author | Miroslav Grepl <mgrepl@redhat.com> | 2010-09-07 14:46:08 +0200 |
---|---|---|
committer | Miroslav Grepl <mgrepl@redhat.com> | 2010-09-07 14:46:08 +0200 |
commit | 3b0077d21cfb6f284d4baa2d8fb511613229b655 (patch) | |
tree | 4a30d42194476c3472dfd902cffe20c17b6251e5 /passenger.if | |
parent | 8232f3574bdd332a5aeb046ed03642b3817591c7 (diff) | |
- Add passenger.sh install script
- Rename mod_passanger.* files to appropriate name
- Fixes for passenger policy
- Add /var/run/passenger directory
Diffstat (limited to 'passenger.if')
-rw-r--r-- | passenger.if | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/passenger.if b/passenger.if
new file mode 100644
index 0000000..e738452
--- /dev/null
+++ b/passenger.if
@@ -0,0 +1,68 @@
+## <summary>Passenger policy</summary>
+
+######################################
+## <summary>
+## Execute passenger in the passenger domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`passenger_domtrans',`
+ gen_require(`
+ type passenger_t;
+ ')
+
+ allow $1 self:capability { fowner fsetid };
+
+ allow $1 passenger_t:process signal;
+
+ domtrans_pattern($1, passenger_exec_t, passenger_t)
+ allow $1 passenger_t:unix_stream_socket { read write shutdown };
+ allow passenger_t $1:unix_stream_socket { read write };
+')
+
+######################################
+## <summary>
+## Manage passenger state content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`passenger_manage_state_content',`
+ gen_require(`
+ type passenger_state_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, passenger_state_t, passenger_state_t)
+ manage_files_pattern($1, passenger_state_t, passenger_state_t)
+ manage_fifo_files_pattern($1, passenger_state_t, passenger_state_t)
+ manage_sock_files_pattern($1, passenger_state_t, passenger_state_t)
+')
+
+########################################
+## <summary>
+## Read passenger lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`passenger_read_lib_files',`
+ gen_require(`
+ type passenger_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
+')
+
|
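Review bot: `passenger_domtrans` grants `allow $1 self:capability { fowner fsetid };` to every caller, which is unrelated to executing passenger and widens each calling domain with ownership-check bypass and setuid/setgid-bit retention; if a particular caller needs those capabilities, the rule belongs in that caller's own .te file rather than in the transition interface. The same interface passes `passenger_exec_t` to `domtrans_pattern` without requiring it, so the `gen_require` line should read `type passenger_t, passenger_exec_t;`. In `passenger_read_lib_files` the parameter summary says "Domain to not audit." although the interface grants read access; `## Domain allowed access.` would match what it does.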