Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/contrib/cfengine.if

167 lines
3.4 KiB
Text
Raw Normal View History

## <summary>System administration tool for networks.</summary>
#######################################
## <summary>
## The template to define a cfengine domain.
## </summary>
## <param name="domain_prefix">
## <summary>
## Domain prefix to be used.
## </summary>
## </param>
#
template(`cfengine_domain_template',`
gen_require(`
attribute cfengine_domain;
')
########################################
#
# Declarations
#
type cfengine_$1_t, cfengine_domain;
type cfengine_$1_exec_t;
init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
########################################
#
# Policy
#
kernel_read_system_state(cfengine_$1_t)
auth_use_nsswitch(cfengine_$1_t)
logging_send_syslog_msg(cfengine_$1_t)
')
######################################
## <summary>
## Search cfengine lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cfengine_search_lib_files',`
gen_require(`
type cfengine_var_lib_t;
')
allow $1 cfengine_var_lib_t:dir search_dir_perms;
')
########################################
## <summary>
## Read cfengine lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cfengine_read_lib_files',`
gen_require(`
type cfengine_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
')
####################################
## <summary>
## Do not audit attempts to write
## cfengine log files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`cfengine_dontaudit_write_log_files',`
gen_require(`
type cfengine_var_log_t;
')
dontaudit $1 cfengine_var_log_t:file write_file_perms;
')
#####################################
## <summary>
## Allow the specified domain to append cfengine's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cfengine_append_inherited_log',`
gen_require(`
type cfengine_var_log_t;
')
cfengine_search_lib_files($1)
allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
')
####################################
## <summary>
## Dontaudit the specified domain to write cfengine's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cfengine_dontaudit_write_log',`
gen_require(`
type cfengine_var_log_t;
')
dontaudit $1 cfengine_var_log_t:file write;
')
########################################
## <summary>
## All of the rules required to
## administrate an cfengine environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`cfengine_admin',`
gen_require(`
attribute cfengine_domain;
type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
')
allow $1 cfengine_domain:process { signal_perms };
ps_process_pattern($1, cfengine_domain)
init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cfengine_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
')