Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/services/inn.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/services/inn.if')
-rw-r--r--policy/modules/services/inn.if252
1 files changed, 252 insertions, 0 deletions
diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
new file mode 100644
index 00000000..8e24feb9
--- /dev/null
+++ b/policy/modules/services/inn.if
@@ -0,0 +1,252 @@
+## <summary>Internet News NNTP server.</summary>
+
+########################################
+## <summary>
+## Execute innd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_exec',`
+ gen_require(`
+ type innd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, innd_exec_t)
+')
+
+########################################
+## <summary>
+## Execute inn configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_exec_config',`
+ gen_require(`
+ type innd_etc_t;
+ ')
+
+ files_search_etc($1)
+ exec_files_pattern($1, innd_etc_t, innd_etc_t)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## innd log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_manage_log',`
+ gen_require(`
+ type innd_log_t;
+ ')
+
+ manage_files_pattern($1, innd_log_t, innd_log_t)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## log directories with the innd log file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`inn_generic_log_filetrans_innd_log',`
+ gen_require(`
+ type innd_log_t;
+ ')
+
+ logging_log_filetrans($1, innd_log_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## innd pid content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_manage_pid',`
+ gen_require(`
+ type innd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 innd_var_run_t:dir manage_dir_perms;
+ allow $1 innd_var_run_t:file manage_file_perms;
+ allow $1 innd_var_run_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Read innd configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+
+#
+interface(`inn_read_config',`
+ gen_require(`
+ type innd_etc_t;
+ ')
+
+ allow $1 innd_etc_t:dir list_dir_perms;
+ allow $1 innd_etc_t:file read_file_perms;
+ allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Read innd news library content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_read_news_lib',`
+ gen_require(`
+ type innd_var_lib_t;
+ ')
+
+ allow $1 innd_var_lib_t:dir list_dir_perms;
+ allow $1 innd_var_lib_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Read innd news spool content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_read_news_spool',`
+ gen_require(`
+ type news_spool_t;
+ ')
+
+ allow $1 news_spool_t:dir list_dir_perms;
+ allow $1 news_spool_t:file read_file_perms;
+ allow $1 news_spool_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## Send to a innd unix dgram socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`inn_dgram_send',`
+ gen_require(`
+ type innd_t, innd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, innd_var_run_t, innd_var_run_t, innd_t)
+')
+
+########################################
+## <summary>
+## Execute innd in the innd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`inn_domtrans',`
+ gen_require(`
+ type innd_t, innd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, innd_exec_t, innd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an inn environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`inn_admin',`
+ gen_require(`
+ type innd_t, innd_etc_t, innd_log_t;
+ type news_spool_t, innd_var_lib_t;
+ type innd_var_run_t, innd_initrc_exec_t;
+ ')
+
+ init_startstop_service($1, $2, innd_t, innd_initrc_exec_t)
+
+ allow $1 innd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, innd_t)
+
+ files_list_etc($1)
+ admin_pattern($1, innd_etc_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, innd_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, innd_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, innd_var_run_t)
+
+ files_list_spool($1)
+ admin_pattern($1, news_spool_t)
+')