diff options
author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2012-04-21 20:07:46 +0200 |
commit | 3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch) | |
tree | cae07463edd5b609a97513e00d63e1bd410cc8bb /policy/modules/contrib/quota.if | |
parent | Initial commit (diff) | |
download | hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.gz hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.bz2 hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.zip |
Pushing 2.20120215 (current version)
Diffstat (limited to 'policy/modules/contrib/quota.if')
-rw-r--r-- | policy/modules/contrib/quota.if | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if new file mode 100644 index 000000000..bf75d999c --- /dev/null +++ b/policy/modules/contrib/quota.if @@ -0,0 +1,85 @@ +## <summary>File system quota management</summary> + +######################################## +## <summary> +## Execute quota management tools in the quota domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`quota_domtrans',` + gen_require(` + type quota_t, quota_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, quota_exec_t, quota_t) +') + +######################################## +## <summary> +## Execute quota management tools in the quota domain, and +## allow the specified role the quota domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`quota_run',` + gen_require(` + type quota_t; + ') + + quota_domtrans($1) + role $2 types quota_t; +') + +######################################## +## <summary> +## Do not audit attempts to get the attributes +## of filesystem quota data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`quota_dontaudit_getattr_db',` + gen_require(` + type quota_db_t; + ') + + dontaudit $1 quota_db_t:file getattr_file_perms; +') + +######################################## +## <summary> +## Create, read, write, and delete quota +## flag files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`quota_manage_flags',` + gen_require(` + type quota_flag_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, quota_flag_t, quota_flag_t) +') |