Commit | Line | Data |
---|---|---|
48b1d0b0 | 1 | ## <summary>Andrew Filesystem server</summary> |
13306f56 CP |
2 | |
########################################
## <summary>
##	Run the afs client through a domain
##	transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`afs_domtrans',`
	gen_require(`
		type afs_t;
		type afs_exec_t;
	')

	# Executing a file labeled afs_exec_t moves the calling domain into
	# afs_t. No other access to afs_t is granted by this interface.
	domtrans_pattern($1, afs_exec_t, afs_t)

	# Search access on the bin directories (per the macro name), presumably
	# so the calling domain can reach the entry point.
	corecmd_search_bin($1)
')
22 | ||
########################################
## <summary>
##	Read and write UDP sockets of the afs client.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`afs_rw_udp_sockets',`
	gen_require(`
		type afs_t;
	')

	# Only read and write are granted on udp_socket objects labeled afs_t.
	# Nothing here allows the calling domain to create, bind or connect
	# such a socket.
	allow $1 afs_t:udp_socket { read write };
')
40 | ||
########################################
## <summary>
##	Read and write afs cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`afs_rw_cache',`
	gen_require(`
		type afs_cache_t;
	')

	# Only read and write are granted on afs_cache_t files. The open
	# permission is not in this rule, so the interface alone does not let
	# the calling domain open a cache file.
	allow $1 afs_cache_t:file { read write };

	# Search access on the var directories (per the macro name).
	files_search_var($1)
')
59 | ||
########################################
## <summary>
##	Execute the afs server in the afs domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`afs_initrc_domtrans',`
	gen_require(`
		type afs_initrc_exec_t;
	')

	# The transition goes through the init script labeled
	# afs_initrc_exec_t. The target domain is chosen inside the init
	# macro and is not visible in this file.
	init_labeled_script_domtrans($1, afs_initrc_exec_t)
')
77 | ||
########################################
## <summary>
##	All of the rules required to administrate
##	an afs environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the afs domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`afs_admin',`
	gen_require(`
		type afs_t;
		type afs_initrc_exec_t;
	')

	# Process-level administration of afs_t: list the processes and send
	# them signals.
	ps_process_pattern($1, afs_t)
	allow $1 afs_t:process signal_perms;

	# The ptrace rule sits in the branch used when the deny_ptrace tunable
	# is off. With the tunable on, the admin domain gets no ptrace on afs_t.
	tunable_policy(`deny_ptrace',`',`
		allow $1 afs_t:process ptrace;
	')

	# Restarting the afs service: the admin domain runs the afs init
	# script, and the role given as the second argument moves to system_r
	# when it executes afs_initrc_exec_t. Callers should pass only a role
	# that is meant to administer afs.
	domain_system_change_exemption($1)
	afs_initrc_domtrans($1)
	allow $2 system_r;
	role_transition $2 afs_initrc_exec_t system_r;
')