## <summary>RHCS - Red Hat Cluster Suite</summary>

#######################################
## <summary>
##	Create the types and baseline rules shared by
##	every RHCS init daemon domain.
## </summary>
## <desc>
##	<p>
##	Declares the domain, entry point, tmpfs, log and
##	pid types for the given prefix and lets the new
##	domain manage its own tmpfs, log and pid objects.
##	The domain joins the cluster_domain attribute, so
##	every attribute-wide rhcs interface applies to it.
##	</p>
## </desc>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`rhcs_domain_template',`
	gen_require(`
		attribute cluster_domain, cluster_pid, cluster_tmpfs;
	')

	##############################
	#
	# Declarations
	#

	# Daemon domain and its entry point, registered via init_daemon_domain.
	type $1_t, cluster_domain;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)

	# Per-daemon log type.
	type $1_var_log_t;
	logging_log_file($1_var_log_t)

	# Per-daemon pid type, grouped under cluster_pid.
	type $1_var_run_t, cluster_pid;
	files_pid_file($1_var_run_t)

	# Per-daemon tmpfs type, grouped under cluster_tmpfs.
	type $1_tmpfs_t, cluster_tmpfs;
	files_tmpfs_file($1_tmpfs_t)

	##############################
	#
	# Local policy
	#

	# Logs: plain files and sockets, both labelled on creation.
	manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
	manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
	logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })

	# Pid directory objects: files, fifos and sockets are managed.
	# NOTE(review): sock_file is managed here but is not listed in the
	# filetrans below, so a socket created directly in the pid directory
	# would presumably keep the parent label instead of the per-daemon
	# type that the rhcs_stream_connect interfaces match on. Confirm
	# whether the .te file adds its own transition before changing this.
	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })

	# tmpfs: directories and files, both labelled on creation.
	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
')

######################################
## <summary>
##	Run dlm_controld in its own domain by way of
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`rhcs_domtrans_dlm_controld',`
	gen_require(`
		type dlm_controld_exec_t, dlm_controld_t;
	')

	# Executing the entry point moves the caller into dlm_controld_t.
	domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
	# The caller has to be able to reach the binary first.
	corecmd_search_bin($1)
')

#####################################
## <summary>
##	Connect to dlm_controld over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_stream_connect_dlm_controld',`
	gen_require(`
		type dlm_controld_var_run_t, dlm_controld_t;
	')

	# Socket file and its directory both carry dlm_controld_var_run_t.
	stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
	# Reach the socket through the pid directory.
	files_search_pids($1)
')

#####################################
## <summary>
##	Allow read and write access to dlm_controld semaphores.
## </summary>
## <desc>
##	<p>
##	Broader than the name suggests: the caller may also
##	destroy the semaphores and manage dlm_controld
##	tmpfs files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_rw_dlm_controld_semaphores',`
	gen_require(`
		type dlm_controld_tmpfs_t, dlm_controld_t;
	')

	# tmpfs files of the daemon: full manage access, not just read/write.
	fs_search_tmpfs($1)
	manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)

	# Semaphores owned by the daemon; destroy is granted as well.
	allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
')

######################################
## <summary>
##	Run fenced in its own domain by way of
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`rhcs_domtrans_fenced',`
	gen_require(`
		type fenced_exec_t, fenced_t;
	')

	# Executing the entry point moves the caller into fenced_t.
	domtrans_pattern($1, fenced_exec_t, fenced_t)
	# The caller has to be able to reach the binary first.
	corecmd_search_bin($1)
')

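#####################################
## <summary>
##	Allow a domain to getattr on fenced executable.
## </summary>
## <desc>
##	<p>
##	Grants getattr only; the caller can neither execute
##	fenced nor transition into its domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_getattr_fenced',`
	gen_require(`
		# Only the executable type is referenced by the rule below.
		type fenced_exec_t;
	')

	allow $1 fenced_exec_t:file getattr;
')
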
######################################
## <summary>
##	Allow read and write access to fenced semaphores.
## </summary>
## <desc>
##	<p>
##	Broader than the name suggests: the caller may also
##	destroy the semaphores and manage fenced tmpfs files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_rw_fenced_semaphores',`
	gen_require(`
		type fenced_tmpfs_t, fenced_t;
	')

	# tmpfs files of the daemon: full manage access, not just read/write.
	fs_search_tmpfs($1)
	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)

	# Semaphores owned by the daemon; destroy is granted as well.
	allow $1 fenced_t:sem { rw_sem_perms destroy };
')

######################################
## <summary>
##	Connect to fenced over a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_stream_connect_fenced',`
	gen_require(`
		type fenced_t, fenced_var_run_t;
	')

	# Socket file and its directory both carry fenced_var_run_t.
	stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
	# Reach the socket through the pid directory.
	files_search_pids($1)
')

#####################################
## <summary>
##	Run gfs_controld in its own domain by way of
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`rhcs_domtrans_gfs_controld',`
	gen_require(`
		type gfs_controld_exec_t, gfs_controld_t;
	')

	# Executing the entry point moves the caller into gfs_controld_t.
	domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
	# The caller has to be able to reach the binary first.
	corecmd_search_bin($1)
')

####################################
## <summary>
##	Allow read and write access to gfs_controld semaphores.
## </summary>
## <desc>
##	<p>
##	Broader than the name suggests: the caller may also
##	destroy the semaphores and manage gfs_controld
##	tmpfs files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_rw_gfs_controld_semaphores',`
	gen_require(`
		type gfs_controld_tmpfs_t, gfs_controld_t;
	')

	# tmpfs files of the daemon: full manage access, not just read/write.
	fs_search_tmpfs($1)
	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)

	# Semaphores owned by the daemon; destroy is granted as well.
	allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
')

########################################
## <summary>
##	Read and write gfs_controld shared memory.
## </summary>
## <desc>
##	<p>
##	Broader than the name suggests: the caller may also
##	destroy the shared memory segments and manage
##	gfs_controld tmpfs files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_rw_gfs_controld_shm',`
	gen_require(`
		type gfs_controld_tmpfs_t, gfs_controld_t;
	')

	# tmpfs files of the daemon: full manage access, not just read/write.
	fs_search_tmpfs($1)
	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)

	# Shared memory owned by the daemon; destroy is granted as well.
	allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
')

#####################################
## <summary>
##	Connect to gfs_controld over a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_stream_connect_gfs_controld',`
	gen_require(`
		type gfs_controld_var_run_t, gfs_controld_t;
	')

	# Socket file and its directory both carry gfs_controld_var_run_t.
	stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
	# Reach the socket through the pid directory.
	files_search_pids($1)
')

######################################
## <summary>
##	Run groupd in its own domain by way of
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`rhcs_domtrans_groupd',`
	gen_require(`
		type groupd_exec_t, groupd_t;
	')

	# Executing the entry point moves the caller into groupd_t.
	domtrans_pattern($1, groupd_exec_t, groupd_t)
	# The caller has to be able to reach the binary first.
	corecmd_search_bin($1)
')

#####################################
## <summary>
##	Connect to groupd over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_stream_connect_groupd',`
	gen_require(`
		type groupd_var_run_t, groupd_t;
	')

	# Socket file and its directory both carry groupd_var_run_t.
	stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
	# Reach the socket through the pid directory.
	files_search_pids($1)
')

#####################################
## <summary>
##	Allow read and write access to groupd semaphores.
## </summary>
## <desc>
##	<p>
##	Broader than the name suggests: the caller may also
##	destroy the semaphores and manage groupd tmpfs files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_rw_groupd_semaphores',`
	gen_require(`
		type groupd_tmpfs_t, groupd_t;
	')

	# tmpfs files of the daemon: full manage access, not just read/write.
	fs_search_tmpfs($1)
	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)

	# Semaphores owned by the daemon; destroy is granted as well.
	allow $1 groupd_t:sem { rw_sem_perms destroy };
')

########################################
## <summary>
##	Read and write groupd shared memory.
## </summary>
## <desc>
##	<p>
##	Broader than the name suggests: the caller may also
##	destroy the shared memory segments and manage
##	groupd tmpfs files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_rw_groupd_shm',`
	gen_require(`
		type groupd_tmpfs_t, groupd_t;
	')

	# tmpfs files of the daemon: full manage access, not just read/write.
	fs_search_tmpfs($1)
	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)

	# Shared memory owned by the daemon; destroy is granted as well.
	allow $1 groupd_t:shm { rw_shm_perms destroy };
')

########################################
## <summary>
##	Read and write shared memory of all cluster domains.
## </summary>
## <desc>
##	<p>
##	Attribute-wide grant: it covers every type carrying
##	cluster_domain or cluster_tmpfs, including domains
##	created later through rhcs_domain_template. The
##	caller may also destroy the segments and manage the
##	tmpfs files. Prefer a per-daemon interface when only
##	one daemon is needed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_rw_cluster_shm',`
	gen_require(`
		attribute cluster_tmpfs, cluster_domain;
	')

	# tmpfs files of every cluster domain: full manage access.
	fs_search_tmpfs($1)
	manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)

	# Shared memory of every cluster domain; destroy is granted as well.
	allow $1 cluster_domain:shm { rw_shm_perms destroy };
')

####################################
## <summary>
##	Read and write semaphores of all cluster domains.
## </summary>
## <desc>
##	<p>
##	Attribute-wide grant: it covers every type carrying
##	cluster_domain, including domains created later
##	through rhcs_domain_template. The caller may also
##	destroy the semaphores. Unlike the per-daemon
##	semaphore interfaces, no tmpfs file access is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_rw_cluster_semaphores',`
	gen_require(`
		attribute cluster_domain;
	')

	# Semaphores of every cluster domain; destroy is granted as well.
	allow $1 cluster_domain:sem { rw_sem_perms destroy };
')

####################################
## <summary>
##	Connect to cluster domains over a unix domain
##	stream socket.
## </summary>
## <desc>
##	<p>
##	Attribute-wide grant: it covers every type carrying
##	cluster_domain or cluster_pid. Prefer a per-daemon
##	interface when only one daemon is needed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_stream_connect_cluster',`
	gen_require(`
		attribute cluster_pid, cluster_domain;
	')

	# Any socket labelled with a cluster_pid type, owned by any cluster domain.
	stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
	# Reach the sockets through the pid directory.
	files_search_pids($1)
')

######################################
## <summary>
##	Run qdiskd in its own domain by way of
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`rhcs_domtrans_qdiskd',`
	gen_require(`
		type qdiskd_exec_t, qdiskd_t;
	')

	# Executing the entry point moves the caller into qdiskd_t.
	domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
	# The caller has to be able to reach the binary first.
	corecmd_search_bin($1)
')

########################################
## <summary>
##	Allow domain to read qdiskd tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_read_qdiskd_tmpfs_files',`
	gen_require(`
		type qdiskd_tmpfs_t;
	')

	# Read-only access to the files themselves.
	allow $1 qdiskd_tmpfs_t:file read_file_perms;
	# Reach them through the tmpfs mount.
	fs_search_tmpfs($1)
')

######################################
## <summary>
##	Allow domain to read cluster lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_read_cluster_lib_files',`
	gen_require(`
		type cluster_var_lib_t;
	')

	# Read-only access to files labelled cluster_var_lib_t.
	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
	# Reach them through the var lib directory.
	files_search_var_lib($1)
')

#####################################
## <summary>
##	Allow domain to manage cluster lib files.
## </summary>
## <desc>
##	<p>
##	Covers regular files only; no directory management
##	pattern is granted here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_manage_cluster_lib_files',`
	gen_require(`
		type cluster_var_lib_t;
	')

	# Manage access to files labelled cluster_var_lib_t.
	manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
	# Reach them through the var lib directory.
	files_search_var_lib($1)
')

####################################
## <summary>
##	Allow domain to relabel cluster lib files.
## </summary>
## <desc>
##	<p>
##	Grants relabeling in both directions: files may be
##	given the cluster_var_lib_t label and may have it
##	taken away. The other label involved must be allowed
##	separately.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`rhcs_relabel_cluster_lib_files',`
	gen_require(`
		type cluster_var_lib_t;
	')

	# Both directions are granted: away from and to cluster_var_lib_t.
	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
	relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
	# Reach the files through the var lib directory.
	files_search_var_lib($1)
')