#DESC Daemontools - Tools for managing UNIX services
#
# Author: Petre Rodan <kaiowas@gentoo.org>
# with the help of Chris PeBenito, Russell Coker and Tad Glines
#

#
# selinux policy for daemontools
# http://cr.yp.to/daemontools.html
#
# thanks for D. J. Bernstein and the NSA team for the great software
# they provide
#
# Layout of this file: type definitions, one local m4 macro, the four
# daemon domains (svc_script_t for the boot script, svc_start_t for the
# part started from init/initrc, svc_run_t for the per-service run
# scripts and svc_multilog_t for the logger), the allow rules for each
# of them, and one ifdef block per service daemontools may supervise.
# The shared macros used here (daemon_base_domain, daemon_sub_domain,
# domain_auto_trans, file_type_auto_trans, create_dir_file, r_dir_file,
# can_exec) come from the global policy macros, not from this file.
# NOTE(review): svc_ipc_domain is also called below but is not defined
# anywhere in this file - confirm it exists in the macro set this policy
# is built with; otherwise m4 leaves the call unexpanded and the policy
# does not compile.

##############################################################
# type definitions
#
# All three carry file_type and sysadmfile, so sysadm_t can manage them.
# svc_conf_t - files the run scripts may read (r_dir_file below)
# svc_log_t  - log files multilog creates (file_type_auto_trans below)
# svc_svc_t  - the service directory tree: run scripts and the status
#              files multilog writes (see the rules below)
# No path is labelled here; that is done by the file contexts.

type svc_conf_t, file_type, sysadmfile;
type svc_log_t, file_type, sysadmfile;
type svc_svc_t, file_type, sysadmfile;


##############################################################
# Macros
# svc_filedir_domain(domain): grants create_dir_file on svc_svc_t to the
# domain passed as first argument, and labels whatever it creates inside
# an svc_svc_t directory as svc_svc_t too. Style: the trailing ; after
# file_type_auto_trans is inconsistent with the other macro calls here.
define(`svc_filedir_domain', `
create_dir_file($1, svc_svc_t)
file_type_auto_trans($1, svc_svc_t, svc_svc_t);
')

##############################################################
# the domains
# svc_script_t and svc_script_exec_t (both used below) presumably come
# from this macro. The script gets full write access to the svc_svc_t
# tree through svc_filedir_domain.
daemon_base_domain(svc_script)
svc_filedir_domain(svc_script_t)

# part started by initrc_t
# svc_start_t is entered from init_t by executing svc_start_exec_t.
daemon_base_domain(svc_start)
domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)
svc_filedir_domain(svc_start_t)

# also get here from svc_script_t
domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)

# the domain for /service/*/run and /service/*/log/run
# svc_run_t is a sub-domain entered from svc_start_t. This file grants
# it read access to svc_conf_t only; no rule lets it write that type.
daemon_sub_domain(svc_start_t, svc_run)
r_dir_file(svc_run_t, svc_conf_t)

# the logger
# svc_multilog_t is entered from svc_run_t; plain files it creates in
# svc_log_t directories are labelled svc_log_t (same trailing ; style
# inconsistency as in svc_filedir_domain).
daemon_sub_domain(svc_run_t, svc_multilog)
file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);

######
# rules for all those domains

# sysadm can tweak svc_run_exec_t files
allow sysadm_t svc_run_exec_t:file create_file_perms;

# run_init can control svc_script_t and svc_start_t domains
domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
# both exec types are also entry points of initrc_t itself, and initrc_t
# gets create/write access to the svc_svc_t tree through the macro.
allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint;
svc_filedir_domain(initrc_t)

# svc_start_t
# fifos and unix sockets for talking to its children; the kill
# capability covers signalling processes that run under another uid
# (the process:signal rules below name the target domains).
allow svc_start_t self:fifo_file rw_file_perms;
allow svc_start_t self:capability kill;
allow svc_start_t self:unix_stream_socket create_socket_perms;

# read-only view of bin/sbin/etc, search of var and var_run
allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms;
allow svc_start_t { var_t var_run_t }:dir search;
can_exec(svc_start_t, bin_t)
can_exec(svc_start_t, shell_exec_t)
# execute_no_trans: may re-exec its own binaries without a domain change
allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
allow svc_start_t svc_run_t:process signal;
# still denied, just not logged - keeps the audit log quiet
dontaudit svc_start_t proc_t:file r_file_perms;
dontaudit svc_start_t devtty_t:chr_file { read write };

# svc script
# NOTE(review): sys_admin is the widest capability there is, and no rule
# in this file shows which operation of the boot script needs it -
# confirm the need and drop it if the script works without it.
allow svc_script_t self:capability sys_admin;
allow svc_script_t self:fifo_file { getattr read write };
allow svc_script_t self:file r_file_perms;
allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms;
allow svc_script_t bin_t:lnk_file r_file_perms;
can_exec(svc_script_t, bin_t)
can_exec(svc_script_t, shell_exec_t)
allow svc_script_t proc_t:file r_file_perms;
allow svc_script_t shell_exec_t:file rx_file_perms;
allow svc_script_t devtty_t:chr_file rw_file_perms;
allow svc_script_t etc_runtime_t:file r_file_perms;
# run scripts: read only, no execute is granted to this domain
allow svc_script_t svc_run_exec_t:file r_file_perms;
# re-exec itself without a domain change
allow svc_script_t svc_script_exec_t:file execute_no_trans;
allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
allow svc_script_t sysctl_kernel_t:file r_file_perms;

# svc_run_t
# NOTE(review): setuid/setgid/chown/fsetid let a run script change
# credentials and file ownership; presumably for helpers such as
# setuidgid that drop privileges before exec - confirm that is the only
# use, since every run script shares this domain.
allow svc_run_t self:capability { setgid setuid chown fsetid };
allow svc_run_t self:fifo_file rw_file_perms;
allow svc_run_t self:file r_file_perms;
# setrlimit is presumably for the softlimit helper - verify
allow svc_run_t self:process { fork setrlimit };
allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
allow svc_run_t svc_svc_t:dir r_dir_perms;
allow svc_run_t svc_svc_t:file r_file_perms;
# execute_no_trans: a run script may exec another run script in place
allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
allow svc_run_t { var_t var_run_t }:dir search;
# NOTE(review): can_exec on etc_t and lib_t covers the generic /etc and
# library file types, a much wider set than the other exec types listed
# here - confirm which helpers are actually run from there and prefer a
# dedicated exec type where possible.
can_exec(svc_run_t, etc_t)
can_exec(svc_run_t, lib_t)
can_exec(svc_run_t, bin_t)
can_exec(svc_run_t, sbin_t)
can_exec(svc_run_t, ls_exec_t)
can_exec(svc_run_t, shell_exec_t)
allow svc_run_t devtty_t:chr_file rw_file_perms;
allow svc_run_t etc_runtime_t:file r_file_perms;
# exec_type is the attribute shared by executable types; this rule only
# grants stat (getattr), not execute
allow svc_run_t exec_type:{ file lnk_file } getattr;
# use file descriptors handed down from init and initrc
allow svc_run_t init_t:fd use;
allow svc_run_t initrc_t:fd use;
allow svc_run_t proc_t:file r_file_perms;
allow svc_run_t sysctl_t:dir search;
allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
allow svc_run_t sysctl_kernel_t:file r_file_perms;
allow svc_run_t var_lib_t:dir r_dir_perms;

# multilog creates /service/*/log/status
# note: append and write on svc_svc_t files, but no create - the status
# file must already exist with that label
allow svc_multilog_t svc_svc_t:dir { read search };
allow svc_multilog_t svc_svc_t:file { append write };
# writes to /var/log/*/*
allow svc_multilog_t var_t:dir search;
allow svc_multilog_t var_log_t:dir create_dir_perms;
allow svc_multilog_t var_log_t:file create_file_perms;
# misc
allow svc_multilog_t init_t:fd use;
allow svc_start_t svc_multilog_t:process signal;
svc_ipc_domain(svc_multilog_t)

################################################################
# scripts that can be started by daemontools
# keep it sorted please.
#
# Each block is expanded only when the named policy source is part of
# the build. Every block lets the run script (svc_run_t) transition into
# the service domain through its exec type, then applies svc_ipc_domain
# to that domain (macro not defined in this file; presumably it returns
# the fd/pipe access the service needs towards supervise and multilog -
# confirm). Style: the dante block ends domain_auto_trans with a ; and
# the clockspeed, dante and stunnel blocks put a space after the
# opening parenthesis; the other blocks do neither.

ifdef(`apache.te', `
domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t)
svc_ipc_domain(httpd_t)
dontaudit httpd_t svc_svc_t:dir { search };
')

ifdef(`clamav.te', `
domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t)
svc_ipc_domain(clamd_t)
')

ifdef(`clockspeed.te', `
domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
svc_ipc_domain(clockspeed_t)
r_dir_file(svc_run_t, clockspeed_var_lib_t)
allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr };
')

ifdef(`dante.te', `
domain_auto_trans( svc_run_t, dante_exec_t, dante_t);
svc_ipc_domain(dante_t)
')

ifdef(`publicfile.te', `
svc_ipc_domain(publicfile_t)
')

ifdef(`qmail.te', `
allow svc_run_t qmail_start_exec_t:file rx_file_perms;
domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
r_dir_file(svc_run_t, qmail_etc_t)
svc_ipc_domain(qmail_send_t)
svc_ipc_domain(qmail_start_t)
svc_ipc_domain(qmail_queue_t)
svc_ipc_domain(qmail_smtpd_t)
')

ifdef(`rsyncd.te', `
domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t)
svc_ipc_domain(rsyncd_t)
')

ifdef(`spamd.te', `
domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t)
svc_ipc_domain(spamd_t)
')

ifdef(`ssh.te', `
domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
svc_ipc_domain(sshd_t)
')

ifdef(`stunnel.te', `
domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t)
svc_ipc_domain(stunnel_t)
')

ifdef(`ucspi-tcp.te', `
domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
allow svc_run_t utcpserver_t:process { signal };
svc_ipc_domain(utcpserver_t)
')
