## <summary>policy for cfengine</summary>

########################################
## <summary>
##	Create the types and rules for a basic
##	cfengine init daemon domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
template(`cfengine_domain_template',`
	gen_require(`
		attribute cfengine_domain;
	')

	########################################
	#
	# Declarations
	#

	type cfengine_$1_exec_t;
	type cfengine_$1_t, cfengine_domain;

	# Marks cfengine_$1_exec_t as the entry point of cfengine_$1_t and
	# lets init start the daemon in that domain.
	init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)
')

########################################
## <summary>
##	Execute the cfengine server with a
##	domain transition to the server domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`cfengine_domtrans_server',`
	gen_require(`
		type cfengine_server_t;
		type cfengine_server_exec_t;
	')

	# The caller has to be able to look the binary up under the bin dirs
	# before the transition itself is possible.
	corecmd_search_bin($1)
	domtrans_pattern($1, cfengine_server_exec_t, cfengine_server_t)
')

########################################
## <summary>
##	Search the cfengine lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cfengine_search_lib_files',`
	gen_require(`
		type cfengine_var_lib_t;
	')

	# Directory search only; no read access to the contents.
	allow $1 cfengine_var_lib_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read the cfengine lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cfengine_read_lib_files',`
	gen_require(`
		type cfengine_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
')

########################################
## <summary>
##	Read the cfengine log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cfengine_read_log',`
	gen_require(`
		type cfengine_var_log_t;
	')

	# Path lookup is granted both through the generic log/var_lib
	# directories and through the cfengine lib tree; presumably the
	# log location sits below the latter -- confirm against the
	# cfengine file contexts.
	cfengine_search_lib_files($1)
	files_search_var_lib($1)
	logging_search_logs($1)
	read_files_pattern($1, cfengine_var_log_t, cfengine_var_log_t)
')

########################################
## <summary>
##	Append to inherited cfengine log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`cfengine_append_inherited_log',`
	gen_require(`
		type cfengine_var_log_t;
	')

	cfengine_search_lib_files($1)

	# Explicit permission set on purpose: unlike append_file_perms it
	# carries no open permission, so $1 can only write to a log
	# descriptor it already holds (inherited, per the interface name),
	# not open the log files itself.
	allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
')

########################################
## <summary>
##	Do not audit attempts by the specified
##	domain to write cfengine log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`cfengine_dontaudit_write_log',`
	gen_require(`
		type cfengine_var_log_t;
	')

	# Silences the denial only; write access is still refused.
	dontaudit $1 cfengine_var_log_t:file write;
')