|
 |
1ec3d1a |
policy_module(sge, 1.0.0)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# Declarations
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
## <desc>
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## Allow sge to access nfs file systems.
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## </desc>
|
|
|
1ec3d1a |
gen_tunable(sge_use_nfs, false)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
## <desc>
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## Allow sge to connect to the network using any TCP port
|
|
|
1ec3d1a |
##
|
|
|
1ec3d1a |
## </desc>
|
|
|
1ec3d1a |
gen_tunable(sge_domain_can_network_connect, false)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
attribute sge_domain;
|
|
|
1ec3d1a |
|
|
|
1bafb67 |
sge_basic_types_template(sge_execd)
|
|
|
1ec3d1a |
init_daemon_domain(sge_execd_t, sge_execd_exec_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type sge_spool_t;
|
|
|
1ec3d1a |
files_type(sge_spool_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
type sge_tmp_t;
|
|
|
1ec3d1a |
files_tmp_file(sge_tmp_t)
|
|
|
1ec3d1a |
|
|
|
1bafb67 |
sge_basic_types_template(sge_shepherd)
|
|
|
1ec3d1a |
application_domain(sge_shepherd_t, sge_shepherd_exec_t)
|
|
|
1ec3d1a |
role system_r types sge_shepherd_t;
|
|
|
1ec3d1a |
|
|
|
1bafb67 |
sge_basic_types_template(sge_job)
|
|
|
1ec3d1a |
application_domain(sge_job_t, sge_job_exec_t)
|
|
|
1ec3d1a |
corecmd_shell_entry_type(sge_job_t)
|
|
|
1ec3d1a |
role system_r types sge_job_t;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#######################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# sge_execd local policy
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow sge_execd_t self:capability { dac_override setuid chown setgid };
|
|
|
1ec3d1a |
allow sge_execd_t self:process { setsched signal setpgid };
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow sge_execd_t sge_shepherd_t:process signal;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
kernel_read_kernel_sysctls(sge_execd_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
dev_read_sysfs(sge_execd_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_exec_usr_files(sge_execd_t)
|
|
|
1ec3d1a |
files_search_spool(sge_execd_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
fs_getattr_xattr_fs(sge_execd_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
auth_use_nsswitch(sge_execd_t)
|
|
|
1ec3d1a |
|
|
 |
05b4f84 |
logging_send_syslog_msg(sge_execd_t)
|
|
|
05b4f84 |
|
|
|
1ec3d1a |
init_read_utmp(sge_execd_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
sendmail_domtrans(sge_execd_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
######################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# sge_shepherd local policy
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_override };
|
|
|
1ec3d1a |
allow sge_shepherd_t self:process { setsched setrlimit setpgid };
|
|
|
1ec3d1a |
allow sge_shepherd_t self:process signal_perms;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
kernel_read_sysctl(sge_shepherd_t)
|
|
|
1ec3d1a |
kernel_read_kernel_sysctls(sge_shepherd_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
dev_read_sysfs(sge_shepherd_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
fs_getattr_all_fs(sge_shepherd_t)
|
|
|
1ec3d1a |
|
|
|
05b4f84 |
logging_send_syslog_msg(sge_shepherd_t)
|
|
|
05b4f84 |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
mta_send_mail(sge_shepherd_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
ssh_domtrans(sge_shepherd_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
unconfined_domain(sge_shepherd_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#####################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# sge_job local policy
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow sge_shepherd_t sge_job_t:process signal_perms;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
corecmd_shell_domtrans(sge_shepherd_t, sge_job_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
kernel_read_kernel_sysctls(sge_job_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
term_use_all_terms(sge_job_t)
|
|
|
1ec3d1a |
|
|
|
05b4f84 |
logging_send_syslog_msg(sge_job_t)
|
|
|
05b4f84 |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
ssh_basic_client_template(sge_job, sge_job_t, system_r)
|
|
|
1ec3d1a |
ssh_domtrans(sge_job_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow sge_job_t sge_job_ssh_t:process sigkill;
|
|
|
1ec3d1a |
allow sge_shepherd_t sge_job_ssh_t:process sigkill;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
xserver_exec_xauth(sge_job_ssh_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
tunable_policy(`sge_use_nfs',`
|
|
|
1ec3d1a |
fs_list_auto_mountpoints(sge_job_ssh_t)
|
|
|
1ec3d1a |
fs_manage_nfs_dirs(sge_job_ssh_t)
|
|
|
1ec3d1a |
fs_manage_nfs_files(sge_job_ssh_t)
|
|
|
1ec3d1a |
fs_read_nfs_symlinks(sge_job_ssh_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
xserver_domtrans_xauth(sge_job_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
unconfined_domain(sge_job_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#####################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# sge_domain local policy
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow sge_domain self:fifo_file rw_fifo_file_perms;
|
|
|
1ec3d1a |
allow sge_domain self:tcp_socket create_stream_socket_perms;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
manage_dirs_pattern(sge_domain, sge_spool_t, sge_spool_t)
|
|
|
1ec3d1a |
manage_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
|
|
|
1ec3d1a |
manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
|
|
|
1ec3d1a |
manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
|
|
|
1ec3d1a |
files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
kernel_read_network_state(sge_domain)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
corecmd_exec_bin(sge_domain)
|
|
|
1ec3d1a |
corecmd_exec_shell(sge_domain)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
domain_read_all_domains_state(sge_domain)
|
|
|
1ec3d1a |
|
|
|
4a1862e |
files_read_etc_files(sge_domain)
|
|
|
1ec3d1a |
files_read_usr_files(sge_domain)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
dev_read_urand(sge_domain)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
tunable_policy(`sge_domain_can_network_connect',`
|
|
|
1ec3d1a |
corenet_tcp_connect_all_ports(sge_domain)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
tunable_policy(`sge_use_nfs',`
|
|
|
1ec3d1a |
fs_list_auto_mountpoints(sge_domain)
|
|
|
1ec3d1a |
fs_manage_nfs_dirs(sge_domain)
|
|
|
1ec3d1a |
fs_manage_nfs_files(sge_domain)
|
|
|
1ec3d1a |
fs_read_nfs_symlinks(sge_domain)
|
|
|
1ec3d1a |
fs_exec_nfs_files(sge_domain)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
sysnet_dns_name_resolve(sge_domain)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
hostname_exec(sge_domain)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
optional_policy(`
|
|
|
1ec3d1a |
nslcd_stream_connect(sge_domain)
|
|
|
1ec3d1a |
')
|