selinux-policy/policy/modules/system/miscfiles.if

365 lines
7.2 KiB
Plaintext
Raw Normal View History

2005-06-07 22:36:07 +00:00
## <summary>Miscelaneous files.</summary>
2005-04-20 19:07:16 +00:00
2005-05-05 21:36:53 +00:00
########################################
2005-07-19 18:40:31 +00:00
## <summary>
2005-10-05 21:17:22 +00:00
## Read system SSL certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-10-05 21:17:22 +00:00
## </param>
#
interface(`miscfiles_read_certs',`
gen_require(`
type cert_t;
')
allow $1 cert_t:dir r_dir_perms;
allow $1 cert_t:file r_file_perms;
2005-10-20 19:28:27 +00:00
allow $1 cert_t:lnk_file { getattr read };
2005-10-05 21:17:22 +00:00
')
########################################
## <summary>
## Read fonts.
2005-07-19 18:40:31 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-07-19 18:40:31 +00:00
## </param>
2005-05-05 21:36:53 +00:00
#
interface(`miscfiles_read_fonts',`
2005-06-17 17:59:26 +00:00
gen_require(`
type fonts_t;
')
2005-11-25 19:09:08 +00:00
# cjp: fonts can be in either of these dirs
2005-06-17 17:59:26 +00:00
files_search_usr($1)
libs_search_lib($1)
2005-06-09 14:26:05 +00:00
allow $1 fonts_t:dir r_dir_perms;
allow $1 fonts_t:file r_file_perms;
2005-10-26 16:00:13 +00:00
allow $1 fonts_t:lnk_file { getattr read };
2005-05-05 21:36:53 +00:00
')
2005-11-25 19:09:08 +00:00
########################################
## <summary>
## Create, read, write, and delete fonts.
## </summary>
## <param name="domain">
## <summary>
2005-11-25 19:09:08 +00:00
## Domain allowed access.
## </summary>
2005-11-25 19:09:08 +00:00
## </param>
#
interface(`miscfiles_manage_fonts',`
gen_require(`
type fonts_t;
')
# cjp: fonts can be in either of these dirs
files_search_usr($1)
libs_search_lib($1)
allow $1 fonts_t:dir create_dir_perms;
allow $1 fonts_t:file create_file_perms;
allow $1 fonts_t:lnk_file create_lnk_perms;
')
########################################
## <summary>
## Read hardware identification data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_read_hwdata',`
gen_require(`
type hwdata_t;
')
allow $1 hwdata_t:dir r_dir_perms;
allow $1 hwdata_t:file r_file_perms;
2005-10-31 22:44:03 +00:00
allow $1 hwdata_t:lnk_file { getattr read };
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-19 18:40:31 +00:00
## <summary>
## Allow process to read localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-07-19 18:40:31 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`miscfiles_read_localization',`
2005-06-17 17:59:26 +00:00
gen_require(`
type locale_t;
')
files_search_etc($1)
# FIXME: $1 read etc_t:lnk_file here
2005-06-17 17:59:26 +00:00
files_search_usr($1)
2005-06-09 14:26:05 +00:00
allow $1 locale_t:dir r_dir_perms;
allow $1 locale_t:lnk_file r_file_perms;
allow $1 locale_t:file r_file_perms;
2005-05-11 15:46:51 +00:00
# why?
2006-02-02 21:08:12 +00:00
libs_read_lib_files($1)
2005-04-14 20:18:17 +00:00
')
2005-05-05 20:33:35 +00:00
########################################
2005-07-19 18:40:31 +00:00
## <summary>
## Allow process to read legacy time localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-07-19 18:40:31 +00:00
## </param>
2005-05-05 20:33:35 +00:00
#
interface(`miscfiles_legacy_read_localization',`
2005-06-17 17:59:26 +00:00
gen_require(`
type locale_t;
')
miscfiles_read_localization($1)
allow $1 locale_t:file execute;
2005-05-05 20:33:35 +00:00
')
2005-10-23 20:18:36 +00:00
########################################
## <summary>
## Do not audit attempts to search man pages.
## </summary>
## <param name="domain">
## <summary>
2005-10-23 20:18:36 +00:00
## Domain to not audit.
## </summary>
2005-10-23 20:18:36 +00:00
## </param>
#
interface(`miscfiles_dontaudit_search_man_pages',`
gen_require(`
type man_t;
')
dontaudit $1 man_t:dir search;
')
2005-05-11 19:05:15 +00:00
########################################
2005-07-19 18:40:31 +00:00
## <summary>
2005-09-16 21:20:37 +00:00
## Read man pages
2005-07-19 18:40:31 +00:00
## </summary>
## <param name="domain">
## <summary>
2005-09-16 21:20:37 +00:00
## Domain allowed access.
## </summary>
2005-07-19 18:40:31 +00:00
## </param>
2005-05-11 19:05:15 +00:00
#
interface(`miscfiles_read_man_pages',`
2005-06-17 17:59:26 +00:00
gen_require(`
type man_t;
')
files_search_usr($1)
2005-06-09 14:26:05 +00:00
allow $1 man_t:dir r_dir_perms;
allow $1 man_t:file r_file_perms;
allow $1 man_t:lnk_file r_file_perms;
2005-05-11 19:05:15 +00:00
')
2005-07-19 18:40:31 +00:00
########################################
2005-09-16 21:20:37 +00:00
## <summary>
## Delete man pages
## </summary>
## <param name="domain">
## <summary>
2005-09-16 21:20:37 +00:00
## Domain allowed access.
## </summary>
2005-09-16 21:20:37 +00:00
## </param>
# cjp: added for tmpreaper
#
interface(`miscfiles_delete_man_pages',`
gen_require(`
type man_t;
')
files_search_usr($1)
allow $1 man_t:dir { setattr rw_dir_perms rmdir };
allow $1 man_t:file { getattr unlink };
allow $1 man_t:lnk_file { getattr unlink };
')
########################################
## <summary>
## Create, read, write, and delete man pages
## </summary>
## <param name="domain">
## <summary>
2005-09-16 21:20:37 +00:00
## Domain allowed access.
## </summary>
2005-09-16 21:20:37 +00:00
## </param>
#
interface(`miscfiles_manage_man_pages',`
gen_require(`
type man_t;
')
files_search_usr($1)
allow $1 man_t:dir create_dir_perms;
allow $1 man_t:file create_file_perms;
allow $1 man_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Read public files used for file
## transfer services.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_read_public_files',`
gen_require(`
2005-10-24 21:33:46 +00:00
type public_content_t, public_content_rw_t;
')
2005-10-24 21:33:46 +00:00
allow $1 { public_content_t public_content_rw_t }:dir r_dir_perms;
allow $1 { public_content_t public_content_rw_t }:file r_file_perms;
allow $1 { public_content_t public_content_rw_t }:lnk_file { getattr read };
')
########################################
## <summary>
## Create, read, write, and delete public files
## and directories used for file transfer services.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_manage_public_files',`
gen_require(`
type public_content_rw_t;
')
allow $1 public_content_rw_t:dir create_dir_perms;
allow $1 public_content_rw_t:file create_file_perms;
allow $1 public_content_rw_t:lnk_file create_lnk_perms;
')
2005-09-16 21:20:37 +00:00
########################################
2005-07-19 18:40:31 +00:00
## <summary>
## Read TeX data
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-07-19 18:40:31 +00:00
## </param>
#
interface(`miscfiles_read_tetex_data',`
gen_require(`
type tetex_data_t;
')
files_search_var($1)
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
allow $1 tetex_data_t:dir r_dir_perms;
allow $1 tetex_data_t:file r_file_perms;
allow $1 tetex_data_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Execute TeX data programs in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
2005-07-19 18:40:31 +00:00
## </param>
#
interface(`miscfiles_exec_tetex_data',`
gen_require(`
type fonts_t;
')
files_search_var($1)
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
allow $1 tetex_data_t:dir r_dir_perms;
can_exec($1,tetex_data_t)
')
########################################
## <summary>
## Let test files be an entry point for
## a specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain to be entered.
## </summary>
## </param>
#
interface(`miscfiles_domain_entry_test_files',`
gen_require(`
type test_file_t;
')
domain_entry_file($1, test_file_t)
')
########################################
## <summary>
## Read test files and directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_read_test_files',`
gen_require(`
type test_file_t;
')
allow $1 test_file_t:dir r_dir_perms;
allow $1 test_file_t:file r_file_perms;
allow $1 test_file_t:lnk_file r_file_perms;
')
########################################
## <summary>
## Execute test files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_exec_test_files',`
gen_require(`
type test_file_t;
')
allow $1 test_file_t:dir r_dir_perms;
allow $1 test_file_t:lnk_file r_file_perms;
can_exec($1, test_file_t)
')