## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>
########################################
## <summary>
##	Role access for pyzor.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
interface(`pyzor_role',`
	gen_require(`
		attribute_role pyzor_roles;
		type pyzor_t, pyzor_exec_t;
		type pyzor_home_t, pyzor_tmp_t;
	')

	# Make the role a member of pyzor_roles so it may run the pyzor_t domain.
	roleattribute $1 pyzor_roles;

	# Executing a pyzor_exec_t file from the user domain enters pyzor_t.
	domtrans_pattern($2, pyzor_exec_t, pyzor_t)

	# The user domain may inspect, signal and ptrace its own pyzor processes.
	# Note that ptrace is granted here; pyzor_signal() grants only "signal".
	ps_process_pattern($2, pyzor_t)
	allow $2 pyzor_t:process { signal_perms ptrace };

	# Full management of the per-user pyzor state under pyzor_home_t and
	# pyzor_tmp_t, including relabeling to/from those types so the user can
	# repair labels on its own files.
	allow $2 pyzor_home_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 pyzor_home_t:file { manage_file_perms relabel_file_perms };
	allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };

	allow $2 pyzor_tmp_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 pyzor_tmp_t:file { manage_file_perms relabel_file_perms };

	# A ".pyzor" directory created in the user's home directory is labeled
	# pyzor_home_t instead of the generic user home content type.
	userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor")
')
########################################
## <summary>
##	Send generic signals to pyzor.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pyzor_signal',`
	gen_require(`
		type pyzor_t;
	')

	# Only the generic "signal" permission is granted: no kill, stop,
	# sigchld or ptrace (the full signal_perms set stays with pyzor_role()).
	allow $1 pyzor_t:process signal;
')
########################################
## <summary>
##	Execute pyzor with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`pyzor_domtrans',`
	gen_require(`
		type pyzor_exec_t, pyzor_t;
	')

	# Let the caller search the standard bin directories (where the
	# pyzor_exec_t entrypoint is presumably located).
	corecmd_search_bin($1)

	# Executing a pyzor_exec_t file from $1 automatically transitions
	# into the confined pyzor_t domain.
	domtrans_pattern($1, pyzor_exec_t, pyzor_t)
')
########################################
## <summary>
##	Execute pyzor in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pyzor_exec',`
	gen_require(`
		type pyzor_exec_t;
	')

	# Let the caller search the standard bin directories to reach the executable.
	corecmd_search_bin($1)

	# Execute without a domain transition: pyzor then runs with the caller's
	# own label and permissions, so $1 is not confined by the pyzor_t policy.
	# Use pyzor_domtrans() when the transition into pyzor_t is wanted.
	can_exec($1, pyzor_exec_t)
')
########################################
## <summary>
##	All of the rules required to
##	administrate a pyzor environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`pyzor_admin',`
	gen_require(`
		type pyzord_t, pyzord_initrc_exec_t;
		type pyzord_log_t, pyzor_var_lib_t, pyzor_etc_t;
	')

	# Process control over the pyzord daemon: list, signal and ptrace it.
	ps_process_pattern($1, pyzord_t)
	allow $1 pyzord_t:process { signal_perms ptrace };

	# Start and stop the pyzord service from the admin domain and role.
	init_startstop_service($1, $2, pyzord_t, pyzord_initrc_exec_t)

	# Reach the parent directories of the pyzor files administered below.
	files_search_etc($1)
	files_search_var_lib($1)
	logging_search_logs($1)

	# Manage and relabel the pyzord configuration, state and log files.
	admin_pattern($1, pyzor_etc_t)
	admin_pattern($1, pyzor_var_lib_t)
	admin_pattern($1, pyzord_log_t)

	# pyzor_role($2, $1) is deliberately not called here: doing so would make
	# it impossible to apply this interface to a role that already called
	# pyzor_role().
	#pyzor_role($2, $1)
')