1 ## <summary>RHCS - Red Hat Cluster Suite</summary>
3 #######################################
5 ## Creates types and rules for a basic
6 ## rhcs init daemon domain.
8 ## <param name="prefix">
10 ## Prefix for the domain.
14 template(`rhcs_domain_template',`
# $1 is the prefix argument; every type name below is built from it.
# NOTE(review): the gutter numbers skip, so some original lines are not shown in this listing.
16 attribute cluster_domain, cluster_tmpfs, cluster_pid;
19 ##############################
# The new domain is tagged with cluster_domain, so rules written against that
# attribute apply to it as well as rules that name $1_t directly.
24 type $1_t, cluster_domain;
# NOTE(review): no type statement for $1_exec_t or $1_var_log_t is visible here;
# confirm both are declared in the full file.
26 init_daemon_domain($1_t, $1_exec_t)
28 type $1_tmpfs_t, cluster_tmpfs;
29 files_tmpfs_file($1_tmpfs_t)
32 logging_log_file($1_var_log_t)
34 type $1_var_run_t, cluster_pid;
35 files_pid_file($1_var_run_t)
37 ##############################
# Private tmpfs content: the domain manages dirs and files of its own tmpfs type,
# and dirs and files it creates on tmpfs transition to that type.
42 manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
43 manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
44 fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
# Private log content: files and sock_files, both covered by the transition below.
46 manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
47 manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
48 logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
# Private pid content: files, fifo_files and sock_files are managed.
50 manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
51 manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
52 manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
# NOTE(review): sock_file is managed above but is absent from this transition list,
# so this rule does not label a newly created socket as $1_var_run_t. The
# stream_connect interfaces in this file expect sockets of the *_var_run_t types;
# confirm that another rule (not visible here) provides the sock_file transition.
53 files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
56 ######################################
58 ## Execute a domain transition to run dlm_controld.
60 ## <param name="domain">
62 ## Domain allowed to transition.
66 interface(`rhcs_domtrans_dlm_controld',`
68 type dlm_controld_t, dlm_controld_exec_t;
71 corecmd_search_bin($1)
72 domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
75 #####################################
77 ## Connect to dlm_controld over a unix domain stream socket.
80 ## <param name="domain">
82 ## Domain allowed access.
86 interface(`rhcs_stream_connect_dlm_controld',`
88 type dlm_controld_t, dlm_controld_var_run_t;
92 stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
95 #####################################
97 ## Allow read and write access to dlm_controld semaphores.
99 ## <param name="domain">
101 ## Domain allowed access.
105 interface(`rhcs_rw_dlm_controld_semaphores',`
# $1 is the domain being granted access.
107 type dlm_controld_t, dlm_controld_tmpfs_t;
# Grants more than the rw in the interface name: destroy is added to rw_sem_perms.
110 allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
# manage_files_pattern is a manage grant (create and delete as well as read and write)
# on dlm_controld_tmpfs_t files. NOTE(review): confirm callers need that much.
113 manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
116 ######################################
118 ## Execute a domain transition to run fenced.
120 ## <param name="domain">
122 ## Domain allowed to transition.
126 interface(`rhcs_domtrans_fenced',`
128 type fenced_t, fenced_exec_t;
131 corecmd_search_bin($1)
132 domtrans_pattern($1, fenced_exec_t, fenced_t)
135 #####################################
137 ## Allow a domain to getattr on fenced executable.
139 ## <param name="domain">
141 ## Domain allowed access.
145 interface(`rhcs_getattr_fenced',`
147 type fenced_t, fenced_exec_t;
150 allow $1 fenced_exec_t:file getattr;
153 ######################################
155 ## Allow read and write access to fenced semaphores.
157 ## <param name="domain">
159 ## Domain allowed access.
163 interface(`rhcs_rw_fenced_semaphores',`
# $1 is the domain being granted access.
165 type fenced_t, fenced_tmpfs_t;
# Grants more than the rw in the interface name: destroy is added to rw_sem_perms.
168 allow $1 fenced_t:sem { rw_sem_perms destroy };
# manage_files_pattern is a manage grant (create and delete as well as read and write)
# on fenced_tmpfs_t files. NOTE(review): confirm callers need that much.
171 manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
174 ######################################
176 ## Connect to fenced over a unix domain stream socket.
178 ## <param name="domain">
180 ## Domain allowed access.
184 interface(`rhcs_stream_connect_fenced',`
186 type fenced_var_run_t, fenced_t;
189 files_search_pids($1)
190 stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
193 #####################################
195 ## Execute a domain transition to run gfs_controld.
197 ## <param name="domain">
199 ## Domain allowed to transition.
203 interface(`rhcs_domtrans_gfs_controld',`
205 type gfs_controld_t, gfs_controld_exec_t;
208 corecmd_search_bin($1)
209 domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
212 ####################################
214 ## Allow read and write access to gfs_controld semaphores.
216 ## <param name="domain">
218 ## Domain allowed access.
222 interface(`rhcs_rw_gfs_controld_semaphores',`
# $1 is the domain being granted access.
224 type gfs_controld_t, gfs_controld_tmpfs_t;
# Grants more than the rw in the interface name: destroy is added to rw_sem_perms.
227 allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
# manage_files_pattern is a manage grant (create and delete as well as read and write)
# on gfs_controld_tmpfs_t files. NOTE(review): confirm callers need that much.
230 manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
233 ########################################
235 ## Read and write to gfs_controld_t shared memory.
237 ## <param name="domain">
239 ## Domain allowed access.
243 interface(`rhcs_rw_gfs_controld_shm',`
# $1 is the domain being granted access.
245 type gfs_controld_t, gfs_controld_tmpfs_t;
# Grants more than the rw in the interface name: destroy is added to rw_shm_perms.
248 allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
# manage_files_pattern is a manage grant (create and delete as well as read and write)
# on gfs_controld_tmpfs_t files. NOTE(review): confirm callers need that much.
251 manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
254 #####################################
256 ## Connect to gfs_controld_t over a unix domain stream socket.
258 ## <param name="domain">
260 ## Domain allowed access.
264 interface(`rhcs_stream_connect_gfs_controld',`
266 type gfs_controld_t, gfs_controld_var_run_t;
269 files_search_pids($1)
270 stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
273 ######################################
275 ## Execute a domain transition to run groupd.
277 ## <param name="domain">
279 ## Domain allowed to transition.
283 interface(`rhcs_domtrans_groupd',`
285 type groupd_t, groupd_exec_t;
288 corecmd_search_bin($1)
289 domtrans_pattern($1, groupd_exec_t, groupd_t)
292 #####################################
294 ## Connect to groupd over a unix domain stream socket.
297 ## <param name="domain">
299 ## Domain allowed access.
303 interface(`rhcs_stream_connect_groupd',`
305 type groupd_t, groupd_var_run_t;
308 files_search_pids($1)
309 stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
312 #####################################
314 ## Allow read and write access to groupd semaphores.
316 ## <param name="domain">
318 ## Domain allowed access.
322 interface(`rhcs_rw_groupd_semaphores',`
# $1 is the domain being granted access.
324 type groupd_t, groupd_tmpfs_t;
# Grants more than the rw in the interface name: destroy is added to rw_sem_perms.
327 allow $1 groupd_t:sem { rw_sem_perms destroy };
# manage_files_pattern is a manage grant (create and delete as well as read and write)
# on groupd_tmpfs_t files. NOTE(review): confirm callers need that much.
330 manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
333 ########################################
335 ## Read and write to groupd shared memory.
337 ## <param name="domain">
339 ## Domain allowed access.
343 interface(`rhcs_rw_groupd_shm',`
# $1 is the domain being granted access.
345 type groupd_t, groupd_tmpfs_t;
# Grants more than the rw in the interface name: destroy is added to rw_shm_perms.
348 allow $1 groupd_t:shm { rw_shm_perms destroy };
# manage_files_pattern is a manage grant (create and delete as well as read and write)
# on groupd_tmpfs_t files. NOTE(review): confirm callers need that much.
351 manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
354 ########################################
356 ## Read and write to cluster domains shared memory.
358 ## <param name="domain">
360 ## Domain allowed access.
364 interface(`rhcs_rw_cluster_shm',`
# $1 is the domain being granted access.
# Scope is attribute-wide: the rules target cluster_domain and cluster_tmpfs, which
# rhcs_domain_template assigns to every domain and tmpfs type it creates.
366 attribute cluster_domain, cluster_tmpfs;
# Grants more than the rw in the interface name: destroy is added to rw_shm_perms,
# and it applies to the shared memory of every cluster_domain type.
369 allow $1 cluster_domain:shm { rw_shm_perms destroy };
# manage_files_pattern is a manage grant (create and delete as well as read and write)
# on files of every cluster_tmpfs type. NOTE(review): prefer the per-daemon
# interfaces in this file where a caller talks to a single daemon.
372 manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
375 ####################################
377 ## Read and write access to cluster domains semaphores.
379 ## <param name="domain">
381 ## Domain allowed access.
385 interface(`rhcs_rw_cluster_semaphores',`
# $1 is the domain being granted access.
# Scope is attribute-wide: cluster_domain is assigned by rhcs_domain_template to
# every domain it creates.
387 attribute cluster_domain;
# Grants more than the rw in the interface name: destroy is added to rw_sem_perms,
# and it applies to the semaphores of every cluster_domain type.
390 allow $1 cluster_domain:sem { rw_sem_perms destroy };
393 ####################################
395 ## Connect to cluster domains over a unix domain stream socket.
398 ## <param name="domain">
400 ## Domain allowed access.
404 interface(`rhcs_stream_connect_cluster',`
406 attribute cluster_domain, cluster_pid;
409 files_search_pids($1)
410 stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
413 ######################################
415 ## Execute a domain transition to run qdiskd.
417 ## <param name="domain">
419 ## Domain allowed to transition.
423 interface(`rhcs_domtrans_qdiskd',`
425 type qdiskd_t, qdiskd_exec_t;
428 corecmd_search_bin($1)
429 domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
432 ########################################
434 ## Allow domain to read qdiskd tmpfs files
436 ## <param name="domain">
438 ## Domain allowed access.
442 interface(`rhcs_read_qdiskd_tmpfs_files',`
448 allow $1 qdiskd_tmpfs_t:file read_file_perms;
451 ######################################
453 ## Allow domain to read cluster lib files
455 ## <param name="domain">
457 ## Domain allowed access.
461 interface(`rhcs_read_cluster_lib_files',`
463 type cluster_var_lib_t;
466 files_search_var_lib($1)
467 read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
470 #####################################
472 ## Allow domain to manage cluster lib files
474 ## <param name="domain">
476 ## Domain allowed access.
480 interface(`rhcs_manage_cluster_lib_files',`
482 type cluster_var_lib_t;
485 files_search_var_lib($1)
486 manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
489 ####################################
491 ## Allow domain to relabel cluster lib files
493 ## <param name="domain">
495 ## Domain allowed access.
499 interface(`rhcs_relabel_cluster_lib_files',`
501 type cluster_var_lib_t;
504 files_search_var_lib($1)
505 relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
506 relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)