diff options
Diffstat (limited to 'policy/modules/services/pwauth.if')
| -rw-r--r-- | policy/modules/services/pwauth.if | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/policy/modules/services/pwauth.if b/policy/modules/services/pwauth.if new file mode 100644 index 00000000..1148dce1 --- /dev/null +++ b/policy/modules/services/pwauth.if @@ -0,0 +1,72 @@ +## <summary>External plugin for mod_authnz_external authenticator.</summary> + +######################################## +## <summary> +## Role access for pwauth. +## </summary> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <param name="domain"> +## <summary> +## User domain for the role. +## </summary> +## </param> +# +interface(`pwauth_role',` + gen_require(` + type pwauth_t; + ') + + pwauth_run($2, $1) + + ps_process_pattern($2, pwauth_t) + allow $2 pwauth_t:process { ptrace signal_perms }; +') + +######################################## +## <summary> +## Execute pwauth in the pwauth domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`pwauth_domtrans',` + gen_require(` + type pwauth_t, pwauth_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, pwauth_exec_t, pwauth_t) +') + +######################################## +## <summary> +## Execute pwauth in the pwauth +## domain, and allow the specified +## role the pwauth domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`pwauth_run',` + gen_require(` + attribute_role pwauth_roles; + ') + + pwauth_domtrans($1) + roleattribute $2 pwauth_roles; +') |