From 550fedd88230d1f065e656d212edfdc47d637247 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@gmail.com>
Date: Oct 05 2012 10:44:40 +0000
Subject: Initial mandb policy module


man-db is an implementation of the standard Unix documentation system
accessed using the man command. It uses a Berkeley DB database in place
of the traditional flat-text whatis databases.

Ported from Fedora with changes

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>

---

diff --git a/mandb.fc b/mandb.fc
new file mode 100644
index 0000000..e4864f3
--- /dev/null
+++ b/mandb.fc
@@ -0,0 +1,4 @@
+/etc/cron.daily/man-db\.cron	--	gen_context(system_u:object_r:mandb_exec_t,s0)
+
+# file context conflict with spec in miscfiles. remove comment when the spec in miscfiles is removed
+# /var/cache/man(/.*)?	gen_context(system_u:object_r:mandb_cache_t,s0)
diff --git a/mandb.if b/mandb.if
new file mode 100644
index 0000000..56306c6
--- /dev/null
+++ b/mandb.if
@@ -0,0 +1,78 @@
+## <summary>On-line manual database.</summary>
+
+########################################
+## <summary>
+##	Execute the mandb program in
+##	the mandb domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`mandb_domtrans',`
+	gen_require(`
+		type mandb_t, mandb_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, mandb_exec_t, mandb_t)
+')
+
+########################################
+## <summary>
+##	Execute mandb in the mandb
+##	domain, and allow the specified
+##	role the mandb domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`mandb_run',`
+	gen_require(`
+		attribute_role mandb_roles;
+	')
+
+	lightsquid_domtrans($1)
+	roleattribute $2 mandb_roles;
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an mandb environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mandb_admin',`
+	gen_require(`
+		type mandb_t, mandb_cache_t;
+	')
+
+	allow $1 mandb_t:process { ptrace signal_perms };
+	ps_process_pattern($1, mandb_t)
+
+	mandb_run($1, $2)
+
+	files_search_var($1)
+	admin_pattern($1, mandb_cache_t)
+')
diff --git a/mandb.te b/mandb.te
new file mode 100644
index 0000000..3009005
--- /dev/null
+++ b/mandb.te
@@ -0,0 +1,42 @@
+policy_module(mandb, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role mandb_roles;
+roleattribute system_r mandb_roles;
+
+type mandb_t;
+type mandb_exec_t;
+application_domain(mandb_t, mandb_exec_t)
+role mandb_roles types mandb_t;
+
+type mandb_cache_t;
+files_type(mandb_cache_t)
+
+########################################
+#
+# Local policy
+#
+
+allow mandb_t self:process signal;
+allow mandb_t self:fifo_file rw_fifo_file_perms;
+allow mandb_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+
+kernel_read_system_state(mandb_t)
+
+corecmd_exec_bin(mandb_t)
+
+domain_use_interactive_fds(mandb_t)
+
+files_read_etc_files(mandb_t)
+
+optional_policy(`
+	cron_system_entry(mandb_t, mandb_exec_t)
+')