## policy for frr
########################################
##
## Execute frr_exec_t in the frr domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`frr_domtrans',`
gen_require(`
type frr_t, frr_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, frr_exec_t, frr_t)
')
######################################
##
## Execute frr in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`frr_exec',`
gen_require(`
type frr_exec_t;
')
corecmd_search_bin($1)
can_exec($1, frr_exec_t)
')
########################################
##
## Read frr's log files.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`frr_read_log',`
gen_require(`
type frr_log_t;
')
read_files_pattern($1, frr_log_t, frr_log_t)
optional_policy(`
logging_search_logs($1)
')
')
########################################
##
## Append to frr log files.
##
##
##
## Domain allowed access.
##
##
#
interface(`frr_append_log',`
gen_require(`
type frr_log_t;
')
append_files_pattern($1, frr_log_t, frr_log_t)
optional_policy(`
logging_search_logs($1)
')
')
########################################
##
## Manage frr log files
##
##
##
## Domain allowed access.
##
##
#
interface(`frr_manage_log',`
gen_require(`
type frr_log_t;
')
manage_dirs_pattern($1, frr_log_t, frr_log_t)
manage_files_pattern($1, frr_log_t, frr_log_t)
manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
optional_policy(`
logging_search_logs($1)
')
')
########################################
##
## Read frr PID files.
##
##
##
## Domain allowed access.
##
##
#
interface(`frr_read_pid_files',`
gen_require(`
type frr_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, frr_var_run_t, frr_var_run_t)
')
########################################
##
## All of the rules required to administrate
## an frr environment
##
##
##
## Domain allowed access.
##
##
#
interface(`frr_admin',`
gen_require(`
type frr_t;
type frr_log_t;
type frr_var_run_t;
')
allow $1 frr_t:process { signal_perms };
ps_process_pattern($1, frr_t)
tunable_policy(`deny_ptrace',`',`
allow $1 frr_t:process ptrace;
')
admin_pattern($1, frr_log_t)
files_search_pids($1)
admin_pattern($1, frr_var_run_t)
optional_policy(`
logging_search_logs($1)
')
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')
########################################
#
# Interface compatibility blocks
#
# The following definitions ensure compatibility with distribution policy
# versions that do not contain given interfaces (epel, or older Fedora
# releases).
# Each block tests for existence of given interface and defines it if needed.
#
######################################
##
## Watch ifconfig_var_run_t directories
##
##
##
## Domain allowed access.
##
##
#
ifndef(`sysnet_watch_ifconfig_run_dirs',`
interface(`sysnet_watch_ifconfig_run_dirs',`
gen_require(`
type ifconfig_var_run_t;
')
watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
')
')
########################################
##
## Read ifconfig_var_run_t files and link files
##
##
##
## Domain allowed access.
##
##
#
ifndef(`sysnet_read_ifconfig_run_files',`
interface(`sysnet_read_ifconfig_run_files',`
gen_require(`
type ifconfig_var_run_t;
')
list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
')
')