opensm: initial policy

Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>

3 files changed, 141 insertions, 0 deletions

diff --git a/policy/modules/services/opensm.fc b/policy/modules/services/opensm.fc
new file mode 100644
index 00000000..6d9566bb
--- /dev/null
+++ b/policy/modules/services/opensm.fc
@@ -0,0 +1,10 @@
+/usr/bin/opensm	--	gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/usr/sbin/opensm	--	gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/etc/opensm(/.*)?		gen_context(system_u:object_r:opensm_conf_t,s0)
+
+/var/cache/opensm(/.*)?		gen_context(system_u:object_r:opensm_cache_t,s0)
+
+/var/log/opensm\.log	--	gen_context(system_u:object_r:opensm_log_t,s0)
+/var/log/opensm-subnet\.lst	--	gen_context(system_u:object_r:opensm_log_t,s0)
diff --git a/policy/modules/services/opensm.if b/policy/modules/services/opensm.if
new file mode 100644
index 00000000..47664ce1
--- /dev/null
+++ b/policy/modules/services/opensm.if
@@ -0,0 +1,86 @@
+## <summary>OpenSM is a software implementation of an InfiniBand subnet manager.</summary>
+
+########################################
+## <summary>
+##	Execute opensm in the opensm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`opensm_domtrans',`
+	gen_require(`
+		type opensm_t, opensm_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, opensm_exec_t, opensm_t)
+')
+
+########################################
+## <summary>
+##	Execute opensm in the opensm domain, and
+##	allow the specified role the opensm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`opensm_run',`
+	gen_require(`
+		type opensm_t;
+	')
+
+	opensm_domtrans($1)
+	role $2 types opensm_t;
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an opensm environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`opensm_admin',`
+	gen_require(`
+		type opensm_t;
+		type opensm_conf_t, opensm_cache_t;
+		type opensm_log_t;
+	')
+
+	opensm_run($1, $2)
+
+	allow $1 opensm_t:process { ptrace signal_perms };
+	ps_process_pattern($1, opensm_t)
+
+	files_search_etc($1)
+	admin_pattern($1, opensm_conf_t)
+
+	files_search_var($1)
+	admin_pattern($1, opensm_cache_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, opensm_log_t)
+')
diff --git a/policy/modules/services/opensm.te b/policy/modules/services/opensm.te
new file mode 100644
index 00000000..1d5c2f57
--- /dev/null
+++ b/policy/modules/services/opensm.te
@@ -0,0 +1,45 @@
+policy_module(opensm)
+
+########################################
+#
+# Declarations
+#
+
+type opensm_t;
+type opensm_exec_t;
+init_daemon_domain(opensm_t, opensm_exec_t)
+
+type opensm_conf_t;
+files_config_file(opensm_conf_t)
+
+type opensm_cache_t;
+files_type(opensm_cache_t)
+
+type opensm_log_t;
+logging_log_file(opensm_log_t)
+
+########################################
+#
+# opensm local policy
+#
+
+allow opensm_t self:process { getsched signal };
+allow opensm_t self:unix_dgram_socket create_socket_perms;
+
+read_files_pattern(opensm_t, opensm_conf_t, opensm_conf_t)
+
+manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+files_var_filetrans(opensm_t, opensm_cache_t, dir)
+
+create_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+append_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+rw_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+logging_log_filetrans(opensm_t, opensm_log_t, file)
+
+dev_read_sysfs(opensm_t)
+dev_rw_infiniband(opensm_t)
+
+logging_send_syslog_msg(opensm_t)
+
+miscfiles_read_localization(opensm_t)