author | Nathan Straz <nstraz@redhat.com> | 2009-10-22 17:54:49 -0400 |
---|---|---|
committer | Nathan Straz <nstraz@redhat.com> | 2009-10-22 17:54:49 -0400 |
commit | 6ec522d33eed9bf993c9a5a5f80a21f5db5ce113 (patch) | |
tree | 437f91ff8acc26b54950572c7e86c5235da3cff8 /SELinux/qarshd.te.in | |
parent | 0d65048dd98bc1b408fe9a2f3e6157c28a1c4c7d (diff) | |
Add SELinux policy for qarshd
We generate the policy based on which services we want to test.
Diffstat (limited to 'SELinux/qarshd.te.in')
-rw-r--r-- | SELinux/qarshd.te.in | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/SELinux/qarshd.te.in b/SELinux/qarshd.te.in
new file mode 100644
index 0000000..7936140
--- /dev/null
+++ b/SELinux/qarshd.te.in
@@ -0,0 +1,36 @@
+
+policy_module(qarshd, 1.0.0.22);
+
+require {
+ type unconfined_t;
+}
+
+type qarshd_t;
+type qarshd_exec_t;
+
+# --------------- QARSHD part ------------------
+
+# we define new domain, assign common attributes
+domain_type(qarshd_t);
+
+# we don't want qarshd domain to be confined in any
+# way as qarshd must be able to do all as root
+unconfined_domain(qarshd_t);
+
+# define qarshd as (x)inetd service with it's own domain
+inetd_tcp_service_domain(qarshd_t,qarshd_exec_t);
+
+# whenever we run anything with qarshd_exec_t type
+# we want to end up in qarshd_t domain. This will be
+# useful when starting daemons manually from shell
+domain_auto_trans(unconfined_t, qarshd_exec_t, qarshd_t);
+
+# allow any transition from qarshd_t
+allow qarshd_t domain:process { transition };
+
+# allow any domain to write to qarshd_t sockets
+allow domain qarshd_t:tcp_socket { write read };
+
+# allow any domain to signal to qarshd_t process
+allow domain qarshd_t:process { sigchld }; |
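Review bot: `allow domain qarshd_t:tcp_socket { write read };` near the end of the hunk grants every domain on the system, not only the commands qarshd spawns, read/write access to qarshd's TCP sockets; if the intent is just that spawned children keep using the inherited connection, the rule should be scoped to the domains qarshd actually transitions into, and those children will presumably also need `allow <child_domain> qarshd_t:fd use;` for the inherited descriptor — confirm against the AVC denials seen while running the tests. The `unconfined_domain(qarshd_t)` call is stated as deliberate, but it means this module provides no confinement of a daemon that executes remote commands as root, which is only defensible on disposable test hosts; a comment such as `# NOTE: this policy does not confine qarshd at all; install only on test systems` would make that explicit to anyone reusing the module. The explicit `allow qarshd_t domain:process { transition };` looks redundant with what unconfined_domain() already grants and could be dropped, though it is harmless if kept. The file is new, so the whole module is in view.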