~ubuntu-branches/ubuntu/natty/refpolicy-ubuntu/natty


Viewing changes to policy/modules/services/certmaster.if

  • Committer: Bazaar Package Importer
  • Author(s): Caleb Case
  • Date: 2009-10-19 01:48:39 UTC
  • mfrom: (1.1.1 upstream)
  • Revision ID: james.westby@ubuntu.com-20091019014839-0rpi67ygkrjya30k
Tags: 0.2.20090730-0ubuntu1
* Updated to upstream release 2.20090730
* Handle Upstart direct execution of daemons.
* Pre-depend on selinux to ensure that the trigger is handled (LP: #434084).

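--- /dev/null
+++ b/policy/modules/services/certmaster.if
@@ -0,0 +1,126 @@
+## <summary>Certmaster SSL certificate distribution service</summary>
+
+########################################
+## <summary>
+##      Execute a domain transition to run certmaster.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmaster_domtrans',`
+        gen_require(`
+                type certmaster_t, certmaster_exec_t;
+        ')
+
+        domtrans_pattern($1, certmaster_exec_t, certmaster_t)
+')
+
+#######################################
+## <summary>
+##      read certmaster logs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`certmaster_read_log',`
+        gen_require(`
+                type certmaster_var_log_t;
+        ')
+
+        read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+        logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+##      Append to certmaster logs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`certmaster_append_log',`
+        gen_require(`
+                type certmaster_var_log_t;
+        ')
+
+        append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+        logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+##      Create, read, write, and delete
+##      certmaster logs.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`certmaster_manage_log',`
+        gen_require(`
+                type certmaster_var_log_t;
+        ')
+
+        manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+        manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
+        logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##      All of the rules required to administrate 
+##      an snort environment
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      The role to be allowed to manage the syslog domain.
+##      </summary>
+## </param>
+## <rolecap/>
+#
+interface(`certmaster_admin',`
+        gen_require(`
+                type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
+                type certmaster_etc_rw_t, certmaster_var_log_t;
+                type certmaster_initrc_exec_t;
+        ')
+
+        allow $1 certmaster_t:process { ptrace signal_perms };
+        ps_process_pattern($1, certmaster_t)
+
+        init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
+        domain_system_change_exemption($1)
+        role_transition $2 certmaster_initrc_exec_t system_r;
+        allow $2 system_r;
+
+        files_list_etc($1)
+        miscfiles_manage_cert_dirs($1)  
+        miscfiles_manage_cert_files($1) 
+
+        admin_pattern($1, certmaster_etc_rw_t)
+
+        files_list_pids($1)
+        admin_pattern($1, certmaster_var_run_t)
+
+        logging_list_logs($1)
+        admin_pattern($1, certmaster_var_log_t)
+
+        files_list_var_lib($1)
+        admin_pattern($1, certmaster_var_lib_t)
+')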
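Review bot: In certmaster_admin, `miscfiles_manage_cert_dirs($1)` and `miscfiles_manage_cert_files($1)` (file lines 113–114) grant the admin domain management of every cert_t-labelled certificate directory and file on the system, not only certmaster's own state under certmaster_var_lib_t/certmaster_etc_rw_t, so the interface's effective privilege is wider than its name suggests. If certmaster's certificate store is labelled with a certmaster-specific type (its .fc file is not in this diff, so this is unverified) the two calls can be dropped; otherwise the interface summary should state that system certificate stores are included so policy authors granting it know what they are handing out. The summary text on file lines 82–83 and 92 is copy-paste residue from other modules ("an snort environment", "manage the syslog domain") and should read `##      a certmaster environment` and `##      The role to be allowed to manage the certmaster domain.`. The `## <summary>` on file line 8 is unindented, unlike the param summaries in the other interfaces.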