[rubygem-openshift-origin-common/f18] Initial Fedora 18 import
Brenton Leanhardt
brenton at fedoraproject.org
Tue Aug 21 12:29:49 UTC 2012
commit 1d86a01b76fc53f26d34f2ed5fd39d5ccc760f50
Author: Brenton Leanhardt <bleanhar at redhat.com>
Date: Tue Aug 21 08:29:19 2012 -0400
Initial Fedora 18 import
.gitignore | 1 +
openshift-origin-common_gemspec_fixes.patch | 20 +
rubygem-openshift-origin-common.spec | 164 ++++++++
sources | 1 +
stickshift.fc | 15 +
stickshift.if | 20 +
stickshift.te | 581 +++++++++++++++++++++++++++
7 files changed, 802 insertions(+), 0 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e69de29..24d1f5d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/openshift-origin-common-0.13.3.gem
diff --git a/openshift-origin-common_gemspec_fixes.patch b/openshift-origin-common_gemspec_fixes.patch
new file mode 100644
index 0000000..9816afa
--- /dev/null
+++ b/openshift-origin-common_gemspec_fixes.patch
@@ -0,0 +1,20 @@
+diff -ru openshift-origin-common-0.13.3/openshift-origin-common.gemspec openshift-origin-common-0.13.3.new/openshift-origin-common.gemspec
+--- openshift-origin-common-0.13.3/openshift-origin-common.gemspec 2012-08-10 08:23:17.655787793 -0400
++++ openshift-origin-common-0.13.3.new/openshift-origin-common.gemspec 2012-08-10 08:25:09.228926811 -0400
+@@ -8,7 +8,7 @@
+ s.license = 'ASL 2.0'
+ s.authors = ["Krishna Raman"]
+ s.email = ["kraman at gmail.com"]
+- s.homepage = "http://www.openshift.com"
++ s.homepage = "http://openshift.redhat.com"
+ s.summary = %q{Cloud Development Common}
+ s.description = %q{Cloud Development Common}
+
+@@ -19,7 +19,6 @@
+
+ s.add_dependency("json")
+ s.add_dependency("activemodel")
+- s.add_dependency("mongo")
+
+ s.add_development_dependency('rcov')
+ end
diff --git a/rubygem-openshift-origin-common.spec b/rubygem-openshift-origin-common.spec
new file mode 100644
index 0000000..1e5ee39
--- /dev/null
+++ b/rubygem-openshift-origin-common.spec
@@ -0,0 +1,164 @@
+%global gem_name openshift-origin-common
+
+# Conditionally set required macros for distros without rubygems-devel This can
+# be removed once https://bugzilla.redhat.com/show_bug.cgi?id=788001 is
+# resolved.
+%if 0%{?el6}%{?fc16}
+%global rubyabi 1.8
+%global gem_dir %(ruby -rubygems -e 'puts Gem::dir' 2>/dev/null)
+%global gem_cache %{gem_dir}/cache/%{gem_name}-%{version}.gem
+%global gem_docdir %{gem_dir}/doc/%{gem_name}-%{version}
+%global gem_instdir %{gem_dir}/gems/%{gem_name}-%{version}
+%global gem_libdir %{gem_instdir}/lib
+%global gem_spec %{gem_dir}/specifications/%{gem_name}-%{version}.gemspec
+%endif
+
+%global selinux_variants mls strict targeted
+
+Summary: Common library code for OpenShift subsystem
+Name: rubygem-%{gem_name}
+Version: 0.13.3
+Release: 7%{?dist}
+Group: Development/Tools
+License: ASL 2.0
+URL: http://openshift.redhat.com
+Source0: http://mirror.openshift.com/pub/openshift-origin/source/rubygem-%{gem_name}/%{gem_name}-%{version}.gem
+Source1: stickshift.fc
+Source2: stickshift.if
+Source3: stickshift.te
+# https://github.com/openshift/crankcase/pull/357
+Patch0: openshift-origin-common_gemspec_fixes.patch
+Requires: ruby(abi) >= 1.8
+Requires: rubygems
+Requires: rubygem(activemodel)
+Requires: rubygem(json)
+Requires: selinux-policy
+
+BuildRequires: ruby-devel
+%if 0%{?rhel} == 6
+BuildRequires: rubygems
+%else
+BuildRequires: rubygems-devel
+%endif
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+BuildRequires: hardlink
+BuildArch: noarch
+Provides: rubygem(%{gem_name}) = %version
+
+%description
+This packages contains common library code for the OpenShift
+subsystem.
+
+%prep
+gem unpack %{SOURCE0}
+%setup -q -D -T -n %{gem_name}-%{version}
+%patch0 -p1
+
+mkdir SELinux
+cp %{SOURCE1} %{SOURCE2} %{SOURCE3} SELinux
+
+%build
+mkdir -p .%{gem_dir}
+
+# Create the gem as gem install only works on a gem file
+gem build %{gem_name}.gemspec
+
+export CONFIGURE_ARGS="--with-cflags='%{optflags}'"
+# gem install compiles any C extensions and installs into a directory
+# We set that to be a local directory so that we can move it into the
+# buildroot in %%install
+gem install -V \
+ --local \
+ --install-dir ./%{gem_dir} \
+ --bindir ./%{_bindir} \
+ --force \
+ --rdoc \
+ %{gem_name}-%{version}.gem
+
+%install
+mkdir -p %{buildroot}%{gem_dir}
+cp -a ./%{gem_dir}/* %{buildroot}%{gem_dir}/
+
+mkdir -p %{buildroot}/usr/share/selinux/packages/%{name}
+cd SELinux
+make -f %{_datadir}/selinux/devel/Makefile
+install -p -m 644 -D stickshift.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/stickshift.pp
+make -f %{_datadir}/selinux/devel/Makefile clean
+cd -
+
+/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
+
+%files
+%dir %{gem_instdir}
+%doc %{gem_instdir}/LICENSE
+%doc %{gem_instdir}/COPYRIGHT
+%doc %{gem_docdir}
+%doc %{gem_instdir}/Gemfile
+%doc %{gem_instdir}/Rakefile
+%doc %{gem_instdir}/README.md
+%doc %{gem_instdir}/%{gem_name}.gemspec
+%{gem_spec}
+%{_datadir}/selinux/packages/%{name}/
+%exclude %{gem_cache}
+%exclude %{gem_libdir}
+%exclude %{gem_instdir}/%{name}.spec
+
+%post
+if [ "$1" -le "1" ] ; then # First install
+semodule -i %{_datadir}/selinux/packages/%{name}/stickshift.pp 2>/dev/null || :
+fixfiles -R rubygem-stickshift-common restore
+fi
+
+%preun
+if [ "$1" -lt "1" ] ; then # Final removal
+semodule -r stickshift 2>/dev/null || :
+fi
+
+%postun
+if [ "$1" -ge "1" ] ; then # Upgrade
+semodule -i %{_datadir}/selinux/packages/%{name}/stickshift.pp 2>/dev/null || :
+# TODO
+# What other packages should be added here? Probably anything that could be
+# affected by stickshift.fc, right?
+fixfiles -R rubygem-stickshift-common restore
+fi
+
+%changelog
+* Thu Aug 16 2012 Brenton Leanhardt <bleanhar at redhat.com> - 0.13.3-7
+- Using rubygem-devel macros and the exclude macro
+- Removed SELinux dir from package
+
+* Wed Aug 15 2012 Brenton Leanhardt <bleanhar at redhat.com> - 0.13.3-6
+- Keeping the LICENSE and COPYRIGHT file in their original locations
+
+* Fri Aug 10 2012 Brenton Leanhardt <bleanhar at redhat.com> 0.13.3-5
+- Added patch to remove unneeded rubygem-mongo from gemspec and fix project homepage
+- Removed uneeded policycoreutils-python require
+
+* Mon Aug 06 2012 Brenton Leanhardt <bleanhar at redhat.com> 0.13.3-4
+- Removed unneeded rubygem-mongo dependency
+- Removed unneeded make BuildRequire
+- Removed unneeded BuildRoot tag
+- Removed unneeded defattr usage
+- Removed unneeded clean section
+- Removed unneeded cached gem
+- Changed RPM_BUILD_ROOT to buildroot for consistency
+
+* Thu Aug 02 2012 Troy Dawson <tdawson at redhat.com> 0.13.3-1
+- Renamed package to openshift-origin-node
+- Updated to the latest upstream stable release
+- Added LICENSE and COPYRIGHT to doc
+
+* Fri Jul 20 2012 Brenton Leanhardt <bleanhar at redhat.com> 0.13.1-3
+- Switched Source0 to gem
+
+* Wed Jul 18 2012 Brenton Leanhardt <bleanhar at redhat.com> 0.13.1-2
+- Added ruby-devel and rubygem-devel build requires and replaced the
+ ruby_sitelib and geminstdir macros with the standard macros.
+- Renamed %%gemname to %%gem_name so %%geminstdir will work correctly.
+- Fixed several file mode problems with libraries
+
+* Mon Jul 09 2012 Brenton Leanhardt <bleanhar at redhat.com> 0.13.1-1
+- Initial package creation for Fedora
+- Removed rcov
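Review bot: The `fixfiles -R rubygem-stickshift-common restore` calls in `%post` and `%postun` name a package that is not the one being built (`Name: rubygem-%{gem_name}` expands to rubygem-openshift-origin-common), so fixfiles finds no file list and nothing is relabeled after the module loads; the 0.13.3-1 changelog entry mentions a rename, which is presumably where the stale name comes from. Even with `%{name}`, this package owns only the gem directory and the .pp file, while stickshift.fc labels /var/lib/stickshift, /etc/httpd/conf.d/stickshift, /var/log/stickshift and the mcollective paths, so a package-scoped fixfiles would still not touch them; relabeling those paths directly, e.g. `restorecon -R /var/lib/stickshift /etc/httpd/conf.d/stickshift /var/log/stickshift 2>/dev/null || :`, is closer to what the TODO at the end of `%postun` asks for. Separately, `semodule -i ... 2>/dev/null || :` discards a failed policy load; for a package whose purpose is to ship that policy this is worth at least surfacing, e.g. `|| echo "warning: failed to load stickshift SELinux module" >&2`.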
diff --git a/sources b/sources
index e69de29..8e9ac71 100644
--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+e8c3b740b2bf8f6cd2149c4928766d14 openshift-origin-common-0.13.3.gem
diff --git a/stickshift.fc b/stickshift.fc
new file mode 100644
index 0000000..fcc9961
--- /dev/null
+++ b/stickshift.fc
@@ -0,0 +1,15 @@
+/var/lib/stickshift(/.*)? gen_context(system_u:object_r:stickshift_file_t,s0)
+
+/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+
+/etc/httpd/conf.d/stickshift gen_context(system_u:object_r:httpd_config_t,s0)
+
+/usr/sbin/mcollectived -- gen_context(system_u:object_r:mcollectived_exec_t,s0)
+
+/var/lock/ss-create -- gen_context(system_u:object_r:mcollectived_lock_t,s0)
+
+/var/log/mcollective\.log -- gen_context(system_u:object_r:mcollectived_log_t,s0)
+
+/var/run/mcollective\.pid -- gen_context(system_u:object_r:mcollectived_var_run_t,s0)
+
+/var/log/stickshift/user_action\.log -- gen_context(system_u:object_r:httpd_log_t,s0)
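Review bot: No entry in this file assigns `stickshift_exec_t`, yet the .te declares that type and builds its domain transitions on it (`domtrans_pattern(mcollectived_t, stickshift_exec_t, stickshift_t)` and the unconfined_t variant), so unless another module's file contexts label the node helper executables, nothing on disk will carry stickshift_exec_t and the transitions into stickshift_t never fire. If those executables ship in this or a sibling package, an entry of the form `/path/to/stickshift/helpers/.*  --  gen_context(system_u:object_r:stickshift_exec_t,s0)` belongs here; if they are labeled elsewhere, a one-line comment saying where would save the next reader the search.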
diff --git a/stickshift.if b/stickshift.if
new file mode 100644
index 0000000..928d9b4
--- /dev/null
+++ b/stickshift.if
@@ -0,0 +1,20 @@
+## <summary></summary>
+########################################
+## <summary>
+## Transition to mcollectived.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`stickshift_domtrans_mcollectived',`
+ gen_require(`
+ type mcollectived_t, mcollectived_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mcollectived_exec_t, mcollectived_t)
+')
+
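Review bot: The module summary on the first line (`## <summary></summary>`) is empty, so the generated interface documentation carries no description of what this module is for; something along the lines of `## <summary>OpenShift Origin node (stickshift) policy: mcollectived daemon and stickshift helper domains</summary>` would fill it from what the .te declares. The `stickshift_domtrans_mcollectived` interface itself follows the standard domtrans shape and reads fine.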
diff --git a/stickshift.te b/stickshift.te
new file mode 100644
index 0000000..153a12d
--- /dev/null
+++ b/stickshift.te
@@ -0,0 +1,581 @@
+policy_module(stickshift, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type mcollectived_t;
+type mcollectived_exec_t;
+init_daemon_domain(mcollectived_t, mcollectived_exec_t)
+init_ranged_daemon_domain(mcollectived_t, mcollectived_exec_t, s0 - mcs_systemhigh)
+
+type mcollectived_log_t;
+logging_log_file(mcollectived_log_t)
+
+type mcollectived_tmp_t;
+files_tmp_file(mcollectived_tmp_t)
+
+type mcollectived_var_run_t;
+files_pid_file(mcollectived_var_run_t)
+
+type mcollectived_lock_t;
+files_lock_file(mcollectived_lock_t)
+
+type stickshift_t;
+type stickshift_exec_t;
+application_domain(stickshift_t, stickshift_exec_t)
+role system_r types stickshift_t;
+
+type stickshift_tmp_t;
+files_tmp_file(stickshift_tmp_t)
+
+mcs_process_set_categories(stickshift_t)
+
+type stickshift_file_t;
+files_type(stickshift_file_t)
+
+########################################
+#
+# mcollectived local policy
+#
+#permissive stickshift_t;
+unconfined_domain(stickshift_t)
+
+allow stickshift_t self:capability { setuid audit_write dac_override sys_nice chown fsetid setgid fowner sys_ptrace };
+allow stickshift_t self:process { execmem getcap setpgid setsched signal_perms setexec setfscreate };
+allow stickshift_t self:fifo_file rw_fifo_file_perms;
+allow stickshift_t self:key write;
+allow stickshift_t self:netlink_audit_socket { nlmsg_relay create };
+allow stickshift_t self:sem create_sem_perms;
+allow stickshift_t self:shm create_shm_perms;
+allow stickshift_t self:tcp_socket create_stream_socket_perms;
+allow stickshift_t self:udp_socket create_socket_perms;
+allow stickshift_t self:unix_dgram_socket create_socket_perms;
+allow stickshift_t self:unix_stream_socket { connectto create_stream_socket_perms};
+
+kernel_read_kernel_sysctls(stickshift_t)
+kernel_read_system_state(stickshift_t)
+
+manage_dirs_pattern(stickshift_t, stickshift_tmp_t, stickshift_tmp_t)
+manage_files_pattern(stickshift_t, stickshift_tmp_t, stickshift_tmp_t)
+manage_sock_files_pattern(stickshift_t, stickshift_tmp_t, stickshift_tmp_t)
+manage_lnk_files_pattern(stickshift_t, stickshift_tmp_t, stickshift_tmp_t)
+files_tmp_filetrans(stickshift_t, stickshift_tmp_t, { file dir sock_file })
+can_exec(stickshift_t, stickshift_tmp_t)
+
+manage_files_pattern(stickshift_t, stickshift_file_t, stickshift_file_t)
+manage_sock_files_pattern(stickshift_t, stickshift_file_t, stickshift_file_t)
+manage_dirs_pattern(stickshift_t, stickshift_file_t, stickshift_file_t)
+manage_lnk_files_pattern(stickshift_t, stickshift_file_t, stickshift_file_t)
+can_exec(stickshift_t, stickshift_file_t)
+
+corecmd_exec_bin(stickshift_t)
+corecmd_exec_shell(stickshift_t)
+corecmd_exec_all_executables(stickshift_t)
+
+corenet_tcp_bind_all_ports(stickshift_t)
+corenet_tcp_connect_all_ports(stickshift_t)
+
+dev_read_kmsg(stickshift_t)
+dev_read_rand(stickshift_t)
+dev_read_raw_memory(stickshift_t)
+dev_read_urand(stickshift_t)
+dev_getattr_all_blk_files(stickshift_t)
+dev_getattr_all_chr_files(stickshift_t)
+
+term_getattr_all_ptys(stickshift_t)
+term_getattr_all_ttys(stickshift_t)
+
+domain_read_all_domains_state(stickshift_t)
+domain_getattr_all_sockets(stickshift_t)
+domain_getattr_all_pipes(stickshift_t)
+
+files_getattr_all_sockets(stickshift_t)
+files_getattr_all_files(stickshift_t)
+files_getattr_all_pipes(stickshift_t)
+files_read_etc_files(stickshift_t)
+files_read_etc_runtime_files(stickshift_t)
+files_read_usr_files(stickshift_t)
+files_read_var_lib_files(stickshift_t)
+
+application_exec_all(stickshift_t)
+
+auth_use_nsswitch(stickshift_t)
+
+logging_send_syslog_msg(stickshift_t)
+
+init_stream_connect(stickshift_t)
+
+miscfiles_read_localization(stickshift_t)
+miscfiles_read_fonts(stickshift_t)
+
+selinux_compute_access_vector(stickshift_t)
+
+optional_policy(`
+ abrt_stream_connect(stickshift_t)
+')
+
+ifdef(`colord_read_lib_files',`
+ optional_policy(`
+ colord_read_lib_files(stickshift_t)
+ ')
+')
+
+optional_policy(`
+ apache_exec_modules(stickshift_t)
+ apache_list_modules(stickshift_t)
+ apache_read_config(stickshift_t)
+')
+
+optional_policy(`
+ cups_stream_connect(stickshift_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(stickshift_t)
+')
+
+optional_policy(`
+ mysql_read_config(stickshift_t)
+')
+
+optional_policy(`
+ setroubleshoot_stream_connect(stickshift_t)
+')
+
+ifdef(`systemd_dbus_chat_logind',`
+ optional_policy(`
+ systemd_dbus_chat_logind(stickshift_t)
+ systemd_write_inherited_logind_sessions_pipes(stickshift_t)
+ ')
+')
+
+########################################
+#
+# stickshift local policy
+#
+permissive mcollectived_t;
+allow mcollectived_t self:capability { chown dac_override fsetid kill };
+allow mcollectived_t self:process { signal_perms setcap setexec };
+allow mcollectived_t self:fifo_file rw_fifo_file_perms;
+allow mcollectived_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow mcollectived_t self:tcp_socket create_stream_socket_perms;
+allow mcollectived_t self:udp_socket create_socket_perms;
+
+#for testing
+domtrans_pattern(unconfined_t, stickshift_exec_t, stickshift_t)
+allow unconfined_t stickshift_t:process { signull signal sigkill };
+
+domtrans_pattern(mcollectived_t, stickshift_exec_t, stickshift_t)
+allow mcollectived_t stickshift_t:process { signull signal sigkill };
+
+manage_dirs_pattern(mcollectived_t, stickshift_file_t, stickshift_file_t)
+manage_files_pattern(mcollectived_t, stickshift_file_t, stickshift_file_t)
+manage_lnk_files_pattern(mcollectived_t, stickshift_file_t, stickshift_file_t)
+manage_sock_files_pattern(mcollectived_t, stickshift_file_t, stickshift_file_t)
+
+manage_files_pattern(mcollectived_t, mcollectived_log_t, mcollectived_log_t)
+manage_dirs_pattern(mcollectived_t, mcollectived_log_t, mcollectived_log_t)
+manage_lnk_files_pattern(mcollectived_t, mcollectived_log_t, mcollectived_log_t)
+logging_log_filetrans(mcollectived_t, mcollectived_log_t, { file dir })
+
+manage_files_pattern(mcollectived_t, mcollectived_tmp_t, mcollectived_tmp_t)
+manage_dirs_pattern(mcollectived_t, mcollectived_tmp_t, mcollectived_tmp_t)
+manage_lnk_files_pattern(mcollectived_t, mcollectived_tmp_t, mcollectived_tmp_t)
+files_tmp_filetrans(mcollectived_t, mcollectived_tmp_t, { file dir })
+
+manage_files_pattern(mcollectived_t, mcollectived_lock_t, mcollectived_lock_t)
+manage_dirs_pattern(mcollectived_t, mcollectived_lock_t, mcollectived_lock_t)
+manage_lnk_files_pattern(mcollectived_t, mcollectived_lock_t, mcollectived_lock_t)
+files_lock_filetrans(mcollectived_t, mcollectived_lock_t, { file dir })
+
+manage_files_pattern(mcollectived_t, mcollectived_var_run_t, mcollectived_var_run_t)
+manage_dirs_pattern(mcollectived_t, mcollectived_var_run_t, mcollectived_var_run_t)
+manage_lnk_files_pattern(mcollectived_t, mcollectived_var_run_t, mcollectived_var_run_t)
+files_pid_filetrans(mcollectived_t, mcollectived_var_run_t, { file dir })
+
+kernel_getattr_message_if(stickshift_t)
+kernel_read_network_state(stickshift_t)
+kernel_read_software_raid_state(stickshift_t)
+kernel_read_kernel_sysctls(mcollectived_t)
+kernel_read_system_state(mcollectived_t)
+
+corecmd_exec_bin(mcollectived_t)
+corecmd_exec_shell(mcollectived_t)
+
+corecmd_bin_entry_type(stickshift_t)
+
+corenet_tcp_connect_amqp_port(mcollectived_t)
+
+dev_read_urand(mcollectived_t)
+
+domain_use_interactive_fds(mcollectived_t)
+
+files_read_etc_files(mcollectived_t)
+files_read_etc_runtime_files(mcollectived_t)
+
+miscfiles_read_localization(mcollectived_t)
+
+selinux_set_parameters(mcollectived_t)
+selinux_validate_context(mcollectived_t)
+
+usermanage_domtrans_useradd(mcollectived_t)
+
+logging_send_syslog_msg(mcollectived_t)
+
+sysnet_read_config(mcollectived_t)
+
+domain_read_all_domains_state(mcollectived_t)
+
+require {
+ type useradd_t;
+}
+
+manage_dirs_pattern(useradd_t, stickshift_file_t, stickshift_file_t)
+manage_files_pattern(useradd_t, stickshift_file_t, stickshift_file_t)
+manage_lnk_files_pattern(useradd_t, stickshift_file_t, stickshift_file_t)
+
+optional_policy(`
+ gen_require(`
+ type dontdoit_t;
+ type httpd_passenger_helper_t;
+ type http_cache_port_t;
+ type httpd_t;
+ ')
+
+ allow httpd_passenger_helper_t self:capability dac_override;
+ allow httpd_passenger_helper_t http_cache_port_t:tcp_socket name_connect;
+ manage_dirs_pattern(httpd_t, stickshift_file_t, stickshift_file_t)
+ manage_files_pattern(httpd_t, stickshift_file_t, stickshift_file_t)
+ manage_lnk_files_pattern(httpd_t, stickshift_file_t, stickshift_file_t)
+')
+
+gen_require(`
+ type sshd_t;
+')
+read_files_pattern(sshd_t, stickshift_file_t, stickshift_file_t)
+
+#for proxy server to find applications to serve
+gen_require(`
+ type httpd_t;
+ class dir search;
+')
+
+allow httpd_t stickshift_file_t:dir search;
+
+#for ssh login
+require {
+ type unconfined_t;
+ type stickshift_t;
+ class process transition;
+}
+
+#============= unconfined_t ==============
+allow unconfined_t stickshift_t:process transition;
+
+#DHCP networking==========================
+optional{
+ require {
+ type ephemeral_port_t;
+ type dhcpc_t;
+ class udp_socket name_bind;
+ }
+
+ allow dhcpc_t ephemeral_port_t:udp_socket name_bind;
+}
+
+#============= mcollectived_t ==============
+
+require {
+ type fs_t;
+ type cert_t;
+ type usr_t;
+ type httpd_config_t;
+ type mcollectived_t;
+ type stickshift_file_t;
+ type httpd_suexec_exec_t;
+ type httpd_modules_t;
+ type httpd_initrc_exec_t;
+ type httpd_exec_t;
+ type initrc_exec_t;
+ type httpd_t;
+ type httpd_var_run_t;
+ class process { signal signull };
+ class capability fowner;
+ class file { execute read create ioctl execute_no_trans write getattr open };
+ class filesystem getattr;
+ class netlink_route_socket { bind create getattr nlmsg_read setopt };
+ class lnk_file read;
+ class dir { write getattr read search create open add_name };
+ type mcollectived_t;
+ type file_context_t;
+ type usr_t;
+ type gpg_exec_t;
+ class key write;
+ class process { setsched setfscreate };
+ class capability { setuid sys_nice audit_write setgid };
+ class file { read getattr execute open ioctl };
+ class netlink_audit_socket { nlmsg_relay create };
+ class lnk_file read;
+ class dir search;
+ type bin_t;
+ type mysqld_etc_t;
+ type mcollectived_t;
+ type stickshift_t;
+ type mysqld_exec_t;
+ type hostname_exec_t;
+ class unix_stream_socket connectto;
+ class file { execute setattr read execute_no_trans getattr open };
+ type mcollectived_t;
+ type bin_t;
+ class lnk_file { create unlink };
+ class dir { setattr relabelfrom create write rmdir remove_name relabelto add_name };
+ class file { rename relabelfrom create write link relabelto unlink append };
+ class process execmem;
+ class tcp_socket name_connect;
+ class dir { write remove_name add_name };
+ class file { write create unlink };
+ type java_exec_t;
+ type ssh_keygen_exec_t;
+ type bin_t;
+ type cert_t;
+ type ifconfig_exec_t;
+ type proc_net_t;
+ type random_device_t;
+ type consoletype_exec_t;
+ class lnk_file { read setattr };
+ class chr_file { read open };
+ class file { execute read lock create execute_no_trans write getattr unlink open };
+ class dir { write read add_name remove_name };
+ type http_port_t;
+ class tcp_socket name_connect;
+ type mcollectived_t;
+ type lib_t;
+ type root_t;
+ class dir create;
+ class file { rename setattr };
+ type var_lock_t;
+ class process transition;
+ type tmpfs_t;
+ type http_cache_port_t;
+ type mcollectived_t;
+ type node_t;
+ type initrc_var_run_t;
+ type initrc_t;
+ type var_lib_t;
+ class process { signal setrlimit };
+ class capability { sys_chroot sys_resource };
+ class tcp_socket { name_bind name_connect node_bind };
+ class file { read unlink open };
+ class sock_file { rename create unlink link };
+ class dir { write remove_name add_name };
+ type httpd_log_t;
+ type httpd_var_run_t;
+ type mcollectived_t;
+ type http_port_t;
+ type mcollectived_tmp_t;
+ class process setpgid;
+ class capability net_bind_service;
+ class tcp_socket name_bind;
+ class file { write create open };
+ class sock_file { write create unlink setattr };
+ class sem { write read create unix_write setattr };
+ class lnk_file read;
+ class dir { write add_name };
+ type mcollectived_t;
+ class process getpgid;
+ class sem destroy;
+}
+
+# missing in RHEL 6.3's policy
+optional {
+ require {
+ type unreserved_port_t;
+ type ephemeral_port_t;
+ }
+}
+
+#============= mcollectived_t ==============
+allow mcollectived_t stickshift_t:process transition;
+allow mcollectived_t var_lock_t:file { read write open lock };
+
+optional{
+ require {
+ type httpd_passwd_exec_t;
+ }
+ allow mcollectived_t httpd_passwd_exec_t:file getattr;
+}
+
+#stickshift-proxy
+allow mcollectived_t ifconfig_exec_t:file { read execute open execute_no_trans };
+allow mcollectived_t proc_net_t:file { read getattr open };
+allow mcollectived_t http_port_t:tcp_socket name_connect;
+
+#jenkins
+allow mcollectived_t java_exec_t:file { read execute open execute_no_trans };
+allow mcollectived_t random_device_t:chr_file { read open };
+allow mcollectived_t ssh_keygen_exec_t:file { read execute open execute_no_trans };
+
+#runcon
+allow initrc_t stickshift_t:process transition;
+
+#Allow cartridges to write http proxy configs and restart http as mcollecitve
+allow mcollectived_t cert_t:file getattr;
+allow mcollectived_t fs_t:filesystem getattr;
+allow mcollectived_t tmpfs_t:filesystem getattr;
+allow mcollectived_t httpd_config_t:dir { write getattr read create open add_name };
+allow mcollectived_t httpd_config_t:file { write read create open getattr };
+allow mcollectived_t httpd_config_t:lnk_file read;
+allow mcollectived_t httpd_exec_t:file { read execute open execute_no_trans };
+allow mcollectived_t httpd_initrc_exec_t:file { ioctl execute read open getattr execute_no_trans };
+allow mcollectived_t httpd_modules_t:dir search;
+allow mcollectived_t httpd_modules_t:file { read getattr open execute };
+allow mcollectived_t httpd_modules_t:lnk_file read;
+allow mcollectived_t httpd_suexec_exec_t:file { read getattr execute };
+allow mcollectived_t httpd_t:process { signal signull };
+allow mcollectived_t httpd_var_run_t:dir search;
+allow mcollectived_t httpd_var_run_t:file { read open };
+allow mcollectived_t initrc_exec_t:file { ioctl execute read open getattr execute_no_trans };
+allow mcollectived_t self:capability fowner;
+allow mcollectived_t self:netlink_route_socket { bind create getattr nlmsg_read setopt };
+allow mcollectived_t stickshift_file_t:file execute;
+allow mcollectived_t httpd_config_t:dir { remove_name rmdir };
+allow mcollectived_t httpd_config_t:file unlink;
+
+#lookup file contexts
+allow mcollectived_t file_context_t:dir search;
+allow mcollectived_t file_context_t:file { read getattr open };
+
+#runuser
+allow mcollectived_t gpg_exec_t:file execute;
+allow mcollectived_t self:capability { setuid sys_nice setgid audit_write };
+allow mcollectived_t self:key write;
+allow mcollectived_t self:netlink_audit_socket { nlmsg_relay create };
+
+#renice
+allow mcollectived_t self:process { setsched setfscreate };
+
+#mysql
+require {
+ type mysqld_t;
+ type anon_inodefs_t;
+ type stickshift_file_t;
+ class dir { write search read remove_name open getattr add_name };
+ class file { read create write getattr unlink open };
+}
+allow mcollectived_t bin_t:file setattr;
+allow mcollectived_t hostname_exec_t:file { read getattr open execute execute_no_trans };
+allow mcollectived_t mysqld_etc_t:file { read getattr open };
+allow mcollectived_t mysqld_exec_t:file { read execute open execute_no_trans };
+allow mcollectived_t stickshift_t:unix_stream_socket connectto;
+allow mysqld_t anon_inodefs_t:file { read write };
+allow mysqld_t stickshift_file_t:dir { write search read remove_name open getattr add_name };
+allow mysqld_t stickshift_file_t:file { write getattr read create unlink open };
+
+#mongo
+optional{
+ require {
+ type mongod_port_t;
+ }
+ allow mcollectived_t mongod_port_t:tcp_socket name_connect;
+}
+allow mcollectived_t self:process execmem;
+
+#misc
+allow mcollectived_t usr_t:file { read getattr open };
+allow mcollectived_t usr_t:file ioctl;
+allow mcollectived_t usr_t:lnk_file read;
+allow mcollectived_t cert_t:file { write read lock create unlink open };
+allow mcollectived_t cert_t:lnk_file read;
+allow mcollectived_t consoletype_exec_t:file { read execute open execute_no_trans };
+allow mcollectived_t bin_t:lnk_file setattr;
+allow mcollectived_t cert_t:dir { write read add_name remove_name };
+
+#jboss
+allow mcollectived_t bin_t:dir { setattr relabelfrom create write rmdir relabelto remove_name add_name };
+allow mcollectived_t bin_t:file { rename relabelfrom create write link relabelto unlink append };
+allow mcollectived_t bin_t:lnk_file { create unlink };
+
+#python executed when setting up nodejs
+allow mcollectived_t lib_t:dir { write remove_name add_name };
+allow mcollectived_t lib_t:file { write create unlink };
+
+#python
+allow mcollectived_t lib_t:dir create;
+allow mcollectived_t lib_t:file { rename setattr };
+allow mcollectived_t root_t:dir create;
+
+#haproxy
+allow mcollectived_t http_cache_port_t:tcp_socket name_connect;
+allow mcollectived_t initrc_t:process signal;
+allow mcollectived_t initrc_var_run_t:file { read unlink open };
+allow mcollectived_t node_t:tcp_socket node_bind;
+allow mcollectived_t self:capability { sys_chroot sys_resource };
+allow mcollectived_t self:process setrlimit;
+allow mcollectived_t var_lib_t:dir { write remove_name add_name };
+allow mcollectived_t var_lib_t:sock_file { rename create unlink link };
+allow mcollectived_t http_port_t:tcp_socket name_bind;
+allow mcollectived_t httpd_log_t:dir { write add_name };
+allow mcollectived_t httpd_log_t:file { create open };
+allow mcollectived_t httpd_log_t:lnk_file read;
+allow mcollectived_t httpd_var_run_t:dir { write add_name };
+allow mcollectived_t httpd_var_run_t:file { write create };
+allow mcollectived_t mcollectived_tmp_t:sock_file { write create unlink setattr };
+allow mcollectived_t self:capability net_bind_service;
+allow mcollectived_t self:process setpgid;
+allow mcollectived_t self:sem { write read create unix_write setattr };
+allow mcollectived_t self:process getpgid;
+allow mcollectived_t self:sem destroy;
+# missing in RHEL 6.3's policy
+ifdef(`unreserved_port_t',`
+ allow mcollectived_t unreserved_port_t:tcp_socket name_bind;
+')
+ifdef(`ephemeral_port_t',`
+ allow mcollectived_t ephemeral_port_t:tcp_socket name_bind;
+')
+
+#============ dont audits ================
+
+require {
+ type proc_mdstat_t;
+ type configfs_t;
+ type mtrr_device_t;
+ type krb5_conf_t;
+ type stickshift_file_t;
+ type pulseaudio_home_t;
+ type mcollectived_t;
+ type root_t;
+ type sysctl_net_t;
+ type http_port_t;
+ type proc_kmsg_t;
+ class capability sys_ptrace;
+ class tcp_socket name_connect;
+ class lnk_file read;
+ class dir { getattr search setattr };
+ class file { read getattr open create };
+}
+
+#============= mcollectived_t ==============
+dontaudit mcollectived_t configfs_t:dir getattr;
+dontaudit mcollectived_t http_port_t:tcp_socket name_connect;
+dontaudit mcollectived_t krb5_conf_t:file { read open };
+dontaudit mcollectived_t mtrr_device_t:file getattr;
+dontaudit mcollectived_t proc_kmsg_t:file getattr;
+dontaudit mcollectived_t proc_mdstat_t:file getattr;
+dontaudit mcollectived_t pulseaudio_home_t:lnk_file read;
+dontaudit mcollectived_t root_t:dir setattr;
+dontaudit mcollectived_t self:capability sys_ptrace;
+dontaudit mcollectived_t stickshift_file_t:file create;
+dontaudit mcollectived_t sysctl_net_t:dir search;
+
+domain_dontaudit_getattr_all_sockets(mcollectived_t)
+domain_dontaudit_getattr_all_pipes(mcollectived_t)
+files_dontaudit_getattr_all_sockets(mcollectived_t)
+files_dontaudit_getattr_all_files(mcollectived_t)
+files_dontaudit_getattr_all_pipes(mcollectived_t)
+dev_dontaudit_getattr_all_blk_files(mcollectived_t)
+dev_dontaudit_getattr_all_chr_files(mcollectived_t)
+files_dontaudit_search_all_dirs(mcollectived_t)
+
+domain_dontaudit_read_all_domains_state(httpd_t)
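Review bot: `unconfined_domain(stickshift_t)` at the top of the first section and `permissive mcollectived_t;` at the top of the second mean that, as shipped, neither domain this module defines is actually confined: stickshift_t receives every permission regardless of the long run of allow rules and interface calls that follow it (which become dead weight, `dev_read_raw_memory(stickshift_t)` included), and mcollectived_t only logs denials. The spec loads this module unconditionally in `%post`, so this is what Fedora users would get; if this is a development-phase state, I'd expect `permissive mcollectived_t;` to be removed and `unconfined_domain(stickshift_t)` replaced by the commented-out `permissive stickshift_t;` (or both dropped) before import, and the `#for testing` `domtrans_pattern(unconfined_t, stickshift_exec_t, stickshift_t)` block given the same treatment or a comment explaining why production needs it. Two smaller things: the section headers are swapped (`# mcollectived local policy` precedes the stickshift_t rules and `# stickshift local policy` precedes the mcollectived_t rules), and the large `require { ... }` block before the `#============= mcollectived_t` rules re-declares `type mcollectived_t` and several classes five or six times, which is harmless but obscures what is actually required.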