Changes to the ccs policy module

Ported from Fedora with changes

Add missing file contexts to the best of my ability. This package is no
longer available since a long time. Also these cluster directories are
shared so try to keep them generic. Since they are installed that may be
possible

Add init script file
Add ccs_admin()

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>

ccs.fc

@@ -1,6 +1,14 @@
-/etc/cluster(/.*)?		gen_context(system_u:object_r:cluster_conf_t,s0)
+/etc/cluster(/.*)?	gen_context(system_u:object_r:cluster_conf_t,s0)
 
-/sbin/ccsd		--	gen_context(system_u:object_r:ccs_exec_t,s0)
+/etc/rc\.d/init\.d/((ccs)|(ccsd))	--	gen_context(system_u:object_r:ccs_initrc_exec_t,s0)
 
-/var/run/cluster/ccsd\.pid --	gen_context(system_u:object_r:ccs_var_run_t,s0)
-/var/run/cluster/ccsd\.sock -s	gen_context(system_u:object_r:ccs_var_run_t,s0)
+/sbin/ccsd	--	gen_context(system_u:object_r:ccs_exec_t,s0)
+
+/usr/sbin/ccsd	--	gen_context(system_u:object_r:ccs_exec_t,s0)
+
+/var/lib/cluster/((ccs)|(ccsd)).*	gen_context(system_u:object_r:ccs_var_lib_t,s0)
+
+/var/log/cluster/((ccs)|(ccsd)).*	gen_context(system_u:object_r:ccs_var_log_t,s0)
+
+/var/run/cluster/((ccs)|(ccsd))\.pid	--	gen_context(system_u:object_r:ccs_var_run_t,s0)
+/var/run/cluster/((ccs)|(ccsd))\.sock	-s	gen_context(system_u:object_r:ccs_var_run_t,s0)

ccs.if

@@ -1,4 +1,4 @@
-## <summary>Cluster Configuration System</summary>
+## <summary>Cluster Configuration System.</summary>
 
 ########################################
 ## <summary>
@@ -15,6 +15,7 @@ interface(`ccs_domtrans',`
 		type ccs_t, ccs_exec_t;
 	')
 
+	corecmd_search_bin($1)
 	domtrans_pattern($1, ccs_exec_t, ccs_t)
 ')
 
@@ -52,12 +53,14 @@ interface(`ccs_read_config',`
 		type cluster_conf_t;
 	')
 
+	files_search_etc($1)
 	read_files_pattern($1, cluster_conf_t, cluster_conf_t)
 ')
 
 ########################################
 ## <summary>
-##	Manage cluster configuration files.
+##	Create, read, write, and delete
+##	cluster configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -70,6 +73,55 @@ interface(`ccs_manage_config',`
 		type cluster_conf_t;
 	')
 
+	files_search_etc($1)
 	manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t)
 	manage_files_pattern($1, cluster_conf_t, cluster_conf_t)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an ccs environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ccs_admin',`
+	gen_require(`
+		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
+		type ccs_var_lib_t_t, ccs_var_log_t;
+		type ccs_var_run_t, ccs_tmp_t;
+	')
+
+	allow $1 ccs_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ccs_t)
+
+	init_labeled_script_domtrans($1, ccs_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 ccs_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, ccs_conf_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, ccs_var_lib_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, ccs_var_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, ccs_var_run_t)
+
+	files_search_tmp($1)
+	admin_pattern($1, ccs_tmp_t)
+')

ccs.te

@@ -1,4 +1,4 @@
-policy_module(ccs, 1.5.0)
+policy_module(ccs, 1.5.1)
 
 ########################################
 #
@@ -9,8 +9,11 @@ type ccs_t;
 type ccs_exec_t;
 init_daemon_domain(ccs_t, ccs_exec_t)
 
+type ccs_initrc_exec_t;
+init_script_file(ccs_initrc_exec_t)
+
 type cluster_conf_t;
-files_type(cluster_conf_t)
+files_config_file(cluster_conf_t)
 
 type ccs_tmp_t;
 files_tmp_file(ccs_tmp_t)
@@ -29,48 +32,44 @@ files_pid_file(ccs_var_run_t)
 
 ########################################
 #
-# ccs local policy
+# Local policy
 #
 
 allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
 allow ccs_t self:process { signal setrlimit setsched };
 dontaudit ccs_t self:process ptrace;
 allow ccs_t self:fifo_file rw_fifo_file_perms;
-allow ccs_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow ccs_t self:unix_dgram_socket create_socket_perms;
+allow ccs_t self:unix_stream_socket { accept connectto listen };
 allow ccs_t self:netlink_route_socket r_netlink_socket_perms;
 allow ccs_t self:tcp_socket create_stream_socket_perms;
 allow ccs_t self:udp_socket { create_socket_perms listen recv_msg send_msg };
-# cjp: this needs to be fixed to be specific
 allow ccs_t self:socket create_socket_perms;
 
 manage_files_pattern(ccs_t, cluster_conf_t, cluster_conf_t)
 
-# tmp file
 allow ccs_t ccs_tmp_t:dir manage_dir_perms;
 manage_dirs_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
 manage_files_pattern(ccs_t, ccs_tmp_t, ccs_tmp_t)
-files_tmp_filetrans(ccs_t, ccs_tmp_t, { file dir })
+files_tmp_filetrans(ccs_t, ccs_tmp_t, { dir file })
 
 manage_dirs_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
 manage_files_pattern(ccs_t, ccs_tmpfs_t, ccs_tmpfs_t)
 fs_tmpfs_filetrans(ccs_t, ccs_tmpfs_t, { dir file })
 
-# var lib files
 manage_dirs_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
 manage_files_pattern(ccs_t, ccs_var_lib_t, ccs_var_lib_t)
-files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { file dir })
+files_var_lib_filetrans(ccs_t, ccs_var_lib_t, { dir file })
 
-allow ccs_t ccs_var_log_t:dir setattr;
-manage_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+allow ccs_t ccs_var_log_t:dir setattr_dir_perms;
+append_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+create_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
+setattr_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
 manage_sock_files_pattern(ccs_t, ccs_var_log_t, ccs_var_log_t)
-logging_log_filetrans(ccs_t, ccs_var_log_t, { sock_file file dir })
+logging_log_filetrans(ccs_t, ccs_var_log_t, { file sock_file })
 
-# pid file
-manage_dirs_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
 manage_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
 manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
-files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file })
+files_pid_filetrans(ccs_t, ccs_var_run_t, { file sock_file })
 
 kernel_read_kernel_sysctls(ccs_t)
 
@@ -87,8 +86,12 @@ corenet_tcp_sendrecv_all_ports(ccs_t)
 corenet_udp_sendrecv_all_ports(ccs_t)
 corenet_tcp_bind_generic_node(ccs_t)
 corenet_udp_bind_generic_node(ccs_t)
+
+corenet_sendrecv_cluster_server_packets(ccs_t)
 corenet_tcp_bind_cluster_port(ccs_t)
 corenet_udp_bind_cluster_port(ccs_t)
+
+corenet_sendrecv_netsupport_server_packets(ccs_t)
 corenet_udp_bind_netsupport_port(ccs_t)
 
 dev_read_urand(ccs_t)
@@ -107,7 +110,7 @@ sysnet_dns_name_resolve(ccs_t)
 userdom_manage_unpriv_user_shared_mem(ccs_t)
 userdom_manage_unpriv_user_semaphores(ccs_t)
 
-ifdef(`hide_broken_symptoms', `
+ifdef(`hide_broken_symptoms',`
 	corecmd_dontaudit_write_bin_dirs(ccs_t)
 	files_manage_isid_type_files(ccs_t)
 ')
@@ -117,6 +120,11 @@ optional_policy(`
 	corosync_stream_connect(ccs_t)
 ')
 
+optional_policy(`
+	qpidd_rw_semaphores(ccs_t)
+	qpidd_rw_shm(ccs_t)
+')
+
 optional_policy(`
 	unconfined_use_fds(ccs_t)
 ')