os-glance.te

policy_module(os-glance,0.1)

gen_require(`
	type glance_api_t;
	type glance_registry_t;
	type glance_var_lib_t;
	type glance_tmp_t;
	type fixed_disk_device_t;
	type init_t;
	type sysfs_t;
	type var_lib_t;
	type nfs_t;
	type httpd_t;
	class dir { write getattr remove_name create add_name };
	class file { write getattr unlink open create read};
	class lnk_file read;
	type sudo_exec_t;
	class file { execute };
	attribute glance_domain;
')

# Bugzilla 1362609
corenet_tcp_connect_memcache_port(glance_registry_t)

# Bugzilla 1219406
allow glance_api_t nfs_t:dir { search getattr write remove_name create add_name };
allow glance_api_t nfs_t:file { write getattr unlink open create read };
allow glance_registry_t nfs_t:dir search;

# Bugzilla 1210271
allow glance_registry_t glance_var_lib_t:lnk_file read;
allow glance_api_t glance_var_lib_t:lnk_file read;
allow glance_api_t var_lib_t:lnk_file read;
allow glance_registry_t var_lib_t:lnk_file read;

# Bugzilla 1145802
allow glance_api_t nfs_t:dir getattr;

# Bugzilla 1306525
corenet_tcp_connect_commplex_main_port(glance_registry_t)

# Bugzilla 1313617
fs_getattr_tmpfs(glance_api_t)

# Bugzilla 1395240
manage_sock_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
allow glance_api_t sudo_exec_t:file { execute };

optional_policy(`
	gen_require(`
		type elasticsearch_port_t;
	')
	# bugzilla 1192644
	allow glance_api_t elasticsearch_port_t:tcp_socket name_bind;
')

# Bug 1430402
optional_policy(`
	mysql_read_config(glance_api_t)
')

#
# Bug 1475378
# Bug 1447779
# XXX
# Stolen from the Nova base policy. Broken sudo support for glance.
#
gen_tunable(os_glance_use_sudo, false)
tunable_policy(`os_glance_use_sudo',`
	sudo_exec(glance_api_t)
	logging_send_audit_msgs(glance_api_t)
	iscsid_domtrans(glance_api_t)
	fstools_domtrans(glance_api_t)
	allow glance_api_t fixed_disk_device_t:blk_file { getattr ioctl open read setattr write };
	allow glance_api_t init_t:file { getattr open read };
	allow glance_api_t self:capability { setuid setgid };
	allow glance_api_t self:capability { audit_write setuid setgid chown sys_rawio sys_resource };
	allow glance_api_t self:netlink_audit_socket { create nlmsg_relay };
	allow glance_api_t self:process { setcap setrlimit setsched };
	allow glance_api_t sysfs_t:file append;
')

gen_tunable(os_glance_dac_override, false)
tunable_policy(`os_glance_dac_override',`
	allow glance_api_t self:capability dac_override;
')

# Bugzilla 1653640
gen_tunable(os_glance_use_nfs, false)
tunable_policy(`os_glance_use_nfs',`
	fs_manage_nfs_dirs(glance_domain)
	fs_manage_nfs_files(glance_domain)
	fs_manage_nfs_symlinks(glance_domain)
	fs_exec_nfs_files(glance_domain)
')

# Bugzilla 1789710
allow glance_api_t glance_var_lib_t:filesystem getattr;

# RDO-310 Allow httpd to handle files in statedir
manage_dirs_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t);
manage_files_pattern(httpd_t, glance_var_lib_t, glance_var_lib_t);