selinux-policy/policy/modules/services/aisexec.if

## <summary>Aisexec Cluster Engine</summary>

########################################
## <summary>
##	Execute a domain transition to run aisexec.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`aisexec_domtrans',`
	gen_require(`
		type aisexec_t, aisexec_exec_t;
	')

	domtrans_pattern($1, aisexec_exec_t, aisexec_t)
')

#####################################
## <summary>
##	Connect to aisexec over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`aisexec_stream_connect',`
	gen_require(`
		type aisexec_t, aisexec_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t)
')

#######################################
## <summary>
##	Allow the specified domain to read aisexec's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`aisexec_read_log',`
	gen_require(`
		type aisexec_var_log_t;
	')

	logging_search_logs($1)
	list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
	read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
')

######################################
## <summary>
##	All of the rules required to administrate
##	an aisexec environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the aisexecd domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`aisexecd_admin',`
	gen_require(`
		type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t;
		type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t;
		type aisexec_initrc_exec_t;
	')

	allow $1 aisexec_t:process { ptrace signal_perms };
	ps_process_pattern($1, aisexec_t)

	init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 aisexec_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_var_lib($1)
	admin_pattern($1, aisexec_var_lib_t)

	logging_list_logs($1)
	admin_pattern($1, aisexec_var_log_t)

	files_list_pids($1)
	admin_pattern($1, aisexec_var_run_t)

	files_list_tmp($1)
	admin_pattern($1, aisexec_tmp_t)

	admin_pattern($1, aisexec_tmpfs_t)
')
Removed unnecessary comments Removed 'SELinux policy for' from policy summaries Removed rgmanager interface for semaphores (doesn't appear to be needed or used) Removed redundant calls to libs_use_ld_so and libs_use_shared_libs Fixed rhcs interface names to match naming rules Merged tmpfs and semaphore/shm interfaces 2010-05-21 19:59:16 +00:00			`## <summary>Aisexec Cluster Engine</summary>`
Redhat Cluster Suite Policy from Dan Walsh Edits: - Style and whitespace fixes - Removed interfaces for default_t from ricci.te - this didn't seem right - Removed link files from rgmanager_manage_tmpfs_files - Removed rdisc.if patch. it was previously committed - Not including kernel_kill interface call for rgmanager - Not including ldap interfaces in rgmanager.te (currently not in refpolicy) - Not including files_create_var_run_dirs call for rgmanager (not in refpolicy) 2010-05-06 17:13:41 +00:00
			`########################################`
			`## <summary>`
			`## Execute a domain transition to run aisexec.`
			`## </summary>`
			`## <param name="domain">`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-17 06:54:12 +00:00			`## <summary>`
Services layer xml files. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 13:03:19 +00:00			`## Domain allowed to transition.`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-17 06:54:12 +00:00			`## </summary>`
Redhat Cluster Suite Policy from Dan Walsh Edits: - Style and whitespace fixes - Removed interfaces for default_t from ricci.te - this didn't seem right - Removed link files from rgmanager_manage_tmpfs_files - Removed rdisc.if patch. it was previously committed - Not including kernel_kill interface call for rgmanager - Not including ldap interfaces in rgmanager.te (currently not in refpolicy) - Not including files_create_var_run_dirs call for rgmanager (not in refpolicy) 2010-05-06 17:13:41 +00:00			`## </param>`
			`#`
			interface(`aisexec_domtrans',`
			gen_require(`
			`type aisexec_t, aisexec_exec_t;`
			`')`

			`domtrans_pattern($1, aisexec_exec_t, aisexec_t)`
			`')`

			`#####################################`
			`## <summary>`
			`## Connect to aisexec over a unix domain`
			`## stream socket.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`aisexec_stream_connect',`
			gen_require(`
			`type aisexec_t, aisexec_var_run_t;`
			`')`

			`files_search_pids($1)`
			`stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t)`
			`')`

			`#######################################`
			`## <summary>`
			`## Allow the specified domain to read aisexec's log files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`aisexec_read_log',`
			gen_require(`
			`type aisexec_var_log_t;`
			`')`

			`logging_search_logs($1)`
			`list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t)`
			`read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t)`
			`')`

			`######################################`
			`## <summary>`
whitespace fixes for cluster suite patch 2010-05-21 20:40:12 +00:00			`## All of the rules required to administrate`
Redhat Cluster Suite Policy from Dan Walsh Edits: - Style and whitespace fixes - Removed interfaces for default_t from ricci.te - this didn't seem right - Removed link files from rgmanager_manage_tmpfs_files - Removed rdisc.if patch. it was previously committed - Not including kernel_kill interface call for rgmanager - Not including ldap interfaces in rgmanager.te (currently not in refpolicy) - Not including files_create_var_run_dirs call for rgmanager (not in refpolicy) 2010-05-06 17:13:41 +00:00			`## an aisexec environment`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## The role to be allowed to manage the aisexecd domain.`
			`## </summary>`
			`## </param>`
			`## <rolecap/>`
			`#`
			interface(`aisexecd_admin',`
			gen_require(`
			`type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t;`
			`type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t;`
			`type aisexec_initrc_exec_t;`
			`')`

			`allow $1 aisexec_t:process { ptrace signal_perms };`
			`ps_process_pattern($1, aisexec_t)`

			`init_labeled_script_domtrans($1, aisexec_initrc_exec_t)`
			`domain_system_change_exemption($1)`
			`role_transition $2 aisexec_initrc_exec_t system_r;`
			`allow $2 system_r;`

			`files_list_var_lib($1)`
			`admin_pattern($1, aisexec_var_lib_t)`

			`logging_list_logs($1)`
			`admin_pattern($1, aisexec_var_log_t)`

			`files_list_pids($1)`
			`admin_pattern($1, aisexec_var_run_t)`

			`files_list_tmp($1)`
			`admin_pattern($1, aisexec_tmp_t)`

			`admin_pattern($1, aisexec_tmpfs_t)`
			`')`