[people/stevee/selinux-policy.git] / policy / modules / services / cobbler.if

## <summary>Cobbler installation server.</summary>
## <desc>
##	<p>
##		Cobbler is a Linux installation server that allows for
##		rapid setup of network installation environments. It
##		glues together and automates many associated Linux
##		tasks so you do not have to hop between lots of various
##		commands and applications when rolling out new systems,
##		and, in some cases, changing existing ones.
##	</p>
## </desc>

########################################
## <summary>
##	Execute a domain transition to run cobblerd.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`cobblerd_domtrans',`
	gen_require(`
		type cobblerd_t, cobblerd_exec_t;
	')

	domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
	corecmd_search_bin($1)
')

########################################
## <summary>
##	Execute cobblerd server in the cobblerd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cobblerd_initrc_domtrans',`
	gen_require(`
		type cobblerd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
')

########################################
## <summary>
##	List Cobbler configuration.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_list_config',`
	gen_require(`
		type cobbler_etc_t;
	')

	list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	files_search_etc($1)
')

########################################
## <summary>
##	Read Cobbler configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`cobbler_read_config',`
	gen_require(`
		type cobbler_etc_t;
	')

	read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
	files_search_etc($1)
')

########################################
## <summary>
##	Search cobbler dirs in /var/lib
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_search_lib',`
	gen_require(`
		type cobbler_var_lib_t;
	')

	search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	files_search_var_lib($1)
')

########################################
## <summary>
##	Read cobbler files in /var/lib
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_read_lib_files',`
	gen_require(`
		type cobbler_var_lib_t;
	')

	read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	files_search_var_lib($1)
')

########################################
## <summary>
##	Manage cobbler files in /var/lib
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_manage_lib_files',`
	gen_require(`
		type cobbler_var_lib_t;
	')

	manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	files_search_var_lib($1)
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	Cobbler log files (leaked fd).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_dontaudit_rw_log',`
	gen_require(`
		type cobbler_var_log_t;
	')

	dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
')

########################################
## <summary>
##	All of the rules required to administrate
##	an cobblerd environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`cobblerd_admin',`
	gen_require(`
		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
		type cobbler_etc_t, cobblerd_initrc_exec_t;
		type httpd_cobbler_content_t;
		type httpd_cobbler_content_ra_t;
		type httpd_cobbler_content_rw_t;
	')

	allow $1 cobblerd_t:process { ptrace signal_perms };
	ps_process_pattern($1, cobblerd_t)

	files_search_etc($1)
	admin_pattern($1, cobbler_etc_t)

	files_list_var_lib($1)
	admin_pattern($1, cobbler_var_lib_t)

	logging_search_logs($1)
	admin_pattern($1, cobbler_var_log_t)

	apache_search_sys_content($1)
	admin_pattern($1, httpd_cobbler_content_t)
	admin_pattern($1, httpd_cobbler_content_ra_t)
	admin_pattern($1, httpd_cobbler_content_rw_t)

	cobblerd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 cobblerd_initrc_exec_t system_r;
	allow $2 system_r;

	optional_policy(`
		# traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
		tftp_search_rw_content($1)
	')
')
Commit	Line	Data
1031ee6f	1	## <summary>Cobbler installation server.</summary>
2968e068 DW	2	## <desc>
	3	## <p>
	4	## Cobbler is a Linux installation server that allows for
	5	## rapid setup of network installation environments. It
	6	## glues together and automates many associated Linux
	7	## tasks so you do not have to hop between lots of various
	8	## commands and applications when rolling out new systems,
	9	## and, in some cases, changing existing ones.
	10	## </p>
	11	## </desc>
1031ee6f DG	12
	13	########################################
	14	## <summary>
27eab81f	15	## Execute a domain transition to run cobblerd.
1031ee6f DG	16	## </summary>
1031ee6f DG	17	## <param name="domain">
27eab81f CP	18	## <summary>
	19	## Domain allowed to transition.
	20	## </summary>
1031ee6f DG	21	## </param>
1031ee6f DG	22	#
27eab81f	23	interface(`cobblerd_domtrans',`
1031ee6f	24	gen_require(`
27eab81f	25	type cobblerd_t, cobblerd_exec_t;
1031ee6f DG	26	')
1031ee6f DG	27
27eab81f	28	domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
3eaa9939	29	corecmd_search_bin($1)
1031ee6f DG	30	')
	31
	32	########################################
	33	## <summary>
27eab81f	34	## Execute cobblerd server in the cobblerd domain.
1031ee6f DG	35	## </summary>
	36	## <param name="domain">
	37	## <summary>
288845a6	38	## Domain allowed to transition.
1031ee6f DG	39	## </summary>
	40	## </param>
	41	#
27eab81f	42	interface(`cobblerd_initrc_domtrans',`
1031ee6f	43	gen_require(`
27eab81f	44	type cobblerd_initrc_exec_t;
1031ee6f DG	45	')
1031ee6f DG	46
27eab81f	47	init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
1031ee6f DG	48	')
	49
	50	########################################
	51	## <summary>
3eaa9939	52	## List Cobbler configuration.
1031ee6f DG	53	## </summary>
	54	## <param name="domain">
	55	## <summary>
	56	## Domain allowed access.
	57	## </summary>
	58	## </param>
	59	#
3eaa9939	60	interface(`cobbler_list_config',`
1031ee6f	61	gen_require(`
27eab81f	62	type cobbler_etc_t;
1031ee6f DG	63	')
1031ee6f DG	64
2968e068	65	list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
27eab81f	66	files_search_etc($1)
1031ee6f DG	67	')
	68
	69	########################################
	70	## <summary>
3eaa9939	71	## Read Cobbler configuration files.
1031ee6f DG	72	## </summary>
	73	## <param name="domain">
	74	## <summary>
288845a6	75	## Domain to not audit.
1031ee6f DG	76	## </summary>
	77	## </param>
	78	#
3eaa9939	79	interface(`cobbler_read_config',`
1031ee6f	80	gen_require(`
3eaa9939	81	type cobbler_etc_t;
1031ee6f DG	82	')
1031ee6f DG	83
3eaa9939 DW	84	read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
3eaa9939 DW	85	files_search_etc($1)
1031ee6f DG	86	')
	87
	88	########################################
	89	## <summary>
2968e068	90	## Search cobbler dirs in /var/lib
1031ee6f DG	91	## </summary>
	92	## <param name="domain">
	93	## <summary>
	94	## Domain allowed access.
	95	## </summary>
	96	## </param>
	97	#
2968e068	98	interface(`cobbler_search_lib',`
1031ee6f	99	gen_require(`
2968e068	100	type cobbler_var_lib_t;
1031ee6f DG	101	')
1031ee6f DG	102
2968e068 DW	103	search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
2968e068 DW	104	read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
1031ee6f DG	105	files_search_var_lib($1)
	106	')
	107
	108	########################################
	109	## <summary>
2968e068	110	## Read cobbler files in /var/lib
1031ee6f DG	111	## </summary>
1031ee6f DG	112	## <param name="domain">
27eab81f CP	113	## <summary>
	114	## Domain allowed access.
	115	## </summary>
1031ee6f DG	116	## </param>
1031ee6f DG	117	#
2968e068	118	interface(`cobbler_read_lib_files',`
1031ee6f	119	gen_require(`
2968e068	120	type cobbler_var_lib_t;
1031ee6f DG	121	')
1031ee6f DG	122
2968e068 DW	123	read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
2968e068 DW	124	read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
27eab81f	125	files_search_var_lib($1)
1031ee6f DG	126	')
	127
	128	########################################
	129	## <summary>
2968e068	130	## Manage cobbler files in /var/lib
1031ee6f DG	131	## </summary>
	132	## <param name="domain">
	133	## <summary>
27eab81f	134	## Domain allowed access.
1031ee6f DG	135	## </summary>
	136	## </param>
	137	#
2968e068	138	interface(`cobbler_manage_lib_files',`
1031ee6f	139	gen_require(`
2968e068	140	type cobbler_var_lib_t;
1031ee6f DG	141	')
1031ee6f DG	142
2968e068 DW	143	manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	144	manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	145	manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
27eab81f	146	files_search_var_lib($1)
1031ee6f DG	147	')
1031ee6f DG	148
3eaa9939 DW	149	########################################
	150	## <summary>
	151	## Do not audit attempts to read and write
	152	## Cobbler log files (leaked fd).
	153	## </summary>
	154	## <param name="domain">
	155	## <summary>
	156	## Domain allowed access.
	157	## </summary>
	158	## </param>
	159	#
	160	interface(`cobbler_dontaudit_rw_log',`
	161	gen_require(`
	162	type cobbler_var_log_t;
	163	')
	164
	165	dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
	166	')
	167
1031ee6f DG	168	########################################
1031ee6f DG	169	## <summary>
aeb7a4e1	170	## All of the rules required to administrate
1031ee6f DG	171	## an cobblerd environment
	172	## </summary>
	173	## <param name="domain">
	174	## <summary>
	175	## Domain allowed access.
	176	## </summary>
	177	## </param>
	178	## <param name="role">
	179	## <summary>
	180	## Role allowed access.
	181	## </summary>
	182	## </param>
	183	## <rolecap/>
	184	#
	185	interface(`cobblerd_admin',`
	186	gen_require(`
2968e068 DW	187	type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
	188	type cobbler_etc_t, cobblerd_initrc_exec_t;
	189	type httpd_cobbler_content_t;
	190	type httpd_cobbler_content_ra_t;
	191	type httpd_cobbler_content_rw_t;
1031ee6f DG	192	')
1031ee6f DG	193
39e118bc DG	194	allow $1 cobblerd_t:process { ptrace signal_perms };
39e118bc DG	195	ps_process_pattern($1, cobblerd_t)
1031ee6f	196
3eaa9939	197	files_search_etc($1)
2968e068	198	admin_pattern($1, cobbler_etc_t)
1031ee6f DG	199
1031ee6f DG	200	files_list_var_lib($1)
2968e068	201	admin_pattern($1, cobbler_var_lib_t)
1031ee6f	202
3eaa9939	203	logging_search_logs($1)
2968e068	204	admin_pattern($1, cobbler_var_log_t)
1031ee6f	205
2968e068 DW	206	apache_search_sys_content($1)
	207	admin_pattern($1, httpd_cobbler_content_t)
	208	admin_pattern($1, httpd_cobbler_content_ra_t)
	209	admin_pattern($1, httpd_cobbler_content_rw_t)
3eaa9939	210
2968e068 DW	211	cobblerd_initrc_domtrans($1)
	212	domain_system_change_exemption($1)
	213	role_transition $2 cobblerd_initrc_exec_t system_r;
	214	allow $2 system_r;
3eaa9939 DW	215
3eaa9939 DW	216	optional_policy(`
2968e068	217	# traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
3eaa9939 DW	218	tftp_search_rw_content($1)
3eaa9939 DW	219	')
1031ee6f	220	')