## <summary>Policy for matahari.</summary>
######################################
## <summary>
##	Creates types and rules for a basic
##	matahari init daemon domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`matahari_domain_template',`
	gen_require(`
		attribute matahari_domain;
	')

	# Per-daemon process type, tagged with the shared matahari_domain
	# attribute, plus the type carried by its executable.
	type matahari_$1_t, matahari_domain;
	type matahari_$1_exec_t;

	# Pair the two types up as a daemon domain started by init.
	init_daemon_domain(matahari_$1_t, matahari_$1_exec_t)
')
########################################
## <summary>
##	Search matahari lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_search_lib',`
	gen_require(`
		type matahari_var_lib_t;
	')

	# Directory search only: the caller can traverse matahari lib
	# directories but gets no file access from this interface.
	allow $1 matahari_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
')
########################################
## <summary>
##	Read matahari lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_read_lib_files',`
	gen_require(`
		type matahari_var_lib_t;
	')

	# Reach the parent lib directory first, then read files whose
	# directory and file type are both matahari_var_lib_t.
	files_search_var_lib($1)
	read_files_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
')
########################################
## <summary>
##	Create, read, write, and delete
##	matahari lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_manage_lib_files',`
	gen_require(`
		type matahari_var_lib_t;
	')

	# Full file management on matahari_var_lib_t. This is a write-capable
	# grant, so callers should be limited to domains that own this state.
	files_search_var_lib($1)
	manage_files_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
')
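########################################
## <summary>
##	Create, read, write, and delete
##	matahari lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_manage_lib_dirs',`
	gen_require(`
		type matahari_var_lib_t;
	')

	# Directory management only: this interface uses the dirs pattern and
	# does not by itself grant access to files inside those directories.
	files_search_var_lib($1)
	manage_dirs_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
')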
########################################
## <summary>
##	Read matahari PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_read_pid_files',`
	gen_require(`
		type matahari_var_run_t;
	')

	files_search_pids($1)
	# NOTE(review): this grants file read access only, with no search
	# permission on matahari_var_run_t directories, unlike the lib
	# interfaces that go through the *_pattern macros. Confirm the PID
	# files sit directly in the pid directory.
	allow $1 matahari_var_run_t:file read_file_perms;
')
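########################################
## <summary>
##	Create, read, write, and delete
##	matahari PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_manage_pid_files',`
	gen_require(`
		type matahari_var_run_t;
	')

	# Write-capable grant on the PID files. The summary previously said
	# "Read", which understated what manage_files_pattern hands out.
	files_search_pids($1)
	manage_files_pattern($1, matahari_var_run_t, matahari_var_run_t)
')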
########################################
## <summary>
##	Execute a domain transition to run matahari_hostd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_hostd_domtrans',`
	gen_require(`
		type matahari_hostd_t, matahari_hostd_exec_t;
	')

	# Executing a matahari_hostd_exec_t file from the caller domain
	# moves the new process into matahari_hostd_t.
	domtrans_pattern($1, matahari_hostd_exec_t, matahari_hostd_t)
')
########################################
## <summary>
##	Execute a domain transition to run matahari_netd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_netd_domtrans',`
	gen_require(`
		type matahari_netd_t, matahari_netd_exec_t;
	')

	# Executing a matahari_netd_exec_t file from the caller domain
	# moves the new process into matahari_netd_t.
	domtrans_pattern($1, matahari_netd_exec_t, matahari_netd_t)
')
########################################
## <summary>
##	Execute a domain transition to run matahari_serviced.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`matahari_serviced_domtrans',`
	gen_require(`
		type matahari_serviced_t, matahari_serviced_exec_t;
	')

	# Executing a matahari_serviced_exec_t file from the caller domain
	# moves the new process into matahari_serviced_t.
	domtrans_pattern($1, matahari_serviced_exec_t, matahari_serviced_t)
')
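########################################
## <summary>
##	All of the rules required to administrate
##	a matahari environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`matahari_admin',`
	gen_require(`
		type matahari_initrc_exec_t, matahari_hostd_t;
		type matahari_netd_t, matahari_serviced_t;
		# matahari_sysconfigd_t is used in the rules below, so it has
		# to be required here like the other daemon domains.
		type matahari_sysconfigd_t;
		type matahari_var_lib_t, matahari_var_run_t;
	')

	# Let the admin domain run the matahari init script, and let the
	# admin role move to system_r when it does.
	init_labeled_script_domtrans($1, matahari_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 matahari_initrc_exec_t system_r;
	# A role_transition also needs the matching role allow rule.
	allow $2 system_r;

	# Process control over every matahari daemon domain.
	# NOTE(review): ptrace allows attaching to these daemons, which
	# exposes their memory and lets the caller steer execution. Confirm
	# that admin callers need more than signal_perms, or gate ptrace
	# behind a tunable.
	allow $1 matahari_netd_t:process { ptrace signal_perms };
	ps_process_pattern($1, matahari_netd_t)

	allow $1 matahari_hostd_t:process { ptrace signal_perms };
	ps_process_pattern($1, matahari_hostd_t)

	allow $1 matahari_serviced_t:process { ptrace signal_perms };
	ps_process_pattern($1, matahari_serviced_t)

	allow $1 matahari_sysconfigd_t:process { ptrace signal_perms };
	ps_process_pattern($1, matahari_sysconfigd_t)

	# Administrative access to matahari state and PID files.
	files_search_var_lib($1)
	admin_pattern($1, matahari_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, matahari_var_run_t)
')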