psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f7 f8 f9 master master-docker master_contrib private-master-atomic-policy private-master-migrate-to-var-lib-selinux requires tests
  1.   master_contrib
  2.   cfengine.if
Blob Blame History Raw 
## <summary>System administration tool for networks.</summary>

#######################################
## <summary>
##	The template to define a cfengine domain.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Domain prefix to be used.
##	</summary>
## </param>
#
template(`cfengine_domain_template',`
	gen_require(`
		attribute cfengine_domain;
	')

	########################################
	#
	# Declarations
	#

	type cfengine_$1_t, cfengine_domain;
	type cfengine_$1_exec_t;
	init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)

	########################################
	#
	# Policy
	#

	kernel_read_system_state(cfengine_$1_t)

	auth_use_nsswitch(cfengine_$1_t)

	logging_send_syslog_msg(cfengine_$1_t)
')

######################################
## <summary>
##  Search cfengine lib files.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`cfengine_search_lib_files',`
	gen_require(`
		type cfengine_var_lib_t;
	')

	allow $1 cfengine_var_lib_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read cfengine lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cfengine_read_lib_files',`
	gen_require(`
		type cfengine_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
')

####################################
## <summary>
##	Do not audit attempts to write
##	cfengine log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`cfengine_dontaudit_write_log_files',`
	gen_require(`
		type cfengine_var_log_t;
	')

	dontaudit $1 cfengine_var_log_t:file write_file_perms;
')

#####################################
## <summary>
##      Allow the specified domain to append cfengine's log files.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`cfengine_append_inherited_log',`
        gen_require(`
                type cfengine_var_log_t;
        ')

        cfengine_search_lib_files($1)
		allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
')

####################################
## <summary>
##      Dontaudit the specified domain to write cfengine's log files.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`cfengine_dontaudit_write_log',`
        gen_require(`
                type cfengine_var_log_t;
        ')

		dontaudit $1 cfengine_var_log_t:file write;
')

########################################
## <summary>
##	All of the rules required to
##	administrate an cfengine environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`cfengine_admin',`
	gen_require(`
		attribute cfengine_domain;
		type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
	')

	allow $1 cfengine_domain:process { signal_perms };
	ps_process_pattern($1, cfengine_domain)

	init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 cfengine_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_var_lib($1)
	admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
')
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.