policy_module(rgmanager, 1.0.0)

########################################
#
# Declarations
#

# Boolean, default off. When switched on, the tunable_policy() block
# further down grants rgmanager_t outbound TCP connects to all ports
# (corenet_tcp_connect_all_ports), so it should stay off unless the
# cluster's resource agents are known to need it.
## <desc>
## <p>
## Allow rgmanager domain to connect to the network using TCP.
## </p>
## </desc>
gen_tunable(rgmanager_can_network_connect, false)
14
# Process domain and its entrypoint; init_daemon_domain() sets up the
# transition from init into rgmanager_t when rgmanager_exec_t is run.
type rgmanager_t;
type rgmanager_exec_t;
domain_type(rgmanager_t)
init_daemon_domain(rgmanager_t, rgmanager_exec_t)

# Init script label.
type rgmanager_initrc_exec_t;
init_script_file(rgmanager_initrc_exec_t)

# Private tmp file type (files_tmp_file()).
type rgmanager_tmp_t;
files_tmp_file(rgmanager_tmp_t)

# Private tmpfs file type (files_tmpfs_file()).
type rgmanager_tmpfs_t;
files_tmpfs_file(rgmanager_tmpfs_t)

# Log file type (logging_log_file()).
type rgmanager_var_log_t;
logging_log_file(rgmanager_var_log_t)

# PID/run-time state type (files_pid_file()); the local policy below
# also uses it for sock files via manage_sock_files_pattern().
type rgmanager_var_run_t;
files_pid_file(rgmanager_var_run_t)
34
35 ########################################
36 #
37 # rgmanager local policy
38 #
39
# Capabilities. sys_admin and dac_override are the broad ones here
# (NOTE(review): the policy does not record which operations need them;
# presumably mount/cluster control and DAC bypass on files the resource
# agents touch - confirm before widening further). net_raw goes with the
# ping/ifconfig transitions in the optional blocks below.
allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
# ptrace is denied but not logged, here and via
# domain_dontaudit_ptrace_all_domains() below.
dontaudit rgmanager_t self:capability { sys_ptrace };
allow rgmanager_t self:process { setsched signal };
dontaudit rgmanager_t self:process { ptrace };

allow rgmanager_t self:fifo_file rw_fifo_file_perms;
allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
allow rgmanager_t self:unix_dgram_socket create_socket_perms;
# TCP sockets may always be created; connecting out to remote ports is
# gated separately by the rgmanager_can_network_connect boolean.
allow rgmanager_t self:tcp_socket create_stream_socket_perms;

# Private tmp, tmpfs, log and pid files. The *_filetrans() calls make
# objects rgmanager_t creates in those directories get the private types
# rather than the generic directory type.
manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })

manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })

manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })

manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir })

# Kernel interfaces: signal delivery, kernel and rpc sysctls (rpc ones
# read-write), system state, and lookups in debugfs and network state.
kernel_kill(rgmanager_t)
kernel_read_kernel_sysctls(rgmanager_t)
kernel_read_rpc_sysctls(rgmanager_t)
kernel_read_system_state(rgmanager_t)
kernel_rw_rpc_sysctls(rgmanager_t)
kernel_search_debugfs(rgmanager_t)
kernel_search_network_state(rgmanager_t)

# Executing generic binaries and shells in the rgmanager_t domain itself
# (no transition): this is how resource scripts run unless a more
# specific *_domtrans() below matches.
corecmd_exec_bin(rgmanager_t)
corecmd_exec_shell(rgmanager_t)
consoletype_exec(rgmanager_t)

# need to write to /dev/misc/dlm-control
dev_rw_dlm_control(rgmanager_t)
dev_setattr_dlm_control(rgmanager_t)
dev_search_sysfs(rgmanager_t)

# Read the /proc state of every domain; ptrace of other domains stays
# denied and unaudited.
domain_read_all_domains_state(rgmanager_t)
domain_getattr_all_domains(rgmanager_t)
domain_dontaudit_ptrace_all_domains(rgmanager_t)

# Broad filesystem access: full management of mnt_t and of files/dirs
# carrying the initial-SID type (file_t, i.e. content with no label).
# These are wide grants; any further widening should be justified by a
# specific resource agent's needs.
files_create_var_run_dirs(rgmanager_t)
files_getattr_all_symlinks(rgmanager_t)
files_list_all(rgmanager_t)
files_manage_mnt_dirs(rgmanager_t)
files_manage_mnt_files(rgmanager_t)
files_manage_mnt_symlinks(rgmanager_t)
files_manage_isid_type_files(rgmanager_t)
files_manage_isid_type_dirs(rgmanager_t)

fs_getattr_xattr_fs(rgmanager_t)
fs_getattr_all_fs(rgmanager_t)

# Raw read of fixed disks: this bypasses per-file labeling for whatever
# sits on the block device, so it is a deliberate, broad grant.
storage_raw_read_fixed_disk(rgmanager_t)
storage_getattr_fixed_disk_dev(rgmanager_t)

term_getattr_pty_fs(rgmanager_t)
# Disabled: ptmx access is currently not granted.
#term_use_ptmx(rgmanager_t)

# needed by resource scripts
# Read access to nearly every file type; only shadow_t is excluded, and
# getattr on it is silenced rather than allowed.
auth_read_all_files_except_shadow(rgmanager_t)
auth_dontaudit_getattr_shadow(rgmanager_t)
auth_use_nsswitch(rgmanager_t)

logging_send_syslog_msg(rgmanager_t)

miscfiles_read_localization(rgmanager_t)

# Domain transition into the mount domain (mount_domtrans()).
mount_domtrans(rgmanager_t)
115
# Outbound TCP to any port, only while the boolean is on (default false).
tunable_policy(`rgmanager_can_network_connect',`
corenet_tcp_connect_all_ports(rgmanager_t)
')

# rgmanager can run resource scripts: the optional blocks below let it
# transition into, signal, or connect to the services it manages.
# An optional_policy() block is dropped as a whole when any module it
# references is absent at link time, so blocks that mix interfaces from
# different modules (aisexec + corosync, ccs + rhcs) lose both halves
# together. NOTE(review): split those if the interfaces really live in
# separate modules.
optional_policy(`
aisexec_stream_connect(rgmanager_t)
corosync_stream_connect(rgmanager_t)
')

# Managed services: domain transitions plus signal rights where the
# agent needs to stop/reload them.
optional_policy(`
apache_domtrans(rgmanager_t)
apache_signal(rgmanager_t)
')

optional_policy(`
fstools_domtrans(rgmanager_t)
')

optional_policy(`
rhcs_stream_connect_groupd(rgmanager_t)
')

optional_policy(`
hostname_exec(rgmanager_t)
')

# Cluster configuration: read-write access to the ccs config, not just read.
optional_policy(`
ccs_manage_config(rgmanager_t)
ccs_stream_connect(rgmanager_t)
rhcs_stream_connect_gfs_controld(rgmanager_t)
')

optional_policy(`
lvm_domtrans(rgmanager_t)
')

optional_policy(`
ldap_initrc_domtrans(rgmanager_t)
ldap_domtrans(rgmanager_t)
')

optional_policy(`
mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t)
')

# ping/ifconfig-style helpers are the consumers of the net_raw
# capability granted in the local policy.
optional_policy(`
netutils_domtrans(rgmanager_t)
netutils_domtrans_ping(rgmanager_t)
')

optional_policy(`
postgresql_domtrans(rgmanager_t)
postgresql_signal(rgmanager_t)
')

optional_policy(`
rdisc_exec(rgmanager_t)
')

optional_policy(`
ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
')

# NFS: both the init-script and daemon transitions, plus management of
# NFS state data.
optional_policy(`
rpc_initrc_domtrans_nfsd(rgmanager_t)
rpc_initrc_domtrans_rpcd(rgmanager_t)

rpc_domtrans_nfsd(rgmanager_t)
rpc_domtrans_rpcd(rgmanager_t)
rpc_manage_nfs_state_data(rgmanager_t)
')

# Samba: note samba_rw_config() grants writes to the Samba configuration,
# not only reads.
optional_policy(`
samba_initrc_domtrans(rgmanager_t)
samba_domtrans_smbd(rgmanager_t)
samba_domtrans_nmbd(rgmanager_t)
samba_manage_var_files(rgmanager_t)
samba_rw_config(rgmanager_t)
samba_signal_smbd(rgmanager_t)
samba_signal_nmbd(rgmanager_t)
')

optional_policy(`
sysnet_domtrans_ifconfig(rgmanager_t)
')

optional_policy(`
udev_read_db(rgmanager_t)
')

optional_policy(`
virt_stream_connect(rgmanager_t)
')

# NOTE(review): when the unconfined module is loaded, unconfined_domain()
# makes rgmanager_t effectively unrestricted and every allow/dontaudit
# rule above becomes moot. The confinement this file expresses therefore
# only holds on systems where that module is absent or removed.
optional_policy(`
unconfined_domain(rgmanager_t)
')

optional_policy(`
xen_domtrans_xm(rgmanager_t)
')