aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSven Vermeulen <sven.vermeulen@siphos.be>2012-04-21 20:07:46 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2012-04-21 20:07:46 +0200
commit3962a6834f4e7ef04441de4f3134ff329d8602f9 (patch)
treecae07463edd5b609a97513e00d63e1bd410cc8bb /policy/modules/contrib/quota.if
parentInitial commit (diff)
downloadhardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.gz
hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.tar.bz2
hardened-refpolicy-3962a6834f4e7ef04441de4f3134ff329d8602f9.zip
Pushing 2.20120215 (current version)
Diffstat (limited to 'policy/modules/contrib/quota.if')
-rw-r--r--policy/modules/contrib/quota.if85
1 files changed, 85 insertions, 0 deletions
diff --git a/policy/modules/contrib/quota.if b/policy/modules/contrib/quota.if
new file mode 100644
index 000000000..bf75d999c
--- /dev/null
+++ b/policy/modules/contrib/quota.if
@@ -0,0 +1,85 @@
+## <summary>File system quota management</summary>
+
+########################################
+## <summary>
+## Execute quota management tools in the quota domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`quota_domtrans',`
+ gen_require(`
+ type quota_t, quota_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, quota_exec_t, quota_t)
+')
+
+########################################
+## <summary>
+## Execute quota management tools in the quota domain, and
+## allow the specified role the quota domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`quota_run',`
+ gen_require(`
+ type quota_t;
+ ')
+
+ quota_domtrans($1)
+ role $2 types quota_t;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to get the attributes
+## of filesystem quota data files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`quota_dontaudit_getattr_db',`
+ gen_require(`
+ type quota_db_t;
+ ')
+
+ dontaudit $1 quota_db_t:file getattr_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete quota
+## flag files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`quota_manage_flags',`
+ gen_require(`
+ type quota_flag_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, quota_flag_t, quota_flag_t)
+')