499b35eac9
Signed-off-by: Kenton Groombridge <me@concord.sh>
103 lines
2.5 KiB
Plaintext
103 lines
2.5 KiB
Plaintext
policy_module(sanlock)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether sanlock can use
|
|
## nfs file systems.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sanlock_use_nfs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Determine whether sanlock can use
|
|
## cifs file systems.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sanlock_use_samba, false)
|
|
|
|
type sanlock_t;
|
|
type sanlock_exec_t;
|
|
init_daemon_domain(sanlock_t, sanlock_exec_t)
|
|
|
|
type sanlock_initrc_exec_t;
|
|
init_script_file(sanlock_initrc_exec_t)
|
|
|
|
type sanlock_log_t;
|
|
logging_log_file(sanlock_log_t)
|
|
|
|
type sanlock_runtime_t alias sanlock_var_run_t;
|
|
files_runtime_file(sanlock_runtime_t)
|
|
|
|
ifdef(`enable_mls',`
|
|
init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mls_systemhigh)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
|
|
allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
|
|
allow sanlock_t self:fifo_file rw_fifo_file_perms;
|
|
allow sanlock_t self:unix_stream_socket { accept listen };
|
|
|
|
append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
|
create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
|
setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
|
logging_log_filetrans(sanlock_t, sanlock_log_t, file)
|
|
|
|
manage_dirs_pattern(sanlock_t, sanlock_runtime_t, sanlock_runtime_t)
|
|
manage_files_pattern(sanlock_t, sanlock_runtime_t, sanlock_runtime_t)
|
|
manage_sock_files_pattern(sanlock_t, sanlock_runtime_t, sanlock_runtime_t)
|
|
files_runtime_filetrans(sanlock_t, sanlock_runtime_t, { file dir sock_file })
|
|
|
|
kernel_read_system_state(sanlock_t)
|
|
kernel_read_kernel_sysctls(sanlock_t)
|
|
|
|
dev_read_rand(sanlock_t)
|
|
dev_read_urand(sanlock_t)
|
|
|
|
domain_use_interactive_fds(sanlock_t)
|
|
|
|
storage_raw_rw_fixed_disk(sanlock_t)
|
|
|
|
auth_use_nsswitch(sanlock_t)
|
|
|
|
init_read_utmp(sanlock_t)
|
|
init_dontaudit_write_utmp(sanlock_t)
|
|
|
|
logging_send_syslog_msg(sanlock_t)
|
|
|
|
miscfiles_read_localization(sanlock_t)
|
|
|
|
tunable_policy(`sanlock_use_nfs',`
|
|
fs_manage_nfs_dirs(sanlock_t)
|
|
fs_manage_nfs_files(sanlock_t)
|
|
fs_manage_nfs_named_sockets(sanlock_t)
|
|
fs_read_nfs_symlinks(sanlock_t)
|
|
')
|
|
|
|
tunable_policy(`sanlock_use_samba',`
|
|
fs_manage_cifs_dirs(sanlock_t)
|
|
fs_manage_cifs_files(sanlock_t)
|
|
fs_manage_cifs_named_sockets(sanlock_t)
|
|
fs_read_cifs_symlinks(sanlock_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
wdmd_stream_connect(sanlock_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
virt_kill_all_virt_domains(sanlock_t)
|
|
virt_manage_lib_files(sanlock_t)
|
|
virt_signal_all_virt_domains(sanlock_t)
|
|
')
|