From c4786dd6ff3a8b5e111ea64e7ec721328e252b24 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Mon, 20 Sep 2010 14:39:27 +0200
Subject: [PATCH] Implement oident admin.
---
 policy/modules/services/oident.if | 34 +++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/policy/modules/services/oident.if b/policy/modules/services/oident.if
index a3a9a762..8d47116a 100644
--- a/policy/modules/services/oident.if
+++ b/policy/modules/services/oident.if
@@ -66,3 +66,37 @@ interface(`oident_relabel_user_content',`
 allow $1 oidentd_home_t:file relabel_file_perms;
 userdom_search_user_home_dirs($1)
 ')
+
+########################################
+##
+## All of the rules required to administrate
+## an oident environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`oident_admin',`
+ gen_require(`
+ type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
+ ')
+
+ allow $1 oidentd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, oidentd_t)
+
+ init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 oidentd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, oidentd_config_t)
+')
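Review bot: The new oident_admin interface grants `ptrace` on oidentd_t in addition to signal_perms, which is a broad privilege for administering an identd helper because it lets the administrative domain read and alter the daemon's memory; unless the project's admin-interface convention requires ptrace, `allow $1 oidentd_t:process signal_perms;` together with the ps_process_pattern call already in the hunk covers the usual start/stop/inspect needs. The interface also never mentions oidentd_home_t, although the context lines show the same file already manages that type through oident_relabel_user_content; if administrators are expected to handle per-user oidentd configuration, a `userdom_search_user_home_dirs($1)` plus an admin_pattern on oidentd_home_t would belong here, and if not, a short comment in the interface noting that user home content is deliberately out of scope would prevent the omission being read as an oversight. The summary and parameter descriptions in the header block appear on this page only as bare `##` lines, so their wording cannot be checked from here. The oident_admin interface is complete within the hunk.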