7d1f5642b0
Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible.
508 lines
14 KiB
Plaintext
508 lines
14 KiB
Plaintext
policy_module(ricci, 1.7.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type ricci_t;
|
|
type ricci_exec_t;
|
|
init_daemon_domain(ricci_t, ricci_exec_t)
|
|
|
|
type ricci_initrc_exec_t;
|
|
init_script_file(ricci_initrc_exec_t)
|
|
|
|
type ricci_tmp_t;
|
|
files_tmp_file(ricci_tmp_t)
|
|
|
|
type ricci_var_lib_t;
|
|
files_type(ricci_var_lib_t)
|
|
|
|
type ricci_var_log_t;
|
|
logging_log_file(ricci_var_log_t)
|
|
|
|
type ricci_var_run_t;
|
|
files_pid_file(ricci_var_run_t)
|
|
|
|
type ricci_modcluster_t;
|
|
type ricci_modcluster_exec_t;
|
|
domain_type(ricci_modcluster_t)
|
|
domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
|
|
role system_r types ricci_modcluster_t;
|
|
|
|
type ricci_modcluster_var_lib_t;
|
|
files_type(ricci_modcluster_var_lib_t)
|
|
|
|
type ricci_modcluster_var_log_t;
|
|
logging_log_file(ricci_modcluster_var_log_t)
|
|
|
|
type ricci_modcluster_var_run_t;
|
|
files_pid_file(ricci_modcluster_var_run_t)
|
|
|
|
type ricci_modclusterd_t;
|
|
type ricci_modclusterd_exec_t;
|
|
init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t)
|
|
|
|
type ricci_modclusterd_tmpfs_t;
|
|
files_tmpfs_file(ricci_modclusterd_tmpfs_t)
|
|
|
|
type ricci_modlog_t;
|
|
type ricci_modlog_exec_t;
|
|
domain_type(ricci_modlog_t)
|
|
domain_entry_file(ricci_modlog_t, ricci_modlog_exec_t)
|
|
role system_r types ricci_modlog_t;
|
|
|
|
type ricci_modrpm_t;
|
|
type ricci_modrpm_exec_t;
|
|
domain_type(ricci_modrpm_t)
|
|
domain_entry_file(ricci_modrpm_t, ricci_modrpm_exec_t)
|
|
role system_r types ricci_modrpm_t;
|
|
|
|
type ricci_modservice_t;
|
|
type ricci_modservice_exec_t;
|
|
domain_type(ricci_modservice_t)
|
|
domain_entry_file(ricci_modservice_t, ricci_modservice_exec_t)
|
|
role system_r types ricci_modservice_t;
|
|
|
|
type ricci_modstorage_t;
|
|
type ricci_modstorage_exec_t;
|
|
domain_type(ricci_modstorage_t)
|
|
domain_entry_file(ricci_modstorage_t, ricci_modstorage_exec_t)
|
|
role system_r types ricci_modstorage_t;
|
|
|
|
type ricci_modstorage_lock_t;
|
|
files_lock_file(ricci_modstorage_lock_t)
|
|
|
|
########################################
|
|
#
|
|
# ricci local policy
|
|
#
|
|
|
|
allow ricci_t self:capability { setuid sys_nice sys_boot };
|
|
allow ricci_t self:process setsched;
|
|
allow ricci_t self:fifo_file rw_fifo_file_perms;
|
|
allow ricci_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow ricci_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
domain_auto_trans(ricci_t, ricci_modcluster_exec_t, ricci_modcluster_t)
|
|
domain_auto_trans(ricci_t, ricci_modlog_exec_t, ricci_modlog_t)
|
|
domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
|
|
domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
|
|
domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)
|
|
|
|
manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
|
|
manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
|
|
files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
|
|
|
|
manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
|
|
manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
|
|
manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
|
|
files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
|
|
|
|
allow ricci_t ricci_var_log_t:dir setattr_dir_perms;
|
|
manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
|
|
manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
|
|
logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
|
|
|
|
manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
|
|
manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
|
|
files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
|
|
|
|
kernel_read_kernel_sysctls(ricci_t)
|
|
kernel_read_system_state(ricci_t)
|
|
|
|
corecmd_exec_bin(ricci_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(ricci_t)
|
|
corenet_all_recvfrom_netlabel(ricci_t)
|
|
corenet_tcp_sendrecv_generic_if(ricci_t)
|
|
corenet_tcp_sendrecv_generic_node(ricci_t)
|
|
corenet_tcp_sendrecv_all_ports(ricci_t)
|
|
corenet_tcp_bind_generic_node(ricci_t)
|
|
corenet_udp_bind_generic_node(ricci_t)
|
|
corenet_tcp_bind_ricci_port(ricci_t)
|
|
corenet_udp_bind_ricci_port(ricci_t)
|
|
corenet_tcp_connect_http_port(ricci_t)
|
|
|
|
dev_read_urand(ricci_t)
|
|
|
|
domain_read_all_domains_state(ricci_t)
|
|
|
|
files_read_etc_files(ricci_t)
|
|
files_read_etc_runtime_files(ricci_t)
|
|
files_create_boot_flag(ricci_t)
|
|
|
|
auth_domtrans_chk_passwd(ricci_t)
|
|
auth_append_login_records(ricci_t)
|
|
|
|
init_stream_connect_script(ricci_t)
|
|
|
|
locallogin_dontaudit_use_fds(ricci_t)
|
|
|
|
logging_send_syslog_msg(ricci_t)
|
|
|
|
miscfiles_read_localization(ricci_t)
|
|
|
|
sysnet_dns_name_resolve(ricci_t)
|
|
|
|
optional_policy(`
|
|
ccs_read_config(ricci_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(ricci_t)
|
|
|
|
oddjob_dbus_chat(ricci_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# Needed so oddjob can run halt/reboot on behalf of ricci
|
|
corecmd_bin_entry_type(ricci_t)
|
|
term_dontaudit_search_ptys(ricci_t)
|
|
init_exec(ricci_t)
|
|
init_telinit(ricci_t)
|
|
init_rw_utmp(ricci_t)
|
|
|
|
oddjob_system_entry(ricci_t, ricci_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_use_script_fds(ricci_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sasl_connect(ricci_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
shutdown_domtrans(ricci_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_use_fds(ricci_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xen_domtrans_xm(ricci_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# ricci_modcluster local policy
|
|
#
|
|
|
|
allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
|
|
allow ricci_modcluster_t self:process setsched;
|
|
allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
kernel_read_kernel_sysctls(ricci_modcluster_t)
|
|
kernel_read_system_state(ricci_modcluster_t)
|
|
|
|
corecmd_exec_shell(ricci_modcluster_t)
|
|
corecmd_exec_bin(ricci_modcluster_t)
|
|
|
|
corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
|
|
corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
|
|
|
|
domain_read_all_domains_state(ricci_modcluster_t)
|
|
|
|
files_search_locks(ricci_modcluster_t)
|
|
files_read_etc_runtime_files(ricci_modcluster_t)
|
|
files_read_etc_files(ricci_modcluster_t)
|
|
files_search_usr(ricci_modcluster_t)
|
|
|
|
init_exec(ricci_modcluster_t)
|
|
init_domtrans_script(ricci_modcluster_t)
|
|
|
|
logging_send_syslog_msg(ricci_modcluster_t)
|
|
|
|
miscfiles_read_localization(ricci_modcluster_t)
|
|
|
|
modutils_domtrans_insmod(ricci_modcluster_t)
|
|
|
|
mount_domtrans(ricci_modcluster_t)
|
|
|
|
consoletype_exec(ricci_modcluster_t)
|
|
|
|
ricci_stream_connect_modclusterd(ricci_modcluster_t)
|
|
|
|
optional_policy(`
|
|
aisexec_stream_connect(ricci_modcluster_t)
|
|
corosync_stream_connect(ricci_modcluster_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ccs_stream_connect(ricci_modcluster_t)
|
|
ccs_domtrans(ricci_modcluster_t)
|
|
ccs_manage_config(ricci_modcluster_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
lvm_domtrans(ricci_modcluster_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(ricci_modcluster_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
oddjob_system_entry(ricci_modcluster_t, ricci_modcluster_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rgmanager_stream_connect(ricci_modclusterd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# ricci_modclusterd local policy
|
|
#
|
|
|
|
allow ricci_modclusterd_t self:capability { sys_nice sys_tty_config };
|
|
allow ricci_modclusterd_t self:process { signal sigkill setsched };
|
|
allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
|
|
allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
|
|
# cjp: this needs to be fixed for a specific socket type:
|
|
allow ricci_modclusterd_t self:socket create_socket_perms;
|
|
|
|
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
|
|
allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
|
|
|
|
manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
|
|
manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t)
|
|
fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file })
|
|
|
|
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
|
|
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
|
|
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
|
|
logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })
|
|
|
|
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
|
|
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
|
|
files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file })
|
|
|
|
kernel_read_kernel_sysctls(ricci_modclusterd_t)
|
|
kernel_read_system_state(ricci_modclusterd_t)
|
|
kernel_request_load_module(ricci_modclusterd_t)
|
|
|
|
corecmd_exec_bin(ricci_modclusterd_t)
|
|
|
|
corenet_tcp_sendrecv_generic_if(ricci_modclusterd_t)
|
|
corenet_tcp_sendrecv_all_ports(ricci_modclusterd_t)
|
|
corenet_tcp_bind_generic_node(ricci_modclusterd_t)
|
|
corenet_tcp_bind_ricci_modcluster_port(ricci_modclusterd_t)
|
|
corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
|
|
|
|
domain_read_all_domains_state(ricci_modclusterd_t)
|
|
|
|
files_read_etc_files(ricci_modclusterd_t)
|
|
files_read_etc_runtime_files(ricci_modclusterd_t)
|
|
|
|
fs_getattr_xattr_fs(ricci_modclusterd_t)
|
|
|
|
auth_use_nsswitch(ricci_modclusterd_t)
|
|
|
|
init_stream_connect_script(ricci_modclusterd_t)
|
|
|
|
locallogin_dontaudit_use_fds(ricci_modclusterd_t)
|
|
|
|
logging_send_syslog_msg(ricci_modclusterd_t)
|
|
|
|
miscfiles_read_localization(ricci_modclusterd_t)
|
|
|
|
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
|
|
|
|
optional_policy(`
|
|
aisexec_stream_connect(ricci_modclusterd_t)
|
|
corosync_stream_connect(ricci_modclusterd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ccs_domtrans(ricci_modclusterd_t)
|
|
ccs_stream_connect(ricci_modclusterd_t)
|
|
ccs_read_config(ricci_modclusterd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rgmanager_stream_connect(ricci_modclusterd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_use_fds(ricci_modclusterd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# ricci_modlog local policy
|
|
#
|
|
|
|
allow ricci_modlog_t self:capability sys_nice;
|
|
allow ricci_modlog_t self:process setsched;
|
|
|
|
kernel_read_kernel_sysctls(ricci_modlog_t)
|
|
kernel_read_system_state(ricci_modlog_t)
|
|
|
|
corecmd_exec_bin(ricci_modlog_t)
|
|
|
|
domain_read_all_domains_state(ricci_modlog_t)
|
|
|
|
files_read_etc_files(ricci_modlog_t)
|
|
files_search_usr(ricci_modlog_t)
|
|
|
|
logging_read_generic_logs(ricci_modlog_t)
|
|
|
|
miscfiles_read_localization(ricci_modlog_t)
|
|
|
|
optional_policy(`
|
|
nscd_dontaudit_search_pid(ricci_modlog_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
oddjob_system_entry(ricci_modlog_t, ricci_modlog_exec_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# ricci_modrpm local policy
|
|
#
|
|
|
|
allow ricci_modrpm_t self:fifo_file read_fifo_file_perms;
|
|
|
|
kernel_read_kernel_sysctls(ricci_modrpm_t)
|
|
|
|
corecmd_exec_bin(ricci_modrpm_t)
|
|
|
|
files_search_usr(ricci_modrpm_t)
|
|
files_read_etc_files(ricci_modrpm_t)
|
|
|
|
miscfiles_read_localization(ricci_modrpm_t)
|
|
|
|
optional_policy(`
|
|
oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_domtrans(ricci_modrpm_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# ricci_modservice local policy
|
|
#
|
|
|
|
allow ricci_modservice_t self:capability { dac_override sys_nice };
|
|
allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
|
|
allow ricci_modservice_t self:process setsched;
|
|
|
|
kernel_read_kernel_sysctls(ricci_modservice_t)
|
|
kernel_read_system_state(ricci_modservice_t)
|
|
|
|
corecmd_exec_bin(ricci_modservice_t)
|
|
corecmd_exec_shell(ricci_modservice_t)
|
|
|
|
files_read_etc_files(ricci_modservice_t)
|
|
files_read_etc_runtime_files(ricci_modservice_t)
|
|
files_search_usr(ricci_modservice_t)
|
|
# Needed for running chkconfig
|
|
files_manage_etc_symlinks(ricci_modservice_t)
|
|
|
|
consoletype_exec(ricci_modservice_t)
|
|
|
|
init_domtrans_script(ricci_modservice_t)
|
|
|
|
miscfiles_read_localization(ricci_modservice_t)
|
|
|
|
optional_policy(`
|
|
ccs_read_config(ricci_modservice_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_dontaudit_search_pid(ricci_modservice_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
oddjob_system_entry(ricci_modservice_t, ricci_modservice_exec_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# ricci_modstorage local policy
|
|
#
|
|
|
|
allow ricci_modstorage_t self:process { setsched signal };
|
|
dontaudit ricci_modstorage_t self:process ptrace;
|
|
allow ricci_modstorage_t self:capability { mknod sys_nice };
|
|
allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
|
|
allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
kernel_read_kernel_sysctls(ricci_modstorage_t)
|
|
kernel_read_system_state(ricci_modstorage_t)
|
|
|
|
create_files_pattern(ricci_modstorage_t, ricci_modstorage_lock_t, ricci_modstorage_lock_t)
|
|
files_lock_filetrans(ricci_modstorage_t, ricci_modstorage_lock_t, file)
|
|
|
|
corecmd_exec_shell(ricci_modstorage_t)
|
|
corecmd_exec_bin(ricci_modstorage_t)
|
|
|
|
dev_read_sysfs(ricci_modstorage_t)
|
|
dev_read_urand(ricci_modstorage_t)
|
|
dev_manage_generic_blk_files(ricci_modstorage_t)
|
|
|
|
domain_read_all_domains_state(ricci_modstorage_t)
|
|
|
|
#Needed for editing /etc/fstab
|
|
files_manage_etc_files(ricci_modstorage_t)
|
|
files_read_etc_runtime_files(ricci_modstorage_t)
|
|
files_read_usr_files(ricci_modstorage_t)
|
|
files_read_kernel_modules(ricci_modstorage_t)
|
|
|
|
files_create_default_dir(ricci_modstorage_t)
|
|
files_root_filetrans_default(ricci_modstorage_t, dir)
|
|
files_mounton_default(ricci_modstorage_t)
|
|
files_manage_default_dirs(ricci_modstorage_t)
|
|
files_manage_default_files(ricci_modstorage_t)
|
|
|
|
storage_raw_read_fixed_disk(ricci_modstorage_t)
|
|
|
|
term_dontaudit_use_console(ricci_modstorage_t)
|
|
|
|
fstools_domtrans(ricci_modstorage_t)
|
|
|
|
logging_send_syslog_msg(ricci_modstorage_t)
|
|
|
|
miscfiles_read_localization(ricci_modstorage_t)
|
|
|
|
modutils_read_module_deps(ricci_modstorage_t)
|
|
|
|
consoletype_exec(ricci_modstorage_t)
|
|
|
|
mount_domtrans(ricci_modstorage_t)
|
|
|
|
optional_policy(`
|
|
aisexec_stream_connect(ricci_modstorage_t)
|
|
corosync_stream_connect(ricci_modstorage_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ccs_stream_connect(ricci_modstorage_t)
|
|
ccs_read_config(ricci_modstorage_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
lvm_domtrans(ricci_modstorage_t)
|
|
lvm_manage_config(ricci_modstorage_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(ricci_modstorage_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
oddjob_system_entry(ricci_modstorage_t, ricci_modstorage_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
raid_domtrans_mdadm(ricci_modstorage_t)
|
|
')
|