## <summary>Cobbler installation server.</summary>

## <desc>

##	

##		Cobbler is a Linux installation server that allows for

##		rapid setup of network installation environments. It

##		glues together and automates many associated Linux

##		tasks so you do not have to hop between lots of various

##		commands and applications when rolling out new systems,

##		and, in some cases, changing existing ones.

##	

## </desc>

########################################

## <summary>

##	Execute a domain transition to run cobblerd.

## </summary>

## <param name="domain">

## <summary>

##	Domain allowed to transition.

## </summary>

## </param>

#

interface(`cobblerd_domtrans',`

	gen_require(`

		type cobblerd_t, cobblerd_exec_t;

	')

	domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)

')

########################################

## <summary>

##	Execute cobblerd server in the cobblerd domain.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`cobblerd_initrc_domtrans',`

	gen_require(`

		type cobblerd_initrc_exec_t;

	')

	init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)

')

########################################

## <summary>

##	Read Cobbler content in /etc

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`cobbler_read_config',`

	gen_require(`

		type cobbler_etc_t;

	')

	read_files_pattern($1, cobbler_etc_t, cobbler_etc_t);

	files_search_etc($1)

')

########################################

## <summary>

##	Do not audit attempts to read and write

##	Cobbler log files (leaked fd).

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`cobbler_dontaudit_rw_log',`

	gen_require(`

		type cobbler_var_log_t;

	')

	dontaudit $1 cobbler_var_log_t:file rw_file_perms;

')

########################################

## <summary>

##	Search cobbler dirs in /var/lib

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`cobbler_search_lib',`

	gen_require(`

		type cobbler_var_lib_t;

	')

	search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)

	files_search_var_lib($1)

')

########################################

## <summary>

##	Read cobbler files in /var/lib

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`cobbler_read_lib_files',`

	gen_require(`

		type cobbler_var_lib_t;

	')

	read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)

	files_search_var_lib($1)

')

########################################

## <summary>

##	Manage cobbler files in /var/lib

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`cobbler_manage_lib_files',`

	gen_require(`

		type cobbler_var_lib_t;

	')

	manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)

	files_search_var_lib($1)

')

########################################

## <summary>

##	All of the rules required to administrate

##	an cobblerd environment

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

## <param name="role">

##	<summary>

##	Role allowed access.

##	</summary>

## </param>

## <rolecap/>

#

interface(`cobblerd_admin',`

	gen_require(`

		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;

		type cobbler_etc_t, cobblerd_initrc_exec_t;

	')

	allow $1 cobblerd_t:process { ptrace signal_perms getattr };

	read_files_pattern($1, cobblerd_t, cobblerd_t)

	files_search_etc($1)

	admin_pattern($1, cobbler_etc_t)

	files_list_var_lib($1)

	admin_pattern($1, cobbler_var_lib_t)

	logging_search_logs($1)

	admin_pattern($1, cobbler_var_log_t)

	admin_pattern($1, httpd_cobbler_content_rw_t)

	cobblerd_initrc_domtrans($1)

	domain_system_change_exemption($1)

	role_transition $2 cobblerd_initrc_exec_t system_r;

	allow $2 system_r;

')