policy_module(oddjob, 1.7.0)

########################################
#
# Declarations
#

# Daemon domain for oddjobd. The three *_change_exemption calls lift the
# refpolicy constraints on changing the object/role/subject identity of a
# security context; they are needed because oddjob_t sets the exec context
# of the helpers it launches (setexec + selinux_compute_create_context in
# the local policy below). They widen what this domain may do to contexts,
# so keep them paired with that requirement and do not copy them to the
# helper domain.
type oddjob_t;
type oddjob_exec_t;
domain_type(oddjob_t)
init_daemon_domain(oddjob_t, oddjob_exec_t)
domain_obj_id_change_exemption(oddjob_t)
domain_role_change_exemption(oddjob_t)
domain_subj_id_change_exemption(oddjob_t)

# Helper domain for the mkhomedir job. oddjob_system_entry is defined in
# oddjob.if (not on this page); presumably it lets oddjob_t enter this
# domain through oddjob_mkhomedir_exec_t. Only the object-id exemption is
# granted here, matching the home-directory relabeling it performs.
type oddjob_mkhomedir_t;
type oddjob_mkhomedir_exec_t;
domain_type(oddjob_mkhomedir_t)
domain_obj_id_change_exemption(oddjob_mkhomedir_t)
init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)

# pid files (and the listening socket, see files_pid_filetrans below)
type oddjob_var_run_t;
files_pid_file(oddjob_var_run_t)

# With MCS enabled the daemon runs ranged so it can launch helpers at any
# category set up to systemhigh (see mcs_process_set_categories below).
ifdef(`enable_mcs',`
init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
')

########################################
#
# oddjob local policy
#

# Self permissions. Only setgid is granted as a capability (no setuid); the
# daemon changes the SELinux context of helpers with setexec rather than
# changing UID itself. signal is for managing the helper children.
allow oddjob_t self:capability setgid;
allow oddjob_t self:process { setexec signal };
allow oddjob_t self:fifo_file rw_fifo_file_perms;
allow oddjob_t self:unix_stream_socket create_stream_socket_perms;

# pid file and unix socket in the pid directory, auto-labeled on create.
manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })

kernel_read_system_state(oddjob_t)

# Jobs are run by executing binaries and shell; the domain each helper
# ends up in comes from the context computed below (or from a domtrans
# rule such as oddjob_system_entry / unconfined_domtrans).
corecmd_exec_bin(oddjob_t)
corecmd_exec_shell(oddjob_t)

# Lets the daemon pick MCS categories for the helpers it spawns.
mcs_process_set_categories(oddjob_t)

# Queries the kernel for the context a helper should be created in; the
# result is applied with the setexec permission granted above.
selinux_compute_create_context(oddjob_t)

files_read_etc_files(oddjob_t)

miscfiles_read_localization(oddjob_t)

locallogin_dontaudit_use_fds(oddjob_t)

# Requests arrive over the system D-Bus; that is the interface clients use
# to ask oddjob to run a job on their behalf.
optional_policy(`
dbus_system_bus_client(oddjob_t)
dbus_connect_system_bus(oddjob_t)
')

# If the unconfined module is loaded, oddjob_t may transition into the
# unconfined domain. Helpers started that way run with no SELinux
# confinement, so the set of jobs oddjob is configured to run is the
# effective security boundary for callers reaching it over D-Bus.
optional_policy(`
unconfined_domtrans(oddjob_t)
')

########################################
#
# oddjob_mkhomedir local policy
#

# Creating a home directory on behalf of another user: chown/fowner/fsetid
# to hand ownership and mode bits of the new tree to that user, dac_override
# because the helper works under directories it does not own, and
# setfscreate to label files with a chosen context before they are created.
# This is a privileged helper; the directory it may create is limited by the
# userdom_* rules at the end of this section.
allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
allow oddjob_mkhomedir_t self:process setfscreate;
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;

kernel_read_system_state(oddjob_mkhomedir_t)

files_read_etc_files(oddjob_mkhomedir_t)

# User account lookups (uid/gid/home path) go through nsswitch.
auth_use_nsswitch(oddjob_mkhomedir_t)

logging_send_syslog_msg(oddjob_mkhomedir_t)

miscfiles_read_localization(oddjob_mkhomedir_t)

# Label computation for the new home directory: the helper asks the kernel
# for create/relabel/user contexts and validates them instead of
# hard-coding labels, so the result follows the loaded policy.
selinux_get_fs_mount(oddjob_mkhomedir_t)
selinux_validate_context(oddjob_mkhomedir_t)
selinux_compute_access_vector(oddjob_mkhomedir_t)
selinux_compute_create_context(oddjob_mkhomedir_t)
selinux_compute_relabel_context(oddjob_mkhomedir_t)
selinux_compute_user_contexts(oddjob_mkhomedir_t)

# Read-only access to the policy configuration, file_contexts and
# default_contexts so the new home matches the system's labeling scheme.
seutil_read_config(oddjob_mkhomedir_t)
seutil_read_file_contexts(oddjob_mkhomedir_t)
seutil_read_default_contexts(oddjob_mkhomedir_t)

# Add/remove user home directories. These are the only write paths granted
# to this domain besides syslog; the filetrans rule makes the new directory
# land in the user home dir type rather than inheriting the parent's label.
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
userdom_manage_user_home_content(oddjob_mkhomedir_t)

103 userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
104 userdom_manage_user_home_content(oddjob_mkhomedir_t)
105