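policy_module(gruntmasterd, 1.0)

########################################
#
# gruntmasterd: SELinux type-enforcement policy for the Gruntmaster
# judge daemon.  Three domains are declared here:
#
#   gruntmasterd_t        - the daemon itself (init-started, see
#                           init_daemon_domain below)
#   gruntmaster_compile_t - the compiler the daemon spawns for a submission
#   gruntmaster_job_t     - the compiled submission while it runs
#
# Compiled submissions are labelled gruntmaster_job_exec_t.  The rules keep
# a write/execute split on that type: gruntmaster_compile_t may create and
# write such files but has no execute permission on them, gruntmaster_job_t
# may execute them but not write them, and gruntmasterd_t can execute them
# only through the domain transition into gruntmaster_job_t (execute is
# granted without execute_no_trans).
#
# Review fixes in this revision: the duplicated
# domain_read_files(gruntmaster_compile_t, proc_t) line was dropped, and
# the types used directly by rules below (init_t, lib_t, tmp_t, usr_t) are
# now listed in the require block instead of relying on whatever
# gen_require the called interfaces happen to pull in.
#

########################################
#
# Permission-set helpers
#
# Neither "everything" set contains execute: a domain granted one of the
# *_everything sets on a type can modify files of that type but not run
# them.
# NOTE(review): read_file_perms is also a refpolicy permission set
# (policy/support/obj_perm_sets.spt); this definition shadows it for the
# rest of this modules m4 run.  The two are equivalent sets, so nothing
# changes in practice.
define(`read_file_perms', `{ getattr ioctl read lock open }')
define(`read_dir_perms', `{ getattr ioctl read lock open search}')
define(`everything_file_perms', `{ getattr ioctl read lock open unlink setattr append write create rename link }')
define(`everything_dir_perms', `{ getattr ioctl read lock open search unlink setattr write create rename link rmdir remove_name reparent add_name }')
# domain_read_files(domain, type): read-only access to dirs, files and
# symlinks of that type.
# domain_everything_files(domain, type): full read/write/create/delete
# access to dirs, files and symlinks of that type, still without execute.
define(`domain_read_files', `allow $1 $2 : dir read_dir_perms; allow $1 $2 : file read_file_perms; allow $1 $2 : lnk_file read_file_perms;')
define(`domain_everything_files', `allow $1 $2 : dir everything_dir_perms; allow $1 $2 : file everything_file_perms; allow $1 $2 : lnk_file everything_file_perms;')
# Shorthands for the daemon domain.
define(`gruntmaster_read', `domain_read_files(gruntmasterd_t, $1)')
define(`gruntmaster_everything', `domain_everything_files(gruntmasterd_t, $1)')

# Every foreign type referenced directly by a rule in this module.
# httpd_t is not referenced by any rule below; it is kept so the require
# block stays backward compatible.
require {
	type bin_t;
	type httpd_sys_content_rw_t;
	type httpd_sys_content_t;
	type httpd_t;
	type httpd_tmp_t;
	type init_t;
	type lib_t;
	type proc_t;
	type tmp_t;
	type urandom_device_t;
	type usr_t;
}

########################################
#
# Declarations
#

# Daemon domain, its entry point and its log files.
type gruntmasterd_t;
type gruntmasterd_exec_t;
type gruntmasterd_log_t;

# Sandbox domain for a running submission, and the label of compiled
# submissions.
type gruntmaster_job_t;
type gruntmaster_job_exec_t;

# Compiler domain and the label of the compiler entry point.
type gruntmaster_compile_t;
type gruntmaster_compile_exec_t;

domain_type(gruntmaster_job_t)
domain_entry_file(gruntmaster_job_t, gruntmaster_job_exec_t)
role system_r types gruntmaster_job_t;
# Executing a compiled submission from the daemon enters the job domain.
type_transition gruntmasterd_t gruntmaster_job_exec_t : process gruntmaster_job_t;

domain_type(gruntmaster_compile_t)
domain_entry_file(gruntmaster_compile_t, gruntmaster_compile_exec_t)
role system_r types gruntmaster_compile_t;
type_transition gruntmasterd_t gruntmaster_compile_exec_t : process gruntmaster_compile_t;
# Files the compiler creates under httpd_tmp_t become compiled submissions.
# This is the only type_transition in this module that yields
# gruntmaster_job_exec_t files; the compiler can write them (see the
# compiler policy) but has no execute permission on them.
type_transition gruntmaster_compile_t httpd_tmp_t : file gruntmaster_job_exec_t;

init_daemon_domain(gruntmasterd_t, gruntmasterd_exec_t)
logging_log_file(gruntmasterd_log_t)
logging_log_filetrans(gruntmasterd_t, gruntmasterd_log_t, file)
logging_search_logs(gruntmasterd_t)

########################################
#
# Daemon policy
#

# Spawn the compiler and the job: transition into the two child domains,
# let them inherit the daemon rlimits and signal state, and kill them.
# rlimitinh is what makes the sandbox limits stick: limits the daemon sets
# before exec survive the domain transition only with it.
allow gruntmasterd_t { gruntmaster_compile_t gruntmaster_job_t } : process { sigkill siginh rlimitinh transition };
# Without noatsecure the transitioned child runs with AT_SECURE set (the
# dynamic loader then ignores LD_PRELOAD, LD_LIBRARY_PATH and similar).
# That is the wanted behaviour for a sandbox, so the denial is silenced
# rather than granted.
dontaudit gruntmasterd_t { gruntmaster_compile_t gruntmaster_job_t } : process noatsecure;
# execute without execute_no_trans on the two entry points: they can only
# be run through the type_transitions declared above, never inside the
# daemon domain.
allow gruntmasterd_t { gruntmaster_compile_exec_t gruntmaster_job_exec_t } : file execute;
# Generic binaries may be run in the daemon domain itself.
allow gruntmasterd_t bin_t : file { execute execute_no_trans };
allow gruntmasterd_t self : process fork;
# NOTE(review): broader than anonymous pipes need (create, unlink, rename
# and link on self:fifo_file are not expected to be exercised by pipe());
# the read/write subset would do.  Left unchanged to keep behaviour.
allow gruntmasterd_t self:fifo_file everything_file_perms;
allow gruntmasterd_t urandom_device_t:chr_file read_file_perms;

# Read-only access for the daemon.
gruntmaster_read(bin_t)
gruntmaster_read(gruntmaster_compile_exec_t)
gruntmaster_read(httpd_sys_content_t)
gruntmaster_read(lib_t)
gruntmaster_read(proc_t)
gruntmaster_read(usr_t)

# Read/write/create/delete (no execute) for the daemon: compiled
# submissions, its own logs, the writable web content and both temp
# locations.
gruntmaster_everything(gruntmaster_job_exec_t)
gruntmaster_everything(gruntmasterd_log_t)
gruntmaster_everything(httpd_sys_content_rw_t)
gruntmaster_everything(httpd_tmp_t)
gruntmaster_everything(tmp_t)

files_read_etc_files(gruntmasterd_t)
files_search_etc(gruntmasterd_t)
libs_use_ld_so(gruntmasterd_t)
libs_use_shared_libs(gruntmasterd_t)
miscfiles_read_localization(gruntmasterd_t)

########################################
#
# Job (sandbox) policy
#
# The job domain is deliberately narrow.  No rule in this module grants it
# open on httpd_tmp_t files, write on any directory, socket or network
# access, a fifo_file rule towards the daemon pipes, or any access to
# httpd_sys_content_t / httpd_sys_content_rw_t.  Its I/O is therefore
# limited to descriptors the daemon (or init) leaves open across the exec.
# (Whatever domain_type grants on top of this is defined in refpolicy and
# not visible here.)
#
domain_read_files(gruntmaster_job_t, bin_t)
domain_read_files(gruntmaster_job_t, usr_t)
# The job may run compiled submissions, but nothing from bin_t.
allow gruntmaster_job_t gruntmaster_job_exec_t : file { execute execute_no_trans };
# Inherited descriptors.  NOTE(review): anything the daemon leaves open
# across the exec (test data, sockets, log files) is reachable by the job
# through these two rules, so the daemon must close or mark CLOEXEC every
# descriptor the job is not meant to have.
allow gruntmaster_job_t gruntmasterd_t:fd use;
allow gruntmaster_job_t init_t:fd use;
allow gruntmaster_job_t gruntmasterd_t:process sigchld;
allow gruntmaster_job_t httpd_tmp_t : dir read_dir_perms;
# No open here: read/write only on httpd_tmp_t files that are already open.
allow gruntmaster_job_t httpd_tmp_t : file { getattr ioctl read write };
# NOTE(review): setrlimit lets the job raise its own soft limits up to the
# hard limits (it has no capability rules, so it cannot raise hard limits);
# the daemon must therefore enforce CPU, memory and process limits as hard
# limits.
allow gruntmaster_job_t self:process setrlimit;
allow gruntmaster_job_t urandom_device_t:chr_file read_file_perms;

libs_use_ld_so(gruntmaster_job_t)
libs_use_shared_libs(gruntmaster_job_t)
miscfiles_read_localization(gruntmaster_job_t)

########################################
#
# Compiler policy
#
# The compiler writes compiled submissions and scratch files and may read
# the tools and sources it needs, but has no execute permission on what it
# produces.
#
domain_everything_files(gruntmaster_compile_t, gruntmaster_job_exec_t)
domain_everything_files(gruntmaster_compile_t, tmp_t)
domain_read_files(gruntmaster_compile_t, bin_t)
# NOTE(review): read access to all of httpd_sys_content_rw_t means a
# submitted source can #include any file of that type and echo its
# contents back through compiler diagnostics.  If other submissions or
# test data live under that type, they belong in a type this domain
# cannot read.
domain_read_files(gruntmaster_compile_t, httpd_sys_content_rw_t)
domain_read_files(gruntmaster_compile_t, httpd_tmp_t)
domain_read_files(gruntmaster_compile_t, lib_t)
domain_read_files(gruntmaster_compile_t, proc_t)
domain_read_files(gruntmaster_compile_t, usr_t)
# Pipes set up by the daemon (anonymous pipes carry the label of the
# creating domain) and descriptors inherited from it.
allow gruntmaster_compile_t gruntmasterd_t : fifo_file { read write ioctl };
allow gruntmaster_compile_t gruntmasterd_t:fd use;
allow gruntmaster_compile_t gruntmasterd_t:process sigchld;
# Create new entries under httpd_tmp_t (new files become
# gruntmaster_job_exec_t via the type_transition above).  No remove_name,
# so existing entries cannot be deleted from there.
allow gruntmaster_compile_t httpd_tmp_t:dir { write add_name };
allow gruntmaster_compile_t self : fifo_file { read write ioctl };
allow gruntmaster_compile_t self:process signal;
allow gruntmaster_compile_t urandom_device_t:chr_file read_file_perms;
# The toolchain (compiler driver, cc1, as, ld) runs inside this domain.
allow gruntmaster_compile_t { bin_t lib_t } : file { execute execute_no_trans };

libs_use_ld_so(gruntmaster_compile_t)
libs_use_shared_libs(gruntmaster_compile_t)
miscfiles_read_localization(gruntmaster_compile_t)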