From 6055ab8d1da46833e4b54446983d0bf0b023460e Mon Sep 17 00:00:00 2001 From: Jeremy Solt Date: May 24 2010 17:08:08 +0000 Subject: clogd policy from Dan Walsh edits: - style and whitespace fixes - removed read_lnk_files_pattern from shm interface - removed permissive line --- diff --git a/policy/modules/services/clogd.fc b/policy/modules/services/clogd.fc new file mode 100644 index 0000000..6793948 --- /dev/null +++ b/policy/modules/services/clogd.fc @@ -0,0 +1,3 @@ +/usr/sbin/clogd -- gen_context(system_u:object_r:clogd_exec_t,s0) + +/var/run/clogd\.pid -- gen_context(system_u:object_r:clogd_var_run_t,s0) diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if new file mode 100644 index 0000000..c0a66a4 --- /dev/null +++ b/policy/modules/services/clogd.if @@ -0,0 +1,79 @@ +## clogd - Clustered Mirror Log Server + +###################################### +## +## Execute a domain transition to run clogd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`clogd_domtrans',` + gen_require(` + type clogd_t, clogd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, clogd_exec_t, clogd_t) +') + +##################################### +## +## Connect to clogd over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`clogd_stream_connect',` + gen_require(` + type clogd_t, clogd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, clogd_var_run_t, clogd_var_run_t, clogd_t) +') + +##################################### +## +## Allow read and write access to clogd semaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`clogd_rw_semaphores',` + gen_require(` + type clogd_t; + ') + + allow $1 clogd_t:sem rw_sem_perms; +') + +######################################## +## +## Read and write to group shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`clogd_rw_shm',` + gen_require(` + type clogd_t, clogd_tmpfs_t; + ') + + allow $1 clogd_t:shm rw_shm_perms; + allow $1 clogd_tmpfs_t:dir list_dir_perms; + rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t) + fs_search_tmpfs($1) +') diff --git a/policy/modules/services/clogd.te b/policy/modules/services/clogd.te new file mode 100644 index 0000000..892d0c1 --- /dev/null +++ b/policy/modules/services/clogd.te @@ -0,0 +1,61 @@ + +policy_module(clogd,1.0.0) + +######################################## +# +# Declarations +# + +type clogd_t; +type clogd_exec_t; +init_daemon_domain(clogd_t, clogd_exec_t) + +type clogd_tmpfs_t; +files_tmpfs_file(clogd_tmpfs_t) + +# pid files +type clogd_var_run_t; +files_pid_file(clogd_var_run_t) + +######################################## +# +# clogd local policy +# + +allow clogd_t self:capability { net_admin mknod }; +allow clogd_t self:process signal; + +allow clogd_t self:sem create_sem_perms; +allow clogd_t self:shm create_shm_perms; +allow clogd_t self:netlink_socket create_socket_perms; +allow clogd_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) +manage_files_pattern(clogd_t, clogd_tmpfs_t, clogd_tmpfs_t) +fs_tmpfs_filetrans(clogd_t, clogd_tmpfs_t,{ dir file }) + +# pid files +manage_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) +manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t) +files_pid_filetrans(clogd_t, clogd_var_run_t, { file }) + +dev_manage_generic_blk_files(clogd_t) + +storage_raw_read_fixed_disk(clogd_t) +storage_raw_write_fixed_disk(clogd_t) + +libs_use_ld_so(clogd_t) +libs_use_shared_libs(clogd_t) + +logging_send_syslog_msg(clogd_t) + +miscfiles_read_localization(clogd_t) + +optional_policy(` + aisexec_stream_connect(clogd_t) + corosync_stream_connect(clogd_t) +') + +optional_policy(` + dev_read_lvm_control(clogd_t) +')