diff options
Diffstat (limited to 'policy/modules/services/cobbler.if')
-rw-r--r-- | policy/modules/services/cobbler.if | 180 |
1 files changed, 180 insertions, 0 deletions
diff --git a/policy/modules/services/cobbler.if b/policy/modules/services/cobbler.if new file mode 100644 index 000000000..6c6b57574 --- /dev/null +++ b/policy/modules/services/cobbler.if @@ -0,0 +1,180 @@ +## <summary>Cobbler installation server.</summary> + +######################################## +## <summary> +## Execute a domain transition to run cobblerd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cobblerd_domtrans',` + gen_require(` + type cobblerd_t, cobblerd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, cobblerd_exec_t, cobblerd_t) +') + +######################################## +## <summary> +## Execute cobblerd init scripts in +## the init script domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`cobblerd_initrc_domtrans',` + gen_require(` + type cobblerd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, cobblerd_initrc_exec_t) +') + +######################################## +## <summary> +## Read cobbler configuration files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cobbler_read_config',` + gen_require(` + type cobbler_etc_t; + ') + + read_files_pattern($1, cobbler_etc_t, cobbler_etc_t) + files_search_etc($1) +') + +######################################## +## <summary> +## Do not audit attempts to read and write +## cobbler log files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`cobbler_dontaudit_rw_log',` + gen_require(` + type cobbler_var_log_t; + ') + + dontaudit $1 cobbler_var_log_t:file rw_file_perms; +') + +######################################## +## <summary> +## Search cobbler lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cobbler_search_lib',` + gen_require(` + type cobbler_var_lib_t; + ') + + files_search_var_lib($1) + search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) +') + +######################################## +## <summary> +## Read cobbler lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cobbler_read_lib_files',` + gen_require(` + type cobbler_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## cobbler lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`cobbler_manage_lib_files',` + gen_require(` + type cobbler_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t) +') + +######################################## +## <summary> +## All of the rules required to +## administrate an cobbler environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`cobbler_admin',` + gen_require(` + type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t; + type cobbler_etc_t, cobblerd_initrc_exec_t, cobbler_content_t; + type cobbler_tmp_t; + ') + + allow $1 cobblerd_t:process { ptrace signal_perms }; + ps_process_pattern($1, cobblerd_t) + + init_startstop_service($1, $2, cobblerd_t, cobblerd_initrc_exec_t) + + files_search_etc($1) + admin_pattern($1, cobbler_etc_t) + + files_search_tmp($1) + admin_pattern($1, cobbler_tmp_t) + + files_search_var_lib($1) + admin_pattern($1, cobbler_var_lib_t) + + logging_search_logs($1) + admin_pattern($1, cobbler_var_log_t) + + apache_search_sys_content($1) + admin_pattern($1, cobbler_content_t) +') |