selinux-policy/policy/modules/services/oident.if

## <summary>SELinux policy for Oident daemon.</summary>
## <desc>
##	<p>
##	Oident daemon is a server that implements the TCP/IP
##	standard IDENT user identification protocol as
##	specified in the RFC 1413 document.
##	</p>
## </desc>

#######################################
## <summary>
##  The per role template for the Oidentd module.
## </summary>
## <desc>
## 	<p>
## 	This template creates derived domains which are used
## 	for Oident daemon.
## 	</p>
## 	<p>
## 	This template is invoked automatically for each user, and
## 	generally does not need to be invoked directly
## 	by policy writers.
## 	</p>
## </desc>
## <param name="userdomain_prefix">
## 	<summary>
## 	The prefix of the user domain (e.g., user
## 	is the prefix for user_t).
## 	</summary>
## </param>
## <param name="user_domain">
## 	<summary>
## 	The type of the user domain.
## 	</summary>
## 	</param>
## 	<param name="user_role">
## 	<summary>
## 	The role associated with the user domain.
## 	</summary>
## </param>
#
template(`oident_per_role_template', `

	########################################
	#
	#  Oident daemon shared declarations
	#

	gen_require(`
		attribute oidentd_user_content_type;
	')

	type $1_oidentd_home_t, oidentd_user_content_type;
	userdom_user_home_content($1, $1_oidentd_home_t)

	typeattribute $1_oidentd_home_t oidentd_user_content_type;

	########################################
	#
	#  Oident daemon shared policy
	#

	allow $2 $1_oidentd_home_t:file manage_file_perms; 
	allow $2 $1_oidentd_home_t:file relabel_file_perms;
')

########################################
## <summary>
##	Allow the specified domain to read
##	Oidentd personal configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`oident_read_all_user_content', `
	gen_require(`
		attribute oidentd_user_content_type;
	')

	allow $1 oidentd_user_content_type:file read_file_perms;
	userdom_search_all_users_home_dirs($1)
')