## SELinux policy for Aisexec Cluster Engine ######################################## ## ## Execute a domain transition to run aisexec. ## ## ## ## Domain allowed access. ## ## # interface(`aisexec_domtrans',` gen_require(` type aisexec_t, aisexec_exec_t; ') domtrans_pattern($1, aisexec_exec_t, aisexec_t) ') ##################################### ## ## Connect to aisexec over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`aisexec_stream_connect',` gen_require(` type aisexec_t, aisexec_var_run_t; ') files_search_pids($1) stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t) ') ####################################### ## ## Allow the specified domain to read aisexec's log files. ## ## ## ## Domain allowed access. ## ## # interface(`aisexec_read_log',` gen_require(` type aisexec_var_log_t; ') logging_search_logs($1) list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t) read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t) ') ###################################### ## ## All of the rules required to administrate ## an aisexec environment ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed to manage the aisexecd domain. ## ## ## # interface(`aisexecd_admin',` gen_require(` type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t; type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t; type aisexec_initrc_exec_t; ') allow $1 aisexec_t:process { ptrace signal_perms }; ps_process_pattern($1, aisexec_t) init_labeled_script_domtrans($1, aisexec_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 aisexec_initrc_exec_t system_r; allow $2 system_r; files_list_var_lib($1) admin_pattern($1, aisexec_var_lib_t) logging_list_logs($1) admin_pattern($1, aisexec_var_log_t) files_list_pids($1) admin_pattern($1, aisexec_var_run_t) files_list_tmp($1) admin_pattern($1, aisexec_tmp_t) admin_pattern($1, aisexec_tmpfs_t) ')