[selinux-policy: 2689/3172] Redhat Cluster Suite Policy from Dan Walsh
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:59:06 UTC 2010
commit 538cf9ab83093f0d923448c0e81a8b5e38038d60
Author: Jeremy Solt <jsolt at tresys.com>
Date: Thu May 6 13:13:41 2010 -0400
Redhat Cluster Suite Policy from Dan Walsh
Edits:
- Style and whitespace fixes
- Removed interfaces for default_t from ricci.te - this didn't seem right
- Removed link files from rgmanager_manage_tmpfs_files
- Removed rdisc.if patch. it was previously committed
- Not including kernel_kill interface call for rgmanager
- Not including ldap interfaces in rgmanager.te (currently not in refpolicy)
- Not including files_create_var_run_dirs call for rgmanager (not in refpolicy)
policy/modules/services/aisexec.fc | 9 +
policy/modules/services/aisexec.if | 106 +++++++++
policy/modules/services/aisexec.te | 115 ++++++++++
policy/modules/services/ccs.te | 5 +
policy/modules/services/corosync.fc | 12 +
policy/modules/services/corosync.if | 106 +++++++++
policy/modules/services/corosync.te | 115 ++++++++++
policy/modules/services/rgmanager.fc | 7 +
policy/modules/services/rgmanager.if | 95 ++++++++
policy/modules/services/rgmanager.te | 212 +++++++++++++++++
policy/modules/services/rhcs.fc | 22 ++
policy/modules/services/rhcs.if | 415 ++++++++++++++++++++++++++++++++++
policy/modules/services/rhcs.te | 247 ++++++++++++++++++++
policy/modules/services/ricci.te | 37 +++-
14 files changed, 1498 insertions(+), 5 deletions(-)
---
diff --git a/policy/modules/services/aisexec.fc b/policy/modules/services/aisexec.fc
new file mode 100644
index 0000000..7b4f4b9
--- /dev/null
+++ b/policy/modules/services/aisexec.fc
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
+
+/usr/sbin/aisexec -- gen_context(system_u:object_r:aisexec_exec_t,s0)
+
+/var/lib/openais(/.*)? gen_context(system_u:object_r:aisexec_var_lib_t,s0)
+
+/var/log/cluster/aisexec\.log -- gen_context(system_u:object_r:aisexec_var_log_t,s0)
+
+/var/run/aisexec\.pid -- gen_context(system_u:object_r:aisexec_var_run_t,s0)
diff --git a/policy/modules/services/aisexec.if b/policy/modules/services/aisexec.if
new file mode 100644
index 0000000..58acae2
--- /dev/null
+++ b/policy/modules/services/aisexec.if
@@ -0,0 +1,106 @@
+## <summary>SELinux policy for Aisexec Cluster Engine</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run aisexec.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aisexec_domtrans',`
+ gen_require(`
+ type aisexec_t, aisexec_exec_t;
+ ')
+
+ domtrans_pattern($1, aisexec_exec_t, aisexec_t)
+')
+
+#####################################
+## <summary>
+## Connect to aisexec over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aisexec_stream_connect',`
+ gen_require(`
+ type aisexec_t, aisexec_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read aisexec's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aisexec_read_log',`
+ gen_require(`
+ type aisexec_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+ read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an aisexec environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the aisexecd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`aisexecd_admin',`
+ gen_require(`
+ type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t;
+ type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t;
+ type aisexec_initrc_exec_t;
+ ')
+
+ allow $1 aisexec_t:process { ptrace signal_perms };
+ ps_process_pattern($1, aisexec_t)
+
+ init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 aisexec_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, aisexec_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, aisexec_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, aisexec_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, aisexec_tmp_t)
+
+ admin_pattern($1, aisexec_tmpfs_t)
+')
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
new file mode 100644
index 0000000..1b0bba7
--- /dev/null
+++ b/policy/modules/services/aisexec.te
@@ -0,0 +1,115 @@
+
+policy_module(aisexec, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aisexec_t;
+type aisexec_exec_t;
+init_daemon_domain(aisexec_t, aisexec_exec_t)
+
+type aisexec_initrc_exec_t;
+init_script_file(aisexec_initrc_exec_t);
+
+# tmp files
+type aisexec_tmp_t;
+files_tmp_file(aisexec_tmp_t)
+
+type aisexec_tmpfs_t;
+files_tmpfs_file(aisexec_tmpfs_t)
+
+# var/lib files
+type aisexec_var_lib_t;
+files_type(aisexec_var_lib_t)
+
+# log files
+type aisexec_var_log_t;
+logging_log_file(aisexec_var_log_t)
+
+# pid files
+type aisexec_var_run_t;
+files_pid_file(aisexec_var_run_t)
+
+########################################
+#
+# aisexec local policy
+#
+
+allow aisexec_t self:capability { sys_nice sys_resource ipc_lock };
+allow aisexec_t self:process { setrlimit setsched signal };
+allow aisexec_t self:fifo_file rw_fifo_file_perms;
+allow aisexec_t self:sem create_sem_perms;
+allow aisexec_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow aisexec_t self:unix_dgram_socket create_socket_perms;
+allow aisexec_t self:udp_socket create_socket_perms;
+
+# tmp files
+manage_dirs_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+manage_files_pattern(aisexec_t, aisexec_tmp_t, aisexec_tmp_t)
+files_tmp_filetrans(aisexec_t, aisexec_tmp_t, { file dir })
+
+manage_dirs_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+manage_files_pattern(aisexec_t, aisexec_tmpfs_t, aisexec_tmpfs_t)
+fs_tmpfs_filetrans(aisexec_t, aisexec_tmpfs_t, { dir file })
+
+# var/lib files
+manage_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+manage_dirs_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_lib_t, aisexec_var_lib_t)
+files_var_lib_filetrans(aisexec_t, aisexec_var_lib_t, { file dir sock_file })
+
+# log files
+manage_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_log_t, aisexec_var_log_t)
+logging_log_filetrans(aisexec_t,aisexec_var_log_t,{ sock_file file })
+
+# pid file
+manage_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
+manage_sock_files_pattern(aisexec_t, aisexec_var_run_t, aisexec_var_run_t)
+files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
+
+kernel_read_system_state(aisexec_t)
+
+corecmd_exec_bin(aisexec_t)
+
+corenet_udp_bind_netsupport_port(aisexec_t)
+corenet_tcp_bind_reserved_port(aisexec_t)
+corenet_udp_bind_cluster_port(aisexec_t)
+
+dev_read_urand(aisexec_t)
+
+files_manage_mounttab(aisexec_t)
+
+auth_use_nsswitch(aisexec_t)
+
+init_rw_script_tmp_files(aisexec_t)
+
+libs_use_ld_so(aisexec_t)
+libs_use_shared_libs(aisexec_t)
+
+logging_send_syslog_msg(aisexec_t)
+
+miscfiles_read_localization(aisexec_t)
+
+optional_policy(`
+ ccs_stream_connect(aisexec_t)
+')
+
+optional_policy(`
+ # to communication with RHCS
+ dlm_controld_manage_tmpfs_files(aisexec_t)
+ dlm_controld_rw_semaphores(aisexec_t)
+
+ fenced_manage_tmpfs_files(aisexec_t)
+ fenced_rw_semaphores(aisexec_t)
+
+ gfs_controld_manage_tmpfs_files(aisexec_t)
+ gfs_controld_rw_semaphores(aisexec_t)
+ gfs_controld_t_rw_shm(aisexec_t)
+
+ groupd_manage_tmpfs_files(aisexec_t)
+ groupd_rw_semaphores(aisexec_t)
+ groupd_rw_shm(aisexec_t)
+')
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index b7e76be..d750656 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -114,5 +114,10 @@ ifdef(`hide_broken_symptoms', `
')
optional_policy(`
+ aisexec_stream_connect(ccs_t)
+ corosync_stream_connect(ccs_t)
+')
+
+optional_policy(`
unconfined_use_fds(ccs_t)
')
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
new file mode 100644
index 0000000..3a6d7eb
--- /dev/null
+++ b/policy/modules/services/corosync.fc
@@ -0,0 +1,12 @@
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
+
+/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+
+/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+
+/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0)
+
+/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
new file mode 100644
index 0000000..64f4ff9
--- /dev/null
+++ b/policy/modules/services/corosync.if
@@ -0,0 +1,106 @@
+## <summary>SELinux policy for Corosync Cluster Engine</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run corosync.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_domtrans',`
+ gen_require(`
+ type corosync_t, corosync_exec_t;
+ ')
+
+ domtrans_pattern($1, corosync_exec_t, corosync_t)
+')
+
+#######################################
+## <summary>
+## Allow the specified domain to read corosync's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_read_log',`
+ gen_require(`
+ type corosync_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t)
+ read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
+')
+
+#####################################
+## <summary>
+## Connect to corosync over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corosync_stream_connect',`
+ gen_require(`
+ type corosync_t, corosync_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
+')
+
+######################################
+## <summary>
+## All of the rules required to administrate
+## an corosync environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the corosyncd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`corosyncd_admin',`
+ gen_require(`
+ type corosync_t, corosync_var_lib_t, corosync_var_log_t;
+ type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
+ type corosync_initrc_exec_t;
+ ')
+
+ allow $1 corosync_t:process { ptrace signal_perms };
+ ps_process_pattern($1, corosync_t)
+
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 corosync_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, corosync_tmp_t)
+
+ admin_pattern($1, corosync_tmpfs_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, corosync_var_lib_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, corosync_var_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, corosync_var_run_t)
+')
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
new file mode 100644
index 0000000..ddccc21
--- /dev/null
+++ b/policy/modules/services/corosync.te
@@ -0,0 +1,115 @@
+
+policy_module(corosync, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type corosync_t;
+type corosync_exec_t;
+init_daemon_domain(corosync_t, corosync_exec_t)
+
+type corosync_initrc_exec_t;
+init_script_file(corosync_initrc_exec_t);
+
+# tmp files
+type corosync_tmp_t;
+files_tmp_file(corosync_tmp_t)
+
+type corosync_tmpfs_t;
+files_tmpfs_file(corosync_tmpfs_t)
+
+# var/lib files
+type corosync_var_lib_t;
+files_type(corosync_var_lib_t)
+
+# log files
+type corosync_var_log_t;
+logging_log_file(corosync_var_log_t)
+
+# pid files
+type corosync_var_run_t;
+files_pid_file(corosync_var_run_t)
+
+########################################
+#
+# corosync local policy
+#
+
+allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
+allow corosync_t self:process { setrlimit setsched signal };
+
+allow corosync_t self:fifo_file rw_fifo_file_perms;
+allow corosync_t self:sem create_sem_perms;
+allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow corosync_t self:unix_dgram_socket create_socket_perms;
+allow corosync_t self:udp_socket create_socket_perms;
+
+# tmp files
+manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
+files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir })
+
+manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t,{ dir file })
+
+# var/lib files
+manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
+files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file })
+
+# log files
+manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t)
+logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file })
+
+# pid file
+manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t)
+files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file })
+
+kernel_read_system_state(corosync_t)
+
+corecmd_exec_bin(corosync_t)
+
+corenet_udp_bind_netsupport_port(corosync_t)
+
+dev_read_urand(corosync_t)
+
+domain_read_all_domains_state(corosync_t)
+
+files_manage_mounttab(corosync_t)
+
+auth_use_nsswitch(corosync_t)
+
+init_read_script_state(corosync_t)
+init_rw_script_tmp_files(corosync_t)
+
+logging_send_syslog_msg(corosync_t)
+
+miscfiles_read_localization(corosync_t)
+
+userdom_rw_user_tmpfs_files(corosync_t)
+
+optional_policy(`
+ ccs_read_config(corosync_t)
+')
+
+optional_policy(`
+ # to communication with RHCS
+ dlm_controld_manage_tmpfs_files(corosync_t)
+ dlm_controld_rw_semaphores(corosync_t)
+
+ fenced_manage_tmpfs_files(corosync_t)
+ fenced_rw_semaphores(corosync_t)
+
+ gfs_controld_manage_tmpfs_files(corosync_t)
+ gfs_controld_rw_semaphores(corosync_t)
+')
+
+optional_policy(`
+ rgmanager_manage_tmpfs_files(corosync_t)
+')
diff --git a/policy/modules/services/rgmanager.fc b/policy/modules/services/rgmanager.fc
new file mode 100644
index 0000000..3c97ef0
--- /dev/null
+++ b/policy/modules/services/rgmanager.fc
@@ -0,0 +1,7 @@
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
+
+/var/log/cluster/rgmanager\.log -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
+
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/policy/modules/services/rgmanager.if b/policy/modules/services/rgmanager.if
new file mode 100644
index 0000000..c220b3d
--- /dev/null
+++ b/policy/modules/services/rgmanager.if
@@ -0,0 +1,95 @@
+## <summary>SELinux policy for rgmanager</summary>
+
+#######################################
+## <summary>
+## Execute a domain transition to run rgmanager.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_domtrans',`
+ gen_require(`
+ type rgmanager_t, rgmanager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
+')
+
+#######################################
+## <summary>
+## Allow read and write access to rgmanager semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_rw_semaphores',`
+ gen_require(`
+ type rgmanager_t;
+ ')
+
+ allow $1 rgmanager_t:sem rw_sem_perms;
+')
+
+########################################
+## <summary>
+## Connect to rgmanager over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_stream_connect',`
+ gen_require(`
+ type rgmanager_t, rgmanager_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
+')
+
+######################################
+## <summary>
+## Allow manage rgmanager tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_manage_tmp_files',`
+ gen_require(`
+ type rgmanager_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
+')
+
+######################################
+## <summary>
+## Allow manage rgmanager tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rgmanager_manage_tmpfs_files',`
+ gen_require(`
+ type rgmanager_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+')
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
new file mode 100644
index 0000000..419da00
--- /dev/null
+++ b/policy/modules/services/rgmanager.te
@@ -0,0 +1,212 @@
+
+policy_module(rgmanager, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow rgmanager domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(rgmanager_can_network_connect, false)
+
+type rgmanager_t;
+type rgmanager_exec_t;
+domain_type(rgmanager_t)
+init_daemon_domain(rgmanager_t, rgmanager_exec_t)
+
+# tmp files
+type rgmanager_tmp_t;
+files_tmp_file(rgmanager_tmp_t)
+
+type rgmanager_tmpfs_t;
+files_tmpfs_file(rgmanager_tmpfs_t)
+
+# log files
+type rgmanager_var_log_t;
+logging_log_file(rgmanager_var_log_t)
+
+# pid files
+type rgmanager_var_run_t;
+files_pid_file(rgmanager_var_run_t)
+
+########################################
+#
+# rgmanager local policy
+#
+
+allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
+dontaudit rgmanager_t self:capability { sys_ptrace };
+allow rgmanager_t self:process { setsched signal };
+dontaudit rgmanager_t self:process { ptrace };
+
+allow rgmanager_t self:fifo_file rw_fifo_file_perms;
+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
+allow rgmanager_t self:unix_dgram_socket create_socket_perms;
+allow rgmanager_t self:tcp_socket create_stream_socket_perms;
+
+# tmp files
+manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
+files_tmp_filetrans(rgmanager_t, rgmanager_tmp_t, { file dir })
+
+manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
+fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t,{ dir file })
+
+# log files
+manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
+
+# pid file
+manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
+
+kernel_read_kernel_sysctls(rgmanager_t)
+kernel_read_system_state(rgmanager_t)
+kernel_rw_rpc_sysctls(rgmanager_t)
+kernel_search_debugfs(rgmanager_t)
+kernel_search_network_state(rgmanager_t)
+
+corecmd_exec_bin(rgmanager_t)
+corecmd_exec_shell(rgmanager_t)
+consoletype_exec(rgmanager_t)
+
+# need to write to /dev/misc/dlm-control
+dev_rw_dlm_control(rgmanager_t)
+dev_setattr_dlm_control(rgmanager_t)
+dev_search_sysfs(rgmanager_t)
+
+domain_read_all_domains_state(rgmanager_t)
+domain_getattr_all_domains(rgmanager_t)
+domain_dontaudit_ptrace_all_domains(rgmanager_t)
+
+files_list_all(rgmanager_t)
+files_getattr_all_symlinks(rgmanager_t)
+files_manage_mnt_dirs(rgmanager_t)
+files_manage_isid_type_dirs(rgmanager_t)
+
+fs_getattr_xattr_fs(rgmanager_t)
+fs_getattr_all_fs(rgmanager_t)
+
+storage_getattr_fixed_disk_dev(rgmanager_t)
+
+term_getattr_pty_fs(rgmanager_t)
+#term_use_ptmx(rgmanager_t)
+
+# needed by resources scripts
+auth_read_all_files_except_shadow(rgmanager_t)
+auth_dontaudit_getattr_shadow(rgmanager_t)
+auth_use_nsswitch(rgmanager_t)
+
+libs_use_ld_so(rgmanager_t)
+libs_use_shared_libs(rgmanager_t)
+
+logging_send_syslog_msg(rgmanager_t)
+
+miscfiles_read_localization(rgmanager_t)
+
+mount_domtrans(rgmanager_t)
+
+tunable_policy(`rgmanager_can_network_connect',`
+ corenet_tcp_connect_all_ports(rgmanager_t)
+')
+
+# rgmanager can run resource scripts
+optional_policy(`
+ aisexec_stream_connect(rgmanager_t)
+ corosync_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ apache_domtrans(rgmanager_t)
+ apache_signal(rgmanager_t)
+')
+
+optional_policy(`
+ fstools_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ groupd_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ hostname_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ccs_manage_config(rgmanager_t)
+ ccs_stream_connect(rgmanager_t)
+ gfs_controld_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ lvm_domtrans(rgmanager_t)
+')
+
+optional_policy(`
+ mysql_domtrans_mysql_safe(rgmanager_t)
+ mysql_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ netutils_domtrans(rgmanager_t)
+ netutils_domtrans_ping(rgmanager_t)
+')
+
+optional_policy(`
+ postgresql_domtrans(rgmanager_t)
+ postgresql_signal(rgmanager_t)
+')
+
+optional_policy(`
+ rdisc_exec(rgmanager_t)
+')
+
+optional_policy(`
+ ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
+')
+
+optional_policy(`
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
+
+ rpc_domtrans_nfsd(rgmanager_t)
+ rpc_domtrans_rpcd(rgmanager_t)
+ rpc_manage_nfs_state_data(rgmanager_t)
+')
+
+optional_policy(`
+ samba_initrc_domtrans(rgmanager_t)
+ samba_domtrans_smbd(rgmanager_t)
+ samba_domtrans_nmbd(rgmanager_t)
+ samba_manage_var_files(rgmanager_t)
+ samba_rw_config(rgmanager_t)
+ samba_signal_smbd(rgmanager_t)
+ samba_signal_nmbd(rgmanager_t)
+')
+
+optional_policy(`
+ sysnet_domtrans_ifconfig(rgmanager_t)
+')
+
+optional_policy(`
+ udev_read_db(rgmanager_t)
+')
+
+optional_policy(`
+ virt_stream_connect(rgmanager_t)
+')
+
+optional_policy(`
+ unconfined_domain(rgmanager_t)
+')
+
+optional_policy(`
+ xen_domtrans_xm(rgmanager_t)
+')
diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
new file mode 100644
index 0000000..c2ba53b
--- /dev/null
+++ b/policy/modules/services/rhcs.fc
@@ -0,0 +1,22 @@
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
+
+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
+
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
+
+/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
+/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+
+/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
new file mode 100644
index 0000000..1516fcd
--- /dev/null
+++ b/policy/modules/services/rhcs.if
@@ -0,0 +1,415 @@
+## <summary>SELinux policy for RHCS - Red Hat Cluster Suite </summary>
+
+#######################################
+## <summary>
+## Creates types and rules for a basic
+## rhcs init daemon domain.
+## </summary>
+## <param name="prefix">
+## <summary>
+## Prefix for the domain.
+## </summary>
+## </param>
+#
+template(`rhcs_domain_template',`
+ gen_require(`
+ attribute cluster_domain;
+ ')
+
+ ##############################
+ #
+ # $1_t declarations
+ #
+
+ type $1_t, cluster_domain;
+ type $1_exec_t;
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
+ # log files
+ type $1_var_log_t;
+ logging_log_file($1_var_log_t)
+
+ # pid files
+ type $1_var_run_t;
+ files_pid_file($1_var_run_t)
+
+ ##############################
+ #
+ # $1_t local policy
+ #
+
+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
+
+ manage_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
+ logging_log_filetrans($1_t, $1_var_log_t, { file sock_file })
+
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
+
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run dlm_controld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dlm_controld_domtrans',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
+')
+
+#####################################
+## <summary>
+## Connect to dlm_controld over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dlm_controld_stream_connect',`
+ gen_require(`
+ type dlm_controld_t, dlm_controld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to dlm_controld semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dlm_controld_rw_semaphores',`
+ gen_require(`
+ type dlm_controld_t;
+ ')
+
+ allow $1 dlm_controld_t:sem { rw_sem_perms destroy };
+')
+
+#####################################
+## <summary>
+## Manage dlm_controld tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dlm_controld_manage_tmpfs_files',`
+ gen_require(`
+ type dlm_controld_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run fenced.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fenced_domtrans',`
+ gen_require(`
+ type fenced_t, fenced_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, fenced_exec_t, fenced_t)
+')
+
+######################################
+## <summary>
+## Allow read and write access to fenced semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fenced_rw_semaphores',`
+ gen_require(`
+ type fenced_t;
+ ')
+
+ allow $1 fenced_t:sem { rw_sem_perms destroy };
+')
+
+######################################
+## <summary>
+## Connect to fenced over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fenced_stream_connect',`
+ gen_require(`
+ type fenced_var_run_t, fenced_t;
+ ')
+
+ allow $1 fenced_t:unix_stream_socket connectto;
+ allow $1 fenced_var_run_t:sock_file { getattr write };
+ files_search_pids($1)
+')
+
+#####################################
+## <summary>
+## Managed fenced tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fenced_manage_tmpfs_files',`
+ gen_require(`
+ type fenced_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
+')
+
+#####################################
+## <summary>
+## Execute a domain transition to run gfs_controld.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gfs_controld_domtrans',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
+')
+
+###################################
+## <summary>
+## Manage gfs_controld tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gfs_controld_manage_tmpfs_files',`
+ gen_require(`
+ type gfs_controld_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
+')
+
+####################################
+## <summary>
+## Allow read and write access to gfs_controld semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gfs_controld_rw_semaphores',`
+ gen_require(`
+ type gfs_controld_t;
+ ')
+
+ allow $1 gfs_controld_t:sem { rw_sem_perms destroy };
+')
+
+########################################
+## <summary>
+## Read and write to gfs_controld_t shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gfs_controld_t_rw_shm',`
+ gen_require(`
+ type gfs_controld_t;
+ ')
+
+ allow $1 gfs_controld_t:shm { rw_shm_perms destroy };
+')
+
+#####################################
+## <summary>
+## Connect to gfs_controld_t over an unix domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gfs_controld_stream_connect',`
+ gen_require(`
+ type gfs_controld_t, gfs_controld_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run groupd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`groupd_domtrans',`
+ gen_require(`
+ type groupd_t, groupd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, groupd_exec_t, groupd_t)
+')
+
+#####################################
+## <summary>
+## Connect to groupd over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`groupd_stream_connect',`
+ gen_require(`
+ type groupd_t, groupd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
+')
+
+#####################################
+## <summary>
+## Allow read and write access to groupd semaphores.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`groupd_rw_semaphores',`
+ gen_require(`
+ type groupd_t;
+ ')
+
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
+')
+
+########################################
+## <summary>
+## Read and write to group shared memory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`groupd_rw_shm',`
+ gen_require(`
+ type groupd_t;
+ ')
+
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
+')
+
+#####################################
+## <summary>
+## Manage groupd tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`groupd_manage_tmpfs_files',`
+ gen_require(`
+ type groupd_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
+')
+
+######################################
+## <summary>
+## Execute a domain transition to run qdiskd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qdiskd_domtrans',`
+ gen_require(`
+ type qdiskd_t, qdiskd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
+')
diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
new file mode 100644
index 0000000..3fa9819
--- /dev/null
+++ b/policy/modules/services/rhcs.te
@@ -0,0 +1,247 @@
+
+policy_module(rhcs, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow fenced domain to connect to the network using TCP.
+## </p>
+## </desc>
+gen_tunable(fenced_can_network_connect, false)
+
+attribute cluster_domain;
+
+rhcs_domain_template(dlm_controld)
+
+rhcs_domain_template(fenced)
+
+type fenced_lock_t;
+files_lock_file(fenced_lock_t)
+
+# tmp files
+type fenced_tmp_t;
+files_tmp_file(fenced_tmp_t)
+
+rhcs_domain_template(gfs_controld)
+
+rhcs_domain_template(groupd)
+
+rhcs_domain_template(qdiskd)
+
+# var/lib files
+type qdiskd_var_lib_t;
+files_type(qdiskd_var_lib_t)
+
+#####################################
+#
+# dlm_controld local policy
+#
+
+allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
+
+allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+kernel_read_system_state(dlm_controld_t)
+
+dev_rw_dlm_control(dlm_controld_t)
+dev_rw_sysfs(dlm_controld_t)
+
+fs_manage_configfs_files(dlm_controld_t)
+fs_manage_configfs_dirs(dlm_controld_t)
+
+init_rw_script_tmp_files(dlm_controld_t)
+
+optional_policy(`
+ ccs_stream_connect(dlm_controld_t)
+')
+
+#######################################
+#
+# fenced local policy
+#
+
+allow fenced_t self:capability { sys_rawio sys_resource };
+allow fenced_t self:process getsched;
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
+
+can_exec(fenced_t, fenced_exec_t)
+
+manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
+files_lock_filetrans(fenced_t, fenced_lock_t, file)
+
+# tmp files
+manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
+files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
+
+stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+corecmd_exec_bin(fenced_t)
+
+corenet_tcp_connect_http_port(fenced_t)
+
+dev_read_sysfs(fenced_t)
+dev_read_urand(fenced_t)
+
+files_read_usr_symlinks(fenced_t)
+
+storage_raw_read_fixed_disk(fenced_t)
+storage_raw_write_fixed_disk(fenced_t)
+storage_raw_read_removable_device(fenced_t)
+
+term_getattr_pty_fs(fenced_t)
+term_use_ptmx(fenced_t)
+
+auth_use_nsswitch(fenced_t)
+
+tunable_policy(`fenced_can_network_connect',`
+ corenet_tcp_connect_all_ports(fenced_t)
+')
+
+optional_policy(`
+ ccs_read_config(fenced_t)
+ ccs_stream_connect(fenced_t)
+')
+
+optional_policy(`
+ lvm_domtrans(fenced_t)
+ lvm_read_config(fenced_t)
+')
+
+######################################
+#
+# gfs_controld local policy
+#
+
+allow gfs_controld_t self:capability { net_admin sys_resource };
+
+allow gfs_controld_t self:shm create_shm_perms;
+allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
+stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
+stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
+
+kernel_read_system_state(gfs_controld_t)
+
+dev_rw_dlm_control(gfs_controld_t)
+dev_setattr_dlm_control(gfs_controld_t)
+dev_rw_sysfs(gfs_controld_t)
+
+storage_getattr_removable_dev(gfs_controld_t)
+
+init_rw_script_tmp_files(gfs_controld_t)
+
+optional_policy(`
+ ccs_stream_connect(gfs_controld_t)
+')
+
+optional_policy(`
+ lvm_exec(gfs_controld_t)
+ dev_rw_lvm_control(gfs_controld_t)
+')
+
+#######################################
+#
+# groupd local policy
+#
+
+allow groupd_t self:capability { sys_nice sys_resource };
+allow groupd_t self:process setsched;
+
+allow groupd_t self:shm create_shm_perms;
+
+dev_list_sysfs(groupd_t)
+
+files_read_etc_files(groupd_t)
+
+init_rw_script_tmp_files(groupd_t)
+
+######################################
+#
+# qdiskd local policy
+#
+
+allow qdiskd_t self:capability ipc_lock;
+
+allow qdiskd_t self:tcp_socket create_stream_socket_perms;
+allow qdiskd_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t, qdiskd_var_lib_t)
+files_var_lib_filetrans(qdiskd_t, qdiskd_var_lib_t, { file dir sock_file })
+
+kernel_read_system_state(qdiskd_t)
+kernel_read_software_raid_state(qdiskd_t)
+kernel_getattr_core_if(qdiskd_t)
+
+corecmd_getattr_bin_files(qdiskd_t)
+corecmd_exec_shell(qdiskd_t)
+
+dev_read_sysfs(qdiskd_t)
+dev_list_all_dev_nodes(qdiskd_t)
+dev_getattr_all_blk_files(qdiskd_t)
+dev_getattr_all_chr_files(qdiskd_t)
+dev_manage_generic_blk_files(qdiskd_t)
+dev_manage_generic_chr_files(qdiskd_t)
+
+domain_dontaudit_getattr_all_pipes(qdiskd_t)
+domain_dontaudit_getattr_all_sockets(qdiskd_t)
+
+files_dontaudit_getattr_all_sockets(qdiskd_t)
+files_dontaudit_getattr_all_pipes(qdiskd_t)
+files_read_etc_files(qdiskd_t)
+
+storage_raw_read_removable_device(qdiskd_t)
+storage_raw_write_removable_device(qdiskd_t)
+storage_raw_read_fixed_disk(qdiskd_t)
+storage_raw_write_fixed_disk(qdiskd_t)
+
+auth_use_nsswitch(qdiskd_t)
+
+optional_policy(`
+ ccs_stream_connect(qdiskd_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(qdiskd_t)
+')
+
+optional_policy(`
+ udev_read_db(qdiskd_t)
+')
+
+#####################################
+#
+# rhcs domains common policy
+#
+
+allow cluster_domain self:capability { sys_nice };
+allow cluster_domain self:process setsched;
+
+allow cluster_domain self:sem create_sem_perms;
+allow cluster_domain self:fifo_file rw_fifo_file_perms;
+allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
+allow cluster_domain self:unix_dgram_socket create_socket_perms;
+
+libs_use_ld_so(cluster_domain)
+libs_use_shared_libs(cluster_domain)
+
+logging_send_syslog_msg(cluster_domain)
+
+miscfiles_read_localization(cluster_domain)
+
+optional_policy(`
+ corosync_stream_connect(cluster_domain)
+')
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index cf414fa..c759445 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -194,7 +194,7 @@ optional_policy(`
# ricci_modcluster local policy
#
-allow ricci_modcluster_t self:capability sys_nice;
+allow ricci_modcluster_t self:capability { net_bind_service sys_nice };
allow ricci_modcluster_t self:process setsched;
allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms;
@@ -204,6 +204,9 @@ kernel_read_system_state(ricci_modcluster_t)
corecmd_exec_shell(ricci_modcluster_t)
corecmd_exec_bin(ricci_modcluster_t)
+corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
+corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
+
domain_read_all_domains_state(ricci_modcluster_t)
files_search_locks(ricci_modcluster_t)
@@ -216,17 +219,22 @@ init_domtrans_script(ricci_modcluster_t)
logging_send_syslog_msg(ricci_modcluster_t)
-consoletype_exec(ricci_modcluster_t)
-
miscfiles_read_localization(ricci_modcluster_t)
modutils_domtrans_insmod(ricci_modcluster_t)
mount_domtrans(ricci_modcluster_t)
+consoletype_exec(ricci_modcluster_t)
+
ricci_stream_connect_modclusterd(ricci_modcluster_t)
optional_policy(`
+ aisexec_stream_connect(ricci_modcluster_t)
+ corosync_stream_connect(ricci_modcluster_t)
+')
+
+optional_policy(`
ccs_stream_connect(ricci_modcluster_t)
ccs_domtrans(ricci_modcluster_t)
ccs_manage_config(ricci_modcluster_t)
@@ -245,6 +253,10 @@ optional_policy(`
')
optional_policy(`
+ rgmanager_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
# XXX This has got to go.
unconfined_domain(ricci_modcluster_t)
')
@@ -259,11 +271,11 @@ allow ricci_modclusterd_t self:process { signal sigkill setsched };
allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
-allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms;
# cjp: this needs to be fixed for a specific socket type:
allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
+allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
# log files
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
@@ -294,6 +306,8 @@ files_read_etc_runtime_files(ricci_modclusterd_t)
fs_getattr_xattr_fs(ricci_modclusterd_t)
+auth_use_nsswitch(ricci_modclusterd_t)
+
init_stream_connect_script(ricci_modclusterd_t)
locallogin_dontaudit_use_fds(ricci_modclusterd_t)
@@ -303,7 +317,11 @@ logging_send_syslog_msg(ricci_modclusterd_t)
miscfiles_read_localization(ricci_modclusterd_t)
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
-sysnet_dns_name_resolve(ricci_modclusterd_t)
+
+optional_policy(`
+ aisexec_stream_connect(ricci_modclusterd_t)
+ corosync_stream_connect(ricci_modclusterd_t)
+')
optional_policy(`
ccs_domtrans(ricci_modclusterd_t)
@@ -312,6 +330,10 @@ optional_policy(`
')
optional_policy(`
+ rgmanager_stream_connect(ricci_modclusterd_t)
+')
+
+optional_policy(`
unconfined_use_fds(ricci_modclusterd_t)
')
@@ -457,6 +479,11 @@ consoletype_exec(ricci_modstorage_t)
mount_domtrans(ricci_modstorage_t)
optional_policy(`
+ aisexec_stream_connect(ricci_modstorage_t)
+ corosync_stream_connect(ricci_modstorage_t)
+')
+
+optional_policy(`
ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)
')
More information about the scm-commits
mailing list