#DESC Daemontools - Tools for managing UNIX services
#
# Author: Petre Rodan
# with the help of Chris PeBenito, Russell Coker and Tad Glines
#
#
# selinux policy for daemontools
# http://cr.yp.to/daemontools.html
#
# thanks to D. J. Bernstein and the NSA team for the great software
# they provide
#
# Domains declared in this file (through the daemon macros of the base
# policy):
#   svc_script_t   - the svc control tool, entered from run_init_t
#   svc_start_t    - the supervisor side, entered from init_t or from
#                    svc_script_t
#   svc_run_t      - the /service/*/run and /service/*/log/run scripts,
#                    a child domain of svc_start_t
#   svc_multilog_t - the multilog logger, a child domain of svc_run_t
#
# The svc_ipc_domain macro is used below but not declared here; it is
# expected to come from the shared macro files (NOTE(review): confirm).
#
##############################################################
# type definitions
# configuration that run scripts are allowed to read
type svc_conf_t, file_type, sysadmfile;
# log files produced by multilog
type svc_log_t, file_type, sysadmfile;
# the /service tree itself: supervise control files, status, run scripts
type svc_svc_t, file_type, sysadmfile;
##############################################################
# Macros
# Grant domain $1 create access on the /service tree (svc_svc_t) and label
# everything it creates there svc_svc_t.  Used for every domain that is
# allowed to populate /service.
define(`svc_filedir_domain', `
create_dir_file($1, svc_svc_t)
file_type_auto_trans($1, svc_svc_t, svc_svc_t);
')
##############################################################
# the domains
# svc_script_t: the svc control tool
daemon_base_domain(svc_script)
svc_filedir_domain(svc_script_t)
# part started by init: init_t transitions into svc_start_t when it runs
# a svc_start_exec_t file
daemon_base_domain(svc_start)
domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)
svc_filedir_domain(svc_start_t)
# also get here from svc_script_t
domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
# the domain for /service/*/run and /service/*/log/run
daemon_sub_domain(svc_start_t, svc_run)
# run scripts may read their configuration, nothing more
r_dir_file(svc_run_t, svc_conf_t)
# the logger
daemon_sub_domain(svc_run_t, svc_multilog)
# files multilog creates inside a svc_log_t directory are labelled svc_log_t
file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);
######
# rules for all those domains
# sysadm can tweak svc_run_exec_t files
allow sysadm_t svc_run_exec_t:file create_file_perms;
# run_init can control svc_script_t and svc_start_t domains
domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
# NOTE(review): entrypoint makes the svc executables entry points of the
# initrc_t domain itself.  If the intent is only that init scripts may run
# them, an execute rule or a domain transition is the usual form - confirm.
allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint;
# init scripts may also create and label files in the /service tree
svc_filedir_domain(initrc_t)
# svc_start_t
allow svc_start_t self:fifo_file rw_file_perms;
# CAP_KILL: signal supervised children running under other uids
allow svc_start_t self:capability kill;
allow svc_start_t self:unix_stream_socket create_socket_perms;
allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms;
allow svc_start_t { var_t var_run_t }:dir search;
can_exec(svc_start_t, bin_t)
can_exec(svc_start_t, shell_exec_t)
# execute_no_trans: the svc_start binaries may run each other without a
# domain change (presumably svscan starting supervise)
allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
allow svc_start_t svc_run_t:process signal;
# expected denials that are only noise; these suppress audit, they grant
# nothing
dontaudit svc_start_t proc_t:file r_file_perms;
dontaudit svc_start_t devtty_t:chr_file { read write };
# svc script
# NOTE(review): sys_admin is a very broad capability and nothing in this
# file shows which operation of the svc tool needs it - confirm, and drop
# or narrow it if possible.
allow svc_script_t self:capability sys_admin;
allow svc_script_t self:fifo_file { getattr read write };
allow svc_script_t self:file r_file_perms;
allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms;
allow svc_script_t bin_t:lnk_file r_file_perms;
can_exec(svc_script_t, bin_t)
can_exec(svc_script_t, shell_exec_t)
allow svc_script_t proc_t:file r_file_perms;
allow svc_script_t shell_exec_t:file rx_file_perms;
allow svc_script_t devtty_t:chr_file rw_file_perms;
allow svc_script_t etc_runtime_t:file r_file_perms;
# the control tool may read, but not modify, run scripts
allow svc_script_t svc_run_exec_t:file r_file_perms;
allow svc_script_t svc_script_exec_t:file execute_no_trans;
allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
allow svc_script_t sysctl_kernel_t:file r_file_perms;
# svc_run_t
# privileges a run script typically uses before starting the real daemon
# (setuidgid, chown of sockets or logs) - the daemon itself is expected to
# get its own domain through the transitions at the end of this file
allow svc_run_t self:capability { setgid setuid chown fsetid };
allow svc_run_t self:fifo_file rw_file_perms;
allow svc_run_t self:file r_file_perms;
allow svc_run_t self:process { fork setrlimit };
allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
allow svc_run_t svc_svc_t:dir r_dir_perms;
allow svc_run_t svc_svc_t:file r_file_perms;
allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
allow svc_run_t { var_t var_run_t }:dir search;
# NOTE(review): executing etc_t and lib_t files is unusual; confirm that
# run scripts really need this rather than relabelling the files involved.
can_exec(svc_run_t, etc_t)
can_exec(svc_run_t, lib_t)
can_exec(svc_run_t, bin_t)
can_exec(svc_run_t, sbin_t)
can_exec(svc_run_t, ls_exec_t)
can_exec(svc_run_t, shell_exec_t)
allow svc_run_t devtty_t:chr_file rw_file_perms;
allow svc_run_t etc_runtime_t:file r_file_perms;
# stat of any executable, e.g. for shell PATH lookups; no execute is
# granted by this rule
allow svc_run_t exec_type:{ file lnk_file } getattr;
allow svc_run_t init_t:fd use;
allow svc_run_t initrc_t:fd use;
allow svc_run_t proc_t:file r_file_perms;
allow svc_run_t sysctl_t:dir search;
allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
allow svc_run_t sysctl_kernel_t:file r_file_perms;
allow svc_run_t var_lib_t:dir r_dir_perms;
# multilog updates /service/*/log/status
# (only append and write are granted here, not create - NOTE(review):
# confirm the status file is created by someone else or adjust)
allow svc_multilog_t svc_svc_t:dir { read search };
allow svc_multilog_t svc_svc_t:file { append write };
# writes to /var/log/*/*
# NOTE(review): this is write and create access to every var_log_t file
# and directory, not only the svc_log_t ones; the type transition above
# only relabels files created inside a svc_log_t directory.  Consider
# restricting multilog to svc_log_t.
allow svc_multilog_t var_t:dir search;
allow svc_multilog_t var_log_t:dir create_dir_perms;
allow svc_multilog_t var_log_t:file create_file_perms;
# misc
allow svc_multilog_t init_t:fd use;
allow svc_start_t svc_multilog_t:process signal;
svc_ipc_domain(svc_multilog_t)
################################################################
# scripts that can be started by daemontools
# keep it sorted please.
# Each block is only compiled in when the matching policy file is present.
# It lets a run script transition into the real daemon domain and lets that
# domain use the svc pipes and descriptors it inherits.
ifdef(`apache.te', `
domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t)
svc_ipc_domain(httpd_t)
dontaudit httpd_t svc_svc_t:dir { search };
')
ifdef(`clamav.te', `
domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t)
svc_ipc_domain(clamd_t)
')
ifdef(`clockspeed.te', `
domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
svc_ipc_domain(clockspeed_t)
r_dir_file(svc_run_t, clockspeed_var_lib_t)
allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr };
')
ifdef(`dante.te', `
domain_auto_trans( svc_run_t, dante_exec_t, dante_t);
svc_ipc_domain(dante_t)
')
# publicfile gets no transition rule here, only the ipc access
ifdef(`publicfile.te', `
svc_ipc_domain(publicfile_t)
')
ifdef(`qmail.te', `
allow svc_run_t qmail_start_exec_t:file rx_file_perms;
domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
r_dir_file(svc_run_t, qmail_etc_t)
svc_ipc_domain(qmail_send_t)
svc_ipc_domain(qmail_start_t)
svc_ipc_domain(qmail_queue_t)
svc_ipc_domain(qmail_smtpd_t)
')
ifdef(`rsyncd.te', `
domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t)
svc_ipc_domain(rsyncd_t)
')
ifdef(`spamd.te', `
domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t)
svc_ipc_domain(spamd_t)
')
ifdef(`ssh.te', `
domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
svc_ipc_domain(sshd_t)
')
ifdef(`stunnel.te', `
domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t)
svc_ipc_domain(stunnel_t)
')
# tcpserver is additionally signalled by the run script that started it
ifdef(`ucspi-tcp.te', `
domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
allow svc_run_t utcpserver_t:process { signal };
svc_ipc_domain(utcpserver_t)
')