|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Oddjob provides a mechanism by which unprivileged applications can
|
|
|
1ec3d1a |
## request that specified privileged operations be performed on their
|
|
|
1ec3d1a |
## behalf.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Execute a domain transition to run oddjob.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
Chris PeBenito |
9401ae1 |
## <summary>
|
|
Chris PeBenito |
9401ae1 |
## Domain allowed to transition.
|
|
Chris PeBenito |
9401ae1 |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`oddjob_domtrans',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type oddjob_t, oddjob_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
domtrans_pattern($1, oddjob_exec_t, oddjob_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
#####################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Do not audit attempts to read and write
|
|
|
1ec3d1a |
## oddjob fifo file.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain to not audit.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`oddjob_dontaudit_rw_fifo_file',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type oddjob_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Make the specified program domain accessable
|
|
|
1ec3d1a |
## from the oddjob.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## The type of the process to transition to.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <param name="entrypoint">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## The type of the file used as an entrypoint to this domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`oddjob_system_entry',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type oddjob_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
domtrans_pattern(oddjob_t, $2, $1)
|
|
|
1ec3d1a |
domain_user_exemption_target($1)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Send and receive messages from
|
|
|
1ec3d1a |
## oddjob over dbus.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`oddjob_dbus_chat',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type oddjob_t;
|
|
|
1ec3d1a |
class dbus send_msg;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 oddjob_t:dbus send_msg;
|
|
|
1ec3d1a |
allow oddjob_t $1:dbus send_msg;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
######################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Send a SIGCHLD signal to oddjob.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`oddjob_sigchld',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type oddjob_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 oddjob_t:process sigchld;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Execute a domain transition to run oddjob_mkhomedir.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`oddjob_domtrans_mkhomedir',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <param name="role">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Role allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <rolecap/>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`oddjob_run_mkhomedir',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type oddjob_mkhomedir_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
oddjob_domtrans_mkhomedir($1)
|
|
|
1ec3d1a |
role $2 types oddjob_mkhomedir_t;
|
|
|
1ec3d1a |
')
|
|
|
71b6a99 |
|
|
|
71b6a99 |
########################################
|
|
|
71b6a99 |
## <summary>
|
|
|
71b6a99 |
## Create a domain which can be started by init,
|
|
|
71b6a99 |
## with a range transition.
|
|
|
71b6a99 |
## </summary>
|
|
|
71b6a99 |
## <param name="domain">
|
|
|
71b6a99 |
## <summary>
|
|
|
71b6a99 |
## Type to be used as a domain.
|
|
|
71b6a99 |
## </summary>
|
|
|
71b6a99 |
## </param>
|
|
|
71b6a99 |
## <param name="entry_point">
|
|
|
71b6a99 |
## <summary>
|
|
|
71b6a99 |
## Type of the program to be used as an entry point to this domain.
|
|
|
71b6a99 |
## </summary>
|
|
|
71b6a99 |
## </param>
|
|
|
71b6a99 |
## <param name="range">
|
|
|
71b6a99 |
## <summary>
|
|
|
71b6a99 |
## Range for the domain.
|
|
|
71b6a99 |
## </summary>
|
|
|
71b6a99 |
## </param>
|
|
|
71b6a99 |
#
|
|
|
71b6a99 |
interface(`oddjob_ranged_domain',`
|
|
|
71b6a99 |
gen_require(`
|
|
|
71b6a99 |
type oddjob_t;
|
|
|
71b6a99 |
')
|
|
|
71b6a99 |
|
|
|
71b6a99 |
oddjob_system_entry($1, $2)
|
|
|
71b6a99 |
|
|
|
71b6a99 |
ifdef(`enable_mcs',`
|
|
|
71b6a99 |
range_transition oddjob_t $2:process $3;
|
|
|
71b6a99 |
')
|
|
|
71b6a99 |
|
|
|
71b6a99 |
ifdef(`enable_mls',`
|
|
|
71b6a99 |
range_transition oddjob_t $2:process $3;
|
|
|
71b6a99 |
mls_rangetrans_target($1)
|
|
|
71b6a99 |
')
|
|
|
71b6a99 |
')
|