[people/stevee/selinux-policy.git] / policy / modules / services / oddjob.if

## <summary>
##	Oddjob provides a mechanism by which unprivileged applications can
##	request that specified privileged operations be performed on their
##	behalf.
## </summary>

########################################
## <summary>
##	Execute a domain transition to run oddjob.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`oddjob_domtrans',`
	gen_require(`
		type oddjob_t, oddjob_exec_t;
	')

	domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')

#####################################
## <summary>
##	Do not audit attempts to read and write 
##	oddjob fifo file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`oddjob_dontaudit_rw_fifo_file',`
	gen_require(`
		type oddjob_t;
	')

	dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
')

########################################
## <summary>
##	Make the specified program domain accessable
##	from the oddjob.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to transition to.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	The type of the file used as an entrypoint to this domain.
##	</summary>
## </param>
#
interface(`oddjob_system_entry',`
	gen_require(`
		type oddjob_t;
	')

	domtrans_pattern(oddjob_t, $2, $1)
	domain_user_exemption_target($1)
')

########################################
## <summary>
##	Send and receive messages from
##	oddjob over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`oddjob_dbus_chat',`
	gen_require(`
		type oddjob_t;
		class dbus send_msg;
	')

	allow $1 oddjob_t:dbus send_msg;
	allow oddjob_t $1:dbus send_msg;
')

######################################
## <summary>
##	Send a SIGCHLD signal to oddjob.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`oddjob_sigchld',`
	gen_require(`
		type oddjob_t;
	')

	allow $1 oddjob_t:process sigchld;
')

########################################
## <summary>
##	Execute a domain transition to run oddjob_mkhomedir.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`oddjob_domtrans_mkhomedir',`
	gen_require(`
		type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
	')

	domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
')

########################################
## <summary>
##	Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`oddjob_run_mkhomedir',`
	gen_require(`
		type oddjob_mkhomedir_t;
	')

	oddjob_domtrans_mkhomedir($1)
	role $2 types oddjob_mkhomedir_t;
')
Commit	Line	Data
e2b84ef7 CP	1	## <summary>
	2	## Oddjob provides a mechanism by which unprivileged applications can
	3	## request that specified privileged operations be performed on their
	4	## behalf.
	5	## </summary>
	6
	7	########################################
	8	## <summary>
	9	## Execute a domain transition to run oddjob.
	10	## </summary>
	11	## <param name="domain">
1976ddda	12	## <summary>
e2b84ef7	13	## Domain allowed to transition.
1976ddda	14	## </summary>
e2b84ef7 CP	15	## </param>
	16	#
	17	interface(`oddjob_domtrans',`
	18	gen_require(`
	19	type oddjob_t, oddjob_exec_t;
	20	')
	21
0bfccda4	22	domtrans_pattern($1, oddjob_exec_t, oddjob_t)
e2b84ef7 CP	23	')
e2b84ef7 CP	24
3eaa9939 DW	25	#####################################
3eaa9939 DW	26	## <summary>
1976ddda DG	27	## Do not audit attempts to read and write
1976ddda DG	28	## oddjob fifo file.
3eaa9939 DW	29	## </summary>
3eaa9939 DW	30	## <param name="domain">
1976ddda DG	31	## <summary>
	32	## Domain to not audit.
	33	## </summary>
3eaa9939 DW	34	## </param>
	35	#
	36	interface(`oddjob_dontaudit_rw_fifo_file',`
1976ddda	37	gen_require(`
f9c2fa55	38	type oddjob_t;
1976ddda	39	')
3eaa9939	40
1976ddda	41	dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
3eaa9939 DW	42	')
3eaa9939 DW	43
e2b84ef7 CP	44	########################################
	45	## <summary>
	46	## Make the specified program domain accessable
	47	## from the oddjob.
	48	## </summary>
	49	## <param name="domain">
	50	## <summary>
	51	## The type of the process to transition to.
	52	## </summary>
	53	## </param>
	54	## <param name="entrypoint">
	55	## <summary>
	56	## The type of the file used as an entrypoint to this domain.
	57	## </summary>
	58	## </param>
	59	#
	60	interface(`oddjob_system_entry',`
	61	gen_require(`
	62	type oddjob_t;
	63	')
	64
c0868a7a	65	domtrans_pattern(oddjob_t, $2, $1)
3eaa9939	66	domain_user_exemption_target($1)
e2b84ef7 CP	67	')
e2b84ef7 CP	68
e2b84ef7 CP	69	########################################
	70	## <summary>
	71	## Send and receive messages from
	72	## oddjob over dbus.
	73	## </summary>
	74	## <param name="domain">
	75	## <summary>
	76	## Domain allowed access.
	77	## </summary>
	78	## </param>
	79	#
	80	interface(`oddjob_dbus_chat',`
	81	gen_require(`
	82	type oddjob_t;
	83	class dbus send_msg;
	84	')
	85
	86	allow $1 oddjob_t:dbus send_msg;
	87	allow oddjob_t $1:dbus send_msg;
	88	')
	89
3eaa9939 DW	90	######################################
3eaa9939 DW	91	## <summary>
1976ddda	92	## Send a SIGCHLD signal to oddjob.
3eaa9939 DW	93	## </summary>
3eaa9939 DW	94	## <param name="domain">
1976ddda DG	95	## <summary>
	96	## Domain allowed access.
	97	## </summary>
3eaa9939 DW	98	## </param>
	99	#
	100	interface(`oddjob_sigchld',`
1976ddda DG	101	gen_require(`
	102	type oddjob_t;
	103	')
3eaa9939	104
1976ddda	105	allow $1 oddjob_t:process sigchld;
3eaa9939 DW	106	')
3eaa9939 DW	107
e2b84ef7 CP	108	########################################
	109	## <summary>
	110	## Execute a domain transition to run oddjob_mkhomedir.
	111	## </summary>
	112	## <param name="domain">
	113	## <summary>
	114	## Domain allowed to transition.
	115	## </summary>
	116	## </param>
	117	#
	118	interface(`oddjob_domtrans_mkhomedir',`
	119	gen_require(`
	120	type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
	121	')
	122
0bfccda4	123	domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
e2b84ef7	124	')
708a74a2 CP	125
	126	########################################
	127	## <summary>
	128	## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
	129	## </summary>
	130	## <param name="domain">
	131	## <summary>
288845a6	132	## Domain allowed to transition.
708a74a2 CP	133	## </summary>
	134	## </param>
	135	## <param name="role">
	136	## <summary>
	137	## Role allowed access.
	138	## </summary>
	139	## </param>
	140	## <rolecap/>
	141	#
	142	interface(`oddjob_run_mkhomedir',`
	143	gen_require(`
	144	type oddjob_mkhomedir_t;
	145	')
	146
	147	oddjob_domtrans_mkhomedir($1)
	148	role $2 types oddjob_mkhomedir_t;
	149	')