Introduce setrans_admin interface

2015-07-11 13:15:46 +04:00 · 2015-07-11 13:15:46 +04:00 · 0023b30946
parent e1f2a8b9d6
commit 0023b30946
2 changed files with 35 additions and 0 deletions
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@ -951,6 +951,10 @@ optional_policy(`
 	sensord_admin(sysadm_t, sysadm_r)
 ')

+optional_policy(`
+	setrans_admin(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	setroubleshoot_admin(sysadm_t, sysadm_r)
 ')
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@ -40,3 +40,34 @@ interface(`setrans_translate_context',`
 	stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
 	files_list_pids($1)
 ')
+
+######################################
+## <summary>
+##	All of the rules required to
+##	administrate an setrans environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`setrans_admin',`
+	gen_require(`
+		type setrans_t, setrans_initrc_exec_t;
+		type setrans_var_run_t;
+	')
+
+	allow $1 setrans_t:process { ptrace signal_perms };
+	ps_process_pattern($1, setrans_t)
+
+	init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t)
+
+	files_search_pids($1)
+	admin_pattern($1, setrans_var_run_t)
+')