selinux-policy/policy/modules/services/avahi.if
2008-11-19 15:24:10 +00:00

150 lines
2.9 KiB
Plaintext

## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture</summary>
########################################
## <summary>
## Execute avahi server in the avahi domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`avahi_domtrans',`
gen_require(`
type avahi_exec_t, avahi_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, avahi_exec_t, avahi_t)
')
########################################
## <summary>
## Send avahi a signal
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`avahi_signal',`
gen_require(`
type avahi_t;
')
allow $1 avahi_t:process signal;
')
########################################
## <summary>
## Send avahi a kill signal.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`avahi_kill',`
gen_require(`
type avahi_t;
')
allow $1 avahi_t:process sigkill;
')
########################################
## <summary>
## Send and receive messages from
## avahi over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`avahi_dbus_chat',`
gen_require(`
type avahi_t;
class dbus send_msg;
')
allow $1 avahi_t:dbus send_msg;
allow avahi_t $1:dbus send_msg;
')
########################################
## <summary>
## Connect to avahi using a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`avahi_stream_connect',`
gen_require(`
type avahi_t, avahi_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
')
########################################
## <summary>
## Do not audit attempts to search the avahi pid directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`avahi_dontaudit_search_pid',`
gen_require(`
type avahi_var_run_t;
')
dontaudit $1 avahi_var_run_t:dir search_dir_perms;
')
########################################
## <summary>
## All of the rules required to administrate
## an avahi environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the avahi domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`avahi_admin',`
gen_require(`
type avahi_t, avahi_var_run_t;
type avahi_initrc_exec_t;
')
allow $1 avahi_t:process { ptrace signal_perms };
ps_process_pattern($1, avahi_t)
init_labeled_script_domtrans($1, avahi_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
allow $2 system_r;
files_list_pids($1)
admin_pattern($1, avahi_var_run_t)
')