summaryrefslogtreecommitdiffstats
path: root/redhat/selinux/bcfg2.if
diff options
context:
space:
mode:
Diffstat (limited to 'redhat/selinux/bcfg2.if')
-rw-r--r--redhat/selinux/bcfg2.if220
1 files changed, 220 insertions, 0 deletions
diff --git a/redhat/selinux/bcfg2.if b/redhat/selinux/bcfg2.if
new file mode 100644
index 000000000..9ee23dd4b
--- /dev/null
+++ b/redhat/selinux/bcfg2.if
@@ -0,0 +1,220 @@
+## <summary>bcfg2-server daemon which serves configurations to clients based on the data in its repository</summary>
+
+########################################
+## <summary>
+## Execute bcfg2-server in the bcfg2 server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bcfg2_server_domtrans',`
+ gen_require(`
+ type bcfg2_server_t, bcfg2_server_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bcfg2_server_exec_t, bcfg2_server_t)
+')
+
+########################################
+## <summary>
+## Execute bcfg2-server server in the bcfg2-server domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bcfg2_server_initrc_domtrans',`
+ gen_require(`
+ type bcfg2_server_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, bcfg2_server_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Search bcfg2 lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bcfg2_search_lib',`
+ gen_require(`
+ type bcfg2_var_lib_t;
+ ')
+
+ allow $1 bcfg2_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read bcfg2 lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bcfg2_read_lib_files',`
+ gen_require(`
+ type bcfg2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage bcfg2 lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bcfg2_manage_lib_files',`
+ gen_require(`
+ type bcfg2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage bcfg2 lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bcfg2_manage_lib_dirs',`
+ gen_require(`
+ type bcfg2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administer
+## a bcfg2-server environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bcfg2_server_admin',`
+ gen_require(`
+ type bcfg2_server_t;
+ type bcfg2_server_initrc_exec_t;
+ type bcfg2_server_var_lib_t;
+ ')
+
+ allow $1 bcfg2_server_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bcfg2_server_t)
+
+ bcfg2_server_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 bcfg2_server_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, bcfg2_server_var_lib_t)
+')
+
+########################################
+## <summary>
+## Execute bcfg2 in the bcfg2 domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`bcfg2_domtrans',`
+ gen_require(`
+ type bcfg2_t, bcfg2_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
+')
+
+########################################
+## <summary>
+## Execute bcfg2 in the bcfg2 domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`bcfg2_initrc_domtrans',`
+ gen_require(`
+ type bcfg2_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administer
+## a bcfg2 client
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`bcfg2_client_admin',`
+ gen_require(`
+ type bcfg2_t;
+ type bcfg2_initrc_exec_t;
+ type bcfg2_var_lib_t;
+ ')
+
+ allow $1 bcfg2_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bcfg2_t)
+
+ bcfg2_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 bcfg2_initrc_exec_t system_r;
+ allow $2 system_r;
+')