policy/modules/system/daemontools.te

   1 policy_module(daemontools, 1.2.0)
   2
   3 ########################################
   4 #
   5 # Declarations
   6 #
   7
   8 type svc_conf_t;
   9 files_type(svc_conf_t)
  10
  11 type svc_log_t;
  12 files_type(svc_log_t)
  13
  14 type svc_multilog_t;
  15 type svc_multilog_exec_t;
  16 application_domain(svc_multilog_t, svc_multilog_exec_t)
  17 role system_r types svc_multilog_t;
  18
  19 type svc_run_t;
  20 type svc_run_exec_t;
  21 application_domain(svc_run_t, svc_run_exec_t)
  22 role system_r types svc_run_t;
  23
  24 type svc_start_t;
  25 type svc_start_exec_t;
  26 init_domain(svc_start_t, svc_start_exec_t)
  27 init_system_domain(svc_start_t, svc_start_exec_t)
  28 role system_r types svc_start_t;
  29
  30 type svc_svc_t;
  31 files_type(svc_svc_t)
  32
  33 ########################################
  34 #
  35 # multilog local policy
  36 #
  37
  38 # multilog creates /service/*/log/status
  39 manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
  40
  41 term_write_console(svc_multilog_t)
  42
  43 init_use_fds(svc_multilog_t)
  44 init_dontaudit_use_script_fds(svc_multilog_t)
  45
  46 # writes to /var/log/*/*
  47 logging_manage_generic_logs(svc_multilog_t)
  48
  49 daemontools_ipc_domain(svc_multilog_t)
  50
  51 ########################################
  52 #
  53 # local policy for binaries that impose
  54 # a given environment to supervised daemons
  55 # ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
  56 #
  57
  58 allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource };
  59 allow svc_run_t self:process setrlimit;
  60 allow svc_run_t self:fifo_file rw_fifo_file_perms;
  61 allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
  62
  63 allow svc_run_t svc_conf_t:dir list_dir_perms;
  64 allow svc_run_t svc_conf_t:file read_file_perms;
  65
  66 can_exec(svc_run_t, svc_run_exec_t)
  67
  68 kernel_read_system_state(svc_run_t)
  69
  70 dev_read_urand(svc_run_t)
  71
  72 corecmd_exec_bin(svc_run_t)
  73 corecmd_exec_shell(svc_run_t)
  74
  75 term_write_console(svc_run_t)
  76
  77 files_read_etc_files(svc_run_t)
  78 files_read_etc_runtime_files(svc_run_t)
  79 files_search_pids(svc_run_t)
  80 files_search_var_lib(svc_run_t)
  81
  82 init_use_script_fds(svc_run_t)
  83 init_use_fds(svc_run_t)
  84
  85 daemontools_domtrans_multilog(svc_run_t)
  86 daemontools_read_svc(svc_run_t)
  87
  88 optional_policy(`
  89         qmail_read_config(svc_run_t)
  90 ')
  91
  92 ########################################
  93 #
  94 # local policy for service monitoring programs
  95 # ie svc, svscan, supervise ...
  96 #
  97
  98 allow svc_start_t svc_run_t:process { signal setrlimit };
  99
 100 allow svc_start_t self:fifo_file rw_fifo_file_perms;
 101 allow svc_start_t self:capability kill;
 102 allow svc_start_t self:tcp_socket create_stream_socket_perms;
 103 allow svc_start_t self:unix_stream_socket create_socket_perms;
 104
 105 can_exec(svc_start_t, svc_start_exec_t)
 106
 107 mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
 108
 109 kernel_read_kernel_sysctls(svc_start_t)
 110 kernel_read_system_state(svc_start_t)
 111
 112 corecmd_exec_bin(svc_start_t)
 113 corecmd_exec_shell(svc_start_t)
 114
 115 corenet_tcp_bind_generic_node(svc_start_t)
 116 corenet_tcp_bind_generic_port(svc_start_t)
 117
 118 term_write_console(svc_start_t)
 119
 120 files_read_etc_files(svc_start_t)
 121 files_read_etc_runtime_files(svc_start_t)
 122 files_search_var(svc_start_t)
 123 files_search_pids(svc_start_t)
 124
 125 logging_send_syslog_msg(svc_start_t)
 126
 127 miscfiles_read_localization(svc_start_t)
 128
 129 daemontools_domtrans_run(svc_start_t)
 130 daemontools_manage_svc(svc_start_t)