# $Id$
#
# SELinux Policy to run osgi-runner in RHEL8
#
# Probably not complete yet, particularly regarding calls to external tools
# (corecmd_exec_bin below lets the domain run generic binaries without a
# domain transition, so such calls run confined as osgirunner_t).
#
# Test and extension notes see https://confluence.iteg.at/x/64RCAw (ITEG staff only)
#
# Reading guide: the module declares one process domain (osgirunner_t), an
# entrypoint type (osgirunner_exec_t), private file types for cache/etc/lib/
# log/tmp and a port type, then grants the domain access to them plus the
# network ports it talks to. Two tunables (both off by default) widen the
# network rules; everything else is always on once the module is loaded.

policy_module(osgirunner,3.1.1.0)

# Types and classes referenced here but declared elsewhere in the base policy.
# NOTE(review): netlink_route_socket and sock_file are used in allow rules
# further down but are not listed here; the module reportedly builds, so the
# class declarations are presumably supplied by the build environment — confirm
# before relying on this block as the complete list.
require {
	type httpd_t;
	type init_t;
	type proc_t;
	type tmp_t;
	class dir *;
	class file *;
	class process execmem;
	class tcp_socket *;
	class udp_socket *;
	class unix_stream_socket *;
}

# Declarations

# base type: the confined domain the service runs in
type osgirunner_t;
# binaries: entrypoint type; init_daemon_domain sets up the init_t -> osgirunner_t
# transition when init executes a file labelled osgirunner_exec_t
type osgirunner_exec_t;
domain_type(osgirunner_t)
init_daemon_domain(osgirunner_t, osgirunner_exec_t)

# cache
type osgirunner_cache_t;
files_type(osgirunner_cache_t)

# etc files
type osgirunner_etc_t;
files_type(osgirunner_etc_t)

# lib files
type osgirunner_lib_t;
files_type(osgirunner_lib_t)

# log files: logging_log_file() marks the type as a log file type (and makes
# it a logfile for the logging infrastructure), so plain files_type is not needed
type osgirunner_log_t;
#files_type(osgirunner_log_t)
logging_log_file(osgirunner_log_t)

# tcp ports
# The port number(s) carrying osgirunner_port_t are not assigned in this file;
# they have to be mapped on the target system (e.g. with `semanage port`).
# NOTE(review): the trailing ';' after the interface call is unusual for
# refpolicy style but is kept as-is since the module builds.
type osgirunner_port_t;
corenet_port(osgirunner_port_t);
allow osgirunner_t osgirunner_port_t:tcp_socket name_bind;
# allow 8081 too?
#corenet_tcp_bind_transproxy_port(osgirunner_t)

# tmp stuff
# NOTE(review): osgirunner_tmp_t is declared but no rule below uses it; the
# tmp rules further down operate on generic tmp_t instead. Labelling the
# service's tmp content with this private type (a tmp filetrans) would keep
# it separate from other domains' tmp files — confirm whether that was the intent.
type osgirunner_tmp_t;
files_type(osgirunner_tmp_t)

# Tunables
# Both tunables default to false. Turning them on is a deliberate widening:
# osgirunner_bind_all_ports lets the domain listen on any TCP port,
# osgirunner_connect_all lets it connect to / send on any TCP or UDP port.
# Enable only for the deployments that need it and keep the reason documented.
gen_tunable(osgirunner_bind_all_ports, false)
tunable_policy(`osgirunner_bind_all_ports',`
	corenet_tcp_bind_all_ports(osgirunner_t)
')

# for MSSQL clouds, who even might use random UDP ports
gen_tunable(osgirunner_connect_all, false)
# no comments in the tunable block! (m4 would treat them as part of the quoted policy)
tunable_policy(`osgirunner_connect_all',`
	corenet_tcp_sendrecv_generic_if(osgirunner_t)
	corenet_tcp_sendrecv_generic_node(osgirunner_t)
	corenet_tcp_sendrecv_all_ports(osgirunner_t)
	corenet_tcp_connect_all_ports(osgirunner_t)
	corenet_udp_sendrecv_generic_if(osgirunner_t)
	corenet_udp_sendrecv_generic_node(osgirunner_t)
	corenet_udp_sendrecv_all_ports(osgirunner_t)
')

# unlabeled stuff too?
#corenet_all_recvfrom_unlabeled(osgirunner_t)

#allow osgirunner_t self:tcp_socket create_stream_socket_perms;

# osgirunner itself
# proposed somewhere
## internal communication is often done using fifo and unix sockets.
#allow osgirunner_t self:fifo_file { read write };
#allow osgirunner_t self:unix_stream_socket create_stream_socket_perms;

# uncategorized
fs_getattr_xattr_fs(osgirunner_t)
# triggers installation failure in RHEL 8.4:
#ipa_filetrans_named_content(osgirunner_t)
# read-only access to the system CA/cert store and locale data
miscfiles_map_generic_certs(osgirunner_t)
#miscfiles_read_certs(osgirunner_t)
miscfiles_read_generic_certs(osgirunner_t)
miscfiles_read_localization(osgirunner_t)

# bin: execute generic binaries in the osgirunner_t domain (no transition)
corecmd_exec_bin(osgirunner_t)

# cache: full create/read/write/delete on the private cache type
allow osgirunner_t osgirunner_cache_t:dir { add_name create getattr open read remove_name rmdir search write };
allow osgirunner_t osgirunner_cache_t:file { create getattr lock open read rename unlink write };

# cgroup
fs_read_cgroup_files(osgirunner_t)
fs_search_cgroup_dirs(osgirunner_t)

# dev
dev_read_rand(osgirunner_t)
dev_read_sysfs(osgirunner_t)

# dbus
dbus_system_bus_client(osgirunner_t)

# etc files: the service may rewrite its own config (create/unlink/write),
# not just read it
allow osgirunner_t osgirunner_etc_t:dir { add_name getattr open read remove_name search setattr write };
allow osgirunner_t osgirunner_etc_t:file { create getattr open read unlink write };
auth_read_passwd(osgirunner_t)
files_read_etc_files(osgirunner_t)

# GPG, sic! gpg runs inside the osgirunner_t domain, not in its own domain
gpg_entry_type(osgirunner_t)
gpg_exec(osgirunner_t)

# lib files
# NOTE: despite the earlier "ro" label, these rules are read-write: the domain
# may create, write, rename, unlink and also execute/map files of this type.
# Write + execute on the same type means the service can place code in its lib
# tree and run it; if the lib tree is meant to be static (deployed by packaging
# only), the write side (create/link/rename/unlink/write and the dir add_name/
# remove_name/write) could be dropped — confirm against how bundles are installed.
allow osgirunner_t osgirunner_lib_t:dir { add_name create getattr open read remove_name rmdir search setattr write };
allow osgirunner_t osgirunner_lib_t:file { create execute getattr link map open read rename unlink write };
# NOTE(review): libs_manage_lib_dirs grants management of the generic lib
# directories as well, not only the private type above — confirm it is needed.
libs_manage_lib_dirs(osgirunner_t)
libs_use_ld_so(osgirunner_t)
libs_use_shared_libs(osgirunner_t)
sssd_search_lib(osgirunner_t)

# log stuff
allow osgirunner_t osgirunner_log_t:dir { add_name create getattr open read remove_name search setattr write };
allow osgirunner_t osgirunner_log_t:file { create getattr lock open read rename unlink write };

# proc
allow osgirunner_t proc_t:file { getattr open read };
# execmem permits writable+executable anonymous memory in this domain (W^X is
# not enforced for it). NOTE(review): presumably required by the JVM's JIT;
# it is a known weakening and should stay limited to this domain.
allow osgirunner_t osgirunner_t:process execmem;

# sysfs
dev_list_sysfs(osgirunner_t)

# tmp: generic tmp_t is used here (see the unused osgirunner_tmp_t above).
# The tmp_t:sock_file permissions are split between this rule (create) and
# the { unlink write } rule in the networking section below; they could be
# merged into one rule.
allow osgirunner_t tmp_t:sock_file create;
files_list_tmp(osgirunner_t)
files_manage_generic_tmp_dirs(osgirunner_t)
files_manage_generic_tmp_files(osgirunner_t)
files_map_generic_tmp_files(osgirunner_t)
userdom_manage_tmp_dirs(osgirunner_t)
userdom_manage_tmp_files(osgirunner_t)
userdom_map_tmp_files(osgirunner_t)

# Init script handling
init_use_fds(osgirunner_t)
#init_use_fds(osgirunner_lib_t)
init_use_script_ptys(osgirunner_t)
domain_use_interactive_fds(osgirunner_t)
allow init_t osgirunner_etc_t:dir read;
allow init_t osgirunner_etc_t:file getattr;
allow init_t osgirunner_lib_t:dir read;
allow init_t osgirunner_lib_t:file execute;
# NOTE(review): execute_no_trans lets init_t run osgirunner_lib_t files in the
# init_t domain itself. Combined with the create/write permissions osgirunner_t
# has on osgirunner_lib_t files above, content written by the service could be
# executed by init without a transition. If init only needs to run one launcher
# file, giving that file its own type (or osgirunner_exec_t, so the transition
# from init_daemon_domain applies) would close this path — confirm which file
# init actually executes here.
allow init_t osgirunner_lib_t:file execute_no_trans;
allow init_t osgirunner_lib_t:file { getattr ioctl open read };
# for parsing service user & group
# NOTE(review): systemd_config_generic_services appears to grant control over
# generic systemd services, not only reading the unit file; if the goal is just
# to read User=/Group= from the unit, a read-only unit-file interface would be
# the tighter choice — confirm what the service does with systemctl.
systemd_exec_systemctl(osgirunner_t)
systemd_config_generic_services(osgirunner_t)
dbus_read_pid_sock_files(osgirunner_t)

# for sudo from root to osgi. should not be necessary if configuration is correct
#sudo_exec(osgirunner_t)

# Networking stuff
# some of those only showed up in ausearch after semodule -DB
# The four self:* rules grant every permission of the respective socket class
# (the commented-out create_stream_socket_perms line above shows the narrower
# starting point). Tightening them to the permissions actually seen in the
# audit log is a follow-up hardening item.
allow osgirunner_t self:tcp_socket *;
allow osgirunner_t self:netlink_route_socket *;
allow osgirunner_t self:udp_socket *;
allow osgirunner_t self:unix_stream_socket *;
allow osgirunner_t osgirunner_port_t:tcp_socket name_connect;
corenet_tcp_bind_generic_node(osgirunner_t)
#corenet_tcp_bind_generic_port(osgirunner_t)
# outbound connections: directory (LDAP) and database ports plus transproxy
corenet_tcp_connect_ldap_port(osgirunner_t)
corenet_tcp_connect_mssql_port(osgirunner_t)
#corenet_udp_send_mssql_port(osgirunner_t)
#corenet_udp_sendrecv_mssql_port(osgirunner_t)
#corenet_send_mssql_client_packets(osgirunner_t)
#corenet_send_mssql_server_packets(osgirunner_t)
#corenet_sendrecv_mssql_client_packets(osgirunner_t)
#corenet_sendrecv_mssql_server_packets(osgirunner_t)
corenet_tcp_connect_mysqld_port(osgirunner_t)
corenet_tcp_connect_oracle_port(osgirunner_t)
corenet_tcp_connect_postgresql_port(osgirunner_t)
corenet_tcp_connect_transproxy_port(osgirunner_t)
#corenet_tcp_connect_all_ports(osgirunner_t)
#corenet_udp_sendrecv_all_ports(osgirunner_t)
corenet_udp_bind_generic_node(osgirunner_t)
kernel_read_network_state(osgirunner_t)
sysnet_read_config(osgirunner_t)
# second half of the tmp_t:sock_file permissions (create is granted in the tmp section)
allow osgirunner_t tmp_t:sock_file { unlink write };

# Apache to OSGi-Runner: httpd may connect to the osgirunner port (reverse
# proxy path); this is the only rule in the module that touches httpd_t
allow httpd_t osgirunner_port_t:tcp_socket name_connect;