policy_module(aisexec, 1.0.0) ######################################## # # Declarations # type aisexec_t; type aisexec_exec_t; init_daemon_domain(aisexec_t, aisexec_exec_t) type aisexec_initrc_exec_t; init_script_file(aisexec_initrc_exec_t); # tmp files type aisexec_tmp_t; files_tmp_file(aisexec_tmp_t) type aisexec_tmpfs_t; files_tmpfs_file(aisexec_tmpfs_t) # var/lib files type aisexec_var_lib_t; files_type(aisexec_var_lib_t) # log files type aisexec_var_log_t; logging_log_file(aisexec_var_log_t) # pid files type aisexec_var_run_t; files_pid_file(aisexec_var_run_t) ######################################## # # aisexec local policy # allow aisexec_t self:capability { sys_nice sys_resource ipc_lock }; allow aisexec_t self:process { setrlimit setsched signal }; allow aisexec_t self:fifo_file rw_fifo_file_perms; allow aisexec_t self:sem create_sem_perms; allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow aisexec_t self:unix_dgram_socket create_socket_perms; allow aisexec_t self:udp_socket create_socket_perms; # tmp files manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t) files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir }) manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t) fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file }) # var/lib files manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t) files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file }) # log files manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t) logging_log_filetrans(aisexec_t,aisexec_var_log_t,{ sock_file file }) # pid file manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t) files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file }) kernel_read_system_state(aisexec_t) corecmd_exec_bin(aisexec_t) corenet_udp_bind_netsupport_port(aisexec_t) corenet_tcp_bind_reserved_port(aisexec_t) corenet_udp_bind_cluster_port(aisexec_t) dev_read_urand(aisexec_t) files_manage_mounttab(aisexec_t) auth_use_nsswitch(aisexec_t) init_rw_script_tmp_files(aisexec_t) libs_use_ld_so(aisexec_t) libs_use_shared_libs(aisexec_t) logging_send_syslog_msg(aisexec_t) miscfiles_read_localization(aisexec_t) optional_policy(` ccs_stream_connect(aisexec_t) ') optional_policy(` # to communication with RHCS dlm_controld_manage_tmpfs_files(aisexec_t) dlm_controld_rw_semaphores(aisexec_t) fenced_manage_tmpfs_files(aisexec_t) fenced_rw_semaphores(aisexec_t) gfs_controld_manage_tmpfs_files(aisexec_t) gfs_controld_rw_semaphores(aisexec_t) gfs_controld_t_rw_shm(aisexec_t) groupd_manage_tmpfs_files(aisexec_t) groupd_rw_semaphores(aisexec_t) groupd_rw_shm(aisexec_t) ')