	## </p>
	19	## </desc>
	20	gen_tunable(sanlock_use_samba, false)
	21
92e5b2cd DW	22	type sanlock_t;
	23	type sanlock_exec_t;
	24	init_daemon_domain(sanlock_t, sanlock_exec_t)
	25
92e5b2cd DW	26	type sanlock_var_run_t;
	27	files_pid_file(sanlock_var_run_t)
	28
2faaa1b1 DW	29	type sanlock_log_t;
	30	logging_log_file(sanlock_log_t)
	31
92e5b2cd DW	32	type sanlock_initrc_exec_t;
	33	init_script_file(sanlock_initrc_exec_t)
	34
7067fb81 DW	35	ifdef(`enable_mcs',`
	36	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
	37	')
	38
	39	ifdef(`enable_mls',`
	40	init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh)
	41	')
	42
92e5b2cd DW	43	########################################
	44	#
	45	# sanlock local policy
	46	#
0703a8c8	47	allow sanlock_t self:capability { sys_nice ipc_lock };
92e5b2cd DW	48	allow sanlock_t self:process { setsched signull };
	49
	50	allow sanlock_t self:fifo_file rw_fifo_file_perms;
	51	allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
	52
2faaa1b1 DW	53	manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
	54	logging_log_filetrans(sanlock_t, sanlock_log_t, file)
	55
92e5b2cd DW	56	manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
	57	manage_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
	58	manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
c6b38c7e	59	files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
92e5b2cd	60
053ca8f9 MG	61	kernel_read_system_state(sanlock_t)
053ca8f9 MG	62
92e5b2cd DW	63	domain_use_interactive_fds(sanlock_t)
	64
	65	files_read_etc_files(sanlock_t)
	66
da08d886 DW	67	storage_raw_rw_fixed_disk(sanlock_t)
da08d886 DW	68
053ca8f9 MG	69	dev_read_urand(sanlock_t)
053ca8f9 MG	70
92e5b2cd DW	71	init_read_utmp(sanlock_t)
	72	init_dontaudit_write_utmp(sanlock_t)
	73
0703a8c8 DW	74	logging_send_syslog_msg(sanlock_t)
0703a8c8 DW	75
92e5b2cd DW	76	miscfiles_read_localization(sanlock_t)
92e5b2cd DW	77
57b1b4b0 MG	78	tunable_policy(`sanlock_use_nfs',`
	79	fs_manage_nfs_dirs(sanlock_t)
	80	fs_manage_nfs_files(sanlock_t)
	81	fs_manage_nfs_named_sockets(sanlock_t)
	82	fs_read_nfs_symlinks(sanlock_t)
	83	')
	84
	85	tunable_policy(`sanlock_use_samba',`
	86	fs_manage_cifs_dirs(sanlock_t)
	87	fs_manage_cifs_files(sanlock_t)
	88	fs_manage_cifs_named_sockets(sanlock_t)
	89	fs_read_cifs_symlinks(sanlock_t)
	90	')
	91
da08d886 DW	92	optional_policy(`
da08d886 DW	93	wdmd_stream_connect(sanlock_t)
92e5b2cd DW	94	')
92e5b2cd DW	95
da08d886 DW	96	optional_policy(`
da08d886 DW	97	virt_kill_svirt(sanlock_t)
72fdd09f	98	virt_manage_lib_files(sanlock_t)
da08d886 DW	99	virt_signal_svirt(sanlock_t)
da08d886 DW	100	')