path: root/SELinux/qarshd.te.in
blob: df4d735b1ddc2be8e81af2776b91a40163222cb7 (plain)

# SELinux policy module for qarshd. It declares the qarshd_t process domain
# and the qarshd_exec_t executable type, marks qarshd_t as unconfined, and
# lets every other domain use qarshd_t TCP sockets and send it SIGCHLD.
policy_module(qarshd, 1.0.0.23);

# unconfined_t is declared outside this module; it is needed below as the
# source domain of the automatic transition.
require {
    type unconfined_t;
}

type qarshd_t;
type qarshd_exec_t;

# --------------- QARSHD part ------------------

# Define the new domain and assign the common domain attributes.
domain_type(qarshd_t);

# The qarshd domain is deliberately not confined in any way, because
# qarshd must be able to do everything root can.
# NOTE(review): with this line SELinux is not a containment boundary for the
# daemon or for anything it starts; who may reach the service has to be
# limited by other means (firewalling, network placement) -- confirm this
# module is only installed on hosts where that is acceptable.
unconfined_domain(qarshd_t);
# Register qarshd_t as a daemon domain started by init, entered by executing
# a file labelled qarshd_exec_t.
init_daemon_domain(qarshd_t,qarshd_exec_t)

# Define qarshd as an (x)inetd TCP service with its own domain.
inetd_tcp_service_domain(qarshd_t,qarshd_exec_t);

# Whenever a process in unconfined_t executes a file labelled qarshd_exec_t,
# it ends up in the qarshd_t domain. This is useful when starting the daemon
# manually from a shell.
# NOTE(review): any file carrying the qarshd_exec_t label is an entry point
# into an unconfined domain, so the label should stay on the qarshd binary
# only.
domain_auto_trans(unconfined_t, qarshd_exec_t, qarshd_t);

# Allow qarshd_t to transition to any type that carries the domain attribute.
allow qarshd_t domain:process { transition };

# qarshd_t sockets end up as stdin, stdout, and stderr for processes in
# other domains, so let every domain read, write, fstat (getattr) and ioctl
# on them.
# NOTE(review): the source here is the whole domain attribute, not just the
# domains qarshd launches, so this rule applies to confined domains too.
allow domain qarshd_t:tcp_socket { write read getattr ioctl};

# Allow any domain to send SIGCHLD (and only SIGCHLD) to a qarshd_t process.
allow domain qarshd_t:process { sigchld };