## policy for frr ######################################## ## ## Execute frr_exec_t in the frr domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`frr_domtrans',` gen_require(` type frr_t, frr_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, frr_exec_t, frr_t) ') ###################################### ## ## Execute frr in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`frr_exec',` gen_require(` type frr_exec_t; ') corecmd_search_bin($1) can_exec($1, frr_exec_t) ') ######################################## ## ## Read frr's log files. ## ## ## ## Domain allowed access. ## ## ## # interface(`frr_read_log',` gen_require(` type frr_log_t; ') read_files_pattern($1, frr_log_t, frr_log_t) optional_policy(` logging_search_logs($1) ') ') ######################################## ## ## Append to frr log files. ## ## ## ## Domain allowed access. ## ## # interface(`frr_append_log',` gen_require(` type frr_log_t; ') append_files_pattern($1, frr_log_t, frr_log_t) optional_policy(` logging_search_logs($1) ') ') ######################################## ## ## Manage frr log files ## ## ## ## Domain allowed access. ## ## # interface(`frr_manage_log',` gen_require(` type frr_log_t; ') manage_dirs_pattern($1, frr_log_t, frr_log_t) manage_files_pattern($1, frr_log_t, frr_log_t) manage_lnk_files_pattern($1, frr_log_t, frr_log_t) optional_policy(` logging_search_logs($1) ') ') ######################################## ## ## Read frr PID files. ## ## ## ## Domain allowed access. ## ## # interface(`frr_read_pid_files',` gen_require(` type frr_var_run_t; ') files_search_pids($1) read_files_pattern($1, frr_var_run_t, frr_var_run_t) ') ######################################## ## ## All of the rules required to administrate ## an frr environment ## ## ## ## Domain allowed access. ## ## # interface(`frr_admin',` gen_require(` type frr_t; type frr_log_t; type frr_var_run_t; ') allow $1 frr_t:process { signal_perms }; ps_process_pattern($1, frr_t) tunable_policy(`deny_ptrace',`',` allow $1 frr_t:process ptrace; ') admin_pattern($1, frr_log_t) files_search_pids($1) admin_pattern($1, frr_var_run_t) optional_policy(` logging_search_logs($1) ') optional_policy(` systemd_passwd_agent_exec($1) systemd_read_fifo_file_passwd_run($1) ') ') ######################################## # # Interface compatibility blocks # # The following definitions ensure compatibility with distribution policy # versions that do not contain given interfaces (epel, or older Fedora # releases). # Each block tests for existence of given interface and defines it if needed. # ###################################### ## ## Watch ifconfig_var_run_t directories ## ## ## ## Domain allowed access. ## ## # ifndef(`sysnet_watch_ifconfig_run_dirs',` interface(`sysnet_watch_ifconfig_run_dirs',` gen_require(` type ifconfig_var_run_t; ') watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ') ') ######################################## ## ## Read ifconfig_var_run_t files and link files ## ## ## ## Domain allowed access. ## ## # ifndef(`sysnet_read_ifconfig_run_files',` interface(`sysnet_read_ifconfig_run_files',` gen_require(` type ifconfig_var_run_t; ') list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ') ')