Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/services/rgmanager.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/services/rgmanager.te')
-rw-r--r--policy/modules/services/rgmanager.te205
1 files changed, 205 insertions, 0 deletions
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
new file mode 100644
index 00000000..2329f8e3
--- /dev/null
+++ b/policy/modules/services/rgmanager.te
@@ -0,0 +1,205 @@
+policy_module(rgmanager, 1.7.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether rgmanager can
+## connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(rgmanager_can_network_connect, false)
+
+type rgmanager_t;
+type rgmanager_exec_t;
+init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+
+type rgmanager_initrc_exec_t;
+init_script_file(rgmanager_initrc_exec_t)
+
+type rgmanager_tmp_t;
+files_tmp_file(rgmanager_tmp_t)
+
+type rgmanager_tmpfs_t;
+files_tmpfs_file(rgmanager_tmpfs_t)
+
+type rgmanager_var_log_t;
+logging_log_file(rgmanager_var_log_t)
+
+type rgmanager_var_run_t;
+files_pid_file(rgmanager_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rgmanager_t self:capability { dac_override ipc_lock net_raw sys_admin sys_nice sys_resource };
+allow rgmanager_t self:process { setsched signal };
+allow rgmanager_t self:fifo_file rw_fifo_file_perms;
+allow rgmanager_t self:unix_stream_socket { accept listen };
+allow rgmanager_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
+
+manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
+
+allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file)
+
+manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_system_state(rgmanager_t)
+kernel_rw_rpc_sysctls(rgmanager_t)
+kernel_search_debugfs(rgmanager_t)
+kernel_search_network_state(rgmanager_t)
+kernel_manage_unlabeled_dirs(rgmanager_t)
+
+corenet_all_recvfrom_unlabeled(rgmanager_t)
+corenet_all_recvfrom_netlabel(rgmanager_t)
+corenet_tcp_sendrecv_generic_if(rgmanager_t)
+corenet_tcp_sendrecv_generic_node(rgmanager_t)
+
+corecmd_exec_bin(rgmanager_t)
+corecmd_exec_shell(rgmanager_t)
+
+dev_rw_dlm_control(rgmanager_t)
+dev_setattr_dlm_control(rgmanager_t)
+dev_search_sysfs(rgmanager_t)
+
+domain_read_all_domains_state(rgmanager_t)
+domain_getattr_all_domains(rgmanager_t)
+domain_dontaudit_ptrace_all_domains(rgmanager_t)
+
+files_list_all(rgmanager_t)
+files_getattr_all_symlinks(rgmanager_t)
+files_manage_mnt_dirs(rgmanager_t)
+files_read_non_security_files(rgmanager_t)
+
+fs_getattr_all_fs(rgmanager_t)
+
+storage_raw_read_fixed_disk(rgmanager_t)
+
+term_getattr_pty_fs(rgmanager_t)
+
+auth_dontaudit_getattr_shadow(rgmanager_t)
+auth_use_nsswitch(rgmanager_t)
+
+init_domtrans_script(rgmanager_t)
+
+logging_send_syslog_msg(rgmanager_t)
+
+miscfiles_read_localization(rgmanager_t)
+
+tunable_policy(`rgmanager_can_network_connect',`
+ corenet_sendrecv_all_client_packets(rgmanager_t)
+ corenet_tcp_connect_all_ports(rgmanager_t)
+ corenet_tcp_sendrecv_all_ports(rgmanager_t)
+')
+
+optional_policy(`
+ aisexec_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ consoletype_exec(rgmanager_t)
+')
+
+optional_policy(`
+ corosync_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ apache_domtrans(rgmanager_t)
+ apache_signal(rgmanager_t)
+')
+
+optional_policy(`
+ fstools_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ rhcs_stream_connect_groupd(rgmanager_t)
+ rhcs_stream_connect_gfs_controld(rgmanager_t)
+')
+
+optional_policy(`
+ hostname_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ccs_manage_config(rgmanager_t)
+ ccs_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ lvm_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ mount_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(rgmanager_t)
+ mysql_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ netutils_domtrans(rgmanager_t)
+ netutils_domtrans_ping(rgmanager_t)
+')
+
+optional_policy(`
+ postgresql_domtrans(rgmanager_t)
+ postgresql_signal(rgmanager_t)
+')
+
+optional_policy(`
+ rdisc_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
+')
+
+optional_policy(`
+ rpc_domtrans_nfsd(rgmanager_t)
+ rpc_domtrans_rpcd(rgmanager_t)
+ rpc_manage_nfs_state_data(rgmanager_t)
+')
+
+optional_policy(`
+ samba_domtrans_smbd(rgmanager_t)
+ samba_domtrans_nmbd(rgmanager_t)
+ samba_manage_var_files(rgmanager_t)
+ samba_rw_config(rgmanager_t)
+ samba_signal_smbd(rgmanager_t)
+ samba_signal_nmbd(rgmanager_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(rgmanager_t)
+')
+
+optional_policy(`
+ udev_read_db(rgmanager_t)
+')
+
+optional_policy(`
+ virt_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(rgmanager_t)
+')