## System administration tool for networks. ####################################### ## ## The template to define a cfengine domain. ## ## ## ## Domain prefix to be used. ## ## # template(`cfengine_domain_template',` gen_require(` attribute cfengine_domain; type cfengine_log_t, cfengine_var_lib_t; ') ######################################## # # Declarations # type cfengine_$1_t, cfengine_domain; type cfengine_$1_exec_t; init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t) ######################################## # # Policy # auth_use_nsswitch(cfengine_$1_t) ') ######################################## ## ## Read cfengine lib files. ## ## ## ## Domain allowed access. ## ## # interface(`cfengine_read_lib_files',` gen_require(` type cfengine_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t) ') #################################### ## ## Do not audit attempts to write ## cfengine log files. ## ## ## ## Domain to not audit. ## ## # interface(`cfengine_dontaudit_write_log_files',` gen_require(` type cfengine_log_t; ') dontaudit $1 cfengine_log_t:file write_file_perms; ') ######################################## ## ## All of the rules required to ## administrate an cfengine environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`cfengine_admin',` gen_require(` attribute cfengine_domain; type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t; ') allow $1 cfengine_domain:process { ptrace signal_perms }; ps_process_pattern($1, cfengine_domain) init_startstop_service($1, $2, cfengine_domain, cfengine_initrc_exec_t) files_search_var_lib($1) admin_pattern($1, { cfengine_log_t cfengine_var_lib_t }) ')