## Collection of tools for managing UNIX services.
########################################
##
## An ipc channel between the
## supervised domain and svc_start_t.
##
##
##
## Domain allowed access.
##
##
#
interface(`daemontools_ipc_domain',`
gen_require(`
type svc_start_t;
')
allow $1 svc_start_t:process sigchld;
allow $1 svc_start_t:fd use;
allow $1 svc_start_t:fifo_file rw_fifo_file_perms;
allow svc_start_t $1:process signal;
')
########################################
##
## Create a domain which can be
## started by daemontools.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
interface(`daemontools_service_domain',`
gen_require(`
type svc_run_t;
')
domain_auto_transition_pattern(svc_run_t, $2, $1)
daemontools_ipc_domain($1)
allow svc_run_t $1:process signal;
allow $1 svc_run_t:fd use;
')
########################################
##
## Execute svc start in the svc
## start domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`daemontools_domtrans_start',`
gen_require(`
type svc_start_t, svc_start_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, svc_start_exec_t, svc_start_t)
')
######################################
##
## Execute svc start in the svc
## start domain, and allow the
## specified role the svc start domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
interface(`daemonstools_run_start',`
gen_require(`
attribute_role svc_start_roles;
')
daemontools_domtrans_start($1)
roleattribute $2 svc_start_roles;
')
########################################
##
## Execute avc run in the svc run domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`daemontools_domtrans_run',`
gen_require(`
type svc_run_t, svc_run_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, svc_run_exec_t, svc_run_t)
')
######################################
##
## Send child terminated signals
## to svc run.
##
##
##
## Domain allowed access.
##
##
#
interface(`daemontools_sigchld_run',`
gen_require(`
type svc_run_t;
')
allow $1 svc_run_t:process sigchld;
')
########################################
##
## Execute avc multilog in the svc
## multilog domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`daemontools_domtrans_multilog',`
gen_require(`
type svc_multilog_t, svc_multilog_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t)
')
######################################
##
## Search svc svc directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`daemontools_search_svc_dir',`
gen_require(`
type svc_svc_t;
')
files_search_var($1)
allow $1 svc_svc_t:dir search_dir_perms;
')
########################################
##
## Read svc avc files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`daemontools_read_svc',`
gen_require(`
type svc_svc_t;
')
files_search_var($1)
allow $1 svc_svc_t:dir list_dir_perms;
allow $1 svc_svc_t:file read_file_perms;
')
########################################
##
## Create, read, write and delete
## svc svc content.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`daemontools_manage_svc',`
gen_require(`
type svc_svc_t;
')
files_search_var($1)
allow $1 svc_svc_t:dir manage_dir_perms;
allow $1 svc_svc_t:fifo_file manage_fifo_file_perms;
allow $1 svc_svc_t:file manage_file_perms;
allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;
')