selinux-refpolicy/policy/modules/services/oident.if

## <summary>SELinux policy for Oident daemon.</summary>
## <desc>
## <p>
## Oident daemon is a server implementing the IDENT user
## identification protocol (TCP/IP), as specified in
## RFC 1413.
## </p>
## </desc>
#######################################
## <summary>
## The per role template for the Oidentd module.
## </summary>
## <desc>
## <p>
## This template creates derived domains which are used
## for Oident daemon.
## </p>
## <p>
## This template is invoked automatically for each user, and
## generally does not need to be invoked directly
## by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
#
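template(`oident_per_role_template', `
	########################################
	#
	# Oident daemon shared declarations
	#

	gen_require(`
		attribute oidentd_user_content_type;
	')

	# Per-user home content type holding the user's Oidentd configuration.
	# Naming the attribute in the type statement already attaches it, so no
	# separate typeattribute statement is needed.
	type $1_oidentd_home_t, oidentd_user_content_type;
	userdom_user_home_content($1, $1_oidentd_home_t)

	########################################
	#
	# Oident daemon shared policy
	#

	# The user domain ($2) owns its own configuration: full file management
	# plus relabeling to and from this type.  Read access for other domains
	# is granted on the attribute through oident_read_all_user_content().
	# $3 (user_role) is accepted for signature compatibility but is not
	# referenced in this body.
	allow $2 $1_oidentd_home_t:file { manage_file_perms relabel_file_perms };
')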
########################################
## <summary>
## Allow the specified domain to read the
## Oidentd personal configuration files of all users.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`oident_read_all_user_content', `
	gen_require(`
		attribute oidentd_user_content_type;
	')

	# Home directories must be searchable before any file within them can
	# be opened, so grant directory traversal for every user's home first.
	userdom_search_all_users_home_dirs($1)

	# Read-only access to every per-user $1_oidentd_home_t type declared by
	# oident_per_role_template(); those types carry this attribute.
	allow $1 oidentd_user_content_type:file read_file_perms;
')