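## <summary>Ruby on rails deployment for Apache and Nginx servers.</summary>

########################################
## <summary>
##	Execute passenger in the passenger domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`passenger_domtrans',`
	gen_require(`
		type passenger_t, passenger_exec_t;
	')

	domtrans_pattern($1, passenger_exec_t, passenger_t)

	# After the transition passenger_t may accept on, and read/write,
	# unix stream sockets labelled with the caller's domain -- presumably
	# ones handed over across the exec; confirm against the caller's policy.
	allow passenger_t $1:unix_stream_socket { accept getattr read write };
')

########################################
## <summary>
##	Execute passenger in the current domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`passenger_exec',`
	gen_require(`
		type passenger_exec_t;
	')

	# No domain transition: the binary runs with the caller's full
	# privileges, so this is wider than passenger_domtrans for the caller.
	can_exec($1, passenger_exec_t)
')

########################################
## <summary>
##	Getattr passenger log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`passenger_getattr_log_files',`
	gen_require(`
		type passenger_log_t;
	')

	# Search on the log directory hierarchy is needed to reach the files;
	# added for consistency with the files_search_* calls in the other
	# interfaces of this file.
	logging_search_logs($1)
	getattr_files_pattern($1, passenger_log_t, passenger_log_t)
')

########################################
## <summary>
##	Read passenger lib files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`passenger_read_lib_files',`
	gen_require(`
		type passenger_var_lib_t;
	')

	# Read-only: files and symlinks, plus the directory search the
	# *_pattern macros imply for passenger_var_lib_t itself.
	read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
	read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
	files_search_var_lib($1)
')

########################################
## <summary>
##	Manage passenger lib files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`passenger_manage_lib_files',`
	gen_require(`
		type passenger_var_lib_t;
	')

	# Full create/delete/rename on dirs, files and symlinks of the lib
	# type; grant passenger_read_lib_files instead where read suffices.
	manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
	manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
	manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
	files_search_var_lib($1)
')

########################################
## <summary>
##	Manage passenger var_run content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.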
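##	</summary>
## </param>
#
interface(`passenger_manage_pid_content',`
	gen_require(`
		type passenger_var_run_t;
	')

	# Covers dirs, regular files, fifos and sockets of the pid type;
	# files_search_pids lets the caller traverse /var/run to reach them.
	files_search_pids($1)
	manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
	manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
	manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
	manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
')

########################################
## <summary>
##	Connect to passenger unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`passenger_stream_connect',`
	gen_require(`
		type passenger_t;
		type passenger_tmp_t;
		type passenger_var_run_t;
	')

	# The sockets are labelled passenger_var_run_t / passenger_tmp_t, which
	# the manage interfaces in this file reach via files_search_pids and
	# files_search_tmp; grant the same directory search here so the
	# interface is usable on its own.
	files_search_pids($1)
	files_search_tmp($1)
	stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)
	stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t)
')

########################################
## <summary>
##	Allow to manage passenger tmp files/dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`passenger_manage_tmp_files',`
	gen_require(`
		type passenger_tmp_t;
	')

	# Files and dirs only; symlinks, fifos and sockets of the tmp type are
	# not covered by this interface.
	files_search_tmp($1)
	manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
	manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
')

########################################
## <summary>
##	Send kill signals to passenger.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`passenger_kill',`
	gen_require(`
		type passenger_t;
	')

	# Only the sigkill permission is granted -- not signal, sigstop or
	# signull -- so the caller can force-kill passenger_t and nothing more.
	allow $1 passenger_t:process sigkill;
')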