selinux-policy/policy/modules/services/oddjob.if

150 lines
2.9 KiB
Plaintext
Raw Normal View History

## <summary>
## Oddjob provides a mechanism by which unprivileged applications can
## request that specified privileged operations be performed on their
## behalf.
## </summary>
########################################
## <summary>
## Execute a domain transition to run oddjob.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`oddjob_domtrans',`
gen_require(`
type oddjob_t, oddjob_exec_t;
')
domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')
2010-08-26 13:41:21 +00:00
#####################################
## <summary>
## Do not audit attempts to read and write
## oddjob fifo file.
2010-08-26 13:41:21 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
2010-08-26 13:41:21 +00:00
## </param>
#
interface(`oddjob_dontaudit_rw_fifo_file',`
gen_require(`
type shutdown_t;
')
2010-08-26 13:41:21 +00:00
dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
2010-08-26 13:41:21 +00:00
')
########################################
## <summary>
## Make the specified program domain accessable
## from the oddjob.
## </summary>
## <param name="domain">
## <summary>
## The type of the process to transition to.
## </summary>
## </param>
## <param name="entrypoint">
## <summary>
## The type of the file used as an entrypoint to this domain.
## </summary>
## </param>
#
interface(`oddjob_system_entry',`
gen_require(`
type oddjob_t;
')
2006-12-12 20:08:08 +00:00
domtrans_pattern(oddjob_t, $2, $1)
2010-08-26 13:41:21 +00:00
domain_user_exemption_target($1)
')
########################################
## <summary>
## Send and receive messages from
## oddjob over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`oddjob_dbus_chat',`
gen_require(`
type oddjob_t;
class dbus send_msg;
')
allow $1 oddjob_t:dbus send_msg;
allow oddjob_t $1:dbus send_msg;
')
2010-08-26 13:41:21 +00:00
######################################
## <summary>
## Send a SIGCHLD signal to oddjob.
2010-08-26 13:41:21 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2010-08-26 13:41:21 +00:00
## </param>
#
interface(`oddjob_sigchld',`
gen_require(`
type oddjob_t;
')
2010-08-26 13:41:21 +00:00
allow $1 oddjob_t:process sigchld;
2010-08-26 13:41:21 +00:00
')
########################################
## <summary>
## Execute a domain transition to run oddjob_mkhomedir.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`oddjob_domtrans_mkhomedir',`
gen_require(`
type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
')
domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
')
2009-07-27 14:52:20 +00:00
########################################
## <summary>
## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
2009-07-27 14:52:20 +00:00
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`oddjob_run_mkhomedir',`
gen_require(`
type oddjob_mkhomedir_t;
')
oddjob_domtrans_mkhomedir($1)
role $2 types oddjob_mkhomedir_t;
')