1 ## <summary>Cobbler installation server.</summary>
2 ## <desc>
3 ## <p>
4 ## Cobbler is a Linux installation server that allows for
5 ## rapid setup of network installation environments. It
6 ## glues together and automates many associated Linux
7 ## tasks so you do not have to hop between lots of various
8 ## commands and applications when rolling out new systems,
9 ## and, in some cases, changing existing ones.
10 ## </p>
11 ## </desc>
12
########################################
## <summary>
##	Execute cobblerd with a domain transition
##	into the cobblerd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cobblerd_domtrans',`
	gen_require(`
		type cobblerd_t, cobblerd_exec_t;
	')

	# The caller must be able to locate the binary before
	# the transition on cobblerd_exec_t can take place.
	corecmd_search_bin($1)
	domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
')
31
########################################
## <summary>
##	Execute the cobblerd init script with a
##	labeled script domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cobblerd_initrc_domtrans',`
	gen_require(`
		type cobblerd_initrc_exec_t;
	')

	# Transition keyed on the init script label, not on the
	# daemon binary; cobblerd_domtrans covers the latter.
	init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
')
49
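########################################
## <summary>
##	List Cobbler configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_list_config',`
	gen_require(`
		type cobbler_etc_t;
	')

	# The type listed here must be the one declared in the
	# gen_require block above.  The original rule named
	# cobbler_var_lib_t, which this interface never requires
	# and which is not the configuration type anyway.
	list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
	files_search_etc($1)
')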
68
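########################################
## <summary>
##	Read Cobbler configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_read_config',`
	gen_require(`
		type cobbler_etc_t;
	')

	# This is an allow interface, not a dontaudit one: the
	# caller is granted read access to cobbler_etc_t files
	# and search on the directories leading to them.
	read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
	files_search_etc($1)
')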
87
########################################
## <summary>
##	Search Cobbler directories in /var/lib.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_search_lib',`
	gen_require(`
		type cobbler_var_lib_t;
	')

	# Reach /var/lib first, then search the cobbler tree and
	# follow any symlinks inside it (no file read access).
	files_search_var_lib($1)
	search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
107
########################################
## <summary>
##	Read Cobbler files in /var/lib.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_read_lib_files',`
	gen_require(`
		type cobbler_var_lib_t;
	')

	# Read-only: files and symlinks under the cobbler lib tree,
	# plus the search access needed to get there.
	files_search_var_lib($1)
	read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
127
########################################
## <summary>
##	Create, read, write and delete Cobbler
##	files, directories and symlinks in /var/lib.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cobbler_manage_lib_files',`
	gen_require(`
		type cobbler_var_lib_t;
	')

	# Full write access to the cobbler lib tree; callers that
	# only need to read should use cobbler_read_lib_files instead.
	files_search_var_lib($1)
	manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
148
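########################################
## <summary>
##	Do not audit attempts to read and write
##	Cobbler log files (leaked fd).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`cobbler_dontaudit_rw_log',`
	gen_require(`
		type cobbler_var_log_t;
	')

	# Silences denials only; grants nothing.  Limited to the
	# inherited-fd permission set so a genuine open() of the log
	# by the caller is still audited.
	dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
')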
167
########################################
## <summary>
##	All of the rules required to administrate
##	a cobblerd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`cobblerd_admin',`
	gen_require(`
		type cobblerd_t, cobblerd_initrc_exec_t;
		type cobbler_etc_t, cobbler_var_lib_t, cobbler_var_log_t;
		type httpd_cobbler_content_t, httpd_cobbler_content_ra_t;
		type httpd_cobbler_content_rw_t;
	')

	# Control over the running daemon.  ptrace is broader than
	# signalling (debugger-level access to cobblerd_t); keep that
	# in mind when deciding which domains get this interface.
	allow $1 cobblerd_t:process { ptrace signal_perms };
	ps_process_pattern($1, cobblerd_t)

	# Start/stop through the init script, and let the role reach
	# system_r for that transition.
	cobblerd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 cobblerd_initrc_exec_t system_r;
	allow $2 system_r;

	# Full management of configuration, state and log files.
	files_search_etc($1)
	admin_pattern($1, cobbler_etc_t)

	files_list_var_lib($1)
	admin_pattern($1, cobbler_var_lib_t)

	logging_search_logs($1)
	admin_pattern($1, cobbler_var_log_t)

	# Web content that cobbler publishes through apache.
	apache_search_sys_content($1)
	admin_pattern($1, httpd_cobbler_content_t)
	admin_pattern($1, httpd_cobbler_content_ra_t)
	admin_pattern($1, httpd_cobbler_content_rw_t)

	optional_policy(`
		# traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
		tftp_search_rw_content($1)
	')
')