eucalyptus.te

# Copyright (c) 2016-2017 Ent. Services Development Corporation LP
#
# Permission to use, copy, modify, and/or distribute this software for
# any purpose with or without fee is hereby granted, provided that the
# above copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
# OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

policy_module(eucalyptus, 0.2.3)

gen_require(`
    attribute fixed_disk_raw_read;
    attribute fixed_disk_raw_write;
    type device_t;
    type fixed_disk_device_t;
    type tmp_t;
')

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow eucalyptus-node to run mkfs on paravirtual instances' disks.
## </p>
## </desc>
gen_tunable(eucalyptus_run_mkfs, true)

## <desc>
## <p>
## Allow eucalyptus-cloud to run as a storage controller
## </p>
## </desc>
gen_tunable(eucalyptus_storage_controller, false)

attribute eucalyptus_domain;
attribute eucalyptus_unit_file;

eucalyptus_domain_template(cloud)
typeattribute eucalyptus_cloud_t fixed_disk_raw_read;  # storage controller
typeattribute eucalyptus_cloud_t fixed_disk_raw_write;  # storage controller

eucalyptus_domain_template(cluster)

eucalyptus_domain_template(node)
typeattribute eucalyptus_node_t fixed_disk_raw_read;  # for mkswap:  https://eucalyptus.atlassian.net/browse/EUCA-12492
typeattribute eucalyptus_node_t fixed_disk_raw_write;  # for mkswap:  https://eucalyptus.atlassian.net/browse/EUCA-12492

eucalyptus_domain_template(eucanetd)

type eucalyptus_conf_t;
files_config_file(eucalyptus_conf_t)

type eucalyptus_log_t;
logging_log_file(eucalyptus_log_t)

type eucalyptus_tmp_t;
files_tmp_file(eucalyptus_tmp_t)

type eucalyptus_tmpfs_t;
files_tmpfs_file(eucalyptus_tmpfs_t)

type eucalyptus_var_lib_t;
files_type(eucalyptus_var_lib_t)

type eucalyptus_var_run_t;
files_pid_file(eucalyptus_var_run_t)

########################################
#
# eucalyptus_cloud local policy
#

allow eucalyptus_cloud_t self:capability { chown fowner kill net_raw setgid setuid sys_resource };
allow eucalyptus_cloud_t self:capability { dac_override dac_read_search };  # log files written as root
dontaudit eucalyptus_cloud_t self:capability fsetid;

allow eucalyptus_cloud_t self:process { execmem setcap setpgid setrlimit };  # execmem is for java

allow eucalyptus_cloud_t self:netlink_route_socket create_netlink_socket_perms;
allow eucalyptus_cloud_t self:rawip_socket create_socket_perms;
allow eucalyptus_cloud_t self:tcp_socket create_stream_socket_perms;
allow eucalyptus_cloud_t self:udp_socket create_socket_perms;
allow eucalyptus_cloud_t self:unix_stream_socket connectto;  # pg_ctl

list_dirs_pattern(eucalyptus_cloud_t, eucalyptus_conf_t, eucalyptus_conf_t)
read_files_pattern(eucalyptus_cloud_t, eucalyptus_conf_t, eucalyptus_conf_t)

manage_files_pattern(eucalyptus_cloud_t, eucalyptus_log_t, eucalyptus_log_t)
logging_log_filetrans(eucalyptus_cloud_t, eucalyptus_log_t, { dir file lnk_file })

manage_dirs_pattern(eucalyptus_cloud_t, eucalyptus_var_lib_t, eucalyptus_var_lib_t)
manage_files_pattern(eucalyptus_cloud_t, eucalyptus_var_lib_t, eucalyptus_var_lib_t)
manage_lnk_files_pattern(eucalyptus_cloud_t, eucalyptus_var_lib_t, eucalyptus_var_lib_t)
manage_sock_files_pattern(eucalyptus_cloud_t, eucalyptus_var_lib_t, eucalyptus_var_lib_t)  # postgres

manage_dirs_pattern(eucalyptus_cloud_t, eucalyptus_var_run_t, eucalyptus_var_run_t)
manage_files_pattern(eucalyptus_cloud_t, eucalyptus_var_run_t, eucalyptus_var_run_t)
files_pid_filetrans(eucalyptus_cloud_t, eucalyptus_var_run_t, file)

files_tmp_filetrans(eucalyptus_cloud_t, eucalyptus_tmp_t, { dir file })
manage_files_pattern(eucalyptus_cloud_t, tmp_t, eucalyptus_tmp_t)
manage_dirs_pattern(eucalyptus_cloud_t, eucalyptus_tmp_t, eucalyptus_tmp_t)
manage_files_pattern(eucalyptus_cloud_t, eucalyptus_tmp_t, eucalyptus_tmp_t)

manage_files_pattern(eucalyptus_cloud_t, tmpfs_t, eucalyptus_tmpfs_t)
fs_tmpfs_filetrans(eucalyptus_cloud_t, eucalyptus_tmpfs_t, { dir file lnk_file sock_file fifo_file })

kernel_read_network_state(eucalyptus_cloud_t)  # /proc/net/if_inet6
kernel_read_system_state(eucalyptus_cloud_t)

corecmd_exec_bin(eucalyptus_cloud_t)

corenet_tcp_sendrecv_generic_port(eucalyptus_cloud_t)
corenet_udp_sendrecv_generic_port(eucalyptus_cloud_t)
corenet_tcp_connect_generic_port(eucalyptus_cloud_t)
corenet_raw_bind_generic_node(eucalyptus_cloud_t)
corenet_tcp_bind_generic_node(eucalyptus_cloud_t)
corenet_tcp_bind_generic_port(eucalyptus_cloud_t)
corenet_udp_bind_generic_node(eucalyptus_cloud_t)
corenet_udp_bind_generic_port(eucalyptus_cloud_t)
corenet_tcp_connect_echo_port(eucalyptus_cloud_t)  # InetAddress.isReachable falls back to this when ICMP doesn't work
corenet_tcp_bind_dns_port(eucalyptus_cloud_t)
corenet_udp_bind_dns_port(eucalyptus_cloud_t)
corenet_tcp_connect_http_port(eucalyptus_cloud_t)  # for riak
corenet_tcp_connect_ldap_port(eucalyptus_cloud_t)
corenet_tcp_connect_osapi_compute_port(eucalyptus_cloud_t)  # port 8774

dev_read_rand(eucalyptus_cloud_t)
dev_read_sysfs(eucalyptus_cloud_t)  # /sys/device/system/cpu

domain_use_interactive_fds(eucalyptus_cloud_t)  # get output from clcadmin-initialize-cloud

files_dontaudit_write_root_dirs(eucalyptus_cloud_t)

fs_getattr_tmpfs(eucalyptus_cloud_t)
fs_getattr_xattr_fs(eucalyptus_cloud_t)

term_use_all_inherited_ptys(eucalyptus_cloud_t)  # get output from clcadmin-initialize-cloud
term_use_all_inherited_ttys(eucalyptus_cloud_t)  # get output from clcadmin-initialize-cloud

auth_read_passwd(eucalyptus_cloud_t)

miscfiles_read_generic_certs(eucalyptus_cloud_t)  # /etc/pki/tls/openssl.cnf for postgres

sysnet_domtrans_ifconfig(eucalyptus_cloud_t)  # Internets.java uses /sbin/ip to find the default route
sysnet_dns_name_resolve(eucalyptus_cloud_t)
sysnet_read_config(eucalyptus_cloud_t)

# /tmp/hsperfdata_root is explicitly labeled as user_tmp_t by the base
# policy, so we can't just give it a transition to eucalyptus_tmp_t like
# we can with other things.
userdom_manage_user_tmp_dirs(eucalyptus_cloud_t)
userdom_manage_user_tmp_files(eucalyptus_cloud_t)

ifdef(`hide_broken_symptoms',`
    dontaudit eucalyptus_cloud_t eucalyptus_conf_t:dir manage_dir_perms;  # https://eucalyptus.atlassian.net/browse/EUCA-12391
')

tunable_policy(`eucalyptus_storage_controller', `
    can_exec(eucalyptus_cloud_t, eucalyptus_tmp_t)  # JNA wants to mmap a temp copy of librbd

    rw_blk_files_pattern(eucalyptus_cloud_t, device_t, fixed_disk_device_t)

    corenet_tcp_connect_ssh_port(eucalyptus_cloud_t)  # port 22, equallogic
    corenet_tcp_connect_http_cache_port(eucalyptus_cloud_t)  # port 8080, 3par
    corenet_tcp_connect_cyphesis_port(eucalyptus_cloud_t)  # port 6789, ceph-mon

    dev_list_all_dev_nodes(eucalyptus_cloud_t)
    dev_rw_sysfs(eucalyptus_cloud_t)  # disconnect_iscsitarget_main.pl LUN deletion

    fstools_domtrans(eucalyptus_cloud_t)  # overlaymanager

    lvm_domtrans(eucalyptus_cloud_t)  # dasmanager
    lvm_read_metadata(eucalyptus_cloud_t)  # dasmanager, mainly so audit2why yields results

    udev_domtrans(eucalyptus_cloud_t)
')

optional_policy(`
    tunable_policy(`eucalyptus_storage_controller', `
        iscsid_domtrans(eucalyptus_cloud_t)
    ')
')

optional_policy(`
    tunable_policy(`eucalyptus_storage_controller', `
        tgtd_stream_connect(eucalyptus_cloud_t)  # dasmanager, overlaymanager
    ')
')

optional_policy(`
    gen_require(`
        type unconfined_service_t;
    ')

    # This happens at startup in VPCMIDO mode.  No one seems to know why.
    dontaudit eucalyptus_cloud_t unconfined_service_t:process signull;
')

optional_policy(`
    postgresql_exec(eucalyptus_cloud_t)
')

########################################
#
# eucalyptus_cluster local policy
#

allow eucalyptus_cluster_t self:capability { dac_override kill setgid setuid };

allow eucalyptus_cluster_t self:process { getpgid setpgid };
dontaudit eucalyptus_cluster_t self:process setfscreate;  # sed wants to unnecessarily relabel httpd.conf

allow eucalyptus_cluster_t self:fifo_file rw_fifo_file_perms;
allow eucalyptus_cluster_t self:netlink_route_socket create_netlink_socket_perms;
allow eucalyptus_cluster_t self:sem create_sem_perms;
allow eucalyptus_cluster_t self:tcp_socket create_stream_socket_perms;
allow eucalyptus_cluster_t self:udp_socket create_socket_perms;

list_dirs_pattern(eucalyptus_cluster_t, eucalyptus_conf_t, eucalyptus_conf_t)
read_files_pattern(eucalyptus_cluster_t, eucalyptus_conf_t, eucalyptus_conf_t)

manage_files_pattern(eucalyptus_cluster_t, eucalyptus_log_t, eucalyptus_log_t)
logging_log_filetrans(eucalyptus_cluster_t, eucalyptus_log_t, { dir file lnk_file })

manage_dirs_pattern(eucalyptus_cluster_t, eucalyptus_var_lib_t, eucalyptus_var_lib_t)
manage_files_pattern(eucalyptus_cluster_t, eucalyptus_var_lib_t, eucalyptus_var_lib_t)
manage_lnk_files_pattern(eucalyptus_cluster_t, eucalyptus_var_lib_t, eucalyptus_var_lib_t)

manage_dirs_pattern(eucalyptus_cluster_t, eucalyptus_var_run_t, eucalyptus_var_run_t)
manage_files_pattern(eucalyptus_cluster_t, eucalyptus_var_run_t, eucalyptus_var_run_t)
files_pid_filetrans(eucalyptus_cluster_t, eucalyptus_var_run_t, file)

manage_files_pattern(eucalyptus_cluster_t, tmp_t, eucalyptus_tmp_t)
files_tmp_filetrans(eucalyptus_cluster_t, eucalyptus_tmp_t, file)

manage_files_pattern(eucalyptus_cluster_t, tmpfs_t, eucalyptus_tmpfs_t)
fs_tmpfs_filetrans(eucalyptus_cluster_t, eucalyptus_tmpfs_t, file)

kernel_read_network_state(eucalyptus_cluster_t)  # /proc/net/arp
kernel_read_system_state(eucalyptus_cluster_t)

corecmd_exec_bin(eucalyptus_cluster_t)

corenet_tcp_sendrecv_generic_port(eucalyptus_cluster_t)
corenet_tcp_connect_generic_port(eucalyptus_cluster_t)
corenet_tcp_bind_generic_node(eucalyptus_cluster_t)
corenet_tcp_connect_osapi_compute_port(eucalyptus_cluster_t)  # port 8774
corenet_tcp_bind_osapi_compute_port(eucalyptus_cluster_t)  # port 8774
corenet_tcp_connect_neutron_port(eucalyptus_cluster_t)  # port 8775

dev_read_rand(eucalyptus_cluster_t)  # uuidgen
dev_read_sysfs(eucalyptus_cluster_t)

fs_getattr_tmpfs(eucalyptus_cluster_t)  # semaphores

auth_read_passwd(eucalyptus_cluster_t)

miscfiles_read_localization(eucalyptus_cluster_t)

sysnet_domtrans_ifconfig(eucalyptus_cluster_t)

optional_policy(`
    apache_exec(eucalyptus_cluster_t)
    apache_exec_modules(eucalyptus_cluster_t)
    apache_exec_suexec(eucalyptus_cluster_t)
    apache_search_config(eucalyptus_cluster_t)
')

optional_policy(`
    iptables_domtrans(eucalyptus_cluster_t)  # sensors, managed mode
')

########################################
#
# eucalyptus_node local policy
#

allow eucalyptus_node_t self:capability { chown dac_override fowner kill setgid setuid };
dontaudit eucalyptus_node_t self:capability fsetid;

allow eucalyptus_node_t self:process { getpgid setpgid };
dontaudit eucalyptus_node_t self:process setfscreate;  # sed wants to unnecessarily relabel httpd.conf

allow eucalyptus_node_t self:fifo_file rw_fifo_file_perms;
allow eucalyptus_node_t self:msgq create_msgq_perms;  # /usr/bin/pv
allow eucalyptus_node_t self:shm create_shm_perms;  # bundle-instance
allow eucalyptus_node_t self:tcp_socket rw_stream_socket_perms;
allow eucalyptus_node_t self:unix_stream_socket create_stream_socket_perms;

ps_process_pattern(eucalyptus_node_t, eucalyptus_eucanetd_t)

append_files_pattern(eucalyptus_node_t, etc_t, etc_t)  # adding --listen in /etc/sysconfig/libvirtd

list_dirs_pattern(eucalyptus_node_t, eucalyptus_conf_t, eucalyptus_conf_t)
read_files_pattern(eucalyptus_node_t, eucalyptus_conf_t, eucalyptus_conf_t)

manage_files_pattern(eucalyptus_node_t, eucalyptus_log_t, eucalyptus_log_t)
logging_log_filetrans(eucalyptus_node_t, eucalyptus_log_t, { dir file lnk_file })

manage_dirs_pattern(eucalyptus_node_t, eucalyptus_var_lib_t, eucalyptus_var_lib_t)
manage_files_pattern(eucalyptus_node_t, eucalyptus_var_lib_t, eucalyptus_var_lib_t)
manage_lnk_files_pattern(eucalyptus_node_t, eucalyptus_var_lib_t, eucalyptus_var_lib_t)
files_var_lib_filetrans(eucalyptus_node_t, eucalyptus_var_lib_t, { dir file lnk_file sock_file })

manage_dirs_pattern(eucalyptus_node_t, tmp_t, eucalyptus_tmp_t)
manage_files_pattern(eucalyptus_node_t, tmp_t, eucalyptus_tmp_t)
files_tmp_filetrans(eucalyptus_node_t, eucalyptus_tmp_t, { dir file })

manage_files_pattern(eucalyptus_node_t, tmpfs_t, eucalyptus_tmpfs_t)
fs_tmpfs_filetrans(eucalyptus_node_t, eucalyptus_tmpfs_t, file)

manage_dirs_pattern(eucalyptus_node_t, eucalyptus_var_run_t, eucalyptus_var_run_t)
manage_files_pattern(eucalyptus_node_t, eucalyptus_var_run_t, eucalyptus_var_run_t)
files_pid_filetrans(eucalyptus_node_t, eucalyptus_var_run_t, file)

kernel_read_network_state(eucalyptus_node_t)
kernel_read_system_state(eucalyptus_node_t)

corecmd_exec_bin(eucalyptus_node_t)
corecmd_exec_shell(eucalyptus_node_t)  # https://eucalyptus.atlassian.net/browse/EUCA-11568

corenet_tcp_sendrecv_generic_port(eucalyptus_node_t)
corenet_tcp_connect_generic_port(eucalyptus_node_t)
corenet_tcp_bind_generic_node(eucalyptus_node_t)
corenet_tcp_bind_neutron_port(eucalyptus_node_t)  # port 8775
corenet_tcp_connect_neutron_port(eucalyptus_node_t)  # port 8775, for migration
corenet_tcp_connect_virt_port(eucalyptus_node_t)  # for migration

dev_read_generic_blk_files(eucalyptus_node_t)  # bundle-instance
dev_read_rand(eucalyptus_node_t)  # mkswap UUID generation
dev_rw_sysfs(eucalyptus_node_t)  # disconnect_iscsitarget_main.pl LUN deletion

fs_getattr_tmpfs(eucalyptus_node_t)  # bundle-instance
fs_getattr_xattr_fs(eucalyptus_node_t)
fs_manage_tmpfs_sockets(eucalyptus_node_t)  # bundle-instance

storage_raw_read_fixed_disk(eucalyptus_node_t)  # bundle-instance
storage_setattr_fixed_disk_dev(eucalyptus_node_t)  # bundle-instance

auth_read_passwd(eucalyptus_node_t)

fstools_domtrans(eucalyptus_node_t)  # blkid

libs_exec_ldconfig(eucalyptus_node_t)  # bundle-instance; no idea why

lvm_domtrans(eucalyptus_node_t)

miscfiles_manage_generic_cert_dirs(eucalyptus_node_t)  # https://eucalyptus.atlassian.net/browse/EUCA-12485
miscfiles_manage_generic_cert_files(eucalyptus_node_t)  # https://eucalyptus.atlassian.net/browse/EUCA-12496
miscfiles_read_localization(eucalyptus_node_t)

sysnet_dns_name_resolve(eucalyptus_node_t)

udev_domtrans(eucalyptus_node_t)  # use udevadm to obtain EBS volume /dev/disk/by-path/*

# https://eucalyptus.atlassian.net/browse/EUCA-12492
tunable_policy(`eucalyptus_run_mkfs', `
    rw_blk_files_pattern(eucalyptus_node_t, device_t, fixed_disk_device_t)

    dev_list_all_dev_nodes(eucalyptus_node_t)
')

optional_policy(`
    apache_exec(eucalyptus_node_t)
    apache_exec_modules(eucalyptus_node_t)
    apache_exec_suexec(eucalyptus_node_t)
    apache_search_config(eucalyptus_node_t)
')

optional_policy(`
    brctl_domtrans(eucalyptus_node_t)  # managed mode

    eucalyptus_dontaudit_leaks(brctl_t)  # https://eucalyptus.atlassian.net/browse/EUCA-12393
')

optional_policy(`
    gen_require(`
        type dhcp_etc_t;
        type dhcpd_state_t;
    ')

    read_files_pattern(eucalyptus_node_t, dhcpd_state_t, dhcp_etc_t)  # Edge NC gates instance launches on dhcp config
    read_files_pattern(eucalyptus_node_t, dhcpd_state_t, dhcpd_state_t)  # allow NC to access external net stats (eucanetd_getstats_net.out)
')

optional_policy(`
    eucalyptus_dontaudit_leaks(iscsid_t)  # https://eucalyptus.atlassian.net/browse/EUCA-12393

    iscsid_domtrans(eucalyptus_node_t)  # connect to EBS
')

optional_policy(`
    # We more or less have to use virt_image_t rather than our own type
    # because libvirtd applies that label when it shuts VMs off.
    # See /etc/selinux/*/contexts/virtual_image_context.
    gen_require(`
        type var_lib_t;
        type virsh_t;
        type virsh_exec_t;
        type virt_image_t;
    ')

    delete_files_pattern(eucalyptus_node_t, virt_image_t, var_lib_t)  # libvirtd console.log relabeling
    manage_lnk_files_pattern(eucalyptus_node_t, virt_image_t, virt_image_t)

    filetrans_pattern(eucalyptus_node_t, eucalyptus_var_lib_t, virt_image_t, dir, "instances")

    read_fifo_files_pattern(virsh_t, device_t, eucalyptus_node_t)  # connect_iscsitarget_main.pl reads /dev/stdin for ceph
    domtrans_pattern(eucalyptus_node_t, virsh_exec_t, virsh_t)  # connect_iscsitarget_main.pl for ceph

    eucalyptus_dontaudit_leaks(virsh_t)  # https://eucalyptus.atlassian.net/browse/EUCA-12393

    virt_manage_config(eucalyptus_node_t)  # migration
    virt_manage_images(eucalyptus_node_t)
    virt_stream_connect(eucalyptus_node_t)
    virt_systemctl(eucalyptus_node_t)  # migration
')

########################################
#
# eucanetd local policy
#

allow eucalyptus_eucanetd_t self:capability { setgid setuid };
allow eucalyptus_eucanetd_t self:capability net_admin;  # vconfig in managed mode
allow eucalyptus_eucanetd_t self:capability sys_admin;  # nsenter in VPCMIDO mode
dontaudit eucalyptus_eucanetd_t self:capability sys_resource;  # https://bugzilla.redhat.com/show_bug.cgi?id=1184712#c38

allow eucalyptus_eucanetd_t self:process { fork setpgid signal_perms };

allow eucalyptus_eucanetd_t self:fifo_file rw_fifo_file_perms;
allow eucalyptus_eucanetd_t self:unix_stream_socket create_stream_socket_perms;

read_files_pattern(eucalyptus_eucanetd_t, eucalyptus_conf_t, eucalyptus_conf_t)

manage_files_pattern(eucalyptus_eucanetd_t, eucalyptus_log_t, eucalyptus_log_t)
logging_log_filetrans(eucalyptus_eucanetd_t, eucalyptus_log_t, { dir file lnk_file })

read_files_pattern(eucalyptus_eucanetd_t, eucalyptus_var_lib_t, eucalyptus_var_lib_t)

manage_dirs_pattern(eucalyptus_eucanetd_t, eucalyptus_var_run_t, eucalyptus_var_run_t)
manage_files_pattern(eucalyptus_eucanetd_t, eucalyptus_var_run_t, eucalyptus_var_run_t)
files_pid_filetrans(eucalyptus_eucanetd_t, eucalyptus_var_run_t, file)

manage_files_pattern(eucalyptus_eucanetd_t, eucalyptus_tmp_t, eucalyptus_tmp_t)
files_tmp_filetrans(eucalyptus_eucanetd_t, eucalyptus_tmp_t, { dir file })

kernel_read_net_sysctls(eucalyptus_eucanetd_t)  # warn on wrong sysctl values
kernel_read_network_state(eucalyptus_eucanetd_t)  # vconfig in managed mode
kernel_read_system_state(eucalyptus_eucanetd_t)

corecmd_exec_bin(eucalyptus_eucanetd_t)

corenet_udp_bind_generic_node(eucalyptus_eucanetd_t)
corenet_udp_bind_generic_port(eucalyptus_eucanetd_t)
corenet_tcp_connect_http_cache_port(eucalyptus_eucanetd_t)  # port 8080, midonet-api
corenet_tcp_connect_intermapper_port(eucalyptus_eucanetd_t) # port 8181, midonet-api

dev_read_sysfs(eucalyptus_eucanetd_t)

auth_read_passwd(eucalyptus_eucanetd_t)

sysnet_dns_name_resolve(eucalyptus_eucanetd_t)

optional_policy(`
    ps_process_pattern(eucalyptus_eucanetd_t, httpd_t)  # VPC metadata

    create_files_pattern(httpd_t, eucalyptus_var_run_t, eucalyptus_var_run_t)  # nginx PID files
    delete_files_pattern(httpd_t, eucalyptus_var_run_t, eucalyptus_var_run_t)  # nginx PID files
    rw_files_pattern(httpd_t, eucalyptus_var_run_t, eucalyptus_var_run_t)  # nginx PID files

    apache_systemctl(eucalyptus_eucanetd_t)

    eucalyptus_dontaudit_leaks(httpd_t)  # https://eucalyptus.atlassian.net/browse/EUCA-12084
')

optional_policy(`
    brctl_domtrans(eucalyptus_eucanetd_t)  # managed mode

    eucalyptus_dontaudit_leaks(brctl_t)  # https://eucalyptus.atlassian.net/browse/EUCA-12084
')

optional_policy(`
    gen_require(`
        type dhcp_etc_t;
        type dhcpd_state_t;
    ')

    allow eucalyptus_eucanetd_t dhcpd_t:process sigkill;

    ps_process_pattern(eucalyptus_eucanetd_t, dhcpd_t)

    manage_files_pattern(eucalyptus_eucanetd_t, dhcpd_state_t, dhcpd_state_t)
    sysnet_dhcp_state_filetrans(eucalyptus_eucanetd_t, dhcpd_state_t, file)

    manage_files_pattern(eucalyptus_eucanetd_t, dhcpd_state_t, dhcp_etc_t)
    filetrans_pattern(eucalyptus_eucanetd_t, dhcpd_state_t, dhcp_etc_t, file, "euca-dhcp.conf")

    dhcpd_systemctl(eucalyptus_eucanetd_t)

    eucalyptus_dontaudit_leaks(dhcpd_t)  # https://eucalyptus.atlassian.net/browse/EUCA-12084
')

optional_policy(`
    gen_require(`
        type iptables_t;
    ')

    read_files_pattern(iptables_t, eucalyptus_tmp_t, eucalyptus_tmp_t)

    eucalyptus_dontaudit_leaks(iptables_t)  # https://eucalyptus.atlassian.net/browse/EUCA-12084

    iptables_domtrans(eucalyptus_eucanetd_t)  # iptables, ebtables
')

optional_policy(`
    eucalyptus_dontaudit_leaks(netutils_t)  # https://eucalyptus.atlassian.net/browse/EUCA-12084

    netutils_domtrans(eucalyptus_eucanetd_t)  # arping
')

optional_policy(`
    gen_require(`
        type ifconfig_t;
    ')

    sysnet_domtrans_ifconfig(eucalyptus_eucanetd_t)  # ifconfig, ip

    eucalyptus_dontaudit_leaks(ifconfig_t)  # https://eucalyptus.atlassian.net/browse/EUCA-12084
')

optional_policy(`
  gen_require(`
    type virtd_t;
    type virtlogd_t;
    type virt_image_t;
    type virt_log_t;
  ')

  # libvirtd creates console.log, then virtlogd opens it
  filetrans_pattern(virtd_t, virt_image_t, virt_log_t, file, "console.log")

  # allow NC to unlink and rename console.log (EUCA-13138 related fix)
  delete_files_pattern(eucalyptus_node_t, virt_image_t, virt_log_t)
  rename_files_pattern(eucalyptus_node_t, virt_image_t, virt_log_t)

  search_dirs_pattern(virtlogd_t, eucalyptus_var_lib_t, eucalyptus_var_lib_t)

  append_files_pattern(virtlogd_t, virt_image_t, virt_log_t)
')