|
# vim: sw=4:ts=4:et
|
|
#
|
|
# Copyright 2013 Red Hat, Inc.
|
|
#
|
|
# This program and entire repository is free software: you can redistribute it
|
|
# and/or modify it under the terms of the GNU General Public License as
|
|
# published by the Free Software Foundation, either version 3 of the License,
|
|
# or any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful, but WITHOUT
|
|
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
|
# details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License along with
|
|
# this program. If not, see http://www.gnu.org/licenses/.
|
|
#
|
|
|
|
policy_module(foreman, @@VERSION@@)
|
|
|
|
#######################################
|
|
#
|
|
# Declarations
|
|
#
|
|
# Note: Some mod_passanger 4.0+ processes are running under httpd_t domain,
|
|
# therefore we need to keep two domains: passenger_t and httpd_t.
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow passenger to run foreman.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(passenger_run_foreman, true)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow passenger (httpd_t domain) to run foreman.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_run_foreman, true)
|
|
|
|
# define types for foreman scripts
|
|
apache_content_template(foreman)
|
|
|
|
# Some basic aliases for different aspects of the filesystem to make things
|
|
# more clear.
|
|
require{
|
|
type etc_t;
|
|
}
|
|
typealias etc_t alias foreman_config_t;
|
|
|
|
type foreman_db_t;
|
|
files_type(foreman_db_t)
|
|
|
|
type foreman_lib_t;
|
|
files_type(foreman_lib_t)
|
|
|
|
type foreman_log_t;
|
|
typealias foreman_log_t alias httpd_foreman_script_log_t;
|
|
logging_log_file(foreman_log_t)
|
|
|
|
type foreman_var_run_t;
|
|
files_pid_file(foreman_var_run_t)
|
|
|
|
require{
|
|
type httpd_t;
|
|
type passenger_t;
|
|
type passenger_tmp_t;
|
|
type puppetmaster_exec_t;
|
|
type puppetmaster_t;
|
|
}
|
|
|
|
#######################################
|
|
#
|
|
# Foreman local policy
|
|
#
|
|
|
|
manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)
|
|
manage_dirs_pattern(httpd_foreman_script_t, foreman_lib_t , foreman_lib_t)
|
|
|
|
manage_files_pattern(httpd_foreman_script_t, foreman_log_t , foreman_log_t)
|
|
|
|
manage_files_pattern(httpd_foreman_script_t, foreman_var_run_t , foreman_var_run_t)
|
|
|
|
files_read_etc_files(httpd_foreman_script_t)
|
|
|
|
logging_send_syslog_msg(httpd_foreman_script_t)
|
|
|
|
miscfiles_read_localization(httpd_foreman_script_t)
|
|
|
|
#######################################
|
|
#
|
|
# Passanger/httpd local policy
|
|
#
|
|
|
|
allow passenger_t self:capability sys_resource;
|
|
allow passenger_t self:process signull;
|
|
allow passenger_t self:tcp_socket listen;
|
|
|
|
miscfiles_read_localization(passenger_t)
|
|
|
|
corenet_tcp_connect_postgresql_port(passenger_t)
|
|
corenet_tcp_connect_ssh_port(passenger_t)
|
|
|
|
# The read the code (and potentially modules) from /usr/share.
|
|
files_read_usr_files(passenger_t)
|
|
|
|
# Allow access to pseudo terminal devices to connect to local virt.
|
|
term_search_ptys(passenger_t)
|
|
|
|
# For memory-statistics script which executes /usr/bin/free
|
|
files_exec_usr_files(passenger_t)
|
|
|
|
optional_policy(`
|
|
tunable_policy(`passenger_run_foreman', `
|
|
read_files_pattern(httpd_t, foreman_lib_t, foreman_lib_t)
|
|
manage_files_pattern(passenger_t, foreman_lib_t, foreman_lib_t)
|
|
manage_dirs_pattern(passenger_t, foreman_lib_t, foreman_lib_t)
|
|
manage_files_pattern(passenger_t, foreman_var_run_t, foreman_var_run_t)
|
|
manage_dirs_pattern(passenger_t, foreman_var_run_t, foreman_var_run_t)
|
|
# Allow Foreman to write to the SQlite databases
|
|
read_files_pattern(passenger_t, foreman_db_t, foreman_db_t)
|
|
write_files_pattern(passenger_t, foreman_db_t, foreman_db_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`passenger_run_foreman', `
|
|
read_files_pattern(passenger_t, httpd_foreman_script_exec_t, httpd_foreman_script_exec_t)
|
|
read_lnk_files_pattern(passenger_t, httpd_foreman_script_exec_t, httpd_foreman_script_exec_t)
|
|
append_files_pattern(passenger_t, foreman_log_t, foreman_log_t)
|
|
')
|
|
')
|
|
|
|
|
|
optional_policy(`
|
|
tunable_policy(`passenger_run_foreman', `
|
|
allow passenger_t self:process getsession;
|
|
fs_rw_anon_inodefs_files(passenger_t)
|
|
allow passenger_t httpd_t:unix_stream_socket getattr;
|
|
')
|
|
')
|
|
|
|
tunable_policy(`httpd_run_foreman', `
|
|
allow httpd_t passenger_tmp_t:sock_file write;
|
|
')
|
|
|
|
optional_policy(`
|
|
# Allow sending of email reports.
|
|
mta_send_mail(passenger_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(passenger_t)
|
|
mysql_list_db(passenger_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hostname_exec(passenger_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# Transition to puppet_master
|
|
corecmd_search_bin(passenger_t)
|
|
domtrans_pattern(passenger_t, puppetmaster_exec_t, puppetmaster_t)
|
|
')
|
|
|