1 ## <summary>Cobbler installation server.</summary>
4 ## Cobbler is a Linux installation server that allows for
5 ## rapid setup of network installation environments. It
6 ## glues together and automates many associated Linux
7 ## tasks so you do not have to hop between lots of various
8 ## commands and applications when rolling out new systems,
9 ## and, in some cases, changing existing ones.
13 ########################################
15 ## Execute a domain transition to run cobblerd.
17 ## <param name="domain">
19 ## Domain allowed to transition.
23 interface(`cobblerd_domtrans',`
# Types this interface requires from the cobbler module.
25 type cobblerd_t, cobblerd_exec_t;
# The caller ($1) may execute files labeled cobblerd_exec_t and enters
# cobblerd_t on exec, so the daemon runs confined by its own domain rather
# than with the permissions of the caller.
28 domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
# The caller may search the bin directories to reach the executable.
29 corecmd_search_bin($1)
32 ########################################
34 ## Execute cobblerd server in the cobblerd domain.
36 ## <param name="domain">
38 ## Domain allowed to transition.
42 interface(`cobblerd_initrc_domtrans',`
# The init script type is the only type this interface requires.
44 type cobblerd_initrc_exec_t;
# NOTE(review): the rule names the init script type, not cobblerd_exec_t, so
# the caller starts the service through its labeled init script and the
# transition is the one init_labeled_script_domtrans defines for such scripts.
# The summary above reads as if the daemon binary were executed directly.
47 init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
50 ########################################
52 ## List Cobbler configuration.
54 ## <param name="domain">
56 ## Domain allowed access.
60 interface(`cobbler_list_config',`
# NOTE(review): the summary says configuration, but the only rule visible here
# grants directory listing on cobbler_var_lib_t, not on cobbler_etc_t (the type
# used by cobbler_read_config). Confirm which type callers are meant to get; a
# mismatch between interface name and grant makes the policy hard to audit.
# The type requirement for this interface is not visible in this listing
# (the gutter jumps from 60 to 65) - TODO confirm it matches the rule below.
65 list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
69 ########################################
71 ## Read Cobbler configuration files.
73 ## <param name="domain">
75 ## Domain allowed access.
79 interface(`cobbler_read_config',`
# This is an allow interface: the caller ($1) may read files labeled
# cobbler_etc_t inside directories labeled cobbler_etc_t. Nothing here is a
# dontaudit rule, so the parameter is documented as a domain allowed access.
# The type requirement for cobbler_etc_t is not visible in this listing
# (the gutter jumps from 79 to 84) - TODO confirm it is declared.
84 read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
88 ########################################
90 ## Search cobbler dirs in /var/lib
92 ## <param name="domain">
94 ## Domain allowed access.
98 interface(`cobbler_search_lib',`
# The only type this interface requires.
100 type cobbler_var_lib_t;
# Search (traverse) directories labeled cobbler_var_lib_t.
103 search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
# Beyond what the summary states, the caller may also read symbolic links
# labeled cobbler_var_lib_t, so links inside the tree can be followed.
104 read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
# Traverse /var/lib itself to reach the Cobbler directories.
105 files_search_var_lib($1)
108 ########################################
110 ## Read cobbler files in /var/lib
112 ## <param name="domain">
114 ## Domain allowed access.
118 interface(`cobbler_read_lib_files',`
# The only type this interface requires.
120 type cobbler_var_lib_t;
# Read regular files labeled cobbler_var_lib_t.
# NOTE(review): presumably this tree holds the provisioning data of the
# installation server; verify against the file contexts and grant this only
# to domains that need to read that data.
123 read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
# Read symbolic links of the same type so links inside the tree resolve.
124 read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
# Traverse /var/lib itself to reach the Cobbler directories.
125 files_search_var_lib($1)
128 ########################################
130 ## Manage cobbler files in /var/lib
132 ## <param name="domain">
134 ## Domain allowed access.
138 interface(`cobbler_manage_lib_files',`
# The only type this interface requires.
140 type cobbler_var_lib_t;
# Manage access on directories, regular files and symbolic links labeled
# cobbler_var_lib_t. The summary mentions files only; directories and links
# are covered as well.
# NOTE(review): this is write access to data the installation server works
# from, so a caller can presumably influence what newly installed systems
# receive. Keep the set of callers small and review each one.
143 manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
144 manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
145 manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
# Traverse /var/lib itself to reach the Cobbler directories.
146 files_search_var_lib($1)
149 ########################################
151 ## Do not audit attempts to read and write
152 ## Cobbler log files (leaked fd).
154 ## <param name="domain">
156 ## Domain to not audit.
160 interface(`cobbler_dontaudit_rw_log',`
# The only type this interface requires.
162 type cobbler_var_log_t;
# This grants nothing: access stays denied, only the AVC denial record is
# suppressed, and only for the inherited-descriptor permission set.
# Because matching denials no longer reach the audit log, rebuild the policy
# with dontaudit rules disabled (semodule -DB) when investigating unexpected
# access attempts on Cobbler log files.
165 dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;
168 ########################################
170 ## All of the rules required to administrate
171 ## a cobblerd environment
173 ## <param name="domain">
175 ## Domain allowed access.
178 ## <param name="role">
180 ## Role allowed access.
185 interface(`cobblerd_admin',`
# Types this interface requires: the daemon domain, its state, log and
# configuration types, the init script type, and the three web content types.
187 type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
188 type cobbler_etc_t, cobblerd_initrc_exec_t;
189 type httpd_cobbler_content_t;
190 type httpd_cobbler_content_ra_t;
191 type httpd_cobbler_content_rw_t;
# NOTE(review): ptrace lets the admin domain ($1) read and alter the memory of
# the running daemon, which goes well beyond signalling or listing it. Confirm
# it is needed; if it is, consider gating it behind a policy boolean so sites
# can switch it off.
194 allow $1 cobblerd_t:process { ptrace signal_perms };
# Let the admin domain see cobblerd processes in process listings.
195 ps_process_pattern($1, cobblerd_t)
# Administrative access to the Cobbler configuration type.
198 admin_pattern($1, cobbler_etc_t)
# List /var/lib, then administrative access to the Cobbler state type.
200 files_list_var_lib($1)
201 admin_pattern($1, cobbler_var_lib_t)
# Search the log directories, then administrative access to Cobbler logs.
# NOTE(review): this allows changing the log files themselves; forward logs
# off the host if they are relied on as evidence.
203 logging_search_logs($1)
204 admin_pattern($1, cobbler_var_log_t)
# Search the web content directories, then administrative access to the
# Cobbler web content types declared above.
206 apache_search_sys_content($1)
207 admin_pattern($1, httpd_cobbler_content_t)
208 admin_pattern($1, httpd_cobbler_content_ra_t)
209 admin_pattern($1, httpd_cobbler_content_rw_t)
# Let the admin domain run the Cobbler init script, and let the admin role
# ($2) change to system_r when that script is executed, so a service started
# by the administrator runs in the system role.
# NOTE(review): the gutter jumps from 213 to 217, so any statement between the
# role_transition and the tftp rule is not visible in this listing - TODO
# confirm against the full file.
211 cobblerd_initrc_domtrans($1)
212 domain_system_change_exemption($1)
213 role_transition $2 cobblerd_initrc_exec_t system_r;
217 # traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.
218 tftp_search_rw_content($1)