[people/stevee/selinux-policy.git] / policy / modules / services / polipo.if

## <summary>Caching web proxy.</summary>

########################################
## <summary>
##	Role access for polipo session.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
template(`polipo_role',`
	gen_require(`
		type polipo_session_t, polipo_exec_t;
	')

	########################################
	#
	# Declarations
	#

	role $1 types polipo_session_t;

	########################################
	#
	# Policy
	#

	allow $2 polipo_session_t:process signal_perms;
	ps_process_pattern($2, polipo_session_t)
	tunable_policy(`deny_ptrace',`',`
		allow $2 polipo_session_t:process ptrace;
	')

	tunable_policy(`polipo_session_users',`
		domtrans_pattern($2, polipo_exec_t, polipo_session_t)
	',`
		can_exec($2, polipo_exec_t)
	')
')

########################################
## <summary>
##	Create configuration files in user
##	home directories with a named file
##	type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`polipo_named_filetrans_config_home_files',`
	gen_require(`
		type polipo_config_home_t;
	')

	userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
')

########################################
## <summary>
##	Create cache directories in user
##	home directories with a named file
##	type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`polipo_named_filetrans_cache_home_dirs',`
	gen_require(`
		type polipo_cache_home_t;
	')

	userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
')

########################################
## <summary>
##	Create configuration files in admin
##	home directories with a named file
##	type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`polipo_named_filetrans_admin_config_home_files',`
	gen_require(`
		type polipo_config_home_t;
	')

	userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
')

########################################
## <summary>
##	Create cache directories in admin
##	home directories with a named file
##	type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`polipo_named_filetrans_admin_cache_home_dirs',`
	gen_require(`
		type polipo_cache_home_t;
	')

	userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
')

########################################
## <summary>
##	Create log files with a named file
##	type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`polipo_named_filetrans_log_files',`
	gen_require(`
		type polipo_log_t;
	')

	logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
')

########################################
## <summary>
##	Administrate an polipo environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`polipo_admin',`
	gen_require(`
		type polipo_t, polipo_pid_t, polipo_cache_t;
		type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
	')

	allow $1 polipo_t:process signal_perms;
	ps_process_pattern($1, polipo_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 polipo_t:process ptrace;
	')

	init_labeled_script_domtrans($1, polipo_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 polipo_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, polipo_etc_t)

	logging_list_logs($1)
	admin_pattern($1, polipo_log_t)

	files_list_var($1)
	admin_pattern($1, polipo_cache_t)

	files_list_pids($1)
	admin_pattern($1, polipo_pid_t)
')
Commit	Line	Data
f1b7d092 DG	1	## <summary>Caching web proxy.</summary>
	2
	3	########################################
	4	## <summary>
	5	## Role access for polipo session.
	6	## </summary>
	7	## <param name="role">
	8	## <summary>
	9	## Role allowed access.
	10	## </summary>
	11	## </param>
	12	## <param name="domain">
	13	## <summary>
	14	## Domain allowed access.
	15	## </summary>
	16	## </param>
	17	#
	18	template(`polipo_role',`
	19	gen_require(`
	20	type polipo_session_t, polipo_exec_t;
	21	')
	22
	23	########################################
	24	#
	25	# Declarations
	26	#
	27
	28	role $1 types polipo_session_t;
	29
	30	########################################
	31	#
	32	# Policy
	33	#
	34
995bdbb1	35	allow $2 polipo_session_t:process signal_perms;
f1b7d092	36	ps_process_pattern($2, polipo_session_t)
995bdbb1	37	tunable_policy(`deny_ptrace',`',`
	38	allow $2 polipo_session_t:process ptrace;
	39	')
f1b7d092 DG	40
	41	tunable_policy(`polipo_session_users',`
	42	domtrans_pattern($2, polipo_exec_t, polipo_session_t)
	43	',`
	44	can_exec($2, polipo_exec_t)
	45	')
	46	')
	47
	48	########################################
	49	## <summary>
	50	## Create configuration files in user
	51	## home directories with a named file
	52	## type transition.
	53	## </summary>
	54	## <param name="domain">
	55	## <summary>
	56	## Domain allowed access.
	57	## </summary>
	58	## </param>
	59	#
	60	interface(`polipo_named_filetrans_config_home_files',`
	61	gen_require(`
	62	type polipo_config_home_t;
	63	')
	64
	65	userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
	66	')
	67
	68	########################################
	69	## <summary>
	70	## Create cache directories in user
	71	## home directories with a named file
	72	## type transition.
	73	## </summary>
	74	## <param name="domain">
	75	## <summary>
	76	## Domain allowed access.
	77	## </summary>
	78	## </param>
	79	#
	80	interface(`polipo_named_filetrans_cache_home_dirs',`
	81	gen_require(`
	82	type polipo_cache_home_t;
	83	')
	84
	85	userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
	86	')
	87
	88	########################################
	89	## <summary>
	90	## Create configuration files in admin
	91	## home directories with a named file
	92	## type transition.
	93	## </summary>
	94	## <param name="domain">
	95	## <summary>
	96	## Domain allowed access.
	97	## </summary>
	98	## </param>
	99	#
	100	interface(`polipo_named_filetrans_admin_config_home_files',`
	101	gen_require(`
	102	type polipo_config_home_t;
	103	')
104
105	userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
106	')
107
108	########################################
109	## <summary>
110	## Create cache directories in admin
111	## home directories with a named file
112	## type transition.
113	## </summary>
114	## <param name="domain">
115	## <summary>
116	## Domain allowed access.
117	## </summary>
118	## </param>
119	#
120	interface(`polipo_named_filetrans_admin_cache_home_dirs',`
121	gen_require(`
122	type polipo_cache_home_t;
123	')
124
125	userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
126	')
127
128	########################################
129	## <summary>
130	## Create log files with a named file
131	## type transition.
132	## </summary>
133	## <param name="domain">
134	## <summary>
135	## Domain allowed access.
136	## </summary>
137	## </param>
138	#
139	interface(`polipo_named_filetrans_log_files',`
140	gen_require(`
141	type polipo_log_t;
142	')
143
144	logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
145	')
146
147	########################################
148	## <summary>
149	## Administrate an polipo environment.
150	## </summary>
151	## <param name="domain">
152	## <summary>
153	## Domain allowed access.
154	## </summary>
155	## </param>
156	## <param name="role">
157	## <summary>
158	## Role allowed access.
159	## </summary>
160	## </param>
161	## <rolecap/>
162	#
163	interface(`polipo_admin',`
164	gen_require(`
165	type polipo_t, polipo_pid_t, polipo_cache_t;
166	type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
167	')
168
995bdbb1	169	allow $1 polipo_t:process signal_perms;
f1b7d092	170	ps_process_pattern($1, polipo_t)
995bdbb1	171	tunable_policy(`deny_ptrace',`',`
	172	allow $1 polipo_t:process ptrace;
	173	')
f1b7d092 DG	174
	175	init_labeled_script_domtrans($1, polipo_initrc_exec_t)
	176	domain_system_change_exemption($1)
	177	role_transition $2 polipo_initrc_exec_t system_r;
	178	allow $2 system_r;
	179
	180	files_list_etc($1)
	181	admin_pattern($1, polipo_etc_t)
	182
	183	logging_list_logs($1)
	184	admin_pattern($1, polipo_log_t)
	185
	186	files_list_var($1)
	187	admin_pattern($1, polipo_cache_t)
	188
	189	files_list_pids($1)
	190	admin_pattern($1, polipo_pid_t)
	191	')