selinux-policy/policy/modules/services/tftp.if

## <summary>Trivial file transfer protocol daemon</summary>

########################################
## <summary>
##	Read tftp content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`tftp_read_content',`
	gen_require(`
		type tftpdir_t;
	')

	read_files_pattern($1, tftpdir_t, tftpdir_t)
	read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
')

########################################
## <summary>
##	Search tftp /var/lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`tftp_search_rw_content',`
	gen_require(`
		type tftpdir_rw_t;
	')

	search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
	files_search_var_lib($1)
')

########################################
## <summary>
##	Manage tftp /var/lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`tftp_manage_rw_content',`
	gen_require(`
		type tftpdir_rw_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
	manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
')

########################################
## <summary>
##	Create objects in tftpdir directories
##	with specified types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="file_type">
##	<summary>
##	Private file type.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
#
interface(`tftp_filetrans_tftpdir',`
	gen_require(`
		type tftpdir_rw_t;
	')

	filetrans_pattern($1, tftpdir_rw_t, $2, $3)
	files_search_var_lib($1)
')

########################################
## <summary>
##	All of the rules required to administrate
##	an tftp environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`tftp_admin',`
	gen_require(`
		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
	')

	allow $1 tftpd_t:process { ptrace signal_perms };
	ps_process_pattern($1, tftpd_t)

	files_list_var_lib($1)
	admin_pattern($1, tftpdir_rw_t)

	admin_pattern($1, tftpdir_t)

	files_list_pids($1)
	admin_pattern($1, tftpd_var_run_t)
')
add tftp 2005-09-16 15:18:09 +00:00			`## <summary>Trivial file transfer protocol daemon</summary>`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00
Implement cobblerd policy. My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t. Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t. As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral. Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all. Signed-off-by: Dominick Grift <domg472@gmail.com> Signed-off-by: Chris PeBenito <pebenito@gentoo.org> 2010-01-05 15:26:14 +00:00			`########################################`
			`## <summary>`
Misc fixes for 1031ee6. 2010-02-08 18:38:48 +00:00			`## Read tftp content`
Implement cobblerd policy. My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t. Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t. As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral. Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all. Signed-off-by: Dominick Grift <domg472@gmail.com> Signed-off-by: Chris PeBenito <pebenito@gentoo.org> 2010-01-05 15:26:14 +00:00			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
Misc fixes for 1031ee6. 2010-02-08 18:38:48 +00:00			interface(`tftp_read_content',`
Implement cobblerd policy. My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t. Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t. As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral. Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all. Signed-off-by: Dominick Grift <domg472@gmail.com> Signed-off-by: Chris PeBenito <pebenito@gentoo.org> 2010-01-05 15:26:14 +00:00			gen_require(`
Misc fixes for 1031ee6. 2010-02-08 18:38:48 +00:00			`type tftpdir_t;`
Implement cobblerd policy. My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t. Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t. As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral. Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all. Signed-off-by: Dominick Grift <domg472@gmail.com> Signed-off-by: Chris PeBenito <pebenito@gentoo.org> 2010-01-05 15:26:14 +00:00			`')`

Misc fixes for 1031ee6. 2010-02-08 18:38:48 +00:00			`read_files_pattern($1, tftpdir_t, tftpdir_t)`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)`
			`')`

			`########################################`
			`## <summary>`
			`## Search tftp /var/lib directories.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`tftp_search_rw_content',`
			gen_require(`
			`type tftpdir_rw_t;`
			`')`

			`search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)`
			`files_search_var_lib($1)`
Implement cobblerd policy. My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t. Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t. As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral. Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all. Signed-off-by: Dominick Grift <domg472@gmail.com> Signed-off-by: Chris PeBenito <pebenito@gentoo.org> 2010-01-05 15:26:14 +00:00			`')`

			`########################################`
			`## <summary>`
			`## Manage tftp /var/lib files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
Misc fixes for 1031ee6. 2010-02-08 18:38:48 +00:00			interface(`tftp_manage_rw_content',`
Implement cobblerd policy. My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t. Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t. As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral. Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all. Signed-off-by: Dominick Grift <domg472@gmail.com> Signed-off-by: Chris PeBenito <pebenito@gentoo.org> 2010-01-05 15:26:14 +00:00			gen_require(`
			`type tftpdir_rw_t;`
			`')`

			`files_search_var_lib($1)`
Misc fixes for 1031ee6. 2010-02-08 18:38:48 +00:00			`manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)`
Implement cobblerd policy. My previous version had a minor bug in admin_role where it was using cobblerd_var_log_t, and cobblerd_var_lib_t instead of cobbler_var_log_t, and cobbler_var_lib_t. Whilst i was at it, i decided the implement a cobbler_etc_t for cobbler content in /etc. This because you cannot admin a cobbler environment witouth having access to cobbler config files and i dont want to give cobbler_admin access to manage etc_t. As a consequence if this i also removed the files_read_etc_files(cobblerd_t), as i think that cobbler only needed it to read its own files in /etc. However this is not confirmed, and it may need read access to etc_t afteral. Also i would like to underscore my reason for using public_content_rw_t. One of the reasons is that i do not want to give cobbler access to manage httpd_sys_content_rw_t. In general i do not want to depend on apache module at all. Signed-off-by: Dominick Grift <domg472@gmail.com> Signed-off-by: Chris PeBenito <pebenito@gentoo.org> 2010-01-05 15:26:14 +00:00			`manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)`
			`')`

UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`########################################`
			`## <summary>`
			`## Create objects in tftpdir directories`
			`## with specified types.`
			`## </summary>`
			`## <param name="domain">`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-16 06:24:26 +00:00			`## <summary>`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`## Domain allowed access.`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-16 06:24:26 +00:00			`## </summary>`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`## </param>`
			`## <param name="file_type">`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-16 06:24:26 +00:00			`## <summary>`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`## Private file type.`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-16 06:24:26 +00:00			`## </summary>`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`## </param>`
			`## <param name="object_class">`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-16 06:24:26 +00:00			`## <summary>`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`## Class of the object being created.`
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. 2010-09-16 06:24:26 +00:00			`## </summary>`
UPdate for f14 policy 2010-08-26 13:41:21 +00:00			`## </param>`
			`#`
			interface(`tftp_filetrans_tftpdir',`
			gen_require(`
			`type tftpdir_rw_t;`
			`')`

			`filetrans_pattern($1, tftpdir_rw_t, $2, $3)`
			`files_search_var_lib($1)`
			`')`

trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00			`########################################`
			`## <summary>`
Tftp patch from Dan Walsh. 2010-01-07 14:01:10 +00:00			`## All of the rules required to administrate`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00			`## an tftp environment`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <rolecap/>`
			`#`
			interface(`tftp_admin',`
			gen_require(`
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00			`')`

The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. Signed-off-by: Dominick Grift <domg472@gmail.com> The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. The ps_process_pattern includes permission to get attributes of target domain. 2010-09-16 06:40:52 +00:00			`allow $1 tftpd_t:process { ptrace signal_perms };`
trunk: a pile of misc fixes, mainly sync xml docs with interface implementation. 2008-05-15 13:10:34 +00:00			`ps_process_pattern($1, tftpd_t)`
trunk: additional whitespace fixes. 2008-10-17 15:52:39 +00:00
Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. Signed-off-by: Dominick Grift <domg472@gmail.com> Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. Signed-off-by: Dominick Grift <domg472@gmail.com> Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. Search parent directory to be able to interact with target content. 2010-09-15 19:37:38 +00:00			`files_list_var_lib($1)`
trunk: 21 patches from dan. 2008-10-08 15:50:03 +00:00			`admin_pattern($1, tftpdir_rw_t)`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00
trunk: 21 patches from dan. 2008-10-08 15:50:03 +00:00			`admin_pattern($1, tftpdir_t)`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00
			`files_list_pids($1)`
trunk: 21 patches from dan. 2008-10-08 15:50:03 +00:00			`admin_pattern($1, tftpd_var_run_t)`
trunk: 12 patches from dan. 2008-02-07 16:37:47 +00:00			`')`