## Lightweight forwarding and caching proxy server. ######################################## ## ## Role access for Polipo session. ## ## ## ## Role allowed access. ## ## ## ## ## User domain for the role. ## ## # template(`polipo_role',` gen_require(` type polipo_session_t, polipo_exec_t, polipo_config_home_t; type polipo_cache_home_t; ') ######################################## # # Declarations # role $1 types polipo_session_t; ######################################## # # Policy # allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms }; userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden") userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo") userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache") allow $2 polipo_session_t:process { ptrace signal_perms }; ps_process_pattern($2, polipo_session_t) tunable_policy(`polipo_session_users',` domtrans_pattern($2, polipo_exec_t, polipo_session_t) ',` can_exec($2, polipo_exec_t) ') ') ######################################## ## ## Execute Polipo in the Polipo ## system domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`polipo_initrc_domtrans',` gen_require(` type polipo_initrc_exec_t; ') init_labeled_script_domtrans($1, polipo_initrc_exec_t) ') ######################################## ## ## Create specified objects in generic ## log directories with the polipo ## log file type. ## ## ## ## Domain allowed access. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`polipo_log_filetrans_log',` gen_require(` type polipo_log_t; ') logging_log_filetrans($1, polipo_log_t, $2, $3) ') ######################################## ## ## All of the rules required to ## administrate an polipo environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`polipo_admin',` gen_require(` type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t; type polipo_conf_t, polipo_log_t, polipo_runtime_t; ') allow $1 polipo_system_t:process { ptrace signal_perms }; ps_process_pattern($1, polipo_system_t) init_startstop_service($1, $2, polipo_t, polipo_initrc_exec_t) files_search_var($1) admin_pattern($1, polipo_cache_t) files_search_etc($1) admin_pattern($1, polipo_conf_t) logging_search_logs($1) admin_pattern($1, polipo_log_t) files_search_pids($1) admin_pattern($1, polipo_runtime_t) ')