2010-05-06 17:13:41 +00:00
|
|
|
policy_module(rhcs, 1.1.0)
|
|
|
|
|
|
|
|
########################################
|
|
|
|
#
|
|
|
|
# Declarations
|
|
|
|
#
|
|
|
|
|
|
|
|
## <desc>
|
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
2010-09-24 07:17:22 +00:00
|
|
|
## <p>
|
|
|
|
## Allow fenced domain to connect to the network using TCP.
|
|
|
|
## </p>
|
2010-05-06 17:13:41 +00:00
|
|
|
## </desc>
|
|
|
|
gen_tunable(fenced_can_network_connect, false)
|
|
|
|
|
|
|
|
attribute cluster_domain;
|
2010-08-26 13:41:21 +00:00
|
|
|
attribute cluster_tmpfs;
|
|
|
|
attribute cluster_pid;
|
2010-05-06 17:13:41 +00:00
|
|
|
|
|
|
|
rhcs_domain_template(dlm_controld)
|
|
|
|
|
|
|
|
rhcs_domain_template(fenced)
|
|
|
|
|
|
|
|
type fenced_lock_t;
|
|
|
|
files_lock_file(fenced_lock_t)
|
|
|
|
|
|
|
|
type fenced_tmp_t;
|
|
|
|
files_tmp_file(fenced_tmp_t)
|
|
|
|
|
|
|
|
rhcs_domain_template(gfs_controld)
|
|
|
|
|
|
|
|
rhcs_domain_template(groupd)
|
|
|
|
|
|
|
|
rhcs_domain_template(qdiskd)
|
|
|
|
|
|
|
|
type qdiskd_var_lib_t;
|
|
|
|
files_type(qdiskd_var_lib_t)
|
|
|
|
|
2010-09-16 11:44:53 +00:00
|
|
|
# type for cluster lib files
|
|
|
|
type cluster_var_lib_t;
|
|
|
|
files_type(cluster_var_lib_t)
|
|
|
|
|
2010-05-06 17:13:41 +00:00
|
|
|
#####################################
|
|
|
|
#
|
|
|
|
# dlm_controld local policy
|
|
|
|
#
|
|
|
|
|
|
|
|
allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
|
|
|
|
|
|
|
|
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
|
|
|
|
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
|
|
|
|
stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
|
|
|
|
|
|
|
|
kernel_read_system_state(dlm_controld_t)
|
|
|
|
|
|
|
|
dev_rw_dlm_control(dlm_controld_t)
|
|
|
|
dev_rw_sysfs(dlm_controld_t)
|
|
|
|
|
|
|
|
fs_manage_configfs_files(dlm_controld_t)
|
|
|
|
fs_manage_configfs_dirs(dlm_controld_t)
|
|
|
|
|
|
|
|
init_rw_script_tmp_files(dlm_controld_t)
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
#
|
|
|
|
# fenced local policy
|
|
|
|
#
|
|
|
|
|
|
|
|
allow fenced_t self:capability { sys_rawio sys_resource };
|
2010-08-26 13:41:21 +00:00
|
|
|
allow fenced_t self:process { getsched signal_perms };
|
2010-05-06 17:13:41 +00:00
|
|
|
|
|
|
|
allow fenced_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
allow fenced_t self:udp_socket create_socket_perms;
|
|
|
|
|
|
|
|
can_exec(fenced_t, fenced_exec_t)
|
|
|
|
|
|
|
|
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
|
|
|
|
files_lock_filetrans(fenced_t, fenced_lock_t, file)
|
|
|
|
|
|
|
|
manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
|
|
|
|
manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
|
|
|
|
manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
|
|
|
|
files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
|
|
|
|
|
|
|
|
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
|
|
|
|
|
2010-08-26 13:41:21 +00:00
|
|
|
kernel_read_system_state(fenced_t)
|
|
|
|
|
2010-05-06 17:13:41 +00:00
|
|
|
corecmd_exec_bin(fenced_t)
|
2010-08-26 13:41:21 +00:00
|
|
|
corecmd_exec_shell(fenced_t)
|
2010-05-06 17:13:41 +00:00
|
|
|
|
|
|
|
corenet_tcp_connect_http_port(fenced_t)
|
|
|
|
|
|
|
|
dev_read_sysfs(fenced_t)
|
|
|
|
dev_read_urand(fenced_t)
|
|
|
|
|
|
|
|
files_read_usr_symlinks(fenced_t)
|
|
|
|
|
|
|
|
storage_raw_read_fixed_disk(fenced_t)
|
|
|
|
storage_raw_write_fixed_disk(fenced_t)
|
|
|
|
storage_raw_read_removable_device(fenced_t)
|
|
|
|
|
|
|
|
term_getattr_pty_fs(fenced_t)
|
|
|
|
term_use_ptmx(fenced_t)
|
|
|
|
|
|
|
|
auth_use_nsswitch(fenced_t)
|
|
|
|
|
|
|
|
tunable_policy(`fenced_can_network_connect',`
|
|
|
|
corenet_tcp_connect_all_ports(fenced_t)
|
|
|
|
')
|
|
|
|
|
2010-09-16 11:44:53 +00:00
|
|
|
# needed by fence_scsi
|
|
|
|
optional_policy(`
|
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
Whitespace, newline and tab fixes.
2010-09-24 07:17:22 +00:00
|
|
|
corosync_exec(fenced_t)
|
2010-09-16 11:44:53 +00:00
|
|
|
')
|
|
|
|
|
2010-05-06 17:13:41 +00:00
|
|
|
optional_policy(`
|
|
|
|
ccs_read_config(fenced_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
lvm_domtrans(fenced_t)
|
|
|
|
lvm_read_config(fenced_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
######################################
|
|
|
|
#
|
|
|
|
# gfs_controld local policy
|
|
|
|
#
|
|
|
|
|
|
|
|
allow gfs_controld_t self:capability { net_admin sys_resource };
|
|
|
|
allow gfs_controld_t self:shm create_shm_perms;
|
|
|
|
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
|
|
|
|
stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
|
|
|
|
stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
|
|
|
|
stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
|
|
|
|
|
|
|
|
kernel_read_system_state(gfs_controld_t)
|
|
|
|
|
|
|
|
dev_rw_dlm_control(gfs_controld_t)
|
|
|
|
dev_setattr_dlm_control(gfs_controld_t)
|
|
|
|
dev_rw_sysfs(gfs_controld_t)
|
|
|
|
|
|
|
|
storage_getattr_removable_dev(gfs_controld_t)
|
|
|
|
|
|
|
|
init_rw_script_tmp_files(gfs_controld_t)
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
lvm_exec(gfs_controld_t)
|
|
|
|
dev_rw_lvm_control(gfs_controld_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
#
|
|
|
|
# groupd local policy
|
|
|
|
#
|
|
|
|
|
|
|
|
allow groupd_t self:capability { sys_nice sys_resource };
|
|
|
|
allow groupd_t self:process setsched;
|
|
|
|
allow groupd_t self:shm create_shm_perms;
|
|
|
|
|
|
|
|
dev_list_sysfs(groupd_t)
|
|
|
|
|
|
|
|
files_read_etc_files(groupd_t)
|
|
|
|
|
|
|
|
init_rw_script_tmp_files(groupd_t)
|
|
|
|
|
|
|
|
######################################
|
|
|
|
#
|
|
|
|
# qdiskd local policy
|
|
|
|
#
|
|
|
|
|
2010-08-26 13:41:21 +00:00
|
|
|
allow qdiskd_t self:capability { ipc_lock sys_boot };
|
2010-05-06 17:13:41 +00:00
|
|
|
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
allow qdiskd_t self:udp_socket create_socket_perms;
|
|
|
|
|
|
|
|
manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
|
|
|
|
manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
|
|
|
|
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
|
|
|
|
files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
|
|
|
|
|
|
|
|
kernel_read_system_state(qdiskd_t)
|
|
|
|
kernel_read_software_raid_state(qdiskd_t)
|
|
|
|
kernel_getattr_core_if(qdiskd_t)
|
|
|
|
|
|
|
|
corecmd_getattr_bin_files(qdiskd_t)
|
|
|
|
corecmd_exec_shell(qdiskd_t)
|
|
|
|
|
|
|
|
dev_read_sysfs(qdiskd_t)
|
|
|
|
dev_list_all_dev_nodes(qdiskd_t)
|
|
|
|
dev_getattr_all_blk_files(qdiskd_t)
|
|
|
|
dev_getattr_all_chr_files(qdiskd_t)
|
|
|
|
dev_manage_generic_blk_files(qdiskd_t)
|
|
|
|
dev_manage_generic_chr_files(qdiskd_t)
|
|
|
|
|
|
|
|
domain_dontaudit_getattr_all_pipes(qdiskd_t)
|
|
|
|
domain_dontaudit_getattr_all_sockets(qdiskd_t)
|
|
|
|
|
|
|
|
files_dontaudit_getattr_all_sockets(qdiskd_t)
|
|
|
|
files_dontaudit_getattr_all_pipes(qdiskd_t)
|
|
|
|
files_read_etc_files(qdiskd_t)
|
|
|
|
|
|
|
|
storage_raw_read_removable_device(qdiskd_t)
|
|
|
|
storage_raw_write_removable_device(qdiskd_t)
|
|
|
|
storage_raw_read_fixed_disk(qdiskd_t)
|
|
|
|
storage_raw_write_fixed_disk(qdiskd_t)
|
|
|
|
|
|
|
|
auth_use_nsswitch(qdiskd_t)
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
netutils_domtrans_ping(qdiskd_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
udev_read_db(qdiskd_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
#####################################
|
|
|
|
#
|
|
|
|
# rhcs domains common policy
|
|
|
|
#
|
|
|
|
|
|
|
|
allow cluster_domain self:capability { sys_nice };
|
|
|
|
allow cluster_domain self:process setsched;
|
|
|
|
allow cluster_domain self:sem create_sem_perms;
|
|
|
|
allow cluster_domain self:fifo_file rw_fifo_file_perms;
|
|
|
|
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow cluster_domain self:unix_dgram_socket create_socket_perms;
|
|
|
|
|
2010-09-16 11:44:53 +00:00
|
|
|
manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
|
|
|
|
manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
|
|
|
|
|
2010-05-06 17:13:41 +00:00
|
|
|
logging_send_syslog_msg(cluster_domain)
|
|
|
|
|
|
|
|
miscfiles_read_localization(cluster_domain)
|
|
|
|
|
2010-08-26 13:41:21 +00:00
|
|
|
optional_policy(`
|
|
|
|
ccs_stream_connect(cluster_domain)
|
|
|
|
')
|
|
|
|
|
2010-05-06 17:13:41 +00:00
|
|
|
optional_policy(`
|
|
|
|
corosync_stream_connect(cluster_domain)
|
|
|
|
')
|