policy_module(rabbitmq, 1.0.0)

########################################
#
# Declarations
#

# Broker domain (the Erlang VM, "beam") and its entrypoint type.
# init_daemon_domain makes rabbitmq_beam_exec_t the entrypoint through which
# init starts the daemon in rabbitmq_beam_t. Which files carry the label is
# decided in the file-context (.fc) file, which is not part of this module
# source.
type rabbitmq_beam_t;
type rabbitmq_beam_exec_t;
init_daemon_domain(rabbitmq_beam_t, rabbitmq_beam_exec_t)

# Separate domain for the Erlang port mapper daemon (epmd), so that the
# port mapper does not run with the broker's permissions.
type rabbitmq_epmd_t;
type rabbitmq_epmd_exec_t;
init_daemon_domain(rabbitmq_epmd_t, rabbitmq_epmd_exec_t)

# Private state of the broker. The dedicated type keeps other confined
# domains away from it unless they are granted access explicitly.
type rabbitmq_var_lib_t;
files_type(rabbitmq_var_lib_t)

# Log files, declared as a log file type via logging_log_file.
type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t)

######################################
#
# beam local policy
#

# Permissions on the domain's own process, pipes and TCP sockets.
allow rabbitmq_beam_t self:process { signal signull setsched };
allow rabbitmq_beam_t self:tcp_socket { accept listen };
allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;

# Full management (create, write, delete) of the broker's own state and
# log directories and files. Nothing here reaches files of another type.
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)

# Execution without a domain transition: the broker may re-execute its own
# binary, generic programs in bin directories, and shells. Whatever it
# starts this way stays in rabbitmq_beam_t and is bound by this policy,
# but the shell and bin access is also what a compromised broker process
# could run.
# NOTE(review): confirm that the shell is still required; dropping
# corecmd_exec_shell would narrow the domain.
can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
corecmd_exec_shell(rabbitmq_beam_t)
corecmd_exec_bin(rabbitmq_beam_t)

# Network. The only named ports are amqp (bind) and epmd (connect).
# Outbound connections are additionally allowed to every ephemeral port;
# presumably this is for Erlang distribution between nodes, whose ports
# are assigned dynamically - verify before tightening.
corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
corenet_tcp_bind_generic_node(rabbitmq_beam_t)
corenet_udp_bind_generic_node(rabbitmq_beam_t)

# Read-only access to system information and configuration.
kernel_read_system_state(rabbitmq_beam_t)
dev_read_sysfs(rabbitmq_beam_t)
files_read_etc_files(rabbitmq_beam_t)
miscfiles_read_localization(rabbitmq_beam_t)

# Name resolution, granted only when the sysnetwork module is present.
optional_policy(`
	sysnet_dns_name_resolve(rabbitmq_beam_t)
')

########################################
#
# epmd local policy
#

# When the broker domain executes a file labelled rabbitmq_epmd_exec_t,
# the new process transitions to rabbitmq_epmd_t instead of staying in
# rabbitmq_beam_t.
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)

# Permissions on the domain's own process, pipes and stream sockets.
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
allow rabbitmq_epmd_t self:unix_stream_socket create_stream_socket_perms;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;

# should be append
# write_file_perms carries the write permission, so epmd can modify
# existing log content and not only add to it. append_file_perms would
# protect the integrity of earlier log entries.
# NOTE(review): left as is because that only works if epmd opens the log
# in append mode, which is not verified here.
allow rabbitmq_epmd_t rabbitmq_var_log_t:file write_file_perms;

# Network. epmd may bind its own port only; this section grants it no
# corenet connect permission.
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
corenet_udp_bind_generic_node(rabbitmq_epmd_t)

# Read-only configuration and locale data, plus syslog output.
files_read_etc_files(rabbitmq_epmd_t)
miscfiles_read_localization(rabbitmq_epmd_t)
logging_send_syslog_msg(rabbitmq_epmd_t)
