Removed unnecessary comments

Removed 'SELinux policy for' from policy summaries
Removed rgmanager interface for semaphores (doesn't appear to be needed or used)
Removed redundant calls to libs_use_ld_so and libs_use_shared_libs
Fixed rhcs interface names to match naming rules
Merged tmpfs and semaphore/shm interfaces
Jeremy Solt 2010-05-21 15:59:16 -04:00 committed by Chris PeBenito
parent 538cf9ab83
commit 21d23c878e
9 changed files with 50 additions and 182 deletions


@ -1,4 +1,4 @@
## <summary>SELinux policy for Aisexec Cluster Engine</summary> ## <summary>Aisexec Cluster Engine</summary>
######################################## ########################################
## <summary> ## <summary>


@ -13,22 +13,18 @@ init_daemon_domain(aisexec_t, aisexec_exec_t)
type aisexec_initrc_exec_t; type aisexec_initrc_exec_t;
init_script_file(aisexec_initrc_exec_t); init_script_file(aisexec_initrc_exec_t);
# tmp files
type aisexec_tmp_t; type aisexec_tmp_t;
files_tmp_file(aisexec_tmp_t) files_tmp_file(aisexec_tmp_t)
type aisexec_tmpfs_t; type aisexec_tmpfs_t;
files_tmpfs_file(aisexec_tmpfs_t) files_tmpfs_file(aisexec_tmpfs_t)
# var/lib files
type aisexec_var_lib_t; type aisexec_var_lib_t;
files_type(aisexec_var_lib_t) files_type(aisexec_var_lib_t)
# log files
type aisexec_var_log_t; type aisexec_var_log_t;
logging_log_file(aisexec_var_log_t) logging_log_file(aisexec_var_log_t)
# pid files
type aisexec_var_run_t; type aisexec_var_run_t;
files_pid_file(aisexec_var_run_t) files_pid_file(aisexec_var_run_t)
@ -45,7 +41,6 @@ allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto }
allow aisexec_t self:unix_dgram_socket create_socket_perms; allow aisexec_t self:unix_dgram_socket create_socket_perms;
allow aisexec_t self:udp_socket create_socket_perms; allow aisexec_t self:udp_socket create_socket_perms;
# tmp files
manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir }) files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir })
@ -54,18 +49,15 @@ manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file }) fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file })
# var/lib files
manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file }) files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file })
# log files
manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
logging_log_filetrans(aisexec_t,aisexec_var_log_t,{ sock_file file }) logging_log_filetrans(aisexec_t,aisexec_var_log_t,{ sock_file file })
# pid file
manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
@ -86,9 +78,6 @@ auth_use_nsswitch(aisexec_t)
init_rw_script_tmp_files(aisexec_t) init_rw_script_tmp_files(aisexec_t)
libs_use_ld_so(aisexec_t)
libs_use_shared_libs(aisexec_t)
logging_send_syslog_msg(aisexec_t) logging_send_syslog_msg(aisexec_t)
miscfiles_read_localization(aisexec_t) miscfiles_read_localization(aisexec_t)
@ -99,17 +88,13 @@ optional_policy(`
optional_policy(` optional_policy(`
# to communication with RHCS # to communication with RHCS
dlm_controld_manage_tmpfs_files(aisexec_t) rhcs_rw_dlm_controld_semaphores(aisexec_t)
dlm_controld_rw_semaphores(aisexec_t)
fenced_manage_tmpfs_files(aisexec_t) rhcs_rw_fenced_semaphores(aisexec_t)
fenced_rw_semaphores(aisexec_t)
gfs_controld_manage_tmpfs_files(aisexec_t) rhcs_rw_gfs_controld_semaphores(aisexec_t)
gfs_controld_rw_semaphores(aisexec_t) rhcs_rw_gfs_controld_shm(aisexec_t)
gfs_controld_t_rw_shm(aisexec_t)
groupd_manage_tmpfs_files(aisexec_t) rhcs_rw_groupd_semaphores(aisexec_t)
groupd_rw_semaphores(aisexec_t) rhcs_rw_groupd_shm(aisexec_t)
groupd_rw_shm(aisexec_t)
') ')
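Review bot: The optional_policy block at the end of this section now reads as if aisexec_t only obtains semaphore and shm access to the RHCS daemons, but the tmpfs file management it previously got through the removed dlm_controld/fenced/gfs_controld/groupd _manage_tmpfs_files calls is still granted, implicitly, by the renamed rhcs_rw_*_semaphores and rhcs_rw_*_shm interfaces, and nothing in the block says so; the existing comment is also ungrammatical. Suggest replacing it with `# to communicate with RHCS; the semaphore/shm interfaces also grant manage access to the daemons' tmpfs files`. For gfs_controld and groupd both the _semaphores and the _shm interface are called, and after the merge each carries the same tmpfs rules, so the grant is obtained twice; harmless in the compiled policy, but worth a comment so nobody later drops one call believing the other is unrelated. The same applies to the matching block in corosync.te, which calls the dlm_controld, fenced and gfs_controld semaphore interfaces.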


@ -1,4 +1,4 @@
## <summary>SELinux policy for Corosync Cluster Engine</summary> ## <summary>Corosync Cluster Engine</summary>
######################################## ########################################
## <summary> ## <summary>


@ -13,22 +13,18 @@ init_daemon_domain(corosync_t, corosync_exec_t)
type corosync_initrc_exec_t; type corosync_initrc_exec_t;
init_script_file(corosync_initrc_exec_t); init_script_file(corosync_initrc_exec_t);
# tmp files
type corosync_tmp_t; type corosync_tmp_t;
files_tmp_file(corosync_tmp_t) files_tmp_file(corosync_tmp_t)
type corosync_tmpfs_t; type corosync_tmpfs_t;
files_tmpfs_file(corosync_tmpfs_t) files_tmpfs_file(corosync_tmpfs_t)
# var/lib files
type corosync_var_lib_t; type corosync_var_lib_t;
files_type(corosync_var_lib_t) files_type(corosync_var_lib_t)
# log files
type corosync_var_log_t; type corosync_var_log_t;
logging_log_file(corosync_var_log_t) logging_log_file(corosync_var_log_t)
# pid files
type corosync_var_run_t; type corosync_var_run_t;
files_pid_file(corosync_var_run_t) files_pid_file(corosync_var_run_t)
@ -46,7 +42,6 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
allow corosync_t self:unix_dgram_socket create_socket_perms; allow corosync_t self:unix_dgram_socket create_socket_perms;
allow corosync_t self:udp_socket create_socket_perms; allow corosync_t self:udp_socket create_socket_perms;
# tmp files
manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir }) files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
@ -55,18 +50,15 @@ manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t,{ dir file }) fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t,{ dir file })
# var/lib files
manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file }) files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
# log files
manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file }) logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
# pid file
manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file }) files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
@ -100,14 +92,11 @@ optional_policy(`
optional_policy(` optional_policy(`
# to communication with RHCS # to communication with RHCS
dlm_controld_manage_tmpfs_files(corosync_t) rhcs_rw_dlm_controld_semaphores(corosync_t)
dlm_controld_rw_semaphores(corosync_t)
fenced_manage_tmpfs_files(corosync_t) rhcs_rw_fenced_semaphores(corosync_t)
fenced_rw_semaphores(corosync_t)
gfs_controld_manage_tmpfs_files(corosync_t) rhcs_rw_gfs_controld_semaphores(corosync_t)
gfs_controld_rw_semaphores(corosync_t)
') ')
optional_policy(` optional_policy(`


@ -1,4 +1,4 @@
## <summary>SELinux policy for rgmanager</summary> ## <summary>rgmanager - Resource Group Manager</summary>
####################################### #######################################
## <summary> ## <summary>
@ -19,24 +19,6 @@ interface(`rgmanager_domtrans',`
domtrans_pattern($1, rgmanager_exec_t, rgmanager_t) domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
') ')
#######################################
## <summary>
## Allow read and write access to rgmanager semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rgmanager_rw_semaphores',`
gen_require(`
type rgmanager_t;
')
allow $1 rgmanager_t:sem rw_sem_perms;
')
######################################## ########################################
## <summary> ## <summary>
## Connect to rgmanager over an unix stream socket. ## Connect to rgmanager over an unix stream socket.


@ -18,18 +18,15 @@ type rgmanager_exec_t;
domain_type(rgmanager_t) domain_type(rgmanager_t)
init_daemon_domain(rgmanager_t, rgmanager_exec_t) init_daemon_domain(rgmanager_t, rgmanager_exec_t)
# tmp files
type rgmanager_tmp_t; type rgmanager_tmp_t;
files_tmp_file(rgmanager_tmp_t) files_tmp_file(rgmanager_tmp_t)
type rgmanager_tmpfs_t; type rgmanager_tmpfs_t;
files_tmpfs_file(rgmanager_tmpfs_t) files_tmpfs_file(rgmanager_tmpfs_t)
# log files
type rgmanager_var_log_t; type rgmanager_var_log_t;
logging_log_file(rgmanager_var_log_t) logging_log_file(rgmanager_var_log_t)
# pid files
type rgmanager_var_run_t; type rgmanager_var_run_t;
files_pid_file(rgmanager_var_run_t) files_pid_file(rgmanager_var_run_t)
@ -48,7 +45,6 @@ allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
allow rgmanager_t self:unix_dgram_socket create_socket_perms; allow rgmanager_t self:unix_dgram_socket create_socket_perms;
allow rgmanager_t self:tcp_socket create_stream_socket_perms; allow rgmanager_t self:tcp_socket create_stream_socket_perms;
# tmp files
manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t) manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir }) files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
@ -57,11 +53,9 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t) manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file }) fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file })
# log files
manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t) manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file }) logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
# pid file
manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t) manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file }) files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
@ -103,9 +97,6 @@ auth_read_all_files_except_shadow(rgmanager_t)
auth_dontaudit_getattr_shadow(rgmanager_t) auth_dontaudit_getattr_shadow(rgmanager_t)
auth_use_nsswitch(rgmanager_t) auth_use_nsswitch(rgmanager_t)
libs_use_ld_so(rgmanager_t)
libs_use_shared_libs(rgmanager_t)
logging_send_syslog_msg(rgmanager_t) logging_send_syslog_msg(rgmanager_t)
miscfiles_read_localization(rgmanager_t) miscfiles_read_localization(rgmanager_t)
@ -132,7 +123,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
groupd_stream_connect(rgmanager_t) rhcs_stream_connect_groupd(rgmanager_t)
') ')
optional_policy(` optional_policy(`
@ -142,7 +133,7 @@ optional_policy(`
optional_policy(` optional_policy(`
ccs_manage_config(rgmanager_t) ccs_manage_config(rgmanager_t)
ccs_stream_connect(rgmanager_t) ccs_stream_connect(rgmanager_t)
gfs_controld_stream_connect(rgmanager_t) rhcs_stream_connect_gfs_controld(rgmanager_t)
') ')
optional_policy(` optional_policy(`


@ -1,4 +1,4 @@
## <summary>SELinux policy for RHCS - Red Hat Cluster Suite </summary> ## <summary>RHCS - Red Hat Cluster Suite</summary>
####################################### #######################################
## <summary> ## <summary>
@ -18,7 +18,7 @@ template(`rhcs_domain_template',`
############################## ##############################
# #
# $1_t declarations # Declarations
# #
type $1_t, cluster_domain; type $1_t, cluster_domain;
@ -28,17 +28,15 @@ template(`rhcs_domain_template',`
type $1_tmpfs_t; type $1_tmpfs_t;
files_tmpfs_file($1_tmpfs_t) files_tmpfs_file($1_tmpfs_t)
# log files
type $1_var_log_t; type $1_var_log_t;
logging_log_file($1_var_log_t) logging_log_file($1_var_log_t)
# pid files
type $1_var_run_t; type $1_var_run_t;
files_pid_file($1_var_run_t) files_pid_file($1_var_run_t)
############################## ##############################
# #
# $1_t local policy # Local policy
# #
manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
@ -66,7 +64,7 @@ template(`rhcs_domain_template',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`dlm_controld_domtrans',` interface(`rhcs_domtrans_dlm_controld',`
gen_require(` gen_require(`
type dlm_controld_t, dlm_controld_exec_t; type dlm_controld_t, dlm_controld_exec_t;
') ')
@ -86,7 +84,7 @@ interface(`dlm_controld_domtrans',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`dlm_controld_stream_connect',` interface(`rhcs_stream_connect_dlm_controld',`
gen_require(` gen_require(`
type dlm_controld_t, dlm_controld_var_run_t; type dlm_controld_t, dlm_controld_var_run_t;
') ')
@ -105,28 +103,12 @@ interface(`dlm_controld_stream_connect',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`dlm_controld_rw_semaphores',` interface(`rhcs_rw_dlm_controld_semaphores',`
gen_require(` gen_require(`
type dlm_controld_t; type dlm_controld_t, dlm_controld_tmpfs_t;
') ')
allow $1 dlm_controld_t:sem { rw_sem_perms destroy }; allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
')
#####################################
## <summary>
## Manage dlm_controld tmpfs files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dlm_controld_manage_tmpfs_files',`
gen_require(`
type dlm_controld_tmpfs_t;
')
fs_search_tmpfs($1) fs_search_tmpfs($1)
manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t) manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
@ -142,7 +124,7 @@ interface(`dlm_controld_manage_tmpfs_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`fenced_domtrans',` interface(`rhcs_domtrans_fenced',`
gen_require(` gen_require(`
type fenced_t, fenced_exec_t; type fenced_t, fenced_exec_t;
') ')
@ -161,12 +143,15 @@ interface(`fenced_domtrans',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`fenced_rw_semaphores',` interface(`rhcs_rw_fenced_semaphores',`
gen_require(` gen_require(`
type fenced_t; type fenced_t, fenced_tmpfs_t;
') ')
allow $1 fenced_t:sem { rw_sem_perms destroy }; allow $1 fenced_t:sem { rw_sem_perms destroy };
fs_search_tmpfs($1)
manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
') ')
###################################### ######################################
@ -179,7 +164,7 @@ interface(`fenced_rw_semaphores',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`fenced_stream_connect',` interface(`rhcs_stream_connect_fenced',`
gen_require(` gen_require(`
type fenced_var_run_t, fenced_t; type fenced_var_run_t, fenced_t;
') ')
@ -189,25 +174,6 @@ interface(`fenced_stream_connect',`
files_search_pids($1) files_search_pids($1)
') ')
#####################################
## <summary>
## Managed fenced tmpfs files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fenced_manage_tmpfs_files',`
gen_require(`
type fenced_tmpfs_t;
')
fs_search_tmpfs($1)
manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
')
##################################### #####################################
## <summary> ## <summary>
## Execute a domain transition to run gfs_controld. ## Execute a domain transition to run gfs_controld.
@ -218,7 +184,7 @@ interface(`fenced_manage_tmpfs_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`gfs_controld_domtrans',` interface(`rhcs_domtrans_gfs_controld',`
gen_require(` gen_require(`
type gfs_controld_t, gfs_controld_exec_t; type gfs_controld_t, gfs_controld_exec_t;
') ')
@ -227,25 +193,6 @@ interface(`gfs_controld_domtrans',`
domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t) domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
') ')
###################################
## <summary>
## Manage gfs_controld tmpfs files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gfs_controld_manage_tmpfs_files',`
gen_require(`
type gfs_controld_tmpfs_t;
')
fs_search_tmpfs($1)
manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
')
#################################### ####################################
## <summary> ## <summary>
## Allow read and write access to gfs_controld semaphores. ## Allow read and write access to gfs_controld semaphores.
@ -256,12 +203,15 @@ interface(`gfs_controld_manage_tmpfs_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`gfs_controld_rw_semaphores',` interface(`rhcs_rw_gfs_controld_semaphores',`
gen_require(` gen_require(`
type gfs_controld_t; type gfs_controld_t, gfs_controld_tmpfs_t;
') ')
allow $1 gfs_controld_t:sem { rw_sem_perms destroy }; allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
fs_search_tmpfs($1)
manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
') ')
######################################## ########################################
@ -274,12 +224,15 @@ interface(`gfs_controld_rw_semaphores',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`gfs_controld_t_rw_shm',` interface(`rhcs_rw_gfs_controld_shm',`
gen_require(` gen_require(`
type gfs_controld_t; type gfs_controld_t, gfs_controld_tmpfs_t;
') ')
allow $1 gfs_controld_t:shm { rw_shm_perms destroy }; allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
fs_search_tmpfs($1)
manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
') ')
##################################### #####################################
@ -292,7 +245,7 @@ interface(`gfs_controld_t_rw_shm',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`gfs_controld_stream_connect',` interface(`rhcs_stream_connect_gfs_controld',`
gen_require(` gen_require(`
type gfs_controld_t, gfs_controld_var_run_t; type gfs_controld_t, gfs_controld_var_run_t;
') ')
@ -311,7 +264,7 @@ interface(`gfs_controld_stream_connect',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`groupd_domtrans',` interface(`rhcs_domtrans_groupd',`
gen_require(` gen_require(`
type groupd_t, groupd_exec_t; type groupd_t, groupd_exec_t;
') ')
@ -331,7 +284,7 @@ interface(`groupd_domtrans',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`groupd_stream_connect',` interface(`rhcs_stream_connect_groupd',`
gen_require(` gen_require(`
type groupd_t, groupd_var_run_t; type groupd_t, groupd_var_run_t;
') ')
@ -350,12 +303,15 @@ interface(`groupd_stream_connect',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`groupd_rw_semaphores',` interface(`rhcs_rw_groupd_semaphores',`
gen_require(` gen_require(`
type groupd_t; type groupd_t, groupd_tmpfs_t;
') ')
allow $1 groupd_t:sem { rw_sem_perms destroy }; allow $1 groupd_t:sem { rw_sem_perms destroy };
fs_search_tmpfs($1)
manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
') ')
######################################## ########################################
@ -368,28 +324,12 @@ interface(`groupd_rw_semaphores',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`groupd_rw_shm',` interface(`rhcs_rw_groupd_shm',`
gen_require(` gen_require(`
type groupd_t; type groupd_t, groupd_tmpfs_t;
') ')
allow $1 groupd_t:shm { rw_shm_perms destroy }; allow $1 groupd_t:shm { rw_shm_perms destroy };
')
#####################################
## <summary>
## Manage groupd tmpfs files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`groupd_manage_tmpfs_files',`
gen_require(`
type groupd_tmpfs_t;
')
fs_search_tmpfs($1) fs_search_tmpfs($1)
manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
@ -405,7 +345,7 @@ interface(`groupd_manage_tmpfs_files',`
## </summary> ## </summary>
## </param> ## </param>
# #
interface(`qdiskd_domtrans',` interface(`rhcs_domtrans_qdiskd',`
gen_require(` gen_require(`
type qdiskd_t, qdiskd_exec_t; type qdiskd_t, qdiskd_exec_t;
') ')
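Review bot: The merged interfaces keep their old summaries although their grants have grown: the gfs_controld semaphore interface is still described as "Allow read and write access to gfs_controld semaphores." while its body now also does `fs_search_tmpfs($1)` and `manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)`, and the same holds for rhcs_rw_dlm_controld_semaphores, rhcs_rw_fenced_semaphores, rhcs_rw_groupd_semaphores, rhcs_rw_gfs_controld_shm and rhcs_rw_groupd_shm. Since manage is considerably broader than rw, a policy author reading only the name or summary under-estimates what the interface hands out; suggest amending each summary along the lines of `## Read and write gfs_controld semaphores and manage its tmpfs files.` and, for consistency with the naming rules the commit is enforcing, consider whether a name carrying "manage" fits better. For gfs_controld and groupd the identical tmpfs rules now live in both the _semaphores and the _shm interface, so a caller invoking both gets them twice; a single home for the tmpfs rules would keep the interfaces orthogonal. The summary blocks themselves lie outside the hunks, so their current wording is inferred from the visible context lines.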


@ -22,7 +22,6 @@ rhcs_domain_template(fenced)
type fenced_lock_t; type fenced_lock_t;
files_lock_file(fenced_lock_t) files_lock_file(fenced_lock_t)
# tmp files
type fenced_tmp_t; type fenced_tmp_t;
files_tmp_file(fenced_tmp_t) files_tmp_file(fenced_tmp_t)
@ -32,7 +31,6 @@ rhcs_domain_template(groupd)
rhcs_domain_template(qdiskd) rhcs_domain_template(qdiskd)
# var/lib files
type qdiskd_var_lib_t; type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t) files_type(qdiskd_var_lib_t)
@ -78,7 +76,6 @@ can_exec(fenced_t, fenced_exec_t)
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file) files_lock_filetrans(fenced_t, fenced_lock_t, file)
# tmp files
manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t) manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
@ -235,9 +232,6 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms; allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
allow cluster_domain self:unix_dgram_socket create_socket_perms; allow cluster_domain self:unix_dgram_socket create_socket_perms;
libs_use_ld_so(cluster_domain)
libs_use_shared_libs(cluster_domain)
logging_send_syslog_msg(cluster_domain) logging_send_syslog_msg(cluster_domain)
miscfiles_read_localization(cluster_domain) miscfiles_read_localization(cluster_domain)


@ -11,19 +11,15 @@ type ricci_exec_t;
domain_type(ricci_t) domain_type(ricci_t)
init_daemon_domain(ricci_t, ricci_exec_t) init_daemon_domain(ricci_t, ricci_exec_t)
# tmp files
type ricci_tmp_t; type ricci_tmp_t;
files_tmp_file(ricci_tmp_t) files_tmp_file(ricci_tmp_t)
# var/lib files
type ricci_var_lib_t; type ricci_var_lib_t;
files_type(ricci_var_lib_t) files_type(ricci_var_lib_t)
# log files
type ricci_var_log_t; type ricci_var_log_t;
logging_log_file(ricci_var_log_t) logging_log_file(ricci_var_log_t)
# pid files
type ricci_var_run_t; type ricci_var_run_t;
files_pid_file(ricci_var_run_t) files_pid_file(ricci_var_run_t)
@ -33,15 +29,12 @@ domain_type(ricci_modcluster_t)
domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t) domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
role system_r types ricci_modcluster_t; role system_r types ricci_modcluster_t;
# var/lib files
type ricci_modcluster_var_lib_t; type ricci_modcluster_var_lib_t;
files_type(ricci_modcluster_var_lib_t) files_type(ricci_modcluster_var_lib_t)
# log files
type ricci_modcluster_var_log_t; type ricci_modcluster_var_log_t;
logging_log_file(ricci_modcluster_var_log_t) logging_log_file(ricci_modcluster_var_log_t)
# pid files
type ricci_modcluster_var_run_t; type ricci_modcluster_var_run_t;
files_pid_file(ricci_modcluster_var_run_t) files_pid_file(ricci_modcluster_var_run_t)
@ -94,24 +87,20 @@ domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t) domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t) domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)
# tmp file
manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t) manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t) manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir }) files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
# var/lib files for ricci
manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t) manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file }) files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
# log files
allow ricci_t ricci_var_log_t:dir setattr; allow ricci_t ricci_var_log_t:dir setattr;
manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t) manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir }) logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
# pid file
manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t) manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file }) files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
@ -277,13 +266,11 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
# log files
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir }) logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })
# pid file
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t) manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t) manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file }) files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file })