selinux-policy/policy/modules/services/ccs.te

policy_module(ccs, 1.5.0)

########################################
#
# Declarations
#

type ccs_t;
type ccs_exec_t;
init_daemon_domain(ccs_t, ccs_exec_t)

type cluster_conf_t;
files_type(cluster_conf_t)

type ccs_tmp_t;
files_tmp_file(ccs_tmp_t)

type ccs_tmpfs_t;
files_tmpfs_file(ccs_tmpfs_t)

type ccs_var_lib_t;
logging_log_file(ccs_var_lib_t)

type ccs_var_log_t;
logging_log_file(ccs_var_log_t)

type ccs_var_run_t;
files_pid_file(ccs_var_run_t)

########################################
#
# ccs local policy
#

allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
allow ccs_t self:process { signal setrlimit setsched };
dontaudit ccs_t self:process ptrace;
allow ccs_t self:fifo_file rw_fifo_file_perms;
allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow ccs_t self:unix_dgram_socket create_socket_perms;
allow ccs_t self:netlink_route_socket r_netlink_socket_perms;
allow ccs_t self:tcp_socket create_stream_socket_perms;
allow ccs_t self:udp_socket { create_socket_perms listen recv_msg send_msg };
# cjp: this needs to be fixed to be specific
allow ccs_t self:socket create_socket_perms;

manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t)

# tmp file
allow ccs_t ccs_tmp_t:dir manage_dir_perms;
manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })

manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file })

# var lib files
manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })

allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })

# pid file
manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file })

kernel_read_kernel_sysctls(ccs_t)

corecmd_list_bin(ccs_t)
corecmd_exec_bin(ccs_t)

corenet_all_recvfrom_unlabeled(ccs_t)
corenet_all_recvfrom_netlabel(ccs_t)
corenet_tcp_sendrecv_generic_if(ccs_t)
corenet_udp_sendrecv_generic_if(ccs_t)
corenet_tcp_sendrecv_generic_node(ccs_t)
corenet_udp_sendrecv_generic_node(ccs_t)
corenet_tcp_sendrecv_all_ports(ccs_t)
corenet_udp_sendrecv_all_ports(ccs_t)
corenet_tcp_bind_generic_node(ccs_t)
corenet_udp_bind_generic_node(ccs_t)
corenet_tcp_bind_cluster_port(ccs_t)
corenet_udp_bind_cluster_port(ccs_t)
corenet_udp_bind_netsupport_port(ccs_t)

dev_read_urand(ccs_t)

files_read_etc_files(ccs_t)
files_read_etc_runtime_files(ccs_t)

init_rw_script_tmp_files(ccs_t)

logging_send_syslog_msg(ccs_t)

miscfiles_read_localization(ccs_t)

sysnet_dns_name_resolve(ccs_t)

userdom_manage_unpriv_user_shared_mem(ccs_t)
userdom_manage_unpriv_user_semaphores(ccs_t)

ifdef(`hide_broken_symptoms',`
	corecmd_dontaudit_write_bin_dirs(ccs_t)
	files_manage_isid_type_files(ccs_t)
')

optional_policy(`
	aisexec_stream_connect(ccs_t)
	corosync_stream_connect(ccs_t)
')

optional_policy(`
	qpidd_rw_semaphores(ccs_t)
	qpidd_rw_shm(ccs_t)
')

optional_policy(`
	unconfined_use_fds(ccs_t)
')