selinux-refpolicy/policy/modules/admin/cfengine.if

104 lines
2.1 KiB
Plaintext
Raw Normal View History

## <summary>System administration tool for networks.</summary>
#######################################
## <summary>
## The template to define a cfengine domain.
## </summary>
## <param name="domain_prefix">
## <summary>
## Domain prefix to be used.
## </summary>
## </param>
#
template(`cfengine_domain_template',`
gen_require(`
attribute cfengine_domain;
')
########################################
#
# Declarations
#
type cfengine_$1_t, cfengine_domain;
type cfengine_$1_exec_t;
init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
########################################
#
# Policy
#
auth_use_nsswitch(cfengine_$1_t)
')
########################################
## <summary>
## Read cfengine lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`cfengine_read_lib_files',`
gen_require(`
type cfengine_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
')
####################################
## <summary>
## Do not audit attempts to write
## cfengine log files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`cfengine_dontaudit_write_log_files',`
gen_require(`
type cfengine_log_t;
')
dontaudit $1 cfengine_log_t:file write_file_perms;
')
########################################
## <summary>
## All of the rules required to
## administrate an cfengine environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`cfengine_admin',`
gen_require(`
attribute cfengine_domain;
type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
')
allow $1 cfengine_domain:process { ptrace signal_perms };
ps_process_pattern($1, cfengine_domain)
init_startstop_service($1, $2, cfengine_domain, cfengine_initrc_exec_t)
files_search_var_lib($1)
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
')