Redhat Cluster Suite Policy from Dan Walsh

Edits:
 - Style and whitespace fixes
 - Removed interfaces for default_t from ricci.te - this didn't seem right
 - Removed link files from rgmanager_manage_tmpfs_files
 - Removed rdisc.if patch; it was previously committed
 - Not including kernel_kill interface call for rgmanager
 - Not including ldap interfaces in rgmanager.te (currently not in refpolicy)
 - Not including files_create_var_run_dirs call for rgmanager (not in refpolicy)
Jeremy Solt 2010-05-06 13:13:41 -04:00 committed by Chris PeBenito
parent b8c9879a8c
commit 538cf9ab83
14 changed files with 1498 additions and 5 deletions


@ -0,0 +1,9 @@
/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0)
/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
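Review bot: The log entry `/var/log/cluster/aisexec\.log` matches only the live file, so a rotated log such as `aisexec.log.1` would not be labelled aisexec_var_log_t on a relabel and would take whatever the parent directory rule assigns. The rhcs file contexts in this same commit already use the wider form (`fenced\.log.*`), so `/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:aisexec_var_log_t,s0)` would be consistent with them. The corosync and rgmanager log entries later in the commit have the same narrow pattern.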


@ -0,0 +1,106 @@
## <summary>SELinux policy for Aisexec Cluster Engine</summary>
########################################
## <summary>
## Execute a domain transition to run aisexec.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`aisexec_domtrans',`
gen_require(`
type aisexec_t, aisexec_exec_t;
')
domtrans_pattern($1, aisexec_exec_t, aisexec_t)
')
#####################################
## <summary>
## Connect to aisexec over a unix domain
## stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`aisexec_stream_connect',`
gen_require(`
type aisexec_t, aisexec_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t)
')
#######################################
## <summary>
## Allow the specified domain to read aisexec's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`aisexec_read_log',`
gen_require(`
type aisexec_var_log_t;
')
logging_search_logs($1)
list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
')
######################################
## <summary>
## All of the rules required to administrate
## an aisexec environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the aisexecd domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`aisexecd_admin',`
gen_require(`
type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t;
type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t;
type aisexec_initrc_exec_t;
')
allow $1 aisexec_t:process { ptrace signal_perms };
ps_process_pattern($1, aisexec_t)
init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 aisexec_initrc_exec_t system_r;
allow $2 system_r;
files_list_var_lib($1)
admin_pattern($1, aisexec_var_lib_t)
logging_list_logs($1)
admin_pattern($1, aisexec_var_log_t)
files_list_pids($1)
admin_pattern($1, aisexec_var_run_t)
files_list_tmp($1)
admin_pattern($1, aisexec_tmp_t)
admin_pattern($1, aisexec_tmpfs_t)
')
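Review bot: `aisexecd_admin` is the only interface in this file that does not carry the module prefix `aisexec_`, and its role summary refers to an "aisexecd domain" although the type is aisexec_t; naming it `aisexec_admin` and writing "The role to be allowed to manage the aisexec domain." would match the rest of the file. The interface also grants `ptrace` on aisexec_t to the admin domain, which allows reading and altering the daemon's memory. If administrators only need to signal and list the process, `allow $1 aisexec_t:process signal_perms;` is the narrower grant. `corosyncd_admin` in the corosync interface file has the same naming and ptrace pattern, and its summary reads "an corosync environment".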


@ -0,0 +1,115 @@
policy_module(aisexec, 1.0.0)
########################################
#
# Declarations
#
type aisexec_t;
type aisexec_exec_t;
init_daemon_domain(aisexec_t, aisexec_exec_t)
type aisexec_initrc_exec_t;
init_script_file(aisexec_initrc_exec_t);
# tmp files
type aisexec_tmp_t;
files_tmp_file(aisexec_tmp_t)
type aisexec_tmpfs_t;
files_tmpfs_file(aisexec_tmpfs_t)
# var/lib files
type aisexec_var_lib_t;
files_type(aisexec_var_lib_t)
# log files
type aisexec_var_log_t;
logging_log_file(aisexec_var_log_t)
# pid files
type aisexec_var_run_t;
files_pid_file(aisexec_var_run_t)
########################################
#
# aisexec local policy
#
allow aisexec_t self:capability { sys_nice sys_resource ipc_lock };
allow aisexec_t self:process { setrlimit setsched signal };
allow aisexec_t self:fifo_file rw_fifo_file_perms;
allow aisexec_t self:sem create_sem_perms;
allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow aisexec_t self:unix_dgram_socket create_socket_perms;
allow aisexec_t self:udp_socket create_socket_perms;
# tmp files
manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir })
manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file })
# var/lib files
manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file })
# log files
manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
logging_log_filetrans(aisexec_t,aisexec_var_log_t,{ sock_file file })
# pid file
manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
kernel_read_system_state(aisexec_t)
corecmd_exec_bin(aisexec_t)
corenet_udp_bind_netsupport_port(aisexec_t)
corenet_tcp_bind_reserved_port(aisexec_t)
corenet_udp_bind_cluster_port(aisexec_t)
dev_read_urand(aisexec_t)
files_manage_mounttab(aisexec_t)
auth_use_nsswitch(aisexec_t)
init_rw_script_tmp_files(aisexec_t)
libs_use_ld_so(aisexec_t)
libs_use_shared_libs(aisexec_t)
logging_send_syslog_msg(aisexec_t)
miscfiles_read_localization(aisexec_t)
optional_policy(`
ccs_stream_connect(aisexec_t)
')
optional_policy(`
# to communication with RHCS
dlm_controld_manage_tmpfs_files(aisexec_t)
dlm_controld_rw_semaphores(aisexec_t)
fenced_manage_tmpfs_files(aisexec_t)
fenced_rw_semaphores(aisexec_t)
gfs_controld_manage_tmpfs_files(aisexec_t)
gfs_controld_rw_semaphores(aisexec_t)
gfs_controld_t_rw_shm(aisexec_t)
groupd_manage_tmpfs_files(aisexec_t)
groupd_rw_semaphores(aisexec_t)
groupd_rw_shm(aisexec_t)
')
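Review bot: `corenet_tcp_bind_reserved_port(aisexec_t)` allows binding the generic reserved TCP port type, yet the local policy declares only `self:udp_socket` and no `self:tcp_socket` permissions, so the rule is either unused or incomplete. The corosync policy in this commit, which otherwise mirrors this file, has no TCP bind at all. Unless a denial shows that aisexec listens on TCP, I would drop the line. If it is needed, add the matching `allow aisexec_t self:tcp_socket create_stream_socket_perms;` and a comment naming the port, so the grant can later be narrowed to a dedicated port type.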


@ -113,6 +113,11 @@ ifdef(`hide_broken_symptoms', `
files_manage_isid_type_files(ccs_t)
')
optional_policy(`
aisexec_stream_connect(ccs_t)
corosync_stream_connect(ccs_t)
')
optional_policy(`
unconfined_use_fds(ccs_t)
')
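Review bot: Putting `aisexec_stream_connect(ccs_t)` and `corosync_stream_connect(ccs_t)` in one `optional_policy` block couples them: the block is dropped as a whole when either module is missing, so a policy built with corosync but without aisexec silently loses the corosync rule too. Giving each call its own `optional_policy(` … `')` block keeps them independent. The same pairing appears in the rgmanager policy added by this commit. The `ifdef` that closes at the top of this hunk starts outside it.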


@ -0,0 +1,12 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
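Review bot: `/usr/sbin/ccs_tool` is labelled corosync_exec_t, the daemon's entrypoint type, so any domain that is granted `corosync_domtrans` would run this command-line tool with the complete corosync_t rule set, including its capabilities. If the tool only has to talk to the running daemon, a label of its own or the default bin label plus a stream-connect rule would presumably be narrower. If sharing the label is intended, a comment line above the entry stating the reason would let a later reviewer confirm it.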


@ -0,0 +1,106 @@
## <summary>SELinux policy for Corosync Cluster Engine</summary>
########################################
## <summary>
## Execute a domain transition to run corosync.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corosync_domtrans',`
gen_require(`
type corosync_t, corosync_exec_t;
')
domtrans_pattern($1, corosync_exec_t, corosync_t)
')
#######################################
## <summary>
## Allow the specified domain to read corosync's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corosync_read_log',`
gen_require(`
type corosync_var_log_t;
')
logging_search_logs($1)
list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t)
read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
')
#####################################
## <summary>
## Connect to corosync over a unix domain
## stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`corosync_stream_connect',`
gen_require(`
type corosync_t, corosync_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
')
######################################
## <summary>
## All of the rules required to administrate
## an corosync environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the corosyncd domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`corosyncd_admin',`
gen_require(`
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
type corosync_initrc_exec_t;
')
allow $1 corosync_t:process { ptrace signal_perms };
ps_process_pattern($1, corosync_t)
init_labeled_script_domtrans($1, corosync_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
allow $2 system_r;
files_list_tmp($1)
admin_pattern($1, corosync_tmp_t)
admin_pattern($1, corosync_tmpfs_t)
files_list_var_lib($1)
admin_pattern($1, corosync_var_lib_t)
logging_list_logs($1)
admin_pattern($1, corosync_var_log_t)
files_list_pids($1)
admin_pattern($1, corosync_var_run_t)
')


@ -0,0 +1,115 @@
policy_module(corosync, 1.0.0)
########################################
#
# Declarations
#
type corosync_t;
type corosync_exec_t;
init_daemon_domain(corosync_t, corosync_exec_t)
type corosync_initrc_exec_t;
init_script_file(corosync_initrc_exec_t);
# tmp files
type corosync_tmp_t;
files_tmp_file(corosync_tmp_t)
type corosync_tmpfs_t;
files_tmpfs_file(corosync_tmpfs_t)
# var/lib files
type corosync_var_lib_t;
files_type(corosync_var_lib_t)
# log files
type corosync_var_log_t;
logging_log_file(corosync_var_log_t)
# pid files
type corosync_var_run_t;
files_pid_file(corosync_var_run_t)
########################################
#
# corosync local policy
#
allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
allow corosync_t self:process { setrlimit setsched signal };
allow corosync_t self:fifo_file rw_fifo_file_perms;
allow corosync_t self:sem create_sem_perms;
allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow corosync_t self:unix_dgram_socket create_socket_perms;
allow corosync_t self:udp_socket create_socket_perms;
# tmp files
manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t,{ dir file })
# var/lib files
manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
# log files
manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
# pid file
manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
kernel_read_system_state(corosync_t)
corecmd_exec_bin(corosync_t)
corenet_udp_bind_netsupport_port(corosync_t)
dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
auth_use_nsswitch(corosync_t)
init_read_script_state(corosync_t)
init_rw_script_tmp_files(corosync_t)
logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
userdom_rw_user_tmpfs_files(corosync_t)
optional_policy(`
ccs_read_config(corosync_t)
')
optional_policy(`
# to communication with RHCS
dlm_controld_manage_tmpfs_files(corosync_t)
dlm_controld_rw_semaphores(corosync_t)
fenced_manage_tmpfs_files(corosync_t)
fenced_rw_semaphores(corosync_t)
gfs_controld_manage_tmpfs_files(corosync_t)
gfs_controld_rw_semaphores(corosync_t)
')
optional_policy(`
rgmanager_manage_tmpfs_files(corosync_t)
')
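Review bot: `userdom_rw_user_tmpfs_files(corosync_t)` gives a system daemon read and write access to tmpfs files belonging to user sessions, and nothing in the file says which client requires it; the otherwise parallel aisexec policy in this commit does not have the call. `domain_read_all_domains_state(corosync_t)` is similarly broad, since it exposes the process state of every domain to corosync_t. Each of these should carry a one-line why-comment naming the component that triggered the denial, or be dropped until a denial is reproduced. The comment `# to communication with RHCS` would read better as `# communicate with RHCS daemons`.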


@ -0,0 +1,7 @@
/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)


@ -0,0 +1,95 @@
## <summary>SELinux policy for rgmanager</summary>
#######################################
## <summary>
## Execute a domain transition to run rgmanager.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rgmanager_domtrans',`
gen_require(`
type rgmanager_t, rgmanager_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
')
#######################################
## <summary>
## Allow read and write access to rgmanager semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rgmanager_rw_semaphores',`
gen_require(`
type rgmanager_t;
')
allow $1 rgmanager_t:sem rw_sem_perms;
')
########################################
## <summary>
## Connect to rgmanager over an unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rgmanager_stream_connect',`
gen_require(`
type rgmanager_t, rgmanager_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
')
######################################
## <summary>
## Allow manage rgmanager tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rgmanager_manage_tmp_files',`
gen_require(`
type rgmanager_tmp_t;
')
files_search_tmp($1)
manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
')
######################################
## <summary>
## Allow manage rgmanager tmpfs files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rgmanager_manage_tmpfs_files',`
gen_require(`
type rgmanager_tmpfs_t;
')
fs_search_tmpfs($1)
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
')


@ -0,0 +1,212 @@
policy_module(rgmanager, 1.0.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow rgmanager domain to connect to the network using TCP.
## </p>
## </desc>
gen_tunable(rgmanager_can_network_connect, false)
type rgmanager_t;
type rgmanager_exec_t;
domain_type(rgmanager_t)
init_daemon_domain(rgmanager_t, rgmanager_exec_t)
# tmp files
type rgmanager_tmp_t;
files_tmp_file(rgmanager_tmp_t)
type rgmanager_tmpfs_t;
files_tmpfs_file(rgmanager_tmpfs_t)
# log files
type rgmanager_var_log_t;
logging_log_file(rgmanager_var_log_t)
# pid files
type rgmanager_var_run_t;
files_pid_file(rgmanager_var_run_t)
########################################
#
# rgmanager local policy
#
allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
dontaudit rgmanager_t self:capability { sys_ptrace };
allow rgmanager_t self:process { setsched signal };
dontaudit rgmanager_t self:process { ptrace };
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
allow rgmanager_t self:unix_dgram_socket create_socket_perms;
allow rgmanager_t self:tcp_socket create_stream_socket_perms;
# tmp files
manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file })
# log files
manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
# pid file
manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(rgmanager_t)
kernel_read_system_state(rgmanager_t)
kernel_rw_rpc_sysctls(rgmanager_t)
kernel_search_debugfs(rgmanager_t)
kernel_search_network_state(rgmanager_t)
corecmd_exec_bin(rgmanager_t)
corecmd_exec_shell(rgmanager_t)
consoletype_exec(rgmanager_t)
# need to write to /dev/misc/dlm-control
dev_rw_dlm_control(rgmanager_t)
dev_setattr_dlm_control(rgmanager_t)
dev_search_sysfs(rgmanager_t)
domain_read_all_domains_state(rgmanager_t)
domain_getattr_all_domains(rgmanager_t)
domain_dontaudit_ptrace_all_domains(rgmanager_t)
files_list_all(rgmanager_t)
files_getattr_all_symlinks(rgmanager_t)
files_manage_mnt_dirs(rgmanager_t)
files_manage_isid_type_dirs(rgmanager_t)
fs_getattr_xattr_fs(rgmanager_t)
fs_getattr_all_fs(rgmanager_t)
storage_getattr_fixed_disk_dev(rgmanager_t)
term_getattr_pty_fs(rgmanager_t)
#term_use_ptmx(rgmanager_t)
# needed by resources scripts
auth_read_all_files_except_shadow(rgmanager_t)
auth_dontaudit_getattr_shadow(rgmanager_t)
auth_use_nsswitch(rgmanager_t)
libs_use_ld_so(rgmanager_t)
libs_use_shared_libs(rgmanager_t)
logging_send_syslog_msg(rgmanager_t)
miscfiles_read_localization(rgmanager_t)
mount_domtrans(rgmanager_t)
tunable_policy(`rgmanager_can_network_connect',`
corenet_tcp_connect_all_ports(rgmanager_t)
')
# rgmanager can run resource scripts
optional_policy(`
aisexec_stream_connect(rgmanager_t)
corosync_stream_connect(rgmanager_t)
')
optional_policy(`
apache_domtrans(rgmanager_t)
apache_signal(rgmanager_t)
')
optional_policy(`
fstools_domtrans(rgmanager_t)
')
optional_policy(`
groupd_stream_connect(rgmanager_t)
')
optional_policy(`
hostname_exec(rgmanager_t)
')
optional_policy(`
ccs_manage_config(rgmanager_t)
ccs_stream_connect(rgmanager_t)
gfs_controld_stream_connect(rgmanager_t)
')
optional_policy(`
lvm_domtrans(rgmanager_t)
')
optional_policy(`
mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t)
')
optional_policy(`
netutils_domtrans(rgmanager_t)
netutils_domtrans_ping(rgmanager_t)
')
optional_policy(`
postgresql_domtrans(rgmanager_t)
postgresql_signal(rgmanager_t)
')
optional_policy(`
rdisc_exec(rgmanager_t)
')
optional_policy(`
ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
')
optional_policy(`
rpc_initrc_domtrans_nfsd(rgmanager_t)
rpc_initrc_domtrans_rpcd(rgmanager_t)
rpc_domtrans_nfsd(rgmanager_t)
rpc_domtrans_rpcd(rgmanager_t)
rpc_manage_nfs_state_data(rgmanager_t)
')
optional_policy(`
samba_initrc_domtrans(rgmanager_t)
samba_domtrans_smbd(rgmanager_t)
samba_domtrans_nmbd(rgmanager_t)
samba_manage_var_files(rgmanager_t)
samba_rw_config(rgmanager_t)
samba_signal_smbd(rgmanager_t)
samba_signal_nmbd(rgmanager_t)
')
optional_policy(`
sysnet_domtrans_ifconfig(rgmanager_t)
')
optional_policy(`
udev_read_db(rgmanager_t)
')
optional_policy(`
virt_stream_connect(rgmanager_t)
')
optional_policy(`
unconfined_domain(rgmanager_t)
')
optional_policy(`
xen_domtrans_xm(rgmanager_t)
')
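Review bot: The block `optional_policy(` `unconfined_domain(rgmanager_t)` `')` near the end makes rgmanager_t unconfined on every system that ships the unconfined module, which overrides the least-privilege rules written above it. In particular, the `rgmanager_can_network_connect` tunable and the `dontaudit` rules for ptrace no longer constrain anything once the domain is unconfined. If the intent is that resource scripts may do arbitrary work, say so in a comment directly above the block, for example `# resource scripts are arbitrary admin code; unconfined until they get their own domains`. Otherwise remove the block and rely on the specific `*_domtrans` calls already listed. Separately, the comment `# rgmanager can run resource scripts` sits above the aisexec/corosync connect block rather than above the domtrans blocks it appears to describe.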


@ -0,0 +1,22 @@
/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)


@ -0,0 +1,415 @@
## <summary>SELinux policy for RHCS - Red Hat Cluster Suite </summary>
#######################################
## <summary>
## Creates types and rules for a basic
## rhcs init daemon domain.
## </summary>
## <param name="prefix">
## <summary>
## Prefix for the domain.
## </summary>
## </param>
#
template(`rhcs_domain_template',`
gen_require(`
attribute cluster_domain;
')
##############################
#
# $1_t declarations
#
type $1_t, cluster_domain;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
type $1_tmpfs_t;
files_tmpfs_file($1_tmpfs_t)
# log files
type $1_var_log_t;
logging_log_file($1_var_log_t)
# pid files
type $1_var_run_t;
files_pid_file($1_var_run_t)
##############################
#
# $1_t local policy
#
manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
')
######################################
## <summary>
## Execute a domain transition to run dlm_controld.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`dlm_controld_domtrans',`
gen_require(`
type dlm_controld_t, dlm_controld_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
')
#####################################
## <summary>
## Connect to dlm_controld over a unix domain
## stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dlm_controld_stream_connect',`
gen_require(`
type dlm_controld_t, dlm_controld_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
')
#####################################
## <summary>
## Allow read and write access to dlm_controld semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dlm_controld_rw_semaphores',`
gen_require(`
type dlm_controld_t;
')
allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
')
#####################################
## <summary>
## Manage dlm_controld tmpfs files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dlm_controld_manage_tmpfs_files',`
gen_require(`
type dlm_controld_tmpfs_t;
')
fs_search_tmpfs($1)
manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
')
######################################
## <summary>
## Execute a domain transition to run fenced.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fenced_domtrans',`
gen_require(`
type fenced_t, fenced_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, fenced_exec_t, fenced_t)
')
######################################
## <summary>
## Allow read and write access to fenced semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fenced_rw_semaphores',`
gen_require(`
type fenced_t;
')
allow $1 fenced_t:sem { rw_sem_perms destroy };
')
######################################
## <summary>
## Connect to fenced over an unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fenced_stream_connect',`
gen_require(`
type fenced_var_run_t, fenced_t;
')
allow $1 fenced_t:unix_stream_socket connectto;
allow $1 fenced_var_run_t:sock_file { getattr write };
files_search_pids($1)
')
#####################################
## <summary>
## Managed fenced tmpfs files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fenced_manage_tmpfs_files',`
gen_require(`
type fenced_tmpfs_t;
')
fs_search_tmpfs($1)
manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
')
#####################################
## <summary>
## Execute a domain transition to run gfs_controld.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gfs_controld_domtrans',`
gen_require(`
type gfs_controld_t, gfs_controld_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
')
###################################
## <summary>
## Manage gfs_controld tmpfs files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gfs_controld_manage_tmpfs_files',`
gen_require(`
type gfs_controld_tmpfs_t;
')
fs_search_tmpfs($1)
manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
')
####################################
## <summary>
## Allow read and write access to gfs_controld semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gfs_controld_rw_semaphores',`
gen_require(`
type gfs_controld_t;
')
allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
')
########################################
## <summary>
## Read and write to gfs_controld_t shared memory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gfs_controld_t_rw_shm',`
gen_require(`
type gfs_controld_t;
')
allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
')
#####################################
## <summary>
## Connect to gfs_controld_t over an unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gfs_controld_stream_connect',`
gen_require(`
type gfs_controld_t, gfs_controld_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
')
######################################
## <summary>
## Execute a domain transition to run groupd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`groupd_domtrans',`
gen_require(`
type groupd_t, groupd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, groupd_exec_t, groupd_t)
')
#####################################
## <summary>
## Connect to groupd over a unix domain
## stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`groupd_stream_connect',`
gen_require(`
type groupd_t, groupd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
')
#####################################
## <summary>
## Allow read and write access to groupd semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`groupd_rw_semaphores',`
gen_require(`
type groupd_t;
')
allow $1 groupd_t:sem { rw_sem_perms destroy };
')
########################################
## <summary>
## Read and write to group shared memory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`groupd_rw_shm',`
gen_require(`
type groupd_t;
')
allow $1 groupd_t:shm { rw_shm_perms destroy };
')
#####################################
## <summary>
## Manage groupd tmpfs files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`groupd_manage_tmpfs_files',`
gen_require(`
type groupd_tmpfs_t;
')
fs_search_tmpfs($1)
manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
')
######################################
## <summary>
## Execute a domain transition to run qdiskd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`qdiskd_domtrans',`
gen_require(`
type qdiskd_t, qdiskd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
')
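Review bot: In `rhcs_domain_template` the daemon may manage socket files of type `$1_var_run_t`, but the type transition `files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })` omits `sock_file`. A socket created directly in the pid directory would therefore keep the generic pid-directory label, and the `*_stream_connect` interfaces below, which match on `$1_var_run_t`, would not cover it. Unless the sockets are always created inside an already labelled subdirectory, the transition should read `files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file sock_file })`. Two smaller points: the `*_rw_semaphores` and `*_rw_shm` summaries say "read and write" while the rules also grant `destroy`, and `gfs_controld_t_rw_shm` carries a stray `_t` compared with `groupd_rw_shm`.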


@ -0,0 +1,247 @@
policy_module(rhcs, 1.1.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow fenced domain to connect to the network using TCP.
## </p>
## </desc>
gen_tunable(fenced_can_network_connect, false)
attribute cluster_domain;
rhcs_domain_template(dlm_controld)
rhcs_domain_template(fenced)
type fenced_lock_t;
files_lock_file(fenced_lock_t)
# tmp files
type fenced_tmp_t;
files_tmp_file(fenced_tmp_t)
rhcs_domain_template(gfs_controld)
rhcs_domain_template(groupd)
rhcs_domain_template(qdiskd)
# var/lib files
type qdiskd_var_lib_t;
files_type(qdiskd_var_lib_t)
#####################################
#
# dlm_controld local policy
#
allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
kernel_read_system_state(dlm_controld_t)
dev_rw_dlm_control(dlm_controld_t)
dev_rw_sysfs(dlm_controld_t)
fs_manage_configfs_files(dlm_controld_t)
fs_manage_configfs_dirs(dlm_controld_t)
init_rw_script_tmp_files(dlm_controld_t)
optional_policy(`
ccs_stream_connect(dlm_controld_t)
')
#######################################
#
# fenced local policy
#
allow fenced_t self:capability { sys_rawio sys_resource };
allow fenced_t self:process getsched;
allow fenced_t self:tcp_socket create_stream_socket_perms;
allow fenced_t self:udp_socket create_socket_perms;
can_exec(fenced_t, fenced_exec_t)
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
files_lock_filetrans(fenced_t, fenced_lock_t, file)
# tmp files
manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
corecmd_exec_bin(fenced_t)
corenet_tcp_connect_http_port(fenced_t)
dev_read_sysfs(fenced_t)
dev_read_urand(fenced_t)
files_read_usr_symlinks(fenced_t)
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
storage_raw_read_removable_device(fenced_t)
term_getattr_pty_fs(fenced_t)
term_use_ptmx(fenced_t)
auth_use_nsswitch(fenced_t)
tunable_policy(`fenced_can_network_connect',`
corenet_tcp_connect_all_ports(fenced_t)
')
optional_policy(`
ccs_read_config(fenced_t)
ccs_stream_connect(fenced_t)
')
optional_policy(`
lvm_domtrans(fenced_t)
lvm_read_config(fenced_t)
')
######################################
#
# gfs_controld local policy
#
allow gfs_controld_t self:capability { net_admin sys_resource };
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
kernel_read_system_state(gfs_controld_t)
dev_rw_dlm_control(gfs_controld_t)
dev_setattr_dlm_control(gfs_controld_t)
dev_rw_sysfs(gfs_controld_t)
storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
ccs_stream_connect(gfs_controld_t)
')
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
#######################################
#
# groupd local policy
#
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
allow groupd_t self:shm create_shm_perms;
dev_list_sysfs(groupd_t)
files_read_etc_files(groupd_t)
init_rw_script_tmp_files(groupd_t)
######################################
#
# qdiskd local policy
#
allow qdiskd_t self:capability ipc_lock;
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
kernel_read_system_state(qdiskd_t)
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)
corecmd_getattr_bin_files(qdiskd_t)
corecmd_exec_shell(qdiskd_t)
dev_read_sysfs(qdiskd_t)
dev_list_all_dev_nodes(qdiskd_t)
dev_getattr_all_blk_files(qdiskd_t)
dev_getattr_all_chr_files(qdiskd_t)
dev_manage_generic_blk_files(qdiskd_t)
dev_manage_generic_chr_files(qdiskd_t)
domain_dontaudit_getattr_all_pipes(qdiskd_t)
domain_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_sockets(qdiskd_t)
files_dontaudit_getattr_all_pipes(qdiskd_t)
files_read_etc_files(qdiskd_t)
storage_raw_read_removable_device(qdiskd_t)
storage_raw_write_removable_device(qdiskd_t)
storage_raw_read_fixed_disk(qdiskd_t)
storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
optional_policy(`
ccs_stream_connect(qdiskd_t)
')
optional_policy(`
netutils_domtrans_ping(qdiskd_t)
')
optional_policy(`
udev_read_db(qdiskd_t)
')
#####################################
#
# rhcs domains common policy
#
allow cluster_domain self:capability { sys_nice };
allow cluster_domain self:process setsched;
allow cluster_domain self:sem create_sem_perms;
allow cluster_domain self:fifo_file rw_fifo_file_perms;
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
allow cluster_domain self:unix_dgram_socket create_socket_perms;
libs_use_ld_so(cluster_domain)
libs_use_shared_libs(cluster_domain)
logging_send_syslog_msg(cluster_domain)
miscfiles_read_localization(cluster_domain)
optional_policy(`
corosync_stream_connect(cluster_domain)
')
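Review bot: The qdiskd local policy grants `storage_raw_write_fixed_disk(qdiskd_t)` and `dev_manage_generic_blk_files(qdiskd_t)` next to `corecmd_exec_shell(qdiskd_t)`, and the fenced local policy grants `storage_raw_write_fixed_disk(fenced_t)` together with `sys_rawio`, all without a comment explaining the need. Raw write access to fixed disks lets a domain change data underneath the file labels, so these two domains are confined much less than the rest of the module suggests. I would put a why-comment above each group, for example `# qdiskd reads and writes the quorum partition directly`, with the wording to be confirmed against what the daemon actually does. If the quorum device can carry its own device type, the raw access could be limited to that type instead of all fixed disks. Separately, the groupd section repeats `sys_nice` and `setsched`, which the common `cluster_domain` rules at the end also grant; if `rhcs_domain_template` (not visible here) assigns that attribute, the groupd copies can be dropped.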


@ -194,7 +194,7 @@ optional_policy(`
# ricci_modcluster local policy
#
allow ricci_modcluster_t self:capability sys_nice;
allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
allow ricci_modcluster_t self:process setsched;
allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
@ -204,6 +204,9 @@ kernel_read_system_state(ricci_modcluster_t)
corecmd_exec_shell(ricci_modcluster_t)
corecmd_exec_bin(ricci_modcluster_t)
corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
domain_read_all_domains_state(ricci_modcluster_t)
files_search_locks(ricci_modcluster_t)
@ -216,16 +219,21 @@ init_domtrans_script(ricci_modcluster_t)
logging_send_syslog_msg(ricci_modcluster_t)
consoletype_exec(ricci_modcluster_t)
miscfiles_read_localization(ricci_modcluster_t)
modutils_domtrans_insmod(ricci_modcluster_t)
mount_domtrans(ricci_modcluster_t)
consoletype_exec(ricci_modcluster_t)
ricci_stream_connect_modclusterd(ricci_modcluster_t)
optional_policy(`
aisexec_stream_connect(ricci_modcluster_t)
corosync_stream_connect(ricci_modcluster_t)
')
optional_policy(`
ccs_stream_connect(ricci_modcluster_t)
ccs_domtrans(ricci_modcluster_t)
@ -244,6 +252,10 @@ optional_policy(`
oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
')
optional_policy(`
rgmanager_stream_connect(ricci_modclusterd_t)
')
optional_policy(`
# XXX This has got to go.
unconfined_domain(ricci_modcluster_t)
@ -259,11 +271,11 @@ allow ricci_modclusterd_t self:process { signal sigkill setsched };
allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms;
# cjp: this needs to be fixed for a specific socket type:
allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
# log files
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
@ -294,6 +306,8 @@ files_read_etc_runtime_files(ricci_modclusterd_t)
fs_getattr_xattr_fs(ricci_modclusterd_t)
auth_use_nsswitch(ricci_modclusterd_t)
init_stream_connect_script(ricci_modclusterd_t)
locallogin_dontaudit_use_fds(ricci_modclusterd_t)
@ -303,7 +317,11 @@ logging_send_syslog_msg(ricci_modclusterd_t)
miscfiles_read_localization(ricci_modclusterd_t)
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
sysnet_dns_name_resolve(ricci_modclusterd_t)
optional_policy(`
aisexec_stream_connect(ricci_modclusterd_t)
corosync_stream_connect(ricci_modclusterd_t)
')
optional_policy(`
ccs_domtrans(ricci_modclusterd_t)
@ -311,6 +329,10 @@ optional_policy(`
ccs_read_config(ricci_modclusterd_t)
')
optional_policy(`
rgmanager_stream_connect(ricci_modclusterd_t)
')
optional_policy(`
unconfined_use_fds(ricci_modclusterd_t)
')
@ -456,6 +478,11 @@ consoletype_exec(ricci_modstorage_t)
mount_domtrans(ricci_modstorage_t)
optional_policy(`
aisexec_stream_connect(ricci_modstorage_t)
corosync_stream_connect(ricci_modstorage_t)
')
optional_policy(`
ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)