|
Chris PeBenito |
0fbfa5 |
# macros for the cdrecord domain
|
|
Chris PeBenito |
0fbfa5 |
# Author: Thomas Bleher <ThomasBleher@gmx.de>
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
define(`cdrecord_domain', `
|
|
Chris PeBenito |
0fbfa5 |
type $1_cdrecord_t, domain, privlog;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# The user role is authorized for this domain.
|
|
Chris PeBenito |
0fbfa5 |
role $1_r types $1_cdrecord_t;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
uses_shlib($1_cdrecord_t)
|
|
Chris PeBenito |
0fbfa5 |
read_locale($1_cdrecord_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# allow ps to show cdrecord and allow the user to kill it
|
|
Chris PeBenito |
0fbfa5 |
can_ps($1_t, $1_cdrecord_t)
|
|
Chris PeBenito |
0fbfa5 |
allow $1_t $1_cdrecord_t:process signal;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# write to the user domain tty.
|
|
Chris PeBenito |
0fbfa5 |
access_terminal($1_cdrecord_t, $1)
|
|
Chris PeBenito |
0fbfa5 |
allow $1_cdrecord_t privfd:fd use;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
can_resmgrd_connect($1_cdrecord_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow $1_cdrecord_t { tmp_t home_root_t }:dir search;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# allow cdrecord to read user files
|
|
Chris PeBenito |
0fbfa5 |
r_dir_file($1_cdrecord_t, { $1_home_t $1_tmp_t })
|
|
Chris PeBenito |
0fbfa5 |
if (use_nfs_home_dirs) {
|
|
Chris PeBenito |
0fbfa5 |
r_dir_file($1_cdrecord_t, nfs_t)
|
|
Chris PeBenito |
0fbfa5 |
}
|
|
Chris PeBenito |
0fbfa5 |
if (use_samba_home_dirs) {
|
|
Chris PeBenito |
0fbfa5 |
r_dir_file($1_cdrecord_t, cifs_t)
|
|
Chris PeBenito |
0fbfa5 |
}
|
|
Chris PeBenito |
0fbfa5 |
allow $1_cdrecord_t etc_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# allow searching for cdrom-drive
|
|
Chris PeBenito |
0fbfa5 |
allow $1_cdrecord_t device_t:dir { getattr search };
|
|
Chris PeBenito |
0fbfa5 |
allow $1_cdrecord_t device_t:lnk_file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# allow cdrecord to write the CD
|
|
Chris PeBenito |
0fbfa5 |
allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl };
|
|
Chris PeBenito |
0fbfa5 |
allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid };
|
|
Chris PeBenito |
0fbfa5 |
allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
|