review of system interfaces

This commit is contained in:
Chris PeBenito 2005-06-17 17:59:26 +00:00
parent a7c3a1b920
commit 139520a233
21 changed files with 794 additions and 1265 deletions


@ -31,7 +31,7 @@ term_dontaudit_use_console(dmesg_t)
domain_use_wide_inherit_fd(dmesg_t)
files_read_generic_etc_files_directory(dmesg_t)
files_list_etc(dmesg_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(dmesg_t)


@ -34,7 +34,7 @@ define(`authlogin_per_userdomain_template',`
allow $1_chkpwd_t self:capability setuid;
allow $1_chkpwd_t self:process getattr;
files_read_generic_etc_files_directory($1_chkpwd_t)
files_list_etc($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };
# is_selinux_enabled
@ -276,7 +276,7 @@ define(`auth_dontaudit_getattr_shadow_depend',`
define(`auth_read_shadow',`
gen_require(`$0'_depend)
files_read_generic_etc_files_directory($1)
files_list_etc($1)
allow $1 shadow_t:file r_file_perms;
typeattribute $1 can_read_shadow_passwords;
')
@ -338,7 +338,7 @@ define(`auth_dontaudit_read_shadow_depend',`
define(`auth_rw_shadow',`
gen_require(`$0'_depend)
files_read_generic_etc_files_directory($1)
files_list_etc($1)
allow $1 shadow_t:file rw_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
')


@ -12,7 +12,11 @@
## </interface>
#
define(`clock_domtrans',`
gen_require(`$0'_depend)
gen_require(`
type hwclock_t, hwclock_exec_t;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1,hwclock_exec_t,hwclock_t)
@ -22,15 +26,6 @@ define(`clock_domtrans',`
allow hwclock_t $1:process sigchld;
')
define(`clock_domtrans_depend',`
type hwclock_t, hwclock_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="clock_run">
## <description>
@ -49,19 +44,16 @@ define(`clock_domtrans_depend',`
## </interface>
#
define(`clock_run',`
gen_require(`$0'_depend)
gen_require(`
type hwclock_t;
class chr_file { getattr read write ioctl };
')
clock_domtrans($1)
role $2 types hwclock_t;
allow hwclock_t $3:chr_file { getattr read write ioctl };
')
define(`clock_run_depend',`
type hwclock_t;
class chr_file { getattr read write ioctl };
')
########################################
## <interface name="clock_exec">
## <description>
@ -73,17 +65,13 @@ define(`clock_run_depend',`
## </interface>
#
define(`clock_exec',`
gen_require(`$0'_depend)
gen_require(`
type hwclock_exec_t;
')
can_exec($1,hwclock_exec_t)
')
define(`clock_exec_depend',`
type hwclock_exec_t;
class file { getattr read execute execute_no_trans };
')
########################################
## <interface name="clock_rw_adjtime">
## <description>
@ -95,16 +83,13 @@ define(`clock_exec_depend',`
## </interface>
#
define(`clock_rw_adjtime',`
gen_require(`$0'_depend)
gen_require(`
type adjtime_t;
class file rw_file_perms;
')
allow $1 adjtime_t:file rw_file_perms;
files_read_generic_etc_files_directory($1)
')
define(`clock_rw_adjtime_depend',`
type adjtime_t;
class file rw_file_perms;
files_list_etc($1)
')
## </module>
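Review bot: The new gen_require block of clock_domtrans declares only hwclock_t/hwclock_exec_t, `class fd use` and `class fifo_file rw_file_perms`, yet the unchanged context line `allow hwclock_t $1:process sigchld;` still needs the process class; the removed clock_domtrans_depend carried it. The sibling interfaces rewritten in this commit (getty_domtrans, hostname_domtrans, iptables_domtrans) all declare `class process sigchld;` in their gen_require, so this one looks like an omission rather than a deliberate choice. Suggest adding `class process sigchld;` after `class fifo_file rw_file_perms;` in the require block. The body of clock_domtrans spans two hunks here, so the lines in between are not visible.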


@ -46,7 +46,7 @@ domain_use_wide_inherit_fd(hwclock_t)
init_use_fd(hwclock_t)
init_use_script_pty(hwclock_t)
files_read_generic_etc_files_directory(hwclock_t)
files_list_etc(hwclock_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(hwclock_t)


@ -9,53 +9,49 @@
# corecmd_shell_entry_type(domain)
#
define(`corecmd_shell_entry_type',`
gen_require(`$0'_depend)
gen_require(`
type shell_exec_t;
')
domain_entry_file($1,shell_exec_t)
')
define(`corecmd_shell_entry_type_depend',`
type shell_exec_t;
')
########################################
#
# corecmd_search_bin(domain)
#
define(`corecmd_search_bin',`
gen_require(`$0'_depend)
gen_require(`
type bin_t;
class dir search;
')
allow $1 bin_t:dir search;
')
define(`corecmd_search_bin_depend',`
type bin_t;
class dir search;
')
########################################
#
# corecmd_list_bin(domain)
#
define(`corecmd_list_bin',`
gen_require(`$0'_depend)
gen_require(`
type bin_t;
class dir r_dir_perms;
')
allow $1 bin_t:dir r_dir_perms;
')
define(`corecmd_list_bin_depend',`
type bin_t;
class dir r_dir_perms;
')
########################################
#
# corecmd_exec_bin(domain)
#
define(`corecmd_exec_bin',`
gen_require(`$0'_depend)
gen_require(`
type bin_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
')
allow $1 bin_t:dir r_dir_perms;
allow $1 bin_t:lnk_file r_file_perms;
@ -63,68 +59,55 @@ define(`corecmd_exec_bin',`
')
define(`corecmd_exec_bin_depend',`
type bin_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file { getattr read ioctl lock execute execute_no_trans };
')
########################################
#
# corecmd_search_sbin(domain)
#
define(`corecmd_search_sbin',`
gen_require(`$0'_depend)
gen_require(`
type sbin_t;
class dir search;
')
allow $1 sbin_t:dir search;
')
define(`corecmd_search_sbin_depend',`
type sbin_t;
class dir search;
')
########################################
#
# corecmd_list_sbin(domain)
#
define(`corecmd_list_sbin',`
gen_require(`$0'_depend)
gen_require(`
type sbin_t;
class dir r_dir_perms;
')
allow $1 sbin_t:dir r_dir_perms;
')
define(`corecmd_list_sbin_depend',`
type sbin_t;
class dir r_dir_perms;
')
########################################
#
# corecmd_dontaudit_getattr_sbin_file(domain)
#
define(`corecmd_dontaudit_getattr_sbin_file',`
gen_require(`$0'_depend)
gen_require(`
type sbin_t;
class file getattr;
')
allow $1 sbin_t:file getattr;
')
define(`corecmd_dontaudit_getattr_sbin_file_depend',`
type sbin_t;
class file getattr;
')
########################################
#
# corecmd_exec_sbin(domain)
#
define(`corecmd_exec_sbin',`
gen_require(`$0'_depend)
gen_require(`
type sbin_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
')
allow $1 sbin_t:dir r_dir_perms;
allow $1 sbin_t:lnk_file r_file_perms;
@ -132,54 +115,38 @@ define(`corecmd_exec_sbin',`
')
define(`corecmd_exec_sbin_depend',`
type sbin_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file { getattr read ioctl lock execute execute_no_trans };
')
########################################
#
# corecmd_exec_shell(domain)
#
define(`corecmd_exec_shell',`
gen_require(`$0'_depend)
gen_require(`
type bin_t, shell_exec_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
')
allow $1 bin_t:dir r_dir_perms;
allow $1 bin_t:lnk_file r_file_perms;
can_exec($1,shell_exec_t)
')
define(`corecmd_exec_shell_depend',`
type bin_t, shell_exec_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file { getattr read lock ioctl execute execute_no_trans };
')
########################################
#
# corecmd_exec_ls(domain)
#
define(`corecmd_exec_ls',`
gen_require(`$0'_depend)
gen_require(`
type bin_t, ls_exec_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
')
allow $1 bin_t:dir r_dir_perms;
allow $1 bin_t:lnk_file r_file_perms;
can_exec($1,ls_exec_t)
')
define(`corecmd_exec_shell_depend',`
type bin_t, ls_exec_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file { getattr read lock ioctl execute execute_no_trans };
')
########################################
## <interface name="corecmd_shell_spec_domtrans">
## <description>
@ -196,7 +163,14 @@ define(`corecmd_exec_shell_depend',`
## </interface>
#
define(`corecmd_shell_spec_domtrans',`
gen_require(`$0'_depend)
gen_require(`
type bin_t, shell_exec_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class fd use;
class fifo_file rw_file_perms;
class process sigchld;
')
allow $1 bin_t:dir r_dir_perms;
allow $1 bin_t:lnk_file r_file_perms;
@ -209,17 +183,6 @@ define(`corecmd_shell_spec_domtrans',`
allow $2 $1:process sigchld;
')
define(`corecmd_shell_spec_domtrans_depend',`
type bin_t, shell_exec_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file rx_file_perms
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="corecmd_domtrans_shell">
## <description>
@ -234,32 +197,26 @@ define(`corecmd_shell_spec_domtrans_depend',`
## </interface>
#
define(`corecmd_domtrans_shell',`
gen_require(`$0'_depend)
gen_require(`
type shell_exec_t;
')
corecmd_shell_spec_domtrans($1,$2)
type_transition $1 shell_exec_t:process $2;
')
define(`corecmd_domtrans_shell_depend',`
type shell_exec_t;
')
########################################
#
# corecmd_chroot_exec_chroot(domain)
#
define(`corecmd_chroot_exec_chroot',`
gen_require(`$0'_depend)
gen_require(`
type chroot_exec_t;
class capability sys_chroot;
')
allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
can_exec($1,chroot_exec_t)
allow $1 self:capability sys_chroot;
')
define(`corecmd_chroot_exec_chroot_depend',`
type chroot_exec_t;
class file { getattr read execute execute_no_trans };
class capability sys_chroot;
')
## </module>
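Review bot: corecmd_dontaudit_getattr_sbin_file still emits `allow $1 sbin_t:file getattr;` even though its name promises only audit suppression; the commit rewrites the interface's gen_require but leaves this context line as it was. Every other dontaudit interface touched here (hotplug_dontaudit_use_fd, init_dontaudit_use_fd, init_dontaudit_use_script_pty) uses a dontaudit rule, so a caller of this one gets a real grant it did not ask for. Suggest `dontaudit $1 sbin_t:file getattr;`.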


@ -206,7 +206,7 @@ define(`files_manage_all_files',`
allow $1 { file_type $2 }:sock_file create_file_perms;
# satisfy the assertions:
seutil_write_binary_pol($1)
seutil_create_binary_pol($1)
bootloader_manage_kernel_modules($1)
')
@ -488,33 +488,27 @@ define(`files_unmount_rootfs_depend',`
# files_search_etc(domain)
#
define(`files_search_etc',`
gen_require(`$0'_depend)
gen_require(`
type etc_t;
class dir search;
')
allow $1 etc_t:dir search;
')
define(`files_search_etc_depend',`
type etc_t;
class dir search;
')
########################################
#
# files_read_generic_etc_files_directory(domain)
# files_list_etc(domain)
#
define(`files_read_generic_etc_files_directory',`
gen_require(`$0'_depend)
define(`files_list_etc',`
gen_require(`
type etc_t;
class dir r_dir_perms;
')
allow $1 etc_t:dir r_dir_perms;
')
define(`files_read_generic_etc_files_directory_depend',`
type etc_t;
class dir r_dir_perms;
')
########################################
#
# files_read_generic_etc_files(domain)


@ -12,12 +12,15 @@
## </interface>
#
define(`getty_domtrans',`
gen_require(`$0'_depend)
gen_require(`
type getty_t, getty_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 getty_exec_t:file { getattr read execute };
allow $1 getty_t:process transition;
type_transition $1 getty_exec_t:process getty_t;
dontaudit $1 getty_t:process { noatsecure siginh rlimitinh };
corecmd_search_sbin($1)
domain_auto_trans($1,getty_exec_t,getty_t)
allow $1 getty_t:fd use;
allow getty_t $1:fd use;
@ -25,15 +28,6 @@ define(`getty_domtrans',`
allow getty_t $1:process sigchld;
')
define(`getty_domtrans_depend',`
type getty_t, getty_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="getty_read_log">
## <description>
@ -45,17 +39,15 @@ define(`getty_domtrans_depend',`
## </interface>
#
define(`getty_read_log',`
gen_require(`$0'_depend)
gen_require(`
type getty_log_t;
class file { getattr read };
')
logging_search_logs($1)
allow $1 getty_log_t:file { getattr read };
')
define(`getty_read_log_depend',`
type getty_log_t;
class file { getattr read };
')
########################################
## <interface name="getty_read_config">
## <description>
@ -67,17 +59,15 @@ define(`getty_read_log_depend',`
## </interface>
#
define(`getty_read_config',`
gen_require(`$0'_depend)
gen_require(`
type getty_etc_t;
class file { getattr read };
')
files_search_etc($1)
allow $1 getty_etc_t:file { getattr read };
')
define(`getty_read_config_depend',`
type getty_etc_t;
class file { getattr read };
')
########################################
## <interface name="getty_modify_config">
## <description>
@ -89,15 +79,13 @@ define(`getty_read_config_depend',`
## </interface>
#
define(`getty_modify_config',`
gen_require(`$0'_depend)
gen_require(`
type getty_etc_t;
class file rw_file_perms;
')
allow $1 getty_etc_t:file { getattr read write };
')
define(`getty_modify_config_depend',`
type getty_etc_t;
class file { getattr read write };
files_search_etc($1)
allow $1 getty_etc_t:file rw_file_perms;
')
## </module>
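Review bot: getty_modify_config's new rule `allow $1 getty_etc_t:file rw_file_perms;` replaces the explicit `{ getattr read write }` of the old version, and the gen_require was changed to match. If rw_file_perms expands to more than those three permissions (in this policy base it is a wider macro, presumably adding ioctl, lock and append — confirm against the obj_perm_sets definition), this is a quiet widening of what the interface hands out rather than a pure cleanup. If the widening is intended, a one-line comment such as `# rw_file_perms: full read/write access to the getty config is intended` would make it reviewable; otherwise keep the explicit set in both the require block and the rule.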


@ -13,12 +13,15 @@
## </interface>
#
define(`hostname_domtrans',`
gen_require(`$0'_depend)
gen_require(`
type hostname_t, hostname_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 hostname_exec_t:file rx_file_perms;
allow $1 hostname_t:process transition;
type_transition $1 hostname_exec_t:process hostname_t;
dontaudit $1 hostname_t:process { noatsecure siginh rlimitinh };
corecmd_search_bin($1)
domain_auto_trans($1,hostname_exec_t,hostname_t)
allow $1 hostname_t:fd use;
allow hostname_t $1:fd use;
@ -26,15 +29,6 @@ define(`hostname_domtrans',`
allow hostname_t $1:process sigchld;
')
define(`hostname_domtrans_depend',`
type hostname_t, hostname_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="hostname_run">
## <description>
@ -54,19 +48,16 @@ define(`hostname_domtrans_depend',`
## </interface>
#
define(`hostname_run',`
gen_require(`$0'_depend)
gen_require(`
type hostname_t;
class chr_file { getattr read write ioctl };
')
hostname_domtrans($1)
role $2 types hostname_t;
allow hostname_t $3:chr_file { getattr read write ioctl };
')
define(`hostname_run_depend',`
type hostname_t;
class chr_file { getattr read write ioctl };
')
########################################
## <interface name="hostname_exec">
## <description>
@ -78,21 +69,12 @@ define(`hostname_run_depend',`
## </parameter>
## </interface>
#
#######################################
#
# hostname_exec(domain)
#
define(`hostname_exec',`
gen_require(`$0'_depend)
gen_require(`
type hostname_exec_t;
')
can_exec($1,hostname_exec_t)
')
define(`hostname_exec_depend',`
type hostname_exec_t;
class file { getattr read execute execute_no_trans };
')
## </module>


@ -9,12 +9,15 @@
# hotplug_domtrans(domain)
#
define(`hotplug_domtrans',`
gen_require(`$0'_depend)
gen_require(`
type hotplug_t, hotplug_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 hotplug_exec_t:file rx_file_perms;
allow $1 hotplug_t:process transition;
type_transition $1 hotplug_exec_t:process hotplug_t;
dontaudit $1 hotplug_t:process { noatsecure siginh rlimitinh };
corecmd_search_sbin($1)
domain_auto_trans($1,hotplug_exec_t,hotplug_t)
allow $1 hotplug_t:fd use;
allow hotplug_t $1:fd use;
@ -22,30 +25,17 @@ define(`hotplug_domtrans',`
allow hotplug_t $1:process sigchld;
')
define(`hotplug_domtrans_depend',`
type hotplug_t, hotplug_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
#######################################
#
# hotplug_exec(domain)
#
define(`hotplug_exec',`
gen_require(`$0'_depend)
gen_require(`
type hotplug_t;
')
corecmd_search_sbin($1)
can_exec($1,hotplug_exec_t)
')
define(`hotplug_exec_depend',`
type hotplug_t;
class file { getattr read execute execute_no_trans };
')
#######################################
@ -53,49 +43,40 @@ define(`hotplug_exec_depend',`
# hotplug_use_fd(domain)
#
define(`hotplug_use_fd',`
gen_require(`$0'_depend)
gen_require(`
type hotplug_t;
class fd use;
')
allow $1 hotplug_t:fd use;
')
define(`hotplug_use_fd_depend',`
type hotplug_t;
class fd use;
')
#######################################
#
# hotplug_dontaudit_use_fd(domain)
#
define(`hotplug_dontaudit_use_fd',`
gen_require(`$0'_depend)
gen_require(`
type hotplug_t;
class fd use;
')
dontaudit $1 hotplug_t:fd use;
')
define(`hotplug_dontaudit_use_fd_depend',`
type hotplug_t;
class fd use;
')
########################################
#
# hotplug_dontaudit_search_config(domain)
#
define(`hotplug_dontaudit_search_config',`
gen_require(`$0'_depend)
gen_require(`
type hotplug_etc_t;
class dir search;
')
dontaudit $1 hotplug_etc_t:dir search;
')
define(`hotplug_dontaudit_search_config_depend',`
type hotplug_etc_t;
class dir search;
')
########################################
## <interface name="hotplug_read_config">
## <description>
@ -107,7 +88,12 @@ define(`hotplug_dontaudit_search_config_depend',`
## </interface>
#
define(`hotplug_read_config',`
gen_require(`$0'_depend)
gen_require(`
type hotplug_etc_t;
class file r_file_perms;
class dir r_dir_perms;
class lnk_file r_file_perms;
')
files_search_etc($1)
allow $1 hotplug_etc_t:file r_file_perms;
@ -115,12 +101,4 @@ define(`hotplug_read_config',`
allow $1 hotplug_etc_t:lnk_file r_file_perms;
')
define(`hotplug_read_config_depend',`
type hotplug_etc_t;
class file r_file_perms;
class dir r_dir_perms;
class lnk_file r_file_perms;
')
## </module>
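Review bot: hotplug_exec's new gen_require declares `type hotplug_t;`, but the body calls `can_exec($1,hotplug_exec_t)`, so the type it actually references is never required and the one it requires is unused. The removed hotplug_exec_depend had the same mistake, and the rewrite carries it forward; iptables_exec in this commit gets it right with `type iptables_exec_t;`. Change the require line to `type hotplug_exec_t;`. The same kind of mismatch is in init.if, where init_rw_script_tmp_files requires `type initrc_var_run_t;` while its only rule is `allow $1 initrc_tmp_t:file rw_file_perms;` and should require `type initrc_tmp_t;` instead.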


@ -6,17 +6,20 @@
# init_domain(domain,entrypointfile)
#
define(`init_domain',`
gen_require(`$0'_depend)
gen_require(`
type init_t;
role system_r;
class fd use;
class fifo_file rw_file_perms;
class process sigchld;
')
domain_type($1)
domain_entry_file($1,$2)
role system_r types $1;
allow init_t $1:process transition;
allow init_t $2:file rx_file_perms;
dontaudit init_t $1:process { noatsecure siginh rlimitinh };
type_transition init_t $2:process $1;
domain_auto_trans(init_t,$2,$1)
allow $1 init_t:fd use;
allow init_t $1:fd use;
@ -31,31 +34,25 @@ define(`init_domain',`
')
')
define(`init_domain_depend',`
type init_t;
class file rx_file_perms;
class fd use;
class fifo_file rw_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
role system_r;
')
########################################
#
# init_daemon_domain(domain,entrypointfile)
#
define(`init_daemon_domain',`
gen_require(`$0'_depend)
gen_require(`
type initrc_t;
role system_r;
class fifo_file rw_file_perms;
class fd use;
class process sigchld;
')
domain_type($1)
domain_entry_file($1,$2)
role system_r types $1;
allow initrc_t $1:process transition;
allow initrc_t $2:file rx_file_perms;
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
type_transition initrc_t $2:process $1;
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow $1 initrc_t:fd use;
@ -70,33 +67,25 @@ define(`init_daemon_domain',`
')
')
define(`init_daemon_domain_depend',`
type initrc_t;
role system_r;
class file rx_file_perms;
class fifo_file rw_file_perms;
class fd use;
class process { transition noatsecure siginh rlimitinh sigchld };
')
########################################
#
# init_system_domain(domain,entrypointfile)
#
define(`init_system_domain',`
gen_require(`$0'_depend)
gen_require(`
type initrc_t;
role system_r;
class fd use;
class fifo_file rw_file_perms;
class process sigchld;
')
domain_type($1)
domain_entry_file($1,$2)
role system_r types $1;
allow initrc_t $1:process transition;
allow initrc_t $2:file rx_file_perms;
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
type_transition initrc_t $2:process $1;
domain_auto_trans(initrc_t,$2,$1)
allow initrc_t $1:fd use;
allow $1 initrc_t:fd use;
@ -111,27 +100,19 @@ define(`init_system_domain',`
')
')
define(`init_system_domain_depend',`
type initrc_t;
role system_r;
class file rx_file_perms;
class fd use;
class fifo_file rw_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
')
########################################
#
# init_domtrans(domain)
#
define(`init_domtrans',`
gen_require(`$0'_depend)
gen_require(`
type init_t, init_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 init_exec_t:file rx_file_perms;
allow $1 init_t:process transition;
type_transition $1 init_exec_t:process init_t;
dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
domain_auto_trans($1,init_exec_t,init_t)
allow $1 init_t:fd use;
allow init_t $1:fd use;
@ -139,155 +120,125 @@ define(`init_domtrans',`
allow init_t $1:process sigchld;
')
define(`init_domtrans_depend',`
type init_t, init_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
#
# init_get_process_group(domain)
#
define(`init_get_process_group',`
gen_require(`$0'_depend)
gen_require(`
type init_t;
class process getpgid;
')
allow $1 init_t:process getpgid;
')
define(`init_get_process_group_depend',`
type init_t;
class process getpgid;
')
########################################
#
# init_getattr_initctl(domain)
#
define(`init_getattr_initctl',`
gen_require(`$0'_depend)
gen_require(`
type initctl_t;
class fifo_file getattr;
')
allow $1 initctl_t:fifo_file getattr;
')
define(`init_getattr_initctl_depend',`
type initctl_t;
class fifo_file getattr;
')
########################################
#
# init_dontaudit_getattr_initctl(domain)
#
define(`init_dontaudit_getattr_initctl',`
gen_require(`$0'_depend)
gen_require(`
type initctl_t;
class fifo_file getattr;
')
dontaudit $1 initctl_t:fifo_file getattr;
')
define(`init_getattr_initctl_depend',`
type initctl_t;
class fifo_file getattr;
')
########################################
#
# init_use_initctl(domain)
#
define(`init_use_initctl',`
gen_require(`$0'_depend)
gen_require(`
type initctl_t;
class fifo_file rw_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_file_perms;
')
define(`init_use_initctl_depend',`
type initctl_t;
class fifo_file rw_file_perms;
')
########################################
#
# init_dontaudit_use_initctl(domain)
#
define(`init_dontaudit_use_initctl',`
gen_require(`$0'_depend)
gen_require(`
type initctl_t;
class fifo_file { read write };
')
dontaudit $1 initctl_t:fifo_file { read write };
')
define(`init_dontaudit_use_initctl_depend',`
type initctl_t;
class fifo_file { read write };
')
########################################
#
# init_sigchld(domain)
#
define(`init_sigchld',`
gen_require(`$0'_depend)
gen_require(`
type init_t;
class process sigchld;
')
allow $1 init_t:process sigchld;
')
define(`init_sigchld_depend',`
type init_t;
class process sigchld;
')
########################################
#
# init_use_fd(domain)
#
define(`init_use_fd',`
gen_require(`$0'_depend)
gen_require(`
type init_t;
class fd use;
')
allow $1 init_t:fd use;
')
define(`init_use_fd_depend',`
type init_t;
class fd use;
')
########################################
#
# init_dontaudit_use_fd(domain)
#
define(`init_dontaudit_use_fd',`
gen_require(`$0'_depend)
gen_require(`
type init_t;
class fd use;
')
dontaudit $1 init_t:fd use;
')
define(`init_dontaudit_use_fd_depend',`
type init_t;
class fd use;
')
########################################
#
# init_domtrans_script(domain)
#
define(`init_domtrans_script',`
gen_require(`$0'_depend)
gen_require(`
type initrc_t, initrc_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 initrc_exec_t:file rx_file_perms;
allow $1 initrc_t:process transition;
type_transition $1 initrc_exec_t:process init_t;
dontaudit $1 init_t:process { noatsecure siginh rlimitinh };
files_list_etc($1)
domain_auto_trans($1,initrc_exec_t,initrc_t)
allow $1 initrc_t:fd use;
allow initrc_t $1:fd use;
@ -295,30 +246,17 @@ define(`init_domtrans_script',`
allow initrc_t $1:process sigchld;
')
define(`init_domtrans_script_depend',`
type initrc_t, initrc_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
#
# init_exec_script(domain)
#
define(`init_exec_script',`
gen_require(`$0'_depend)
gen_require(`
type initrc_exec_t;
')
files_list_etc($1)
can_exec($1,initrc_exec_t)
')
define(`init_exec_script_depend',`
type initrc_exec_t;
class file { getattr read execute execute_no_trans };
')
########################################
@ -332,8 +270,15 @@ define(`init_exec_script_depend',`
## </interface>
#
define(`init_read_script_process_state',`
gen_require(`$0'_depend)
gen_require(`
type initrc_t;
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
class process { getattr ptrace };
')
#FIXME: search proc dir
allow $1 initrc_t:dir r_dir_perms;
allow $1 initrc_t:{ file lnk_file } r_file_perms;
allow $1 initrc_t:process getattr;
@ -345,78 +290,57 @@ define(`init_read_script_process_state',`
dontaudit $1 initrc_t:process ptrace;
')
define(`init_read_script_process_state_depend',`
type initrc_t;
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
class process { getattr ptrace };
')
########################################
#
# init_use_script_fd(domain)
#
define(`init_use_script_fd',`
gen_require(`$0'_depend)
gen_require(`
type initrc_t;
class fd use;
')
allow $1 initrc_t:fd use;
')
define(`init_use_script_fd_depend',`
type initrc_t;
class fd use;
')
########################################
#
# init_dontaudit_use_script_fd(domain)
#
define(`init_dontaudit_use_script_fd',`
gen_require(`$0'_depend)
gen_require(`
type initrc_t;
class fd use;
')
dontaudit $1 initrc_t:fd use;
')
define(`init_dontaudit_use_script_fd_depend',`
type initrc_t;
class fd use;
')
########################################
#
# init_get_script_process_group(domain)
#
define(`init_get_script_process_group',`
gen_require(`$0'_depend)
gen_require(`
type initrc_t;
class process getpgid;
')
allow $1 initrc_t:process getpgid;
')
define(`init_get_script_process_group_depend',`
type initrc_t;
class process getpgid;
')
########################################
#
# init_use_script_pty(domain)
#
define(`init_use_script_pty',`
gen_require(`$0'_depend)
gen_require(`
type initrc_devpts_t;
class chr_file rw_term_perms;
')
term_list_ptys($1)
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
')
define(`init_use_script_pty_depend',`
type initrc_devpts_t;
class chr_file { getattr read write ioctl };
allow $1 initrc_devpts_t:chr_file rw_term_perms;
')
########################################
@ -424,17 +348,14 @@ define(`init_use_script_pty_depend',`
# init_dontaudit_use_script_pty(domain)
#
define(`init_dontaudit_use_script_pty',`
gen_require(`$0'_depend)
gen_require(`
type initrc_devpts_t;
class chr_file { read write ioctl };
')
dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
')
define(`init_dontaudit_use_script_pty_depend',`
type initrc_devpts_t;
class chr_file { read write ioctl };
')
########################################
## <interface name="init_rw_script_tmp_files">
## <description>
@ -446,82 +367,67 @@ define(`init_dontaudit_use_script_pty_depend',`
## </interface>
#
define(`init_rw_script_tmp_files',`
gen_require(`$0'_depend)
gen_require(`
type initrc_var_run_t;
class file rw_file_perms;
')
# FIXME: read tmp_t
# FIXME: read tmp_t dir
allow $1 initrc_tmp_t:file rw_file_perms;
')
define(`init_rw_script_tmp_files_depend',`
type initrc_var_run_t;
class file rw_file_perms;
')
########################################
#
# init_read_script_pid(domain)
#
define(`init_read_script_pid',`
gen_require(`$0'_depend)
gen_require(`
type initrc_var_run_t;
class file r_file_perms;
')
files_list_pids($1)
allow $1 initrc_var_run_t:file r_file_perms;
')
define(`init_read_script_pid_depend',`
type initrc_var_run_t;
class file r_file_perms;
')
########################################
#
# init_dontaudit_write_script_pid(domain)
#
define(`init_dontaudit_write_script_pid',`
gen_require(`$0'_depend)
gen_require(`
type initrc_var_run_t;
class file { write lock };
')
dontaudit $1 initrc_var_run_t:file { write lock };
')
define(`init_dontaudit_write_script_pid_depend',`
type initrc_var_run_t;
class file { write lock };
')
########################################
#
# init_rw_script_pid(domain)
#
define(`init_rw_script_pid',`
gen_require(`$0'_depend)
gen_require(`
type initrc_var_run_t;
class file rw_file_perms;
')
files_list_pids($1)
allow $1 initrc_var_run_t:file rw_file_perms;
')
define(`init_rw_script_pid_depend',`
type initrc_var_run_t;
class file rw_file_perms;
')
########################################
#
# init_dontaudit_rw_script_pid(domain)
#
define(`init_dontaudit_rw_script_pid',`
gen_require(`$0'_depend)
gen_require(`
type initrc_var_run_t;
class file rw_file_perms;
')
dontaudit $1 initrc_var_run_t:file { getattr read write append };
')
define(`init_dontaudit_rw_script_pid_depend',`
type initrc_var_run_t;
class file rw_file_perms;
')
## </module>


@ -12,12 +12,15 @@
## </interface>
#
define(`iptables_domtrans',`
gen_require(`$0'_depend)
gen_require(`
type iptables_t, iptables_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 iptables_exec_t:file rx_file_perms;
allow $1 iptables_t:process transition;
type_transition $1 iptables_exec_t:process iptables_t;
dontaudit $1 iptables_t:process { noatsecure siginh rlimitinh };
corecmd_search_sbin($1)
domain_auto_trans($1,iptables_exec_t,iptables_t)
allow $1 iptables_t:fd use;
allow iptables_t $1:fd use;
@ -25,15 +28,6 @@ define(`iptables_domtrans',`
allow iptables_t $1:process sigchld;
')
define(`iptables_domtrans_depend',`
type iptables_t, iptables_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="iptables_run">
## <description>
@ -52,17 +46,14 @@ define(`iptables_domtrans_depend',`
## </interface>
#
define(`iptables_run',`
gen_require(`$0'_depend)
gen_require(`
type iptables_t;
class chr_file rw_term_perms;
')
iptables_domtrans($1)
role $2 types iptables_t;
allow iptables_t $3:chr_file { getattr read write ioctl };
')
define(`iptables_run_depend',`
type iptables_t;
class chr_file { getattr read write ioctl };
allow iptables_t $3:chr_file rw_term_perms;
')
########################################
@ -76,16 +67,12 @@ define(`iptables_run_depend',`
## </interface>
#
define(`iptables_exec',`
gen_require(`$0'_depend)
gen_require(`
type iptables_exec_t;
')
corecmd_search_sbin($1)
can_exec($1,iptables_exec_t)
')
define(`iptables_exec_depend',`
type iptables_t, iptables_exec_t;
class file { getattr read execute execute_no_trans };
')
## </module>


@ -12,8 +12,14 @@
## </interface>
#
define(`libs_domtrans_ldconfig',`
gen_require(`$0'_depend)
gen_require(`
type ldconfig_t, ldconfig_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
allow $1 ldconfig_t:fd use;
@ -22,15 +28,6 @@ define(`libs_domtrans_ldconfig',`
allow ldconfig_t $1:process sigchld;
')
define(`libs_domtrans_ldconfig_depend',`
type ldconfig_t, ldconfig_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="libs_run_ldconfig">
## <description>
@ -48,17 +45,14 @@ define(`libs_domtrans_ldconfig_depend',`
## </interface>
#
define(`libs_run_ldconfig',`
gen_require(`$0'_depend)
gen_require(`
type ldconfig_t;
class chr_file rw_term_perms;
')
libs_domtrans_ldconfig($1)
role $2 types ldconfig_t;
allow ldconfig_t $3:chr_file { getattr read write ioctl };
')
define(`libs_run_ldconfig_depend',`
type ldconfig_t;
class chr_file { getattr read write ioctl };
allow ldconfig_t $3:chr_file rw_term_perms;
')
########################################
@ -73,9 +67,14 @@ define(`libs_run_ldconfig_depend',`
## </interface>
#
define(`libs_use_ld_so',`
gen_require(`$0'_depend)
gen_require(`
type lib_t, ld_so_t, ld_so_cache_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file rx_file_perms;
')
files_read_generic_etc_files_directory($1)
files_list_etc($1)
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 ld_so_t:lnk_file r_file_perms;
@ -83,14 +82,6 @@ define(`libs_use_ld_so',`
allow $1 ld_so_cache_t:file r_file_perms;
')
define(`libs_use_ld_so_depend',`
type lib_t, ld_so_t, ld_so_cache_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file rx_file_perms;
')
########################################
## <interface name="libs_legacy_use_ld_so">
## <description>
@ -103,19 +94,16 @@ define(`libs_use_ld_so_depend',`
## </interface>
#
define(`libs_legacy_use_ld_so',`
gen_require(`$0'_depend)
gen_require(`
type ld_so_t, ld_so_cache_t;
class file { execute execmod };
')
libs_use_ld_so($1)
allow $1 ld_so_t:file execmod;
allow $1 ld_so_cache_t:file execute;
')
define(`libs_legacy_use_ld_so_depend',`
type ld_so_t, ld_so_cache_t;
class file { execute execmod };
')
########################################
## <interface name="libs_exec_ld_so">
## <description>
@ -132,20 +120,16 @@ define(`libs_legacy_use_ld_so_depend',`
## </interface>
#
define(`libs_exec_ld_so',`
gen_require(`$0'_depend)
gen_require(`
type lib_t, ld_so_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
')
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 ld_so_t:lnk_file r_file_perms;
allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
')
define(`libs_exec_ld_so_depend',`
type lib_t, ld_so_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file { r_file_perms execute execute_no_trans };
can_exec($1,ld_so_t)
')
########################################
@ -160,16 +144,32 @@ define(`libs_exec_ld_so_depend',`
## </interface>
#
define(`libs_rw_ld_so_cache',`
gen_require(`$0'_depend)
gen_require(`
type ld_so_cache_t;
class file rw_file_perms;
')
files_read_generic_etc_files_directory($1)
files_list_etc($1)
allow $1 ld_so_cache_t:file rw_file_perms;
')
define(`libs_rw_ld_so_cache_depend',`
type ld_so_cache_t;
########################################
## <interface name="libs_search_lib">
## <description>
## Search lib directories.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
## </parameter>
## </interface>
#
define(`libs_search_lib',`
gen_require(`
type lib_t;
class dir search;
')
class file rw_file_perms;
allow $1 lib_t:dir search;
')
########################################
@ -184,20 +184,18 @@ define(`libs_rw_ld_so_cache_depend',`
## </interface>
#
define(`libs_read_lib',`
gen_require(`$0'_depend)
gen_require(`
type lib_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file r_file_perms;
')
files_search_usr($1)
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:{ file lnk_file } r_file_perms;
')
define(`libs_read_lib_depend',`
type lib_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file r_file_perms;
')
########################################
## <interface name="libs_exec_lib_files">
## <description>
@ -209,19 +207,16 @@ define(`libs_read_lib_depend',`
## </interface>
#
define(`libs_exec_lib_files',`
gen_require(`$0'_depend)
gen_require(`
type lib_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
')
files_search_usr($1)
allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms;
allow $1 lib_t:file { getattr read execute execute_no_trans };
')
define(`libs_exec_lib_files_depend',`
type lib_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file { getattr read execute execute_no_trans };
can_exec($1,lib_t)
')
########################################
@ -235,7 +230,12 @@ define(`libs_exec_lib_files_depend',`
## </interface>
#
define(`libs_use_shared_libs',`
gen_require(`$0'_depend)
gen_require(`
type lib_t, shlib_t, texrel_shlib_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file rx_dir_perms;
')
files_search_usr($1)
allow $1 lib_t:dir r_dir_perms;
@ -244,14 +244,6 @@ define(`libs_use_shared_libs',`
allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
')
define(`libs_use_shared_libs_depend',`
type lib_t, shlib_t, texrel_shlib_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file rx_dir_perms;
')
########################################
## <interface name="libs_legacy_use_shared_libs">
## <description>
@ -264,16 +256,13 @@ define(`libs_use_shared_libs_depend',`
## </interface>
#
define(`libs_legacy_use_shared_libs',`
gen_require(`$0'_depend)
gen_require(`
type shlib_t, texrel_shlib_t;
class file execmod;
')
libs_use_shared_libs($1)
allow $1 { shlib_t texrel_shlib_t }:file execmod;
')
define(`libs_legacy_use_shared_libs_depend',`
type shlib_t, texrel_shlib_t;
class file execmod;
')
## </module>
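Review bot: libs_use_shared_libs's new gen_require block declares `class file rx_dir_perms;` while the rule it guards is `allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;`, so the required permission set does not match the one actually used; the line should read `class file rx_file_perms;`. The same mismatch was present in the removed libs_use_shared_libs_depend block, so the commit carries it over rather than introducing it. libs_exec_ld_so and libs_exec_lib_files now drop `class file` from their requires and rely on `can_exec($1,...)`, which is only correct if that macro carries its own requires for the file permissions it grants; that cannot be confirmed from this section.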


@ -12,15 +12,13 @@
## </interface>
#
define(`locallogin_domtrans',`
gen_require(`$0'_depend)
gen_require(`
type local_login_t;
')
auth_domtrans_login_program($1,local_login_t)
')
define(`locallogin_domtrans_depend',`
type local_login_t;
')
########################################
## <interface name="locallogin_use_fd">
## <description>
@ -31,20 +29,13 @@ define(`locallogin_domtrans_depend',`
## </parameter>
## </interface>
#
########################################
#
# locallogin_use_fd(domain)
#
define(`locallogin_use_fd',`
gen_require(`$0'_depend)
gen_require(`
type local_login_t;
class fd use;
')
allow $1 local_login_t:fd use;
')
define(`locallogin_use_fd_depend',`
type local_login_t;
class fd use;
')
## </module>
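Review bot: locallogin_use_fd is documented twice: the XML block ending at `## </interface>` is immediately followed by the legacy banner `# locallogin_use_fd(domain)` with its `#####` separator lines, while the other interfaces rewritten in this commit keep only the XML form. Dropping the four legacy lines would make this interface consistent with locallogin_domtrans directly above it. The rendered hunk does not show whether those banner lines are context or added here, so this may be pre-existing.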


@ -6,22 +6,23 @@
# logging_log_file(domain)
#
define(`logging_log_file',`
gen_require(`$0'_depend)
gen_require(`
attribute logfile;
')
files_file_type($1)
typeattribute $1 logfile;
')
define(`logging_log_file_depend',`
attribute logfile;
')
########################################
#
# logging_create_log(domain,privatetype,[class(es)])
#
define(`logging_create_log',`
gen_require(`$0'_depend)
gen_require(`
type var_log_t;
class dir rw_dir_perms;
')
allow $1 var_log_t:dir rw_dir_perms;
@ -32,18 +33,18 @@ define(`logging_create_log',`
')
')
define(`logging_create_log_depend',`
type var_log_t;
class dir rw_dir_perms;
')
#######################################
#
# logging_send_syslog_msg(domain)
#
define(`logging_send_syslog_msg',`
gen_require(`$0'_depend)
gen_require(`
type syslogd_t, devlog_t;
class lnk_file read;
class sock_file rw_file_perms;
class unix_dgram_socket { create_socket_perms sendto };
class unix_stream_socket { create_socket_perms connectto };
')
allow $1 devlog_t:lnk_file read;
allow $1 devlog_t:sock_file rw_file_perms;
@ -58,14 +59,6 @@ define(`logging_send_syslog_msg',`
term_use_console($1)
')
define(`logging_send_syslog_msg_depend',`
type syslogd_t, devlog_t;
class sock_file rw_file_perms;
class unix_dgram_socket { create_socket_perms sendto };
class unix_stream_socket { create_socket_perms connectto };
')
########################################
## <interface name="logging_search_logs">
## <description>
@ -79,131 +72,108 @@ define(`logging_send_syslog_msg_depend',`
## </interface>
#
define(`logging_search_logs',`
gen_require(`$0'_depend)
gen_require(`
type var_log_t;
class dir search;
')
files_search_var($1)
allow $1 var_log_t:dir search;
')
define(`logging_search_logs_depend',`
type var_log_t;
class dir search;
')
#######################################
#
# logging_dontaudit_getattr_all_logs(domain)
#
define(`logging_dontaudit_getattr_all_logs',`
gen_require(`$0'_depend)
gen_require(`
attribute logfile;
class file getattr;
')
dontaudit $1 logfile:file getattr;
')
define(`logging_dontaudit_getattr_all_logs_depend',`
attribute logfile;
class file getattr;
')
#######################################
#
# logging_append_all_logs(domain)
#
define(`logging_append_all_logs',`
gen_require(`$0'_depend)
gen_require(`
attribute logfile;
type var_log_t;
class dir r_dir_perms;
class file { getattr append };
')
files_search_var($1)
allow $1 var_log_t:dir r_dir_perms;
allow $1 logfile:file { getattr append };
')
define(`logging_append_all_logs_depend',`
attribute logfile;
type var_log_t;
class dir r_dir_perms;
class file { getattr append };
')
#######################################
#
# logging_read_all_logs(domain)
#
define(`logging_read_all_logs',`
gen_require(`$0'_depend)
gen_require(`
attribute logfile;
type var_log_t;
class dir r_dir_perms;
class file r_file_perms;
')
files_search_var($1)
allow $1 var_log_t:dir r_dir_perms;
allow $1 logfile:file r_file_perms;
')
define(`logging_read_all_logs_depend',`
attribute logfile;
type var_log_t;
class dir r_dir_perms;
class file r_file_perms;
')
#######################################
#
# logging_read_generic_logs(domain)
#
define(`logging_read_generic_logs',`
gen_require(`$0'_depend)
gen_require(`
type var_log_t;
class dir r_dir_perms;
class file r_file_perms;
')
files_search_var($1)
allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file r_file_perms;
')
define(`logging_read_generic_logs_depend',`
type var_log_t;
class dir r_dir_perms;
class file r_file_perms;
')
#######################################
#
# logging_write_generic_logs(domain)
#
define(`logging_write_generic_logs',`
gen_require(`$0'_depend)
gen_require(`
type var_log_t;
class dir r_dir_perms;
class file { getattr write };
')
files_search_var($1)
allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file { getattr write };
')
define(`logging_write_generic_logs_depend',`
type var_log_t;
class dir r_dir_perms;
class file { getattr write };
')
#######################################
#
# logging_rw_generic_logs(domain)
#
define(`logging_rw_generic_logs',`
gen_require(`$0'_depend)
gen_require(`
type var_log_t;
class dir r_dir_perms;
class file rw_file_perms;
')
files_search_var($1)
allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file rw_file_perms;
')
define(`logging_rw_generic_logs_depend',`
type var_log_t;
class dir r_dir_perms;
class file rw_file_perms;
')
## </module>
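Review bot: Apart from logging_search_logs, none of the logging interfaces in this section carry an XML `<interface>` description; logging_log_file, logging_create_log, logging_send_syslog_msg, logging_dontaudit_getattr_all_logs, logging_append_all_logs, logging_read_all_logs, logging_read_generic_logs, logging_write_generic_logs and logging_rw_generic_logs have only a `# name(domain)` banner. Since the commit already rewrites each of their gen_require blocks, an `<interface name="...">` block with a `<description>` and a `<parameter name="domain">` entry in the style of logging_search_logs would fit here. For logging_append_all_logs and logging_read_all_logs the description should say that the grant covers every type carrying the `logfile` attribute, not just var_log_t, since that is what `allow $1 logfile:file ...` does. logging_create_log's body continues outside the hunk.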

View File

@ -12,8 +12,14 @@
## </interface>
#
define(`lvm_domtrans',`
gen_require(`$0'_depend)
gen_require(`
type lvm_t, lvm_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
domain_auto_trans($1, lvm_exec_t, lvm_t)
allow $1 lvm_t:fd use;
@ -22,15 +28,6 @@ define(`lvm_domtrans',`
allow lvm_t $1:process sigchld;
')
define(`lvm_domtrans_depend',`
type lvm_t, lvm_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="lvm_run">
## <description>
@ -48,17 +45,14 @@ define(`lvm_domtrans_depend',`
## </interface>
#
define(`lvm_run',`
gen_require(`$0'_depend)
gen_require(`
type lvm_t;
class chr_file rw_term_perms;
')
lvm_domtrans($1)
role $2 types lvm_t;
allow lvm_t $3:chr_file { getattr read write ioctl };
')
define(`lvm_run_depend',`
type lvm_t;
class chr_file { getattr read write ioctl };
allow lvm_t $3:chr_file rw_term_perms;
')
########################################
@ -72,17 +66,15 @@ define(`lvm_run_depend',`
## </interface>
#
define(`lvm_read_config',`
gen_require(`$0'_depend)
gen_require(`
type lvm_t, lvm_exec_t;
class dir r_dir_perms;
class file r_file_perms;
')
files_search_etc($1)
allow $1 lvm_etc_t:dir r_dir_perms;
allow $1 lvm_etc_t:file r_file_perms;
')
define(`lvm_read_config_depend',`
type lvm_t, lvm_exec_t;
class dir r_dir_perms;
class file r_file_perms;
')
## </module>
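Review bot: lvm_read_config's new gen_require declares `type lvm_t, lvm_exec_t;` but the two rules it guards use `lvm_etc_t` (`allow $1 lvm_etc_t:dir r_dir_perms;` and `allow $1 lvm_etc_t:file r_file_perms;`), which is not required at all, while the two required types are unused; the line should read `type lvm_etc_t;`. The same mismatch was present in the removed lvm_read_config_depend block, so the commit carries it over rather than introducing it.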


@ -7,77 +7,69 @@
## Allow process to create files and dirs in /var/cache/man
## and /var/catman/
## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain">
## Type type of the process performing this action.
## </parameter>
## </interface>
#
define(`miscfiles_rw_man_cache',`
gen_require(`$0'_depend)
gen_require(`
type catman_t;
class dir create_dir_perms;
class file create_file_perms;
')
# FIXME: search var_t dir
files_search_var($1)
allow $1 catman_t:dir create_dir_perms;
allow $1 catman_t:file create_file_perms;
')
define(`miscfiles_rw_man_cache_depend',`
type catman_t;
class dir create_dir_perms;
class file create_file_perms;
')
########################################
## <interface name="miscfiles_read_fonts">
## <description>
## Allow process to read fonts files
## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain">
## Type type of the process performing this action.
## </parameter>
## </interface>
#
define(`miscfiles_read_fonts',`
gen_require(`$0'_depend)
gen_require(`
type fonts_t;
class dir r_dir_perms;
class file r_file_perms;
')
files_search_usr($1)
libs_search_lib($1)
# FIXME: search usr_t dir
# FIXME: search lib_t dir
# cjp: fonts can be in either of the above dirs
allow $1 fonts_t:dir r_dir_perms;
allow $1 fonts_t:file r_file_perms;
')
define(`miscfiles_read_fonts_depend',`
type fonts_t;
class dir r_dir_perms;
class file r_file_perms;
')
########################################
## <interface name="miscfiles_read_localization">
## <description>
## Allow process to read localization info
## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain">
## Type type of the process performing this action.
## </parameter>
## </interface>
#
define(`miscfiles_read_localization',`
gen_require(`$0'_depend)
gen_require(`
type locale_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file r_file_perms;
')
files_search_etc($1)
# FIXME: $1 read etc_t:lnk_file here
# FIXME: $1 search usr_t:dir here
files_search_usr($1)
allow $1 locale_t:dir r_dir_perms;
allow $1 locale_t:lnk_file r_file_perms;
allow $1 locale_t:file r_file_perms;
@ -86,68 +78,48 @@ define(`miscfiles_read_localization',`
libs_read_lib($1)
')
define(`miscfiles_read_localization_depend',`
type locale_t;
class dir r_dir_perms;
class lnk_file r_file_perms;
class file r_file_perms;
')
########################################
## <interface name="miscfiles_legacy_read_localization">
## <description>
## Allow process to read legacy time localization info
## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain">
## Type type of the process performing this action.
## </parameter>
## </interface>
#
define(`miscfiles_legacy_read_localization',`
gen_require(`$0'_depend)
gen_require(`
type locale_t;
class file execute;
')
miscfiles_read_localization($1)
allow $1 locale_t:file execute;
')
define(`miscfiles_read_localization_depend',`
type locale_t;
class file execute;
')
########################################
## <interface name="miscfiles_read_man_pages">
## <description>
## Allow process to read manpages
## </description>
## <securitydesc>
## ...
## </securitydesc>
## <parameter name="domain">
## Type type of the process performing this action.
## </parameter>
## </interface>
#
define(`miscfiles_read_man_pages',`
gen_require(`$0'_depend)
gen_require(`
type man_t;
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
')
# FIXME: search usr_t dir
files_search_usr($1)
allow $1 man_t:dir r_dir_perms;
allow $1 man_t:file r_file_perms;
allow $1 man_t:lnk_file r_file_perms;
')
define(`miscfiles_read_man_pages_depend',`
type man_t;
class dir r_dir_perms;
class file r_file_perms;
class lnk_file r_file_perms;
')
## </module>
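Review bot: Every `<parameter name="domain">` description in this section reads `## Type type of the process performing this action.` (miscfiles_rw_man_cache, miscfiles_read_fonts, miscfiles_read_localization, miscfiles_legacy_read_localization, miscfiles_read_man_pages); the first word should be `The`, as in libs_search_lib. The `<securitydesc>` elements of the same interfaces still hold the placeholder `...` and should either be filled in or dropped. In miscfiles_read_fonts the comments `# FIXME: search usr_t dir` and `# FIXME: search lib_t dir` sit directly under the `files_search_usr($1)` and `libs_search_lib($1)` calls that appear to resolve them, so if they survive on the new side they can go. The rendered hunk does not show which of these lines the commit touched.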


@ -12,19 +12,15 @@
## </interface>
#
define(`modutils_read_kernel_module_dependencies',`
gen_require(`$0'_depend)
gen_require(`
type modules_dep_t;
class file r_file_perms;
')
bootloader_list_kernel_modules($1)
allow $1 modules_dep_t:file r_file_perms;
')
define(`modutils_read_kernel_module_dependencies_depend',`
type modules_dep_t;
class file { getattr create read write setattr unlink };
class dir { search read write add_name remove_name };
')
########################################
## <interface name="modutils_read_module_conf">
## <description>
@ -37,22 +33,23 @@ define(`modutils_read_kernel_module_dependencies_depend',`
## </interface>
#
define(`modutils_read_module_conf',`
gen_require(`$0'_depend)
gen_require(`
type modules_conf_t;
class file r_file_perms;
')
# This file type can be in /etc or
# /lib(64)?/modules
files_search_etc($1)
bootloader_search_boot_dir($1)
allow $1 modules_conf_t:file r_file_perms;
')
define(`modutils_read_module_conf_depend',`
type modules_conf_t;
class file r_file_perms;
')
########################################
## <interface name="modutils_domtrans_insmod">
## <description>
## Execute insmod in the insmod domain. Has a
## sigchld backchannel.
## Execute insmod in the insmod domain.
## </description>
## <parameter name="domain">
## The type of the process performing this action.
@ -60,8 +57,14 @@ define(`modutils_read_module_conf_depend',`
## </interface>
#
define(`modutils_domtrans_insmod',`
gen_require(`$0'_depend)
gen_require(`
type insmod_t, insmod_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
domain_auto_trans($1, insmod_exec_t, insmod_t)
allow $1 insmod_t:fd use;
@ -70,15 +73,6 @@ define(`modutils_domtrans_insmod',`
allow insmod_t $1:process sigchld;
')
define(`modutils_domtrans_insmod_depend',`
type insmod_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="modutils_run_insmod">
## <description>
@ -99,17 +93,14 @@ define(`modutils_domtrans_insmod_depend',`
## </interface>
#
define(`modutils_run_insmod',`
gen_require(`$0'_depend)
gen_require(`
type insmod_t;
class chr_file rw_term_perms;
')
modutils_domtrans_insmod($1)
role $2 types insmod_t;
allow insmod_t $3:chr_file { getattr read write ioctl };
')
define(`modutils_run_insmod_depend',`
type insmod_t;
class chr_file { getattr read write ioctl };
allow insmod_t $3:chr_file rw_term_perms;
')
########################################
@ -117,17 +108,14 @@ define(`modutils_run_insmod_depend',`
# modutils_exec_insmod(domain)
#
define(`modutils_exec_insmod',`
gen_require(`$0'_depend)
gen_require(`
type insmod_t;
')
corecmd_search_sbin($1)
can_exec($1, insmod_exec_t)
')
define(`modutils_exec_insmod_depend',`
type insmod_t;
class file { getattr read execute execute_no_trans };
')
########################################
## <interface name="modutils_domtrans_depmod">
## <description>
@ -139,8 +127,14 @@ define(`modutils_exec_insmod_depend',`
## </interface>
#
define(`modutils_domtrans_depmod',`
gen_require(`$0'_depend)
gen_require(`
type depmod_t, depmod_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
domain_auto_trans($1, depmod_exec_t, depmod_t)
allow $1 depmod_t:fd use;
@ -149,15 +143,6 @@ define(`modutils_domtrans_depmod',`
allow depmod_t $1:process sigchld;
')
define(`modutils_domtrans_depmod_depend',`
type depmod_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="modutils_run_depmod">
## <description>
@ -175,17 +160,14 @@ define(`modutils_domtrans_depmod_depend',`
## </interface>
#
define(`modutils_run_depmod',`
gen_require(`$0'_depend)
gen_require(`
type depmod_t;
class chr_file rw_term_perms;
')
modutils_domtrans_depmod($1)
role $2 types insmod_t;
allow insmod_t $3:chr_file { getattr read write ioctl };
')
define(`modutils_run_depmod_depend',`
type depmod_t;
class chr_file { getattr read write ioctl };
allow insmod_t $3:chr_file rw_term_perms;
')
########################################
@ -193,17 +175,14 @@ define(`modutils_run_depmod_depend',`
# modutils_exec_depmod(domain)
#
define(`modutils_exec_depmod',`
gen_require(`$0'_depend)
gen_require(`
type depmod_t;
')
corecmd_search_sbin($1)
can_exec($1, depmod_exec_t)
')
define(`modutils_exec_depmod_depend',`
type depmod_t;
class file { getattr read execute execute_no_trans };
')
########################################
## <interface name="modutils_domtrans_update_mods">
## <description>
@ -215,8 +194,14 @@ define(`modutils_exec_depmod_depend',`
## </interface>
#
define(`modutils_domtrans_update_mods',`
gen_require(`$0'_depend)
gen_require(`
type update_modules_t, update_modules_exec_t;
class process signal;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
domain_auto_trans($1, update_modules_exec_t, update_modules_t)
allow $1 update_modules_t:fd use;
@ -225,15 +210,6 @@ define(`modutils_domtrans_update_mods',`
allow update_modules_t $1:process sigchld;
')
define(`modutils_domtrans_update_mods_depend',`
type update_modules_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh signal };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="modutils_run_update_mods">
## <description>
@ -251,17 +227,14 @@ define(`modutils_domtrans_update_mods_depend',`
## </interface>
#
define(`modutils_run_update_mods',`
gen_require(`$0'_depend)
gen_require(`
type update_modules_t;
class chr_file rw_term_perms;
')
modutils_domtrans_update_mods($1)
role $2 types update_modules_t;
allow update_modules_t $3:chr_file rw_file_perms;
')
define(`modutils_run_update_mods_depend',`
type update_modules_t;
class chr_file rw_file_perms;
allow update_modules_t $3:chr_file rw_term_perms;
')
########################################
@ -269,15 +242,12 @@ define(`modutils_run_update_mods_depend',`
# modutils_exec_update_mods(domain)
#
define(`modutils_exec_update_mods',`
gen_require(`$0'_depend)
gen_require(`
type update_modules_t;
')
corecmd_search_sbin($1)
can_exec($1, update_modules_exec_t)
')
define(`modutils_exec_update_mods_depend',`
type update_modules_t;
class file { getattr read execute execute_no_trans };
')
## </module>
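Review bot: modutils_run_depmod authorizes the wrong domain: after `modutils_domtrans_depmod($1)` it does `role $2 types insmod_t;` and `allow insmod_t $3:chr_file rw_term_perms;`, so the role is never allowed depmod_t and insmod_t is handed the caller's terminal instead; both lines should name `depmod_t`, which is also the only type the new gen_require declares. The same require/body mismatch appears in the three exec interfaces: modutils_exec_insmod, modutils_exec_depmod and modutils_exec_update_mods require `insmod_t`, `depmod_t` and `update_modules_t` but pass `insmod_exec_t`, `depmod_exec_t` and `update_modules_exec_t` to can_exec, so the `_exec_t` types are the ones that belong in gen_require. modutils_domtrans_update_mods requires `class process signal;` while its rule is `allow update_modules_t $1:process sigchld;`, so that line should be `class process sigchld;` as in the other domtrans interfaces in this section. All of these were present in the removed `_depend` blocks and are carried over unchanged.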


@ -12,12 +12,14 @@
## </interface>
#
define(`mount_domtrans',`
gen_require(`$0'_depend)
gen_require(`
type mount_t, mount_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 mount_exec_t:file rx_file_perms;
allow $1 mount_t:process transition;
type_transition $1 mount_exec_t:process mount_t;
dontaudit $1 mount_t:process { noatsecure siginh rlimitinh };
domain_auto_trans($1,mount_exec_t,mount_t)
allow $1 mount_t:fd use;
allow mount_t $1:fd use;
@ -25,15 +27,6 @@ define(`mount_domtrans',`
allow mount_t $1:process sigchld;
')
define(`mount_domtrans_depend',`
type mount_t, mount_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="mount_run">
## <description>
@ -53,19 +46,16 @@ define(`mount_domtrans_depend',`
## </interface>
#
define(`mount_run',`
gen_require(`$0'_depend)
gen_require(`
type mount_t;
class chr_file rw_file_perms;
')
mount_domtrans($1)
role $2 types mount_t;
allow mount_t $3:chr_file rw_file_perms;
')
define(`mount_run_depend',`
type mount_t;
class chr_file rw_file_perms;
')
########################################
## <interface name="mount_use_fd">
## <description>
@ -77,17 +67,14 @@ define(`mount_run_depend',`
## </interface>
#
define(`mount_use_fd',`
gen_require(`$0'_depend)
gen_require(`
type mount_t;
class fd use;
')
allow $1 mount_t:fd use;
')
define(`mount_use_fd_depend',`
type mount_t;
class fd use;
')
########################################
## <interface name="mount_send_nfs_client_request">
## <description>
@ -100,15 +87,12 @@ define(`mount_use_fd_depend',`
## </interface>
#
define(`mount_send_nfs_client_request',`
gen_require(`$0'_depend)
gen_require(`
type mount_t;
class udp_socket rw_socket_perms;
')
allow $1 mount_t:udp_socket rw_socket_perms;
')
define(`mount_send_nfs_client_request_depend',`
type mount_t;
class udp_socket rw_socket_perms;
')
## </module>
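Review bot: mount_run requires `class chr_file rw_file_perms;` and grants `allow mount_t $3:chr_file rw_file_perms;`, whereas every other `*_run` interface rewritten in this commit (libs_run_ldconfig, lvm_run, modutils_run_insmod, seutil_run_checkpol) uses `rw_term_perms` for the terminal parameter; if rw_term_perms is the intended set for a tty, the two lines should be `class chr_file rw_term_perms;` and `allow mount_t $3:chr_file rw_term_perms;`. In mount_domtrans the hand-written transition rules appear to be replaced by `domain_auto_trans($1,mount_exec_t,mount_t)`, so the new gen_require depends on that macro carrying its own requires for the file and process transition permissions; that cannot be confirmed from this section.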


@ -12,12 +12,16 @@
## </interface>
#
define(`seutil_domtrans_checkpol',`
gen_require(`$0'_depend)
gen_require(`
type checkpolicy_t, checkpolicy_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 checkpolicy_exec_t:file rx_file_perms;
allow $1 checkpolicy_t:process transition;
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,checkpolicy_exec_t,checkpolicy_t)
allow $1 checkpolicy_t:fd use;
allow checkpolicy_t $1:fd use;
@ -25,15 +29,6 @@ define(`seutil_domtrans_checkpol',`
allow checkpolicy_t $1:process sigchld;
')
define(`seutil_domtrans_checkpol_depend',`
type checkpolicy_t, checkpolicy_exec_t;
class file rx_file_perms
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="seutil_run_checkpol">
## <description>
@ -54,17 +49,14 @@ define(`seutil_domtrans_checkpol_depend',`
## </interface>
#
define(`seutil_run_checkpol',`
gen_require(`$0'_depend)
gen_require(`
type checkpolicy_t;
class chr_file rw_term_perms;
')
seutil_domtrans_checkpol($1)
role $2 types checkpolicy_t;
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
')
define(`seutil_run_checkpol_depend',`
type checkpolicy_t;
class chr_file { getattr read write ioctl };
allow checkpolicy_t $3:chr_file rw_term_perms;
')
#######################################
@ -72,17 +64,15 @@ define(`seutil_run_checkpol_depend',`
# seutil_exec_checkpol(domain)
#
define(`seutil_exec_checkpol',`
gen_require(`$0'_depend)
gen_require(`
type checkpolicy_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1,checkpolicy_exec_t)
')
define(`seutil_exec_checkpol_depend',`
type checkpolicy_exec_t;
class file { rx_file_perms execute_no_trans };
')
#######################################
## <interface name="seutil_domtrans_loadpol">
## <description>
@ -94,12 +84,15 @@ define(`seutil_exec_checkpol_depend',`
## </interface>
#
define(`seutil_domtrans_loadpol',`
gen_require(`$0'_depend)
gen_require(`
type load_policy_t, load_policy_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 load_policy_exec_t:file rx_file_perms;
allow $1 load_policy_t:process transition;
type_transition $1 load_policy_exec_t:process load_policy_t;
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
corecmd_search_sbin($1)
domain_auto_trans($1,load_policy_exec_t,load_policy_t)
allow $1 load_policy_t:fd use;
allow load_policy_t $1:fd use;
@ -107,15 +100,6 @@ define(`seutil_domtrans_loadpol',`
allow load_policy_t $1:process sigchld;
')
define(`seutil_domtrans_loadpol_depend',`
type load_policy_t, load_policy_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="seutil_run_loadpol">
## <description>
@ -136,17 +120,14 @@ define(`seutil_domtrans_loadpol_depend',`
## </interface>
#
define(`seutil_run_loadpol',`
gen_require(`$0'_depend)
gen_require(`
type load_policy_t;
class chr_file rw_term_perms;
')
seutil_domtrans_loadpol($1)
role $2 types load_policy_t;
allow load_policy_t $3:chr_file { getattr read write ioctl };
')
define(`seutil_run_loadpol_depend',`
type load_policy_t;
class chr_file { getattr read write ioctl };
allow load_policy_t $3:chr_file rw_term_perms;
')
#######################################
@ -154,33 +135,28 @@ define(`seutil_run_loadpol_depend',`
# seutil_exec_loadpol(domain)
#
define(`seutil_exec_loadpol',`
gen_require(`$0'_depend)
gen_require(`
type load_policy_exec_t;
')
corecmd_search_sbin($1)
can_exec($1,load_policy_exec_t)
')
define(`seutil_exec_loadpol_depend',`
type load_policy_exec_t;
class file { rx_file_perms execute_no_trans };
')
#######################################
#
# seutil_read_loadpol(domain)
#
define(`seutil_read_loadpol',`
gen_require(`$0'_depend)
gen_require(`
type load_policy_exec_t;
class file r_file_perms
')
corecmd_search_sbin($1)
allow $1 load_policy_exec_t:file r_file_perms;
')
define(`seutil_read_loadpol_depend',`
type load_policy_exec_t;
class file r_file_perms
')
#######################################
## <interface name="seutil_domtrans_newrole">
## <description>
@ -192,12 +168,16 @@ define(`seutil_read_loadpol_depend',`
## </interface>
#
define(`seutil_domtrans_newrole',`
gen_require(`$0'_depend)
gen_require(`
type newrole_t, newrole_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 newrole_exec_t:file rx_file_perms;
allow $1 newrole_t:process transition;
type_transition $1 newrole_exec_t:process newrole_t;
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,newrole_exec_t,newrole_t)
allow $1 newrole_t:fd use;
allow newrole_t $1:fd use;
@ -205,15 +185,6 @@ define(`seutil_domtrans_newrole',`
allow newrole_t $1:process sigchld;
')
define(`seutil_domtrans_newrole_depend',`
type newrole_t, newrole_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="seutil_run_newrole">
## <description>
@ -233,17 +204,14 @@ define(`seutil_domtrans_newrole_depend',`
## </interface>
#
define(`seutil_run_newrole',`
gen_require(`$0'_depend)
gen_require(`
type newrole_t;
class chr_file rw_term_perms;
')
seutil_domtrans_newrole($1)
role $2 types newrole_t;
allow newrole_t $3:chr_file { getattr read write ioctl };
')
define(`seutil_run_newrole_depend',`
type newrole_t;
class chr_file { getattr read write ioctl };
allow newrole_t $3:chr_file rw_term_perms;
')
#######################################
@ -251,17 +219,15 @@ define(`seutil_run_newrole_depend',`
# seutil_exec_newrole(domain)
#
define(`seutil_exec_newrole',`
gen_require(`$0'_depend)
gen_require(`
type newrole_t, newrole_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
can_exec($1,newrole_exec_t)
')
define(`seutil_exec_newrole_depend',`
type newrole_t, newrole_exec_t;
class file { rx_file_perms execute_no_trans };
')
########################################
## <interface name="seutil_dontaudit_newrole_signal">
## <description>
@ -274,49 +240,40 @@ define(`seutil_exec_newrole_depend',`
## </interface>
#
define(`seutil_dontaudit_newrole_signal',`
gen_require(`$0'_depend)
gen_require(`
type newrole_t;
class process signal;
')
dontaudit $1 newrole_t:process signal;
')
define(`seutil_dontaudit_newrole_signal_depend',`
type newrole_t;
class process signal;
')
#######################################
#
# seutil_newrole_sigchld(domain)
#
define(`seutil_newrole_sigchld',`
gen_require(`$0'_depend)
gen_require(`
type newrole_t;
class process sigchld;
')
allow $1 newrole_t:process sigchld;
')
define(`seutil_newrole_sigchld_depend',`
type newrole_t;
class process sigchld;
')
#######################################
#
# seutil_use_newrole_fd(domain)
#
define(`seutil_use_newrole_fd',`
gen_require(`$0'_depend)
gen_require(`
type newrole_t;
class fd use;
')
allow $1 newrole_t:fd use;
')
define(`seutil_use_newrole_fd_depend',`
type newrole_t;
class fd use;
')
#######################################
## <interface name="seutil_domtrans_restorecon">
## <description>
@ -328,12 +285,15 @@ define(`seutil_use_newrole_fd_depend',`
## </interface>
#
define(`seutil_domtrans_restorecon',`
gen_require(`$0'_depend)
gen_require(`
type restorecon_t, restorecon_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 restorecon_exec_t:file rx_file_perms;
allow $1 restorecon_t:process transition;
type_transition $1 restorecon_exec_t:process restorecon_t;
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
corecmd_search_sbin($1)
domain_auto_trans($1,restorecon_exec_t,restorecon_t)
allow $1 restorecon_t:fd use;
allow restorecon_t $1:fd use;
@ -341,15 +301,6 @@ define(`seutil_domtrans_restorecon',`
allow restorecon_t $1:process sigchld;
')
define(`seutil_domtrans_restorecon_depend',`
type restorecon_t, restorecon_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="seutil_run_restorecon">
## <description>
@ -369,17 +320,14 @@ define(`seutil_domtrans_restorecon_depend',`
## </interface>
#
define(`seutil_run_restorecon',`
gen_require(`$0'_depend)
gen_require(`
type restorecon_t;
class chr_file rw_term_perms;
')
seutil_domtrans_restorecon($1)
role $2 types restorecon_t;
allow restorecon_t $3:chr_file { getattr read write ioctl };
')
define(`seutil_run_restorecon_depend',`
type restorecon_t;
class chr_file { getattr read write ioctl };
allow restorecon_t $3:chr_file rw_term_perms;
')
#######################################
@ -387,16 +335,14 @@ define(`seutil_run_restorecon_depend',`
# seutil_exec_restorecon(domain)
#
define(`seutil_exec_restorecon',`
gen_require(`$0'_depend)
gen_require(`
type restorecon_t, restorecon_exec_t;
')
corecmd_search_sbin($1)
can_exec($1,restorecon_exec_t)
')
define(`seutil_exec_restorecon_depend',`
type restorecon_t, restorecon_exec_t;
class file { rx_file_perms execute_no_trans };
')
########################################
## <interface name="seutil_domtrans_runinit">
## <description>
@ -408,12 +354,16 @@ define(`seutil_exec_restorecon_depend',`
## </interface>
#
define(`seutil_domtrans_runinit',`
gen_require(`$0'_depend)
gen_require(`
type run_init_t, run_init_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 run_init_exec_t:file rx_file_perms;
allow $1 run_init_t:process transition;
type_transition $1 run_init_exec_t:process run_init_t;
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
files_search_usr($1)
corecmd_search_sbin($1)
domain_auto_trans($1,run_init_exec_t,run_init_t)
allow $1 run_init_t:fd use;
allow run_init_t $1:fd use;
@ -421,15 +371,6 @@ define(`seutil_domtrans_runinit',`
allow run_init_t $1:process sigchld;
')
define(`seutil_domtrans_runinit_depend',`
type run_init_t, run_init_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="seutil_run_runinit">
## <description>
@ -449,17 +390,14 @@ define(`seutil_domtrans_runinit_depend',`
## </interface>
#
define(`seutil_run_runinit',`
gen_require(`$0'_depend)
gen_require(`
type run_init_t;
class chr_file rw_term_perms;
')
seutil_domtrans_runinit($1)
role $2 types run_init_t;
allow run_init_t $3:chr_file { getattr read write ioctl };
')
define(`seutil_run_runinit_depend',`
type run_init_t;
class chr_file { getattr read write ioctl };
allow run_init_t $3:chr_file rw_term_perms;
')
########################################
@ -467,17 +405,14 @@ define(`seutil_run_runinit_depend',`
# seutil_use_runinit_fd(domain)
#
define(`seutil_use_runinit_fd',`
gen_require(`$0'_depend)
gen_require(`
type run_init_t;
class fd use;
')
allow $1 run_init_t:fd use;
')
define(`seutil_use_runinit_fd_depend',`
type run_init_t;
class fd use;
')
########################################
## <interface name="seutil_domtrans_setfiles">
## <description>
@ -489,12 +424,16 @@ define(`seutil_use_runinit_fd_depend',`
## </interface>
#
define(`seutil_domtrans_setfiles',`
gen_require(`$0'_depend)
gen_require(`
type setfiles_t, setfiles_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
allow $1 setfiles_exec_t:file rx_file_perms;
allow $1 setfiles_t:process transition;
type_transition $1 setfiles_exec_t:process setfiles_t;
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
files_search_usr($1)
corecmd_search_sbin($1)
domain_auto_trans($1,setfiles_exec_t,setfiles_t)
allow $1 setfiles_t:fd use;
allow setfiles_t $1:fd use;
@ -502,15 +441,6 @@ define(`seutil_domtrans_setfiles',`
allow setfiles_t $1:process sigchld;
')
define(`seutil_domtrans_setfiles_depend',`
type setfiles_t, setfiles_exec_t;
class file rx_file_perms;
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="seutil_run_setfiles">
## <description>
@ -530,17 +460,14 @@ define(`seutil_domtrans_setfiles_depend',`
## </interface>
#
define(`seutil_run_setfiles',`
gen_require(`$0'_depend)
gen_require(`
type setfiles_t;
class chr_file rw_term_perms;
')
seutil_domtrans_setfiles($1)
role $2 types setfiles_t;
allow setfiles_t $3:chr_file { getattr read write ioctl };
')
define(`seutil_run_setfiles_depend',`
type setfiles_t;
class chr_file { getattr read write ioctl };
allow setfiles_t $3:chr_file rw_term_perms;
')
#######################################
@ -548,112 +475,101 @@ define(`seutil_run_setfiles_depend',`
# seutil_exec_setfiles(domain)
#
define(`seutil_exec_setfiles',`
gen_require(`$0'_depend)
gen_require(`
type setfiles_exec_t;
')
files_search_usr($1)
corecmd_search_sbin($1)
can_exec($1,setfiles_exec_t)
')
define(`seutil_exec_setfiles_depend',`
type setfiles_exec_t;
class file { rx_file_perms execute_no_trans };
')
########################################
#
# seutil_read_config(domain)
#
define(`seutil_read_config',`
gen_require(`$0'_depend)
gen_require(`
type selinux_config_t;
class dir r_dir_perms;
class file r_file_perms;
')
files_search_etc($1)
allow $1 selinux_config_t:dir r_dir_perms;
allow $1 selinux_config_t:file r_file_perms;
')
define(`seutil_read_config_depend',`
type selinux_config_t;
class dir r_dir_perms;
class file r_file_perms;
')
########################################
#
# seutil_read_default_contexts(domain)
#
define(`seutil_read_default_contexts',`
gen_require(`$0'_depend)
gen_require(`
type selinux_config_t, default_context_t;
class dir r_dir_perms;
class file r_file_perms;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search;
allow $1 default_context_t:dir r_dir_perms;
allow $1 default_context_t:file r_file_perms;
')
define(`seutil_read_default_contexts_depend',`
type selinux_config_t, default_context_t;
class dir r_dir_perms;
class file r_file_perms;
')
########################################
#
# seutil_read_file_contexts(domain)
#
define(`seutil_read_file_contexts',`
gen_require(`$0'_depend)
gen_require(`
type selinux_config_t, file_context_t;
class dir r_dir_perms;
class file r_file_perms;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search;
allow $1 file_context_t:dir r_dir_perms;
allow $1 file_context_t:file r_file_perms;
')
define(`seutil_read_file_contexts_depend',`
type selinux_config_t, file_context_t;
class dir r_dir_perms;
class file r_file_perms;
')
########################################
#
# seutil_read_binary_pol(domain)
#
define(`seutil_read_binary_pol',`
gen_require(`$0'_depend)
gen_require(`
type selinux_config_t, policy_config_t;
class dir r_dir_perms;
class file r_file_perms;
')
files_search_etc($1)
allow $1 selinux_config_t:dir search;
allow $1 policy_config_t:dir r_dir_perms;
allow $1 policy_config_t:file r_file_perms;
')
define(`seutil_read_binary_pol_depend',`
type policy_config_t;
class dir r_dir_perms;
class file r_file_perms;
')
########################################
#
# seutil_write_binary_pol(domain)
# seutil_create_binary_pol(domain)
#
define(`seutil_write_binary_pol',`
gen_require(`$0'_depend)
define(`seutil_create_binary_pol',`
gen_require(`
attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
class dir ra_dir_perms;
class file { getattr create write };
')
allow $1 policy_config_t:dir rw_dir_perms;
allow $1 policy_config_t:file { getattr create write unlink };
files_search_etc($1)
allow $1 selinux_config_t:dir search;
allow $1 policy_config_t:dir ra_dir_perms;
allow $1 policy_config_t:file { getattr create write };
typeattribute $1 can_write_binary_policy;
')
define(`seutil_write_binary_pol_depend',`
attribute can_write_binary_policy;
type policy_config_t;
class dir rw_dir_perms;
class file { getattr create write unlink };
')
########################################
## <interface name="seutil_relabelto_binary_pol">
## <description>
@ -665,80 +581,67 @@ define(`seutil_write_binary_pol_depend',`
## </interface>
#
define(`seutil_relabelto_binary_pol',`
gen_require(`$0'_depend)
gen_require(`
attribute can_relabelto_binary_policy;
type policy_config_t;
class file relabelto;
')
allow $1 policy_config_t:file relabelto;
typeattribute $1 can_relabelto_binary_policy;
')
define(`seutil_relabelto_binary_pol_depend',`
attribute can_relabelto_binary_policy;
type policy_config_t;
class file relabelto;
')
########################################
#
# seutil_manage_binary_pol(domain)
#
define(`seutil_manage_binary_pol',`
gen_require(`$0'_depend)
gen_require(`
attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
class dir rw_dir_perms;
class file create_file_perms;
')
# FIXME: search etc_t:dir
files_search_etc($1)
allow $1 selinux_config_t:dir search;
allow $1 policy_config_t:dir r_dir_perms;
allow $1 policy_config_t:dir rw_dir_perms;
allow $1 policy_config_t:file create_file_perms;
typeattribute $1 can_write_binary_policy;
')
define(`seutil_manage_binary_pol_depend',`
attribute can_write_binary_policy;
type selinux_config_t, policy_config_t;
class dir create_dir_perms;
class file create_file_perms;
')
########################################
#
# seutil_read_src_pol(domain)
#
define(`seutil_read_src_pol',`
gen_require(`$0'_depend)
gen_require(`
type selinux_config_t, policy_src_t;
class dir r_dir_perms;
class file r_file_perms;
')
# FIXME: search etc_t:dir
files_search_etc($1)
allow $1 selinux_config_t:dir search;
allow $1 policy_src_t:dir r_dir_perms;
allow $1 policy_src_t:file r_file_perms;
')
define(`seutil_read_src_pol_depend',`
type selinux_config_t, policy_src_t;
class dir r_dir_perms;
class file r_file_perms;
')
########################################
#
# seutil_manage_src_pol(domain)
#
define(`seutil_manage_src_pol',`
gen_require(`$0'_depend)
gen_require(`
type selinux_config_t, policy_src_t;
class dir create_dir_perms;
class file create_file_perms;
')
# FIXME: search etc_t:dir
files_search_etc($1)
allow $1 selinux_config_t:dir search;
allow $1 policy_src_t:dir create_dir_perms;
allow $1 policy_src_t:file create_file_perms;
')
define(`seutil_manage_src_pol_depend',`
type selinux_config_t, policy_src_t;
class dir create_dir_perms;
class file create_file_perms;
')
## </module>


@ -12,8 +12,14 @@
## </interface>
#
define(`sysnet_domtrans_dhcpc',`
gen_require(`$0'_depend)
gen_require(`
type dhcpc_t, dhcpc_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
allow $1 dhcpc_t:fd use;
@ -22,15 +28,6 @@ define(`sysnet_domtrans_dhcpc',`
allow dhcpc_t $1:process sigchld;
')
define(`sysnet_domtrans_dhcpc_depend',`
type dhcpc_t, dhcpc_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
#######################################
## <interface name="sysnet_domtrans_ifconfig">
## <description>
@ -42,8 +39,14 @@ define(`sysnet_domtrans_dhcpc_depend',`
## </interface>
#
define(`sysnet_domtrans_ifconfig',`
gen_require(`$0'_depend)
gen_require(`
type ifconfig_t, ifconfig_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
allow $1 ifconfig_t:fd use;
@ -52,15 +55,6 @@ define(`sysnet_domtrans_ifconfig',`
allow ifconfig_t $1:process sigchld;
')
define(`sysnet_domtrans_ifconfig_depend',`
type ifconfig_t, ifconfig_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="sysnet_run_ifconfig">
## <description>
@ -80,17 +74,15 @@ define(`sysnet_domtrans_ifconfig_depend',`
## </interface>
#
define(`sysnet_run_ifconfig',`
gen_require(`$0'_depend)
gen_require(`
type ifconfig_t;
class chr_file rw_term_perms;
')
corecmd_search_sbin($1)
sysnet_domtrans_ifconfig($1)
role $2 types ifconfig_t;
allow ifconfig_t $3:chr_file { getattr read write ioctl };
')
define(`sysnet_run_ifconfig_depend',`
type ifconfig_t;
class chr_file { getattr read write ioctl };
allow ifconfig_t $3:chr_file rw_term_perms;
')
#######################################
@ -104,16 +96,13 @@ define(`sysnet_run_ifconfig_depend',`
## </interface>
#
define(`sysnet_read_config',`
gen_require(`$0'_depend)
gen_require(`
type net_conf_t;
class file r_file_perms;
')
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;
')
define(`sysnet_read_config_depend',`
type net_conf_t;
class file r_file_perms;
')
## </module>
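Review bot: In sysnet_run_ifconfig the context line `corecmd_search_sbin($1)` is now redundant, because the sysnet_domtrans_ifconfig interface it calls on the next line already performs `corecmd_search_sbin($1)` in its own body; the line should be dropped so the search permission is granted in one place. Separately, the rewritten gen_require blocks of sysnet_domtrans_dhcpc and sysnet_domtrans_ifconfig no longer require `class file { getattr read execute }` or `class process { transition noatsecure siginh rlimitinh }`, which the removed `_depend` macros declared; if domain_auto_trans does not carry those requirements itself, a module using these interfaces without the file/process classes in scope would fail to build, so it is worth confirming before the old lines are gone. The `rw_term_perms` substitution in sysnet_run_ifconfig is a faithful replacement for `{ getattr read write ioctl }` only as long as that macro expands to exactly that set, which this page does not show.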


@ -12,7 +12,12 @@
## </interface>
#
define(`udev_domtrans',`
gen_require(`$0'_depend)
gen_require(`
type udev_t, udev_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
domain_auto_trans($1, udev_exec_t, udev_t)
@ -22,15 +27,6 @@ define(`udev_domtrans',`
allow udev_t $1:process sigchld;
')
define(`udev_domtrans_depend',`
type udev_t, udev_exec_t;
class file { getattr read execute };
class process { transition noatsecure siginh rlimitinh sigchld };
class fd use;
class fifo_file rw_file_perms;
')
########################################
## <interface name="udev_read_db">
## <description>
@ -42,17 +38,15 @@ define(`udev_domtrans_depend',`
## </interface>
#
define(`udev_read_db',`
gen_require(`$0'_depend)
gen_require(`
type udev_tdb_t;
class file r_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 udev_tdb_t:file r_file_perms;
')
define(`udev_read_db_depend',`
type udev_tdb_t;
class file r_file_perms;
')
########################################
## <interface name="udev_rw_db">
## <description>
@ -64,15 +58,13 @@ define(`udev_read_db_depend',`
## </interface>
#
define(`udev_rw_db',`
gen_require(`$0'_depend)
gen_require(`
type udev_tdb_t;
class file rw_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 udev_tdb_t:file rw_file_perms;
')
define(`udev_rw_db_depend',`
type udev_tdb_t;
class file rw_file_perms;
')
## </module>