Changes to the daemontools policy module
Module clean up

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
mypublicrepositories committed Sep 26, 2012
1 parent f8c9422 commit b0b07ad
Showing 3 changed files with 99 additions and 94 deletions.
54 changes: 21 additions & 33 deletions daemontools.fc
@@ -1,53 +1,41 @@
#
# /service
#
/service -d gen_context(system_u:object_r:svc_svc_t,s0)
/service/.* gen_context(system_u:object_r:svc_svc_t,s0)

/service -d gen_context(system_u:object_r:svc_svc_t,s0)
/service/.* gen_context(system_u:object_r:svc_svc_t,s0)

#
# /usr
#

/usr/bin/envdir -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/usr/bin/envdir -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/usr/bin/envuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/usr/bin/fghack -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/usr/bin/fghack -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/usr/bin/multilog -- gen_context(system_u:object_r:svc_multilog_exec_t,s0)
/usr/bin/pgrphack -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/usr/bin/setlock -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/usr/bin/setlock -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/usr/bin/setuidgid -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/usr/bin/softlimit -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/usr/bin/svc -- gen_context(system_u:object_r:svc_start_exec_t,s0)
/usr/bin/svok -- gen_context(system_u:object_r:svc_start_exec_t,s0)
/usr/bin/svscan -- gen_context(system_u:object_r:svc_start_exec_t,s0)
/usr/bin/svc -- gen_context(system_u:object_r:svc_start_exec_t,s0)
/usr/bin/svok -- gen_context(system_u:object_r:svc_start_exec_t,s0)
/usr/bin/svscan -- gen_context(system_u:object_r:svc_start_exec_t,s0)
/usr/bin/svscanboot -- gen_context(system_u:object_r:svc_start_exec_t,s0)
/usr/bin/supervise -- gen_context(system_u:object_r:svc_start_exec_t,s0)

#
# /var
#

/var/axfrdns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
/var/axfrdns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/axfrdns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
/var/axfrdns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/axfrdns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/axfrdns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
/var/axfrdns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)

/var/dnscache(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
/var/dnscache/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
/var/dnscache(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
/var/dnscache/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
/var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)

/var/qmail/supervise(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
/var/qmail/supervise/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/qmail/supervise/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)

/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0)
/var/service/.* gen_context(system_u:object_r:svc_svc_t,s0)
/var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
/var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0)
/var/service/.*/log/run gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/service/.*/log/run gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/service/.*/run.* gen_context(system_u:object_r:svc_run_exec_t,s0)

/var/tinydns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
/var/tinydns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/tinydns(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
/var/tinydns/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/tinydns/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)
/var/tinydns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
/var/tinydns/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)
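Review bot: The two `/var/service` run entries near the end of the file (`/var/service/.*/log/run` and `/var/service/.*/run.*`) still have no `--` file-type specifier, unlike every other `run` entry here, so the entrypoint type svc_run_exec_t is applied to whatever object class matches, and `run.*` also matches any name that merely begins with `run`. Since the commit is re-aligning these lines anyway, this is a natural place to tighten them, e.g. `/var/service/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0)`, with `--` added to the `run.*` pattern as well. If the trailing wildcard is intentional, a one-line comment naming the files it is meant to cover would let a reader judge what can end up labelled as an entry point.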
96 changes: 52 additions & 44 deletions daemontools.if
@@ -1,13 +1,9 @@
## <summary>Collection of tools for managing UNIX services</summary>
## <desc>
## <p>
## Policy for DJB's daemontools
## </p>
## </desc>
## <summary>Collection of tools for managing UNIX services.</summary>

########################################
## <summary>
## An ipc channel between the supervised domain and svc_start_t
## An ipc channel between the
## supervised domain and svc_start_t.
## </summary>
## <param name="domain">
## <summary>
@@ -22,22 +18,23 @@ interface(`daemontools_ipc_domain',`

allow $1 svc_start_t:process sigchld;
allow $1 svc_start_t:fd use;
allow $1 svc_start_t:fifo_file { read write getattr };
allow $1 svc_start_t:fifo_file rw_fifo_file_perms;
allow svc_start_t $1:process signal;
')

########################################
## <summary>
## Define a specified domain as a supervised service.
## Create a domain which can be
## started by daemontools.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## Type to be used as a domain.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## The type associated with the process program.
## Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
#
@@ -55,7 +52,8 @@ interface(`daemontools_service_domain',`

########################################
## <summary>
## Execute in the svc_start_t domain.
## Execute svc start in the svc
## start domain.
## </summary>
## <param name="domain">
## <summary>
@@ -68,38 +66,40 @@ interface(`daemontools_domtrans_start',`
type svc_start_t, svc_start_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, svc_start_exec_t, svc_start_t)
')

######################################
## <summary>
## Execute svc_start in the svc_start domain, and
## allow the specified role the svc_start domain.
## Execute svc start in the svc
## start domain, and allow the
## specified role the svc start domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the svc_start domain.
## </summary>
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`daemonstools_run_start',`
gen_require(`
type svc_start_t;
')
gen_require(`
attribute_role svc_start_roles;
')

daemontools_domtrans_start($1)
role $2 types svc_start_t;
daemontools_domtrans_start($1)
roleattribute $2 svc_start_roles;
')

########################################
## <summary>
## Execute in the svc_run_t domain.
## Execute avc run in the svc run domain.
## </summary>
## <param name="domain">
## <summary>
@@ -112,30 +112,33 @@ interface(`daemontools_domtrans_run',`
type svc_run_t, svc_run_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, svc_run_exec_t, svc_run_t)
')

######################################
## <summary>
## Send a SIGCHLD signal to svc_run domain.
## Send child terminated signals
## to svc run.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`daemontools_sigchld_run',`
gen_require(`
gen_require(`
type svc_run_t;
')
')

allow $1 svc_run_t:process sigchld;
allow $1 svc_run_t:process sigchld;
')

########################################
## <summary>
## Execute in the svc_multilog_t domain.
## Execute avc multilog in the svc
## multilog domain.
## </summary>
## <param name="domain">
## <summary>
@@ -148,30 +151,32 @@ interface(`daemontools_domtrans_multilog',`
type svc_multilog_t, svc_multilog_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t)
')

######################################
## <summary>
## Search svc_svc_t directory.
## Search svc svc directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`daemontools_search_svc_dir',`
gen_require(`
gen_require(`
type svc_svc_t;
')
')

allow $1 svc_svc_t:dir search_dir_perms;
files_search_var($1)
allow $1 svc_svc_t:dir search_dir_perms;
')

########################################
## <summary>
## Allow a domain to read svc_svc_t files.
## Read svc avc files.
## </summary>
## <param name="domain">
## <summary>
@@ -185,13 +190,15 @@ interface(`daemontools_read_svc',`
type svc_svc_t;
')

files_search_var($1)
allow $1 svc_svc_t:dir list_dir_perms;
allow $1 svc_svc_t:file read_file_perms;
')

########################################
## <summary>
## Allow a domain to create svc_svc_t files.
## Create, read, write and delete
## svc svc content.
## </summary>
## <param name="domain">
## <summary>
@@ -205,8 +212,9 @@ interface(`daemontools_manage_svc',`
type svc_svc_t;
')

files_search_var($1)
allow $1 svc_svc_t:dir manage_dir_perms;
allow $1 svc_svc_t:fifo_file manage_fifo_file_perms;
allow $1 svc_svc_t:file manage_file_perms;
allow $1 svc_svc_t:lnk_file { read create };
allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;
')
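Review bot: In the last hunk, `daemontools_manage_svc` replaces the symlink rule `{ read create }` with `manage_lnk_file_perms` (taking the second printed line as the new side, which the rewritten summary supports), so every existing caller gains further symlink permissions on svc_svc_t such as unlink and rename. That is a change in granted access, not only a clean-up, and the commit message does not mention it. The callers of this interface are not visible here; they should be checked for whether they actually need to remove or rename links in the service directories. If the widening is intended, a comment above the rule such as `# lnk_file: full manage is intentional, callers may remove and rename service links` would record the decision. The interface's `gen_require` opening lies outside the hunk.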
