Commit | Line | Data |
---|---|---|
1031ee6f | 1 | ## <summary>Cobbler installation server.</summary> |
2968e068 DW |
2 | ## <desc> |
3 | ## <p> | |
4 | ## Cobbler is a Linux installation server that allows for | |
5 | ## rapid setup of network installation environments. It | |
6 | ## glues together and automates many associated Linux | |
7 | ## tasks so you do not have to hop between lots of various | |
8 | ## commands and applications when rolling out new systems, | |
9 | ## and, in some cases, changing existing ones. | |
10 | ## </p> | |
11 | ## </desc> | |
1031ee6f DG |
12 | |
########################################
## <summary>
##	Transition to the cobblerd domain when the
##	cobblerd executable is run.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cobblerd_domtrans',`
	gen_require(`
		type cobblerd_t;
		type cobblerd_exec_t;
	')

	# Search access to the bin directories; presumably this is where
	# the cobblerd_exec_t entry point is installed (confirm against
	# the file contexts).
	corecmd_search_bin($1)

	# Entry point cobblerd_exec_t, target domain cobblerd_t.
	domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
')
31 | ||
########################################
## <summary>
##	Execute the cobblerd init script
##	(cobblerd_initrc_exec_t) with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cobblerd_initrc_domtrans',`
	gen_require(`
		type cobblerd_initrc_exec_t;
	')

	# Only the init script label is named here. The target domain is
	# chosen inside init_labeled_script_domtrans and not by this
	# interface, so the caller does not enter cobblerd_t directly.
	init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
')
49 | ||
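########################################
## <summary>
##	List Cobbler configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_list_config',`
	gen_require(`
		type cobbler_etc_t;
	')

	# Grant listing on the configuration type that gen_require declares.
	# The earlier rule named cobbler_var_lib_t, which this interface
	# never requires and which labels the /var/lib content rather than
	# the configuration, so callers asking for config listing were
	# handed access to a different type than the one documented.
	list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
	files_search_etc($1)
')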
68 | ||
########################################
## <summary>
##	Read Cobbler configuration files
##	(files labeled cobbler_etc_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_read_config',`
	gen_require(`
		type cobbler_etc_t;
	')

	# Search access to the etc directories.
	files_search_etc($1)

	# Read-only access to the configuration files themselves.
	read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
')
87 | ||
########################################
## <summary>
##	Search Cobbler directories in /var/lib and
##	read the symbolic links found there.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_search_lib',`
	gen_require(`
		type cobbler_var_lib_t;
	')

	# Search access to the parent /var/lib directories.
	files_search_var_lib($1)

	# Directory search plus symlink reads on cobbler_var_lib_t.
	# No regular file access is granted by this interface.
	search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
107 | ||
########################################
## <summary>
##	Read Cobbler files and symbolic links
##	in /var/lib.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_read_lib_files',`
	gen_require(`
		type cobbler_var_lib_t;
	')

	# Search access to the parent /var/lib directories.
	files_search_var_lib($1)

	# Read-only access to files and symlinks labeled cobbler_var_lib_t.
	read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
127 | ||
########################################
## <summary>
##	Manage Cobbler directories, files and
##	symbolic links in /var/lib.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_manage_lib_files',`
	gen_require(`
		type cobbler_var_lib_t;
	')

	# Search access to the parent /var/lib directories.
	files_search_var_lib($1)

	# Manage access on every object class used under cobbler_var_lib_t.
	# This is the broadest of the lib interfaces in this file; callers
	# that only read should use the read or search variants instead.
	manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
148 | ||
3eaa9939 DW |
########################################
## <summary>
##	Do not audit attempts to read and write
##	Cobbler log files (leaked fd).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`cobbler_dontaudit_rw_log',`
	gen_require(`
		type cobbler_var_log_t;
	')

	# A dontaudit rule grants nothing: the access is still denied and
	# only the AVC message is suppressed. Denials from the named domain
	# against cobbler_var_log_t files will therefore not show up in the
	# audit log; rebuild with dontaudit rules disabled (semodule -DB)
	# when investigating that domain.
	dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
')
167 | ||
1031ee6f DG |
########################################
## <summary>
##	All of the rules required to administrate
##	a cobblerd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`cobblerd_admin',`
	gen_require(`
		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
		type cobbler_etc_t, cobblerd_initrc_exec_t;
		type httpd_cobbler_content_t;
		type httpd_cobbler_content_ra_t;
		type httpd_cobbler_content_rw_t;
	')

	# Process control over the daemon. NOTE(review): ptrace lets the
	# admin domain attach to cobblerd_t processes and read or alter
	# their memory, which is far more than signal_perms; confirm that
	# every caller of this interface really needs it.
	allow $1 cobblerd_t:process { ptrace signal_perms };
	ps_process_pattern($1, cobblerd_t)

	# Configuration labeled cobbler_etc_t.
	files_search_etc($1)
	admin_pattern($1, cobbler_etc_t)

	# State labeled cobbler_var_lib_t.
	files_list_var_lib($1)
	admin_pattern($1, cobbler_var_lib_t)

	# Logs labeled cobbler_var_log_t. The admin domain can change the
	# daemon logs, so they are not tamper-evident against this domain.
	logging_search_logs($1)
	admin_pattern($1, cobbler_var_log_t)

	# Cobbler web content types served through apache.
	apache_search_sys_content($1)
	admin_pattern($1, httpd_cobbler_content_t)
	admin_pattern($1, httpd_cobbler_content_ra_t)
	admin_pattern($1, httpd_cobbler_content_rw_t)

	# Let the admin run the init script. The role argument may change
	# to system_r when it executes cobblerd_initrc_exec_t, so this
	# interface widens the role as well as the domain.
	cobblerd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 cobblerd_initrc_exec_t system_r;
	allow $2 system_r;

	# Only applied when the tftp policy module is present.
	optional_policy(`
		# traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
		tftp_search_rw_content($1)
	')
')