Oreon-Lime-R2/selinux-policy/selinux-policy-d9f4a2b/selinux-policy-d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455/policy/modules/contrib/quantum.te

189 lines
5 KiB
Text

policy_module(quantum, 1.1.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Determine whether neutron can
## connect to all TCP ports
## </p>
## </desc>
gen_tunable(neutron_can_network, false)
type neutron_t alias quantum_t;
type neutron_exec_t alias quantum_exec_t;
init_daemon_domain(neutron_t, neutron_exec_t)
type neutron_initrc_exec_t alias quantum_initrc_exec_t;
init_script_file(neutron_initrc_exec_t)
type neutron_log_t alias quantum_log_t;
logging_log_file(neutron_log_t)
type neutron_tmp_t alias quantum_tmp_t;
files_tmp_file(neutron_tmp_t)
type neutron_var_lib_t alias quantum_var_lib_t;
files_type(neutron_var_lib_t)
type neutron_var_run_t alias quantum_var_run_t;
files_pid_file(neutron_var_run_t)
type neutron_unit_file_t alias quantum_unit_file_t;
systemd_unit_file(neutron_unit_file_t)
########################################
#
# Local policy
#
allow neutron_t self:capability { chown dac_read_search sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
allow neutron_t self:capability2 block_suspend;
allow neutron_t self:process { setsched setrlimit setcap signal_perms };
allow neutron_t self:fifo_file rw_fifo_file_perms;
allow neutron_t self:key manage_key_perms;
allow neutron_t self:tcp_socket { accept listen };
allow neutron_t self:unix_stream_socket { accept listen connectto };
allow neutron_t self:netlink_route_socket rw_netlink_socket_perms;
allow neutron_t self:rawip_socket create_socket_perms;
allow neutron_t self:packet_socket create_socket_perms;
manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
logging_log_filetrans(neutron_t, neutron_log_t, dir)
manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
manage_dirs_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
files_tmp_filetrans(neutron_t, neutron_tmp_t, { file dir })
manage_files_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
manage_dirs_pattern(neutron_t, neutron_var_run_t, neutron_var_run_t)
files_pid_filetrans(neutron_t, neutron_var_run_t, { file dir })
manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
manage_sock_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
can_exec(neutron_t, neutron_tmp_t)
kernel_rw_kernel_sysctl(neutron_t)
kernel_rw_net_sysctls(neutron_t)
kernel_read_system_state(neutron_t)
kernel_read_network_state(neutron_t)
kernel_request_load_module(neutron_t)
corecmd_exec_shell(neutron_t)
corecmd_exec_bin(neutron_t)
corenet_all_recvfrom_unlabeled(neutron_t)
corenet_all_recvfrom_netlabel(neutron_t)
corenet_tcp_sendrecv_generic_if(neutron_t)
corenet_tcp_sendrecv_generic_node(neutron_t)
corenet_tcp_sendrecv_all_ports(neutron_t)
corenet_tcp_bind_generic_node(neutron_t)
corenet_tcp_bind_neutron_port(neutron_t)
corenet_tcp_connect_neutron_port(neutron_t)
corenet_tcp_connect_keystone_port(neutron_t)
corenet_tcp_connect_amqp_port(neutron_t)
corenet_tcp_connect_mysqld_port(neutron_t)
corenet_tcp_connect_osapi_compute_port(neutron_t)
domain_read_all_domains_state(neutron_t)
domain_named_filetrans(neutron_t)
dev_read_sysfs(neutron_t)
dev_read_urand(neutron_t)
dev_mounton_sysfs(neutron_t)
dev_mount_sysfs_fs(neutron_t)
dev_unmount_sysfs_fs(neutron_t)
files_mounton_non_security(neutron_t)
auth_use_pam(neutron_t)
init_rw_utmp(neutron_t)
libs_exec_ldconfig(neutron_t)
logging_send_audit_msgs(neutron_t)
logging_send_syslog_msg(neutron_t)
netutils_exec(neutron_t)
# need to stay in neutron
sysnet_exec_ifconfig(neutron_t)
sysnet_manage_ifconfig_run(neutron_t)
sysnet_filetrans_named_content_ifconfig(neutron_t)
tunable_policy(`neutron_can_network',`
corenet_sendrecv_all_client_packets(neutron_t)
corenet_tcp_connect_all_ports(neutron_t)
corenet_tcp_sendrecv_all_ports(neutron_t)
')
optional_policy(`
dbus_system_bus_client(neutron_t)
')
optional_policy(`
brctl_domtrans(neutron_t)
')
optional_policy(`
dnsmasq_domtrans(neutron_t)
dnsmasq_signal(neutron_t)
dnsmasq_kill(neutron_t)
dnsmasq_read_state(neutron_t)
')
optional_policy(`
rhcs_domtrans_haproxy(neutron_t)
rhcs_stream_connect_haproxy(neutron_t)
')
optional_policy(`
iptables_domtrans(neutron_t)
')
optional_policy(`
modutils_domtrans_kmod(neutron_t)
')
optional_policy(`
mysql_stream_connect(neutron_t)
mysql_read_db_lnk_files(neutron_t)
mysql_read_config(neutron_t)
mysql_tcp_connect(neutron_t)
')
optional_policy(`
postgresql_stream_connect(neutron_t)
postgresql_unpriv_client(neutron_t)
postgresql_tcp_connect(neutron_t)
')
optional_policy(`
openvswitch_domtrans(neutron_t)
openvswitch_stream_connect(neutron_t)
')
optional_policy(`
rpm_exec(neutron_t)
rpm_read_db(neutron_t)
')
optional_policy(`
sudo_exec(neutron_t)
')
optional_policy(`
udev_domtrans(neutron_t)
')