selinux-policy/policy/modules/kernel/selinux.te

policy_module(selinux, 1.8.0)

########################################
#
# Declarations
#

attribute boolean_type;
attribute can_load_policy;
attribute can_setenforce;
attribute can_setsecparam;
attribute selinux_unconfined_type;

# 
# security_t is the target type when checking
# the permissions in the security class.  It is also
# applied to selinuxfs inodes.
#
type security_t, boolean_type;
fs_type(security_t)
mls_trusted_object(security_t)
sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
genfscon securityfs / gen_context(system_u:object_r:security_t,s0)

neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;
neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;
neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;

########################################
#
# Unconfined access to this module
#

# use SELinuxfs
allow selinux_unconfined_type security_t:dir list_dir_perms;
allow selinux_unconfined_type security_t:file rw_file_perms;
allow selinux_unconfined_type boolean_type:file read_file_perms;

# Access the security API.
allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };

if(!secure_mode_policyload) {
	allow selinux_unconfined_type boolean_type:file rw_file_perms;
	allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };

	ifdef(`distro_rhel4',`
		# needed for systems without audit support
		auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
	')
}
module version number bump for release 2.20090730 that was mistakenly omitted. 2009-08-05 14:59:21 +00:00			`policy_module(selinux, 1.8.0)`
move security_t to selinux module 2005-06-14 20:40:09 +00:00
			`########################################`
			`#`
			`# Declarations`
			`#`

trunk: add support for labeled booleans. 2009-01-13 13:01:48 +00:00			`attribute boolean_type;`
add unconfined 2005-07-05 20:59:51 +00:00			`attribute can_load_policy;`
			`attribute can_setenforce;`
			`attribute can_setsecparam;`
move selinux unconfined to attribute setup, clean up unconfined interface a bit 2006-05-19 15:15:45 +00:00			`attribute selinux_unconfined_type;`
add unconfined 2005-07-05 20:59:51 +00:00
move security_t to selinux module 2005-06-14 20:40:09 +00:00			`#`
			`# security_t is the target type when checking`
			`# the permissions in the security class. It is also`
			`# applied to selinuxfs inodes.`
			`#`
trunk: add support for labeled booleans. 2009-01-13 13:01:48 +00:00			`type security_t, boolean_type;`
add lost_found_t manage, rename fs_type attribute to filesystem_type and rename fs_make_fs to fs_type 2005-06-28 17:48:59 +00:00			`fs_type(security_t)`
add mls privileges 2005-09-26 20:26:32 +00:00			`mls_trusted_object(security_t)`
- Move range transitions to modules. - Make number of MLS sensitivities, and number of MLS and MCS categories configurable as build options. 2006-10-04 17:25:34 +00:00			`sid security gen_context(system_u:object_r:security_t,mls_systemhigh)`
rename context_template() to gen_context() 2005-10-06 19:33:06 +00:00			`genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)`
trunk: a pair of tweaks from gentoo systems. 2008-03-14 14:55:34 +00:00			`genfscon securityfs / gen_context(system_u:object_r:security_t,s0)`
add unconfined 2005-07-05 20:59:51 +00:00
move selinux unconfined to attribute setup, clean up unconfined interface a bit 2006-05-19 15:15:45 +00:00			`neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy;`
			`neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce;`
			`neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;`

			`########################################`
			`#`
			`# Unconfined access to this module`
			`#`

			`# use SELinuxfs`
trunk: Enable open permission checks policy capability. 2008-10-16 16:09:20 +00:00			`allow selinux_unconfined_type security_t:dir list_dir_perms;`
			`allow selinux_unconfined_type security_t:file rw_file_perms;`
trunk: add support for labeled booleans. 2009-01-13 13:01:48 +00:00			`allow selinux_unconfined_type boolean_type:file read_file_perms;`
move selinux unconfined to attribute setup, clean up unconfined interface a bit 2006-05-19 15:15:45 +00:00
			`# Access the security API.`
			`allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool };`

			`if(!secure_mode_policyload) {`
trunk: add support for labeled booleans. 2009-01-13 13:01:48 +00:00			`allow selinux_unconfined_type boolean_type:file rw_file_perms;`
move selinux unconfined to attribute setup, clean up unconfined interface a bit 2006-05-19 15:15:45 +00:00			`allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };`
remove setbool auditallow, except for distro_rhel4. 2006-07-13 14:22:21 +00:00
			ifdef(`distro_rhel4',`
			`# needed for systems without audit support`
patch from dan Wed, 26 Jul 2006 14:42:46 -0400 2006-07-28 15:13:58 +00:00			`auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };`
remove setbool auditallow, except for distro_rhel4. 2006-07-13 14:22:21 +00:00			`')`
move selinux unconfined to attribute setup, clean up unconfined interface a bit 2006-05-19 15:15:45 +00:00			`}`