## <summary>policy for mcollective</summary>
########################################
## <summary>
##	Execute mcollective in the mcollective domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`mcollective_domtrans',`
	gen_require(`
		type mcollective_t;
		type mcollective_exec_t;
	')

	# Entry point: executing a file labeled mcollective_exec_t moves the
	# calling domain into mcollective_t.
	domtrans_pattern($1, mcollective_exec_t, mcollective_t)

	# The caller must be able to search the bin directories to reach
	# the executable.
	corecmd_search_bin($1)
')
########################################
## <summary>
##	Search mcollective conf directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mcollective_search_conf',`
	gen_require(`
		type mcollective_etc_rw_t;
	')

	# Reach the configuration tree through /etc first.
	files_search_etc($1)

	# Search only: no listing or reading of the directory contents.
	allow $1 mcollective_etc_rw_t:dir search_dir_perms;
')
########################################
## <summary>
##	Read mcollective conf files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mcollective_read_conf_files',`
	gen_require(`
		type mcollective_etc_rw_t;
	')

	# Reach the configuration tree through /etc first.
	files_search_etc($1)

	# Read-only access: list the conf directories and read the files
	# in them. No write, create or delete permission is granted here.
	read_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
	allow $1 mcollective_etc_rw_t:dir list_dir_perms;
')
########################################
## <summary>
##	Manage mcollective conf files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mcollective_manage_conf_files',`
	gen_require(`
		type mcollective_etc_rw_t;
	')

	# Reach the configuration tree through /etc first.
	files_search_etc($1)

	# Full file management on the conf type. A domain granted this can
	# rewrite the mcollective configuration, so callers should be limited
	# to domains that are trusted to do so.
	manage_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
')
########################################
## <summary>
##	All of the rules required to administrate
##	an mcollective environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mcollective_admin',`
	gen_require(`
		type mcollective_t, mcollective_etc_rw_t;
	')

	# NOTE(review): the role parameter is documented above but is not
	# referenced anywhere in this body. Confirm whether a role rule is
	# missing or the parameter is kept only for interface compatibility.

	# Process control over the daemon: signals, process listing and ptrace.
	# NOTE(review): ptrace lets the admin domain read and alter the memory
	# of mcollective_t processes and is granted unconditionally here.
	# Confirm it is required, or gate it behind a ptrace tunable such as
	# deny_ptrace where the policy tree defines one.
	ps_process_pattern($1, mcollective_t)
	allow $1 mcollective_t:process { ptrace signal_perms };

	# Administrative access to the configuration type, reached through /etc.
	admin_pattern($1, mcollective_etc_rw_t)
	files_search_etc($1)

	# Only applied when the systemd policy module is present: allows the
	# admin domain to use the systemd password agent.
	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
')