
supervisor: add policy module

Helmut Pozimski 4 年 前
コミット
737746c38b
3 ファイル変更125 行追加0 行削除
  1. 18 0
      supervisor.fc
  2. 30 0
      supervisor.if
  3. 77 0
      supervisor.te

+ 18 - 0
supervisor.fc

@@ -0,0 +1,18 @@
+/etc/rc\.d/init\.d/supervisor	--	gen_context(system_u:object_r:supervisor_initrc_exec_t,s0)
+
+/etc/default/supervisor	--	gen_context(system_u:object_r:supervisor_etc_t,s0)
+/etc/supervisor(/.*)?		gen_context(system_u:object_r:supervisor_etc_t,s0)
+
+/usr/share/pyshared/supervisor(/.*)?		gen_context(system_u:object_r:supervisor_usr_t,s0)
+/usr/share/pyshared/supervisor.*	--	gen_context(system_u:object_r:supervisor_usr_t,s0)
+
+/var/log/supervisor(/.*)?		gen_context(system_u:object_r:supervisor_var_log_t,s0)
+
+/usr/lib64/python3.7/dist-packages/supervisor/(/.*)?		gen_context(system_u:object_r:supervisor_usr_lib_t,s0)
+
+/usr/bin/supervisord	--	gen_context(system_u:object_r:supervisord_exec_t,s0)
+/usr/lib/python-exec/python3.6/supervisord	--	gen_context(system_u:object_r:supervisord_exec_t,s0)
+
+/usr/bin/supervisorctl	--	gen_context(system_u:object_r:supervisorctl_exec_t,s0)
+
+/run/supervisor.*		gen_context(system_u:object_r:supervisor_var_run_t,s0)
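Review bot: The `/usr/lib64/python3.7/dist-packages/supervisor/(/.*)?` entry has a slash before the optional group, so it only ever expands to `supervisor//...` and matches neither the package directory nor the files below it; the other directory entries in this file use the `supervisor(/.*)?` form, which is what this line should be: `/usr/lib64/python3.7/dist-packages/supervisor(/.*)?		gen_context(system_u:object_r:supervisor_usr_lib_t,s0)`. As written, the `supervisor_usr_lib_t` type declared in the accompanying .te is never applied and those files keep whatever label the parent directory carries. The `.` in `python3.7` and in `/usr/share/pyshared/supervisor.*` is also unescaped, unlike the `rc\.d/init\.d` entry at the top; writing `python3\.7` keeps the dot from matching any character.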

+ 30 - 0
supervisor.if

@@ -0,0 +1,30 @@
+## <summary>Process supervisor written in python.</summary>
+
+########################################
+## <summary>
+##	Create a domain which can be
+##	started by supervisord.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entrypoint">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`supervisor_service_domain',`
+	gen_require(`
+		type supervisor_t;
+	')
+
+	domain_auto_trans(supervisor_t, $2, $1)
+
+	allow $1 supervisor_t:fd use;
+        allow $1 supervisor_t:fifo_file { read write ioctl getattr };
+        allow $1 supervisor_t:process sigchld;
+        allow supervisor_t $1:process { signal siginh rlimitinh noatsecure };
+')
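Review bot: The last three allow rules inside `supervisor_service_domain` are indented with spaces while the `gen_require` block, the `domain_auto_trans` call and the `allow $1 supervisor_t:fd use;` line use tabs; re-indenting them with a single tab keeps the interface consistent with the rest of the file and with refpolicy style. The interface only wires the transition and the parent/child fd, fifo and signal traffic, and grants the child domain nothing on the supervisor's log or run types, so callers presumably need their own rules for those; a line in the summary such as `##	Does not grant the child domain access to supervisor log or run files.` would make that contract explicit.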

+ 77 - 0
supervisor.te

@@ -0,0 +1,77 @@
+policy_module(supervisor, 0.1.15)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role supervisor_roles;
+
+type supervisor_t;
+type supervisord_exec_t;
+init_daemon_domain(supervisor_t, supervisord_exec_t)
+role supervisor_roles types supervisor_t;
+
+type supervisor_etc_t;
+files_config_file(supervisor_etc_t)
+
+type supervisor_initrc_exec_t;
+init_script_file(supervisor_initrc_exec_t);
+
+type supervisor_var_log_t;
+logging_log_file(supervisor_var_log_t)
+
+type supervisor_var_run_t;
+files_pid_file(supervisor_var_run_t)
+
+type supervisor_usr_t;
+files_type(supervisor_usr_t)
+
+type supervisor_usr_lib_t;
+files_type(supervisor_usr_lib_t)
+
+type supervisor_tmp_t;
+files_tmp_file(supervisor_tmp_t)
+
+type supervisorctl_t;
+
+type supervisorctl_exec_t;
+init_system_domain(supervisorctl_t,supervisorctl_exec_t)
+
+
+########################################
+#
+# Local policy
+#
+
+allow supervisor_t self:capability sys_tty_config;
+allow supervisor_t self:fifo_file { ioctl read write getattr };
+allow supervisor_t self:process setpgid;
+allow supervisor_t self:capability { setuid setgid };
+allow supervisor_t self:capability kill;
+
+corecmd_exec_bin(supervisor_t)
+corecmd_exec_shell(supervisor_t)
+auth_use_nsswitch(supervisor_t)
+miscfiles_read_localization(supervisor_t)
+dev_read_urand(supervisor_t)
+kernel_read_system_state(supervisor_t)
+
+read_files_pattern(supervisor_t,supervisor_etc_t,supervisor_etc_t)
+search_dirs_pattern(supervisor_t,supervisor_etc_t,supervisor_etc_t)
+allow supervisor_t supervisor_etc_t:dir read;
+
+read_files_pattern(supervisor_t,supervisor_usr_t,supervisor_usr_t)
+
+manage_dirs_pattern(supervisor_t,supervisor_var_log_t,supervisor_var_log_t)
+manage_files_pattern(supervisor_t,supervisor_var_log_t,supervisor_var_log_t)
+logging_log_filetrans(supervisor_t,supervisor_var_log_t, file)
+
+manage_dirs_pattern(supervisor_t,supervisor_tmp_t,supervisor_tmp_t)
+manage_files_pattern(supervisor_t,supervisor_tmp_t,supervisor_tmp_t)
+files_tmp_filetrans(supervisor_t,supervisor_tmp_t, file)
+
+
+manage_files_pattern(supervisor_t,supervisor_var_run_t,supervisor_var_run_t)
+manage_sock_files_pattern(supervisor_t,supervisor_var_run_t,supervisor_var_run_t)
+files_pid_filetrans(supervisor_t,supervisor_var_run_t, { file sock_file })
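Review bot: `supervisor_usr_lib_t` is declared with `type supervisor_usr_lib_t;` and `files_type(supervisor_usr_lib_t)`, and the .fc in this commit labels the dist-packages tree with it, but no rule in the local-policy section lets `supervisor_t` read it, unlike `supervisor_usr_t` which gets `read_files_pattern`; a supervisord that imports its modules from that path will be denied, so the section needs `read_files_pattern(supervisor_t,supervisor_usr_lib_t,supervisor_usr_lib_t)` together with the matching `search_dirs_pattern` line. `init_script_file(supervisor_initrc_exec_t);` is the only interface call in the file followed by a `;`, which m4 passes through into the generated policy source and may be rejected by the policy compiler; dropping it matches every other call. `supervisorctl_t` is declared through `init_system_domain` but receives no allow rules at all, so it cannot reach any socket labelled `supervisor_var_run_t` that `manage_sock_files_pattern` lets supervisord create — presumably intended for a later commit, but a comment such as `# supervisorctl_t: no local rules yet, controller cannot reach the socket` next to the declaration would stop readers from assuming it is functional. Since programs started by `supervisor_t` stay in that domain unless a caller uses `supervisor_service_domain`, and the domain holds `setuid setgid kill` plus `corecmd_exec_bin`/`corecmd_exec_shell`, a header comment stating that managed programs inherit these rules by default would help reviewers judge the module's scope.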