selinux-refpolicy/policy/modules/roles/webadm.te
2018-06-23 10:38:58 -04:00

58 lines
1.1 KiB
Plaintext

policy_module(webadm, 1.2.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Determine whether webadm can
## manage generic user files.
## </p>
## </desc>
gen_tunable(webadm_manage_user_files, false)
## <desc>
## <p>
## Determine whether webadm can
## read generic user files.
## </p>
## </desc>
gen_tunable(webadm_read_user_files, false)
role webadm_r;
userdom_base_user_template(webadm)
########################################
#
# Local policy
#
allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
files_dontaudit_search_all_dirs(webadm_t)
files_list_var(webadm_t)
selinux_get_enforce_mode(webadm_t)
seutil_domtrans_setfiles(webadm_t)
logging_send_audit_msgs(webadm_t)
logging_send_syslog_msg(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)
apache_admin(webadm_t, webadm_r)
tunable_policy(`webadm_manage_user_files',`
userdom_manage_user_home_content_files(webadm_t)
userdom_read_user_tmp_files(webadm_t)
userdom_write_user_tmp_files(webadm_t)
')
tunable_policy(`webadm_read_user_files',`
userdom_read_user_home_content_files(webadm_t)
userdom_read_user_tmp_files(webadm_t)
')