projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| 48b1d0b0 | 1 | ## <summary>Andrew Filesystem server</summary> |
| 13306f56 CP |
2 | |
| 3 | ######################################## | |
| 4 | ## <summary> | |
| 5 | ## Execute a domain transition to run the | |
| 6 | ## afs client. | |
| 7 | ## </summary> | |
| 8 | ## <param name="domain"> | |
| 9 | ## <summary> | |
| 10 | ## Domain allowed to transition. | |
| 11 | ## </summary> | |
| 12 | ## </param> | |
| 13 | # | |
| 14 | interface(`afs_domtrans',` | |
| 15 | gen_require(` | |
| 16 | type afs_t, afs_exec_t; | |
| 17 | ') | |
| 18 | ||
| 534e57b7 | 19 | corecmd_search_bin($1) |
| 13306f56 CP |
20 | domtrans_pattern($1, afs_exec_t, afs_t) |
| 21 | ') | |
| 22 | ||
| 23 | ######################################## | |
| 24 | ## <summary> | |
| 25 | ## Read and write afs client UDP sockets. | |
| 26 | ## </summary> | |
| 27 | ## <param name="domain"> | |
| 28 | ## <summary> | |
| 29 | ## Domain allowed access. | |
| 30 | ## </summary> | |
| 31 | ## </param> | |
| 32 | # | |
| 33 | interface(`afs_rw_udp_sockets',` | |
| 34 | gen_require(` | |
| 35 | type afs_t; | |
| 36 | ') | |
| 37 | ||
| 38 | allow $1 afs_t:udp_socket { read write }; | |
| 39 | ') | |
| 40 | ||
| 41 | ######################################## | |
| 42 | ## <summary> | |
| 43 | ## read/write afs cache files | |
| 44 | ## </summary> | |
| 45 | ## <param name="domain"> | |
| 46 | ## <summary> | |
| 288845a6 | 47 | ## Domain allowed access. |
| 13306f56 CP |
48 | ## </summary> |
| 49 | ## </param> | |
| 50 | # | |
| 51 | interface(`afs_rw_cache',` | |
| 52 | gen_require(` | |
| 53 | type afs_cache_t; | |
| 54 | ') | |
| 55 | ||
| 534e57b7 | 56 | files_search_var($1) |
| 13306f56 CP |
57 | allow $1 afs_cache_t:file { read write }; |
| 58 | ') | |
| 59 | ||
| 60 | ######################################## | |
| 61 | ## <summary> | |
| 62 | ## Execute afs server in the afs domain. | |
| 63 | ## </summary> | |
| 64 | ## <param name="domain"> | |
| 65 | ## <summary> | |
| 288845a6 | 66 | ## Domain allowed to transition. |
| 13306f56 CP |
67 | ## </summary> |
| 68 | ## </param> | |
| 69 | # | |
| 70 | interface(`afs_initrc_domtrans',` | |
| 71 | gen_require(` | |
| 72 | type afs_initrc_exec_t; | |
| 73 | ') | |
| 74 | ||
| 534e57b7 | 75 | init_labeled_script_domtrans($1, afs_initrc_exec_t) |
| 13306f56 CP |
76 | ') |
| 77 | ||
| 78 | ######################################## | |
| 79 | ## <summary> | |
| 80 | ## All of the rules required to administrate | |
| 81 | ## an afs environment | |
| 82 | ## </summary> | |
| 83 | ## <param name="domain"> | |
| 84 | ## <summary> | |
| 85 | ## Domain allowed access. | |
| 86 | ## </summary> | |
| 87 | ## </param> | |
| 88 | ## <param name="role"> | |
| 89 | ## <summary> | |
| 90 | ## The role to be allowed to manage the afs domain. | |
| 91 | ## </summary> | |
| 92 | ## </param> | |
| 93 | ## <rolecap/> | |
| 94 | # | |
| 95 | interface(`afs_admin',` | |
| 96 | gen_require(` | |
| 1d348bd2 | 97 | type afs_t, afs_initrc_exec_t; |
| 13306f56 CP |
98 | ') |
| 99 | ||
| 995bdbb1 | 100 | allow $1 afs_t:process signal_perms; |
| 39e118bc | 101 | ps_process_pattern($1, afs_t) |
| 13306f56 | 102 | |
| 995bdbb1 | 103 | tunable_policy(`deny_ptrace',`',` |
| 104 | allow $1 afs_t:process ptrace; | |
| 105 | ') | |
| 106 | ||
| 534e57b7 | 107 | # Allow afs_admin to restart the afs service |
| 13306f56 CP |
108 | afs_initrc_domtrans($1) |
| 109 | domain_system_change_exemption($1) | |
| 110 | role_transition $2 afs_initrc_exec_t system_r; | |
| 111 | allow $2 system_r; | |
| 112 | ||
| 113 | ') |