|
Chris PeBenito |
17de1b |
## <summary>Andrew Filesystem server</summary>
|
|
Chris PeBenito |
13306f |
|
|
Chris PeBenito |
13306f |
########################################
|
|
Chris PeBenito |
13306f |
## <summary>
|
|
Chris PeBenito |
13306f |
## Execute a domain transition to run the
|
|
Chris PeBenito |
13306f |
## afs client.
|
|
Chris PeBenito |
13306f |
## </summary>
|
|
Chris PeBenito |
13306f |
## <param name="domain">
|
|
Chris PeBenito |
13306f |
## <summary>
|
|
Chris PeBenito |
13306f |
## Domain allowed to transition.
|
|
Chris PeBenito |
13306f |
## </summary>
|
|
Chris PeBenito |
13306f |
## </param>
|
|
Chris PeBenito |
13306f |
#
|
|
Chris PeBenito |
13306f |
interface(`afs_domtrans',`
|
|
Chris PeBenito |
13306f |
gen_require(`
|
|
Chris PeBenito |
13306f |
type afs_t, afs_exec_t;
|
|
Chris PeBenito |
13306f |
')
|
|
Chris PeBenito |
13306f |
|
|
Dominick Grift |
534e57 |
corecmd_search_bin($1)
|
|
Chris PeBenito |
13306f |
domtrans_pattern($1, afs_exec_t, afs_t)
|
|
Chris PeBenito |
13306f |
')
|
|
Chris PeBenito |
13306f |
|
|
Chris PeBenito |
13306f |
########################################
|
|
Chris PeBenito |
13306f |
## <summary>
|
|
Chris PeBenito |
13306f |
## Read and write afs client UDP sockets.
|
|
Chris PeBenito |
13306f |
## </summary>
|
|
Chris PeBenito |
13306f |
## <param name="domain">
|
|
Chris PeBenito |
13306f |
## <summary>
|
|
Chris PeBenito |
13306f |
## Domain allowed access.
|
|
Chris PeBenito |
13306f |
## </summary>
|
|
Chris PeBenito |
13306f |
## </param>
|
|
Chris PeBenito |
13306f |
#
|
|
Chris PeBenito |
13306f |
interface(`afs_rw_udp_sockets',`
|
|
Chris PeBenito |
13306f |
gen_require(`
|
|
Chris PeBenito |
13306f |
type afs_t;
|
|
Chris PeBenito |
13306f |
')
|
|
Chris PeBenito |
13306f |
|
|
Chris PeBenito |
13306f |
allow $1 afs_t:udp_socket { read write };
|
|
Chris PeBenito |
13306f |
')
|
|
Chris PeBenito |
13306f |
|
|
Chris PeBenito |
13306f |
########################################
|
|
Chris PeBenito |
13306f |
## <summary>
|
|
Chris PeBenito |
13306f |
## read/write afs cache files
|
|
Chris PeBenito |
13306f |
## </summary>
|
|
Chris PeBenito |
13306f |
## <param name="domain">
|
|
Chris PeBenito |
13306f |
## <summary>
|
|
Dominick Grift |
288845 |
## Domain allowed access.
|
|
Chris PeBenito |
13306f |
## </summary>
|
|
Chris PeBenito |
13306f |
## </param>
|
|
Chris PeBenito |
13306f |
#
|
|
Chris PeBenito |
13306f |
interface(`afs_rw_cache',`
|
|
Chris PeBenito |
13306f |
gen_require(`
|
|
Chris PeBenito |
13306f |
type afs_cache_t;
|
|
Chris PeBenito |
13306f |
')
|
|
Chris PeBenito |
13306f |
|
|
Dominick Grift |
534e57 |
files_search_var($1)
|
|
Chris PeBenito |
13306f |
allow $1 afs_cache_t:file { read write };
|
|
Chris PeBenito |
13306f |
')
|
|
Chris PeBenito |
13306f |
|
|
Chris PeBenito |
13306f |
########################################
|
|
Chris PeBenito |
13306f |
## <summary>
|
|
Chris PeBenito |
13306f |
## Execute afs server in the afs domain.
|
|
Chris PeBenito |
13306f |
## </summary>
|
|
Chris PeBenito |
13306f |
## <param name="domain">
|
|
Chris PeBenito |
13306f |
## <summary>
|
|
Dominick Grift |
288845 |
## Domain allowed to transition.
|
|
Chris PeBenito |
13306f |
## </summary>
|
|
Chris PeBenito |
13306f |
## </param>
|
|
Chris PeBenito |
13306f |
#
|
|
Chris PeBenito |
13306f |
interface(`afs_initrc_domtrans',`
|
|
Chris PeBenito |
13306f |
gen_require(`
|
|
Chris PeBenito |
13306f |
type afs_initrc_exec_t;
|
|
Chris PeBenito |
13306f |
')
|
|
Chris PeBenito |
13306f |
|
|
Dominick Grift |
534e57 |
init_labeled_script_domtrans($1, afs_initrc_exec_t)
|
|
Chris PeBenito |
13306f |
')
|
|
Chris PeBenito |
13306f |
|
|
Chris PeBenito |
13306f |
########################################
|
|
Chris PeBenito |
13306f |
## <summary>
|
|
Chris PeBenito |
13306f |
## All of the rules required to administrate
|
|
Chris PeBenito |
13306f |
## an afs environment
|
|
Chris PeBenito |
13306f |
## </summary>
|
|
Chris PeBenito |
13306f |
## <param name="domain">
|
|
Chris PeBenito |
13306f |
## <summary>
|
|
Chris PeBenito |
13306f |
## Domain allowed access.
|
|
Chris PeBenito |
13306f |
## </summary>
|
|
Chris PeBenito |
13306f |
## </param>
|
|
Chris PeBenito |
13306f |
## <param name="role">
|
|
Chris PeBenito |
13306f |
## <summary>
|
|
Chris PeBenito |
13306f |
## The role to be allowed to manage the afs domain.
|
|
Chris PeBenito |
13306f |
## </summary>
|
|
Chris PeBenito |
13306f |
## </param>
|
|
Chris PeBenito |
13306f |
## <rolecap/>
|
|
Chris PeBenito |
13306f |
#
|
|
Chris PeBenito |
13306f |
interface(`afs_admin',`
|
|
Chris PeBenito |
13306f |
gen_require(`
|
|
Jeremy Solt |
1d348b |
type afs_t, afs_initrc_exec_t;
|
|
Chris PeBenito |
13306f |
')
|
|
Chris PeBenito |
13306f |
|
|
Chris PeBenito |
13306f |
allow $1 afs_t:process { ptrace signal_perms getattr };
|
|
Chris PeBenito |
13306f |
read_files_pattern($1, afs_t, afs_t)
|
|
Chris PeBenito |
13306f |
|
|
Dominick Grift |
534e57 |
# Allow afs_admin to restart the afs service
|
|
Chris PeBenito |
13306f |
afs_initrc_domtrans($1)
|
|
Chris PeBenito |
13306f |
domain_system_change_exemption($1)
|
|
Chris PeBenito |
13306f |
role_transition $2 afs_initrc_exec_t system_r;
|
|
Chris PeBenito |
13306f |
allow $2 system_r;
|
|
Chris PeBenito |
13306f |
|
|
Chris PeBenito |
13306f |
')
|