## System administration tool for networks.
#######################################
##
## The template to define a cfengine domain.
##
##
##
## Domain prefix to be used.
##
##
#
template(`cfengine_domain_template',`
gen_require(`
attribute cfengine_domain;
type cfengine_log_t, cfengine_var_lib_t;
')
########################################
#
# Declarations
#
type cfengine_$1_t, cfengine_domain;
type cfengine_$1_exec_t;
init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
########################################
#
# Policy
#
auth_use_nsswitch(cfengine_$1_t)
')
########################################
##
## Read cfengine lib files.
##
##
##
## Domain allowed access.
##
##
#
interface(`cfengine_read_lib_files',`
gen_require(`
type cfengine_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
')
####################################
##
## Do not audit attempts to write
## cfengine log files.
##
##
##
## Domain to not audit.
##
##
#
interface(`cfengine_dontaudit_write_log_files',`
gen_require(`
type cfengine_var_log_t;
')
dontaudit $1 cfengine_var_log_t:file write_file_perms;
')
########################################
##
## All of the rules required to
## administrate an cfengine environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
interface(`cfengine_admin',`
gen_require(`
attribute cfengine_domain;
type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
')
allow $1 cfengine_domain:process { ptrace signal_perms };
ps_process_pattern($1, cfengine_domain)
init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 cfengine_initrc_exec_t system_r;
allow $2 system_r;
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
')