- # SELinux type-enforcement module for myapp: declares the myapp_r role, the myapp_t
- # domain, one file type per on-disk directory, a domain transition from unconfined_t,
- # and one MLS/MCS user per instance (the gen_user calls at the bottom).
- policy_module(myapp,1.0.0)
- # Import some things we will need from other modules/default policy
- # c0..c10 and c1023 are consumed by the gen_user ranges below, shell_exec_t by the
- # entrypoint rule, unconfined_r/unconfined_t by the transition rules; initrc_t is
- # only referenced from the commented-out rules further down.
- require {
- sensitivity s0;
- category c0, c1, c2, c3, c4, c5, c6, c7, c8, c9, c10;
- category c1023;
- role unconfined_r;
- type unconfined_t;
- type initrc_t;
- type shell_exec_t;
- }
- # Role and type for our app
- role myapp_r;
- # NOTE(review): no "role myapp_r types myapp_t;" statement appears in this listing.
- # The kernel only accepts a context whose type is authorized for its role, so without
- # it the gen_user entries below pair myapp_r with a type it cannot carry - confirm it
- # is declared elsewhere.
- type myapp_t;
- # Glide file context
- # One file type per directory of an instance tree; the .fc entries below map paths
- # onto these types.
- type myapp_bin_t;
- type myapp_api_t;
- type myapp_conf_t;
- type myapp_release_t;
- type myapp_incoming_t;
- type myapp_lib_t;
- type myapp_logs_t;
- type myapp_scripts_t;
- type myapp_tmp_t;
- type myapp_tomcat_t;
- type myapp_util_t;
- type myapp_var_t;
- type myapp_exec_t;
- type myapp_webapps_t;
- # Assign type attributes
- # corecmd_executable_file marks executables, files_type ordinary files, and
- # logging_log_file log files (so the generic log interfaces apply to myapp_logs_t).
- corecmd_executable_file(myapp_bin_t)
- files_type(myapp_api_t)
- files_type(myapp_conf_t)
- files_type(myapp_release_t)
- files_type(myapp_incoming_t)
- files_type(myapp_lib_t)
- logging_log_file(myapp_logs_t)
- files_type(myapp_scripts_t)
- # NOTE(review): myapp_tmp_t gets the generic files_type attribute; if it labels a
- # tmp directory, files_tmp_file is the usual interface - verify.
- files_type(myapp_tmp_t)
- files_type(myapp_tomcat_t)
- files_type(myapp_util_t)
- files_type(myapp_var_t)
- corecmd_executable_file(myapp_exec_t)
- files_type(myapp_webapps_t)
- # NOTE(review): associate is checked between a file type and the type of the
- # *filesystem* it is created on; myapp_logs_t is declared above as a file type, not
- # a filesystem type, so this rule most likely never matches - confirm which
- # filesystem myapp_tmp_t files are meant to live on.
- allow myapp_tmp_t myapp_logs_t: filesystem associate;
- # Allow transition so things can get started
- # The hand-written transition rules below stay commented out; domtrans_pattern
- # further down expands to the same execute/entrypoint/transition/type_transition set.
- #type_transition unconfined_t myapp_exec_t:process myapp_t;
- #allow unconfined_t myapp_exec_t:process transition;
- #allow myapp_t myapp_exec_t:file entrypoint;
- #allow unconfined_t myapp_exec_t:file entrypoint;
- #allow initrc_t myapp_exec_t:file execute;
- #allow initrc_t myapp_t:process transition;
- # NOTE(review): gen_require is the interface-file form of require; the require block
- # above already imports unconfined_t/unconfined_r, and myapp_t, myapp_exec_t and
- # myapp_r are declared in this module, so this call is probably redundant - verify
- # it does not break the module build.
- gen_require(` type unconfined_t, myapp_t, myapp_exec_t; role unconfined_r, myapp_r; ')
- # NOTE(review): with shell_exec_t as an entrypoint, any shell binary (not only files
- # labelled myapp_exec_t) can be the first program of the myapp_t domain, which widens
- # the ways into the domain. The .fc below already labels the start scripts
- # myapp_exec_t, so check whether this rule is still needed.
- allow myapp_t shell_exec_t:file entrypoint;
- # unconfined_t executing a myapp_exec_t file lands in myapp_t.
- domtrans_pattern(unconfined_t, myapp_exec_t, myapp_t)
- # NOTE(review): the next four rules repeat what domtrans_pattern already grants
- # (execute is part of its file permission set); harmless but redundant.
- type_transition unconfined_t myapp_exec_t:process myapp_t;
- allow unconfined_t myapp_exec_t:file execute;
- allow myapp_t myapp_exec_t:file entrypoint;
- allow unconfined_t myapp_t:process transition;
- # Lets a process in unconfined_r change role to myapp_r as part of the transition.
- allow unconfined_r myapp_r;
- # Generate one user per myapp instance with user and category matching the port
- # it will bind to, only as convention, they don't technically have to match.
- #user myapp_u roles { myapp_r } level s0 range s0:c0.c1023;
- # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, mcs_categories).
- # NOTE(review): the second argument is the refpolicy contexts prefix, not a type;
- # passing myapp_t there looks like a mix-up - check against the macro definition.
- # myapp_u gets every category; each p160NN_u gets only the category for its port,
- # so instances are separated from each other by MCS - but only for objects that
- # carry a matching category. The .fc entries below all use plain s0, so those files
- # are reachable by every instance.
- gen_user(myapp_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c0.c1023)
- gen_user(p16000_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c0)
- gen_user(p16001_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c1)
- gen_user(p16002_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c2)
- gen_user(p16003_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c3)
- gen_user(p16004_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c4)
- gen_user(p16005_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c5)
- gen_user(p16006_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c6)
- gen_user(p16007_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c7)
- gen_user(p16008_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c8)
- gen_user(p16009_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c9)
- gen_user(p16010_u, myapp_t, myapp_r, s0, s0 - mls_systemhigh, c10)
- And then the matching file contexts, in myapp.fc:
- # File contexts for myapp. Each line is: path regex, object-class filter, and the
- # context (user:role:type,level) that restorecon/setfiles applies.
- # NOTE(review): every entry uses the "--" filter, which matches regular files only.
- # api, bin, conf, lib, logs, tomcat, webapps and the like read as directory names;
- # with "--" neither the directory nor anything inside it gets the type. For a
- # directory tree the usual form is a "(/.*)?" suffix with no class filter - verify
- # against the real layout.
- # NOTE(review): the SELinux user is myapp_u rather than the customary system_u, and
- # the level is plain s0 on every entry, so the per-port categories given to the
- # p160NN_u users in the .te do not separate these files between instances -
- # confirm that is intended.
- /myapp/nodes/.*/api -- gen_context(myapp_u:object_r:myapp_api_t,s0)
- /myapp/nodes/.*/bin -- gen_context(myapp_u:object_r:myapp_bin_t,s0)
- # The *.sh entries get myapp_exec_t, the type domtrans_pattern transitions on.
- /myapp/nodes/.*/clog.sh -- gen_context(myapp_u:object_r:myapp_exec_t,s0)
- /myapp/nodes/.*/conf -- gen_context(myapp_u:object_r:myapp_conf_t,s0)
- /myapp/nodes/.*/myapp-release -- gen_context(myapp_u:object_r:myapp_release_t,s0)
- /myapp/nodes/.*/incoming-dist -- gen_context(myapp_u:object_r:myapp_incoming_t,s0)
- /myapp/nodes/.*/lib -- gen_context(myapp_u:object_r:myapp_lib_t,s0)
- /myapp/nodes/.*/logs -- gen_context(myapp_u:object_r:myapp_logs_t,s0)
- /myapp/nodes/.*/scripts -- gen_context(myapp_u:object_r:myapp_scripts_t,s0)
- /myapp/nodes/.*/shutdown.sh -- gen_context(myapp_u:object_r:myapp_exec_t,s0)
- /myapp/nodes/.*/startup.sh -- gen_context(myapp_u:object_r:myapp_exec_t,s0)
- /myapp/nodes/.*/tlog.sh -- gen_context(myapp_u:object_r:myapp_exec_t,s0)
- /myapp/nodes/.*/tmp -- gen_context(myapp_u:object_r:myapp_tmp_t,s0)
- /myapp/nodes/.*/tomcat -- gen_context(myapp_u:object_r:myapp_tomcat_t,s0)
- /myapp/nodes/.*/util -- gen_context(myapp_u:object_r:myapp_util_t,s0)
- /myapp/nodes/.*/var -- gen_context(myapp_u:object_r:myapp_var_t,s0)
- /myapp/nodes/.*/vlog.sh -- gen_context(myapp_u:object_r:myapp_exec_t,s0)
- /myapp/nodes/.*/webapps -- gen_context(myapp_u:object_r:myapp_webapps_t,s0)
- # Shared launcher outside the per-instance trees; same executable type as the scripts.
- /myapp/bin/command.sh -- gen_context(myapp_u:object_r:myapp_exec_t,s0)