1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
policy_module(ccs, 1.5.2)
########################################
#
# Declarations
#
type ccs_t;
type ccs_exec_t;
init_daemon_domain(ccs_t, ccs_exec_t)
type ccs_initrc_exec_t;
init_script_file(ccs_initrc_exec_t)
type cluster_conf_t;
files_config_file(cluster_conf_t)
type ccs_tmp_t;
files_tmp_file(ccs_tmp_t)
type ccs_tmpfs_t;
files_tmpfs_file(ccs_tmpfs_t)
type ccs_var_lib_t;
logging_log_file(ccs_var_lib_t)
type ccs_var_log_t;
logging_log_file(ccs_var_log_t)
type ccs_var_run_t;
files_pid_file(ccs_var_run_t)
########################################
#
# Local policy
#
allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
allow ccs_t self:process { signal setrlimit setsched };
dontaudit ccs_t self:process ptrace;
allow ccs_t self:fifo_file rw_fifo_file_perms;
allow ccs_t self:unix_stream_socket { accept connectto listen };
allow ccs_t self:tcp_socket { accept listen };
allow ccs_t self:udp_socket { accept listen recv_msg send_msg };
allow ccs_t self:socket create_socket_perms;
manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t)
allow ccs_t ccs_tmp_t:dir manage_dir_perms;
manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
files_tmp_filetrans(ccs_t, ccs_tmp_t, { dir file })
manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file })
manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { dir file })
allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
append_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
create_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
setattr_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
logging_log_filetrans(ccs_t, ccs_var_log_t, { file sock_file })
manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
files_pid_filetrans(ccs_t, ccs_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(ccs_t)
corecmd_list_bin(ccs_t)
corecmd_exec_bin(ccs_t)
corenet_all_recvfrom_unlabeled(ccs_t)
corenet_all_recvfrom_netlabel(ccs_t)
corenet_tcp_sendrecv_generic_if(ccs_t)
corenet_udp_sendrecv_generic_if(ccs_t)
corenet_tcp_sendrecv_generic_node(ccs_t)
corenet_udp_sendrecv_generic_node(ccs_t)
corenet_tcp_bind_generic_node(ccs_t)
corenet_udp_bind_generic_node(ccs_t)
corenet_sendrecv_cluster_server_packets(ccs_t)
corenet_tcp_bind_cluster_port(ccs_t)
corenet_tcp_sendrecv_cluster_port(ccs_t)
corenet_udp_bind_cluster_port(ccs_t)
corenet_udp_sendrecv_cluster_port(ccs_t)
corenet_sendrecv_netsupport_server_packets(ccs_t)
corenet_udp_bind_netsupport_port(ccs_t)
dev_read_urand(ccs_t)
files_read_etc_files(ccs_t)
files_read_etc_runtime_files(ccs_t)
init_rw_script_tmp_files(ccs_t)
logging_send_syslog_msg(ccs_t)
miscfiles_read_localization(ccs_t)
sysnet_dns_name_resolve(ccs_t)
userdom_manage_unpriv_user_shared_mem(ccs_t)
userdom_manage_unpriv_user_semaphores(ccs_t)
ifdef(`hide_broken_symptoms',`
corecmd_dontaudit_write_bin_dirs(ccs_t)
files_manage_isid_type_files(ccs_t)
')
optional_policy(`
aisexec_stream_connect(ccs_t)
corosync_stream_connect(ccs_t)
')
optional_policy(`
qpidd_rw_semaphores(ccs_t)
qpidd_rw_shm(ccs_t)
')
optional_policy(`
unconfined_use_fds(ccs_t)
')
|
GitWeb