119 lines
2.7 KiB
Plaintext
119 lines
2.7 KiB
Plaintext
|
|
policy_module(daemontools,1.2.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type svc_conf_t;
|
|
files_type(svc_conf_t)
|
|
|
|
type svc_log_t;
|
|
files_type(svc_log_t)
|
|
|
|
type svc_multilog_t;
|
|
type svc_multilog_exec_t;
|
|
application_domain(svc_multilog_t,svc_multilog_exec_t)
|
|
role system_r types svc_multilog_t;
|
|
|
|
type svc_run_t;
|
|
type svc_run_exec_t;
|
|
application_domain(svc_run_t,svc_run_exec_t)
|
|
role system_r types svc_run_t;
|
|
|
|
type svc_start_t;
|
|
type svc_start_exec_t;
|
|
init_domain(svc_start_t,svc_start_exec_t)
|
|
init_system_domain(svc_start_t,svc_start_exec_t)
|
|
role system_r types svc_start_t;
|
|
|
|
type svc_svc_t;
|
|
files_type(svc_svc_t)
|
|
|
|
########################################
|
|
#
|
|
# multilog local policy
|
|
#
|
|
|
|
# multilog creates /service/*/log/status
|
|
manage_files_pattern(svc_multilog_t,svc_svc_t,svc_svc_t)
|
|
|
|
init_use_fds(svc_multilog_t)
|
|
|
|
libs_use_ld_so(svc_multilog_t)
|
|
libs_use_shared_libs(svc_multilog_t)
|
|
|
|
# writes to /var/log/*/*
|
|
logging_manage_generic_logs(svc_multilog_t)
|
|
|
|
daemontools_ipc_domain(svc_multilog_t)
|
|
|
|
########################################
|
|
#
|
|
# local policy for binaries that impose
|
|
# a given environment to supervised daemons
|
|
# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
|
|
#
|
|
|
|
allow svc_run_t self:capability { setgid setuid chown fsetid };
|
|
allow svc_run_t self:process setrlimit;
|
|
allow svc_run_t self:fifo_file rw_fifo_file_perms;
|
|
allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow svc_run_t svc_conf_t:dir list_dir_perms;
|
|
allow svc_run_t svc_conf_t:file read_file_perms;
|
|
|
|
can_exec(svc_run_t, svc_run_exec_t)
|
|
|
|
kernel_read_system_state(svc_run_t)
|
|
|
|
corecmd_exec_bin(svc_run_t)
|
|
corecmd_exec_shell(svc_run_t)
|
|
|
|
files_read_etc_files(svc_run_t)
|
|
files_read_etc_runtime_files(svc_run_t)
|
|
files_search_pids(svc_run_t)
|
|
files_search_var_lib(svc_run_t)
|
|
|
|
init_use_script_fds(svc_run_t)
|
|
init_use_fds(svc_run_t)
|
|
|
|
libs_use_ld_so(svc_run_t)
|
|
libs_use_shared_libs(svc_run_t)
|
|
|
|
daemontools_domtrans_multilog(svc_run_t)
|
|
daemontools_read_svc(svc_run_t)
|
|
|
|
optional_policy(`
|
|
qmail_read_config(svc_run_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# local policy for service monitoring programs
|
|
# ie svc, svscan, supervise ...
|
|
#
|
|
|
|
allow svc_start_t svc_run_t:process signal;
|
|
|
|
allow svc_start_t self:fifo_file rw_fifo_file_perms;
|
|
allow svc_start_t self:capability kill;
|
|
allow svc_start_t self:unix_stream_socket create_socket_perms;
|
|
|
|
can_exec(svc_start_t, svc_start_exec_t)
|
|
|
|
corecmd_exec_bin(svc_start_t)
|
|
corecmd_exec_shell(svc_start_t)
|
|
|
|
files_read_etc_files(svc_start_t)
|
|
files_read_etc_runtime_files(svc_start_t)
|
|
files_search_var(svc_start_t)
|
|
files_search_pids(svc_start_t)
|
|
|
|
libs_use_ld_so(svc_start_t)
|
|
libs_use_shared_libs(svc_start_t)
|
|
|
|
daemontools_domtrans_run(svc_start_t)
|
|
daemontools_manage_svc(svc_start_t)
|