|
|
1ec3d1a |
|
|
|
1ec3d1a |
## <summary>policy for condor</summary>
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#####################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Creates types and rules for a basic
|
|
|
1ec3d1a |
## condor init daemon domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="prefix">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Prefix for the domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
template(`condor_domain_template',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_master_t;
|
|
|
1ec3d1a |
attribute condor_domain;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#############################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# Declarations
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type condor_$1_t, condor_domain;
|
|
|
1ec3d1a |
type condor_$1_exec_t;
|
|
|
1ec3d1a |
init_daemon_domain(condor_$1_t, condor_$1_exec_t)
|
|
|
1ec3d1a |
role system_r types condor_$1_t;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
|
|
|
1ec3d1a |
allow condor_master_t condor_$1_exec_t:file ioctl;
|
|
|
05b4f84 |
|
|
|
1bafb67 |
kernel_read_system_state(condor_$1_t)
|
|
|
1bafb67 |
|
|
|
1f86dac |
corenet_all_recvfrom_netlabel(condor_$1_t)
|
|
|
1f86dac |
corenet_all_recvfrom_unlabeled(condor_$1_t)
|
|
|
1f86dac |
|
|
|
05b4f84 |
auth_use_nsswitch(condor_$1_t)
|
|
|
05b4f84 |
|
|
|
05b4f84 |
logging_send_syslog_msg(condor_$1_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Transition to condor.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_domtrans',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_t, condor_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
corecmd_search_bin($1)
|
|
|
1ec3d1a |
domtrans_pattern($1, condor_exec_t, condor_t)
|
|
|
1ec3d1a |
')
|
|
|
7021500 |
|
|
|
7021500 |
#######################################
|
|
|
7021500 |
## <summary>
|
|
|
7021500 |
## Allows to start userland processes
|
|
|
7021500 |
## by transitioning to the specified domain,
|
|
|
7021500 |
## with a range transition.
|
|
|
7021500 |
## </summary>
|
|
|
7021500 |
## <param name="domain">
|
|
|
7021500 |
## <summary>
|
|
|
7021500 |
## The process type entered by condor_startd.
|
|
|
7021500 |
## </summary>
|
|
|
7021500 |
## </param>
|
|
|
7021500 |
## <param name="entrypoint">
|
|
|
7021500 |
## <summary>
|
|
|
7021500 |
## The executable type for the entrypoint.
|
|
|
7021500 |
## </summary>
|
|
|
7021500 |
## </param>
|
|
|
7021500 |
## <param name="range">
|
|
|
7021500 |
## <summary>
|
|
|
7021500 |
## Range for the domain.
|
|
|
7021500 |
## </summary>
|
|
|
7021500 |
## </param>
|
|
|
7021500 |
#
|
|
|
7021500 |
interface(`condor_startd_ranged_domtrans_to',`
|
|
|
7021500 |
gen_require(`
|
|
|
7021500 |
type sshd_t;
|
|
|
7021500 |
')
|
|
|
7021500 |
condor_startd_domtrans_to($1, $2)
|
|
|
7021500 |
|
|
|
7021500 |
|
|
|
7021500 |
ifdef(`enable_mcs',`
|
|
|
7021500 |
range_transition condor_startd_t $2:process $3;
|
|
|
7021500 |
')
|
|
|
7021500 |
|
|
|
7021500 |
')
|
|
|
7021500 |
|
|
|
7021500 |
#######################################
|
|
|
7021500 |
## <summary>
|
|
|
7021500 |
## Allows to start userlandprocesses
|
|
|
7021500 |
## by transitioning to the specified domain.
|
|
|
7021500 |
## </summary>
|
|
|
7021500 |
## <param name="domain">
|
|
|
7021500 |
## <summary>
|
|
|
7021500 |
## The process type entered by condor_startd.
|
|
|
7021500 |
## </summary>
|
|
|
7021500 |
## </param>
|
|
|
7021500 |
## <param name="entrypoint">
|
|
|
7021500 |
## <summary>
|
|
|
7021500 |
## The executable type for the entrypoint.
|
|
|
7021500 |
## </summary>
|
|
|
7021500 |
## </param>
|
|
|
7021500 |
#
|
|
|
7021500 |
interface(`condor_startd_domtrans_to',`
|
|
|
7021500 |
gen_require(`
|
|
|
7021500 |
type condor_startd_t;
|
|
|
7021500 |
')
|
|
|
7021500 |
|
|
|
7021500 |
domtrans_pattern(condor_startd_t, $2, $1)
|
|
|
7021500 |
')
|
|
|
7021500 |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Read condor's log files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <rolecap/>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_read_log',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_log_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_search_logs($1)
|
|
|
1ec3d1a |
read_files_pattern($1, condor_log_t, condor_log_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Append to condor log files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_append_log',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_log_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_search_logs($1)
|
|
|
1ec3d1a |
append_files_pattern($1, condor_log_t, condor_log_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Manage condor log files
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_manage_log',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_log_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_search_logs($1)
|
|
|
1ec3d1a |
manage_dirs_pattern($1, condor_log_t, condor_log_t)
|
|
|
1ec3d1a |
manage_files_pattern($1, condor_log_t, condor_log_t)
|
|
|
1ec3d1a |
manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Search condor lib directories.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_search_lib',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_var_lib_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 condor_var_lib_t:dir search_dir_perms;
|
|
|
1ec3d1a |
files_search_var_lib($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Read condor lib files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_read_lib_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_var_lib_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_var_lib($1)
|
|
|
1ec3d1a |
read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
######################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Read and write condor lib files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_rw_lib_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_var_lib_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_var_lib($1)
|
|
|
1ec3d1a |
rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Manage condor lib files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_manage_lib_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_var_lib_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_var_lib($1)
|
|
|
1ec3d1a |
manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Manage condor lib directories.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_manage_lib_dirs',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_var_lib_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_var_lib($1)
|
|
|
1ec3d1a |
manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Read condor PID files.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_read_pid_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_var_run_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_pids($1)
|
|
|
1ec3d1a |
allow $1 condor_var_run_t:file read_file_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Execute condor server in the condor domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_systemctl',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_t;
|
|
|
1ec3d1a |
type condor_unit_file_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
systemd_exec_systemctl($1)
|
|
|
1ec3d1a |
systemd_read_fifo_file_passwd_run($1)
|
|
|
1ec3d1a |
allow $1 condor_unit_file_t:file read_file_perms;
|
|
|
1ec3d1a |
allow $1 condor_unit_file_t:service manage_service_perms;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
ps_process_pattern($1, condor_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#######################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Read and write condor_startd server TCP sockets.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_rw_tcp_sockets_startd',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_startd_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 condor_startd_t:tcp_socket rw_socket_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
######################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Read and write condor_schedd server TCP sockets.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_rw_tcp_sockets_schedd',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type condor_schedd_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## All of the rules required to administrate
|
|
|
1ec3d1a |
## an condor environment
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`condor_admin',`
|
|
|
2e739f7 |
gen_require(`
|
|
|
2e739f7 |
attribute condor_domain;
|
|
|
2e739f7 |
type condor_initrc_exec_config_t, condor_log_t;
|
|
|
2e739f7 |
type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
|
|
|
2e739f7 |
type condor_var_run_t, condor_startd_tmp_t;
|
|
|
2e739f7 |
type condor_unit_file_t;
|
|
|
2e739f7 |
')
|
|
|
1ec3d1a |
|
|
|
2e739f7 |
allow $1 condor_domain:process { signal_perms };
|
|
Dominick Grift |
d5eddbf |
ps_process_pattern($1, condor_domain)
|
|
Dominick Grift |
d5eddbf |
|
|
|
2e739f7 |
init_labeled_script_domtrans($1, condor_initrc_exec_t)
|
|
|
2e739f7 |
domain_system_change_exemption($1)
|
|
|
2e739f7 |
role_transition $2 condor_initrc_exec_t system_r;
|
|
|
2e739f7 |
allow $2 system_r;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_search_logs($1)
|
|
|
1ec3d1a |
admin_pattern($1, condor_log_t)
|
|
|
1ec3d1a |
|
|
|
2e739f7 |
files_search_locks($1)
|
|
|
2e739f7 |
admin_pattern($1, condor_var_lock_t)
|
|
Dominick Grift |
d5eddbf |
|
|
|
1ec3d1a |
files_search_var_lib($1)
|
|
|
1ec3d1a |
admin_pattern($1, condor_var_lib_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_search_pids($1)
|
|
|
1ec3d1a |
admin_pattern($1, condor_var_run_t)
|
|
|
1ec3d1a |
|
|
Dominick Grift |
d5eddbf |
files_search_tmp($1)
|
|
Dominick Grift |
d5eddbf |
admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
|
|
|
2e739f7 |
|
|
|
1ec3d1a |
condor_systemctl($1)
|
|
|
1ec3d1a |
admin_pattern($1, condor_unit_file_t)
|
|
|
1ec3d1a |
allow $1 condor_unit_file_t:service all_service_perms;
|
|
|
2e739f7 |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
systemd_passwd_agent_exec($1)
|
|
|
1ec3d1a |
systemd_read_fifo_file_passwd_run($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
')
|