[people/stevee/selinux-policy.git] / policy / modules / services / oddjob.te


policy_module(oddjob, 1.5.0)

########################################
#
# Declarations
#

type oddjob_t;
type oddjob_exec_t;
domain_type(oddjob_t)
init_daemon_domain(oddjob_t, oddjob_exec_t)
domain_subj_id_change_exemption(oddjob_t)

type oddjob_mkhomedir_t;
type oddjob_mkhomedir_exec_t;
domain_type(oddjob_mkhomedir_t)
init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)

# pid files
type oddjob_var_run_t;
files_pid_file(oddjob_var_run_t)

########################################
#
# oddjob local policy
#

allow oddjob_t self:capability setgid;
allow oddjob_t self:process { setexec signal };
allow oddjob_t self:fifo_file { read write };
allow oddjob_t self:unix_stream_socket create_stream_socket_perms;

manage_files_pattern(oddjob_t,oddjob_var_run_t,oddjob_var_run_t)
manage_sock_files_pattern(oddjob_t,oddjob_var_run_t,oddjob_var_run_t)
files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })

kernel_read_system_state(oddjob_t)

corecmd_exec_bin(oddjob_t)
corecmd_exec_shell(oddjob_t)

mcs_process_set_categories(oddjob_t)

selinux_compute_create_context(oddjob_t)

files_read_etc_files(oddjob_t)

libs_use_ld_so(oddjob_t)
libs_use_shared_libs(oddjob_t)

miscfiles_read_localization(oddjob_t)

locallogin_dontaudit_use_fds(oddjob_t)

optional_policy(`
	dbus_system_bus_client_template(oddjob,oddjob_t)
	dbus_connect_system_bus(oddjob_t)
')

optional_policy(`
	unconfined_domtrans(oddjob_t)
')

########################################
#
# oddjob_mkhomedir local policy
#

allow oddjob_mkhomedir_t self:fifo_file { read write };
allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;

files_read_etc_files(oddjob_mkhomedir_t)

libs_use_ld_so(oddjob_mkhomedir_t)
libs_use_shared_libs(oddjob_mkhomedir_t)

miscfiles_read_localization(oddjob_mkhomedir_t)

staff_manage_home_dirs(oddjob_mkhomedir_t)

# Add/remove user home directories
unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t)
unprivuser_manage_home_content_dirs(oddjob_mkhomedir_t)
unprivuser_manage_home_content_files(oddjob_mkhomedir_t)
unprivuser_manage_home_dirs(oddjob_mkhomedir_t)
unprivuser_home_dir_filetrans_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
Commit	Line	Data
e2b84ef7	1
cfcf5004	2	policy_module(oddjob, 1.5.0)
e2b84ef7 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type oddjob_t;
	10	type oddjob_exec_t;
	11	domain_type(oddjob_t)
	12	init_daemon_domain(oddjob_t, oddjob_exec_t)
d6d16b97	13	domain_subj_id_change_exemption(oddjob_t)
e2b84ef7 CP	14
	15	type oddjob_mkhomedir_t;
	16	type oddjob_mkhomedir_exec_t;
	17	domain_type(oddjob_mkhomedir_t)
	18	init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
	19	oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
	20
	21	# pid files
	22	type oddjob_var_run_t;
	23	files_pid_file(oddjob_var_run_t)
	24
	25	########################################
	26	#
	27	# oddjob local policy
	28	#
	29
f6a590d7	30	allow oddjob_t self:capability setgid;
d6d16b97	31	allow oddjob_t self:process { setexec signal };
e2b84ef7 CP	32	allow oddjob_t self:fifo_file { read write };
	33	allow oddjob_t self:unix_stream_socket create_stream_socket_perms;
	34
c0868a7a CP	35	manage_files_pattern(oddjob_t,oddjob_var_run_t,oddjob_var_run_t)
c0868a7a CP	36	manage_sock_files_pattern(oddjob_t,oddjob_var_run_t,oddjob_var_run_t)
e2b84ef7 CP	37	files_pid_filetrans(oddjob_t,oddjob_var_run_t, { file sock_file })
	38
	39	kernel_read_system_state(oddjob_t)
	40
d9845ae9	41	corecmd_exec_bin(oddjob_t)
e2b84ef7 CP	42	corecmd_exec_shell(oddjob_t)
e2b84ef7 CP	43
d9845ae9 CP	44	mcs_process_set_categories(oddjob_t)
d9845ae9 CP	45
e2b84ef7 CP	46	selinux_compute_create_context(oddjob_t)
	47
	48	files_read_etc_files(oddjob_t)
	49
	50	libs_use_ld_so(oddjob_t)
	51	libs_use_shared_libs(oddjob_t)
	52
	53	miscfiles_read_localization(oddjob_t)
	54
e2b84ef7	55	locallogin_dontaudit_use_fds(oddjob_t)
e2b84ef7 CP	56
	57	optional_policy(`
	58	dbus_system_bus_client_template(oddjob,oddjob_t)
e2b84ef7 CP	59	dbus_connect_system_bus(oddjob_t)
	60	')
	61
	62	optional_policy(`
	63	unconfined_domtrans(oddjob_t)
	64	')
	65
	66	########################################
	67	#
	68	# oddjob_mkhomedir local policy
	69	#
	70
	71	allow oddjob_mkhomedir_t self:fifo_file { read write };
	72	allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
	73
	74	files_read_etc_files(oddjob_mkhomedir_t)
	75
	76	libs_use_ld_so(oddjob_mkhomedir_t)
	77	libs_use_shared_libs(oddjob_mkhomedir_t)
	78
	79	miscfiles_read_localization(oddjob_mkhomedir_t)
d9845ae9	80
e9c6cda7 CP	81	staff_manage_home_dirs(oddjob_mkhomedir_t)
e9c6cda7 CP	82
d9845ae9	83	# Add/remove user home directories
e9c6cda7 CP	84	unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t)
	85	unprivuser_manage_home_content_dirs(oddjob_mkhomedir_t)
	86	unprivuser_manage_home_content_files(oddjob_mkhomedir_t)
	87	unprivuser_manage_home_dirs(oddjob_mkhomedir_t)
	88	unprivuser_home_dir_filetrans_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
	89