# macros for the cdrecord domain # Author: Thomas Bleher define(`cdrecord_domain', ` type $1_cdrecord_t, domain, privlog; domain_auto_trans($1_t, cdrecord_exec_t, $1_cdrecord_t) # The user role is authorized for this domain. role $1_r types $1_cdrecord_t; uses_shlib($1_cdrecord_t) read_locale($1_cdrecord_t) # allow ps to show cdrecord and allow the user to kill it can_ps($1_t, $1_cdrecord_t) allow $1_t $1_cdrecord_t:process signal; # write to the user domain tty. access_terminal($1_cdrecord_t, $1) allow $1_cdrecord_t privfd:fd use; allow $1_cdrecord_t $1_t:unix_stream_socket { getattr read write ioctl }; allow $1_cdrecord_t self:unix_dgram_socket create_socket_perms; allow $1_cdrecord_t self:unix_stream_socket create_stream_socket_perms; can_resmgrd_connect($1_cdrecord_t) allow $1_cdrecord_t { tmp_t home_root_t }:dir search; # allow cdrecord to read user files r_dir_file($1_cdrecord_t, { $1_home_t $1_tmp_t }) if (use_nfs_home_dirs) { r_dir_file($1_cdrecord_t, nfs_t) } if (use_samba_home_dirs) { r_dir_file($1_cdrecord_t, cifs_t) } allow $1_cdrecord_t etc_t:file { getattr read }; # allow searching for cdrom-drive allow $1_cdrecord_t device_t:dir r_dir_perms; allow $1_cdrecord_t device_t:lnk_file { getattr read }; # allow cdrecord to write the CD allow $1_cdrecord_t removable_device_t:blk_file { getattr read write ioctl }; allow $1_cdrecord_t scsi_generic_device_t:chr_file { getattr read write ioctl }; allow $1_cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio }; allow $1_cdrecord_t self:process { getsched setsched fork sigchld sigkill }; allow $1_cdrecord_t $1_devpts_t:chr_file rw_file_perms; read_content($1_cdrecord_t, $1) ')