Add a boolean to turn off all instances of ptrace in the policy
## <summary>Policy for collectd.</summary>

########################################
## <summary>
##	Execute the collectd executable with a
##	domain transition into the collectd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`collectd_domtrans',`
	gen_require(`
		type collectd_t;
		type collectd_exec_t;
	')

	# The caller has to be able to search the bin directories
	# in order to reach the collectd entry point.
	corecmd_search_bin($1)

	# Executing a file labeled collectd_exec_t moves the caller
	# into collectd_t. Every domain given this interface can
	# start code that runs with the privileges of collectd_t.
	domtrans_pattern($1, collectd_exec_t, collectd_t)
')
########################################
## <summary>
##	Execute the collectd init script, labeled
##	collectd_initrc_exec_t, with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`collectd_initrc_domtrans',`
	gen_require(`
		type collectd_initrc_exec_t;
	')

	# NOTE(review): the transition is made through the labeled
	# init script and not directly into collectd_t. The target
	# domain is chosen by init_labeled_script_domtrans, which is
	# defined outside this file - confirm against the init module.
	init_labeled_script_domtrans($1, collectd_initrc_exec_t)
')
########################################
## <summary>
##	Search directories labeled collectd_var_lib_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`collectd_search_lib',`
	gen_require(`
		type collectd_var_lib_t;
	')

	# Reach the parent var lib directory, then search the
	# collectd directories beneath it. Only directory search is
	# granted here. No rule in this interface gives read or write
	# access to the files inside.
	files_search_var_lib($1)
	allow $1 collectd_var_lib_t:dir search_dir_perms;
')
########################################
## <summary>
##	Read files labeled collectd_var_lib_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`collectd_read_lib_files',`
	gen_require(`
		type collectd_var_lib_t;
	')

	# Traverse the parent var lib directory.
	files_search_var_lib($1)

	# Read access to files of type collectd_var_lib_t that live
	# in directories of the same type. This is the least
	# privileged interface for consumers of collectd data.
	read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
')
########################################
## <summary>
##	Manage files labeled collectd_var_lib_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`collectd_manage_lib_files',`
	gen_require(`
		type collectd_var_lib_t;
	')

	# Traverse the parent var lib directory.
	files_search_var_lib($1)

	# Manage access covers modifying and removing the stored
	# collectd data as well as reading it. Grant this only to
	# domains that must change that data, and use
	# collectd_read_lib_files for pure consumers.
	manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
')
########################################
## <summary>
##	Manage directories labeled collectd_var_lib_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`collectd_manage_lib_dirs',`
	gen_require(`
		type collectd_var_lib_t;
	')

	# Traverse the parent var lib directory.
	files_search_var_lib($1)

	# Directory management only. Access to the files inside those
	# directories is a separate grant, made through
	# collectd_read_lib_files or collectd_manage_lib_files.
	manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
')
########################################
## <summary>
##	All of the rules required to administrate
##	a collectd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`collectd_admin',`
	gen_require(`
		type collectd_t, collectd_initrc_exec_t, collectd_var_lib_t;
	')

	# Process control: signal the daemon and read its process state.
	allow $1 collectd_t:process signal_perms;
	ps_process_pattern($1, collectd_t)

	# Ptrace of the daemon is conditional. The branch taken when
	# the deny_ptrace tunable is on is empty, so the permission
	# exists only while deny_ptrace is off. Ptrace lets the admin
	# domain inspect and alter the memory of the daemon, so leave
	# deny_ptrace on wherever debugging is not needed.
	tunable_policy(`deny_ptrace',`',`
		allow $1 collectd_t:process ptrace;
	')

	# Service control: run the collectd init script. The role
	# argument is allowed system_r and transitions to it when the
	# init script is executed.
	# NOTE(review): domain_system_change_exemption is defined
	# outside this file - confirm the exemption is still required.
	collectd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 collectd_initrc_exec_t system_r;
	allow $2 system_r;

	# Data administration of objects labeled collectd_var_lib_t.
	# NOTE(review): admin_pattern is broader than the manage
	# interfaces of this module - verify the scope fits the role.
	files_search_var_lib($1)
	admin_pattern($1, collectd_var_lib_t)
')