path: root/SELinux/qarshd.te.in
blob: 793614003c5ea347121cf5033c40be1abaeb0101 (plain)

# SELinux policy module for the qarshd daemon.
# It declares the qarshd_t domain, marks it unconfined, and wires up the
# transitions into it from inetd and from unconfined_t.
# NOTE(review): because qarshd_t is unconfined, this module gives no
# type-enforcement containment for the daemon or for what it launches.
# Who may reach the service has to be controlled outside this policy
# (e.g. packet filtering or the (x)inetd access settings).
policy_module(qarshd, 1.0.0.22);

# unconfined_t is declared outside this module; it is only needed for the
# domain_auto_trans() rule further down
require {
    type unconfined_t;
}

# qarshd_t      - domain type of the running daemon
# qarshd_exec_t - entry-point type used by the transition rules below;
#                 presumably the label of the qarshd executable (the file
#                 contexts are not part of this file - confirm in the .fc)
type qarshd_t;
type qarshd_exec_t;

# --------------- QARSHD part ------------------

# we define a new domain and assign the common domain attributes
domain_type(qarshd_t);

# we don't want the qarshd domain to be confined in any
# way, as qarshd must be able to do everything root can.
# NOTE(review): consequence - a process in qarshd_t is limited only by
# DAC/capabilities, not by SELinux type enforcement.
unconfined_domain(qarshd_t);

# define qarshd as an (x)inetd TCP service with its own domain:
# inetd executing a qarshd_exec_t file ends up in qarshd_t
inetd_tcp_service_domain(qarshd_t,qarshd_exec_t);

# whenever unconfined_t runs anything with the qarshd_exec_t type
# we want to end up in the qarshd_t domain. This is
# useful when starting the daemon manually from a shell
domain_auto_trans(unconfined_t, qarshd_exec_t, qarshd_t);

# allow qarshd_t to request a transition into any domain.
# "domain" is the attribute carried by every process type, so the target
# is not narrowed here.
allow qarshd_t domain:process { transition };

# allow any domain to read and write qarshd_t TCP sockets.
# NOTE(review): this looks intended for commands started by qarshd that
# inherit its connection socket after transitioning to another domain -
# confirm. The source is every domain, so a confined process that holds
# such a descriptor is not blocked by this policy; if tightening, scope
# the source to the domains qarshd actually launches.
allow domain qarshd_t:tcp_socket { write read };

# allow any domain to send SIGCHLD to a qarshd_t process, so children
# that transitioned to another domain can still report their exit
allow domain qarshd_t:process { sigchld };