From 21d23c878eef2a5304b410b5961cfa5d767bf5dc Mon Sep 17 00:00:00 2001 From: Jeremy Solt Date: May 24 2010 17:08:08 +0000 Subject: Removed unnecessary comments Removed 'SELinux policy for' from policy summaries Removed rgmanager interface for semaphores (doesn't appear to be needed or used) Removed redundant calls to libs_use_ld_so and libs_use_shared_libs Fixed rhcs interface names to match naming rules Merged tmpfs and semaphore/shm interfaces
---
diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if
index 58acae2..7fb41c2 100644
--- a/policy/modules/services/aisexec.if
+++ b/policy/modules/services/aisexec.if
@@ -1,4 +1,4 @@
-## SELinux policy for Aisexec Cluster Engine
+## Aisexec Cluster Engine
 ########################################
 ##
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
index 1b0bba7..22f2004 100644
--- a/policy/modules/services/aisexec.te
+++ b/policy/modules/services/aisexec.te
@@ -13,22 +13,18 @@ init_daemon_domain(aisexec_t, aisexec_exec_t)
 type aisexec_initrc_exec_t;
 init_script_file(aisexec_initrc_exec_t);
 
-# tmp files
 type aisexec_tmp_t;
 files_tmp_file(aisexec_tmp_t)
 
 type aisexec_tmpfs_t;
 files_tmpfs_file(aisexec_tmpfs_t)
 
-# var/lib files
 type aisexec_var_lib_t;
 files_type(aisexec_var_lib_t)
 
-# log files
 type aisexec_var_log_t;
 logging_log_file(aisexec_var_log_t)
 
-# pid files
 type aisexec_var_run_t;
 files_pid_file(aisexec_var_run_t)
 
@@ -45,7 +41,6 @@ allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto }
 allow aisexec_t self:unix_dgram_socket create_socket_perms;
 allow aisexec_t self:udp_socket create_socket_perms;
 
-# tmp files
 manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
 manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
 files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir })
@@ -54,18 +49,15 @@ manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
 manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
 fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file })
 
-# var/lib files
 manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
 manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
 manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
 files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file })
 
-# log files
 manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
 manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
 logging_log_filetrans(aisexec_t,aisexec_var_log_t,{ sock_file file })
 
-# pid file
 manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
 manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
 files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
@@ -86,9 +78,6 @@ auth_use_nsswitch(aisexec_t)
 
 init_rw_script_tmp_files(aisexec_t)
 
-libs_use_ld_so(aisexec_t)
-libs_use_shared_libs(aisexec_t)
-
 logging_send_syslog_msg(aisexec_t)
 
 miscfiles_read_localization(aisexec_t)
@@ -99,17 +88,13 @@ optional_policy(`
 
 optional_policy(`
 	# to communication with RHCS
-	dlm_controld_manage_tmpfs_files(aisexec_t)
-	dlm_controld_rw_semaphores(aisexec_t)
+	rhcs_rw_dlm_controld_semaphores(aisexec_t)
 
-	fenced_manage_tmpfs_files(aisexec_t)
-	fenced_rw_semaphores(aisexec_t)
+	rhcs_rw_fenced_semaphores(aisexec_t)
 
-	gfs_controld_manage_tmpfs_files(aisexec_t)
-	gfs_controld_rw_semaphores(aisexec_t)
-	gfs_controld_t_rw_shm(aisexec_t)
+	rhcs_rw_gfs_controld_semaphores(aisexec_t)
+	rhcs_rw_gfs_controld_shm(aisexec_t)
 
-	groupd_manage_tmpfs_files(aisexec_t)
-	groupd_rw_semaphores(aisexec_t)
-	groupd_rw_shm(aisexec_t)
+	rhcs_rw_groupd_semaphores(aisexec_t)
+	rhcs_rw_groupd_shm(aisexec_t)
 ')
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
index 64f4ff9..3626db1 100644
--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -1,4 +1,4 @@
-## SELinux policy for Corosync Cluster Engine
+## Corosync Cluster Engine
 ########################################
 ##
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
index ddccc21..ad8d017 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -13,22 +13,18 @@ init_daemon_domain(corosync_t, corosync_exec_t)
 type corosync_initrc_exec_t;
 init_script_file(corosync_initrc_exec_t);
 
-# tmp files
 type corosync_tmp_t;
 files_tmp_file(corosync_tmp_t)
 
 type corosync_tmpfs_t;
 files_tmpfs_file(corosync_tmpfs_t)
 
-# var/lib files
 type corosync_var_lib_t;
 files_type(corosync_var_lib_t)
 
-# log files
 type corosync_var_log_t;
 logging_log_file(corosync_var_log_t)
 
-# pid files
 type corosync_var_run_t;
 files_pid_file(corosync_var_run_t)
 
@@ -46,7 +42,6 @@ allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto
 allow corosync_t self:unix_dgram_socket create_socket_perms;
 allow corosync_t self:udp_socket create_socket_perms;
 
-# tmp files
 manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
 manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
 files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
@@ -55,18 +50,15 @@ manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
 manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
 fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t,{ dir file })
 
-# var/lib files
 manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
 manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
 manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
 files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
 
-# log files
 manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
 manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
 logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
 
-# pid file
 manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
 manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
 files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
@@ -100,14 +92,11 @@ optional_policy(`
 
 optional_policy(`
 	# to communication with RHCS
-	dlm_controld_manage_tmpfs_files(corosync_t)
-	dlm_controld_rw_semaphores(corosync_t)
+	rhcs_rw_dlm_controld_semaphores(corosync_t)
 
-	fenced_manage_tmpfs_files(corosync_t)
-	fenced_rw_semaphores(corosync_t)
+	rhcs_rw_fenced_semaphores(corosync_t)
 
-	gfs_controld_manage_tmpfs_files(corosync_t)
-	gfs_controld_rw_semaphores(corosync_t)
+	rhcs_rw_gfs_controld_semaphores(corosync_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
index c220b3d..4504355 100644
--- a/policy/modules/services/rgmanager.if
+++ b/policy/modules/services/rgmanager.if
@@ -1,4 +1,4 @@
-## SELinux policy for rgmanager
+## rgmanager - Resource Group Manager
 #######################################
 ##
@@ -19,24 +19,6 @@ interface(`rgmanager_domtrans',`
 	domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
 ')
 
-#######################################
-##
-## Allow read and write access to rgmanager semaphores.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`rgmanager_rw_semaphores',`
-	gen_require(`
-		type rgmanager_t;
-	')
-
-	allow $1 rgmanager_t:sem rw_sem_perms;
-')
-
 ########################################
 ##
 ## Connect to rgmanager over an unix stream socket.
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
index 419da00..4bba0fb 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -18,18 +18,15 @@ type rgmanager_exec_t;
 domain_type(rgmanager_t)
 init_daemon_domain(rgmanager_t, rgmanager_exec_t)
 
-# tmp files
 type rgmanager_tmp_t;
 files_tmp_file(rgmanager_tmp_t)
 
 type rgmanager_tmpfs_t;
 files_tmpfs_file(rgmanager_tmpfs_t)
 
-# log files
 type rgmanager_var_log_t;
 logging_log_file(rgmanager_var_log_t)
 
-# pid files
 type rgmanager_var_run_t;
 files_pid_file(rgmanager_var_run_t)
 
@@ -48,7 +45,6 @@ allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
 allow rgmanager_t self:unix_dgram_socket create_socket_perms;
 allow rgmanager_t self:tcp_socket create_stream_socket_perms;
 
-# tmp files
 manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
 manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
 files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
@@ -57,11 +53,9 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
 manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
 fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file })
 
-# log files
 manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
 logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
 
-# pid file
 manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
 manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
 files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
@@ -103,9 +97,6 @@ auth_read_all_files_except_shadow(rgmanager_t)
 auth_dontaudit_getattr_shadow(rgmanager_t)
 auth_use_nsswitch(rgmanager_t)
 
-libs_use_ld_so(rgmanager_t)
-libs_use_shared_libs(rgmanager_t)
-
 logging_send_syslog_msg(rgmanager_t)
 
 miscfiles_read_localization(rgmanager_t)
@@ -132,7 +123,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	groupd_stream_connect(rgmanager_t)
+	rhcs_stream_connect_groupd(rgmanager_t)
 ')
 
 optional_policy(`
@@ -142,7 +133,7 @@ optional_policy(`
 optional_policy(`
 	ccs_manage_config(rgmanager_t)
 	ccs_stream_connect(rgmanager_t)
-	gfs_controld_stream_connect(rgmanager_t)
+	rhcs_stream_connect_gfs_controld(rgmanager_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
index 1516fcd..c9ce9ab 100644
--- a/policy/modules/services/rhcs.if
+++ b/policy/modules/services/rhcs.if
@@ -1,4 +1,4 @@
-## SELinux policy for RHCS - Red Hat Cluster Suite
+## RHCS - Red Hat Cluster Suite
 #######################################
 ##
@@ -18,7 +18,7 @@ template(`rhcs_domain_template',`
 
 	##############################
 	#
-	# $1_t declarations
+	# Declarations
 	#
 
 	type $1_t, cluster_domain;
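Review bot: In the `@@ -142,7 +133,7 @@` hunk of rgmanager.te the renamed call `rhcs_stream_connect_gfs_controld(rgmanager_t)` sits in the same `optional_policy(` block as the two `ccs_*` calls, so the block is only kept when both the ccs and rhcs modules are present; if either is absent, rgmanager loses the other module's rules as well. If ccs and rhcs are separate modules here, the usual convention is one module per optional block: move the line into its own `optional_policy(` / `rhcs_stream_connect_gfs_controld(rgmanager_t)` / `')` group, as the `@@ -132,7 +123,7 @@` hunk already does for `rhcs_stream_connect_groupd`. The grouping predates this commit, but the renamed line is the natural place to fix it.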
@@ -28,17 +28,15 @@ template(`rhcs_domain_template',`
 	type $1_tmpfs_t;
 	files_tmpfs_file($1_tmpfs_t)
 
-	# log files
 	type $1_var_log_t;
 	logging_log_file($1_var_log_t)
 
-	# pid files
 	type $1_var_run_t;
 	files_pid_file($1_var_run_t)
 
 	##############################
 	#
-	# $1_t local policy
+	# Local policy
 	#
 
 	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
@@ -66,7 +64,7 @@ template(`rhcs_domain_template',`
 ##
 ##
 #
-interface(`dlm_controld_domtrans',`
+interface(`rhcs_domtrans_dlm_controld',`
 	gen_require(`
 		type dlm_controld_t, dlm_controld_exec_t;
 	')
@@ -86,7 +84,7 @@ interface(`dlm_controld_domtrans',`
 ##
 ##
 #
-interface(`dlm_controld_stream_connect',`
+interface(`rhcs_stream_connect_dlm_controld',`
 	gen_require(`
 		type dlm_controld_t, dlm_controld_var_run_t;
 	')
@@ -105,28 +103,12 @@ interface(`dlm_controld_stream_connect',`
 ##
 ##
 #
-interface(`dlm_controld_rw_semaphores',`
+interface(`rhcs_rw_dlm_controld_semaphores',`
 	gen_require(`
-		type dlm_controld_t;
+		type dlm_controld_t, dlm_controld_tmpfs_t;
 	')
 
 	allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
-')
-
-#####################################
-##
-## Manage dlm_controld tmpfs files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dlm_controld_manage_tmpfs_files',`
-	gen_require(`
-		type dlm_controld_tmpfs_t;
-	')
 
 	fs_search_tmpfs($1)
 	manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
@@ -142,7 +124,7 @@ interface(`dlm_controld_manage_tmpfs_files',`
 ##
 ##
 #
-interface(`fenced_domtrans',`
+interface(`rhcs_domtrans_fenced',`
 	gen_require(`
 		type fenced_t, fenced_exec_t;
 	')
@@ -161,12 +143,15 @@ interface(`fenced_domtrans',`
 ##
 ##
 #
-interface(`fenced_rw_semaphores',`
+interface(`rhcs_rw_fenced_semaphores',`
 	gen_require(`
-		type fenced_t;
+		type fenced_t, fenced_tmpfs_t;
 	')
 
 	allow $1 fenced_t:sem { rw_sem_perms destroy };
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
 ')
 
 ######################################
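Review bot: The rename in the `@@ -66,7 +64,7 @@` hunk (and the other `*_domtrans`, `*_stream_connect`, `*_rw_semaphores`, `*_rw_shm` renames in rhcs.if) drops the old interface names with no compatibility wrapper, so any module outside aisexec, corosync and rgmanager that still calls `dlm_controld_domtrans()` or its siblings will fail to build once the old macro is undefined. I cannot see from this diff whether such callers exist; if the old names were ever public, the usual pattern is to keep a deprecated alias that forwards to the new name and warns. Each alias is a short interface like the one below, repeated per renamed interface.
```selinux
interface(`dlm_controld_domtrans',`
	refpolicywarn(`$0($*) has been deprecated, use rhcs_domtrans_dlm_controld() instead.')
	rhcs_domtrans_dlm_controld($1)
')
```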
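Review bot: In the `@@ -105,28 +103,12 @@` hunk `rhcs_rw_dlm_controld_semaphores` now also grants `fs_search_tmpfs($1)` and full `manage_files_pattern` on `dlm_controld_tmpfs_t`, but its name and the summary block above the hunk still describe only semaphore access, so a caller reading the interface list will under-estimate what it hands out. The same applies to `rhcs_rw_fenced_semaphores` in the `@@ -161,12 +143,15 @@` hunk and to the gfs_controld and groupd `_semaphores`/`_shm` interfaces in the following hunks. Update each summary to name both grants, e.g. `## Read and write dlm_controld semaphores and manage its tmpfs files.`, and note in the `_shm` and `_semaphores` pairs that they carry identical tmpfs rules, so a caller like aisexec.te that uses both gets them twice; a reader might otherwise assume one of the pair is sem-only. The interface body of the -105 hunk continues past its last line.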
@@ -179,7 +164,7 @@ interface(`fenced_rw_semaphores',`
 ##
 ##
 #
-interface(`fenced_stream_connect',`
+interface(`rhcs_stream_connect_fenced',`
 	gen_require(`
 		type fenced_var_run_t, fenced_t;
 	')
@@ -191,25 +176,6 @@ interface(`fenced_stream_connect',`
 
 #####################################
 ##
-## Managed fenced tmpfs files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`fenced_manage_tmpfs_files',`
-	gen_require(`
-		type fenced_tmpfs_t;
-	')
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
-')
-
-#####################################
-##
 ## Execute a domain transition to run gfs_controld.
 ##
 ##
@@ -218,7 +184,7 @@ interface(`fenced_manage_tmpfs_files',`
 ##
 ##
 #
-interface(`gfs_controld_domtrans',`
+interface(`rhcs_domtrans_gfs_controld',`
 	gen_require(`
 		type gfs_controld_t, gfs_controld_exec_t;
 	')
@@ -227,25 +193,6 @@ interface(`gfs_controld_domtrans',`
 	domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
 ')
 
-###################################
-##
-## Manage gfs_controld tmpfs files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`gfs_controld_manage_tmpfs_files',`
-	gen_require(`
-		type gfs_controld_tmpfs_t;
-	')
-
-	fs_search_tmpfs($1)
-	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
-')
-
 ####################################
 ##
 ## Allow read and write access to gfs_controld semaphores.
@@ -256,12 +203,15 @@ interface(`gfs_controld_manage_tmpfs_files',`
 ##
 ##
 #
-interface(`gfs_controld_rw_semaphores',`
+interface(`rhcs_rw_gfs_controld_semaphores',`
 	gen_require(`
-		type gfs_controld_t;
+		type gfs_controld_t, gfs_controld_tmpfs_t;
 	')
 
 	allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
 ')
 
 ########################################
@@ -274,12 +224,15 @@ interface(`gfs_controld_rw_semaphores',`
 ##
 ##
 #
-interface(`gfs_controld_t_rw_shm',`
+interface(`rhcs_rw_gfs_controld_shm',`
 	gen_require(`
-		type gfs_controld_t;
+		type gfs_controld_t, gfs_controld_tmpfs_t;
 	')
 
 	allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
 ')
 
 #####################################
@@ -292,7 +245,7 @@ interface(`gfs_controld_t_rw_shm',`
 ##
 ##
 #
-interface(`gfs_controld_stream_connect',`
+interface(`rhcs_stream_connect_gfs_controld',`
 	gen_require(`
 		type gfs_controld_t, gfs_controld_var_run_t;
 	')
@@ -311,7 +264,7 @@ interface(`gfs_controld_stream_connect',`
 ##
 ##
 #
-interface(`groupd_domtrans',`
+interface(`rhcs_domtrans_groupd',`
 	gen_require(`
 		type groupd_t, groupd_exec_t;
 	')
@@ -331,7 +284,7 @@ interface(`groupd_domtrans',`
 ##
 ##
 #
-interface(`groupd_stream_connect',`
+interface(`rhcs_stream_connect_groupd',`
 	gen_require(`
 		type groupd_t, groupd_var_run_t;
 	')
@@ -350,12 +303,15 @@ interface(`groupd_stream_connect',`
 ##
 ##
 #
-interface(`groupd_rw_semaphores',`
+interface(`rhcs_rw_groupd_semaphores',`
 	gen_require(`
-		type groupd_t;
+		type groupd_t, groupd_tmpfs_t;
 	')
 
 	allow $1 groupd_t:sem { rw_sem_perms destroy };
+
+	fs_search_tmpfs($1)
+	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
 ')
 
 ########################################
@@ -368,28 +324,12 @@ interface(`groupd_rw_semaphores',`
 ##
 ##
 #
-interface(`groupd_rw_shm',`
+interface(`rhcs_rw_groupd_shm',`
 	gen_require(`
-		type groupd_t;
+		type groupd_t, groupd_tmpfs_t;
 	')
 
 	allow $1 groupd_t:shm { rw_shm_perms destroy };
-')
-
-#####################################
-##
-## Manage groupd tmpfs files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`groupd_manage_tmpfs_files',`
-	gen_require(`
-		type groupd_tmpfs_t;
-	')
 
 	fs_search_tmpfs($1)
 	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
@@ -405,7 +345,7 @@ interface(`groupd_manage_tmpfs_files',`
 ##
 ##
 #
-interface(`qdiskd_domtrans',`
+interface(`rhcs_domtrans_qdiskd',`
 	gen_require(`
 		type qdiskd_t, qdiskd_exec_t;
 	')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
index 3fa9819..9203e3b 100644
--- a/policy/modules/services/rhcs.te
+++ b/policy/modules/services/rhcs.te
@@ -22,7 +22,6 @@ rhcs_domain_template(fenced)
 type fenced_lock_t;
 files_lock_file(fenced_lock_t)
 
-# tmp files
 type fenced_tmp_t;
 files_tmp_file(fenced_tmp_t)
 
@@ -32,7 +31,6 @@ rhcs_domain_template(groupd)
 
 rhcs_domain_template(qdiskd)
 
-# var/lib files
 type qdiskd_var_lib_t;
 files_type(qdiskd_var_lib_t)
 
@@ -78,7 +76,6 @@ can_exec(fenced_t, fenced_exec_t)
 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
 files_lock_filetrans(fenced_t, fenced_lock_t, file)
 
-# tmp files
 manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
 manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
 manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
@@ -235,9 +232,6 @@ allow cluster_domain self:fifo_file rw_fifo_file_perms;
 allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
 allow cluster_domain self:unix_dgram_socket create_socket_perms;
 
-libs_use_ld_so(cluster_domain)
-libs_use_shared_libs(cluster_domain)
-
 logging_send_syslog_msg(cluster_domain)
 
 miscfiles_read_localization(cluster_domain)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index c759445..feeefcb 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -11,19 +11,15 @@ type ricci_exec_t;
 domain_type(ricci_t)
 init_daemon_domain(ricci_t, ricci_exec_t)
 
-# tmp files
 type ricci_tmp_t;
 files_tmp_file(ricci_tmp_t)
 
-# var/lib files
 type ricci_var_lib_t;
 files_type(ricci_var_lib_t)
 
-# log files
 type ricci_var_log_t;
 logging_log_file(ricci_var_log_t)
 
-# pid files
 type ricci_var_run_t;
 files_pid_file(ricci_var_run_t)
 
@@ -33,15 +29,12 @@ domain_type(ricci_modcluster_t)
 domain_entry_file(ricci_modcluster_t, ricci_modcluster_exec_t)
 role system_r types ricci_modcluster_t;
 
-# var/lib files
 type ricci_modcluster_var_lib_t;
 files_type(ricci_modcluster_var_lib_t)
 
-# log files
 type ricci_modcluster_var_log_t;
 logging_log_file(ricci_modcluster_var_log_t)
 
-# pid files
 type ricci_modcluster_var_run_t;
 files_pid_file(ricci_modcluster_var_run_t)
 
@@ -94,24 +87,20 @@ domain_auto_trans(ricci_t, ricci_modrpm_exec_t, ricci_modrpm_t)
 domain_auto_trans(ricci_t, ricci_modservice_exec_t, ricci_modservice_t)
 domain_auto_trans(ricci_t, ricci_modstorage_exec_t, ricci_modstorage_t)
 
-# tmp file
 manage_dirs_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
 manage_files_pattern(ricci_t, ricci_tmp_t, ricci_tmp_t)
 files_tmp_filetrans(ricci_t, ricci_tmp_t, { file dir })
 
-# var/lib files for ricci
 manage_dirs_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 manage_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 manage_sock_files_pattern(ricci_t, ricci_var_lib_t, ricci_var_lib_t)
 files_var_lib_filetrans(ricci_t, ricci_var_lib_t, { file dir sock_file })
 
-# log files
 allow ricci_t ricci_var_log_t:dir setattr;
 manage_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
 manage_sock_files_pattern(ricci_t, ricci_var_log_t, ricci_var_log_t)
 logging_log_filetrans(ricci_t, ricci_var_log_t, { sock_file file dir })
 
-# pid file
 manage_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
 manage_sock_files_pattern(ricci_t, ricci_var_run_t, ricci_var_run_t)
 files_pid_filetrans(ricci_t, ricci_var_run_t, { file sock_file })
@@ -277,13 +266,11 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
 allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
 allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
 
-# log files
 allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
 manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
 manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
 logging_log_filetrans(ricci_modclusterd_t, ricci_modcluster_var_log_t, { sock_file file dir })
 
-# pid file
 manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
 manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t)
 files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock_file })