nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
242e371ac2
selinux-refpolicy/policy/modules/services/sssd.if
Markus Linnala 9127219358 policy: interfaces: doc: indent param blocks consistently 
There is more than 5000 parameter documentations. Only about 300 are
differently done. Change them to be consistently indented.

param with one space
and content inside with one tab

This was done with:

sed -ri '
/^##[[:space:]]*<param/,/^##[[:space:]]*<[/]param>/{
	s/^##[[:space:]]*/##\t/;
	s/^##[[:space:]]*(<[/]?summary)/##\t\1/;
	s/^##[[:space:]]*(<[/]?param)/## \1/;
}' policy/modules/*/*.if

Signed-off-by: Markus Linnala <Markus.Linnala@cybercom.com>
2021-07-02 12:19:25 +03:00

368 lines
7.0 KiB
Plaintext
Raw Blame History

## <summary>System Security Services Daemon.</summary>
#######################################
## <summary>
## Get attributes of sssd executable files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_getattr_exec',`
gen_require(`
type sssd_exec_t;
')
allow $1 sssd_exec_t:file getattr_file_perms;
')
########################################
## <summary>
## Execute a domain transition to run sssd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`sssd_domtrans',`
gen_require(`
type sssd_t, sssd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, sssd_exec_t, sssd_t)
')
########################################
## <summary>
## Execute sssd init scripts in
## the initrc domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`sssd_initrc_domtrans',`
gen_require(`
type sssd_initrc_exec_t;
')
init_labeled_script_domtrans($1, sssd_initrc_exec_t)
')
#######################################
## <summary>
## Read sssd configuration content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_read_config',`
gen_require(`
type sssd_conf_t;
')
files_search_etc($1)
list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
read_files_pattern($1, sssd_conf_t, sssd_conf_t)
')
######################################
## <summary>
## Write sssd configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_write_config',`
gen_require(`
type sssd_conf_t;
')
files_search_etc($1)
write_files_pattern($1, sssd_conf_t, sssd_conf_t)
')
####################################
## <summary>
## Create, read, write, and delete
## sssd configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_manage_config',`
gen_require(`
type sssd_conf_t;
')
files_search_etc($1)
manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
')
########################################
## <summary>
## Read sssd public files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_read_public_files',`
gen_require(`
type sssd_public_t;
')
sssd_search_lib($1)
allow $1 sssd_public_t:dir list_dir_perms;
read_files_pattern($1, sssd_public_t, sssd_public_t)
')
#######################################
## <summary>
## Create, read, write, and delete
## sssd public files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_manage_public_files',`
gen_require(`
type sssd_public_t;
')
sssd_search_lib($1)
manage_files_pattern($1, sssd_public_t, sssd_public_t)
')
########################################
## <summary>
## Read sssd pid files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_read_pid_files',`
refpolicywarn(`$0($*) has been deprecated, please use sssd_read_runtime_files() instead.')
sssd_read_runtime_files($1)
')
########################################
## <summary>
## Create, read, write, and delete
## sssd pid content. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_manage_pids',`
refpolicywarn(`$0($*) has been deprecated.')
')
########################################
## <summary>
## Read sssd runtime files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_read_runtime_files',`
gen_require(`
type sssd_runtime_t;
')
files_search_runtime($1)
allow $1 sssd_runtime_t:file read_file_perms;
')
########################################
## <summary>
## Search sssd lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_search_lib',`
gen_require(`
type sssd_var_lib_t;
')
allow $1 sssd_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Do not audit attempts to search
## sssd lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`sssd_dontaudit_search_lib',`
gen_require(`
type sssd_var_lib_t;
')
dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
')
########################################
## <summary>
## Read sssd lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_read_lib_files',`
gen_require(`
type sssd_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete
## sssd lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_manage_lib_files',`
gen_require(`
type sssd_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
')
########################################
## <summary>
## Send and receive messages from
## sssd over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_dbus_chat',`
gen_require(`
type sssd_t;
class dbus send_msg;
')
allow $1 sssd_t:dbus send_msg;
allow sssd_t $1:dbus send_msg;
')
########################################
## <summary>
## Connect to sssd with a unix
## domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sssd_stream_connect',`
gen_require(`
type sssd_t, sssd_var_lib_t;
')
files_search_runtime($1)
stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
')
########################################
## <summary>
## All of the rules required to
## administrate an sssd environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sssd_admin',`
gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
type sssd_var_lib_t, sssd_runtime_t, sssd_conf_t;
type sssd_var_log_t;
')
allow $1 sssd_t:process { ptrace signal_perms };
ps_process_pattern($1, sssd_t)
init_startstop_service($1, $2, sssd_t, sssd_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, sssd_conf_t)
files_search_var_lib($1)
admin_pattern($1, { sssd_var_lib_t sssd_public_t })
files_search_runtime($1)
admin_pattern($1, sssd_runtime_t)
logging_search_logs($1)
admin_pattern($1, sssd_var_log_t)
')
Reference in New Issue View Git Blame Copy Permalink