Chris PeBenito 17de1b
## <summary>Andrew Filesystem server</summary>
Chris PeBenito 13306f
Chris PeBenito 13306f
########################################
Chris PeBenito 13306f
## <summary>
Chris PeBenito 13306f
##	Execute a domain transition to run the
Chris PeBenito 13306f
##	afs client.
Chris PeBenito 13306f
## </summary>
Chris PeBenito 13306f
## <param name="domain">
Chris PeBenito 13306f
## <summary>
Chris PeBenito 13306f
##	Domain allowed to transition.
Chris PeBenito 13306f
## </summary>
Chris PeBenito 13306f
## </param>
Chris PeBenito 13306f
#
Chris PeBenito 13306f
interface(`afs_domtrans',`
Chris PeBenito 13306f
	gen_require(`
Chris PeBenito 13306f
		type afs_t, afs_exec_t;
Chris PeBenito 13306f
	')
Chris PeBenito 13306f
Dominick Grift 534e57
	corecmd_search_bin($1)
Chris PeBenito 13306f
	domtrans_pattern($1, afs_exec_t, afs_t)
Chris PeBenito 13306f
')
Chris PeBenito 13306f
Chris PeBenito 13306f
########################################
Chris PeBenito 13306f
## <summary>
Chris PeBenito 13306f
##	Read and write afs client UDP sockets.
Chris PeBenito 13306f
## </summary>
Chris PeBenito 13306f
## <param name="domain">
Chris PeBenito 13306f
##	<summary>
Chris PeBenito 13306f
##	Domain allowed access.
Chris PeBenito 13306f
##	</summary>
Chris PeBenito 13306f
## </param>
Chris PeBenito 13306f
#
Chris PeBenito 13306f
interface(`afs_rw_udp_sockets',`
Chris PeBenito 13306f
	gen_require(`
Chris PeBenito 13306f
		type afs_t;
Chris PeBenito 13306f
	')
Chris PeBenito 13306f
Chris PeBenito 13306f
	allow $1 afs_t:udp_socket { read write };
Chris PeBenito 13306f
')
Chris PeBenito 13306f
Chris PeBenito 13306f
########################################
Chris PeBenito 13306f
## <summary>
Chris PeBenito 13306f
##	read/write afs cache files
Chris PeBenito 13306f
## </summary>
Chris PeBenito 13306f
## <param name="domain">
Chris PeBenito 13306f
## <summary>
Dominick Grift 288845
##	Domain allowed access.
Chris PeBenito 13306f
## </summary>
Chris PeBenito 13306f
## </param>
Chris PeBenito 13306f
#
Chris PeBenito 13306f
interface(`afs_rw_cache',`
Chris PeBenito 13306f
	gen_require(`
Chris PeBenito 13306f
		type afs_cache_t;
Chris PeBenito 13306f
	')
Chris PeBenito 13306f
Dominick Grift 534e57
	files_search_var($1)
Chris PeBenito 13306f
	allow $1 afs_cache_t:file { read write };
Chris PeBenito 13306f
')
Chris PeBenito 13306f
Chris PeBenito 13306f
########################################
Chris PeBenito 13306f
## <summary>
Chris PeBenito 13306f
##	Execute afs server in the afs domain.
Chris PeBenito 13306f
## </summary>
Chris PeBenito 13306f
## <param name="domain">
Chris PeBenito 13306f
##	<summary>
Dominick Grift 288845
##	Domain allowed to transition.
Chris PeBenito 13306f
##	</summary>
Chris PeBenito 13306f
## </param>
Chris PeBenito 13306f
#
Chris PeBenito 13306f
interface(`afs_initrc_domtrans',`
Chris PeBenito 13306f
	gen_require(`
Chris PeBenito 13306f
		type afs_initrc_exec_t;
Chris PeBenito 13306f
	')
Chris PeBenito 13306f
Dominick Grift 534e57
	init_labeled_script_domtrans($1, afs_initrc_exec_t)
Chris PeBenito 13306f
')
Chris PeBenito 13306f
Chris PeBenito 13306f
########################################
Chris PeBenito 13306f
## <summary>
Chris PeBenito 13306f
##	All of the rules required to administrate 
Chris PeBenito 13306f
##	an afs environment
Chris PeBenito 13306f
## </summary>
Chris PeBenito 13306f
## <param name="domain">
Chris PeBenito 13306f
##	<summary>
Chris PeBenito 13306f
##	Domain allowed access.
Chris PeBenito 13306f
##	</summary>
Chris PeBenito 13306f
## </param>
Chris PeBenito 13306f
## <param name="role">
Chris PeBenito 13306f
##	<summary>
Chris PeBenito 13306f
##	The role to be allowed to manage the afs domain.
Chris PeBenito 13306f
##	</summary>
Chris PeBenito 13306f
## </param>
Chris PeBenito 13306f
## <rolecap/>
Chris PeBenito 13306f
#
Chris PeBenito 13306f
interface(`afs_admin',`
Chris PeBenito 13306f
	gen_require(`
Jeremy Solt 1d348b
		type afs_t, afs_initrc_exec_t;
Chris PeBenito 13306f
	')
Chris PeBenito 13306f
Chris PeBenito 13306f
	allow $1 afs_t:process { ptrace signal_perms getattr };
Chris PeBenito 13306f
	read_files_pattern($1, afs_t, afs_t)
Chris PeBenito 13306f
Dominick Grift 534e57
	# Allow afs_admin to restart the afs service
Chris PeBenito 13306f
	afs_initrc_domtrans($1)
Chris PeBenito 13306f
	domain_system_change_exemption($1)
Chris PeBenito 13306f
	role_transition $2 afs_initrc_exec_t system_r;
Chris PeBenito 13306f
	allow $2 system_r;
Chris PeBenito 13306f
Chris PeBenito 13306f
')