## <summary>Policy for matahari.</summary>

######################################
## <summary>
##	Create a matahari init daemon domain: declares
##	matahari_PREFIX_t (carrying the matahari_domain
##	attribute) together with its entry point type
##	matahari_PREFIX_exec_t.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain, e.g. hostd yields
##	matahari_hostd_t and matahari_hostd_exec_t.
##	</summary>
## </param>
#
template(`matahari_domain_template',`
	gen_require(`
		attribute matahari_domain;
	')

	##############################
	#
	# Declarations
	#

	# Entry point first, then the domain that is entered through it.
	type matahari_$1_exec_t;
	type matahari_$1_t, matahari_domain;

	# Register the pair as an init daemon domain / entry point.
	init_daemon_domain(matahari_$1_t, matahari_$1_exec_t)
')

########################################
## <summary>
##	Search the matahari lib directories
##	(matahari_var_lib_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_search_lib',`
	gen_require(`
		type matahari_var_lib_t;
	')

	# Path walk: /var/lib first, then the matahari directory itself.
	files_search_var_lib($1)
	search_dirs_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
')

########################################
## <summary>
##	Read files in the matahari lib directories
##	(matahari_var_lib_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_read_lib_files',`
	gen_require(`
		type matahari_var_lib_t;
	')

	files_search_var_lib($1)
	# Equivalent of read_files_pattern() spelled out: search the
	# directory, read the files it contains.
	allow $1 matahari_var_lib_t:dir search_dir_perms;
	allow $1 matahari_var_lib_t:file read_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete files in
##	the matahari lib directories (matahari_var_lib_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_manage_lib_files',`
	gen_require(`
		type matahari_var_lib_t;
	')

	# manage_files_pattern() grants rw_dir_perms on the directory
	# and manage_file_perms on the files; /var/lib search is needed
	# to reach it.
	manage_files_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
	files_search_var_lib($1)
')

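########################################
## <summary>
##	Create, read, write, and delete
##	matahari lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_manage_lib_dirs',`
	gen_require(`
		type matahari_var_lib_t;
	')

	files_search_var_lib($1)
	# Directories only; files are covered by matahari_manage_lib_files.
	manage_dirs_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
')
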
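########################################
## <summary>
##	Read matahari PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_read_pid_files',`
	gen_require(`
		type matahari_var_run_t;
	')

	files_search_pids($1)
	# Use the pattern rather than a bare file rule so the caller can
	# also search a matahari_var_run_t directory, matching what
	# matahari_manage_pid_files grants on the same type.
	read_files_pattern($1, matahari_var_run_t, matahari_var_run_t)
')
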
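########################################
## <summary>
##	Create, read, write, and delete
##	matahari PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_manage_pid_files',`
	gen_require(`
		type matahari_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, matahari_var_run_t, matahari_var_run_t)
')
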
########################################
## <summary>
##	Execute matahari_hostd_exec_t files with an
##	automatic domain transition to matahari_hostd_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_hostd_domtrans',`
	gen_require(`
		type matahari_hostd_exec_t;
		type matahari_hostd_t;
	')

	domtrans_pattern($1, matahari_hostd_exec_t, matahari_hostd_t)
')

########################################
## <summary>
##	Execute matahari_netd_exec_t files with an
##	automatic domain transition to matahari_netd_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_netd_domtrans',`
	gen_require(`
		type matahari_netd_exec_t;
		type matahari_netd_t;
	')

	domtrans_pattern($1, matahari_netd_exec_t, matahari_netd_t)
')

########################################
## <summary>
##	Execute matahari_serviced_exec_t files with an
##	automatic domain transition to matahari_serviced_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_serviced_domtrans',`
	gen_require(`
		type matahari_serviced_exec_t;
		type matahari_serviced_t;
	')

	domtrans_pattern($1, matahari_serviced_exec_t, matahari_serviced_t)
')

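########################################
## <summary>
##	All of the rules required to administrate
##	a matahari environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`matahari_admin',`
	gen_require(`
		type matahari_initrc_exec_t, matahari_hostd_t;
		type matahari_netd_t, matahari_serviced_t;
		# matahari_sysconfigd_t is used below, so it must be required
		# here as well or the interface fails to link on its own.
		type matahari_sysconfigd_t;
		type matahari_var_lib_t, matahari_var_run_t;
	')

	# Run the init script and let the role reach system_r for it.
	init_labeled_script_domtrans($1, matahari_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 matahari_initrc_exec_t system_r;
	allow $2 system_r;

	# Signal, ptrace and inspect each matahari daemon domain.
	allow $1 matahari_netd_t:process { ptrace signal_perms };
	ps_process_pattern($1, matahari_netd_t)

	allow $1 matahari_hostd_t:process { ptrace signal_perms };
	ps_process_pattern($1, matahari_hostd_t)

	allow $1 matahari_serviced_t:process { ptrace signal_perms };
	ps_process_pattern($1, matahari_serviced_t)

	allow $1 matahari_sysconfigd_t:process { ptrace signal_perms };
	ps_process_pattern($1, matahari_sysconfigd_t)

	# Full control of the lib and PID files.
	files_search_var_lib($1)
	admin_pattern($1, matahari_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, matahari_var_run_t)
')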