2022-01-06 13:55:54 +00:00
|
|
|
policy_module(pacemaker)
|
2018-06-23 13:00:56 +00:00
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# Declarations
|
|
|
|
|
#
|
|
|
|
|
|
2020-09-27 02:07:21 +00:00
|
|
|
## <desc>
|
|
|
|
|
## <p>
|
|
|
|
|
## Allow pacemaker to start/stop services
|
|
|
|
|
## </p>
|
|
|
|
|
## </desc>
|
|
|
|
|
gen_tunable(pacemaker_startstop_all_services, false)
|
|
|
|
|
|
2018-06-23 13:00:56 +00:00
|
|
|
type pacemaker_t;
|
|
|
|
|
type pacemaker_exec_t;
|
|
|
|
|
init_daemon_domain(pacemaker_t, pacemaker_exec_t)
|
|
|
|
|
|
|
|
|
|
type pacemaker_initrc_exec_t;
|
|
|
|
|
init_script_file(pacemaker_initrc_exec_t)
|
|
|
|
|
|
2020-09-27 00:43:44 +00:00
|
|
|
type pacemaker_log_t;
|
|
|
|
|
logging_log_file(pacemaker_log_t)
|
|
|
|
|
|
2019-09-11 00:05:46 +00:00
|
|
|
type pacemaker_runtime_t alias pacemaker_var_run_t;
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_file(pacemaker_runtime_t)
|
2019-09-11 00:05:46 +00:00
|
|
|
|
2020-09-27 02:07:21 +00:00
|
|
|
type pacemaker_runtime_unit_t;
|
|
|
|
|
init_unit_file(pacemaker_runtime_unit_t)
|
|
|
|
|
|
2018-06-23 13:00:56 +00:00
|
|
|
type pacemaker_tmp_t;
|
|
|
|
|
files_tmp_file(pacemaker_tmp_t)
|
|
|
|
|
|
|
|
|
|
type pacemaker_tmpfs_t;
|
|
|
|
|
files_tmpfs_file(pacemaker_tmpfs_t)
|
|
|
|
|
|
|
|
|
|
type pacemaker_var_lib_t;
|
|
|
|
|
files_type(pacemaker_var_lib_t)
|
|
|
|
|
|
2021-01-04 23:06:32 +00:00
|
|
|
type pcs_snmp_agent_t;
|
|
|
|
|
type pcs_snmp_agent_exec_t;
|
|
|
|
|
init_daemon_domain(pcs_snmp_agent_t, pcs_snmp_agent_exec_t)
|
|
|
|
|
|
|
|
|
|
type pcs_snmp_agent_log_t;
|
|
|
|
|
logging_log_file(pcs_snmp_agent_log_t)
|
|
|
|
|
|
2018-06-23 13:00:56 +00:00
|
|
|
########################################
|
|
|
|
|
#
|
2021-01-04 23:06:32 +00:00
|
|
|
# Pacemaker policy
|
2018-06-23 13:00:56 +00:00
|
|
|
#
|
|
|
|
|
|
2020-09-27 00:43:44 +00:00
|
|
|
allow pacemaker_t self:capability { chown dac_override fowner fsetid kill net_raw setgid setuid };
|
|
|
|
|
allow pacemaker_t self:process { getsched getcap setcap setpgid setrlimit setsched signal signull };
|
2018-06-23 13:00:56 +00:00
|
|
|
allow pacemaker_t self:fifo_file rw_fifo_file_perms;
|
2020-09-27 00:43:44 +00:00
|
|
|
allow pacemaker_t self:packet_socket { bind create getattr read write };
|
2018-06-23 13:00:56 +00:00
|
|
|
allow pacemaker_t self:unix_stream_socket { connectto accept listen };
|
|
|
|
|
|
2020-09-27 00:43:44 +00:00
|
|
|
create_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
|
|
|
|
|
append_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
|
|
|
|
|
setattr_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
|
|
|
|
|
read_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
|
|
|
|
|
logging_log_filetrans(pacemaker_t, pacemaker_log_t, file)
|
|
|
|
|
|
2018-06-23 13:00:56 +00:00
|
|
|
manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
|
|
|
|
|
manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
|
|
|
|
|
files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
|
|
|
|
|
|
2020-09-27 00:43:44 +00:00
|
|
|
mmap_rw_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
|
2018-06-23 13:00:56 +00:00
|
|
|
manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
|
|
|
|
|
manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
|
|
|
|
|
fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file })
|
|
|
|
|
|
|
|
|
|
manage_dirs_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
|
|
|
|
|
manage_files_pattern(pacemaker_t, pacemaker_var_lib_t, pacemaker_var_lib_t)
|
|
|
|
|
files_var_lib_filetrans(pacemaker_t, pacemaker_var_lib_t, { dir file })
|
|
|
|
|
|
2019-09-08 20:55:02 +00:00
|
|
|
manage_dirs_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
|
|
|
|
|
manage_files_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
|
2020-06-27 21:11:48 +00:00
|
|
|
files_runtime_filetrans(pacemaker_t, pacemaker_runtime_t, { dir file })
|
2018-06-23 13:00:56 +00:00
|
|
|
|
2020-09-27 02:07:21 +00:00
|
|
|
manage_dirs_pattern(pacemaker_t, pacemaker_runtime_unit_t, pacemaker_runtime_unit_t)
|
|
|
|
|
manage_files_pattern(pacemaker_t, pacemaker_runtime_unit_t, pacemaker_runtime_unit_t)
|
|
|
|
|
init_runtime_filetrans(pacemaker_t, pacemaker_runtime_unit_t, { dir file })
|
|
|
|
|
|
2018-06-23 13:00:56 +00:00
|
|
|
kernel_getattr_core_if(pacemaker_t)
|
|
|
|
|
kernel_read_all_sysctls(pacemaker_t)
|
|
|
|
|
kernel_read_messages(pacemaker_t)
|
|
|
|
|
kernel_read_network_state(pacemaker_t)
|
|
|
|
|
kernel_read_software_raid_state(pacemaker_t)
|
|
|
|
|
kernel_read_system_state(pacemaker_t)
|
|
|
|
|
|
|
|
|
|
corecmd_exec_bin(pacemaker_t)
|
|
|
|
|
corecmd_exec_shell(pacemaker_t)
|
|
|
|
|
|
2020-09-27 00:43:44 +00:00
|
|
|
corenet_udp_bind_generic_node(pacemaker_t)
|
|
|
|
|
|
2018-06-23 13:00:56 +00:00
|
|
|
dev_getattr_mtrr_dev(pacemaker_t)
|
|
|
|
|
dev_read_rand(pacemaker_t)
|
|
|
|
|
dev_read_urand(pacemaker_t)
|
|
|
|
|
|
|
|
|
|
domain_read_all_domains_state(pacemaker_t)
|
|
|
|
|
domain_use_interactive_fds(pacemaker_t)
|
|
|
|
|
|
|
|
|
|
files_read_kernel_symbol_table(pacemaker_t)
|
2020-09-27 00:43:44 +00:00
|
|
|
files_read_usr_files(pacemaker_t)
|
2018-06-23 13:00:56 +00:00
|
|
|
|
|
|
|
|
fs_getattr_all_fs(pacemaker_t)
|
|
|
|
|
|
|
|
|
|
auth_use_nsswitch(pacemaker_t)
|
|
|
|
|
|
2020-09-27 00:43:44 +00:00
|
|
|
init_dbus_chat(pacemaker_t)
|
|
|
|
|
|
|
|
|
|
libs_exec_lib_files(pacemaker_t)
|
|
|
|
|
|
2018-06-23 13:00:56 +00:00
|
|
|
logging_send_syslog_msg(pacemaker_t)
|
|
|
|
|
|
|
|
|
|
miscfiles_read_localization(pacemaker_t)
|
|
|
|
|
|
2020-09-27 02:07:21 +00:00
|
|
|
ifdef(`init_systemd',`
|
|
|
|
|
init_get_all_units_status(pacemaker_t)
|
|
|
|
|
init_reload(pacemaker_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
tunable_policy(`pacemaker_startstop_all_services',`
|
|
|
|
|
init_start_all_units(pacemaker_t)
|
|
|
|
|
init_stop_all_units(pacemaker_t)
|
|
|
|
|
')
|
|
|
|
|
|
2018-06-23 13:00:56 +00:00
|
|
|
optional_policy(`
|
|
|
|
|
corosync_read_log(pacemaker_t)
|
2020-09-26 19:07:30 +00:00
|
|
|
corosync_mmap_rw_tmpfs(pacemaker_t)
|
2018-06-23 13:00:56 +00:00
|
|
|
corosync_stream_connect(pacemaker_t)
|
|
|
|
|
')
|
2020-09-27 00:43:44 +00:00
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
dbus_system_bus_client(pacemaker_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
netutils_exec(pacemaker_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
sysnet_domtrans_ifconfig(pacemaker_t)
|
|
|
|
|
')
|
2021-01-04 23:06:32 +00:00
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
#
|
|
|
|
|
# pcs_snmp_agent policy
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
allow pcs_snmp_agent_t self:capability { dac_override sys_resource };
|
|
|
|
|
allow pcs_snmp_agent_t self:fifo_file { rw_inherited_fifo_file_perms };
|
|
|
|
|
allow pcs_snmp_agent_t self:process { execmem setsched getsched setrlimit };
|
|
|
|
|
allow pcs_snmp_agent_t self:unix_stream_socket { create_socket_perms };
|
|
|
|
|
|
|
|
|
|
create_files_pattern(pcs_snmp_agent_t, pcs_snmp_agent_log_t, pcs_snmp_agent_log_t)
|
|
|
|
|
append_files_pattern(pcs_snmp_agent_t, pcs_snmp_agent_log_t, pcs_snmp_agent_log_t)
|
|
|
|
|
logging_log_filetrans(pcs_snmp_agent_t, pcs_snmp_agent_log_t, file)
|
|
|
|
|
|
|
|
|
|
read_files_pattern(pcs_snmp_agent_t, pacemaker_t, pacemaker_t)
|
|
|
|
|
stream_connect_pattern(pcs_snmp_agent_t, pacemaker_t, pacemaker_t, pacemaker_t)
|
2021-01-27 18:29:36 +00:00
|
|
|
mmap_rw_files_pattern(pcs_snmp_agent_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
|
2021-01-04 23:06:32 +00:00
|
|
|
|
|
|
|
|
corecmd_exec_bin(pcs_snmp_agent_t)
|
|
|
|
|
|
|
|
|
|
files_read_usr_files(pcs_snmp_agent_t)
|
|
|
|
|
|
2021-01-27 18:29:36 +00:00
|
|
|
fs_getattr_tmpfs(pcs_snmp_agent_t)
|
2021-01-04 23:06:32 +00:00
|
|
|
fs_list_cgroup_dirs(pcs_snmp_agent_t)
|
|
|
|
|
fs_read_cgroup_files(pcs_snmp_agent_t)
|
|
|
|
|
|
|
|
|
|
kernel_read_kernel_sysctls(pcs_snmp_agent_t)
|
|
|
|
|
kernel_read_system_state(pcs_snmp_agent_t)
|
|
|
|
|
kernel_read_crypto_sysctls(pcs_snmp_agent_t)
|
|
|
|
|
|
|
|
|
|
init_search_runtime(pcs_snmp_agent_t)
|
|
|
|
|
init_read_state(pcs_snmp_agent_t)
|
|
|
|
|
init_unix_stream_socket_connectto(pcs_snmp_agent_t)
|
|
|
|
|
|
|
|
|
|
auth_use_nsswitch(pcs_snmp_agent_t)
|
|
|
|
|
|
|
|
|
|
miscfiles_read_localization(pcs_snmp_agent_t)
|
|
|
|
|
miscfiles_read_generic_certs(pcs_snmp_agent_t)
|
|
|
|
|
|
|
|
|
|
ifdef(`init_systemd',`
|
|
|
|
|
init_get_generic_units_status(pcs_snmp_agent_t)
|
|
|
|
|
init_get_system_status(pcs_snmp_agent_t)
|
|
|
|
|
init_list_unit_dirs(pcs_snmp_agent_t)
|
|
|
|
|
init_service_status(pcs_snmp_agent_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
corosync_domtrans(pcs_snmp_agent_t)
|
|
|
|
|
corosync_read_state(pcs_snmp_agent_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
hostname_domtrans(pcs_snmp_agent_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
snmp_stream_connect(pcs_snmp_agent_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
optional_policy(`
|
|
|
|
|
systemd_read_journal_files(pcs_snmp_agent_t)
|
|
|
|
|
')
|
|
|
|
|
|
