logging_send_syslog_msg(unconfined_t)
logging_run_auditctl(unconfined_t, unconfined_r)
+systemd_config_all_services(unconfined_t)
+
optional_policy(`
mount_run_unconfined(unconfined_t, unconfined_r)
# Unconfined running as system_r
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
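Review bot: The httpd unit-file type is spelled three different ways across this change, so the pieces do not refer to the same type. The file context added here labels the unit with `httpd_unit_file_t`, the `gen_require` and the `allow $1 httpd_systemd_unit_t:service all_service_perms;` rule in the admin interface hunks use `httpd_systemd_unit_t`, and the declaration hunk creates `httpd_unit_t` via `systemd_unit_file(httpd_unit_t)`. As written, two of the three names are not declared anywhere visible, which would presumably break the build or leave the unit file with a label that no rule references. Pick one name and use it in all four places, for example `type httpd_unit_file_t;`, `systemd_unit_file(httpd_unit_file_t)` and `allow $1 httpd_unit_file_t:service all_service_perms;`.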
type httpd_modules_t, httpd_lock_t, httpd_bool_t;
type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
+ type httpd_systemd_unit_t;
')
allow $1 httpd_t:process { ptrace signal_perms };
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
+ allow $1 httpd_systemd_unit_t:service all_service_perms;
+
ifdef(`TODO',`
apache_set_booleans($1, $2, $3, httpd_bool_t)
seutil_setsebool_role_template($1, $3, $2)
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
+type httpd_unit_t;
+systemd_unit_file(httpd_unit_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
allow $1 systemd_logger_t:unix_stream_socket connectto;
')
+
+########################################
+## <summary>
+## Allow the specified domain to connect to
+## systemd_logger with a unix socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_config_all_services',`
+ gen_require(`
+ attribute systemd_unit_file_type;
+ ')
+
+ allow $1 systemd_unit_file_type:service all_service_perms;
+')
+
+
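Review bot: The summary above `systemd_config_all_services` does not describe what the interface does. It appears to be copied from the preceding interface and still reads "connect to systemd_logger with a unix socket". The body actually grants `all_service_perms` on every type with the `systemd_unit_file_type` attribute, which is a much broader permission than the comment implies, and anyone auditing callers from the generated interface docs would be misled. Replace the summary with something like `## Allow the specified domain to start, stop, reload, kill and query the status of all systemd units.`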
files_unconfined($1)
fs_unconfined($1)
selinux_unconfined($1)
+ systemd_config_all_services($1)
domain_mmap_low($1)
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
+ systemd_config_all_services($1_t)
+
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
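Review bot: The added `systemd_config_all_services($1_t)` gives this user domain start, stop, status, reload and kill on every type carrying `systemd_unit_file_type`, which is the widest grant the new interface offers. The enclosing template starts and ends outside the hunk, so it is not visible which roles receive it. The neighbouring `seutil_manage_bin_policy($1_t)` suggests an administrative template, but that should be confirmed. If the template is also instantiated for non-administrative roles, the call belongs in an admin-only template instead. A comment above the call such as `# Administrators may control every systemd unit.` would record the intent for later least-privilege reviews.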
define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
define(`all_dbus_perms', `{ acquire_svc send_msg } ')
define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
+define(`all_service_perms', `{ start stop status reload kill } ')
define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')