## policy for piranha ####################################### ## ## Creates types and rules for a basic ## cluster init daemon domain. ## ## ## ## Prefix for the domain. ## ## # template(`piranha_domain_template',` gen_require(` attribute piranha_domain; ') ############################## # # piranha_$1_t declarations # type piranha_$1_t, piranha_domain; type piranha_$1_exec_t; init_daemon_domain(piranha_$1_t, piranha_$1_exec_t) # tmpfs files type piranha_$1_tmpfs_t, piranha_tmpfs; files_tmpfs_file(piranha_$1_tmpfs_t) # pid files type piranha_$1_var_run_t; files_pid_file(piranha_$1_var_run_t) ############################## # # piranha_$1_t local policy # manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t) manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t) fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file }) manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t) files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file }) kernel_read_system_state(piranha_$1_t) auth_use_nsswitch(piranha_$1_t) logging_send_syslog_msg(piranha_$1_t) ') ######################################## ## ## Execute a domain transition to run fos. ## ## ## ## Domain allowed to transition. ## ## # interface(`piranha_domtrans_fos',` gen_require(` type piranha_fos_t, piranha_fos_exec_t; ') domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t) ') ####################################### ## ## Execute a domain transition to run lvsd. ## ## ## ## Domain allowed to transition. ## ## # interface(`piranha_domtrans_lvs',` gen_require(` type piranha_lvs_t, piranha_lvs_exec_t; ') domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t) ') ####################################### ## ## Execute a domain transition to run pulse. ## ## ## ## Domain allowed to transition. ## ## # interface(`piranha_domtrans_pulse',` gen_require(` type piranha_pulse_t, piranha_pulse_exec_t; ') domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t) ') ####################################### ## ## Execute pulse server in the pulse domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`piranha_pulse_initrc_domtrans',` gen_require(` type piranha_pulse_initrc_exec_t; ') init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t) ') ######################################## ## ## Allow the specified domain to read piranha's log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`piranha_read_log',` gen_require(` type piranha_log_t; ') logging_search_logs($1) read_files_pattern($1, piranha_log_t, piranha_log_t) ') ######################################## ## ## Allow the specified domain to append ## piranha log files. ## ## ## ## Domain allowed access. ## ## # interface(`piranha_append_log',` gen_require(` type piranha_log_t; ') logging_search_logs($1) append_files_pattern($1, piranha_log_t, piranha_log_t) ') ######################################## ## ## Allow domain to manage piranha log files ## ## ## ## Domain allowed access. ## ## # interface(`piranha_manage_log',` gen_require(` type piranha_log_t; ') logging_search_logs($1) manage_dirs_pattern($1, piranha_log_t, piranha_log_t) manage_files_pattern($1, piranha_log_t, piranha_log_t) manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t) ')