## cloudform policy
#######################################
##
## Creates types and rules for a basic
## cloudform daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
template(`cloudform_domain_template',`
gen_require(`
attribute cloudform_domain;
')
type $1_t, cloudform_domain;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
kernel_read_system_state($1_t)
')
########################################
##
## Execute a domain transition to run cloud_init.
##
##
##
## Domain allowed access.
##
##
#
interface(`cloudform_init_domtrans',`
gen_require(`
type cloud_init_t, cloud_init_exec_t;
')
domtrans_pattern($1, cloud_init_exec_t, cloud_init_t)
')
########################################
##
## Read and write unnamed cloud-init pipes.
##
##
##
## Domain allowed access.
##
##
#
interface(`cloudform_rw_pipes',`
gen_require(`
type cloud_init_t;
')
allow $1 cloud_init_t:fifo_file rw_fifo_file_perms;
')
########################################
##
## Send a message to cloud-init over a datagram socket.
##
##
##
## Domain allowed access.
##
##
#
interface(`cloudform_init_dgram_send',`
gen_require(`
type cloud_init_t;
')
allow $1 cloud_init_t:unix_dgram_socket sendto;
')
########################################
##
## Write to cloud-init temporary files.
##
##
##
## Domain allowed access.
##
##
#
interface(`cloudform_init_write_tmp',`
gen_require(`
type cloud_init_tmp_t;
')
files_search_tmp($1)
write_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
')
######################################
##
## Execute mongod in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`cloudform_exec_mongod',`
gen_require(`
type mongod_exec_t;
')
can_exec($1, mongod_exec_t)
')
#######################################
##
## Allow read to cloud lib files.
##
##
##
## Domain allowed access.
##
##
#
interface(`cloudform_read_lib_files',`
gen_require(`
type cloud_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
')
#######################################
##
## Allow read to cloud lib files.
##
##
##
## Domain allowed access.
##
##
#
interface(`cloudform_read_lib_lnk_files',`
gen_require(`
type cloud_var_lib_t;
')
files_search_var_lib($1)
read_lnk_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
')
######################################
##
## Execute mongod in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`cloudform_dontaudit_write_cloud_log',`
gen_require(`
type cloud_log_t;
')
dontaudit $1 cloud_log_t:file write_inherited_file_perms;
')