--- /dev/null
--- /dev/null
++
++## <summary>policy for callweaver</summary>
++
++
++########################################
++## <summary>
++## Transition to callweaver.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_domtrans',`
++ gen_require(`
++ type callweaver_t, callweaver_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, callweaver_exec_t, callweaver_t)
++')
++
++
++########################################
++## <summary>
++## Execute callweaver server in the callweaver domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_initrc_domtrans',`
++ gen_require(`
++ type callweaver_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
++')
++
++########################################
++## <summary>
++## Read callweaver's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`callweaver_read_log',`
++ gen_require(`
++ type callweaver_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, callweaver_log_t, callweaver_log_t)
++')
++
++########################################
++## <summary>
++## Append to callweaver log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`callweaver_append_log',`
++ gen_require(`
++ type callweaver_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, callweaver_log_t, callweaver_log_t)
++')
++
++########################################
++## <summary>
++## Manage callweaver log files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`callweaver_manage_log',`
++ gen_require(`
++ type callweaver_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, callweaver_log_t, callweaver_log_t)
++ manage_files_pattern($1, callweaver_log_t, callweaver_log_t)
++ manage_lnk_files_pattern($1, callweaver_log_t, callweaver_log_t)
++')
++
++########################################
++## <summary>
++## Search callweaver lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_search_lib',`
++ gen_require(`
++ type callweaver_var_lib_t;
++ ')
++
++ allow $1 callweaver_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++## Read callweaver lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_read_lib_files',`
++ gen_require(`
++ type callweaver_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage callweaver lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_manage_lib_files',`
++ gen_require(`
++ type callweaver_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++')
++
++########################################
++## <summary>
++## Manage callweaver lib directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_manage_lib_dirs',`
++ gen_require(`
++ type callweaver_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++')
++
++
++########################################
++## <summary>
++## Read callweaver PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_read_pid_files',`
++ gen_require(`
++ type callweaver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ allow $1 callweaver_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++## Connect to callweaver over an unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_stream_connect',`
++ gen_require(`
++ type callweaver_t, callweaver_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t)
++')
++
++########################################
++## <summary>
++## Search callweaver spool directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_search_spool',`
++ gen_require(`
++ type callweaver_spool_t;
++ ')
++
++ allow $1 callweaver_spool_t:dir search_dir_perms;
++ files_search_spool($1)
++')
++
++########################################
++## <summary>
++## Read callweaver spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_read_spool_files',`
++ gen_require(`
++ type callweaver_spool_t;
++ ')
++
++ files_search_spool($1)
++ read_files_pattern($1, callweaver_spool_t callweaver_spool_t)
++')
++
++########################################
++## <summary>
++## Manage callweaver spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_manage_spool_files',`
++ gen_require(`
++ type callweaver_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_files_pattern($1, callweaver_spool_t, callweaver_spool_t)
++')
++
++########################################
++## <summary>
++## Manage callweaver spool dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`callweaver_manage_spool_dirs',`
++ gen_require(`
++ type callweaver_spool_t;
++ ')
++
++ files_search_spool($1)
++ manage_dirs_pattern($1, callweaver_spool_t, callweaver_spool_t)
++')
++
++
++########################################
++## <summary>
++## All of the rules required to administrate
++## an callweaver environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`callweaver_admin',`
++ gen_require(`
++ type callweaver_t;
++ type callweaver_initrc_exec_t;
++ type callweaver_log_t;
++ type callweaver_var_lib_t;
++ type callweaver_var_run_t;
++ type callweaver_spool_t;
++ ')
++
++ allow $1 callweaver_t:process { ptrace signal_perms };
++ ps_process_pattern($1, callweaver_t)
++
++ callweaver_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 callweaver_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, callweaver_log_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, callweaver_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, callweaver_var_run_t)
++
++ files_search_spool($1)
++ admin_pattern($1, callweaver_spool_t)
++
++')
--- /dev/null
--- /dev/null
++policy_module(callweaver,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type callweaver_t;
++type callweaver_exec_t;
++init_daemon_domain(callweaver_t, callweaver_exec_t)
++
++permissive callweaver_t;
++
++type callweaver_initrc_exec_t;
++init_script_file(callweaver_initrc_exec_t)
++
++type callweaver_log_t;
++logging_log_file(callweaver_log_t)
++
++type callweaver_var_lib_t;
++files_type(callweaver_var_lib_t)
++
++type callweaver_var_run_t;
++files_pid_file(callweaver_var_run_t)
++
++type callweaver_spool_t;
++files_type(callweaver_spool_t)
++
++########################################
++#
++# callweaver local policy
++#
++
++allow callweaver_t self:capability { setuid sys_nice setgid };
++allow callweaver_t self:process { setsched signal };
++allow callweaver_t self:fifo_file rw_fifo_file_perms;
++allow callweaver_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
++manage_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
++logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file } )
++
++manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
++manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
++files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file } )
++
++manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
++manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
++manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
++files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file })
++
++manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
++manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
++manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
++files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file })
++
++allow callweaver_t self:tcp_socket create_stream_socket_perms;
++allow callweaver_t self:udp_socket create_socket_perms;
++
++kernel_read_sysctl(callweaver_t)
++kernel_read_kernel_sysctls(callweaver_t)
++
++corenet_udp_bind_asterisk_port(callweaver_t)
++corenet_udp_bind_generic_port(callweaver_t)
++corenet_udp_bind_sip_port(callweaver_t)
++
++dev_manage_generic_symlinks(callweaver_t)
++
++domain_use_interactive_fds(callweaver_t)
++
++files_read_etc_files(callweaver_t)
++
++term_getattr_pty_fs(callweaver_t)
++term_use_generic_ptys(callweaver_t)
++term_use_ptmx(callweaver_t)
++
++auth_use_nsswitch(callweaver_t)
++
++miscfiles_read_localization(callweaver_t)
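Review bot: `permissive callweaver_t;` means every denial for the new domain is logged and then allowed, so none of the rules in this module are actually enforced and a compromised callweaver process keeps whatever access the kernel would otherwise refuse; leaving it in while the policy is being developed is common, but it should be dropped before the module ships, or at minimum marked `# TODO: remove permissive once the domain has been exercised in enforcing mode`. That line is also hiding a gap visible in this hunk: the domain gets `corenet_udp_bind_asterisk_port`, `corenet_udp_bind_sip_port` and `corenet_udp_bind_generic_port`, but nothing here grants node binding (e.g. `corenet_udp_bind_generic_node`) or interface send/receive, so in enforcing mode the `bind()` would presumably still be denied — unless those rules live past the end of this hunk. The `setuid`/`setgid` capabilities together with `dev_manage_generic_symlinks` also deserve a one-line justification in a comment; dropping privileges at startup explains the former, but managing symlinks under `/dev` is broader than a telephony daemon usually needs.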