trunk: varnishd from dan.

Changelog

@@ -31,6 +31,7 @@
 	portreserve (Dan Walsh)
 	sssd (Dan Walsh)
 	ulogd (Dan Walsh)
+	varnishd (Dan Walsh)
 	webadm (Dan Walsh)
 	xguest (Dan Walsh)
 	zosremote (Dan Walsh)

policy/modules/services/varnishd.fc

@@ -0,0 +1,18 @@
+/etc/rc\.d/init\.d/varnish	--	gen_context(system_u:object_r:varnishd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/varnishlog	--	gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/varnishncsa	--	gen_context(system_u:object_r:varnishlog_initrc_exec_t,s0)
+
+/etc/varnish(/.*)?			gen_context(system_u:object_r:varnishd_etc_t,s0)
+
+/usr/bin/varnishlog		--	gen_context(system_u:object_r:varnishlog_exec_t,s0)
+/usr/bin/varnisncsa		--	gen_context(system_u:object_r:varnishlog_exec_t,s0)
+
+/usr/sbin/varnishd		--	gen_context(system_u:object_r:varnishd_exec_t,s0)
+
+/var/lib/varnish(/.*)?			gen_context(system_u:object_r:varnishd_var_lib_t,s0)
+
+/var/log/varnish(/.*)?			gen_context(system_u:object_r:varnishlog_log_t,s0)
+
+/var/run/varnish\.pid		--	gen_context(system_u:object_r:varnishd_var_run_t,s0)
+/var/run/varnishlog\.pid	--	gen_context(system_u:object_r:varnishlog_var_run_t,s0)
+/var/run/varnishncsa\.pid	--	gen_context(system_u:object_r:varnishlog_var_run_t,s0)

policy/modules/services/varnishd.if

@@ -0,0 +1,200 @@
+## <summary>Varnishd http accelerator daemon</summary>
+
+#######################################
+## <summary>
+##	Execute varnishd in the varnishd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`varnishd_domtrans',`
+	gen_require(`
+		type varnishd_t, varnishd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, varnishd_exec_t, varnishd_t)
+')
+
+#######################################
+## <summary>
+##	Execute varnishd 
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`varnishd_exec',`
+	gen_require(`
+		type varnishd_exec_t;
+	')
+
+	can_exec($1, varnishd_exec_t)
+')
+
+######################################
+## <summary>
+##	Read varnishd configuration file.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`varnishd_read_config',`
+	gen_require(`
+		type varnishd_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)
+')
+
+#######################################
+## <summary>
+##	Read varnish logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`varnish_read_log',`
+	gen_require(`
+		type varnishlog_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
+')
+
+######################################
+## <summary>
+##	Append varnish logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`varnishlog_append_log',`
+	gen_require(`
+		type varnishlog_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
+')
+
+#####################################
+## <summary>
+##	Manage varnish logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`varnishlog_manage_log',`
+	gen_require(`
+		type varnishlog_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
+')
+
+######################################
+## <summary>
+##	All of the rules required to administrate 
+##	an varnishlog environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the varnishlog domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`varnishd_admin_varnishlog',`
+	gen_require(`
+		type varnishlog_t;
+		type varnishlog_var_run_t, varnishlog_log_t;
+		type varnishlog_initrc_exec_t;
+	')
+
+	allow $1 varnishlog_t:process { ptrace signal_perms };
+	ps_process_pattern($1, varnishlog_t)
+
+	init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 varnishlog_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_pids($1)
+ 	admin_pattern($1, varnishlog_var_run_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, varnishlog_log_t)
+
+')
+
+#######################################
+## <summary>
+##	All of the rules required to administrate 
+##	an varnishd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the varnishd domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`varnishd_admin',`
+	gen_require(`
+		type varnishd_t, varnishd_var_lib_t, varnishd_etc_t;
+		type varnishd_var_run_t, varnishd_tmp_t; 
+		type varnishd_initrc_exec_t;
+	')
+
+	allow $1 varnishd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, varnishd_t)
+
+	init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 varnishd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_var_lib($1)
+	admin_pattern($1, varnishd_var_lib_t)
+
+	files_search_etc($1)
+	admin_pattern($1, varnishd_etc_t)
+
+	files_search_pids($1)
+	admin_pattern($1, varnishd_var_run_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, varnishd_tmp_t)
+
+')

policy/modules/services/varnishd.te

@@ -0,0 +1,117 @@
+
+policy_module(varnishd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow varnishd to connect to all ports,
+## not just HTTP.
+## </p>
+## </desc>
+gen_tunable(varnishd_connect_any, false)
+
+type varnishd_t;
+type varnishd_exec_t;
+init_daemon_domain(varnishd_t, varnishd_exec_t)
+
+type varnishd_initrc_exec_t;
+init_script_file(varnishd_initrc_exec_t)
+
+type varnishd_etc_t;
+files_type(varnishd_etc_t)
+
+type varnishd_tmp_t;
+files_tmp_file(varnishd_tmp_t)
+
+type varnishd_var_lib_t;
+files_type(varnishd_var_lib_t)
+
+type varnishd_var_run_t;
+files_pid_file(varnishd_var_run_t)
+
+type varnishlog_t;
+type varnishlog_exec_t;
+init_daemon_domain(varnishlog_t, varnishlog_exec_t)
+
+type varnishlog_initrc_exec_t;
+init_script_file(varnishlog_initrc_exec_t)
+
+type varnishlog_var_run_t;
+files_pid_file(varnishlog_var_run_t)
+
+type varnishlog_log_t;
+files_type(varnishlog_log_t)
+
+########################################
+#
+# varnishd local policy
+#
+
+allow varnishd_t self:capability { dac_override ipc_lock setuid setgid };
+allow varnishd_t self:process signal;
+allow varnishd_t self:fifo_file rw_fifo_file_perms;
+allow varnishd_t self:tcp_socket create_stream_socket_perms;
+allow varnishd_t self:udp_socket create_socket_perms;
+
+read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
+list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
+
+manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
+manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
+files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir })
+
+exec_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
+manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
+manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
+files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })
+
+manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
+files_pid_filetrans(varnishd_t, varnishd_var_run_t, { file })
+
+kernel_read_system_state(varnishd_t)
+
+corecmd_exec_bin(varnishd_t)
+corecmd_exec_shell(varnishd_t)
+
+corenet_tcp_sendrecv_generic_if(varnishd_t)
+corenet_tcp_bind_generic_node(varnishd_t)
+corenet_tcp_bind_http_port(varnishd_t)
+corenet_tcp_bind_http_cache_port(varnishd_t)
+corenet_tcp_connect_http_cache_port(varnishd_t)
+corenet_tcp_connect_http_port(varnishd_t)
+
+dev_read_urand(varnishd_t)
+
+fs_getattr_all_fs(varnishd_t)
+
+auth_use_nsswitch(varnishd_t)
+
+logging_send_syslog_msg(varnishd_t)
+
+miscfiles_read_localization(varnishd_t)
+
+sysnet_read_config(varnishd_t)
+
+tunable_policy(`varnishd_connect_any',`
+	corenet_tcp_connect_all_ports(varnishd_t)
+	corenet_tcp_bind_all_ports(varnishd_t)
+')
+
+#######################################
+#
+# varnishlog local policy
+#
+
+manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
+files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, { file })
+
+manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
+logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })
+
+files_search_var_lib(varnishlog_t)
+read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)