#DESC Daemontools - Tools for managing UNIX services
#
# Author:  Petre Rodan <kaiowas@gentoo.org>
# with the help of Chris PeBenito, Russell Coker and Tad Glines
# 
#
# selinux policy for daemontools
# http://cr.yp.to/daemontools.html
#
# thanks to D. J. Bernstein and the NSA team for the great software
# they provide
#
##############################################################
# type definitions
#
# All three types carry file_type and sysadmfile, so the administrator
# domain can manage them like any other administrative file.

# svc_conf_t: configuration the run domain may read.  The only rule in
# this file that touches it is r_dir_file(svc_run_t, svc_conf_t) below.
type svc_conf_t, file_type, sysadmfile;
# svc_log_t: output of the multilog logger.  Files multilog creates
# inside an svc_log_t directory are labelled svc_log_t by the
# file_type_auto_trans rule in the logger section below.
type svc_log_t, file_type, sysadmfile;
# svc_svc_t: the supervised service tree itself (/service/*/run,
# /service/*/log/run and whatever supervise/multilog write under it).
type svc_svc_t, file_type, sysadmfile;

##############################################################
# Macros

# svc_filedir_domain(domain)
#
# Give the named domain create/read/write access to directories and
# files in the service tree (svc_svc_t), and label anything it creates
# inside an svc_svc_t directory as svc_svc_t, so the tree keeps a single
# type no matter which domain populates it.  Applied below to
# svc_script_t, svc_start_t and initrc_t.
# NOTE(review): the trailing semicolon after file_type_auto_trans is
# inconsistent with the create_dir_file call above it (the dante entry
# near the end of the file spells it the same way); it evidently builds,
# but one style should be picked.
define(`svc_filedir_domain', `
create_dir_file($1, svc_svc_t)
file_type_auto_trans($1, svc_svc_t, svc_svc_t);
')

##############################################################
# the domains

# svc_script_t: the wrapper script domain.  daemon_base_domain declares
# svc_script_t and its entry type svc_script_exec_t.  The domain is
# entered from run_init_t (see "rules for all those domains") and hands
# over to svc_start_t when it execs the start binary.  It may populate
# the service tree.
daemon_base_domain(svc_script)
svc_filedir_domain(svc_script_t)

# svc_start_t: the supervisor side (presumably svscan/svscanboot and
# supervise; the start binaries re-exec one another inside this domain,
# see the execute_no_trans rule in the svc_start_t section).  The
# transition below fires when init_t itself runs the start binary
# (typically from /etc/inittab); note it is init_t, not initrc_t.  The
# initrc_t and run_init_t paths are handled under "rules for all those
# domains".
daemon_base_domain(svc_start)
domain_auto_trans(init_t, svc_start_exec_t, svc_start_t)
svc_filedir_domain(svc_start_t)

# also get here from svc_script_t
domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)

# svc_run_t: the domain for /service/*/run and /service/*/log/run,
# entered from svc_start_t.  Run scripts may read svc_conf_t
# configuration.  A daemon that a run script execs without a domain
# transition of its own (see the ifdef list at the end of the file)
# keeps running in this domain, with everything it is allowed below.
daemon_sub_domain(svc_start_t, svc_run)
r_dir_file(svc_run_t, svc_conf_t)

# svc_multilog_t: the logger, entered from svc_run_t when log/run execs
# multilog.  New regular files (class file only) that multilog creates in
# an svc_log_t directory are labelled svc_log_t.
daemon_sub_domain(svc_run_t, svc_multilog)
file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);

######
# rules for all those domains

# sysadm can tweak svc_run_exec_t files
allow sysadm_t svc_run_exec_t:file create_file_perms;

# run_init can control svc_script_t and svc_start_t domains
domain_auto_trans(run_init_t, svc_script_exec_t, svc_script_t)
domain_auto_trans(run_init_t, svc_start_exec_t, svc_start_t)
# The daemontools binaries are also valid entry points into initrc_t,
# and initrc_t may populate the service tree.
# NOTE(review): no rule in this file transitions into initrc_t through
# these files, and daemon_base_domain (defined outside this file) may
# already give initrc_t its own transition into the daemontools
# domains.  If nothing else relies on the entrypoint, it can be dropped;
# confirm with the shared macros before removing.
allow initrc_t { svc_script_exec_t svc_start_exec_t }:file entrypoint;
svc_filedir_domain(initrc_t)

# svc_start_t
# Pipes and sockets between its own processes, plus the kill capability
# (presumably so it can signal supervised children running under other
# uids).
allow svc_start_t self:fifo_file rw_file_perms;
allow svc_start_t self:capability kill;
allow svc_start_t self:unix_stream_socket create_socket_perms;

# Enough of the base system to locate and exec helpers and shells.
allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
allow svc_start_t { etc_t etc_runtime_t }:file r_file_perms;
allow svc_start_t { var_t var_run_t }:dir search;
can_exec(svc_start_t, bin_t)
can_exec(svc_start_t, shell_exec_t)
# The start binaries exec one another without a domain change
# (execute_no_trans), so e.g. svscan -> supervise stays in svc_start_t.
allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
# The supervisor stops/restarts the run script.
allow svc_start_t svc_run_t:process signal;
# Harmless probes that would otherwise fill the audit log.
dontaudit svc_start_t proc_t:file r_file_perms;
dontaudit svc_start_t devtty_t:chr_file { read write };

# svc script
# NOTE(review): sys_admin is close to root-equivalent (mounts, quotas, a
# long list of privileged ioctls).  Nothing in this file shows what the
# script needs it for; run with the rule removed, check the audit log,
# and drop or narrow it.
allow svc_script_t self:capability sys_admin;
allow svc_script_t self:fifo_file { getattr read write };
allow svc_script_t self:file r_file_perms;
# Read-only view of the base system plus the ability to run shells and
# helpers in-domain.
allow svc_script_t { bin_t sbin_t var_t }:dir r_dir_perms;
allow svc_script_t bin_t:lnk_file r_file_perms;
can_exec(svc_script_t, bin_t)
can_exec(svc_script_t, shell_exec_t)
allow svc_script_t proc_t:file r_file_perms;
# Presumably already covered by can_exec(svc_script_t, shell_exec_t)
# above; harmless duplicate.
allow svc_script_t shell_exec_t:file rx_file_perms;
allow svc_script_t devtty_t:chr_file rw_file_perms;
allow svc_script_t etc_runtime_t:file r_file_perms;
# May read (not execute) the run scripts; re-exec of its own binary
# stays in svc_script_t.
allow svc_script_t svc_run_exec_t:file r_file_perms;
allow svc_script_t svc_script_exec_t:file execute_no_trans;
allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
allow svc_script_t sysctl_kernel_t:file r_file_perms;

# svc_run_t
# Run scripts change uid/gid and file ownership (presumably through
# setuidgid/envuidgid and similar helpers), fork, and adjust their own
# resource limits.
# NOTE(review): every daemon launched from a run script without a
# transition of its own (see the ifdef list below) inherits these
# capabilities and the execute rights granted here.  Giving such a
# daemon its own domain and an entry in that list is the way to take
# them away again.
allow svc_run_t self:capability { setgid setuid chown fsetid };
allow svc_run_t self:fifo_file rw_file_perms;
allow svc_run_t self:file r_file_perms;
allow svc_run_t self:process { fork setrlimit };
allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
# Read the service directory and re-exec run scripts in-domain.
allow svc_run_t svc_svc_t:dir r_dir_perms;
allow svc_run_t svc_svc_t:file r_file_perms;
allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
allow svc_run_t { var_t var_run_t }:dir search;
# NOTE(review): executing files typed etc_t and lib_t is unusually broad
# for a supervisor; whatever under /etc or /lib a run script execs would
# be better served by an exec type of its own.
can_exec(svc_run_t, etc_t)
can_exec(svc_run_t, lib_t)
can_exec(svc_run_t, bin_t)
can_exec(svc_run_t, sbin_t)
can_exec(svc_run_t, ls_exec_t)
can_exec(svc_run_t, shell_exec_t)
allow svc_run_t devtty_t:chr_file rw_file_perms;
allow svc_run_t etc_runtime_t:file r_file_perms;
# stat() on any executable type (e.g. PATH lookups), no execute.
allow svc_run_t exec_type:{ file lnk_file } getattr;
# File descriptors inherited from init (presumably via svscanboot) and
# from init scripts.
allow svc_run_t init_t:fd use;
allow svc_run_t initrc_t:fd use;
allow svc_run_t proc_t:file r_file_perms;
allow svc_run_t sysctl_t:dir search;
allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
allow svc_run_t sysctl_kernel_t:file r_file_perms;
allow svc_run_t var_lib_t:dir r_dir_perms;

# multilog creates /service/*/log/status
# NOTE(review): the two rules below only allow read/search on the
# directory and append/write on existing files (no create, no add_name),
# so multilog cannot create anything here.  Confirm from an audit log
# which file this is actually for and fix either the comment or the
# rules.
allow svc_multilog_t svc_svc_t:dir { read search };
allow svc_multilog_t svc_svc_t:file { append write };
# writes to /var/log/*/*
# NOTE(review): this is create/write on every var_log_t directory and
# file, i.e. any log under /var/log, not only those of daemontools.  A
# compromised service logger could then truncate or rewrite the logs of
# other daemons.  The svc_log_t type and the file_type_auto_trans rule
# in the logger section already exist for exactly this; labelling the
# multilog directories svc_log_t (needs matching .fc entries, not
# visible here) should let these two var_log_t rules go.
allow svc_multilog_t var_t:dir search;
allow svc_multilog_t var_log_t:dir create_dir_perms;
allow svc_multilog_t var_log_t:file create_file_perms;
# misc
# Descriptors handed down from init; the supervisor may signal the
# logger.
allow svc_multilog_t init_t:fd use;
allow svc_start_t svc_multilog_t:process signal;
# svc_ipc_domain is not defined in this file (presumably in the shared
# macros); it is applied to every domain that has to talk to the
# daemontools pipes.
svc_ipc_domain(svc_multilog_t)

################################################################
# scripts that can be started by daemontools
# keep it sorted please.
#
# Each entry is compiled in only when the named policy file is present.
# The pattern is: transition from the run script (svc_run_t) into the
# daemon domain when its executable is exec'd, and give that domain
# svc_ipc_domain (defined outside this file) so it can use the
# supervise/multilog pipes.  A daemon with no entry here stays in
# svc_run_t with all of that domain's rights, so any daemon that ends up
# under daemontools should get one.
# Comments are kept outside the ifdef bodies on purpose: an apostrophe
# inside the m4 quotes would terminate them.

# The dontaudit covers httpd probing its cwd, the service directory.
ifdef(`apache.te', `
domain_auto_trans(svc_run_t, httpd_exec_t, httpd_t)
svc_ipc_domain(httpd_t)
dontaudit httpd_t svc_svc_t:dir { search };
')

ifdef(`clamav.te', `
domain_auto_trans(svc_run_t, clamd_exec_t, clamd_t)
svc_ipc_domain(clamd_t)
')

# The run script itself reads clockspeed state and uses its fifo.
ifdef(`clockspeed.te', `
domain_auto_trans( svc_run_t, clockspeed_exec_t, clockspeed_t)
svc_ipc_domain(clockspeed_t)
r_dir_file(svc_run_t, clockspeed_var_lib_t)
allow svc_run_t clockspeed_var_lib_t:fifo_file { rw_file_perms setattr };
')

ifdef(`dante.te', `
domain_auto_trans( svc_run_t, dante_exec_t, dante_t);
svc_ipc_domain(dante_t)
')

# No transition for publicfile here; presumably it is started through
# utcpserver (ucspi-tcp) rather than directly from the run script.
ifdef(`publicfile.te', `
svc_ipc_domain(publicfile_t)
')

# The run script reads qmail configuration and execs qmail-start, which
# transitions; the other qmail domains only need the IPC rules.
ifdef(`qmail.te', `
allow svc_run_t qmail_start_exec_t:file rx_file_perms;
domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
r_dir_file(svc_run_t, qmail_etc_t)
svc_ipc_domain(qmail_send_t)
svc_ipc_domain(qmail_start_t)
svc_ipc_domain(qmail_queue_t)
svc_ipc_domain(qmail_smtpd_t)
')

ifdef(`rsyncd.te', `
domain_auto_trans(svc_run_t, rsyncd_exec_t, rsyncd_t)
svc_ipc_domain(rsyncd_t)
')

ifdef(`spamd.te', `
domain_auto_trans(svc_run_t, spamd_exec_t, spamd_t)
svc_ipc_domain(spamd_t)
')

ifdef(`ssh.te', `
domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
svc_ipc_domain(sshd_t)
')

ifdef(`stunnel.te', `
domain_auto_trans( svc_run_t, stunnel_exec_t, stunnel_t)
svc_ipc_domain(stunnel_t)
')

# The run script may also signal the tcpserver it started.
ifdef(`ucspi-tcp.te', `
domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
allow svc_run_t utcpserver_t:process { signal };
svc_ipc_domain(utcpserver_t)
')