policy_module(sge, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow sge to access nfs file systems.
## </p>
## </desc>
gen_tunable(sge_use_nfs, false)

## <desc>
## <p>
## Allow sge to connect to the network using any TCP port
## </p>
## </desc>
gen_tunable(sge_domain_can_network_connect, false)

# Attribute shared by the sge domains. The rules in the "sge_domain local
# policy" section at the end of this file apply to every type carrying it.
# Membership is not assigned in this file; presumably sge_basic_types_template()
# in sge.if adds it to each domain it declares. NOTE(review): confirm which of
# sge_execd_t / sge_shepherd_t / sge_job_t are members, since that decides
# whether user jobs inherit the sge_domain rules.
attribute sge_domain;

# sge_execd: the execution daemon; init_daemon_domain makes it an
# init-started daemon domain entered through sge_execd_exec_t.
sge_basic_types_template(sge_execd)
init_daemon_domain(sge_execd_t, sge_execd_exec_t)

# On-disk spool contents; every sge_domain type gets full manage rights on it
# (see the sge_domain section).
type sge_spool_t;
files_type(sge_spool_t)

# Temporary files the sge domains create in /tmp.
type sge_tmp_t;
files_tmp_file(sge_tmp_t)

# sge_shepherd: per-job supervisor. Entered from sge_execd_t by the
# domtrans_pattern in the shepherd section.
sge_basic_types_template(sge_shepherd)
application_domain(sge_shepherd_t, sge_shepherd_exec_t)
role system_r types sge_shepherd_t;

# sge_job: the domain user job scripts run in. The shepherd enters it by
# executing a shell (corecmd_shell_domtrans below), so shell executables are
# declared as a valid entry point for this domain here.
sge_basic_types_template(sge_job)
application_domain(sge_job_t, sge_job_exec_t)
corecmd_shell_entry_type(sge_job_t)
role system_r types sge_job_t;

#######################################
#
# sge_execd local policy
#

# setuid/setgid/chown: presumably to change credentials to the job owner
# (confirm against the daemon). kill: signal processes owned by other users.
# dac_read_search grants read/search through directories it does not own
# without the much broader dac_override.
allow sge_execd_t self:capability { dac_read_search kill setuid chown setgid };
allow sge_execd_t self:process { setsched signal setpgid };

# Signal the shepherds it spawns (the execd -> shepherd transition itself is
# declared in the shepherd section).
allow sge_execd_t sge_shepherd_t:process signal;


# relabelfrom on sge_tmp_t files only; the matching relabelto is presumably
# the userdom_relabel_user_tmp_files() rule further down, i.e. execd may
# hand its own temp files over to the user tmp label. NOTE(review): confirm
# this is the intended direction and not the reverse.
relabelfrom_files_pattern(sge_execd_t, sge_tmp_t, sge_tmp_t)

kernel_read_kernel_sysctls(sge_execd_t)

# Network access is limited to the registered sge port, for both listening
# and connecting. Connecting to arbitrary ports is only granted through the
# sge_domain_can_network_connect tunable in the sge_domain section.
corenet_tcp_bind_sge_port(sge_execd_t)
corenet_tcp_connect_sge_port(sge_execd_t)

dev_read_sysfs(sge_execd_t)

# Execute files under /usr; search (not manage) /var/spool. Spool contents of
# type sge_spool_t are covered by the sge_domain rules.
files_exec_usr_files(sge_execd_t)
files_search_spool(sge_execd_t)

fs_getattr_xattr_fs(sge_execd_t)
fs_read_cgroup_files(sge_execd_t)

auth_use_nsswitch(sge_execd_t)

libs_exec_ld_so(sge_execd_t)

logging_send_syslog_msg(sge_execd_t)

init_read_utmp(sge_execd_t)

# Relabel user tmp files (pairs with the sge_tmp_t relabelfrom above).
userdom_relabel_user_tmp_files(sge_execd_t)

# Mail: execd transitions into the sendmail domain, while the shepherd uses
# the generic mta_send_mail() interface. Both are optional on the sendmail /
# mta modules being present.
optional_policy(`
sendmail_domtrans(sge_execd_t)
')

######################################
#
# sge_shepherd local policy
#

# Same credential capabilities as execd plus sys_nice; together with the
# setsched/setrlimit process permissions this lets the shepherd adjust
# scheduling and resource limits, presumably for the job it supervises.
allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_read_search };
allow sge_shepherd_t self:process { setsched setrlimit setpgid };
allow sge_shepherd_t self:process signal_perms;

# execd -> shepherd: executing sge_shepherd_exec_t from sge_execd_t enters
# this domain.
domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t)

kernel_read_sysctl(sge_shepherd_t)
kernel_read_kernel_sysctls(sge_shepherd_t)

dev_read_sysfs(sge_shepherd_t)

# getattr on all filesystem types (execd only gets xattr filesystems).
fs_getattr_all_fs(sge_shepherd_t)

logging_send_syslog_msg(sge_shepherd_t)

optional_policy(`
mta_send_mail(sge_shepherd_t)
')

optional_policy(`
ssh_domtrans(sge_shepherd_t)
')

# NOTE(review): whenever the unconfined module is loaded this makes
# sge_shepherd_t an unconfined domain, and every rule above (capability set,
# port restriction, the NFS and network tunables) stops being the effective
# bound for it. Treat the confined rules in this section as applying only to
# builds without the unconfined module, and verify the effective policy on
# the deployed host rather than from this file.
optional_policy(`
unconfined_domain(sge_shepherd_t)
')

#####################################
#
# sge_job local policy
#

# The shepherd may send any signal to the job, and starts it by executing a
# shell, which transitions into sge_job_t (shell executables were declared as
# an entry type for sge_job_t in the Declarations section).
allow sge_shepherd_t sge_job_t:process signal_perms;

corecmd_shell_domtrans(sge_shepherd_t, sge_job_t)

kernel_read_kernel_sysctls(sge_job_t)

# Jobs may read and write every terminal device type, not only the pty they
# inherit. NOTE(review): this is broader than a typical confined application;
# worth narrowing if jobs do not need other users terminals.
term_use_all_terms(sge_job_t)

logging_send_syslog_msg(sge_job_t)

# An ssh client started from a job runs in the derived domain sge_job_ssh_t
# (created by ssh_basic_client_template); both the job and the shepherd may
# SIGKILL it.
optional_policy(`
ssh_basic_client_template(sge_job, sge_job_t, system_r)
ssh_domtrans(sge_job_t)

allow sge_job_t sge_job_ssh_t:process sigkill;
allow sge_shepherd_t sge_job_ssh_t:process sigkill;

xserver_exec_xauth(sge_job_ssh_t)

# NFS access for the derived ssh domain mirrors the sge_domain tunable block
# below, except that fs_exec_nfs_files is not granted here.
tunable_policy(`sge_use_nfs',`
fs_list_auto_mountpoints(sge_job_ssh_t)
fs_manage_nfs_dirs(sge_job_ssh_t)
fs_manage_nfs_files(sge_job_ssh_t)
fs_read_nfs_symlinks(sge_job_ssh_t)
')
')

optional_policy(`
xserver_domtrans_xauth(sge_job_t)
')

# NOTE(review): with the unconfined module loaded, user job scripts run as an
# unconfined domain and none of the sge_job_t rules in this section, nor the
# sge_use_nfs / sge_domain_can_network_connect tunables, bound them. If the
# intent is to isolate jobs from each other and from the host, this is the
# rule to drop or gate behind a tunable.
optional_policy(`
unconfined_domain(sge_job_t)
')

#####################################
#
# sge_domain local policy
#
# Rules shared by every type carrying the sge_domain attribute (membership is
# assigned outside this file; see the attribute declaration above).

allow sge_domain self:fifo_file rw_fifo_file_perms;
allow sge_domain self:tcp_socket create_stream_socket_perms;

# Full create/read/write/delete on the spool (sge_spool_t) and on the sge
# temp files (sge_tmp_t). Files and directories created in /tmp are
# automatically labelled sge_tmp_t.
manage_dirs_pattern(sge_domain, sge_spool_t, sge_spool_t)
manage_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t)

manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
manage_lnk_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })

kernel_read_network_state(sge_domain)

# Any binary or shell on the system is executable from every sge domain.
corecmd_exec_bin(sge_domain)
corecmd_exec_shell(sge_domain)

# Read the /proc state of every domain on the system, not just the sge ones.
# NOTE(review): if sge_job_t carries the sge_domain attribute, user jobs can
# inspect all processes on the host; consider granting this only to the
# daemon types that need it.
domain_read_all_domains_state(sge_domain)


dev_read_urand(sge_domain)

# Off by default (gen_tunable ... false): unrestricted outbound TCP for all
# sge domains. Without it only the registered sge port rules above apply.
tunable_policy(`sge_domain_can_network_connect',`
corenet_tcp_connect_all_ports(sge_domain)
')

# Off by default: list automount points and read/write/execute on NFS, for
# sites that keep sge data on NFS (presumably spool or job directories).
tunable_policy(`sge_use_nfs',`
fs_list_auto_mountpoints(sge_domain)
fs_manage_nfs_dirs(sge_domain)
fs_manage_nfs_files(sge_domain)
fs_read_nfs_symlinks(sge_domain)
fs_exec_nfs_files(sge_domain)
')

optional_policy(`
sysnet_dns_name_resolve(sge_domain)
')

optional_policy(`
hostname_exec(sge_domain)
')

optional_policy(`
nslcd_stream_connect(sge_domain)
')
