1
policy_module(haproxy,1.0.0)
3
########################################
11
init_daemon_domain(haproxy_t, haproxy_exec_t)
13
type haproxy_var_run_t;
14
files_pid_file(haproxy_var_run_t)
17
files_config_file(haproxy_conf_t)
19
########################################
24
# Configuration files - read
25
allow haproxy_t haproxy_conf_t : dir list_dir_perms;
26
allow haproxy_t haproxy_conf_t : file read_file_perms;
27
allow haproxy_t haproxy_conf_t : lnk_file read_file_perms;
29
# PID and socket file - create, read, and write
30
files_pid_filetrans(haproxy_t, haproxy_var_run_t, { file sock_file })
31
allow haproxy_t haproxy_var_run_t:file manage_file_perms;
32
allow haproxy_t haproxy_var_run_t:sock_file { create rename link setattr unlink };
34
allow haproxy_t self : tcp_socket create_stream_socket_perms;
35
allow haproxy_t self: udp_socket create_socket_perms;
36
allow haproxy_t self: capability { setgid setuid sys_chroot sys_resource kill };
37
allow haproxy_t self: process { setrlimit signal };
40
logging_send_syslog_msg(haproxy_t)
42
corenet_tcp_bind_all_ports(haproxy_t)
43
corenet_tcp_connect_all_ports(haproxy_t)
44
corenet_tcp_bind_all_nodes(haproxy_t)
45
corenet_tcp_sendrecv_all_ports(haproxy_t)
46
corenet_tcp_recvfrom_unlabeled(haproxy_t)
48
# use shared libraries
49
libs_use_ld_so(haproxy_t)
50
libs_use_shared_libs(haproxy_t)
52
# Read /etc/localtime:
53
miscfiles_read_localization(haproxy_t)
54
# Read /etc/passwd and more.
55
files_read_etc_files(haproxy_t)
65
allow haproxy_t unlabeled_t:packet { send recv };