policy_module(sge, 1.0.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow sge to access nfs file systems.
## </p>
## </desc>
gen_tunable(sge_use_nfs, false)
## <desc>
## <p>
## Allow sge to connect to the network using any TCP port
## </p>
## </desc>
gen_tunable(sge_domain_can_network_connect, false)
attribute sge_domain;
sge_basic_types_template(sge_execd)
init_daemon_domain(sge_execd_t, sge_execd_exec_t)
type sge_spool_t;
files_type(sge_spool_t)
type sge_tmp_t;
files_tmp_file(sge_tmp_t)
sge_basic_types_template(sge_shepherd)
application_domain(sge_shepherd_t, sge_shepherd_exec_t)
role system_r types sge_shepherd_t;
sge_basic_types_template(sge_job)
application_domain(sge_job_t, sge_job_exec_t)
corecmd_shell_entry_type(sge_job_t)
role system_r types sge_job_t;
#######################################
#
# sge_execd local policy
#
allow sge_execd_t self:capability { dac_override setuid chown setgid };
allow sge_execd_t self:process { setsched signal setpgid };
allow sge_execd_t sge_shepherd_t:process signal;
kernel_read_kernel_sysctls(sge_execd_t)
dev_read_sysfs(sge_execd_t)
files_exec_usr_files(sge_execd_t)
files_search_spool(sge_execd_t)
fs_getattr_xattr_fs(sge_execd_t)
auth_use_nsswitch(sge_execd_t)
logging_send_syslog_msg(sge_execd_t)
init_read_utmp(sge_execd_t)
optional_policy(`
sendmail_domtrans(sge_execd_t)
')
######################################
#
# sge_shepherd local policy
#
allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_override };
allow sge_shepherd_t self:process { setsched setrlimit setpgid };
allow sge_shepherd_t self:process signal_perms;
domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t)
kernel_read_sysctl(sge_shepherd_t)
kernel_read_kernel_sysctls(sge_shepherd_t)
dev_read_sysfs(sge_shepherd_t)
fs_getattr_all_fs(sge_shepherd_t)
logging_send_syslog_msg(sge_shepherd_t)
optional_policy(`
mta_send_mail(sge_shepherd_t)
')
optional_policy(`
ssh_domtrans(sge_shepherd_t)
')
optional_policy(`
unconfined_domain(sge_shepherd_t)
')
#####################################
#
# sge_job local policy
#
allow sge_shepherd_t sge_job_t:process signal_perms;
corecmd_shell_domtrans(sge_shepherd_t, sge_job_t)
kernel_read_kernel_sysctls(sge_job_t)
term_use_all_terms(sge_job_t)
logging_send_syslog_msg(sge_job_t)
optional_policy(`
ssh_basic_client_template(sge_job, sge_job_t, system_r)
ssh_domtrans(sge_job_t)
allow sge_job_t sge_job_ssh_t:process sigkill;
allow sge_shepherd_t sge_job_ssh_t:process sigkill;
xserver_exec_xauth(sge_job_ssh_t)
tunable_policy(`sge_use_nfs',`
fs_list_auto_mountpoints(sge_job_ssh_t)
fs_manage_nfs_dirs(sge_job_ssh_t)
fs_manage_nfs_files(sge_job_ssh_t)
fs_read_nfs_symlinks(sge_job_ssh_t)
')
')
optional_policy(`
xserver_domtrans_xauth(sge_job_t)
')
optional_policy(`
unconfined_domain(sge_job_t)
')
#####################################
#
# sge_domain local policy
#
allow sge_domain self:fifo_file rw_fifo_file_perms;
allow sge_domain self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(sge_domain, sge_spool_t, sge_spool_t)
manage_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })
kernel_read_network_state(sge_domain)
corecmd_exec_bin(sge_domain)
corecmd_exec_shell(sge_domain)
domain_read_all_domains_state(sge_domain)
dev_read_urand(sge_domain)
tunable_policy(`sge_domain_can_network_connect',`
corenet_tcp_connect_all_ports(sge_domain)
')
tunable_policy(`sge_use_nfs',`
fs_list_auto_mountpoints(sge_domain)
fs_manage_nfs_dirs(sge_domain)
fs_manage_nfs_files(sge_domain)
fs_read_nfs_symlinks(sge_domain)
fs_exec_nfs_files(sge_domain)
')
optional_policy(`
sysnet_dns_name_resolve(sge_domain)
')
optional_policy(`
hostname_exec(sge_domain)
')
optional_policy(`
nslcd_stream_connect(sge_domain)
')