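## <summary>cloudform policy</summary>

########################################
## <summary>
##	Creates types and rules for a basic
##	cloudform daemon domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`cloudform_domain_template',`
	gen_require(`
		attribute cloudform_domain;
	')

	# $1_t is the daemon's process domain and $1_exec_t its entry-point
	# executable; init_daemon_domain() wires up the init -> $1_t transition.
	type $1_t, cloudform_domain;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)

	# Every cloudform daemon gets read access to kernel system state.
	kernel_read_system_state($1_t)
')

########################################
## <summary>
##	Execute a domain transition to run cloud_init.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cloudform_init_domtrans',`
	gen_require(`
		type cloud_init_t, cloud_init_exec_t;
	')

	# Caller executes cloud_init_exec_t and ends up in cloud_init_t.
	domtrans_pattern($1, cloud_init_exec_t, cloud_init_t)
')

########################################
## <summary>
##	Read and write unnamed cloud-init pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cloudform_rw_pipes',`
	gen_require(`
		type cloud_init_t;
	')

	allow $1 cloud_init_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
##	Send a message to cloud-init over a datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cloudform_init_dgram_send',`
	gen_require(`
		type cloud_init_t;
	')

	allow $1 cloud_init_t:unix_dgram_socket sendto;
')

########################################
## <summary>
##	Write to cloud-init temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cloudform_init_write_tmp',`
	gen_require(`
		type cloud_init_tmp_t;
	')

	# Search of the tmp directory is needed to reach the files at all.
	files_search_tmp($1)
	write_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
')

########################################
## <summary>
##	Execute mongod in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cloudform_exec_mongod',`
	gen_require(`
		type mongod_exec_t;
	')

	# can_exec() grants execute without a domain transition: mongod runs
	# with the caller's own type and privileges. Prefer a domtrans
	# interface when a confined mongod domain is available.
	can_exec($1, mongod_exec_t)
')

########################################
## <summary>
##	Read cloud lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cloudform_read_lib_files',`
	gen_require(`
		type cloud_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
')

########################################
## <summary>
##	Read symbolic links in cloud lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cloudform_read_lib_lnk_files',`
	gen_require(`
		type cloud_var_lib_t;
	')

	files_search_var_lib($1)
	read_lnk_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
')

########################################
## <summary>
##	Do not audit attempts to write to inherited cloud log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`cloudform_dontaudit_write_cloud_log',`
	gen_require(`
		type cloud_log_t;
	')

	# Silences denials only for file descriptors the caller inherited
	# (write_inherited_file_perms); it does not grant the write. Callers
	# should use this only where the denial is known to be benign, since
	# the suppressed event will not appear in the audit log.
	dontaudit $1 cloud_log_t:file write_inherited_file_perms;
')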