policy for frr

######################################## ##

## Execute frr_exec_t in the frr domain. ##

## ##

## Domain allowed to transition. ##

## # interface(`frr_domtrans',` gen_require(` type frr_t, frr_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, frr_exec_t, frr_t) ') ###################################### ##

## Execute frr in the caller domain. ##

## ##

## Domain allowed access. ##

## # interface(`frr_exec',` gen_require(` type frr_exec_t; ') corecmd_search_bin($1) can_exec($1, frr_exec_t) ') ######################################## ##

## Read frr's log files. ##

## ##

## Domain allowed access. ##

## ## # interface(`frr_read_log',` gen_require(` type frr_log_t; ') read_files_pattern($1, frr_log_t, frr_log_t) optional_policy(` logging_search_logs($1) ') ') ######################################## ##

## Append to frr log files. ##

## ##

## Domain allowed access. ##

## # interface(`frr_append_log',` gen_require(` type frr_log_t; ') append_files_pattern($1, frr_log_t, frr_log_t) optional_policy(` logging_search_logs($1) ') ') ######################################## ##

## Manage frr log files ##

## ##

## Domain allowed access. ##

## # interface(`frr_manage_log',` gen_require(` type frr_log_t; ') manage_dirs_pattern($1, frr_log_t, frr_log_t) manage_files_pattern($1, frr_log_t, frr_log_t) manage_lnk_files_pattern($1, frr_log_t, frr_log_t) optional_policy(` logging_search_logs($1) ') ') ######################################## ##

## Read frr PID files. ##

## ##

## Domain allowed access. ##

## # interface(`frr_read_pid_files',` gen_require(` type frr_var_run_t; ') files_search_pids($1) read_files_pattern($1, frr_var_run_t, frr_var_run_t) ') ######################################## ##

## All of the rules required to administrate ## an frr environment ##

## ##

## Domain allowed access. ##

## # interface(`frr_admin',` gen_require(` type frr_t; type frr_log_t; type frr_var_run_t; ') allow $1 frr_t:process { signal_perms }; ps_process_pattern($1, frr_t) tunable_policy(`deny_ptrace',`',` allow $1 frr_t:process ptrace; ') admin_pattern($1, frr_log_t) files_search_pids($1) admin_pattern($1, frr_var_run_t) optional_policy(` logging_search_logs($1) ') optional_policy(` systemd_passwd_agent_exec($1) systemd_read_fifo_file_passwd_run($1) ') ') ######################################## # # Interface compatibility blocks # # The following definitions ensure compatibility with distribution policy # versions that do not contain given interfaces (epel, or older Fedora # releases). # Each block tests for existence of given interface and defines it if needed. # ###################################### ##

## Watch ifconfig_var_run_t directories ##

## ##

## Domain allowed access. ##

## # ifndef(`sysnet_watch_ifconfig_run',` interface(`sysnet_watch_ifconfig_run',` gen_require(` type ifconfig_var_run_t; ') watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ') ') ######################################## ##

## Read ifconfig_var_run_t files and link files ##

## ##

## Domain allowed access. ##

## # ifndef(`sysnet_read_ifconfig_run',` interface(`sysnet_read_ifconfig_run',` gen_require(` type ifconfig_var_run_t; ') list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ') ')