psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f7 f8 f9 master master-docker master_contrib private-master-atomic-policy private-master-migrate-to-var-lib-selinux requires tests
  1.   master_contrib
  2.   daemontools.te
Blob Blame History Raw 
policy_module(daemontools, 1.2.1)

########################################
#
# Declarations
#

attribute_role svc_start_roles;
roleattribute system_r svc_start_roles;

type svc_conf_t;
files_config_file(svc_conf_t)

type svc_log_t;
files_type(svc_log_t)

type svc_multilog_t;
type svc_multilog_exec_t;
application_domain(svc_multilog_t, svc_multilog_exec_t)
role system_r types svc_multilog_t;

type svc_run_t;
type svc_run_exec_t;
application_domain(svc_run_t, svc_run_exec_t)
role system_r types svc_run_t;

type svc_start_t;
type svc_start_exec_t;
init_domain(svc_start_t, svc_start_exec_t)
init_system_domain(svc_start_t, svc_start_exec_t)
role svc_start_roles types svc_start_t;

type svc_svc_t;
files_type(svc_svc_t)

########################################
#
# Multilog local policy
#

manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)

allow svc_multilog_t svc_start_t:process sigchld;
allow svc_multilog_t svc_start_t:fd use;
allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms;

term_write_console(svc_multilog_t)

init_use_fds(svc_multilog_t)
init_dontaudit_use_script_fds(svc_multilog_t)

logging_manage_generic_logs(svc_multilog_t)

########################################
#
# local policy for binaries that impose 
# a given environment to supervised daemons
# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
#

allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource };
allow svc_run_t self:process setrlimit;
allow svc_run_t self:fifo_file rw_fifo_file_perms;
allow svc_run_t self:unix_stream_socket create_stream_socket_perms;

allow svc_run_t svc_conf_t:dir list_dir_perms;
allow svc_run_t svc_conf_t:file read_file_perms;

allow svc_run_t svc_svc_t:dir list_dir_perms;
allow svc_run_t svc_svc_t:file read_file_perms;

can_exec(svc_run_t, svc_run_exec_t)

domtrans_pattern(svc_run_t, svc_multilog_exec_t, svc_multilog_t)

kernel_read_system_state(svc_run_t)

dev_read_urand(svc_run_t)

corecmd_exec_bin(svc_run_t)
corecmd_exec_shell(svc_run_t)

term_write_console(svc_run_t)

files_read_etc_runtime_files(svc_run_t)
files_search_pids(svc_run_t)
files_search_var_lib(svc_run_t)

init_use_script_fds(svc_run_t)
init_use_fds(svc_run_t)

optional_policy(`
	qmail_read_config(svc_run_t)
')

########################################
#
# local policy for service monitoring programs
# ie svc, svscan, supervise ...
#

allow svc_start_t self:capability kill;
allow svc_start_t self:fifo_file rw_fifo_file_perms;
allow svc_start_t self:tcp_socket create_stream_socket_perms;

allow svc_start_t svc_svc_t:dir manage_dir_perms;
allow svc_start_t svc_svc_t:fifo_file manage_fifo_file_perms;
allow svc_start_t svc_svc_t:file manage_file_perms;
allow svc_start_t svc_svc_t:lnk_file manage_lnk_file_perms;

allow svc_start_t svc_multilog_t:process signal;
allow svc_start_t svc_run_t:process { signal setrlimit };

can_exec(svc_start_t, svc_start_exec_t)

mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t)

kernel_read_kernel_sysctls(svc_start_t)
kernel_read_system_state(svc_start_t)

corecmd_exec_bin(svc_start_t)
corecmd_exec_shell(svc_start_t)

corenet_tcp_bind_generic_node(svc_start_t)
corenet_tcp_bind_generic_port(svc_start_t)

term_write_console(svc_start_t)

files_read_etc_runtime_files(svc_start_t)
files_search_var(svc_start_t)
files_search_pids(svc_start_t)

logging_send_syslog_msg(svc_start_t)
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.