policy/modules/services/varnishd.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

policy_module(varnishd, 1.6.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Determine whether varnishd can
##	use the full TCP network.
## </p>
## </desc>
gen_tunable(varnishd_connect_any, false)

type varnishd_t;
type varnishd_exec_t;
init_daemon_domain(varnishd_t, varnishd_exec_t)

type varnishd_initrc_exec_t;
init_script_file(varnishd_initrc_exec_t)

type varnishd_etc_t;
files_type(varnishd_etc_t)

type varnishd_tmp_t;
files_tmp_file(varnishd_tmp_t)

type varnishd_var_lib_t;
files_type(varnishd_var_lib_t)

type varnishd_var_run_t;
files_pid_file(varnishd_var_run_t)

type varnishlog_t;
type varnishlog_exec_t;
init_daemon_domain(varnishlog_t, varnishlog_exec_t)

type varnishlog_initrc_exec_t;
init_script_file(varnishlog_initrc_exec_t)

type varnishlog_var_run_t;
files_pid_file(varnishlog_var_run_t)

type varnishlog_log_t;
files_type(varnishlog_log_t)

########################################
#
# Local policy
#

allow varnishd_t self:capability { dac_override ipc_lock kill setgid setuid };
dontaudit varnishd_t self:capability sys_tty_config;
allow varnishd_t self:process signal;
allow varnishd_t self:fifo_file rw_fifo_file_perms;
allow varnishd_t self:tcp_socket { accept listen };

allow varnishd_t varnishd_etc_t:dir list_dir_perms;
allow varnishd_t varnishd_etc_t:file read_file_perms;
allow varnishd_t varnishd_etc_t:lnk_file read_lnk_file_perms;

manage_dirs_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
manage_files_pattern(varnishd_t, varnishd_tmp_t, varnishd_tmp_t)
files_tmp_filetrans(varnishd_t, varnishd_tmp_t, { file dir })

manage_dirs_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
manage_files_pattern(varnishd_t, varnishd_var_lib_t, varnishd_var_lib_t)
files_var_lib_filetrans(varnishd_t, varnishd_var_lib_t, { dir file })

manage_files_pattern(varnishd_t, varnishd_var_run_t, varnishd_var_run_t)
files_pid_filetrans(varnishd_t, varnishd_var_run_t, file)

can_exec(varnishd_t, varnishd_var_lib_t)

kernel_read_system_state(varnishd_t)

corecmd_exec_bin(varnishd_t)
corecmd_exec_shell(varnishd_t)

corenet_all_recvfrom_unlabeled(varnishd_t)
corenet_all_recvfrom_netlabel(varnishd_t)
corenet_tcp_sendrecv_generic_if(varnishd_t)
corenet_tcp_sendrecv_generic_node(varnishd_t)
corenet_tcp_sendrecv_all_ports(varnishd_t)
corenet_tcp_bind_generic_node(varnishd_t)

corenet_sendrecv_http_server_packets(varnishd_t)
corenet_tcp_bind_http_port(varnishd_t)
corenet_sendrecv_http_client_packets(varnishd_t)
corenet_tcp_connect_http_port(varnishd_t)
corenet_tcp_sendrecv_http_port(varnishd_t)

corenet_sendrecv_http_cache_server_packets(varnishd_t)
corenet_tcp_bind_http_cache_port(varnishd_t)
corenet_sendrecv_http_cache_client_packets(varnishd_t)
corenet_tcp_connect_http_cache_port(varnishd_t)
corenet_tcp_sendrecv_http_cache_port(varnishd_t)

corenet_sendrecv_varnishd_server_packets(varnishd_t)
corenet_tcp_bind_varnishd_port(varnishd_t)
corenet_tcp_sendrecv_varnishd_port(varnishd_t)

dev_read_urand(varnishd_t)

files_read_usr_files(varnishd_t)

fs_getattr_all_fs(varnishd_t)

auth_use_nsswitch(varnishd_t)

logging_send_syslog_msg(varnishd_t)

miscfiles_read_localization(varnishd_t)

tunable_policy(`varnishd_connect_any',`
	corenet_sendrecv_all_client_packets(varnishd_t)
	corenet_tcp_connect_all_ports(varnishd_t)
	corenet_sendrecv_all_server_packets(varnishd_t)
	corenet_tcp_bind_all_ports(varnishd_t)
	corenet_tcp_sendrecv_all_ports(varnishd_t)
')

#######################################
#
# Log local policy
#

manage_files_pattern(varnishlog_t, varnishlog_var_run_t, varnishlog_var_run_t)
files_pid_filetrans(varnishlog_t, varnishlog_var_run_t, file)

manage_dirs_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
append_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
create_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
setattr_files_pattern(varnishlog_t, varnishlog_log_t, varnishlog_log_t)
logging_log_filetrans(varnishlog_t, varnishlog_log_t, { file dir })

read_files_pattern(varnishlog_t, varnishd_var_lib_t, varnishd_var_lib_t)

files_search_var_lib(varnishlog_t)

miscfiles_read_localization(varnishlog_t)