a25335e1fa
Redundant brace nothing to expand here. Redundant brace nothing to expand here. Redundant brace nothing to expand here. Redundant brace nothing to expand here. Redundant brace nothing to expand here.
119 lines
3.2 KiB
Plaintext
119 lines
3.2 KiB
Plaintext
policy_module(varnishd, 1.1.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow varnishd to connect to all ports,
|
|
## not just HTTP.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(varnishd_connect_any, false)
|
|
|
|
type varnishd_t;
|
|
type varnishd_exec_t;
|
|
init_daemon_domain(varnishd_t, varnishd_exec_t)
|
|
|
|
type varnishd_initrc_exec_t;
|
|
init_script_file(varnishd_initrc_exec_t)
|
|
|
|
type varnishd_etc_t;
|
|
files_type(varnishd_etc_t)
|
|
|
|
type varnishd_tmp_t;
|
|
files_tmp_file(varnishd_tmp_t)
|
|
|
|
type varnishd_var_lib_t;
|
|
files_type(varnishd_var_lib_t)
|
|
|
|
type varnishd_var_run_t;
|
|
files_pid_file(varnishd_var_run_t)
|
|
|
|
type varnishlog_t;
|
|
type varnishlog_exec_t;
|
|
init_daemon_domain(varnishlog_t, varnishlog_exec_t)
|
|
|
|
type varnishlog_initrc_exec_t;
|
|
init_script_file(varnishlog_initrc_exec_t)
|
|
|
|
type varnishlog_var_run_t;
|
|
files_pid_file(varnishlog_var_run_t)
|
|
|
|
type varnishlog_log_t;
|
|
files_type(varnishlog_log_t)
|
|
|
|
########################################
|
|
#
|
|
# varnishd local policy
|
|
#
|
|
|
|
allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
|
|
dontaudit varnishd_t self:capability sys_tty_config;
|
|
allow varnishd_t self:process signal;
|
|
allow varnishd_t self:fifo_file rw_fifo_file_perms;
|
|
allow varnishd_t self:tcp_socket create_stream_socket_perms;
|
|
allow varnishd_t self:udp_socket create_socket_perms;
|
|
|
|
read_files_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
|
|
list_dirs_pattern(varnishd_t, varnishd_etc_t, varnishd_etc_t)
|
|
|
|
manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
|
|
manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
|
|
files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir })
|
|
|
|
exec_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
|
|
manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
|
|
manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
|
|
files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })
|
|
|
|
manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
|
|
files_pid_filetrans(varnishd_t, varnishd_var_run_t, file)
|
|
|
|
kernel_read_system_state(varnishd_t)
|
|
|
|
corecmd_exec_bin(varnishd_t)
|
|
corecmd_exec_shell(varnishd_t)
|
|
|
|
corenet_tcp_sendrecv_generic_if(varnishd_t)
|
|
corenet_tcp_bind_generic_node(varnishd_t)
|
|
corenet_tcp_bind_http_port(varnishd_t)
|
|
corenet_tcp_bind_http_cache_port(varnishd_t)
|
|
corenet_tcp_bind_varnishd_port(varnishd_t)
|
|
corenet_tcp_connect_http_cache_port(varnishd_t)
|
|
corenet_tcp_connect_http_port(varnishd_t)
|
|
|
|
dev_read_urand(varnishd_t)
|
|
|
|
fs_getattr_all_fs(varnishd_t)
|
|
|
|
auth_use_nsswitch(varnishd_t)
|
|
|
|
logging_send_syslog_msg(varnishd_t)
|
|
|
|
miscfiles_read_localization(varnishd_t)
|
|
|
|
sysnet_read_config(varnishd_t)
|
|
|
|
tunable_policy(`varnishd_connect_any',`
|
|
corenet_tcp_connect_all_ports(varnishd_t)
|
|
corenet_tcp_bind_all_ports(varnishd_t)
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# varnishlog local policy
|
|
#
|
|
|
|
manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
|
|
files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)
|
|
|
|
manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
|
|
manage_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
|
|
logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })
|
|
|
|
files_search_var_lib(varnishlog_t)
|
|
read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)
|