|
|
1ec3d1a |
## <summary>Caching web proxy.</summary>
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Role access for polipo session.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="role">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Role allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
template(`polipo_role',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type polipo_session_t, polipo_exec_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# Declarations
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
role $1 types polipo_session_t;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
# Policy
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $2 polipo_session_t:process signal_perms;
|
|
|
1ec3d1a |
ps_process_pattern($2, polipo_session_t)
|
|
|
1ec3d1a |
tunable_policy(`deny_ptrace',`',`
|
|
|
1ec3d1a |
allow $2 polipo_session_t:process ptrace;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
tunable_policy(`polipo_session_users',`
|
|
|
1ec3d1a |
domtrans_pattern($2, polipo_exec_t, polipo_session_t)
|
|
|
1ec3d1a |
',`
|
|
|
1ec3d1a |
can_exec($2, polipo_exec_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Create configuration files in user
|
|
|
1ec3d1a |
## home directories with a named file
|
|
|
1ec3d1a |
## type transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`polipo_named_filetrans_config_home_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type polipo_config_home_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Create cache directories in user
|
|
|
1ec3d1a |
## home directories with a named file
|
|
|
1ec3d1a |
## type transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`polipo_named_filetrans_cache_home_dirs',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type polipo_cache_home_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Create configuration files in admin
|
|
|
1ec3d1a |
## home directories with a named file
|
|
|
1ec3d1a |
## type transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`polipo_named_filetrans_admin_config_home_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type polipo_config_home_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Create cache directories in admin
|
|
|
1ec3d1a |
## home directories with a named file
|
|
|
1ec3d1a |
## type transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`polipo_named_filetrans_admin_cache_home_dirs',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type polipo_cache_home_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Create log files with a named file
|
|
|
1ec3d1a |
## type transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`polipo_named_filetrans_log_files',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type polipo_log_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Execute polipo server in the polipo domain.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed to transition.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`polipo_systemctl',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type polipo_t;
|
|
|
1ec3d1a |
type polipo_unit_file_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
systemd_exec_systemctl($1)
|
|
|
1ec3d1a |
allow $1 polipo_unit_file_t:file read_file_perms;
|
|
|
1ec3d1a |
allow $1 polipo_unit_file_t:service manage_service_perms;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
ps_process_pattern($1, polipo_t)
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
########################################
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Administrate an polipo environment.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## <param name="domain">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Domain allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <param name="role">
|
|
|
1ec3d1a |
## <summary>
|
|
|
1ec3d1a |
## Role allowed access.
|
|
|
1ec3d1a |
## </summary>
|
|
|
1ec3d1a |
## </param>
|
|
|
1ec3d1a |
## <rolecap/>
|
|
|
1ec3d1a |
#
|
|
|
1ec3d1a |
interface(`polipo_admin',`
|
|
|
1ec3d1a |
gen_require(`
|
|
|
1ec3d1a |
type polipo_t, polipo_pid_t, polipo_cache_t;
|
|
|
1ec3d1a |
type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
|
|
|
1ec3d1a |
type polipo_unit_file_t;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
allow $1 polipo_t:process signal_perms;
|
|
|
1ec3d1a |
ps_process_pattern($1, polipo_t)
|
|
|
1ec3d1a |
tunable_policy(`deny_ptrace',`',`
|
|
|
1ec3d1a |
allow $1 polipo_t:process ptrace;
|
|
|
1ec3d1a |
')
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
init_labeled_script_domtrans($1, polipo_initrc_exec_t)
|
|
|
1ec3d1a |
domain_system_change_exemption($1)
|
|
|
1ec3d1a |
role_transition $2 polipo_initrc_exec_t system_r;
|
|
|
1ec3d1a |
allow $2 system_r;
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_list_etc($1)
|
|
|
1ec3d1a |
admin_pattern($1, polipo_etc_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
logging_list_logs($1)
|
|
|
1ec3d1a |
admin_pattern($1, polipo_log_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_list_var($1)
|
|
|
1ec3d1a |
admin_pattern($1, polipo_cache_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
files_list_pids($1)
|
|
|
1ec3d1a |
admin_pattern($1, polipo_pid_t)
|
|
|
1ec3d1a |
|
|
|
1ec3d1a |
polipo_systemctl($1)
|
|
|
1ec3d1a |
admin_pattern($1, polipo_unit_file_t)
|
|
|
1ec3d1a |
allow $1 polipo_unit_file_t:service all_service_perms;
|
|
|
1ec3d1a |
')
|