os-octavia.te

policy_module(os-octavia,0.1)

gen_require(`
	type keepalived_t;
	type haproxy_t;
	type ifconfig_t;
	type user_tmp_t;
	type var_run_t;
	type ifconfig_exec_t;
	type sysfs_t;
	type var_lib_t;
	type bin_t;
	type root_t;
	type sysctl_fs_t;
	type proc_security_t;
	type sysctl_kernel_t;
	type etc_t;
	type usermodehelper_t;
	type keepalived_exec_t;
	type unconfined_service_t;
	type NetworkManager_t;
	type tmpfs_t;
	type nsfs_t;
	type shell_exec_t;
	type ping_exec_t;
	class sock_file { create link rename setattr unlink write };
	class capability { sys_ptrace sys_admin };
	class file { create entrypoint execute execute_no_trans getattr ioctl open read write };
	class dir { add_name mounton write };
	class filesystem { mount unmount };
')

# bind mount capabilities
allow ifconfig_t etc_t:dir mounton;
allow ifconfig_t user_tmp_t:dir mounton;
allow ifconfig_t var_run_t:dir mounton;
allow ifconfig_t self:capability sys_ptrace;
allow ifconfig_t proc_security_t:file manage_file_perms;
allow ifconfig_t sysctl_fs_t:file manage_file_perms;
allow ifconfig_t sysctl_kernel_t:file manage_file_perms;
allow ifconfig_t usermodehelper_t:file { getattr open write };

#
# XXX Future work: need to set /var/lib/octavia to something
#     haproxy_t / keepalived_t can access, rather than giving
#     these two contexts blanket access to var_lib_t. Need to
#     work with upstream selinux-policy-contrib developers
#     to sort this out.  Until then, this set of rules is
#     better than using unconfined_domain()
#
# /var/lib/octavia/vrrp (directory)
allow keepalived_t var_lib_t:dir { add_name write remove_name };

# /var/lib/octavia/vrrp/octavia-keepalived.pid
# /var/lib/octavia/vrrp/check_script.sh
allow keepalived_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink };

# /var/lib/octavia/[uuid].sock
allow keepalived_t var_lib_t:sock_file { create link rename setattr unlink write };

# These are needed during boot when setting up the netns
allow keepalived_t bin_t:file { entrypoint };
allow keepalived_t etc_t:dir mounton;
allow keepalived_t keepalived_exec_t:file execute_no_trans;
allow keepalived_t root_t:dir mounton;
allow keepalived_t sysfs_t:filesystem { mount unmount };
allow keepalived_t user_tmp_t:dir mounton;
allow keepalived_t var_run_t:dir { create mounton rmdir };
allow keepalived_t sysfs_t:dir mounton;
allow keepalived_t tmpfs_t:filesystem unmount;

# Same access for haproxy_t
allow haproxy_t bin_t:file { entrypoint execute };
allow haproxy_t unconfined_service_t:file { open read };
allow haproxy_t var_lib_t:dir { add_name write remove_name };
allow haproxy_t var_lib_t:file { create execute execute_no_trans getattr ioctl open read write unlink };
allow haproxy_t var_lib_t:sock_file { create link rename setattr unlink write };
allow haproxy_t self:capability { sys_admin };

gen_tunable(os_haproxy_dac_override, false)
tunable_policy(`os_haproxy_dac_override',`
        allow haproxy_t self:capability dac_override;
')

# These are needed during boot when setting up the netns
allow haproxy_t etc_t:dir mounton;
allow haproxy_t root_t:dir mounton;
allow haproxy_t sysfs_t:filesystem { mount unmount };
allow haproxy_t user_tmp_t:dir mounton;
allow haproxy_t NetworkManager_t:file { open read };
allow haproxy_t sysfs_t:dir mounton;
gen_tunable(os_haproxy_enable_nsfs, false)
tunable_policy(`os_haproxy_enable_nsfs', `
    allow haproxy_t nsfs_t:file { open read };
')
gen_tunable(os_haproxy_ping, false)
tunable_policy(`os_haproxy_ping', `
    allow haproxy_t ping_exec_t:file { execute execute_no_trans open read };
    allow haproxy_t self:rawip_socket { create getopt setopt write read };
    allow haproxy_t self:icmp_socket { create getopt setopt write read };
    allow haproxy_t self:process setcap;
    allow haproxy_t shell_exec_t:file execute;
')

kernel_read_fs_sysctls(ifconfig_t)