Commit | Line | Data |
---|---|---|
e2b84ef7 CP |
1 | ## <summary> |
2 | ## Oddjob provides a mechanism by which unprivileged applications can | |
3 | ## request that specified privileged operations be performed on their | |
4 | ## behalf. | |
5 | ## </summary> | |
6 | ||
########################################
## <summary>
##	Execute oddjob in the oddjob domain.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to execute files labeled
##	oddjob_exec_t and transition to oddjob_t.
##	</p>
##	<p>
##	The caller ends up running code in oddjob_t, so grant
##	this only to domains that are expected to start oddjob.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`oddjob_domtrans',`
	gen_require(`
		type oddjob_t, oddjob_exec_t;
	')

	# source domain, entrypoint file type, target domain
	domtrans_pattern($1, oddjob_exec_t, oddjob_t)
')
24 | ||
#####################################
## <summary>
##	Do not audit attempts to read and write
##	oddjob fifo files.
## </summary>
## <desc>
##	<p>
##	This interface grants nothing.  It only suppresses the
##	AVC denial messages for the permissions in the
##	rw_inherited_fifo_file_perms set on oddjob_t fifo files.
##	</p>
##	<p>
##	Suppressed denials are invisible in the audit log.  When
##	troubleshooting a caller of this interface, rebuild the
##	policy with dontaudit rules disabled (semodule -DB) so the
##	hidden denials show up, then restore them with semodule -B.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`oddjob_dontaudit_rw_fifo_file',`
	gen_require(`
		type oddjob_t;
	')

	dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
')
43 | ||
########################################
## <summary>
##	Make the specified program domain accessible
##	from oddjob.
## </summary>
## <desc>
##	<p>
##	Allow oddjob_t to transition to the specified domain
##	when it executes a file of the specified entrypoint type.
##	</p>
##	<p>
##	Oddjob performs privileged operations on behalf of
##	unprivileged applications, so the entrypoint type should
##	label only the helper that is meant to run in the target
##	domain.  Review the resulting domain as one that is
##	reachable at the request of unprivileged callers.
##	</p>
##	<p>
##	The target domain is also passed to
##	domain_user_exemption_target, which is defined outside
##	this file.  Check what that interface grants before
##	relying on this one.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process to transition to.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	The type of the file used as an entrypoint to this domain.
##	</summary>
## </param>
#
interface(`oddjob_system_entry',`
	gen_require(`
		type oddjob_t;
	')

	# Argument order differs from the interface parameters:
	# the entrypoint type goes second, the target domain last.
	domtrans_pattern(oddjob_t, $2, $1)
	domain_user_exemption_target($1)
')
68 | ||
########################################
## <summary>
##	Send and receive messages from
##	oddjob over dbus.
## </summary>
## <desc>
##	<p>
##	The grant is bidirectional: the specified domain may
##	send dbus messages to oddjob_t, and oddjob_t may send
##	dbus messages to the specified domain.
##	</p>
##	<p>
##	Any domain given this interface can ask oddjob to act
##	on its behalf, so treat the list of callers as part of
##	the attack surface of oddjob.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`oddjob_dbus_chat',`
	gen_require(`
		type oddjob_t;
		class dbus send_msg;
	')

	# requests from the caller to oddjob
	allow $1 oddjob_t:dbus send_msg;
	# replies and signals from oddjob back to the caller
	allow oddjob_t $1:dbus send_msg;
')
89 | ||
######################################
## <summary>
##	Send a SIGCHLD signal to oddjob.
## </summary>
## <desc>
##	<p>
##	Only the sigchld permission on oddjob_t processes is
##	granted.  No other signal may be sent through this
##	interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`oddjob_sigchld',`
	gen_require(`
		type oddjob_t;
	')

	allow $1 oddjob_t:process sigchld;
')
107 | ||
########################################
## <summary>
##	Execute oddjob_mkhomedir in the oddjob_mkhomedir domain.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to execute files labeled
##	oddjob_mkhomedir_exec_t and transition to
##	oddjob_mkhomedir_t.
##	</p>
##	<p>
##	No role is authorized here.  A caller running in a role
##	that is not yet allowed oddjob_mkhomedir_t should use
##	oddjob_run_mkhomedir instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`oddjob_domtrans_mkhomedir',`
	gen_require(`
		type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
	')

	# source domain, entrypoint file type, target domain
	domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
')
708a74a2 CP |
125 | |
########################################
## <summary>
##	Execute the oddjob_mkhomedir program in the
##	oddjob_mkhomedir domain, and allow the specified
##	role the oddjob_mkhomedir domain.
## </summary>
## <desc>
##	<p>
##	Combines the domain transition granted by
##	oddjob_domtrans_mkhomedir with a role statement that
##	authorizes the specified role for oddjob_mkhomedir_t.
##	</p>
##	<p>
##	Every role passed here can reach oddjob_mkhomedir_t,
##	so keep the set of roles as small as the deployment
##	allows.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`oddjob_run_mkhomedir',`
	gen_require(`
		type oddjob_mkhomedir_t;
	')

	oddjob_domtrans_mkhomedir($1)
	# the transition alone is not enough, the role must be allowed the type
	role $2 types oddjob_mkhomedir_t;
')