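## <summary>policy for openshift</summary>

########################################
## <summary>
##	Execute openshift server in the openshift domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`openshift_initrc_domtrans',`
	gen_require(`
		type openshift_initrc_t, openshift_initrc_exec_t;
	')

	# Automatic domain transition on exec of the init script entrypoint.
	domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
')

########################################
## <summary>
##	Send a null signal to openshift init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_initrc_signull',`
	gen_require(`
		type openshift_initrc_t;
	')

	# signull only probes for process existence; it delivers nothing.
	allow $1 openshift_initrc_t:process signull;
')

########################################
## <summary>
##	Send a signal to openshift init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_initrc_signal',`
	gen_require(`
		type openshift_initrc_t;
	')

	allow $1 openshift_initrc_t:process signal;
')

########################################
## <summary>
##	Send a signal to openshift init scripts.
##	Misspelled legacy name for openshift_initrc_signal();
##	retained only so existing callers keep building.
##	New policy should call openshift_initrc_signal() instead.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_initrc_signl',`
	# Delegate rather than duplicate the allow rule, so the two
	# interfaces cannot drift apart.
	openshift_initrc_signal($1)
')

########################################
## <summary>
##	Search openshift cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_search_cache',`
	gen_require(`
		type openshift_cache_t;
	')

	allow $1 openshift_cache_t:dir search_dir_perms;
	# Needed to reach the cache directory through /var.
	files_search_var($1)
')

########################################
## <summary>
##	Read openshift cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_read_cache_files',`
	gen_require(`
		type openshift_cache_t;
	')

	files_search_var($1)
	read_files_pattern($1, openshift_cache_t, openshift_cache_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	openshift cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.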
##	</summary>
## </param>
#
interface(`openshift_manage_cache_files',`
	gen_require(`
		type openshift_cache_t;
	')

	files_search_var($1)
	manage_files_pattern($1, openshift_cache_t, openshift_cache_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	openshift cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_manage_cache_dirs',`
	gen_require(`
		type openshift_cache_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, openshift_cache_t, openshift_cache_t)
')

########################################
## <summary>
##	Allow the specified domain to read openshift's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_read_log',`
	gen_require(`
		type openshift_log_t;
	')

	# Search permission on /var/log is required to reach the files.
	logging_search_logs($1)
	read_files_pattern($1, openshift_log_t, openshift_log_t)
')

########################################
## <summary>
##	Allow the specified domain to append
##	openshift log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_append_log',`
	gen_require(`
		type openshift_log_t;
	')

	# Append only: the caller cannot truncate or rewrite existing
	# log content, which keeps the audit trail intact.
	logging_search_logs($1)
	append_files_pattern($1, openshift_log_t, openshift_log_t)
')

########################################
## <summary>
##	Allow domain to manage openshift log files,
##	directories and symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_manage_log',`
	gen_require(`
		type openshift_log_t;
	')

	logging_search_logs($1)
	# Full create/delete on logs lets the caller remove evidence;
	# reserve this for the openshift domains and their admins.
	manage_dirs_pattern($1, openshift_log_t, openshift_log_t)
	manage_files_pattern($1, openshift_log_t, openshift_log_t)
	manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t)
')

########################################
## <summary>
##	Search openshift lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_search_lib',`
	gen_require(`
		type openshift_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 openshift_var_lib_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read openshift lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_read_lib_files',`
	gen_require(`
		type openshift_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
')

########################################
## <summary>
##	Append openshift lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_append_lib_files',`
	gen_require(`
		type openshift_var_lib_t;
	')

	files_search_var_lib($1)
	append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	openshift lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_manage_lib_files',`
	gen_require(`
		type openshift_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	openshift lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_manage_lib_dirs',`
	gen_require(`
		type openshift_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
')

########################################
## <summary>
##	Create private objects in the
##	openshift lib directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`openshift_lib_filetrans',`
	gen_require(`
		type openshift_var_lib_t;
	')

	files_search_var_lib($1)
	# Objects $1 creates under openshift_var_lib_t get type $2 instead
	# of inheriting the parent directory's type.
	filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4)
')

########################################
## <summary>
##	Read openshift PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_read_pid_files',`
	gen_require(`
		type openshift_var_run_t;
	')

	files_search_pids($1)
	allow $1 openshift_var_run_t:file read_file_perms;
')

########################################
## <summary>
##	All of the rules required to administrate
##	an openshift environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`openshift_admin',`
	gen_require(`
		type openshift_t, openshift_initrc_exec_t;
		type openshift_cache_t, openshift_log_t;
		type openshift_var_lib_t, openshift_var_run_t;
	')

	# ptrace gives the admin domain full inspection and control of
	# openshift_t processes, not just signalling.
	allow $1 openshift_t:process { ptrace signal_perms };
	ps_process_pattern($1, openshift_t)

	# Let the admin run the init script and switch to system_r while
	# doing so; role_transition alone does not authorize the role
	# change, hence the accompanying role allow rule.
	openshift_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 openshift_initrc_exec_t system_r;
	allow $2 system_r;

	# Full management of every openshift file type.
	files_search_var($1)
	admin_pattern($1, openshift_cache_t)

	logging_search_logs($1)
	admin_pattern($1, openshift_log_t)

	files_search_var_lib($1)
	admin_pattern($1, openshift_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, openshift_var_run_t)
')

########################################
## <summary>
##	Make the specified type usable as a openshift domain.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the domain (e.g., openshift
##	is the prefix for openshift_t).
##	</summary>
## </param>
#
template(`openshift_service_domain_template',`
	gen_require(`
		attribute openshift_domain, openshift_user_domain;
	')

	# Primary service domain: $1_t.
	type $1_t;
	typeattribute $1_t openshift_domain, openshift_user_domain;
	domain_type($1_t)
	role system_r types $1_t;
	mcs_constrained($1_t)
	# The exemptions below let this domain change user/object
	# identity and perform dynamic (setcon-style) transitions; any
	# program confined here is therefore trusted not to misuse them.
	domain_user_exemption_target($1_t)
	domain_subj_id_change_exemption($1_t)
	domain_obj_id_change_exemption($1_t)
	domain_dyntrans_type($1_t)
	auth_use_nsswitch($1_t)
	kernel_read_system_state($1_t)
	logging_send_syslog_msg($1_t)

	# Application domain: $1_app_t. Unlike $1_t it is not a
	# openshift_user_domain and gets neither auth_use_nsswitch nor
	# the subject-id change exemption; presumably intentional, but
	# confirm before relying on that asymmetry.
	type $1_app_t;
	typeattribute $1_app_t openshift_domain;
	domain_type($1_app_t)
	role system_r types $1_app_t;
	mcs_constrained($1_app_t)
	domain_user_exemption_target($1_app_t)
	domain_obj_id_change_exemption($1_app_t)
	domain_dyntrans_type($1_app_t)
	kernel_read_system_state($1_app_t)
	logging_send_syslog_msg($1_app_t)
')

########################################
## <summary>
##	Make the specified type usable as an openshift net domain.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as an openshift net domain type.
##	</summary>
## </param>
#
template(`openshift_net_type',`
	gen_require(`
		attribute openshift_net_domain;
	')

	typeattribute $1 openshift_net_domain;
')

########################################
## <summary>
##	Read and write inherited openshift files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_rw_inherited_content',`
	gen_require(`
		attribute openshift_file_type;
	')

	# Inherited perms only: the caller may use descriptors it was
	# handed, but cannot open openshift files itself.
	allow $1 openshift_file_type:file rw_inherited_file_perms;
')

########################################
## <summary>
##	Manage openshift tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_manage_tmp_files',`
	gen_require(`
		type openshift_tmp_t;
	')

	# NOTE(review): no files_search_tmp($1) here, unlike the
	# *_search_var* interfaces above; callers may need to add it.
	manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
')

########################################
## <summary>
##	Manage openshift tmp sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_manage_tmp_sockets',`
	gen_require(`
		type openshift_tmp_t;
	')

	manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
')

########################################
## <summary>
##	Mount on the openshift tmp directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_mounton_tmp',`
	gen_require(`
		type openshift_tmp_t;
	')

	allow $1 openshift_tmp_t:dir mounton;
')

########################################
## <summary>
##	Do not audit attempts to read and write inherited
##	openshift init script fifo files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`openshift_dontaudit_rw_inherited_fifo_files',`
	gen_require(`
		type openshift_initrc_t;
	')

	dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
##	Allow the calling domain to transition (on exec)
##	to an openshift user domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_transition',`
	gen_require(`
		attribute openshift_user_domain;
	')

	allow $1 openshift_user_domain:process transition;
	# Silence the usual inheritance noise on transition.
	dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh };
	dontaudit $1 openshift_user_domain:socket_class_set { read write };

	# The child keeps using the caller's descriptors and reports back.
	allow openshift_user_domain $1:fd use;
	allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms;
	allow openshift_user_domain $1:process sigchld;
')

########################################
## <summary>
##	Allow the calling domain to dynamically transition
##	(without exec) to an openshift user domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`openshift_dyntransition',`
	gen_require(`
		attribute openshift_domain, openshift_user_domain;
	')

	# dyntransition lets $1 relabel its own running process; $1 is
	# trusted to pick the right target context.
	allow $1 openshift_user_domain:process dyntransition;
	allow $1 openshift_user_domain:process { rlimitinh signal };

	allow openshift_user_domain $1:unix_stream_socket { connectto rw_socket_perms };
	allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
	dontaudit openshift_user_domain $1:key view;

	# Leaked TCP sockets from $1 are denied silently rather than logged.
	dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
')

########################################
## <summary>
##	Execute openshift in the openshift domain, and
##	allow the specified role the openshift domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
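##	</summary>
## </param>
#
interface(`openshift_run',`
	gen_require(`
		type openshift_initrc_exec_t;
	')

	openshift_initrc_domtrans($1)
	role_transition $2 openshift_initrc_exec_t system_r;
	# A role_transition is only honoured if the old role is allowed
	# to become the new one; openshift_admin pairs the same
	# role_transition with this role allow rule, so match it here.
	allow $2 system_r;

	openshift_transition($1)
')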