9461b60657
Remove permissive domain from cmirrord and dontaudit sys_tty_config Split out unconfined_domain() calls from other unconfined_ calls so we can disable unconfined.pp and leave unconfineduser virt needs to be able to read processes to clearance for MLS
57 lines
1.2 KiB
Plaintext
57 lines
1.2 KiB
Plaintext
policy_module(webadm, 1.1.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow webadm to manage files in users home directories
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(webadm_manage_user_files, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow webadm to read files in users home directories
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(webadm_read_user_files, false)
|
|
|
|
role webadm_r;
|
|
|
|
userdom_base_user_template(webadm)
|
|
|
|
########################################
|
|
#
|
|
# webadmin local policy
|
|
#
|
|
|
|
allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
|
|
|
|
files_dontaudit_search_all_dirs(webadm_t)
|
|
files_manage_generic_locks(webadm_t)
|
|
files_list_var(webadm_t)
|
|
|
|
selinux_get_enforce_mode(webadm_t)
|
|
seutil_domtrans_setfiles(webadm_t)
|
|
|
|
logging_send_syslog_msg(webadm_t)
|
|
logging_send_audit_msgs(webadm_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(webadm_t)
|
|
|
|
apache_admin(webadm_t, webadm_r)
|
|
|
|
tunable_policy(`webadm_manage_user_files',`
|
|
userdom_manage_user_home_content_files(webadm_t)
|
|
userdom_read_user_tmp_files(webadm_t)
|
|
userdom_write_user_tmp_files(webadm_t)
|
|
')
|
|
|
|
tunable_policy(`webadm_read_user_files',`
|
|
userdom_read_user_home_content_files(webadm_t)
|
|
userdom_read_user_tmp_files(webadm_t)
|
|
')
|