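policy_module(gruntmasterd, 1.0)

########################################
#
# gruntmasterd: a job-dispatching daemon (appears to sit next to httpd and
# to pick up/produce content in the web tmp and rw content areas).
#
#   gruntmasterd_t      the daemon itself
#   gruntmaster_job_t   the confined domain each dispatched job runs in
#
# Local permission-set macros.
# NOTE(review): refpolicy ships a macro called read_file_perms of its own;
# the define() here overrides it for the rest of this module.  The contents
# match, so this is harmless today, but keep that in mind before editing
# either side.

define(`read_file_perms', `{ getattr ioctl read lock open }')
define(`read_dir_perms', `{ getattr ioctl read lock open search }')
# Full manage access.  append is deliberately NOT part of this set so the
# broad grants below (tmp, web content, job scripts) do not widen; it is
# granted for the log type alone further down.
define(`everything_file_perms', `{ getattr ioctl read lock open unlink setattr write create rename link }')
define(`everything_dir_perms', `{ getattr ioctl read lock open search unlink setattr write create rename link rmdir remove_name reparent add_name }')
# $1 = file type: daemon gets read-only access to dirs, files and symlinks of that type
define(`gruntmaster_read', `allow gruntmasterd_t $1 : dir read_dir_perms; allow gruntmasterd_t $1 : file read_file_perms; allow gruntmasterd_t $1 : lnk_file read_file_perms;')
# $1 = file type: daemon gets full create/write/rename/delete access to that type
define(`gruntmaster_everything', `allow gruntmasterd_t $1 : dir everything_dir_perms; allow gruntmasterd_t $1 : file everything_file_perms; allow gruntmasterd_t $1 : lnk_file everything_file_perms;')

# Types owned by other modules that the rules below reference directly
# (i.e. not only through an interface call).  lib_t, usr_t and tmp_t are
# used in the access rules but were missing from this block.
require{
	type bin_t;
	type httpd_sys_content_rw_t;
	type httpd_sys_content_t;
	type httpd_t;
	type httpd_tmp_t;
	type lib_t;
	type proc_t;
	type tmp_t;
	type urandom_device_t;
	type usr_t;
}

########################################
#
# Declarations
#

type gruntmasterd_t;
type gruntmasterd_exec_t;
init_daemon_domain(gruntmasterd_t, gruntmasterd_exec_t);

type gruntmasterd_log_t;
logging_log_file(gruntmasterd_log_t);

# Jobs run in their own domain so that a misbehaving or hostile job is
# confined to gruntmaster_job_t instead of inheriting the daemon grants.
type gruntmaster_job_t;
type gruntmaster_job_exec_t;
init_daemon_domain(gruntmaster_job_t, gruntmaster_job_exec_t);

########################################
#
# Daemon -> job domain transition
#

# Executing a gruntmaster_job_exec_t file from the daemon lands in
# gruntmaster_job_t.  The entrypoint/execute permissions for the job domain
# on its own exec type are expected to come from init_daemon_domain() above;
# verify with sesearch if a job fails to start.
type_transition gruntmasterd_t gruntmaster_job_exec_t : process gruntmaster_job_t;
allow gruntmasterd_t gruntmaster_job_t:process transition;
dontaudit gruntmasterd_t gruntmaster_job_t:process noatsecure;
allow gruntmaster_job_t gruntmasterd_t:fd use;
allow gruntmaster_job_t gruntmasterd_t:process sigchld;
# NOTE(review): a job may write to files of its own executable type.  All
# job scripts share gruntmaster_job_exec_t, so one compromised job can
# rewrite the script of another job before it runs.  Kept for compatibility;
# remove it if jobs do not actually need to modify their script files.
allow gruntmaster_job_t gruntmaster_job_exec_t:file write;
# The web server may read (but not write) job scripts.
allow httpd_t gruntmaster_job_exec_t:file { read getattr open };

# Every file the daemon creates under httpd_tmp_t is labelled as a job
# executable.
# NOTE(review): this covers all files the daemon creates there, not only
# scripts, and such files become executable-by-transition and readable by
# httpd_t.  A dedicated directory type would be tighter if the daemon also
# writes non-script output into the web tmp dir.
type_transition gruntmasterd_t httpd_tmp_t : file gruntmaster_job_exec_t;

allow gruntmasterd_t self : process { fork setrlimit };
# Kill runaway jobs; siginh/rlimitinh let signal state and rlimits be
# inherited across the exec into the job domain.
allow gruntmasterd_t gruntmaster_job_t : process { sigkill siginh rlimitinh };

########################################
#
# Daemon file access
#

gruntmaster_read(httpd_sys_content_t)
gruntmaster_read(proc_t)
gruntmaster_read(bin_t)
gruntmaster_read(lib_t)
gruntmaster_read(usr_t)
allow gruntmasterd_t urandom_device_t:chr_file read_file_perms;
allow gruntmasterd_t { gruntmaster_job_exec_t } : file execute;
# execute_no_trans: helper programs in bin_t/lib_t run *inside* gruntmasterd_t
# with every grant in this module.  (corecmd_exec_bin() is the refpolicy
# interface form of this rule.)
allow gruntmasterd_t { bin_t lib_t } : file { execute execute_no_trans };

# NOTE(review): the daemon can both create/write gruntmaster_job_exec_t
# (via gruntmaster_everything below) and execute it (above), i.e. it can
# author arbitrary code and run it.  That is the purpose of a job runner;
# the mitigation is that the result runs confined in gruntmaster_job_t,
# not in this domain.
gruntmaster_everything(gruntmasterd_log_t)
gruntmaster_everything(gruntmaster_job_exec_t)
gruntmaster_everything(httpd_sys_content_rw_t)
gruntmaster_everything(httpd_tmp_t)
gruntmaster_everything(tmp_t)
# Opens with O_APPEND are checked against append, not write.  The
# everything_file_perms set has no append, so appending to the log file
# would be denied without this rule.
allow gruntmasterd_t gruntmasterd_log_t:file append;

allow gruntmasterd_t self:fifo_file everything_file_perms;

# New files the daemon creates in the log directory get gruntmasterd_log_t.
logging_log_filetrans(gruntmasterd_t, gruntmasterd_log_t, file)
logging_search_logs(gruntmasterd_t)

libs_use_ld_so(gruntmasterd_t)
libs_use_ld_so(gruntmaster_job_t)
libs_use_shared_libs(gruntmasterd_t)
libs_use_shared_libs(gruntmaster_job_t)

miscfiles_read_localization(gruntmasterd_t)
miscfiles_read_localization(gruntmaster_job_t)

files_search_etc(gruntmasterd_t)
files_read_etc_files(gruntmasterd_t)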