From 8fa17a93d70ef103db3d8f6a128dd41bbc9bccca Mon Sep 17 00:00:00 2001
From: "Chris St. Pierre"
Date: Fri, 14 Sep 2012 15:52:52 -0400
Subject: initial selinux configs
---
redhat/selinux/bcfg2.if | 220 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 220 insertions(+)
create mode 100644 redhat/selinux/bcfg2.if
(limited to 'redhat/selinux/bcfg2.if')
diff --git a/redhat/selinux/bcfg2.if b/redhat/selinux/bcfg2.if
new file mode 100644
index 000000000..9ee23dd4b
--- /dev/null
+++ b/redhat/selinux/bcfg2.if
@@ -0,0 +1,220 @@
+## bcfg2-server daemon which serves configurations to clients based on the data in its repository
+
+########################################
+##
+## Execute bcfg2-server in the bcfg2 server domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bcfg2_server_domtrans',`
+ gen_require(`
+ type bcfg2_server_t, bcfg2_server_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bcfg2_server_exec_t, bcfg2_server_t)
+')
+
+########################################
+##
+## Execute bcfg2-server server in the bcfg2-server domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bcfg2_server_initrc_domtrans',`
+ gen_require(`
+ type bcfg2_server_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, bcfg2_server_initrc_exec_t)
+')
+
+########################################
+##
+## Search bcfg2 lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bcfg2_search_lib',`
+ gen_require(`
+ type bcfg2_var_lib_t;
+ ')
+
+ allow $1 bcfg2_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read bcfg2 lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bcfg2_read_lib_files',`
+ gen_require(`
+ type bcfg2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+##
+## Manage bcfg2 lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bcfg2_manage_lib_files',`
+ gen_require(`
+ type bcfg2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+##
+## Manage bcfg2 lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bcfg2_manage_lib_dirs',`
+ gen_require(`
+ type bcfg2_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
+')
+
+########################################
+##
+## All of the rules required to administer
+## a bcfg2-server environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`bcfg2_server_admin',`
+ gen_require(`
+ type bcfg2_server_t;
+ type bcfg2_server_initrc_exec_t;
+ type bcfg2_server_var_lib_t;
+ ')
+
+ allow $1 bcfg2_server_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bcfg2_server_t)
+
+ bcfg2_server_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 bcfg2_server_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, bcfg2_server_var_lib_t)
+')
+
+########################################
+##
+## Execute bcfg2 in the bcfg2 domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`bcfg2_domtrans',`
+ gen_require(`
+ type bcfg2_t, bcfg2_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
+')
+
+########################################
+##
+## Execute bcfg2 in the bcfg2 domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`bcfg2_initrc_domtrans',`
+ gen_require(`
+ type bcfg2_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administer
+## a bcfg2 client
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`bcfg2_client_admin',`
+ gen_require(`
+ type bcfg2_t;
+ type bcfg2_initrc_exec_t;
+ type bcfg2_var_lib_t;
+ ')
+
+ allow $1 bcfg2_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bcfg2_t)
+
+ bcfg2_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 bcfg2_initrc_exec_t system_r;
+ allow $2 system_r;
+')
-- cgit v1.2.3-1-g7c22
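Review bot: `bcfg2_server_admin` requires and administers `bcfg2_server_var_lib_t`, while every other lib interface in this file (`bcfg2_search_lib`, `bcfg2_read_lib_files`, `bcfg2_manage_lib_files`, `bcfg2_manage_lib_dirs`) and the `gen_require` of `bcfg2_client_admin` use `bcfg2_var_lib_t`; unless the accompanying .te file (not in this hunk) declares both types, any policy calling the server admin interface will fail at `gen_require` on an undeclared type. If only `bcfg2_var_lib_t` exists, the two lines should read `type bcfg2_var_lib_t;` and `admin_pattern($1, bcfg2_var_lib_t)`. Conversely, `bcfg2_client_admin` lists `type bcfg2_var_lib_t;` in its `gen_require` but never references it, so that require is dead and should either be dropped or paired with `files_search_var_lib($1)` plus an `admin_pattern` if client-side administration of the lib tree is intended. Separately, `bcfg2_initrc_domtrans` carries the same summary as `bcfg2_domtrans` ("Execute bcfg2 in the bcfg2 domain."); it should describe what it actually grants, e.g. `## Execute the bcfg2 init script in the init script domain.`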