# $Id: daemontools.te,v 1.6 2003/12/12 09:01:40 peter Exp $
#
# author Petre Rodan
# with the help of Russell Coker and Tad Glines
#
#
# selinux policy for daemontools
# http://cr.yp.to/daemontools.html
#
# thanks to D. J. Bernstein and the NSA team for the great software
# they provide
#
# Domain layout built by this file (see the macro calls below):
#   sysadm_t  --exec svc_script_exec_t-->  svc_script_t
#   initrc_t / svc_script_t  --exec svc_start_exec_t-->  svc_start_t
#   svc_start_t  --daemon_sub_domain-->  svc_run_t   (/service/*/run, /service/*/log/run)
#   svc_run_t    --daemon_sub_domain-->  svc_multilog_t  (the logger)
# svc_ipc_domain() is used but not defined here; it is expected to come
# from the shared macro files that are concatenated with this policy.
#
##############################################################
# type definitions
# svc_conf_t: read-only configuration handed to svc_run_t via svc_confdir_domain
# svc_log_t:  multilog output; creation inside svc_log_t directories is allowed below
# svc_svc_t:  the service tree written by svc_script_t/svc_start_t and read by
#             svc_run_t/svc_multilog_t (presumably /service -- see the status comment below)
type svc_conf_t, file_type, sysadmfile;
type svc_log_t, file_type, sysadmfile;
type svc_svc_t, file_type, sysadmfile;
##############################################################
# the domains
# NOTE(review): svc_sub_domain is never called in this file and it names a
# parent domain svc_t that this file does not declare (the base domains
# created below are svc_script_t and svc_start_t). Unless svc_t is defined
# in another .te file this macro is dead and would fail if invoked -- confirm
# before using or removing it.
define(`svc_sub_domain', `
daemon_sub_domain(svc_t, svc_$1)
')
# svc_filedir_domain(domain): lets domain create directories and files in
# the svc_svc_t tree; new objects created in svc_svc_t directories stay svc_svc_t.
define(`svc_filedir_domain', `
create_dir_file($1, svc_svc_t)
file_type_auto_trans($1, svc_svc_t, svc_svc_t);
')
# svc_confdir_domain(domain): read-only access to svc_conf_t dirs and files.
define(`svc_confdir_domain', `
r_dir_file($1, svc_conf_t)
')
# svc_script_t is a domain controlled by sysadm
#application_domain(svc_script)
daemon_base_domain(svc_script)
svc_filedir_domain(svc_script_t)
# part started by initrc_t
daemon_base_domain(svc_start)
svc_filedir_domain(svc_start_t)
# also get here from svc_script_t
domain_auto_trans(svc_script_t, svc_start_exec_t, svc_start_t)
# the domain for /service/*/run and /service/*/log/run
daemon_sub_domain(svc_start_t, svc_run)
svc_confdir_domain(svc_run_t)
# the logger
daemon_sub_domain(svc_run_t, svc_multilog)
# The transition target is the parent directory type itself, so in effect
# this only grants svc_multilog_t the right to create files inside svc_log_t
# directories; no transition is declared for var_log_t (see below).
file_type_auto_trans(svc_multilog_t, svc_log_t, svc_log_t, file);
######
# rules for all those domains
# svc_start_t
allow svc_start_t self:fifo_file rw_file_perms;
# kill: presumably needed for the process signal rules on svc_run_t and
# svc_multilog_t further down -- confirm it is not wider than required.
allow svc_start_t self:capability { kill };
allow svc_start_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_start_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
can_exec(svc_start_t, shell_exec_t)
# execute_no_trans lets svc_start_t re-run its own executable without a
# domain change.
allow svc_start_t svc_start_exec_t:file { rx_file_perms execute_no_trans };
allow svc_start_t svc_run_t:process { signal };
# svc_run_t
# NOTE(review): setuid/setgid are what a setuidgid-style privilege drop in
# a run script needs (assumed); chown and fsetid are broader than that and
# should be tied to a concrete run script that requires them.
allow svc_run_t self:capability { setgid setuid chown fsetid };
allow svc_run_t self:fifo_file rw_file_perms;
allow svc_run_t self:file r_file_perms;
allow svc_run_t self:process { fork };
allow svc_run_t svc_svc_t:dir r_dir_perms;
allow svc_run_t svc_run_exec_t:file { rx_file_perms execute_no_trans };
allow svc_run_t { bin_t sbin_t etc_t }:dir r_dir_perms;
allow svc_run_t { bin_t sbin_t etc_t }:lnk_file r_file_perms;
# NOTE(review): executing anything labelled etc_t or lib_t is unusually
# broad for a run-script domain -- it covers every file of those types, not
# just the intended helpers. Confirm which run scripts need it and consider
# giving those files a dedicated exec type instead.
can_exec(svc_run_t, etc_t)
can_exec(svc_run_t, lib_t)
can_exec(svc_run_t, bin_t)
can_exec(svc_run_t, sbin_t)
can_exec(svc_run_t, ls_exec_t)
can_exec(svc_run_t, shell_exec_t)
allow svc_run_t devtty_t:chr_file rw_file_perms;
allow svc_run_t etc_runtime_t:file r_file_perms;
# getattr on every exec_type (e.g. for shell PATH lookups); no execute granted here.
allow svc_run_t exec_type:{ file lnk_file } getattr;
# inherited descriptors from init / initrc
allow svc_run_t init_t:fd { use };
allow svc_run_t initrc_t:fd { use };
allow svc_run_t proc_t:file r_file_perms;
allow svc_run_t sysctl_kernel_t:dir r_dir_perms;
allow svc_run_t sysctl_kernel_t:file r_file_perms;
allow svc_run_t var_lib_t:dir r_dir_perms;
# svc_multilog_t
# multilog creates /service/*/log/status
allow svc_multilog_t svc_svc_t:dir { read search };
allow svc_multilog_t svc_svc_t:file { append write };
# writes to /var/log/*/*
# NOTE(review): nothing in this file transitions new objects under var_log_t
# to svc_log_t, so log files multilog creates here keep var_log_t. svc_log_t
# is only effective where the log directory is already labelled svc_log_t
# (file_contexts) -- confirm that is the intended split.
allow svc_multilog_t var_log_t:dir create_dir_perms;
allow svc_multilog_t var_log_t:file create_file_perms;
# misc
allow svc_multilog_t init_t:fd { use };
allow svc_start_t svc_multilog_t:process { signal };
svc_ipc_domain(svc_multilog_t)
# svc_script_t
# temporary until a run_init will be created for daemontools
role sysadm_r types svc_script_t;
role sysadm_r types svc_start_t;
# NOTE(review): execute_no_trans here lets sysadm_t run the control script
# in its own domain (for example through an interpreter) and so skip the
# transition declared on the next line; drop it if the transition is meant
# to be mandatory.
allow sysadm_t svc_script_exec_t:file { rx_file_perms execute_no_trans };
domain_auto_trans(sysadm_t, svc_script_exec_t, svc_script_t)
# terminal access so the sysadm-run script (and svc_start_t it spawns) can
# talk to the admin tty
allow svc_script_t sysadm_tty_device_t:chr_file { getattr ioctl };
allow svc_script_t sysadm_devpts_t:chr_file rw_file_perms;
allow svc_start_t sysadm_devpts_t:chr_file rw_file_perms;
allow svc_script_t self:fifo_file { getattr read write };
allow svc_script_t bin_t:dir r_dir_perms;
allow svc_script_t bin_t:lnk_file r_file_perms;
can_exec(svc_script_t, bin_t)
can_exec(svc_script_t, shell_exec_t)
allow svc_script_t proc_t:file r_file_perms;
allow svc_script_t shell_exec_t:file rx_file_perms;
allow svc_script_t devtty_t:chr_file rw_file_perms;
allow svc_script_t etc_runtime_t:file r_file_perms;
# read-only on the run scripts; execution of them is svc_run_t business
allow svc_script_t svc_run_exec_t:file r_file_perms;
# re-exec of the control script itself without a domain change
allow svc_script_t svc_script_exec_t:file { execute_no_trans };
# sleep
allow svc_script_t sysctl_kernel_t:dir r_dir_perms;
allow svc_script_t sysctl_kernel_t:file r_file_perms;
allow svc_script_t var_t:dir r_dir_perms;
################################################################
# scripts that can be started by daemontools
# Each block is only compiled when the matching policy file is present.
# Every supervised daemon gets svc_ipc_domain() so the svc_* domains can
# talk to it; svc_run_t/svc_start_t get signal rights where the daemon
# must be stopped or restarted.
ifdef(`ucspi-tcp.te', `
domain_auto_trans(svc_run_t, utcpserver_exec_t, utcpserver_t)
allow svc_run_t utcpserver_t:process { signal };
allow svc_start_t utcpserver_t:process { signal };
svc_ipc_domain(utcpserver_t)
')
ifdef(`ssh.te', `
domain_auto_trans(svc_run_t, sshd_exec_t, sshd_t)
svc_ipc_domain(sshd_t)
')
ifdef(`qmail.te', `
allow svc_run_t qmail_start_exec_t:file rx_file_perms;
domain_auto_trans(svc_run_t, qmail_start_exec_t, qmail_start_t)
# read qmail configs from /var/qmail/control/*
allow svc_run_t etc_qmail_t:dir r_dir_perms;
allow svc_run_t etc_qmail_t:file r_file_perms;
allow svc_start_t qmail_send_t:process { signal };
svc_ipc_domain(qmail_send_t)
svc_ipc_domain(qmail_start_t)
svc_ipc_domain(qmail_queue_t)
svc_ipc_domain(qmail_smtpd_t)
')
ifdef(`publicfile.te', `
svc_ipc_domain(publicfile_t)
')
##############################################################