18f2a72d7f
Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes. Whitespace, newline and tab fixes.
103 lines
2.8 KiB
Plaintext
103 lines
2.8 KiB
Plaintext
policy_module(oddjob, 1.7.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type oddjob_t;
|
|
type oddjob_exec_t;
|
|
init_daemon_domain(oddjob_t, oddjob_exec_t)
|
|
domain_obj_id_change_exemption(oddjob_t)
|
|
domain_role_change_exemption(oddjob_t)
|
|
domain_subj_id_change_exemption(oddjob_t)
|
|
|
|
type oddjob_mkhomedir_t;
|
|
type oddjob_mkhomedir_exec_t;
|
|
domain_obj_id_change_exemption(oddjob_mkhomedir_t)
|
|
init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
|
|
oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
|
|
|
|
# pid files
|
|
type oddjob_var_run_t;
|
|
files_pid_file(oddjob_var_run_t)
|
|
|
|
ifdef(`enable_mcs',`
|
|
init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# oddjob local policy
|
|
#
|
|
|
|
allow oddjob_t self:capability setgid;
|
|
allow oddjob_t self:process { setexec signal };
|
|
allow oddjob_t self:fifo_file rw_fifo_file_perms;
|
|
allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
|
|
manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
|
|
files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })
|
|
|
|
kernel_read_system_state(oddjob_t)
|
|
|
|
corecmd_exec_bin(oddjob_t)
|
|
corecmd_exec_shell(oddjob_t)
|
|
|
|
mcs_process_set_categories(oddjob_t)
|
|
|
|
selinux_compute_create_context(oddjob_t)
|
|
|
|
files_read_etc_files(oddjob_t)
|
|
|
|
miscfiles_read_localization(oddjob_t)
|
|
|
|
locallogin_dontaudit_use_fds(oddjob_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(oddjob_t)
|
|
dbus_connect_system_bus(oddjob_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domtrans(oddjob_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# oddjob_mkhomedir local policy
|
|
#
|
|
|
|
allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
|
|
allow oddjob_mkhomedir_t self:process setfscreate;
|
|
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
|
|
allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
kernel_read_system_state(oddjob_mkhomedir_t)
|
|
|
|
files_read_etc_files(oddjob_mkhomedir_t)
|
|
|
|
auth_use_nsswitch(oddjob_mkhomedir_t)
|
|
|
|
logging_send_syslog_msg(oddjob_mkhomedir_t)
|
|
|
|
miscfiles_read_localization(oddjob_mkhomedir_t)
|
|
|
|
selinux_get_fs_mount(oddjob_mkhomedir_t)
|
|
selinux_validate_context(oddjob_mkhomedir_t)
|
|
selinux_compute_access_vector(oddjob_mkhomedir_t)
|
|
selinux_compute_create_context(oddjob_mkhomedir_t)
|
|
selinux_compute_relabel_context(oddjob_mkhomedir_t)
|
|
selinux_compute_user_contexts(oddjob_mkhomedir_t)
|
|
|
|
seutil_read_config(oddjob_mkhomedir_t)
|
|
seutil_read_file_contexts(oddjob_mkhomedir_t)
|
|
seutil_read_default_contexts(oddjob_mkhomedir_t)
|
|
|
|
# Add/remove user home directories
|
|
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
|
|
userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
|
|
userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
|
|
userdom_manage_user_home_content(oddjob_mkhomedir_t)
|