policy_module(cloudform, 1.0)

########################################
#
# Declarations
#

# Attribute carried by every CloudForms daemon domain; the rules in the
# "cloudform_domain local policy" section below apply to all of them.
attribute cloudform_domain;

# One confined domain per daemon (deltacloudd_t, iwhd_t, mongod_t, thin_t).
# The template itself is defined in the module's .if file, not here.
cloudform_domain_template(deltacloudd)
cloudform_domain_template(iwhd)
cloudform_domain_template(mongod)
cloudform_domain_template(thin)

# NOTE(review): only iwhd and mongod declare an *_initrc_exec_t type, and no
# init_daemon_domain() call is visible in this file; presumably the template
# wires the init script types up -- confirm in the .if file.

#
# deltacloudd: log, pid and temp file types
#
type deltacloudd_log_t;
logging_log_file(deltacloudd_log_t)

type deltacloudd_var_run_t;
files_pid_file(deltacloudd_var_run_t)

type deltacloudd_tmp_t;
files_tmp_file(deltacloudd_tmp_t)

#
# iwhd: init script, state, pid and log file types
#
type iwhd_initrc_exec_t;
init_script_file(iwhd_initrc_exec_t)

type iwhd_var_lib_t;
files_type(iwhd_var_lib_t)

type iwhd_var_run_t;
files_pid_file(iwhd_var_run_t)

type iwhd_log_t;
logging_log_file(iwhd_log_t)

#
# mongod: init script, log, state, temp and pid file types
#
type mongod_initrc_exec_t;
init_script_file(mongod_initrc_exec_t)

type mongod_log_t;
logging_log_file(mongod_log_t)

type mongod_var_lib_t;
files_type(mongod_var_lib_t)

type mongod_tmp_t;
files_tmp_file(mongod_tmp_t)

type mongod_var_run_t;
files_pid_file(mongod_var_run_t)

#
# thin: pid file type
#
type thin_var_run_t;
files_pid_file(thin_var_run_t)
########################################
#
# cloudform_domain local policy
#
# Rules shared by every domain that carries the cloudform_domain attribute.
# Daemon-specific rules live in the per-daemon sections that follow.
#

# Self-owned TCP sockets and pipes
allow cloudform_domain self:tcp_socket create_stream_socket_perms;
allow cloudform_domain self:fifo_file rw_fifo_file_perms;

# Read-only access to /dev/urandom, /etc, CA certificates and locale data
dev_read_urand(cloudform_domain)
files_read_etc_files(cloudform_domain)
miscfiles_read_certs(cloudform_domain)
miscfiles_read_localization(cloudform_domain)
########################################
#
# deltacloudd local policy
#

# dac_override bypasses DAC permission checks on files the daemon does not own;
# setuid/setgid allow credential changes (presumably to drop privileges after
# start-up -- confirm against the init script before keeping both).
allow deltacloudd_t self:capability { dac_override setgid setuid };
allow deltacloudd_t self:process signal;

# Self-owned sockets and pipes.  fifo_file and tcp_socket repeat the
# cloudform_domain rules above, assuming deltacloudd_t carries that attribute
# (the template is not visible here).
allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
allow deltacloudd_t self:udp_socket create_socket_perms;
allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;

# Private temp files and directories under /tmp
manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })

# Pid files (directories, files and symlinks)
manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })

# Log files and directories
manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })

kernel_read_kernel_sysctls(deltacloudd_t)
kernel_read_system_state(deltacloudd_t)

corecmd_exec_bin(deltacloudd_t)

# Listens on any generic (unlabelled) TCP port.  A dedicated port type would
# pin the daemon to its own port; keep this in mind if the listen port is fixed.
corenet_tcp_bind_generic_node(deltacloudd_t)
corenet_tcp_bind_generic_port(deltacloudd_t)

files_read_usr_files(deltacloudd_t)

logging_send_syslog_msg(deltacloudd_t)

optional_policy(`
	sysnet_read_config(deltacloudd_t)
')
########################################
#
# iwhd local policy
#

# chown: presumably re-owns files it creates; kill: signal processes it does
# not own.  Both bypass DAC checks -- confirm each is still required.
allow iwhd_t self:capability { chown kill };
allow iwhd_t self:process fork;

allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
allow iwhd_t self:unix_stream_socket create_stream_socket_perms;

# Persistent state under /var/lib
manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)

# Log files (plain files only; no log subdirectories are created)
manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
logging_log_filetrans(iwhd_t, iwhd_log_t, { file })

# Pid files and directories
manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
files_pid_filetrans(iwhd_t, iwhd_var_run_t, { file dir })

kernel_read_system_state(iwhd_t)

# Listens on the websm port type and may connect to ANY TCP port.  The
# outbound grant is wide for a daemon; if its peers (e.g. the storage back
# ends it proxies to) are known, prefer the specific
# corenet_tcp_connect_*_port() interfaces.
corenet_tcp_bind_generic_node(iwhd_t)
corenet_tcp_bind_websm_port(iwhd_t)
corenet_tcp_connect_all_ports(iwhd_t)

dev_read_rand(iwhd_t)
dev_read_urand(iwhd_t)

# Full management of user home directories and their contents.  This lets a
# compromised iwhd read and rewrite every user's files; confirm it cannot use a
# dedicated data type (e.g. iwhd_var_lib_t) instead.
userdom_home_manager(iwhd_t)
########################################
#
# mongod local policy
#

# execmem allows writable-and-executable memory mappings, which weakens W^X
# for this domain (presumably needed by mongod's embedded JavaScript engine --
# confirm).  setsched lets it change its own scheduling; signal is to itself.
allow mongod_t self:process { execmem setsched signal };

allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
allow mongod_t self:udp_socket create_socket_perms;
allow mongod_t self:unix_stream_socket create_stream_socket_perms;

# Log files and directories
manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)

# Database files under /var/lib
manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)

# Temp files, including the unix socket mongod creates in /tmp
manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })

# Pid files; the pid-file transition is needed by dbomatic
manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
files_pid_filetrans(mongod_t, mongod_var_run_t, { file })

# Listens only on the dedicated mongod port type
corenet_tcp_bind_generic_node(mongod_t)
corenet_tcp_bind_mongod_port(mongod_t)

kernel_read_system_state(mongod_t)
kernel_read_vm_sysctls(mongod_t)

files_read_usr_files(mongod_t)

# Local socket connections to other databases and DNS lookups, each only when
# the corresponding module is loaded
optional_policy(`
	mysql_stream_connect(mongod_t)
')

optional_policy(`
	postgresql_stream_connect(mongod_t)
')

optional_policy(`
	sysnet_dns_name_resolve(mongod_t)
')
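########################################
#
# thin local policy
#

# dac_override bypasses DAC permission checks on files thin does not own;
# setuid/setgid allow credential changes (presumably a privilege drop after
# start-up -- confirm); kill signals processes it does not own.
allow thin_t self:capability { dac_override kill setgid setuid };

allow thin_t self:netlink_route_socket r_netlink_socket_perms;
allow thin_t self:udp_socket create_socket_perms;
allow thin_t self:unix_stream_socket create_stream_socket_perms;

# Pid files (plain files only)
manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
files_pid_filetrans(thin_t, thin_var_run_t, { file })

corecmd_exec_bin(thin_t)

# Listens on the ntop port type and connects out only to PostgreSQL.  The
# iwhd_t connect-all rule that was previously pasted into this section belongs
# to, and is already present in, the iwhd section; thin_t's outbound access is
# deliberately limited to the postgresql port -- do not widen it to
# corenet_tcp_connect_all_ports() without a documented need.
corenet_tcp_bind_generic_node(thin_t)
corenet_tcp_bind_ntop_port(thin_t)
corenet_tcp_connect_postgresql_port(thin_t)

files_read_usr_files(thin_t)

fs_search_auto_mountpoints(thin_t)

init_read_utmp(thin_t)

kernel_read_kernel_sysctls(thin_t)

optional_policy(`
	sysnet_read_config(thin_t)
')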