## <summary>
##	Oddjob provides a mechanism by which unprivileged applications can
##	request that specified privileged operations be performed on their
##	behalf.
## </summary>
## <desc>
##	<p>
##	Because oddjob_t acts on behalf of unprivileged callers, every
##	interface below that lets a domain reach oddjob (D-Bus chat, domain
##	transitions, entrypoints) effectively widens the set of callers able
##	to request those privileged operations.  Grant them to the narrowest
##	domains that need them.
##	</p>
## </desc>

########################################
## <summary>
##	Execute a domain transition to run oddjob.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`oddjob_domtrans',`
	gen_require(`
		type oddjob_t, oddjob_exec_t;
	')

	# Executing oddjob_exec_t from $1 lands the process in oddjob_t.
	domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')

#####################################
## <summary>
##	Do not audit attempts to read and write
##	oddjob fifo file.
## </summary>
## <param name="domain">
## <summary>
##	Domain to not audit.
## </summary>
## </param>
#
interface(`oddjob_dontaudit_rw_fifo_file',`
	gen_require(`
		type oddjob_t;
	')

	# Only the inherited-descriptor permission set is silenced; this is a
	# dontaudit, so nothing is granted, just not logged.
	dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
##	Make the specified program domain accessable
##	from the oddjob.
## </summary>
## <param name="domain">
## <summary>
##	The type of the process to transition to.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
##	The type of the file used as an entrypoint to this domain.
## </summary>
## </param>
#
interface(`oddjob_system_entry',`
	gen_require(`
		type oddjob_t;
	')

	# Note the argument order: oddjob_t is the source, $2 the entrypoint
	# file type, $1 the resulting domain.
	domtrans_pattern(oddjob_t, $2, $1)
	# NOTE(review): presumably marks $1 as exempt from the generic
	# user-domain restrictions; confirm against domain.if before relying
	# on it.
	domain_user_exemption_target($1)
')

########################################
## <summary>
##	Send and receive messages from
##	oddjob over dbus.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`oddjob_dbus_chat',`
	gen_require(`
		type oddjob_t;
		class dbus send_msg;
	')

	# Bidirectional: the caller may send requests to oddjob and oddjob
	# may reply.  This is the primary way a domain asks oddjob to act.
	allow $1 oddjob_t:dbus send_msg;
	allow oddjob_t $1:dbus send_msg;
')

######################################
## <summary>
##	Send a SIGCHLD signal to oddjob.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`oddjob_sigchld',`
	gen_require(`
		type oddjob_t;
	')

	allow $1 oddjob_t:process sigchld;
')

########################################
## <summary>
##	Execute a domain transition to run oddjob_mkhomedir.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`oddjob_domtrans_mkhomedir',`
	gen_require(`
		type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
	')

	domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
')

########################################
## <summary>
##	Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
##	Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`oddjob_run_mkhomedir',`
	gen_require(`
		type oddjob_mkhomedir_t;
	')

	oddjob_domtrans_mkhomedir($1)
	# The role must also be authorized for the target domain or the
	# transition is denied at the role level.
	role $2 types oddjob_mkhomedir_t;
')

########################################
## <summary>
##	Execute the oddjob program in the oddjob domain.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
##	Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`oddjob_run',`
	gen_require(`
		type oddjob_t;
	')

	oddjob_domtrans($1)
	role $2 types oddjob_t;
')

#######################################
## <summary>
##	Allow the caller to control the oddjob service with systemctl:
##	execute systemctl, reload init services, read the oddjob unit
##	file, manage the oddjob service unit, and read oddjob process
##	state.
## </summary>
## <desc>
##	<p>
##	This is service-management access, not a transition into oddjob_t.
##	It should normally be reserved for administrative domains, since
##	manage_service_perms covers the full service-control permission set
##	defined in the base policy.
##	</p>
## </desc>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`oddjob_systemctl',`
	gen_require(`
		type oddjob_unit_file_t;
		type oddjob_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 oddjob_unit_file_t:file read_file_perms;
	allow $1 oddjob_unit_file_t:service manage_service_perms;

	# Lets the caller inspect oddjob_t processes (e.g. for status output).
	ps_process_pattern($1, oddjob_t)
')

########################################
## <summary>
##	Create a domain which oddjob can transition into,
##	with a range transition.
## </summary>
## <desc>
##	<p>
##	The source of the transition is oddjob_t, not init; the MLS/MCS
##	range on the new process is set to the supplied range.
##	</p>
## </desc>
## <param name="domain">
## <summary>
##	Type to be used as a domain.
## </summary>
## </param>
## <param name="entry_point">
## <summary>
##	Type of the program to be used as an entry point to this domain.
## </summary>
## </param>
## <param name="range">
## <summary>
##	Range for the domain.
## </summary>
## </param>
#
interface(`oddjob_ranged_domain',`
	gen_require(`
		type oddjob_t;
	')

	oddjob_system_entry($1, $2)

	# enable_mcs and enable_mls are alternative build configurations;
	# only one range_transition is emitted for a given build.
	ifdef(`enable_mcs',`
		range_transition oddjob_t $2:process $3;
	')

	ifdef(`enable_mls',`
		range_transition oddjob_t $2:process $3;
		mls_rangetrans_target($1)
	')
')

########################################
## <summary>
##	Allow any oddjob_mkhomedir_exec_t to be an entrypoint of this domain
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`oddjob_mkhomedir_entrypoint',`
	gen_require(`
		type oddjob_mkhomedir_exec_t;
	')

	# Entrypoint only; the caller still needs the matching transition and
	# execute rules for a transition into $1 to succeed.
	allow $1 oddjob_mkhomedir_exec_t:file entrypoint;
')