diff options
Diffstat (limited to 'policy/modules/contrib/aisexec.if')
-rw-r--r-- | policy/modules/contrib/aisexec.if | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/policy/modules/contrib/aisexec.if b/policy/modules/contrib/aisexec.if new file mode 100644 index 00000000..0370dba1 --- /dev/null +++ b/policy/modules/contrib/aisexec.if @@ -0,0 +1,106 @@ +## <summary>Aisexec Cluster Engine</summary> + +######################################## +## <summary> +## Execute a domain transition to run aisexec. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`aisexec_domtrans',` + gen_require(` + type aisexec_t, aisexec_exec_t; + ') + + domtrans_pattern($1, aisexec_exec_t, aisexec_t) +') + +##################################### +## <summary> +## Connect to aisexec over a unix domain +## stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`aisexec_stream_connect',` + gen_require(` + type aisexec_t, aisexec_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t) +') + +####################################### +## <summary> +## Allow the specified domain to read aisexec's log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`aisexec_read_log',` + gen_require(` + type aisexec_var_log_t; + ') + + logging_search_logs($1) + list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t) + read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t) +') + +###################################### +## <summary> +## All of the rules required to administrate +## an aisexec environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the aisexecd domain. +## </summary> +## </param> +## <rolecap/> +# +interface(`aisexecd_admin',` + gen_require(` + type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t; + type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t; + type aisexec_initrc_exec_t; + ') + + allow $1 aisexec_t:process { ptrace signal_perms }; + ps_process_pattern($1, aisexec_t) + + init_labeled_script_domtrans($1, aisexec_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 aisexec_initrc_exec_t system_r; + allow $2 system_r; + + files_list_var_lib($1) + admin_pattern($1, aisexec_var_lib_t) + + logging_list_logs($1) + admin_pattern($1, aisexec_var_log_t) + + files_list_pids($1) + admin_pattern($1, aisexec_var_run_t) + + files_list_tmp($1) + admin_pattern($1, aisexec_tmp_t) + + admin_pattern($1, aisexec_tmpfs_t) +') |