policy_module(cloudform, 1.0)

########################################

#

# Declarations

#

attribute cloudform_domain;

cloudform_domain_template(deltacloudd)

cloudform_domain_template(iwhd)

cloudform_domain_template(mongod)

type deltacloudd_log_t;

logging_log_file(deltacloudd_log_t)

type deltacloudd_var_run_t;

files_pid_file(deltacloudd_var_run_t)

type deltacloudd_tmp_t;

files_tmp_file(deltacloudd_tmp_t)

type iwhd_initrc_exec_t;

init_script_file(iwhd_initrc_exec_t)

type iwhd_var_lib_t;

files_type(iwhd_var_lib_t)

type iwhd_var_run_t;

files_pid_file(iwhd_var_run_t)

type mongod_initrc_exec_t;

init_script_file(mongod_initrc_exec_t)

type mongod_log_t;

logging_log_file(mongod_log_t)

type mongod_var_lib_t;

files_type(mongod_var_lib_t)

type mongod_tmp_t;

files_tmp_file(mongod_tmp_t)

type mongod_var_run_t;

files_pid_file(mongod_var_run_t)

type iwhd_log_t;

logging_log_file(iwhd_log_t)

########################################

#

# cloudform_domain local policy

#

allow cloudform_domain self:fifo_file rw_fifo_file_perms;

allow cloudform_domain self:tcp_socket create_stream_socket_perms;

dev_read_rand(cloudform_domain)

dev_read_urand(cloudform_domain)

dev_read_sysfs(cloudform_domain)

auth_read_passwd(cloudform_domain)

miscfiles_read_certs(cloudform_domain)

########################################

#

# deltacloudd local policy

#

allow deltacloudd_t self:capability { dac_override setuid setgid };

allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;

allow deltacloudd_t self:udp_socket create_socket_perms;

allow deltacloudd_t self:process signal;

allow deltacloudd_t self:fifo_file rw_fifo_file_perms;

allow deltacloudd_t self:tcp_socket create_stream_socket_perms;

allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;

manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)

manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)

files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })

manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)

manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)

manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)

files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })

manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)

manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)

logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })

kernel_read_kernel_sysctls(deltacloudd_t)

kernel_read_system_state(deltacloudd_t)

corecmd_exec_bin(deltacloudd_t)

corenet_tcp_bind_generic_node(deltacloudd_t)

corenet_tcp_bind_generic_port(deltacloudd_t)

corenet_tcp_connect_http_port(deltacloudd_t)

corenet_tcp_connect_keystone_port(deltacloudd_t)

auth_use_nsswitch(deltacloudd_t)

logging_send_syslog_msg(deltacloudd_t)

optional_policy(`

	sysnet_read_config(deltacloudd_t)

')

########################################

#

# iwhd local policy

#

allow iwhd_t self:capability { chown kill };

allow iwhd_t self:process { fork };

allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;

allow iwhd_t self:unix_stream_socket create_stream_socket_perms;

manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)

manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)

manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)

logging_log_filetrans(iwhd_t, iwhd_log_t, { file })

manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)

manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)

files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })

kernel_read_system_state(iwhd_t)

corenet_tcp_bind_generic_node(iwhd_t)

corenet_tcp_bind_websm_port(iwhd_t)

corenet_tcp_connect_all_ports(iwhd_t)

dev_read_rand(iwhd_t)

dev_read_urand(iwhd_t)

userdom_home_manager(iwhd_t)

########################################

#

# mongod local policy

#

allow mongod_t self:process { execmem setsched signal };

allow mongod_t self:netlink_route_socket r_netlink_socket_perms;

allow mongod_t self:unix_stream_socket create_stream_socket_perms;

allow mongod_t self:udp_socket create_socket_perms;

manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)

manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)

logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")

logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")

manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)

manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)

manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)

manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)

manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)

files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })

manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)

manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)

#needed by dbomatic

files_pid_filetrans(mongod_t, mongod_var_run_t, { file })

corecmd_exec_bin(mongod_t)

corecmd_exec_shell(mongod_t)

corenet_tcp_bind_generic_node(mongod_t)

corenet_tcp_bind_mongod_port(mongod_t)

corenet_tcp_connect_postgresql_port(mongod_t)

kernel_read_vm_sysctls(mongod_t)

kernel_read_system_state(mongod_t)

fs_getattr_all_fs(mongod_t)

optional_policy(`

	mysql_stream_connect(mongod_t)

')

optional_policy(`

	postgresql_stream_connect(mongod_t)

')

optional_policy(`

	sysnet_dns_name_resolve(mongod_t)

')