commit: 7833917670767f7c534363c93f0e22a06394ea90 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Tue Oct 2 12:23:04 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 2 18:09:11 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=78339176 |
|
Initial glusterfs policy module |
|
Glusterfs binary, the glusterfsd daemon and the gluster command line, |
libglusterfs and glusterfs translator modules common to both GlusterFS |
server and client framework. |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
glusterfs.fc | 16 +++++++++ |
glusterfs.if | 49 ++++++++++++++++++++++++++++ |
glusterfs.te | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
3 files changed, 167 insertions(+), 0 deletions(-) |
|
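diff --git a/glusterfs.fc b/glusterfs.fc
new file mode 100644
index 0000000..4bd6ade
--- /dev/null
+++ b/glusterfs.fc
@@ -0,0 +1,16 @@
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+
+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
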
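Review bot: `/usr/sbin/glusterd` is labelled glusterd_initrc_exec_t while `/usr/sbin/glusterfsd` on the next line gets glusterd_exec_t, so running the glusterd binary transitions into the init-script domain rather than into glusterd_t and none of the .te confinement applies to it; if glusterd is the same daemon under another name (on some builds it is a symlink to glusterfsd, in which case the `--` regular-file qualifier would not even match it), `/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_exec_t,s0)` is the label that makes the policy effective — confirm against the packaged layout. The `/var/lib/gluster.*` entry is also broader than its neighbours: `.*` crosses directory separators and claims any `/var/lib/gluster*` path, whereas `/var/lib/glusterd(/.*)?` would match the shape of the `/etc/glusterd(/.*)?` and `/var/run/glusterd(/.*)?` entries.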
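diff --git a/glusterfs.if b/glusterfs.if
new file mode 100644
index 0000000..bb2101d
--- /dev/null
+++ b/glusterfs.if
@@ -0,0 +1,49 @@
+## <summary>Cluster File System binary, daemon and command line.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an glusterd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterd_admin',`
+ gen_require(`
+ type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
+ type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
+ type glusterd_var_run_t;
+ ')
+
+ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 glusterd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ allow $1 glusterd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, glusterd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, glusterd_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, glusterd_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, glusterd_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, glusterd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, glusterd_var_run_t)
+')
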
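Review bot: The interface file defines only glusterd_admin, so no other domain can be granted access to the new types — nothing lets a client domain read glusterd_conf_t, search glusterd_var_lib_t or connect to the daemon's sockets, and any such access will surface as denials with no interface to call; the types the .fc exposes under /etc and /var/lib at least warrant read/search interfaces in the usual refpolicy shape (a `glusterd_read_conf_files(domain)`-style interface, for instance). The grant `allow $1 glusterd_t:process { ptrace signal_perms };` lets the admin domain ptrace a daemon that the .te gives sys_admin and dac_override; that matches other refpolicy admin interfaces, but a one-line comment noting it is deliberate would help distributions that gate ptrace behind a boolean keep it separable. Separately, the summary reads `administrate an glusterd environment`; `administrate a glusterd environment` is the intended wording.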
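diff --git a/glusterfs.te b/glusterfs.te
new file mode 100644
index 0000000..6c815e1
--- /dev/null
+++ b/glusterfs.te
@@ -0,0 +1,102 @@
+policy_module(glusterfs, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type glusterd_t;
+type glusterd_exec_t;
+init_daemon_domain(glusterd_t, glusterd_exec_t)
+
+type glusterd_conf_t;
+files_type(glusterd_conf_t)
+
+type glusterd_initrc_exec_t;
+init_script_file(glusterd_initrc_exec_t)
+
+type glusterd_tmp_t;
+files_tmp_file(glusterd_tmp_t)
+
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
+type glusterd_var_run_t;
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
+files_type(glusterd_var_lib_t);
+
+########################################
+#
+# Local policy
+#
+
+allow glusterd_t self:capability { net_bind_service sys_admin sys_resource dac_override chown dac_read_search fowner };
+allow glusterd_t self:process { setrlimit signal };
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
+allow glusterd_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
+kernel_read_system_state(glusterd_t)
+
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
+corenet_all_recvfrom_unlabeled(glusterd_t)
+corenet_all_recvfrom_netlabel(glusterd_t)
+corenet_tcp_sendrecv_generic_if(glusterd_t)
+corenet_udp_sendrecv_generic_if(glusterd_t)
+corenet_tcp_sendrecv_generic_node(glusterd_t)
+corenet_udp_sendrecv_generic_node(glusterd_t)
+corenet_tcp_sendrecv_all_ports(glusterd_t)
+corenet_udp_sendrecv_all_ports(glusterd_t)
+corenet_tcp_bind_generic_node(glusterd_t)
+corenet_udp_bind_generic_node(glusterd_t)
+
+# Too coarse?
+corenet_sendrecv_all_server_packets(glusterd_t)
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_udp_bind_all_rpc_ports(glusterd_t)
+corenet_udp_bind_ipp_port(glusterd_t)
+
+corenet_sendrecv_all_client_packets(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+
+domain_use_interactive_fds(glusterd_t)
+
+files_read_usr_files(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)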
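Review bot: The line `allow glusterd_t self:capability { net_bind_service sys_admin sys_resource dac_override chown dac_read_search fowner };` gives a network-facing daemon that is also allowed `corecmd_exec_bin` and `corecmd_exec_shell` the broadest capabilities in the policy, yet none of them carries a comment saying which operation needs it — the file's own `# Too coarse?` marker is applied only to the corenet block below. Each capability should get a one-line justification (for example `# sys_admin: TODO confirm which operation needs it`) so a maintainer can later drop the ones carried over from Fedora without a denial behind them; dac_override and dac_read_search in particular are only needed when the daemon touches files its uid does not own, which a root daemon with its own labelled directories may never do, so an audit run in permissive mode would settle it. A smaller point: `files_type(glusterd_var_lib_t);` is the only interface call in the file ending in `;` — the other declarations omit it, and the trailing semicolon most likely survives m4 expansion as a stray token after the expanded rule, so drop it for consistency.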