selinux/bluechi.te

policy_module(bluechi, 1.0.0)

########################################
#
# Declarations
#

# Allow bluechi_t to bind to any port instead of one labelled with bluechi_port_t.
gen_tunable(bluechi_controller_port_bind_any, true)

# Allow bluechi_agent_t to connect to any port instead of labelled ones.
gen_tunable(bluechi_agent_port_connect_any, true)

type bluechi_t alias hirte_t;
type bluechi_exec_t  alias hirte_exec_t;
init_daemon_domain(bluechi_t, bluechi_exec_t)

type bluechi_agent_t alias hirte_agent_t;
type bluechi_agent_exec_t alias hirte_agent_exec_t;
init_daemon_domain(bluechi_agent_t, bluechi_agent_exec_t)

type bluechi_port_t alias hirte_port_t;
corenet_port(bluechi_port_t)

type bluechi_agent_port_t;
corenet_port(bluechi_agent_port_t)


########################################
#
# bluechi local policy
#
allow bluechi_t self:fifo_file rw_fifo_file_perms;
allow bluechi_t self:unix_stream_socket create_stream_socket_perms;

domain_use_interactive_fds(bluechi_t)

files_read_etc_files(bluechi_t)

miscfiles_read_localization(bluechi_t)

allow bluechi_t self:capability net_bind_service;
allow bluechi_t self:tcp_socket create_stream_socket_perms;
allow bluechi_t self:unix_dgram_socket create_socket_perms;
tunable_policy(`bluechi_controller_port_bind_any',`
	corenet_tcp_bind_all_ports(bluechi_t)
',`
	allow bluechi_t bluechi_port_t:tcp_socket name_bind;
')

corenet_tcp_bind_generic_node(bluechi_t)

dbus_acquire_svc_system_dbusd(bluechi_t)
dbus_system_bus_client(bluechi_t)

kernel_dgram_send(bluechi_t)

logging_send_syslog_msg(bluechi_t)
logging_read_syslog_pid(bluechi_t)

unconfined_dbus_chat(bluechi_t)

########################################
#
# bluechi_agent local policy
#
allow bluechi_agent_t self:fifo_file rw_fifo_file_perms;
allow bluechi_agent_t self:unix_stream_socket create_stream_socket_perms;
allow bluechi_agent_t self:unix_dgram_socket create_socket_perms;

systemd_start_all_services(bluechi_agent_t)
systemd_start_systemd_services(bluechi_agent_t)
systemd_stop_systemd_services(bluechi_agent_t)
systemd_status_systemd_services(bluechi_agent_t)
systemd_reload_all_services(bluechi_agent_t)
systemd_reload_systemd_services(bluechi_agent_t)
init_reload_services(bluechi_agent_t)

kernel_dgram_send(bluechi_agent_t)

domain_use_interactive_fds(bluechi_agent_t)

files_read_etc_files(bluechi_agent_t)

miscfiles_read_localization(bluechi_agent_t)

logging_send_syslog_msg(bluechi_agent_t)
logging_read_syslog_pid(bluechi_agent_t)

allow bluechi_agent_t self:tcp_socket create_stream_socket_perms;
tunable_policy(`bluechi_agent_port_connect_any',`
	corenet_tcp_connect_all_ports(bluechi_agent_t)
',`
	allow bluechi_agent_t bluechi_agent_port_t:tcp_socket name_connect;
')

dbus_acquire_svc_system_dbusd(bluechi_agent_t)
dbus_system_bus_client(bluechi_agent_t)

init_status(bluechi_agent_t)


########################################
#
# bluechi policy for unix domain sockets
#
type bluechi_var_run_t;
files_pid_file(bluechi_var_run_t)
init_sock_file(bluechi_var_run_t)
mls_trusted_object(bluechi_var_run_t)

manage_sock_files_pattern(bluechi_t, bluechi_var_run_t, bluechi_var_run_t)
stream_connect_pattern(bluechi_agent_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t)
unconfined_server_stream_connectto(bluechi_agent_t)

########################################
#
# bluechi policy with haproxy
#
allow haproxy_t bluechi_t:unix_stream_socket connectto;

rhcs_stream_connect_haproxy(bluechi_agent_t)

gen_require(`
       type haproxy_t, haproxy_var_lib_t;
       type haproxy_var_run_t;
       type init_t;
')
stream_connect_pattern(bluechi_agent_t, haproxy_var_lib_t, haproxy_var_lib_t, haproxy_t)

manage_sock_files_pattern(init_t, haproxy_var_lib_t, haproxy_var_lib_t)
manage_sock_files_pattern(init_t, haproxy_var_run_t, haproxy_var_run_t)