## <summary>Cobbler installation server.</summary>

## <desc>

##	

##	Cobbler is a Linux installation server that allows for

##	rapid setup of network installation environments. It

##	glues together and automates many associated Linux

##	tasks so you do not have to hop between lots of various

##	commands and applications when rolling out new systems,

##	and, in some cases, changing existing ones.

##	

## </desc>

########################################

## <summary>

##	Execute a domain transition to run cobblerd.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed to transition.

##	</summary>

## </param>

#

interface(`cobblerd_domtrans',`

	gen_require(`

		type cobblerd_t, cobblerd_exec_t;

	')

	domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)

	corecmd_search_bin($1)

')

########################################

## <summary>

##	Execute cobblerd server in the cobblerd domain.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed to transition.

##	</summary>

## </param>

#

interface(`cobblerd_initrc_domtrans',`

	gen_require(`

		type cobblerd_initrc_exec_t;

	')

	init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)

')

########################################

## <summary>

##	List Cobbler configuration.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`cobbler_list_config',`

	gen_require(`

		type cobbler_etc_t;

	')

	list_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)

	files_search_etc($1)

')

########################################

## <summary>

##	Read Cobbler configuration files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain to not audit.

##	</summary>

## </param>

#

interface(`cobbler_read_config',`

	gen_require(`

		type cobbler_etc_t;

	')

	read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)

	files_search_etc($1)

')

########################################

## <summary>

##	Search cobbler dirs in /var/lib

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`cobbler_search_lib',`

	gen_require(`

		type cobbler_var_lib_t;

	')

	search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)

	read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)

	files_search_var_lib($1)

')

########################################

## <summary>

##	Read cobbler files in /var/lib

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`cobbler_read_lib_files',`

	gen_require(`

		type cobbler_var_lib_t;

	')

	read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)

	read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)

	files_search_var_lib($1)

')

########################################

## <summary>

##	Manage cobbler files in /var/lib

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`cobbler_manage_lib_files',`

	gen_require(`

		type cobbler_var_lib_t;

	')

	manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)

	manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)

	manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)

	files_search_var_lib($1)

')

########################################

## <summary>

##	Do not audit attempts to read and write

##	Cobbler log files (leaked fd).

## </summary>

## <param name="domain">

##	<summary>

##	Domain to not audit.

##	</summary>

## </param>

#

interface(`cobbler_dontaudit_rw_log',`

	gen_require(`

		type cobbler_var_log_t;

	')

	dontaudit $1 cobbler_var_log_t:file rw_inherited_file_perms;

')

########################################

## <summary>

##	All of the rules required to administrate

##	an cobblerd environment

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

## <param name="role">

##	<summary>

##	Role allowed access.

##	</summary>

## </param>

## <rolecap/>

#

interface(`cobblerd_admin',`

	gen_require(`

		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;

		type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;

		type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t;

	')

	allow $1 cobblerd_t:process { ptrace signal_perms };

	ps_process_pattern($1, cobblerd_t)

	files_search_etc($1)

	admin_pattern($1, cobbler_etc_t)

	files_list_var_lib($1)

	admin_pattern($1, cobbler_var_lib_t)

	logging_search_logs($1)

	admin_pattern($1, cobbler_var_log_t)

	apache_search_sys_content($1)

	admin_pattern($1, httpd_cobbler_content_t)

	admin_pattern($1, httpd_cobbler_content_ra_t)

	admin_pattern($1, httpd_cobbler_content_rw_t)

	cobblerd_initrc_domtrans($1)

	domain_system_change_exemption($1)

	role_transition $2 cobblerd_initrc_exec_t system_r;

	allow $2 system_r;

	optional_policy(`

		# traverse /var/lib/tftpdir to get to cobbler_var_lib_t there.

		tftp_search_rw_content($1)

	')

')