selinux-policy/policy/modules/services/rhcs.te

245 lines
6.0 KiB
Plaintext
Raw Normal View History

policy_module(rhcs, 1.1.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow fenced domain to connect to the network using TCP.
## </p>
## </desc>
gen_tunable(fenced_can_network_connect, false)
attribute cluster_domain;
2010-08-26 13:41:21 +00:00
attribute cluster_tmpfs;
attribute cluster_pid;
rhcs_domain_template(dlm_controld)
rhcs_domain_template(fenced)
type fenced_lock_t;
files_lock_file(fenced_lock_t)
type fenced_tmp_t;
files_tmp_file(fenced_tmp_t)
rhcs_domain_template(gfs_controld)
rhcs_domain_template(groupd)
rhcs_domain_template(qdiskd)
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
2010-09-16 11:44:53 +00:00
# type for cluster lib files
type cluster_var_lib_t;
files_type(cluster_var_lib_t)
#####################################
#
# dlm_controld local policy
#
allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
kernel_read_system_state(dlm_controld_t)
dev_rw_dlm_control(dlm_controld_t)
dev_rw_sysfs(dlm_controld_t)
fs_manage_configfs_files(dlm_controld_t)
fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
#######################################
#
# fenced local policy
#
allow fenced_t self:capability { sys_rawio sys_resource };
2010-08-26 13:41:21 +00:00
allow fenced_t self:process { getsched signal_perms };
allow fenced_t self:tcp_socket create_stream_socket_perms;
allow fenced_t self:udp_socket create_socket_perms;
can_exec(fenced_t, fenced_exec_t)
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
2010-08-26 13:41:21 +00:00
kernel_read_system_state(fenced_t)
corecmd_exec_bin(fenced_t)
2010-08-26 13:41:21 +00:00
corecmd_exec_shell(fenced_t)
corenet_tcp_connect_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
files_read_usr_symlinks(fenced_t)
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
storage_raw_read_removable_device(fenced_t)
term_getattr_pty_fs(fenced_t)
term_use_ptmx(fenced_t)
auth_use_nsswitch(fenced_t)
tunable_policy(`fenced_can_network_connect',`
corenet_tcp_connect_all_ports(fenced_t)
')
2010-09-16 11:44:53 +00:00
# needed by fence_scsi
optional_policy(`
corosync_exec(fenced_t)
2010-09-16 11:44:53 +00:00
')
optional_policy(`
ccs_read_config(fenced_t)
')
optional_policy(`
lvm_domtrans(fenced_t)
lvm_read_config(fenced_t)
')
######################################
#
# gfs_controld local policy
#
allow gfs_controld_t self:capability { net_admin sys_resource };
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
kernel_read_system_state(gfs_controld_t)
dev_rw_dlm_control(gfs_controld_t)
dev_setattr_dlm_control(gfs_controld_t)
dev_rw_sysfs(gfs_controld_t)
storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
#######################################
#
# groupd local policy
#
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
allow groupd_t self:shm create_shm_perms;
dev_list_sysfs(groupd_t)
files_read_etc_files(groupd_t)
init_rw_script_tmp_files(groupd_t)
######################################
#
# qdiskd local policy
#
2010-08-26 13:41:21 +00:00
allow qdiskd_t self:capability { ipc_lock sys_boot };
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
kernel_read_system_state(qdiskd_t)
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)
corecmd_getattr_bin_files(qdiskd_t)
corecmd_exec_shell(qdiskd_t)
dev_read_sysfs(qdiskd_t)
dev_list_all_dev_nodes(qdiskd_t)
dev_getattr_all_blk_files(qdiskd_t)
dev_getattr_all_chr_files(qdiskd_t)
dev_manage_generic_blk_files(qdiskd_t)
dev_manage_generic_chr_files(qdiskd_t)
domain_dontaudit_getattr_all_pipes(qdiskd_t)
domain_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_pipes(qdiskd_t)
files_read_etc_files(qdiskd_t)
storage_raw_read_removable_device(qdiskd_t)
storage_raw_write_removable_device(qdiskd_t)
storage_raw_read_fixed_disk(qdiskd_t)
storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
optional_policy(`
netutils_domtrans_ping(qdiskd_t)
')
optional_policy(`
udev_read_db(qdiskd_t)
')
#####################################
#
# rhcs domains common policy
#
allow cluster_domain self:capability { sys_nice };
allow cluster_domain self:process setsched;
allow cluster_domain self:sem create_sem_perms;
allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
allow cluster_domain self:unix_dgram_socket create_socket_perms;
2010-09-16 11:44:53 +00:00
manage_files_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
manage_dirs_pattern(cluster_domain, cluster_var_lib_t, cluster_var_lib_t)
logging_send_syslog_msg(cluster_domain)
miscfiles_read_localization(cluster_domain)
2010-08-26 13:41:21 +00:00
optional_policy(`
ccs_stream_connect(cluster_domain)
')
optional_policy(`
corosync_stream_connect(cluster_domain)
')