61f4064286
Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces. Use list instead of search in admin interfaces.
219 lines
4.8 KiB
Plaintext
219 lines
4.8 KiB
Plaintext
## <summary>Cobbler installation server.</summary>
|
|
## <desc>
|
|
## <p>
|
|
## Cobbler is a Linux installation server that allows for
|
|
## rapid setup of network installation environments. It
|
|
## glues together and automates many associated Linux
|
|
## tasks so you do not have to hop between lots of various
|
|
## commands and applications when rolling out new systems,
|
|
## and, in some cases, changing existing ones.
|
|
## </p>
|
|
## </desc>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to run cobblerd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cobblerd_domtrans',`
|
|
gen_require(`
|
|
type cobblerd_t, cobblerd_exec_t;
|
|
')
|
|
|
|
domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
|
|
corecmd_search_bin($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute cobblerd server in the cobblerd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cobblerd_initrc_domtrans',`
|
|
gen_require(`
|
|
type cobblerd_initrc_exec_t;
|
|
')
|
|
|
|
init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List Cobbler configuration.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cobbler_list_config',`
|
|
gen_require(`
|
|
type cobbler_etc_t;
|
|
')
|
|
|
|
list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
files_search_etc($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read Cobbler configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cobbler_read_config',`
|
|
gen_require(`
|
|
type cobbler_etc_t;
|
|
')
|
|
|
|
read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
|
|
files_search_etc($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search cobbler dirs in /var/lib
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cobbler_search_lib',`
|
|
gen_require(`
|
|
type cobbler_var_lib_t;
|
|
')
|
|
|
|
search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read cobbler files in /var/lib
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cobbler_read_lib_files',`
|
|
gen_require(`
|
|
type cobbler_var_lib_t;
|
|
')
|
|
|
|
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage cobbler files in /var/lib
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cobbler_manage_lib_files',`
|
|
gen_require(`
|
|
type cobbler_var_lib_t;
|
|
')
|
|
|
|
manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and write
|
|
## Cobbler log files (leaked fd).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`cobbler_dontaudit_rw_log',`
|
|
gen_require(`
|
|
type cobbler_var_log_t;
|
|
')
|
|
|
|
dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to administrate
|
|
## an cobblerd environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`cobblerd_admin',`
|
|
gen_require(`
|
|
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
|
|
type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
|
|
type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;
|
|
')
|
|
|
|
allow $1 cobblerd_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, cobblerd_t)
|
|
|
|
files_list_etc($1)
|
|
admin_pattern($1, cobbler_etc_t)
|
|
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, cobbler_var_lib_t)
|
|
|
|
logging_list_logs($1)
|
|
admin_pattern($1, cobbler_var_log_t)
|
|
|
|
apache_list_sys_content($1)
|
|
admin_pattern($1, httpd_cobbler_content_t)
|
|
admin_pattern($1, httpd_cobbler_content_ra_t)
|
|
admin_pattern($1, httpd_cobbler_content_rw_t)
|
|
|
|
cobblerd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 cobblerd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
optional_policy(`
|
|
# traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
|
|
tftp_search_rw_content($1)
|
|
')
|
|
')
|