selinux-refpolicy/policy/modules/services/oident.if

120 lines
2.4 KiB
Plaintext
Raw Normal View History

## <summary>An ident daemon with IP masq/NAT support and the ability to specify responses.</summary>
########################################
## <summary>
## Read oidentd user home content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`oident_read_user_content', `
gen_require(`
type oidentd_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 oidentd_home_t:file read_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete
## oidentd user home content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`oident_manage_user_content', `
gen_require(`
type oidentd_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 oidentd_home_t:file manage_file_perms;
')
########################################
## <summary>
## Relabel oidentd user home content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`oident_relabel_user_content', `
gen_require(`
type oidentd_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 oidentd_home_t:file relabel_file_perms;
')
########################################
## <summary>
## Create objects in user home
## directories with the oidentd home type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="object_class">
## <summary>
## Class of the object being created.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`oident_home_filetrans_oidentd_home',`
gen_require(`
type oidentd_home_t;
')
userdom_user_home_dir_filetrans($1, oidentd_home_t, $2, $3)
')
########################################
## <summary>
## All of the rules required to
## administrate an oident environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`oident_admin',`
gen_require(`
type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
')
allow $1 oidentd_t:process { ptrace signal_perms };
ps_process_pattern($1, oidentd_t)
init_startstop_service($1, $2, oidentd_t, oidentd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, oidentd_config_t)
')