| 1 | +require { |
| 2 | + type cfengine_reactor_t; |
| 3 | + type cfengine_postgres_t; |
| 4 | + type sysfs_t; |
| 5 | + type proc_t; |
| 6 | + type devpts_t; |
| 7 | + type hugetlbfs_t; |
| 8 | + type cfengine_hub_t; |
| 9 | + type cfengine_execd_t; |
| 10 | + type cfengine_apachectl_t; |
| 11 | + type tty_device_t; |
| 12 | + type user_devpts_t; |
| 13 | + type cfengine_httpd_t; |
| 14 | + type http_port_t; |
| 15 | + type cfengine_httpd_exec_t; |
| 16 | + type cfengine_serverd_t; |
| 17 | + type systemd_userdbd_runtime_t; |
| 18 | + type systemd_userdbd_t; |
| 19 | + type kernel_t; |
| 20 | + class tcp_socket name_connect; |
| 21 | + class dir { getattr open read search }; |
| 22 | + class file { getattr open read write }; |
| 23 | + class capability { dac_override dac_read_search sys_ptrace }; |
| 24 | + class chr_file getattr; |
| 25 | + class lnk_file read; |
| 26 | + class sock_file write; |
| 27 | + class unix_stream_socket connectto; |
| 28 | +} |
| 29 | + |
| 30 | +#============= cfengine_apachectl_t ============== |
| 31 | +allow cfengine_apachectl_t devpts_t:dir { getattr search }; |
| 32 | +allow cfengine_apachectl_t proc_t:file getattr; |
| 33 | +allow cfengine_apachectl_t self:capability { dac_override dac_read_search sys_ptrace }; |
| 34 | +allow cfengine_apachectl_t sysfs_t:dir read; |
| 35 | +allow cfengine_apachectl_t sysfs_t:file { open read }; |
| 36 | +allow cfengine_apachectl_t tty_device_t:chr_file getattr; |
| 37 | +allow cfengine_apachectl_t user_devpts_t:chr_file getattr; |
| 38 | + |
| 39 | +# The cfe_autorun_inventory_aws_ec2_metadata_data bundle needs HTTP access |
| 40 | +# to query AWS EC2 metadata API. |
| 41 | +#============= cfengine_execd_t ============== |
| 42 | +allow cfengine_execd_t http_port_t:tcp_socket name_connect; |
| 43 | + |
| 44 | +#============= cfengine_httpd_t ============== |
| 45 | +allow cfengine_httpd_t hugetlbfs_t:file { read write }; |
| 46 | +allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { open read getattr search }; |
| 47 | +allow cfengine_httpd_t systemd_userdbd_runtime_t:lnk_file read; |
| 48 | +allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write; |
| 49 | +allow cfengine_httpd_t systemd_userdbd_t:unix_stream_socket connectto; |
| 50 | +allow cfengine_httpd_t kernel_t:unix_stream_socket connectto; |
| 51 | + |
| 52 | +#============= cfengine_hub_t ============== |
| 53 | +allow cfengine_hub_t cfengine_httpd_exec_t:file getattr; |
| 54 | +allow cfengine_hub_t sysfs_t:lnk_file read; |
| 55 | + |
| 56 | +#============= cfengine_postgres_t ============== |
| 57 | +allow cfengine_postgres_t systemd_userdbd_runtime_t:dir { open read getattr search }; |
| 58 | +allow cfengine_postgres_t systemd_userdbd_runtime_t:lnk_file read; |
| 59 | +allow cfengine_postgres_t systemd_userdbd_runtime_t:sock_file write; |
| 60 | +allow cfengine_postgres_t systemd_userdbd_t:unix_stream_socket connectto; |
| 61 | +allow cfengine_postgres_t kernel_t:unix_stream_socket connectto; |
| 62 | + |
| 63 | +#============= cfengine_reactor_t ============== |
| 64 | +allow cfengine_reactor_t systemd_userdbd_runtime_t:dir { open read getattr search }; |
| 65 | +allow cfengine_reactor_t systemd_userdbd_runtime_t:lnk_file read; |
| 66 | +allow cfengine_reactor_t systemd_userdbd_runtime_t:sock_file write; |
| 67 | +allow cfengine_reactor_t systemd_userdbd_t:unix_stream_socket connectto; |
| 68 | +allow cfengine_reactor_t kernel_t:unix_stream_socket connectto; |
| 69 | + |
| 70 | +#============= cfengine_serverd_t ============== |
| 71 | +allow cfengine_serverd_t http_port_t:tcp_socket name_connect; |
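Review bot: The `allow cfengine_apachectl_t self:capability { dac_override dac_read_search sys_ptrace };` rule is the broadest grant in this module, and the rules next to it (proc_t file getattr, tty_device_t and user_devpts_t chr_file getattr, sysfs_t reads) look like the denials a process listing produces rather than something apachectl needs to function; if that is what the original AVC records show, the usual treatment is `dontaudit cfengine_apachectl_t self:capability { dac_override dac_read_search sys_ptrace };`, which silences the noise without letting the domain bypass DAC checks or ptrace other processes. If one of the three capabilities is genuinely required, a comment naming the operation that needs it would justify keeping the allow. The comment about the cfe_autorun_inventory_aws_ec2_metadata_data bundle sits above the `#============= cfengine_execd_t ==============` banner rather than directly above the rule it explains, and the identical `http_port_t:tcp_socket name_connect` grant for cfengine_serverd_t at the end of the file carries no justification at all; placing the comment under the banner and adding a matching one for serverd keeps the rationale next to each rule.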