1 policy_module(daemontools, 1.2.0)
3 ########################################
15 type svc_multilog_exec_t;
16 application_domain(svc_multilog_t, svc_multilog_exec_t)
17 role system_r types svc_multilog_t;
21 application_domain(svc_run_t, svc_run_exec_t)
22 role system_r types svc_run_t;
25 type svc_start_exec_t;
26 init_domain(svc_start_t, svc_start_exec_t)
27 init_system_domain(svc_start_t, svc_start_exec_t)
28 role system_r types svc_start_t;
33 ########################################
35 # multilog local policy
38 # multilog creates /service/*/log/status
39 manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
41 term_write_console(svc_multilog_t)
43 init_use_fds(svc_multilog_t)
44 init_dontaudit_use_script_fds(svc_multilog_t)
46 # writes to /var/log/*/*
47 logging_manage_generic_logs(svc_multilog_t)
49 daemontools_ipc_domain(svc_multilog_t)
51 ########################################
53 # local policy for binaries that impose
54 # a given environment to supervised daemons
55 # ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
58 allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource };
59 allow svc_run_t self:process setrlimit;
60 allow svc_run_t self:fifo_file rw_fifo_file_perms;
61 allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
63 allow svc_run_t svc_conf_t:dir list_dir_perms;
64 allow svc_run_t svc_conf_t:file read_file_perms;
66 can_exec(svc_run_t, svc_run_exec_t)
68 kernel_read_system_state(svc_run_t)
70 dev_read_urand(svc_run_t)
72 corecmd_exec_bin(svc_run_t)
73 corecmd_exec_shell(svc_run_t)
75 term_write_console(svc_run_t)
77 files_read_etc_files(svc_run_t)
78 files_read_etc_runtime_files(svc_run_t)
79 files_search_pids(svc_run_t)
80 files_search_var_lib(svc_run_t)
82 init_use_script_fds(svc_run_t)
83 init_use_fds(svc_run_t)
85 daemontools_domtrans_multilog(svc_run_t)
86 daemontools_read_svc(svc_run_t)
89 qmail_read_config(svc_run_t)
92 ########################################
94 # local policy for service monitoring programs
95 # ie svc, svscan, supervise ...
98 allow svc_start_t svc_run_t:process { signal setrlimit };
100 allow svc_start_t self:fifo_file rw_fifo_file_perms;
101 allow svc_start_t self:capability kill;
102 allow svc_start_t self:tcp_socket create_stream_socket_perms;
103 allow svc_start_t self:unix_stream_socket create_socket_perms;
105 can_exec(svc_start_t, svc_start_exec_t)
107 mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
109 kernel_read_kernel_sysctls(svc_start_t)
110 kernel_read_system_state(svc_start_t)
112 corecmd_exec_bin(svc_start_t)
113 corecmd_exec_shell(svc_start_t)
115 corenet_tcp_bind_generic_node(svc_start_t)
116 corenet_tcp_bind_generic_port(svc_start_t)
118 term_write_console(svc_start_t)
120 files_read_etc_files(svc_start_t)
121 files_read_etc_runtime_files(svc_start_t)
122 files_search_var(svc_start_t)
123 files_search_pids(svc_start_t)
125 logging_send_syslog_msg(svc_start_t)
127 miscfiles_read_localization(svc_start_t)
129 daemontools_domtrans_run(svc_start_t)
130 daemontools_manage_svc(svc_start_t)