selinux-policy/policy/modules/services/apcupsd.if
2008-10-20 16:10:42 +00:00

144 lines
3.0 KiB
Plaintext

## <summary>APC UPS monitoring daemon</summary>
########################################
## <summary>
## Execute a domain transition to run apcupsd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`apcupsd_domtrans',`
gen_require(`
type apcupsd_t, apcupsd_exec_t;
')
domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
')
########################################
## <summary>
## Read apcupsd PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apcupsd_read_pid_files',`
gen_require(`
type apcupsd_var_run_t;
')
files_search_pids($1)
allow $1 apcupsd_var_run_t:file read_file_perms;
')
########################################
## <summary>
## Allow the specified domain to read apcupsd's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`apcupsd_read_log',`
gen_require(`
type apcupsd_log_t;
')
logging_search_logs($1)
allow $1 apcupsd_log_t:dir list_dir_perms;
allow $1 apcupsd_log_t:file read_file_perms;
')
########################################
## <summary>
## Allow the specified domain to append
## apcupsd log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`apcupsd_append_log',`
gen_require(`
type apcupsd_log_t;
')
logging_search_logs($1)
allow $1 apcupsd_log_t:dir list_dir_perms;
allow $1 apcupsd_log_t:file append_file_perms;
')
########################################
## <summary>
## Execute a domain transition to run httpd_apcupsd_cgi_script.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`apcupsd_cgi_script_domtrans',`
gen_require(`
type httpd_apcupsd_cgi_script_t, httpd_apcupsd_cgi_script_exec_t;
')
domtrans_pattern($1, httpd_apcupsd_cgi_script_exec_t, httpd_apcupsd_cgi_script_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an apcupsd environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the apcupsd domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`apcupsd_admin',`
gen_require(`
type apcupsd_t, apcupsd_tmp_t;
type apcupsd_log_t, apcupsd_lock_t;
type apcupsd_var_run_t, apcupsd_initrc_exec_t;
')
allow $1 apcupsd_t:process { ptrace signal_perms };
ps_process_pattern($1, apcupsd_t)
init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 apcupsd_initrc_exec_t system_r;
allow $2 system_r;
files_list_var($1)
admin_pattern($1, apcupsd_lock_t)
logging_list_logs($1)
admin_pattern($1, apcupsd_log_t)
files_list_tmp($1)
admin_pattern($1, apcupsd_tmp_t)
files_list_pids($1)
admin_pattern($1, apcupsd_var_run_t)
')