[people/stevee/selinux-policy.git] / policy / modules / services / varnishd.te

policy_module(varnishd, 1.2.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow varnishd to connect to all ports,
##	not just HTTP.
##	</p>
## </desc>
gen_tunable(varnishd_connect_any, false)

type varnishd_t;
type varnishd_exec_t;
init_daemon_domain(varnishd_t, varnishd_exec_t)

type varnishd_initrc_exec_t;
init_script_file(varnishd_initrc_exec_t)

type varnishd_etc_t;
files_config_file(varnishd_etc_t)

type varnishd_tmp_t;
files_tmp_file(varnishd_tmp_t)

type varnishd_var_lib_t;
files_type(varnishd_var_lib_t)

type varnishd_var_run_t;
files_pid_file(varnishd_var_run_t)

type varnishlog_t;
type varnishlog_exec_t;
init_daemon_domain(varnishlog_t, varnishlog_exec_t)

type varnishlog_initrc_exec_t;
init_script_file(varnishlog_initrc_exec_t)

type varnishlog_var_run_t;
files_pid_file(varnishlog_var_run_t)

type varnishlog_log_t;
logging_log_file(varnishlog_log_t)

########################################
#
# varnishd local policy
#

allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
dontaudit varnishd_t self:capability sys_tty_config;
allow varnishd_t self:process signal;
allow varnishd_t self:fifo_file rw_fifo_file_perms;
allow varnishd_t self:tcp_socket create_stream_socket_perms;
allow varnishd_t self:udp_socket create_socket_perms;

read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)

manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir })

exec_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })

manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
files_pid_filetrans(varnishd_t, varnishd_var_run_t, file)

kernel_read_system_state(varnishd_t)

corecmd_exec_bin(varnishd_t)
corecmd_exec_shell(varnishd_t)

corenet_tcp_sendrecv_generic_if(varnishd_t)
corenet_tcp_bind_generic_node(varnishd_t)
corenet_tcp_bind_http_port(varnishd_t)
corenet_tcp_bind_http_cache_port(varnishd_t)
corenet_tcp_bind_varnishd_port(varnishd_t)
corenet_tcp_connect_http_cache_port(varnishd_t)
corenet_tcp_connect_http_port(varnishd_t)

dev_read_urand(varnishd_t)

fs_getattr_all_fs(varnishd_t)

auth_use_nsswitch(varnishd_t)

logging_send_syslog_msg(varnishd_t)

miscfiles_read_localization(varnishd_t)

sysnet_read_config(varnishd_t)

tunable_policy(`varnishd_connect_any',`
	corenet_tcp_connect_all_ports(varnishd_t)
	corenet_tcp_bind_all_ports(varnishd_t)
')

#######################################
#
# varnishlog local policy
#

manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)

manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })

files_search_var_lib(varnishlog_t)
read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)
Commit	Line	Data
826d0142	1	policy_module(varnishd, 1.2.0)
267d9c60 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	## <desc>
aaf8a677 DG	9	## <p>
	10	## Allow varnishd to connect to all ports,
	11	## not just HTTP.
	12	## </p>
267d9c60 CP	13	## </desc>
	14	gen_tunable(varnishd_connect_any, false)
	15
	16	type varnishd_t;
	17	type varnishd_exec_t;
	18	init_daemon_domain(varnishd_t, varnishd_exec_t)
	19
	20	type varnishd_initrc_exec_t;
	21	init_script_file(varnishd_initrc_exec_t)
	22
	23	type varnishd_etc_t;
5e4542af	24	files_config_file(varnishd_etc_t)
267d9c60 CP	25
	26	type varnishd_tmp_t;
	27	files_tmp_file(varnishd_tmp_t)
	28
	29	type varnishd_var_lib_t;
	30	files_type(varnishd_var_lib_t)
	31
	32	type varnishd_var_run_t;
	33	files_pid_file(varnishd_var_run_t)
	34
	35	type varnishlog_t;
	36	type varnishlog_exec_t;
	37	init_daemon_domain(varnishlog_t, varnishlog_exec_t)
	38
	39	type varnishlog_initrc_exec_t;
	40	init_script_file(varnishlog_initrc_exec_t)
	41
	42	type varnishlog_var_run_t;
	43	files_pid_file(varnishlog_var_run_t)
	44
	45	type varnishlog_log_t;
2b3649c1	46	logging_log_file(varnishlog_log_t)
267d9c60 CP	47
	48	########################################
	49	#
	50	# varnishd local policy
	51	#
	52
3eaa9939 DW	53	allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
3eaa9939 DW	54	dontaudit varnishd_t self:capability sys_tty_config;
267d9c60 CP	55	allow varnishd_t self:process signal;
	56	allow varnishd_t self:fifo_file rw_fifo_file_perms;
	57	allow varnishd_t self:tcp_socket create_stream_socket_perms;
	58	allow varnishd_t self:udp_socket create_socket_perms;
	59
	60	read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
	61	list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
	62
	63	manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
	64	manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
	65	files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir })
	66
	67	exec_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
	68	manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
	69	manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
	70	files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })
	71
	72	manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
a25335e1	73	files_pid_filetrans(varnishd_t, varnishd_var_run_t, file)
267d9c60 CP	74
	75	kernel_read_system_state(varnishd_t)
	76
	77	corecmd_exec_bin(varnishd_t)
	78	corecmd_exec_shell(varnishd_t)
	79
	80	corenet_tcp_sendrecv_generic_if(varnishd_t)
	81	corenet_tcp_bind_generic_node(varnishd_t)
	82	corenet_tcp_bind_http_port(varnishd_t)
	83	corenet_tcp_bind_http_cache_port(varnishd_t)
45b975db	84	corenet_tcp_bind_varnishd_port(varnishd_t)
267d9c60 CP	85	corenet_tcp_connect_http_cache_port(varnishd_t)
	86	corenet_tcp_connect_http_port(varnishd_t)
	87
	88	dev_read_urand(varnishd_t)
	89
	90	fs_getattr_all_fs(varnishd_t)
	91
	92	auth_use_nsswitch(varnishd_t)
	93
	94	logging_send_syslog_msg(varnishd_t)
	95
	96	miscfiles_read_localization(varnishd_t)
	97
	98	sysnet_read_config(varnishd_t)
	99
	100	tunable_policy(`varnishd_connect_any',`
	101	corenet_tcp_connect_all_ports(varnishd_t)
	102	corenet_tcp_bind_all_ports(varnishd_t)
	103	')
	104
	105	#######################################
	106	#
	107	# varnishlog local policy
	108	#
	109
	110	manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
a25335e1	111	files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)
267d9c60 CP	112
	113	manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
	114	manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
	115	logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })
	116
	117	files_search_var_lib(varnishlog_t)
	118	read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)