-
Notifications
You must be signed in to change notification settings - Fork 0
/
cobbler_extra.te
45 lines (43 loc) · 1.82 KB
/
cobbler_extra.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
module cobbler_extra 1.3;
require {
type default_context_t;
type file_t;
type file_context_t;
type etc_t;
type home_root_t;
type httpd_t;
type chkpwd_exec_t;
type devlog_t;
type syslogd_t;
type shadow_t;
type kerberos_port_t;
type cobblerd_t;
type cobbler_var_lib_t;
class process { execmem setfscreate };
class capability { setuid setgid audit_write };
class file { read write open create rename unlink getattr setattr execute execute_no_trans };
class dir { read write open create rmdir rename add_name remove_name search getattr setattr };
class sock_file { write create };
class netlink_audit_socket { read write create nlmsg_relay };
class unix_dgram_socket sendto;
class tcp_socket name_connect;
}
#============= cobblerd_t ==============
allow cobblerd_t default_context_t:dir search;
allow cobblerd_t file_t:dir { read write open create rmdir rename add_name remove_name search getattr setattr };
allow cobblerd_t file_t:file { read write open create rename unlink getattr setattr };
allow cobblerd_t file_context_t:dir search;
allow cobblerd_t file_context_t:file { read open getattr };
allow cobblerd_t etc_t:file write;
allow cobblerd_t self:process { execmem setfscreate };
allow cobblerd_t self:capability { setuid setgid audit_write };
allow httpd_t cobblerd_t:file write;
allow httpd_t cobbler_var_lib_t:file { write create rename unlink };
allow httpd_t cobbler_var_lib_t:dir { write add_name remove_name };
allow cobblerd_t chkpwd_exec_t:file { read open execute execute_no_trans };
allow cobblerd_t home_root_t:dir search;
allow cobblerd_t devlog_t:sock_file { write create };
allow cobblerd_t shadow_t:file { open read getattr };
allow cobblerd_t self:netlink_audit_socket { read write create nlmsg_relay };
allow cobblerd_t syslogd_t:unix_dgram_socket sendto;
allow cobblerd_t kerberos_port_t:tcp_socket name_connect;