policy_module(thin, 1.0) ######################################## # # Declarations # attribute thin_domain; thin_domain_template(thin) type thin_log_t; logging_log_file(thin_log_t) type thin_var_run_t; files_pid_file(thin_var_run_t) thin_domain_template(thin_aeolus_configserver) type thin_aeolus_configserver_lib_t; files_type(thin_aeolus_configserver_lib_t) type thin_aeolus_configserver_log_t; logging_log_file(thin_aeolus_configserver_log_t) type thin_aeolus_configserver_var_run_t; files_pid_file(thin_aeolus_configserver_var_run_t) ######################################## # # thin_domain local policy # allow thin_domain self:process signal; allow thin_domain self:fifo_file rw_fifo_file_perms; allow thin_domain self:tcp_socket create_stream_socket_perms; # we want to stay in a new thin domain if we call thin binary from a script # # initrc_t@thin_test_exec_t->thin_test_t@thin_exec_t->thin_test_t can_exec(thin_domain, thin_exec_t) corecmd_exec_bin(thin_domain) corecmd_exec_shell(thin_domain) corenet_tcp_bind_generic_node(thin_domain) dev_read_rand(thin_domain) dev_read_urand(thin_domain) auth_read_passwd(thin_domain) miscfiles_read_certs(thin_domain) fs_search_auto_mountpoints(thin_domain) init_read_utmp(thin_domain) kernel_read_kernel_sysctls(thin_domain) optional_policy(` apache_read_sys_content(thin_domain) ') optional_policy(` sysnet_read_config(thin_domain) ') ######################################## # # thin local policy # allow thin_t self:capability { setuid kill setgid dac_read_search }; allow thin_t self:capability2 block_suspend; allow thin_t self:netlink_route_socket r_netlink_socket_perms; allow thin_t self:udp_socket create_socket_perms; allow thin_t self:unix_stream_socket create_stream_socket_perms; manage_files_pattern(thin_t, thin_log_t, thin_log_t) manage_dirs_pattern(thin_t, thin_log_t, thin_log_t) logging_log_filetrans(thin_t, thin_log_t, { file dir }) manage_dirs_pattern(thin_t, thin_var_run_t, thin_var_run_t) manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) manage_lnk_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t) files_pid_filetrans(thin_t, thin_var_run_t, { dir file sock_file }) corenet_tcp_bind_ntop_port(thin_t) corenet_tcp_connect_postgresql_port(thin_t) ####################################### # # thin aeolus configserver local policy # allow thin_aeolus_configserver_t self:capability { setuid setgid }; corenet_tcp_bind_tram_port(thin_aeolus_configserver_t) manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t) manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t) files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir }) manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t) manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t) logging_log_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, { file dir }) manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t) manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t) files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })