diff --git a/policy/modules/contrib/sap.fc b/policy/modules/contrib/sap.fc
new file mode 100644
index 0000000000..d090733f68
--- /dev/null
+++ b/policy/modules/contrib/sap.fc
@@ -0,0 +1,20 @@
+### primary executables
+/usr/sap/hostctrl/exe/.+ -- gen_context(system_u:object_r:sap_exec_t,s0)
+/usr/sap/H4C/HDB96/exe/.+ -- gen_context(system_u:object_r:sap_exec_t,s0)
+
+### additional executables
+#/hana/shared/H66/HDB33/.+ -- gen_context(system_u:object_r:sap_exec_t,s0)
+#/hana/shared/H66/exe(/.*)? -- gen_context(system_u:object_r:sap_exec_t,s0)
+
+### temporary files
+#/usr/sap/tmp(/.*)? gen_context(system_u:object_r:sap_tmp_t,s0)
+
+### work data
+#/usr/sap/hostctrl/work(/.*)? gen_context(system_u:object_r:sap_var_lib_t,s0)
+
+### hana logs
+#/hana/log/H66(/.*)? gen_context(system_u:object_r:sap_log_t,s0)
+
+### work data
+#/hana/data/H66(/.*)? gen_context(system_u:object_r:sap_var_lib_t,s0)
+
diff --git a/policy/modules/contrib/sap.if b/policy/modules/contrib/sap.if
new file mode 100644
index 0000000000..d1bcf739d3
--- /dev/null
+++ b/policy/modules/contrib/sap.if
@@ -0,0 +1,39 @@
+## SAP policy
+
+######################################
+##
+## Execute sap in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sap_exec',`
+ gen_require(`
+ type sap_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, sap_exec_t)
+')
+
+########################################
+##
+## Execute sap in sap unconfined domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`sap_unconfined_domtrans',`
+ gen_require(`
+ type sap_unconfined_t, sap_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, sap_exec_t, sap_unconfined_t)
+')
diff --git a/policy/modules/contrib/sap.te b/policy/modules/contrib/sap.te
new file mode 100644
index 0000000000..8c400da86c
--- /dev/null
+++ b/policy/modules/contrib/sap.te
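Review bot: The entry `/usr/sap/H4C/HDB96/exe/.+` bakes a site-specific SID and instance number into a contrib module, and the commented entries below it use a different SID (`H66`), so on any other installation the HANA executables would presumably not receive `sap_exec_t` and the entrypoint transition declared in sap.te would never apply to them. Either state at the top of the file that these segments must be adapted per site (`# NOTE: H4C/HDB96 are one installation's SID/instance; adjust to the local layout`) or use a generic pattern for the SID and instance segments, keeping in mind that a broader regex enlarges the set of files that act as entrypoints into an unconfined domain and should be reviewed with that in mind. The second `### work data` heading, above `/hana/data/H66`, looks copied from the one above `/usr/sap/hostctrl/work`; `### hana data` would parallel the `### hana logs` heading. The `--` qualifier on the two live entries is right, since only regular files should carry the entrypoint type, and the commented directory-tree entries correctly omit it.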
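Review bot: The `sap_unconfined_domtrans` interface hands its caller a transition into a domain that sap.te makes unconfined, but its description (`Execute sap in sap unconfined domain.`) does not say what that implies, and a policy author granting the interface to some domain needs that spelled out. I would add to the description block `## Transitions $1 into sap_unconfined_t, an unconfined domain; grant only to domains that are already trusted to run unconfined code.` Both interfaces otherwise follow the usual refpolicy shape (`corecmd_search_bin` followed by `can_exec` or `domtrans_pattern`), and the `gen_require` lists are complete for the types they use. The summary/param markup that refpolicy interface comments normally carry is not visible in this rendering; if it was stripped by the page ignore this, otherwise the `##` blocks should carry it so the interface documentation generator can pick them up.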
@@ -0,0 +1,16 @@
+policy_module(sap, 1.0)
+
+type sap_unconfined_t;
+type sap_exec_t;
+files_type(sap_exec_t);
+init_daemon_domain(sap_unconfined_t, sap_exec_t)
+
+#type sap_tmp_t;
+#files_tmp_file(sap_tmp_t);
+#manage_dirs_pattern(sap_unconfined_t, sap_tmp_t, sap_tmp_t)
+#manage_files_pattern(sap_unconfined_t, sap_tmp_t, sap_tmp_t)
+#files_tmp_filetrans(sap_unconfined_t, sap_tmp_t, { dir file })
+
+optional_policy(`
+ unconfined_domain(sap_unconfined_t)
+')
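Review bot: `sap_unconfined_t` only gets its permissions from the `optional_policy` block at the end of the hunk, so when the unconfined module is not loaded that block drops out and the domain is left with just what `init_daemon_domain` provides; SAP would then start into a near-empty domain and fail on denials rather than run unconfined, which is worth stating up front with a header comment such as `# sap_unconfined_t is intentionally unconfined (optional_policy below); without the unconfined module this domain is not usable.` The trailing semicolon on `files_type(sap_exec_t);` (and on the commented `files_tmp_file(sap_tmp_t);`) is not needed because interface calls are m4 macros rather than policy statements, and the stray `;` ends up in the expanded policy after the generated rules; I would drop it to match `init_daemon_domain(sap_unconfined_t, sap_exec_t)` on the next line, or at least confirm checkmodule tolerates it. Since every file labeled `sap_exec_t` becomes an entrypoint into an unconfined domain, that type is the module's effective security boundary, and a comment on `type sap_exec_t;` saying so would warn whoever later widens the file contexts.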