[people/stevee/selinux-policy.git] / policy / modules / services / zebra.if

## <summary>Zebra border gateway protocol network routing service</summary>

########################################
## <summary>
##	Read the configuration files for zebra.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`zebra_read_config',`
	gen_require(`
		type zebra_conf_t;
	')

	files_search_etc($1)
	allow $1 zebra_conf_t:dir list_dir_perms;
	read_files_pattern($1, zebra_conf_t, zebra_conf_t)
	read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
')

########################################
## <summary>
##	Connect to zebra over an unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`zebra_stream_connect',`
	gen_require(`
		type zebra_t, zebra_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
')

########################################
## <summary>
##	All of the rules required to administrate
##	an zebra environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the zebra domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`zebra_admin',`
	gen_require(`
		type zebra_t, zebra_tmp_t, zebra_log_t;
		type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
	')

	allow $1 zebra_t:process signal_perms;
	ps_process_pattern($1, zebra_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 zebra_t:process ptrace;
	')

	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 zebra_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, zebra_conf_t)

	logging_list_logs($1)
	admin_pattern($1, zebra_log_t)

	files_list_tmp($1)
	admin_pattern($1, zebra_tmp_t)

	files_list_pids($1)
	admin_pattern($1, zebra_var_run_t)
')
Commit	Line	Data
9ff30033 CP	1	## <summary>Zebra border gateway protocol network routing service</summary>
	2
	3	########################################
	4	## <summary>
	5	## Read the configuration files for zebra.
	6	## </summary>
	7	## <param name="domain">
885b83ec	8	## <summary>
9ff30033	9	## Domain allowed access.
885b83ec	10	## </summary>
9ff30033	11	## </param>
bbcd3c97	12	## <rolecap/>
9ff30033 CP	13	#
	14	interface(`zebra_read_config',`
	15	gen_require(`
	16	type zebra_conf_t;
9ff30033 CP	17	')
	18
	19	files_search_etc($1)
c0868a7a	20	allow $1 zebra_conf_t:dir list_dir_perms;
ce8a5299 CP	21	read_files_pattern($1, zebra_conf_t, zebra_conf_t)
	22	read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
	23	')
	24
	25	########################################
	26	## <summary>
bed0a445 CP	27	## Connect to zebra over an unix stream socket.
	28	## </summary>
	29	## <param name="domain">
	30	## <summary>
	31	## Domain allowed access.
	32	## </summary>
	33	## </param>
	34	#
	35	interface(`zebra_stream_connect',`
	36	gen_require(`
	37	type zebra_t, zebra_var_run_t;
	38	')
	39
	40	files_search_pids($1)
2e2a24e0	41	stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
bed0a445 CP	42	')
	43
	44	########################################
	45	## <summary>
	46	## All of the rules required to administrate
ce8a5299 CP	47	## an zebra environment
	48	## </summary>
	49	## <param name="domain">
	50	## <summary>
	51	## Domain allowed access.
	52	## </summary>
	53	## </param>
e87221ce CP	54	## <param name="role">
	55	## <summary>
	56	## The role to be allowed to manage the zebra domain.
	57	## </summary>
	58	## </param>
ce8a5299 CP	59	## <rolecap/>
	60	#
	61	interface(`zebra_admin',`
	62	gen_require(`
	63	type zebra_t, zebra_tmp_t, zebra_log_t;
2528a2d7	64	type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
ce8a5299 CP	65	')
ce8a5299 CP	66
995bdbb1	67	allow $1 zebra_t:process signal_perms;
e87221ce	68	ps_process_pattern($1, zebra_t)
995bdbb1	69	tunable_policy(`deny_ptrace',`',`
	70	allow $1 zebra_t:process ptrace;
	71	')
2a98379a	72
e87221ce CP	73	init_labeled_script_domtrans($1, zebra_initrc_exec_t)
	74	domain_system_change_exemption($1)
	75	role_transition $2 zebra_initrc_exec_t system_r;
	76	allow $2 system_r;
ce8a5299	77
e87221ce CP	78	files_list_etc($1)
e87221ce CP	79	admin_pattern($1, zebra_conf_t)
2a98379a	80
ce8a5299	81	logging_list_logs($1)
e87221ce	82	admin_pattern($1, zebra_log_t)
ce8a5299	83
e87221ce CP	84	files_list_tmp($1)
e87221ce CP	85	admin_pattern($1, zebra_tmp_t)
ce8a5299 CP	86
ce8a5299 CP	87	files_list_pids($1)
e87221ce	88	admin_pattern($1, zebra_var_run_t)
9ff30033	89	')