##
## Oddjob provides a mechanism by which unprivileged applications can
## request that specified privileged operations be performed on their
## behalf.
##
########################################
##
## Execute a domain transition to run oddjob.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`oddjob_domtrans',`
gen_require(`
type oddjob_t, oddjob_exec_t;
')
domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')
#####################################
##
## Do not audit attempts to read and write
## oddjob fifo file.
##
##
##
## Domain to not audit.
##
##
#
interface(`oddjob_dontaudit_rw_fifo_file',`
gen_require(`
type oddjob_t;
')
dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
##
## Make the specified program domain accessable
## from the oddjob.
##
##
##
## The type of the process to transition to.
##
##
##
##
## The type of the file used as an entrypoint to this domain.
##
##
#
interface(`oddjob_system_entry',`
gen_require(`
type oddjob_t;
')
domtrans_pattern(oddjob_t, $2, $1)
domain_user_exemption_target($1)
')
########################################
##
## Send and receive messages from
## oddjob over dbus.
##
##
##
## Domain allowed access.
##
##
#
interface(`oddjob_dbus_chat',`
gen_require(`
type oddjob_t;
class dbus send_msg;
')
allow $1 oddjob_t:dbus send_msg;
allow oddjob_t $1:dbus send_msg;
')
######################################
##
## Send a SIGCHLD signal to oddjob.
##
##
##
## Domain allowed access.
##
##
#
interface(`oddjob_sigchld',`
gen_require(`
type oddjob_t;
')
allow $1 oddjob_t:process sigchld;
')
########################################
##
## Execute a domain transition to run oddjob_mkhomedir.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`oddjob_domtrans_mkhomedir',`
gen_require(`
type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
')
domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
')
########################################
##
## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
interface(`oddjob_run_mkhomedir',`
gen_require(`
type oddjob_mkhomedir_t;
')
oddjob_domtrans_mkhomedir($1)
role $2 types oddjob_mkhomedir_t;
')
########################################
##
## Execute the oddjob program in the oddjob domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
interface(`oddjob_run',`
gen_require(`
type oddjob_t;
')
oddjob_domtrans($1)
role $2 types oddjob_t;
')
#######################################
##
## Execute oddjob in the oddjob domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`oddjob_systemctl',`
gen_require(`
type oddjob_unit_file_t;
type oddjob_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 oddjob_unit_file_t:file read_file_perms;
allow $1 oddjob_unit_file_t:service manage_service_perms;
ps_process_pattern($1, oddjob_t)
')
########################################
##
## Create a domain which can be started by init,
## with a range transition.
##
##
##
## Type to be used as a domain.
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
##
##
## Range for the domain.
##
##
#
interface(`oddjob_ranged_domain',`
gen_require(`
type oddjob_t;
')
oddjob_system_entry($1, $2)
ifdef(`enable_mcs',`
range_transition oddjob_t $2:process $3;
')
ifdef(`enable_mls',`
range_transition oddjob_t $2:process $3;
mls_rangetrans_target($1)
')
')
########################################
##
## Allow any oddjob_mkhomedir_exec_t to be an entrypoint of this domain
##
##
##
## Domain allowed access.
##
##
##
#
interface(`oddjob_mkhomedir_entrypoint',`
gen_require(`
type oddjob_mkhomedir_exec_t;
')
allow $1 oddjob_mkhomedir_exec_t:file entrypoint;
')