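<?xml version="1.0" encoding="UTF-8"?>

<!-- This configuration file controls the oddjob daemon. It controls
which requests the daemon will recognize, and whether or not it
will attempt to fulfill them on behalf of particular users.

Each <oddjobconfig> contains a mixture of <service> and <include> nodes.

Each <service> element corresponds to a well-known D-Bus address (given
in the "name" attribute) which the oddjobd daemon will answer to. It
may contain one or more <object> elements, each of which describes an
object path. Each <object>, in turn, is named by its "name" attribute.

Each <object> element contains zero or more <interface> elements,
which are named by their "name" attributes and correspond to the
names of the interfaces which the object implements.

Each <interface> element contains zero or more <method> elements,
which are named by their "name" attributes. Each <method> node
corresponds to a D-Bus method implemented by the object as part of
the interface.

Each method must include an access-control list which contains at
least one rule, or the daemon will ignore any attempts to call the
method.

When checking if a client is allowed to use a method, all deny
rules are processed, then all allow rules. The first rule which
matches the user decides whether access is allowed or denied.

Access rules can specify either a user (using the "user"
attribute), or a range of UIDs (using the "min_uid" and "max_uid"
attributes). A rule that carries neither places no restriction on
who it matches, so treat a bare <allow/> as granting access to
every caller.

If SELinux support was compiled in, then a rule can also specify
whether or not it applies if the SELinux policy is being enforced
("selinux_enforcing"), or what the caller's SELinux context
("selinux_context"), user ("selinux_user"), role ("selinux_role"),
or type ("selinux_type") must be for that rule to apply.

A method may, as part of its definition, specify an external
program which is to be run when the method is invoked, by including
a <helper> node. The <helper> node should include an "exec"
attribute naming the external program which will be launched to
accomplish the given task. Depending on the value of its
"argument_passing_method" attribute, it will receive its arguments
either over stdin, one argument per line, or on the command line.
Depending on the value of the "prepend_user_name" attribute, the
argument list may or may not begin with the calling user's name.
(The example below also sets an "arguments" attribute on the helper,
presumably the number of arguments the method accepts; confirm
against the oddjobd.conf documentation.)
The helper will be run with superuser privileges, so "exec" should
name the program by absolute path, and the program must treat the
arguments it receives as untrusted input originating from the
calling client.

Here's what an example /etc/oddjobd.conf.d/crontabs.conf might
look like, allowing users with either UID=0 or the staff_r role to
run the regularly scheduled cron jobs at will:

<oddjobconfig>
  <service name="com.redhat.periodic_cron">
    <allow user="root"/>
    <allow selinux_enforcing="yes" selinux_role="staff_r"/>
    <object name="/cron/hourly">
      <interface name="com.redhat.periodic_run">
        <method name="run">
          <helper exec="/usr/bin/run-parts /etc/cron.hourly"
                  arguments="0"/>
        </method>
      </interface>
    </object>
    <object name="/cron/daily">
      <interface name="com.redhat.periodic_run">
        <method name="run">
          <helper exec="/usr/bin/run-parts /etc/cron.daily"
                  arguments="0"/>
        </method>
      </interface>
    </object>
    <object name="/cron/weekly">
      <interface name="com.redhat.periodic_run">
        <method name="run">
          <helper exec="/usr/bin/run-parts /etc/cron.weekly"
                  arguments="0"/>
        </method>
      </interface>
    </object>
    <object name="/cron/monthly">
      <interface name="com.redhat.periodic_run">
        <method name="run">
          <helper exec="/usr/bin/run-parts /etc/cron.monthly"
                  arguments="0"/>
        </method>
      </interface>
    </object>
  </service>
</oddjobconfig>

-->

<oddjobconfig>

  <service name="com.redhat.oddjob">
    <object name="/com/redhat/oddjob">
      <interface name="com.redhat.oddjob">

        <!-- Root only, expressed as the UID range 0..0. -->
        <method name="listall">
          <allow min_uid="0" max_uid="0"/>
        </method>

        <!-- Unqualified allow rule: no user or UID constraint, so it
             matches every caller. -->
        <method name="list">
          <allow/>
        </method>

        <!-- Root only, expressed by user name. -->
        <method name="quit">
          <allow user="root"/>
        </method>

        <method name="reload">
          <allow user="root"/>
        </method>

      </interface>
    </object>
  </service>

  <!-- Site-specific or other distributed additions.
       Any <helper> defined in an included file runs with superuser
       privileges (see the header comment), so these files, and the
       directory that holds them, should be writable by root only. -->
  <include ignore_missing="yes">/etc/oddjobd.conf.d/*.conf</include>

  <!-- Local additions. Same ownership caveat as above. -->
  <include ignore_missing="yes">/etc/oddjobd-local.conf</include>

</oddjobconfig>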