# myapp.te: SELinux policy module for the myapp service.
# Declares the myapp_t domain and its file types, lets unconfined_t start the
# service with a domain transition, and defines one SELinux user per instance
# (one MCS category each) on top of a catch-all myapp_u user.
policy_module(myapp,1.0.0)

# Import some things we will need from other modules/default policy
# (raw require block: every symbol listed here must already exist in the
# base policy, otherwise the module will not link)
require {
sensitivity s0;
category c0, c1, c2, c3, c4, c5, c6, c7, c8, c9, c10;
category c1023;

role unconfined_r;
type unconfined_t;
type initrc_t;
type shell_exec_t;

}

# Role and type for our app
role myapp_r;
type myapp_t;

# Glide file context
# One type per on-disk location of an instance; the paths that get each type
# are listed in myapp.fc. myapp_exec_t (launcher scripts) and myapp_bin_t are
# the executable types, the rest are plain file types.
type myapp_bin_t;
type myapp_api_t;
type myapp_conf_t;
type myapp_release_t;
type myapp_incoming_t;
type myapp_lib_t;
type myapp_logs_t;
type myapp_scripts_t;
type myapp_tmp_t;
type myapp_tomcat_t;
type myapp_util_t;
type myapp_var_t;
type myapp_exec_t;
type myapp_webapps_t;

# Assign type attributes
# corecmd_executable_file: executable file types; files_type: ordinary file
# types; logging_log_file: log file type (also gets the standard log handling).
corecmd_executable_file(myapp_bin_t)
files_type(myapp_api_t)
files_type(myapp_conf_t)
files_type(myapp_release_t)
files_type(myapp_incoming_t)
files_type(myapp_lib_t)
logging_log_file(myapp_logs_t)
files_type(myapp_scripts_t)
files_type(myapp_tmp_t)
files_type(myapp_tomcat_t)
files_type(myapp_util_t)
files_type(myapp_var_t)
corecmd_executable_file(myapp_exec_t)
files_type(myapp_webapps_t)

# Lets myapp_tmp_t files live on a filesystem whose own label is myapp_logs_t
# (e.g. a mount using context=...:myapp_logs_t).
# NOTE(review): if no filesystem is labeled myapp_logs_t this rule is unused —
# confirm such a mount exists.
allow myapp_tmp_t myapp_logs_t: filesystem associate;

# Allow transition so things can get started
# (hand-written transition rules, left commented out; the same rules are
# granted further down by domtrans_pattern and the explicit allow rules)
#type_transition unconfined_t myapp_exec_t:process myapp_t;
#allow unconfined_t myapp_exec_t:process transition;
#allow myapp_t myapp_exec_t:file entrypoint;
#allow unconfined_t myapp_exec_t:file entrypoint;
#allow initrc_t myapp_exec_t:file execute;
#allow initrc_t myapp_t:process transition;

# NOTE(review): myapp_t, myapp_exec_t and myapp_r are declared in this very
# module, so requiring them is redundant; unconfined_t / unconfined_r are
# already covered by the require block at the top.
gen_require(` type unconfined_t, myapp_t, myapp_exec_t; role unconfined_r, myapp_r; ')
# NOTE(review): this makes every system shell (shell_exec_t) a valid entry
# point into myapp_t, not only the files labeled myapp_exec_t, which widens
# the ways the domain can be entered. Presumably needed because the launchers
# are shell scripts — confirm it is still required once the domtrans below
# works, and drop it if not.
allow myapp_t shell_exec_t:file entrypoint;
# unconfined_t executing a myapp_exec_t file lands in myapp_t.
# domtrans_pattern already grants the execute, entrypoint and transition
# permissions plus the type_transition, so the four explicit rules that
# follow duplicate it (harmless, just redundant).
domtrans_pattern(unconfined_t, myapp_exec_t, myapp_t)

type_transition unconfined_t myapp_exec_t:process myapp_t;
allow unconfined_t myapp_exec_t:file execute;
allow myapp_t myapp_exec_t:file entrypoint;
allow unconfined_t myapp_t:process transition;

# Let a process in unconfined_r change to myapp_r (role half of the
# transition above).
allow unconfined_r myapp_r;

# Generate one user per myapp instance with user and category matching the port
# it will bind to, only as convention, they don't technically have to match.
# gen_user(username, prefix, roles, default level, MLS range, MCS categories).
# myapp_u is given every category (c0.c1023), i.e. no MCS restriction at all;
# each p16NNN_u is confined to the single category named after its port.
# NOTE(review): the second argument is the home-directory file-context
# prefix, not a type; passing myapp_t there is harmless but probably not what
# was meant.
# NOTE(review): all instance users share the same role and domain, so the MCS
# category is the only thing separating instances, and MCS only restricts
# access to objects that themselves carry a category — myapp.fc labels
# everything at plain s0, which every instance dominates. Per-node category
# labeling would be needed for the categories to actually isolate instance
# data.
#user myapp_u roles { myapp_r } level s0 range s0:c0.c1023;
gen_user(myapp_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c0.c1023)
gen_user(p16000_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c0)
gen_user(p16001_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c1)
gen_user(p16002_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c2)
gen_user(p16003_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c3)
gen_user(p16004_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c4)
gen_user(p16005_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c5)
gen_user(p16006_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c6)
gen_user(p16007_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c7)
gen_user(p16008_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c8)
gen_user(p16009_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c9)
gen_user(p16010_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c10)


  90. And then file contexts in myapp.fc:
  91.  
  92. /myapp/nodes/.*/api -- gen_context(myapp_u:object_r:myapp_api_t,s0)
  93. /myapp/nodes/.*/bin -- gen_context(myapp_u:object_r:myapp_bin_t,s0)
  94. /myapp/nodes/.*/clog.sh -- gen_context(myapp_u:object_r:myapp_exec_t,s0)
  95. /myapp/nodes/.*/conf -- gen_context(myapp_u:object_r:myapp_conf_t,s0)
  96. /myapp/nodes/.*/myapp-release -- gen_context(myapp_u:object_r:myapp_release_t,s0)
  97. /myapp/nodes/.*/incoming-dist -- gen_context(myapp_u:object_r:myapp_incoming_t,s0)
  98. /myapp/nodes/.*/lib -- gen_context(myapp_u:object_r:myapp_lib_t,s0)
  99. /myapp/nodes/.*/logs -- gen_context(myapp_u:object_r:myapp_logs_t,s0)
  100. /myapp/nodes/.*/scripts -- gen_context(myapp_u:object_r:myapp_scripts_t,s0)
  101. /myapp/nodes/.*/shutdown.sh -- gen_context(myapp_u:object_r:myapp_exec_t,s0)
  102. /myapp/nodes/.*/startup.sh -- gen_context(myapp_u:object_r:myapp_exec_t,s0)
  103. /myapp/nodes/.*/tlog.sh -- gen_context(myapp_u:object_r:myapp_exec_t,s0)
  104. /myapp/nodes/.*/tmp -- gen_context(myapp_u:object_r:myapp_tmp_t,s0)
  105. /myapp/nodes/.*/tomcat -- gen_context(myapp_u:object_r:myapp_tomcat_t,s0)
  106. /myapp/nodes/.*/util -- gen_context(myapp_u:object_r:myapp_util_t,s0)
  107. /myapp/nodes/.*/var -- gen_context(myapp_u:object_r:myapp_var_t,s0)
  108. /myapp/nodes/.*/vlog.sh -- gen_context(myapp_u:object_r:myapp_exec_t,s0)
  109. /myapp/nodes/.*/webapps -- gen_context(myapp_u:object_r:myapp_webapps_t,s0)
  110. /myapp/bin/command.sh -- gen_context(myapp_u:object_r:myapp_exec_t,s0)