summaryrefslogtreecommitdiff
path: root/policy/modules/system/daemontools.te
blob: 1e5740414993a28c0fdea55830b885bc540bd5f6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

policy_module(daemontools, 1.2.0)

########################################
#
# Declarations
#

type svc_conf_t;
files_type(svc_conf_t)

type svc_log_t;
files_type(svc_log_t)

type svc_multilog_t;
type svc_multilog_exec_t;
application_domain(svc_multilog_t, svc_multilog_exec_t)
role system_r types svc_multilog_t;

type svc_run_t;
type svc_run_exec_t;
application_domain(svc_run_t, svc_run_exec_t)
role system_r types svc_run_t;

type svc_start_t;
type svc_start_exec_t;
init_domain(svc_start_t, svc_start_exec_t)
init_system_domain(svc_start_t, svc_start_exec_t)
role system_r types svc_start_t;

type svc_svc_t;
files_type(svc_svc_t)

########################################
#
# multilog local policy
#

# multilog creates /service/*/log/status
manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)

init_use_fds(svc_multilog_t)

# writes to /var/log/*/*
logging_manage_generic_logs(svc_multilog_t)

daemontools_ipc_domain(svc_multilog_t)

########################################
#
# local policy for binaries that impose 
# a given environment to supervised daemons
# ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
#

allow svc_run_t self:capability { setgid setuid chown fsetid };
allow svc_run_t self:process setrlimit;
allow svc_run_t self:fifo_file rw_fifo_file_perms;
allow svc_run_t self:unix_stream_socket create_stream_socket_perms;

allow svc_run_t svc_conf_t:dir list_dir_perms;
allow svc_run_t svc_conf_t:file read_file_perms;

can_exec(svc_run_t, svc_run_exec_t)

kernel_read_system_state(svc_run_t)

corecmd_exec_bin(svc_run_t)
corecmd_exec_shell(svc_run_t)

files_read_etc_files(svc_run_t)
files_read_etc_runtime_files(svc_run_t)
files_search_pids(svc_run_t)
files_search_var_lib(svc_run_t)

init_use_script_fds(svc_run_t)
init_use_fds(svc_run_t)

daemontools_domtrans_multilog(svc_run_t)
daemontools_read_svc(svc_run_t)

optional_policy(`
	qmail_read_config(svc_run_t)
')

########################################
#
# local policy for service monitoring programs
# ie svc, svscan, supervise ...
#

allow svc_start_t svc_run_t:process signal;

allow svc_start_t self:fifo_file rw_fifo_file_perms;
allow svc_start_t self:capability kill;
allow svc_start_t self:unix_stream_socket create_socket_perms;

can_exec(svc_start_t, svc_start_exec_t)

corecmd_exec_bin(svc_start_t)
corecmd_exec_shell(svc_start_t)

files_read_etc_files(svc_start_t)
files_read_etc_runtime_files(svc_start_t)
files_search_var(svc_start_t)
files_search_pids(svc_start_t)

daemontools_domtrans_run(svc_start_t)
daemontools_manage_svc(svc_start_t)