From 261e0e66eef29bfbd0981c1d46d4567a96ef7648 Mon Sep 17 00:00:00 2001 
From: Chris PeBenito
Date: Thu, 23 Jun 2005 16:00:05 +0000
Subject: [PATCH] shorten some xml tags
---
refpolicy/doc/policy.dtd | 14 +-
refpolicy/policy/modules/admin/dmesg.if | 16 +-
refpolicy/policy/modules/admin/rpm.if | 48 +-
refpolicy/policy/modules/admin/usermanage.if | 96 +--
refpolicy/policy/modules/apps/gpg.if | 8 +-
refpolicy/policy/modules/kernel/bootloader.if | 152 ++--
.../policy/modules/kernel/corenetwork.if.in | 8 +-
.../policy/modules/kernel/corenetwork.if.m4 | 176 ++---
refpolicy/policy/modules/kernel/devices.if | 384 +++++-----
refpolicy/policy/modules/kernel/filesystem.if | 680 +++++++++---------
refpolicy/policy/modules/kernel/kernel.if | 404 +++++------
refpolicy/policy/modules/kernel/selinux.if | 92 +--
refpolicy/policy/modules/kernel/storage.if | 208 +++---
refpolicy/policy/modules/kernel/terminal.if | 280 ++++----
refpolicy/policy/modules/services/mta.if | 8 +-
.../policy/modules/services/remotelogin.if | 8 +-
refpolicy/policy/modules/services/sendmail.if | 8 +-
refpolicy/policy/modules/system/authlogin.if | 148 ++--
refpolicy/policy/modules/system/clock.if | 40 +-
.../policy/modules/system/corecommands.if | 24 +-
refpolicy/policy/modules/system/domain.if | 120 ++--
refpolicy/policy/modules/system/files.if | 100 +--
refpolicy/policy/modules/system/getty.if | 32 +-
refpolicy/policy/modules/system/hostname.if | 32 +-
refpolicy/policy/modules/system/hotplug.if | 8 +-
refpolicy/policy/modules/system/init.if | 24 +-
refpolicy/policy/modules/system/iptables.if | 32 +-
refpolicy/policy/modules/system/libraries.if | 96 +--
refpolicy/policy/modules/system/locallogin.if | 16 +-
refpolicy/policy/modules/system/logging.if | 8 +-
refpolicy/policy/modules/system/lvm.if | 32 +-
refpolicy/policy/modules/system/miscfiles.if | 40 +-
refpolicy/policy/modules/system/modutils.if | 88 +--
refpolicy/policy/modules/system/mount.if | 40 +-
.../policy/modules/system/selinuxutil.if | 160 ++---
refpolicy/policy/modules/system/sysnetwork.if | 40 +-
refpolicy/policy/modules/system/udev.if | 24 +-
refpolicy/policy/modules/system/userdomain.if | 104 +--
38 files changed, 1899 insertions(+), 1899 deletions(-)
diff --git a/refpolicy/doc/policy.dtd b/refpolicy/doc/policy.dtd
index a5ccae75..801e57fe 100644
--- a/refpolicy/doc/policy.dtd
+++ b/refpolicy/doc/policy.dtd
@@ -4,7 +4,7 @@ - +
@@ -12,14 +12,14 @@ name CDATA #REQUIRED dftval CDATA #REQUIRED> - + - + - - - - + + +
diff --git a/refpolicy/policy/modules/admin/dmesg.if b/refpolicy/policy/modules/admin/dmesg.if
index 189fc5e4..711d3761 100644
--- a/refpolicy/policy/modules/admin/dmesg.if
+++ b/refpolicy/policy/modules/admin/dmesg.if
@@ -3,12 +3,12 @@ ######################################## ## -## +## ## Execute dmesg in the dmesg domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`dmesg_domtrans',`
@@ -30,12 +30,12 @@ interface(`dmesg_domtrans',` ######################################## ## -## +## ## Execute dmesg in the caller domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`dmesg_exec',`
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index b7791a7e..cf694fd6 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -3,12 +3,12 @@ ######################################## ## -## +## ## Execute rpm programs in the rpm domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`rpm_domtrans',`
@@ -31,18 +31,18 @@ interface(`rpm_domtrans',` ######################################## ## -## +## ## Execute RPM programs in the RPM domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to allow the RPM domain. -## -## +## +## ## The type of the terminal allow the RPM domain to use. -## +## ## # interface(`rpm_run',`
@@ -59,12 +59,12 @@ interface(`rpm_run',` ######################################## ## -## +## ## Inherit and use file descriptors from RPM. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`rpm_use_fd',`
@@ -78,12 +78,12 @@ interface(`rpm_use_fd',` ######################################## ## -## +## ## Read from a RPM pipe. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`rpm_read_pipe',`
@@ -97,12 +97,12 @@ interface(`rpm_read_pipe',` ######################################## ## -## +## ## Read RPM package database. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`rpm_read_db',`
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index 34131a4f..71560522 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -3,12 +3,12 @@ ######################################## ## -## +## ## Execute chfn in the chfn domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`usermanage_domtrans_chfn',`
@@ -31,19 +31,19 @@ interface(`usermanage_domtrans_chfn',` ######################################## ## -## +## ## Execute chfn in the chfn domain, and ## allow the specified role the chfn domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the chfn domain. -## -## +## +## ## The type of the terminal allow the chfn domain to use. -## +## ## # interface(`usermanage_run_chfn',`
@@ -59,12 +59,12 @@ interface(`usermanage_run_chfn',` ######################################## ## -## +## ## Execute groupadd in the groupadd domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`usermanage_domtrans_groupadd',`
@@ -87,19 +87,19 @@ interface(`usermanage_domtrans_groupadd',` ######################################## ## -## +## ## Execute groupadd in the groupadd domain, and ## allow the specified role the groupadd domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the groupadd domain. -## -## +## +## ## The type of the terminal allow the groupadd domain to use. -## +## ## # interface(`usermanage_run_groupadd',`
@@ -115,12 +115,12 @@ interface(`usermanage_run_groupadd',` ######################################## ## -## +## ## Execute passwd in the passwd domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`usermanage_domtrans_passwd',`
@@ -143,19 +143,19 @@ interface(`usermanage_domtrans_passwd',` ######################################## ## -## +## ## Execute passwd in the passwd domain, and ## allow the specified role the passwd domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the passwd domain. -## -## +## +## ## The type of the terminal allow the passwd domain to use. -## +## ## # interface(`usermanage_run_passwd',`
@@ -171,12 +171,12 @@ interface(`usermanage_run_passwd',` ######################################## ## -## +## ## Execute useradd in the useradd domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`usermanage_domtrans_useradd',`
@@ -199,19 +199,19 @@ interface(`usermanage_domtrans_useradd',` ######################################## ## -## +## ## Execute useradd in the useradd domain, and ## allow the specified role the useradd domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the useradd domain. -## -## +## +## ## The type of the terminal allow the useradd domain to use. -## +## ## # interface(`usermanage_run_useradd',`
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 7ccb56fc..04304ca5 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -6,7 +6,7 @@ ## ## The per-userdomain template for the gpg module. ## -## +## ##

## This template creates the types and rules for GPG, ## GPG-agent, and GPG helper programs. This protects
@@ -18,11 +18,11 @@ ## generally does not need to be statically invoked ## directly by policy writers. ##

-##
-## +## +## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). -## +## # template(`gpg_per_userdomain_template',` gen_require(`$0'_depend)
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index 6e1597f9..a531cf99 100644
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -3,12 +3,12 @@ ######################################## ## -## +## ## Execute bootloader in the bootloader domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_domtrans',`
@@ -29,19 +29,19 @@ interface(`bootloader_domtrans',` ######################################## ## -## +## ## Execute bootloader interactively and do ## a domain transition to the bootloader domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the bootloader domain. -## -## +## +## ## The type of the terminal allow the bootloader domain to use. -## +## ## # interface(`bootloader_run',`
@@ -58,12 +58,12 @@ interface(`bootloader_run',` ######################################## ## -## +## ## Search the /boot directory. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_search_boot_dir',`
@@ -77,12 +77,12 @@ interface(`bootloader_search_boot_dir',` ######################################## ## -## +## ## Do not audit attempts to search the /boot directory. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_dontaudit_search_boot',`
@@ -96,13 +96,13 @@ interface(`bootloader_dontaudit_search_boot',` ######################################## ## -## +## ## Read and write symbolic links ## in the /boot directory. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_rw_boot_symlinks',`
@@ -118,12 +118,12 @@ interface(`bootloader_rw_boot_symlinks',` ######################################## ## -## +## ## Install a kernel into the /boot directory. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_create_kernel',`
@@ -141,12 +141,12 @@ interface(`bootloader_create_kernel',` ######################################## ## -## +## ## Install a system.map into the /boot directory. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_create_kernel_symbol_table',`
@@ -162,12 +162,12 @@ interface(`bootloader_create_kernel_symbol_table',` ######################################## ## -## +## ## Read system.map in the /boot directory. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_read_kernel_symbol_table',`
@@ -183,12 +183,12 @@ interface(`bootloader_read_kernel_symbol_table',` ######################################## ## -## +## ## Delete a kernel from /boot. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_delete_kernel',`
@@ -204,12 +204,12 @@ interface(`bootloader_delete_kernel',` ######################################## ## -## +## ## Delete a system.map in the /boot directory. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_delete_kernel_symbol_table',`
@@ -225,12 +225,12 @@ interface(`bootloader_delete_kernel_symbol_table',` ######################################## ## -## +## ## Read the bootloader configuration file. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_read_config',`
@@ -244,13 +244,13 @@ interface(`bootloader_read_config',` ######################################## ## -## +## ## Read and write the bootloader ## configuration file. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_rw_config',`
@@ -264,13 +264,13 @@ interface(`bootloader_rw_config',` ######################################## ## -## +## ## Read and write the bootloader ## temporary data in /tmp. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_rw_tmp_file',`
@@ -285,13 +285,13 @@ interface(`bootloader_rw_tmp_file',` ######################################## ## -## +## ## Read and write the bootloader ## temporary data in /tmp. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_create_runtime_file',`
@@ -308,12 +308,12 @@ interface(`bootloader_create_runtime_file',` ######################################## ## -## +## ## List the contents of the kernel module directories. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_list_kernel_modules',`
@@ -327,12 +327,12 @@ interface(`bootloader_list_kernel_modules',` ######################################## ## -## +## ## Read kernel module files. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_read_kernel_modules',`
@@ -350,12 +350,12 @@ interface(`bootloader_read_kernel_modules',` ######################################## ## -## +## ## Write kernel module files. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_write_kernel_modules',`
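Review bot: The description retagged for bootloader_create_runtime_file (hunk @@ -285) reads `## Read and write the bootloader ## temporary data in /tmp.`, byte-identical to the one for bootloader_rw_tmp_file in the hunk just above, so two differently named interfaces document the same access; the bodies are outside these hunks, so I cannot tell which text is wrong, but a summary that understates or misnames the permission an interface grants is what policy writers rely on when choosing a call. The same copy-paste pattern is visible in devices.if: dev_dontaudit_rw_generic_dev_nodes (@@ -427) is described as `## Dontaudit getattr for generic device files.`, dev_write_realtime_clock (@@ -955) and dev_rw_realtime_clock (@@ -976) both repeat `## Read the realtime clock (/dev/rtc).`, and dev_read_cpuid (@@ -1596) repeats dev_read_input's `## Read the multiplexed input device (/dev/input).`; dev_read_lvm_control (@@ -1325) also has the typo `comtrol`. Since this commit rewrites every one of these blocks anyway, I'd fix the summaries in the same pass, e.g. `## Write the realtime clock (/dev/rtc).` and `## Read and write the realtime clock (/dev/rtc).` for the rtc pair, after confirming each against the interface body.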
@@ -374,13 +374,13 @@ interface(`bootloader_write_kernel_modules',` ######################################## ## -## +## ## Create, read, write, and delete ## kernel module files. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`bootloader_manage_kernel_modules',`
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 9f3ab475..3095b84b 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -3,12 +3,12 @@ ######################################## ## -## +## ## Send and receive TCP network traffic on the general interfaces. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.m4 b/refpolicy/policy/modules/kernel/corenetwork.if.m4
index fea2b84a..9d6d84df 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.m4
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4
@@ -7,12 +7,12 @@ define(`create_netif_interfaces',`` ######################################## ## -## +## ## Send and receive TCP network traffic on the $1 interface. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -27,12 +27,12 @@ interface(`corenet_tcp_sendrecv_$1',` ######################################## ## -## +## ## Send UDP network traffic on the $1 interface. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -47,12 +47,12 @@ interface(`corenet_udp_send_$1',` ######################################## ## -## +## ## Receive UDP network traffic on the $1 interface. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -67,12 +67,12 @@ interface(`corenet_udp_receive_$1',` ######################################## ## -## +## ## Send and receive UDP network traffic on the $1 interface. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -83,12 +83,12 @@ interface(`corenet_udp_sendrecv_$1',` ######################################## ## -## +## ## Send raw IP packets on the $1 interface. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -105,12 +105,12 @@ interface(`corenet_raw_send_$1',` ######################################## ## -## +## ## Receive raw IP packets on the $1 interface. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -125,12 +125,12 @@ interface(`corenet_raw_receive_$1',` ######################################## ## -## +## ## Send and receive raw IP packets on the $1 interface. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -149,12 +149,12 @@ interface(`corenet_raw_sendrecv_$1',` define(`create_node_interfaces',`` ######################################## ## -## +## ## Send and receive TCP traffic on the $1 node. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -169,12 +169,12 @@ interface(`corenet_tcp_sendrecv_$1_node',` ######################################## ## -## +## ## Send UDP traffic on the $1 node. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -189,12 +189,12 @@ interface(`corenet_udp_send_$1_node',` ######################################## ## -## +## ## Receive UDP traffic on the $1 node. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -209,12 +209,12 @@ interface(`corenet_udp_receive_$1_node',` ######################################## ## -## +## ## Send and receive UDP traffic on the $1 node. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -225,12 +225,12 @@ interface(`corenet_udp_sendrecv_$1_node',` ######################################## ## -## +## ## Send raw IP packets on the $1 node. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -245,12 +245,12 @@ interface(`corenet_raw_send_$1_node',` ######################################## ## -## +## ## Receive raw IP packets on the $1 node. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -265,12 +265,12 @@ interface(`corenet_raw_receive_$1_node',` ######################################## ## -## +## ## Send and receive raw IP packets on the $1 node. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -281,12 +281,12 @@ interface(`corenet_raw_sendrecv_$1_node',` ######################################## ## -## +## ## Bind TCP sockets to node $1. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -301,12 +301,12 @@ interface(`corenet_tcp_bind_$1_node',` ######################################## ## -## +## ## Bind UDP sockets to the $1 node. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -329,12 +329,12 @@ interface(`corenet_udp_bind_$1_node',` define(`create_port_interfaces',`` ######################################## ## -## +## ## Send and receive TCP traffic on the $1 port. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -349,12 +349,12 @@ interface(`corenet_tcp_sendrecv_$1_port',` ######################################## ## -## +## ## Send UDP traffic on the $1 port. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -369,12 +369,12 @@ interface(`corenet_udp_send_$1_port',` ######################################## ## -## +## ## Receive UDP traffic on the $1 port. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -389,12 +389,12 @@ interface(`corenet_udp_receive_$1_port',` ######################################## ## -## +## ## Send and receive UDP traffic on the $1 port. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -405,12 +405,12 @@ interface(`corenet_udp_sendrecv_$1_port',` ######################################## ## -## +## ## Bind TCP sockets to the $1 port. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
@@ -426,12 +426,12 @@ interface(`corenet_tcp_bind_$1_port',` ######################################## ## -## +## ## Bind UDP sockets to the $1 port. -## -## +## +## ## The type of the process performing this action. -## +## ## ## #
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 8d7e753a..f2bdd400 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2,7 +2,7 @@ ## ## Device nodes and interfaces for many basic system devices. ## -## +## ##

## This module creates the device node concept and provides ## the policy for many of the device files. Notable exceptions are
@@ -23,7 +23,7 @@ ## this module. ## ##

-##
+## ######################################## ##
@@ -31,9 +31,9 @@ ## Make the passed in type a type appropriate for ## use on device nodes (usually files in /dev). ## -## +## ## The object type that will be used on device nodes. -## +## ## # interface(`dev_node',`
@@ -55,9 +55,9 @@ interface(`dev_node',` ## ## Allow full relabeling (to and from) of all device nodes. ## -## +## ## Domain allowed to relabel. -## +## ## # interface(`dev_relabel_all_dev_nodes',`
@@ -87,9 +87,9 @@ interface(`dev_relabel_all_dev_nodes',` ## ## List all of the device nodes in a device directory. ## -## +## ## Domain allowed to list device nodes. -## +## ## # interface(`dev_list_all_dev_nodes',`
@@ -108,9 +108,9 @@ interface(`dev_list_all_dev_nodes',` ## ## Dontaudit attempts to list all device nodes. ## -## +## ## Domain to dontaudit listing of device nodes. -## +## ## # interface(`dev_dontaudit_list_all_dev_nodes',`
@@ -127,9 +127,9 @@ interface(`dev_dontaudit_list_all_dev_nodes',` ## ## Create a directory in the device directory. ## -## +## ## Domain allowed to create the directory. -## +## ## # interface(`dev_create_dir',`
@@ -146,9 +146,9 @@ interface(`dev_create_dir',` ## ## Allow full relabeling (to and from) of directories in /dev. ## -## +## ## Domain allowed to relabel. -## +## ## # interface(`dev_relabel_dev_dirs',`
@@ -165,9 +165,9 @@ interface(`dev_relabel_dev_dirs',` ## ## Dontaudit getattr on generic pipes. ## -## +## ## Domain to dontaudit. -## +## ## # interface(`dev_dontaudit_getattr_generic_pipe',`
@@ -184,9 +184,9 @@ interface(`dev_dontaudit_getattr_generic_pipe',` ## ## Allow getattr on generic block devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_getattr_generic_blk_file',`
@@ -205,9 +205,9 @@ interface(`dev_getattr_generic_blk_file',` ## ## Dontaudit getattr on generic block devices. ## -## +## ## Domain to dontaudit access. -## +## ## # interface(`dev_dontaudit_getattr_generic_blk_file',`
@@ -224,9 +224,9 @@ interface(`dev_dontaudit_getattr_generic_blk_file',` ## ## Dontaudit setattr on generic block devices. ## -## +## ## Domain to dontaudit access. -## +## ## # interface(`dev_dontaudit_setattr_generic_blk_file',`
@@ -244,9 +244,9 @@ interface(`dev_dontaudit_setattr_generic_blk_file',` ## Allow read, write, create, and delete for generic ## block files. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_manage_generic_blk_file',`
@@ -264,9 +264,9 @@ interface(`dev_manage_generic_blk_file',` ## ## Allow read, write, and create for generic character device files. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_create_generic_chr_file',`
@@ -288,9 +288,9 @@ interface(`dev_create_generic_chr_file',` ## ## Allow getattr for generic character device files. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_getattr_generic_chr_file',`
@@ -309,9 +309,9 @@ interface(`dev_getattr_generic_chr_file',` ## ## Dontaudit getattr for generic character device files. ## -## +## ## Domain to dontaudit access. -## +## ## # interface(`dev_dontaudit_getattr_generic_chr_file',`
@@ -328,9 +328,9 @@ interface(`dev_dontaudit_getattr_generic_chr_file',` ## ## Dontaudit setattr for generic character device files. ## -## +## ## Domain to dontaudit access. -## +## ## # interface(`dev_dontaudit_setattr_generic_chr_file',`
@@ -347,9 +347,9 @@ interface(`dev_dontaudit_setattr_generic_chr_file',` ## ## Delete symbolic links in device directories. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_del_generic_symlinks',`
@@ -368,9 +368,9 @@ interface(`dev_del_generic_symlinks',` ## ## Create, delete, read, and write symbolic links in device directories. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_manage_generic_symlinks',`
@@ -389,9 +389,9 @@ interface(`dev_manage_generic_symlinks',` ## ## Create, delete, read, and write device nodes in device directories. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_manage_dev_nodes',`
@@ -427,9 +427,9 @@ interface(`dev_manage_dev_nodes',` ## ## Dontaudit getattr for generic device files. ## -## +## ## Domain to dontaudit access. -## +## ## # interface(`dev_dontaudit_rw_generic_dev_nodes',`
@@ -447,9 +447,9 @@ interface(`dev_dontaudit_rw_generic_dev_nodes',` ## ## Create, delete, read, and write block device files. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_manage_generic_blk_file',`
@@ -468,9 +468,9 @@ interface(`dev_manage_generic_blk_file',` ## ## Create, delete, read, and write character device files. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_manage_generic_chr_file',`
@@ -490,16 +490,16 @@ interface(`dev_manage_generic_chr_file',` ## Create, read, and write device nodes. The node ## will be transitioned to the type provided. ## -## +## ## Domain allowed access. -## -## +## +## ## Type to which the created node will be transitioned. -## -## +## +## ## Object class(es) (single or set including {}) for which this ## the transition will occur. -## +## ## # interface(`dev_create_dev_node',`
@@ -521,9 +521,9 @@ interface(`dev_create_dev_node',` ## ## Getattr on all block file device nodes. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_getattr_all_blk_files',`
@@ -542,9 +542,9 @@ interface(`dev_getattr_all_blk_files',` ## ## Dontaudit getattr on all block file device nodes. ## -## +## ## Domain to dontaudit access. -## +## ## # interface(`dev_dontaudit_getattr_all_blk_files',`
@@ -561,9 +561,9 @@ interface(`dev_dontaudit_getattr_all_blk_files',` ## ## Getattr on all character file device nodes. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_getattr_all_chr_files',`
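Review bot: devices.if appears to define `interface(`dev_manage_generic_blk_file',`` twice: once at old line ~244 (the hunk on the previous physical line, summarised as "Allow read, write, create, and delete for generic block files") and again at ~447 in the @@ -447 hunk here, and both hunk headers that follow (@@ -264 and @@ -468) carry that same name as function context. Because interface() is an m4 macro definition, the second definition would silently replace the first unless one of them sits inside a conditional that is outside these hunks, which I cannot see from here. If they are true duplicates, I would drop one (and its doc block) in a follow-up so that the rendered interface documentation and the policy agree on a single meaning; if they differ in body, one of them needs a distinct name and summary.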
@@ -582,9 +582,9 @@ interface(`dev_getattr_all_chr_files',` ## ## Dontaudit getattr on all character file device nodes. ## -## +## ## Domain to dontaudit access. -## +## ## # interface(`dev_dontaudit_getattr_all_chr_files',`
@@ -601,9 +601,9 @@ interface(`dev_dontaudit_getattr_all_chr_files',` ## ## Setattr on all block file device nodes. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_setattr_all_blk_files',`
@@ -622,9 +622,9 @@ interface(`dev_setattr_all_blk_files',` ## ## Setattr on all character file device nodes. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_setattr_all_chr_files',`
@@ -643,9 +643,9 @@ interface(`dev_setattr_all_chr_files',` ## ## Read, write, create, and delete all block device files. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_manage_all_blk_files',`
@@ -670,9 +670,9 @@ interface(`dev_manage_all_blk_files',` ## ## Read, write, create, and delete all character device files. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_manage_all_chr_files',`
@@ -693,9 +693,9 @@ interface(`dev_manage_all_chr_files',` ## ## Read raw memory devices (e.g. /dev/mem). ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_raw_memory',`
@@ -719,9 +719,9 @@ interface(`dev_read_raw_memory',` ## ## Write raw memory devices (e.g. /dev/mem). ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_write_raw_memory',`
@@ -745,9 +745,9 @@ interface(`dev_write_raw_memory',` ## ## Read and execute raw memory devices (e.g. /dev/mem). ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_rx_raw_memory',`
@@ -765,9 +765,9 @@ interface(`dev_rx_raw_memory',` ## ## Write and execute raw memory devices (e.g. /dev/mem). ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_wx_raw_memory',`
@@ -785,9 +785,9 @@ interface(`dev_wx_raw_memory',` ## ## Read from random devices (e.g., /dev/random) ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_rand',`
@@ -806,9 +806,9 @@ interface(`dev_read_rand',` ## ## Read from pseudo random devices (e.g., /dev/urandom) ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_urand',`
@@ -829,9 +829,9 @@ interface(`dev_read_urand',` ## entropy used to generate the random data read from the ## random device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_write_rand',`
@@ -851,9 +851,9 @@ interface(`dev_write_rand',` ## Write to the pseudo random device (e.g., /dev/urandom). This ## sets the random number generator seed. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_write_urand',`
@@ -872,9 +872,9 @@ interface(`dev_write_urand',` ## ## Read and write to the null device (/dev/null). ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_rw_null_dev',`
@@ -893,9 +893,9 @@ interface(`dev_rw_null_dev',` ## ## Read and write to the zero device (/dev/zero). ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_rw_zero_dev',`
@@ -914,9 +914,9 @@ interface(`dev_rw_zero_dev',` ## ## Read, write, and execute the zero device (/dev/zero). ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_rwx_zero_dev',`
@@ -934,9 +934,9 @@ interface(`dev_rwx_zero_dev',` ## ## Read the realtime clock (/dev/rtc). ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_realtime_clock',`
@@ -955,9 +955,9 @@ interface(`dev_read_realtime_clock',` ## ## Read the realtime clock (/dev/rtc). ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_write_realtime_clock',`
@@ -976,9 +976,9 @@ interface(`dev_write_realtime_clock',` ## ## Read the realtime clock (/dev/rtc). ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_rw_realtime_clock',`
@@ -991,9 +991,9 @@ interface(`dev_rw_realtime_clock',` ## ## Get the attributes of the sound devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_getattr_snd_dev',`
@@ -1012,9 +1012,9 @@ interface(`dev_getattr_snd_dev',` ## ## Set the attributes of the sound devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_setattr_snd_dev',`
@@ -1033,9 +1033,9 @@ interface(`dev_setattr_snd_dev',` ## ## Read the sound devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_snd_dev',`
@@ -1054,9 +1054,9 @@ interface(`dev_read_snd_dev',` ## ## Write the sound devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_write_snd_dev',`
@@ -1075,9 +1075,9 @@ interface(`dev_write_snd_dev',` ## ## Read the sound mixer devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_snd_mixer_dev',`
@@ -1096,9 +1096,9 @@ interface(`dev_read_snd_mixer_dev',` ## ## Write the sound mixer devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_write_snd_mixer_dev',`
@@ -1117,9 +1117,9 @@ interface(`dev_write_snd_mixer_dev',` ## ## Read and write the agp devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_rw_agp_dev',`
@@ -1138,9 +1138,9 @@ interface(`dev_rw_agp_dev',` ## ## Getattr the agp devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_getattr_agp_dev',`
@@ -1159,9 +1159,9 @@ interface(`dev_getattr_agp_dev',` ## ## Read and write the dri devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_rw_dri_dev',`
@@ -1180,9 +1180,9 @@ interface(`dev_rw_dri_dev',` ## ## Dontaudit read and write on the dri devices. ## -## +## ## Domain to dontaudit access. -## +## ## # interface(`dev_dontaudit_rw_dri_dev',`
@@ -1199,9 +1199,9 @@ interface(`dev_dontaudit_rw_dri_dev',` ## ## Read the mtrr device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_mtrr',`
@@ -1220,9 +1220,9 @@ interface(`dev_read_mtrr',` ## ## Write the mtrr device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_write_mtrr',`
@@ -1241,9 +1241,9 @@ interface(`dev_write_mtrr',` ## ## Get the attributes of the framebuffer device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_getattr_framebuffer',`
@@ -1262,9 +1262,9 @@ interface(`dev_getattr_framebuffer',` ## ## Set the attributes of the framebuffer device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_setattr_framebuffer',`
@@ -1283,9 +1283,9 @@ interface(`dev_setattr_framebuffer',` ## ## Read the framebuffer device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_framebuffer',`
@@ -1304,9 +1304,9 @@ interface(`dev_read_framebuffer',` ## ## Write the framebuffer device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_write_framebuffer',`
@@ -1325,9 +1325,9 @@ interface(`dev_write_framebuffer',` ## ## Read the lvm comtrol device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_lvm_control',`
@@ -1346,9 +1346,9 @@ interface(`dev_read_lvm_control',` ## ## Read and write the lvm control device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_rw_lvm_control',`
@@ -1367,9 +1367,9 @@ interface(`dev_rw_lvm_control',` ## ## Delete the lvm control device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_delete_lvm_control',`
@@ -1388,9 +1388,9 @@ interface(`dev_delete_lvm_control',` ## ## Get the attributes of miscellaneous devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_getattr_misc',`
@@ -1410,9 +1410,9 @@ interface(`dev_getattr_misc',` ## Do not audit attempts to get the attributes ## of miscellaneous devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_dontaudit_getattr_misc',`
@@ -1429,9 +1429,9 @@ interface(`dev_dontaudit_getattr_misc',` ## ## Set the attributes of miscellaneous devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_setattr_misc',` @@ -1451,9 +1451,9 @@ interface(`dev_setattr_misc',` ## Do not audit attempts to set the attributes ## of miscellaneous devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_dontaudit_setattr_misc',` @@ -1470,9 +1470,9 @@ interface(`dev_dontaudit_setattr_misc',` ## ## Read miscellaneous devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_misc',` @@ -1491,9 +1491,9 @@ interface(`dev_read_misc',` ## ## Write miscellaneous devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_write_misc',` @@ -1512,9 +1512,9 @@ interface(`dev_write_misc',` ## ## Get the attributes of the mouse devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_getattr_mouse',` @@ -1533,9 +1533,9 @@ interface(`dev_getattr_mouse',` ## ## Set the attributes of the mouse devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_setattr_mouse',` @@ -1554,9 +1554,9 @@ interface(`dev_setattr_mouse',` ## ## Read the mouse devices. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_mouse',` @@ -1575,9 +1575,9 @@ interface(`dev_read_mouse',` ## ## Read the multiplexed input device (/dev/input). ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_input',` @@ -1596,9 +1596,9 @@ interface(`dev_read_input',` ## ## Read the multiplexed input device (/dev/input). ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_read_cpuid',` @@ -1618,9 +1618,9 @@ interface(`dev_read_cpuid',` ## Read and write the the cpu microcode device. This ## is required to load cpu microcode. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_rw_cpu_microcode',` 
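Review bot: In the @@ -1596 hunk the description kept above `interface(`dev_read_cpuid',`` still reads "Read the multiplexed input device (/dev/input).", byte-identical to the dev_read_input description in the preceding hunk, so it presumably was copied and never updated; it should say something like `## Read the cpuid device.`. The same copy-and-paste pattern survives on the new side elsewhere in this commit: the dev_getattr_video_dev and dev_setattr_video_dev parameter summaries ("The process type modifying the options.") are dev_rw_usbfs's text, the fs_manage_nfs_symlinks description says "on a CIFS or SMB network filesystem", and the fs_remount_nfsd_fs description says "Mount" rather than "Remount". These comments are what a policy author reads when deciding to grant a domain an interface, so a description that names the wrong device or filesystem obscures what access is actually being granted. The interface bodies themselves lie outside the hunks, so this is raised on the documentation only.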
@@ -1639,9 +1639,9 @@ interface(`dev_rw_cpu_microcode',` ## ## Get the attributes of the scanner device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_getattr_scanner',` @@ -1661,9 +1661,9 @@ interface(`dev_getattr_scanner',` ## Do not audit attempts to get the attributes of ## the scanner device. ## -## +## ## Domain to not audit. -## +## ## # interface(`dev_dontaudit_getattr_scanner',` @@ -1680,9 +1680,9 @@ interface(`dev_dontaudit_getattr_scanner',` ## ## Set the attributes of the scanner device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_setattr_scanner',` @@ -1702,9 +1702,9 @@ interface(`dev_setattr_scanner',` ## Do not audit attempts to set the attributes of ## the scanner device. ## -## +## ## Domain to not audit. -## +## ## # interface(`dev_dontaudit_setattr_scanner',` @@ -1721,9 +1721,9 @@ interface(`dev_dontaudit_setattr_scanner',` ## ## Read and write the scanner device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_rw_scanner',` @@ -1742,9 +1742,9 @@ interface(`dev_rw_scanner',` ## ## Get the attributes of the the power management device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_getattr_power_management',` @@ -1763,9 +1763,9 @@ interface(`dev_getattr_power_management',` ## ## Set the attributes of the the power management device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_setattr_power_management',` @@ -1784,9 +1784,9 @@ interface(`dev_setattr_power_management',` ## ## Read and write the the power management device. ## -## +## ## Domain allowed access. -## +## ## # interface(`dev_rw_power_management',` @@ -1805,9 +1805,9 @@ interface(`dev_rw_power_management',` ## ## Get the attributes of sysfs directories. ## -## +## ## The type of the process performing this action. -## +## ## # interface(`dev_getattr_sysfs_dir',` 
@@ -1824,9 +1824,9 @@ interface(`dev_getattr_sysfs_dir',` ## ## Search the directory containing hardware information. ## -## +## ## The type of the process performing this action. -## +## ## # interface(`dev_search_sysfs',` @@ -1843,9 +1843,9 @@ interface(`dev_search_sysfs',` ## ## Allow caller to read hardware state information. ## -## +## ## The process type reading hardware state information. -## +## ## # interface(`dev_read_sysfs',` @@ -1865,9 +1865,9 @@ interface(`dev_read_sysfs',` ## ## Allow caller to modify hardware state information. ## -## +## ## The process type modifying hardware state information. -## +## ## # interface(`dev_rw_sysfs',` @@ -1888,9 +1888,9 @@ interface(`dev_rw_sysfs',` ## ## Search the directory containing USB hardware information. ## -## +## ## The type of the process performing this action. -## +## ## # interface(`dev_search_usbfs',` @@ -1907,9 +1907,9 @@ interface(`dev_search_usbfs',` ## ## Allow caller to get a list of usb hardware. ## -## +## ## The process type getting the list. -## +## ## # interface(`dev_list_usbfs',` @@ -1931,9 +1931,9 @@ interface(`dev_list_usbfs',` ## Read USB hardware information using ## the usbfs filesystem interface. ## -## +## ## The type of the process performing this action. -## +## ## # interface(`dev_read_usbfs',` @@ -1953,9 +1953,9 @@ interface(`dev_read_usbfs',` ## ## Allow caller to modify usb hardware configuration files. ## -## +## ## The process type modifying the options. -## +## ## # interface(`dev_rw_usbfs',` @@ -1976,9 +1976,9 @@ interface(`dev_rw_usbfs',` ## ## Get the attributes of video4linux devices. ## -## +## ## The process type modifying the options. -## +## ## # interface(`dev_getattr_video_dev',` @@ -1997,9 +1997,9 @@ interface(`dev_getattr_video_dev',` ## ## Set the attributes of video4linux devices. ## -## +## ## The process type modifying the options. -## +## ## # interface(`dev_setattr_video_dev',` 
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 6ab8773f..02614760 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -3,12 +3,12 @@ ######################################## ## -## +## ## Transform specified type into a filesystem type. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`fs_make_fs',` @@ -21,14 +21,14 @@ interface(`fs_make_fs',` ######################################## ## -## +## ## Transform specified type into a filesystem ## type which does not have extended attribute ## support. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`fs_make_noxattr_fs',` @@ -43,15 +43,15 @@ interface(`fs_make_noxattr_fs',` ######################################## ## -## +## ## Associate the specified file type to persistent ## filesystems with extended attributes. This ## allows a file of this type to be created on ## a filesystem such as ext3, JFS, and XFS. -## -## +## +## ## The type of the to be associated. -## +## ## # interface(`fs_associate',` @@ -65,16 +65,16 @@ interface(`fs_associate',` ######################################## ## -## +## ## Associate the specified file type to ## filesystems which lack extended attributes ## support. This allows a file of this type ## to be created on a filesystem such as ## FAT32, and NFS. -## -## +## +## ## The type of the to be associated. -## +## ## # interface(`fs_associate_noxattr',` @@ -88,14 +88,14 @@ interface(`fs_associate_noxattr',` ######################################## ## -## +## ## Mount a persistent filesystem which ## has extended attributes, such as ## ext3, JFS, or XFS. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_mount_xattr_fs',` 
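Review bot: The parameter summaries in the @@ -43 and @@ -65 hunks (fs_associate and fs_associate_noxattr) read "The type of the to be associated." and are missing their noun; since both descriptions speak of associating a file type, `## The type of the file to be associated.` would match. The interface bodies start after the hunks end, so this concerns only the documentation.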
@@ -109,15 +109,15 @@ interface(`fs_mount_xattr_fs',` ######################################## ## -## +## ## Remount a persistent filesystem which ## has extended attributes, such as ## ext3, JFS, or XFS. This allows ## some mount options to be changed. -## -## +## +## ## The type of the domain remounting the filesystem. -## +## ## # interface(`fs_remount_xattr_fs',` @@ -131,14 +131,14 @@ interface(`fs_remount_xattr_fs',` ######################################## ## -## +## ## Unmount a persistent filesystem which ## has extended attributes, such as ## ext3, JFS, or XFS. -## -## +## +## ## The type of the domain unmounting the filesystem. -## +## ## # interface(`fs_unmount_xattr_fs',` @@ -152,15 +152,15 @@ interface(`fs_unmount_xattr_fs',` ######################################## ## -## +## ## Get the attributes of a persistent ## filesystem which has extended ## attributes, such as ext3, JFS, or XFS. -## -## +## +## ## The type of the domain doing the ## getattr on the filesystem. -## +## ## # interface(`fs_getattr_xattr_fs',` @@ -174,15 +174,15 @@ interface(`fs_getattr_xattr_fs',` ######################################## ## -## +## ## Do not audit attempts to ## get the attributes of a persistent ## filesystem which has extended ## attributes, such as ext3, JFS, or XFS. -## -## +## +## ## The type of the domain to not audit. -## +## ## # interface(`fs_dontaudit_getattr_xattr_fs',` @@ -196,14 +196,14 @@ interface(`fs_dontaudit_getattr_xattr_fs',` ######################################## ## -## +## ## Allow changing of the label of a ## filesystem with extended attributes ## using the context= mount option. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_relabelfrom_xattr_fs',` 
@@ -217,12 +217,12 @@ interface(`fs_relabelfrom_xattr_fs',` ######################################## ## -## +## ## Mount an automount pseudo filesystem. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_mount_autofs',` @@ -237,13 +237,13 @@ interface(`fs_mount_autofs',` ######################################## ## -## +## ## Remount an automount pseudo filesystem ## This allows some mount options to be changed. -## -## +## +## ## The type of the domain remounting the filesystem. -## +## ## # interface(`fs_remount_autofs',` @@ -257,12 +257,12 @@ interface(`fs_remount_autofs',` ######################################## ## -## +## ## Unmount an automount pseudo filesystem. -## -## +## +## ## The type of the domain unmounting the filesystem. -## +## ## # interface(`fs_unmount_autofs',` @@ -276,14 +276,14 @@ interface(`fs_unmount_autofs',` ######################################## ## -## +## ## Get the attributes of an automount ## pseudo filesystem. -## -## +## +## ## The type of the domain doing the ## getattr on the filesystem. -## +## ## # interface(`fs_getattr_autofs',` @@ -297,7 +297,7 @@ interface(`fs_getattr_autofs',` ######################################## ## -## +## ## Register an interpreter for new binary ## file types, using the kernel binfmt_misc ## support. A common use for this is to @@ -305,11 +305,11 @@ interface(`fs_getattr_autofs',` ## Java byte code. Registered binaries ## can be directly executed on a command line ## without specifying the interpreter. -## -## +## +## ## The type of the domain registering ## the interpreter. -## +## ## # interface(`fs_register_binary_executable_type',` @@ -325,12 +325,12 @@ interface(`fs_register_binary_executable_type',` ######################################## ## -## +## ## Mount a CIFS or SMB network filesystem. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_mount_cifs',` 
@@ -344,13 +344,13 @@ interface(`fs_mount_cifs',` ######################################## ## -## +## ## Remount a CIFS or SMB network filesystem. ## This allows some mount options to be changed. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_remount_cifs',` @@ -364,12 +364,12 @@ interface(`fs_remount_cifs',` ######################################## ## -## +## ## Unmount a CIFS or SMB network filesystem. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_unmount_cifs',` @@ -383,14 +383,14 @@ interface(`fs_unmount_cifs',` ######################################## ## -## +## ## Get the attributes of a CIFS or ## SMB network filesystem. -## -## +## +## ## The type of the domain doing the ## getattr on the filesystem. -## +## ## # interface(`fs_getattr_cifs',` @@ -404,12 +404,12 @@ interface(`fs_getattr_cifs',` ######################################## ## -## +## ## Read files on a CIFS or SMB filesystem. -## -## +## +## ## The type of the domain reading the files. -## +## ## # interface(`fs_read_cifs_files',` @@ -425,13 +425,13 @@ interface(`fs_read_cifs_files',` ######################################## ## -## +## ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. -## -## +## +## ## The type of the domain to not audit. -## +## ## # interface(`fs_dontaudit_rw_cifs_files',` @@ -445,12 +445,12 @@ interface(`fs_dontaudit_rw_cifs_files',` ######################################## ## -## +## ## Read symbolic links on a CIFS or SMB filesystem. -## -## +## +## ## The type of the domain reading the symbolic links. -## +## ## # interface(`fs_read_cifs_symlinks',` @@ -466,14 +466,14 @@ interface(`fs_read_cifs_symlinks',` ######################################## ## -## +## ## Execute files on a CIFS or SMB ## network filesystem, in the caller ## domain. -## -## +## +## ## The type of the domain executing the files. -## +## ## # interface(`fs_execute_cifs_files',` 
@@ -488,13 +488,13 @@ interface(`fs_execute_cifs_files',` ######################################## ## -## +## ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystems. -## -## +## +## ## The type of the domain to not audit. -## +## ## # interface(`fs_read_cifs_files',` @@ -508,13 +508,13 @@ interface(`fs_read_cifs_files',` ######################################## ## -## +## ## Create, read, write, and delete directories ## on a CIFS or SMB network filesystem. -## -## +## +## ## The type of the domain managing the directories. -## +## ## # interface(`fs_manage_cifs_dirs',` @@ -528,13 +528,13 @@ interface(`fs_manage_cifs_dirs',` ######################################## ## -## +## ## Create, read, write, and delete files ## on a CIFS or SMB network filesystem. -## -## +## +## ## The type of the domain managing the files. -## +## ## # interface(`fs_manage_cifs_files',` @@ -550,13 +550,13 @@ interface(`fs_manage_cifs_files',` ######################################## ## -## +## ## Create, read, write, and delete symbolic links ## on a CIFS or SMB network filesystem. -## -## +## +## ## The type of the domain managing the symbolic links. -## +## ## # interface(`fs_manage_cifs_symlinks',` @@ -572,13 +572,13 @@ interface(`fs_manage_cifs_symlinks',` ######################################## ## -## +## ## Create, read, write, and delete named pipes ## on a CIFS or SMB network filesystem. -## -## +## +## ## The type of the domain managing the pipes. -## +## ## # interface(`fs_manage_cifs_named_pipes',` @@ -594,13 +594,13 @@ interface(`fs_manage_cifs_named_pipes',` ######################################## ## -## +## ## Create, read, write, and delete named sockets ## on a CIFS or SMB network filesystem. -## -## +## +## ## The type of the domain managing the sockets. -## +## ## # interface(`fs_manage_cifs_named_sockets',` 
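Review bot: The @@ -488 hunk retains a second `interface(`fs_read_cifs_files',`` whose description is "Do not audit attempts to read or write files on a CIFS or SMB filesystems.", while the @@ -404 hunk on the previous line already defines fs_read_cifs_files as "Read files on a CIFS or SMB filesystem." and the @@ -425 hunk defines fs_dontaudit_rw_cifs_files with this same dontaudit wording. Two m4 definitions under one name means only one of them is in effect, so a caller that asks for read access to CIFS files may, depending on which definition wins, end up with only a dontaudit rule (or the dontaudit variant may be masked); this cannot be confirmed from the hunk because the body is outside it. The block at -488 looks like a leftover duplicate: either remove it or rename it so that the interface name states the access it grants, and verify the body against whichever name is kept.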
@@ -616,13 +616,13 @@ interface(`fs_manage_cifs_named_sockets',` ######################################## ## -## +## ## Mount a DOS filesystem, such as ## FAT32 or NTFS. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_mount_dos_fs',` @@ -636,14 +636,14 @@ interface(`fs_mount_dos_fs',` ######################################## ## -## +## ## Remount a DOS filesystem, such as ## FAT32 or NTFS. This allows ## some mount options to be changed. -## -## +## +## ## The type of the domain remounting the filesystem. -## +## ## # interface(`fs_remount_dos_fs',` @@ -657,13 +657,13 @@ interface(`fs_remount_dos_fs',` ######################################## ## -## +## ## Unmount a DOS filesystem, such as ## FAT32 or NTFS. -## -## +## +## ## The type of the domain unmounting the filesystem. -## +## ## # interface(`fs_unmount_dos_fs',` @@ -677,14 +677,14 @@ interface(`fs_unmount_dos_fs',` ######################################## ## -## +## ## Get the attributes of a DOS ## filesystem, such as FAT32 or NTFS. -## -## +## +## ## The type of the domain doing the ## getattr on the filesystem. -## +## ## # interface(`fs_getattr_dos_fs',` @@ -698,13 +698,13 @@ interface(`fs_getattr_dos_fs',` ######################################## ## -## +## ## Allow changing of the label of a ## DOS filesystem using the context= mount option. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_relabelfrom_dos_fs',` @@ -718,13 +718,13 @@ interface(`fs_relabelfrom_dos_fs',` ######################################## ## -## +## ## Mount an iso9660 filesystem, which ## is usually used on CDs. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_mount_iso9660_fs',` 
@@ -738,14 +738,14 @@ interface(`fs_mount_iso9660_fs',` ######################################## ## -## +## ## Remount an iso9660 filesystem, which ## is usually used on CDs. This allows ## some mount options to be changed. -## -## +## +## ## The type of the domain remounting the filesystem. -## +## ## # interface(`fs_remount_iso9660_fs',` @@ -759,13 +759,13 @@ interface(`fs_remount_iso9660_fs',` ######################################## ## -## +## ## Unmount an iso9660 filesystem, which ## is usually used on CDs. -## -## +## +## ## The type of the domain unmounting the filesystem. -## +## ## # interface(`fs_unmount_iso9660_fs',` @@ -779,14 +779,14 @@ interface(`fs_unmount_iso9660_fs',` ######################################## ## -## +## ## Get the attributes of an iso9660 ## filesystem, which is usually used on CDs. -## -## +## +## ## The type of the domain doing the ## getattr on the filesystem. -## +## ## # interface(`fs_getattr_iso9660_fs',` @@ -800,12 +800,12 @@ interface(`fs_getattr_iso9660_fs',` ######################################## ## -## +## ## Mount a NFS filesystem. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_mount_nfs',` @@ -819,13 +819,13 @@ interface(`fs_mount_nfs',` ######################################## ## -## +## ## Remount a NFS filesystem. This allows ## some mount options to be changed. -## -## +## +## ## The type of the domain remounting the filesystem. -## +## ## # interface(`fs_remount_nfs',` @@ -839,12 +839,12 @@ interface(`fs_remount_nfs',` ######################################## ## -## +## ## Unmount a NFS filesystem. -## -## +## +## ## The type of the domain unmounting the filesystem. -## +## ## # interface(`fs_unmount_nfs',` 
@@ -858,13 +858,13 @@ interface(`fs_unmount_nfs',` ######################################## ## -## +## ## Get the attributes of a NFS filesystem. -## -## +## +## ## The type of the domain doing the ## getattr on the filesystem. -## +## ## # interface(`fs_getattr_nfs',` @@ -878,12 +878,12 @@ interface(`fs_getattr_nfs',` ######################################## ## -## +## ## Read files on a NFS filesystem. -## -## +## +## ## The type of the domain reading the files. -## +## ## # interface(`fs_read_nfs_files',` @@ -899,12 +899,12 @@ interface(`fs_read_nfs_files',` ######################################## ## -## +## ## Execute files on a NFS filesystem. -## -## +## +## ## The type of the domain executing the files. -## +## ## # interface(`fs_execute_nfs_files',` @@ -919,13 +919,13 @@ interface(`fs_execute_nfs_files',` ######################################## ## -## +## ## Do not audit attempts to read or ## write files on a NFS filesystem. -## -## +## +## ## The type of the domain to not audit. -## +## ## # interface(`fs_dontaudit_rw_nfs_files',` @@ -939,12 +939,12 @@ interface(`fs_dontaudit_rw_nfs_files',` ######################################## ## -## +## ## Read symbolic links on a NFS filesystem. -## -## +## +## ## The type of the domain reading the symbolic links. -## +## ## # interface(`fs_read_nfs_symlinks',` @@ -960,13 +960,13 @@ interface(`fs_read_nfs_symlinks',` ######################################## ## -## +## ## Create, read, write, and delete directories ## on a NFS filesystem. -## -## +## +## ## The type of the domain managing the directories. -## +## ## # interface(`fs_manage_nfs_dirs',` @@ -980,13 +980,13 @@ interface(`fs_manage_nfs_dirs',` ######################################## ## -## +## ## Create, read, write, and delete files ## on a NFS filesystem. -## -## +## +## ## The type of the domain managing the files. -## +## ## # interface(`fs_manage_nfs_files',` 
@@ -1002,13 +1002,13 @@ interface(`fs_manage_nfs_files',` ######################################### ## -## +## ## Create, read, write, and delete symbolic links ## on a CIFS or SMB network filesystem. -## -## +## +## ## The type of the domain managing the symbolic links. -## +## ## # interface(`fs_manage_nfs_symlinks',` @@ -1024,13 +1024,13 @@ interface(`fs_manage_nfs_symlinks',` ######################################### ## -## +## ## Create, read, write, and delete named pipes ## on a NFS filesystem. -## -## +## +## ## The type of the domain managing the pipes. -## +## ## # interface(`fs_manage_nfs_named_pipes',` @@ -1046,13 +1046,13 @@ interface(`fs_manage_nfs_named_pipes',` ######################################### ## -## +## ## Create, read, write, and delete named sockets ## on a NFS filesystem. -## -## +## +## ## The type of the domain managing the sockets. -## +## ## # interface(`fs_manage_nfs_named_sockets',` @@ -1068,12 +1068,12 @@ interface(`fs_manage_nfs_named_sockets',` ######################################## ## -## +## ## Mount a NFS server pseudo filesystem. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_mount_nfsd_fs',` @@ -1087,13 +1087,13 @@ interface(`fs_mount_nfsd_fs',` ######################################## ## -## +## ## Mount a NFS server pseudo filesystem. ## This allows some mount options to be changed. -## -## +## +## ## The type of the domain remounting the filesystem. -## +## ## # interface(`fs_remount_nfsd_fs',` @@ -1107,12 +1107,12 @@ interface(`fs_remount_nfsd_fs',` ######################################## ## -## +## ## Unmount a NFS server pseudo filesystem. -## -## +## +## ## The type of the domain unmounting the filesystem. -## +## ## # interface(`fs_unmount_nfsd_fs',` 
@@ -1126,14 +1126,14 @@ interface(`fs_unmount_nfsd_fs',` ######################################## ## -## +## ## Get the attributes of a NFS server ## pseudo filesystem. -## -## +## +## ## The type of the domain doing the ## getattr on the filesystem. -## +## ## # interface(`fs_getattr_nfsd_fs',` @@ -1147,12 +1147,12 @@ interface(`fs_getattr_nfsd_fs',` ######################################## ## -## +## ## Mount a RAM filesystem. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_mount_ramfs',` @@ -1166,13 +1166,13 @@ interface(`fs_mount_ramfs',` ######################################## ## -## +## ## Remount a RAM filesystem. This allows ## some mount options to be changed. -## -## +## +## ## The type of the domain remounting the filesystem. -## +## ## # interface(`fs_remount_ramfs',` @@ -1186,12 +1186,12 @@ interface(`fs_remount_ramfs',` ######################################## ## -## +## ## Unmount a RAM filesystem. -## -## +## +## ## The type of the domain unmounting the filesystem. -## +## ## # interface(`fs_unmount_ramfs',` @@ -1205,13 +1205,13 @@ interface(`fs_unmount_ramfs',` ######################################## ## -## +## ## Get the attributes of a RAM filesystem. -## -## +## +## ## The type of the domain doing the ## getattr on the filesystem. -## +## ## # interface(`fs_getattr_ramfs',` @@ -1225,12 +1225,12 @@ interface(`fs_getattr_ramfs',` ######################################## ## -## +## ## Mount a ROM filesystem. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_mount_romfs',` @@ -1244,13 +1244,13 @@ interface(`fs_mount_romfs',` ######################################## ## -## +## ## Remount a ROM filesystem. This allows ## some mount options to be changed. -## -## +## +## ## The type of the domain remounting the filesystem. -## +## ## # interface(`fs_remount_romfs',` 
@@ -1264,12 +1264,12 @@ interface(`fs_remount_romfs',` ######################################## ## -## +## ## Unmount a ROM filesystem. -## -## +## +## ## The type of the domain unmounting the filesystem. -## +## ## # interface(`fs_unmount_romfs',` @@ -1283,14 +1283,14 @@ interface(`fs_unmount_romfs',` ######################################## ## -## +## ## Get the attributes of a ROM ## filesystem. -## -## +## +## ## The type of the domain doing the ## getattr on the filesystem. -## +## ## # interface(`fs_getattr_romfs',` @@ -1304,12 +1304,12 @@ interface(`fs_getattr_romfs',` ######################################## ## -## +## ## Mount a RPC pipe filesystem. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_mount_rpc_pipefs',` @@ -1323,13 +1323,13 @@ interface(`fs_mount_rpc_pipefs',` ######################################## ## -## +## ## Remount a RPC pipe filesystem. This ## allows some mount option to be changed. -## -## +## +## ## The type of the domain remounting the filesystem. -## +## ## # interface(`fs_remount_rpc_pipefs',` @@ -1343,12 +1343,12 @@ interface(`fs_remount_rpc_pipefs',` ######################################## ## -## +## ## Unmount a RPC pipe filesystem. -## -## +## +## ## The type of the domain unmounting the filesystem. -## +## ## # interface(`fs_unmount_rpc_pipefs',` @@ -1362,14 +1362,14 @@ interface(`fs_unmount_rpc_pipefs',` ######################################## ## -## +## ## Get the attributes of a RPC pipe ## filesystem. -## -## +## +## ## The type of the domain doing the ## getattr on the filesystem. -## +## ## # interface(`fs_getattr_rpc_pipefs',` @@ -1383,12 +1383,12 @@ interface(`fs_getattr_rpc_pipefs',` ######################################## ## -## +## ## Mount a tmpfs filesystem. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_mount_tmpfs',` 
@@ -1402,12 +1402,12 @@ interface(`fs_mount_tmpfs',` ######################################## ## -## +## ## Remount a tmpfs filesystem. -## -## +## +## ## The type of the domain remounting the filesystem. -## +## ## # interface(`fs_remount_tmpfs',` @@ -1421,12 +1421,12 @@ interface(`fs_remount_tmpfs',` ######################################## ## -## +## ## Unmount a tmpfs filesystem. -## -## +## +## ## The type of the domain unmounting the filesystem. -## +## ## # interface(`fs_unmount_tmpfs',` @@ -1440,14 +1440,14 @@ interface(`fs_unmount_tmpfs',` ######################################## ## -## +## ## Get the attributes of a tmpfs ## filesystem. -## -## +## +## ## The type of the domain doing the ## getattr on the filesystem. -## +## ## # interface(`fs_getattr_tmpfs',` @@ -1461,12 +1461,12 @@ interface(`fs_getattr_tmpfs',` ######################################## ## -## +## ## Allow the type to associate to tmpfs filesystems. -## -## +## +## ## The type of the object to be associated. -## +## ## # interface(`fs_associate_tmpfs',` @@ -1501,12 +1501,12 @@ interface(`fs_create_tmpfs_data',` ######################################## ## -## +## ## Read and write character nodes on tmpfs filesystems. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`fs_use_tmpfs_character_devices',` @@ -1522,12 +1522,12 @@ interface(`fs_use_tmpfs_character_devices',` ######################################## ## -## +## ## Relabel character nodes on tmpfs filesystems. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`fs_relabel_tmpfs_character_devices',` @@ -1543,12 +1543,12 @@ interface(`fs_relabel_tmpfs_character_devices',` ######################################## ## -## +## ## Read and write block nodes on tmpfs filesystems. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`fs_use_tmpfs_block_devices',` 
@@ -1564,12 +1564,12 @@ interface(`fs_use_tmpfs_block_devices',` ######################################## ## -## +## ## Relabel block nodes on tmpfs filesystems. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`fs_relabel_tmpfs_block_devices',` @@ -1585,13 +1585,13 @@ interface(`fs_relabel_tmpfs_block_devices',` ######################################## ## -## +## ## Read and write, create and delete character ## nodes on tmpfs filesystems. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`fs_manage_tmpfs_character_devices',` @@ -1607,13 +1607,13 @@ interface(`fs_manage_tmpfs_character_devices',` ######################################## ## -## +## ## Read and write, create and delete block nodes ## on tmpfs filesystems. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`fs_manage_tmpfs_block_devices',` @@ -1629,12 +1629,12 @@ interface(`fs_manage_tmpfs_block_devices',` ######################################## ## -## +## ## Mount all filesystems. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_mount_all_fs',` @@ -1648,13 +1648,13 @@ interface(`fs_mount_all_fs',` ######################################## ## -## +## ## Remount all filesystems. This ## allows some mount options to be changed. -## -## +## +## ## The type of the domain mounting the filesystem. -## +## ## # interface(`fs_remount_all_fs',` @@ -1668,12 +1668,12 @@ interface(`fs_remount_all_fs',` ######################################## ## -## +## ## Unmount all filesystems. -## -## +## +## ## The type of the domain unmounting the filesystem. -## +## ## # interface(`fs_unmount_all_fs',` 
@@ -1687,14 +1687,14 @@ interface(`fs_unmount_all_fs',` ######################################## ## -## +## ## Get the attributes of all persistent ## filesystems. -## -## +## +## ## The type of the domain doing the ## getattr on the filesystem. -## +## ## # interface(`fs_getattr_all_fs',` @@ -1708,13 +1708,13 @@ interface(`fs_getattr_all_fs',` ######################################## ## -## +## ## Do not audit attempts to get the attributes ## all filesystems. -## -## +## +## ## The type of the domain to not audit. -## +## ## # interface(`fs_dontaudit_getattr_all_fs',` @@ -1728,12 +1728,12 @@ interface(`fs_dontaudit_getattr_all_fs',` ######################################## ## -## +## ## Get the quotas of all filesystems. -## -## +## +## ## The type of the domain getting quotas. -## +## ## # interface(`fs_get_all_fs_quotas',` @@ -1747,12 +1747,12 @@ interface(`fs_get_all_fs_quotas',` ######################################## ## -## +## ## Set the quotas of all filesystems. -## -## +## +## ## The type of the domain setting quotas. -## +## ## # interface(`fs_set_all_quotas',` diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 8c13fdf6..601a219a 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -6,16 +6,16 @@ ######################################## ## -## +## ## Allows to start userland processes ## by transitioning to the specified domain. -## -## +## +## ## The process type entered by kernel. -## -## +## +## ## The executable type for the entrypoint. -## +## ## # interface(`kernel_userland_entry',` @@ -36,13 +36,13 @@ interface(`kernel_userland_entry',` ######################################## ## -## +## ## Allows the kernel to mount filesystems on ## the specified directory type. -## -## +## +## ## The type of the directory to use as a mountpoint. -## +## ## # interface(`kernel_rootfs_mountpoint',` 
@@ -56,12 +56,12 @@ interface(`kernel_rootfs_mountpoint',` ######################################## ## -## +## ## Send a SIGCHLD signal to kernel threads. -## -## +## +## ## The type of the process sending the signal. -## +## ## # interface(`kernel_sigchld',` @@ -75,13 +75,13 @@ interface(`kernel_sigchld',` ######################################## ## -## +## ## Allows the kernel to share state information with ## the caller. -## -## +## +## ## The type of the process with which to share state information. -## +## ## # interface(`kernel_share_state',` @@ -95,12 +95,12 @@ interface(`kernel_share_state',` ######################################## ## -## +## ## Permits caller to use kernel file descriptors. -## -## +## +## ## The type of the process using the descriptors. -## +## ## # interface(`kernel_use_fd',` @@ -114,13 +114,13 @@ interface(`kernel_use_fd',` ######################################## ## -## +## ## Do not audit attempts to use ## kernel file descriptors. -## -## +## +## ## The type of process not to audit. -## +## ## # interface(`kernel_dontaudit_use_fd',` @@ -134,12 +134,12 @@ interface(`kernel_dontaudit_use_fd',` ######################################## ## -## +## ## Allows caller to load kernel modules -## -## +## +## ## The process type to allow to load kernel modules. -## +## ## # interface(`kernel_load_module',` @@ -154,12 +154,12 @@ interface(`kernel_load_module',` ######################################## ## -## +## ## Allows caller to read the ring buffer. -## -## +## +## ## The process type allowed to read the ring buffer. -## +## ## # interface(`kernel_read_ring_buffer',` @@ -173,12 +173,12 @@ interface(`kernel_read_ring_buffer',` ######################################## ## -## +## ## Do not audit attempts to read the ring buffer. -## -## +## +## ## The domain to not audit. -## +## ## # interface(`kernel_dontaudit_read_ring_buffer',` 
@@ -192,12 +192,12 @@ interface(`kernel_dontaudit_read_ring_buffer',` ######################################## ## -## +## ## -## -## +## +## ## -## +## ## # interface(`kernel_change_ring_buffer_level',` @@ -211,12 +211,12 @@ interface(`kernel_change_ring_buffer_level',` ######################################## ## -## +## ## Allows the caller to clear the ring buffer. -## -## +## +## ## The process type clearing the buffer. -## +## ## # interface(`kernel_clear_ring_buffer',` @@ -230,12 +230,12 @@ interface(`kernel_clear_ring_buffer',` ######################################## ## -## +## ## Get information on all System V IPC objects. -## -## +## +## ## -## +## ## # interface(`kernel_get_sysvipc_info',` @@ -249,12 +249,12 @@ interface(`kernel_get_sysvipc_info',` ######################################## ## -## +## ## Allows caller to read system state information. -## -## +## +## ## The process type reading the system state information. -## +## ## # interface(`kernel_read_system_state',` @@ -272,13 +272,13 @@ interface(`kernel_read_system_state',` ######################################## ## -## +## ## Do not audit attempts by caller to ## read system state information. -## -## +## +## ## The process type not to audit. -## +## ## # interface(`kernel_dontaudit_read_system_state',` @@ -292,12 +292,12 @@ interface(`kernel_dontaudit_read_system_state',` ####################################### ## -## +## ## Allow caller to read the state information for software raid. -## -## +## +## ## The process type reading software raid state. -## +## ## # interface(`kernel_read_software_raid_state',` @@ -313,12 +313,12 @@ interface(`kernel_read_software_raid_state',` ######################################## ## -## +## ## Allows caller to get attribues of core kernel interface. -## -## +## +## ## The process type getting the attibutes. -## +## ## # interface(`kernel_getattr_core',` 
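Review bot: The kernel_change_ring_buffer_level block in hunk @@ -192 still carries an empty summary and an empty parameter description after the tag rename, and the kernel_get_sysvipc_info block in hunk @@ -230 has an empty parameter description, so the renamed tags wrap nothing. These interfaces hand out access to kernel state, and a policy author choosing between them currently has nothing to go on but the name. Fill them in the form of the neighbouring blocks, e.g. `## The process type changing the ring buffer level.` and `## The process type getting the IPC information.`, with the summary for kernel_change_ring_buffer_level stated from what its body (outside this hunk) actually allows.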
@@ -334,13 +334,13 @@ interface(`kernel_getattr_core',` ######################################## ## -## +## ## Do not audit attempts to get the attributes of ## core kernel interfaces. -## -## +## +## ## The process type to not audit. -## +## ## # interface(`kernel_dontaudit_getattr_core',` @@ -354,13 +354,13 @@ interface(`kernel_dontaudit_getattr_core',` ######################################## ## -## +## ## Allow caller to read kernel messages ## using the /proc/kmsg interface. -## -## +## +## ## The process type reading the messages. -## +## ## # interface(`kernel_read_messages',` @@ -378,13 +378,13 @@ interface(`kernel_read_messages',` ######################################## ## -## +## ## Allow caller to get the attributes of kernel message ## interface (/proc/kmsg). -## -## +## +## ## The process type getting the attributes. -## +## ## # interface(`kernel_getattr_message_if',` @@ -400,13 +400,13 @@ interface(`kernel_getattr_message_if',` ######################################## ## -## +## ## Do not audit attempts by caller to get the attributes of kernel ## message interfaces. -## -## +## +## ## The process type not to audit. -## +## ## # interface(`kernel_dontaudit_getattr_message_if',` @@ -420,12 +420,12 @@ interface(`kernel_dontaudit_getattr_message_if',` ######################################## ## -## +## ## Allow caller to read the network state information. -## -## +## +## ## The process type reading the state. -## +## ## ## # @@ -443,12 +443,12 @@ interface(`kernel_read_network_state',` ######################################## ## -## +## ## Do not audit attempts by caller to search the sysctl directory. -## -## +## +## ## The process type not to audit. -## +## ## ## # 
@@ -463,12 +463,12 @@ interface(`kernel_dontaudit_search_sysctl_dir',` ######################################## ## -## +## ## Allow caller to read the device sysctls. -## -## +## +## ## The process type to allow to read the device sysctls. -## +## ## # interface(`kernel_read_device_sysctl',` @@ -486,12 +486,12 @@ interface(`kernel_read_device_sysctl',` ######################################## ## -## +## ## Read and write device sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_rw_device_sysctl',` @@ -508,12 +508,12 @@ interface(`kernel_rw_device_sysctl',` ######################################## ## -## +## ## Allow caller to read virtual memory sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## ## # @@ -531,12 +531,12 @@ interface(`kernel_read_vm_sysctl',` ######################################## ## -## +## ## Read and write virtual memory sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_rw_vm_sysctl',` @@ -553,12 +553,12 @@ interface(`kernel_rw_vm_sysctl',` ######################################## ## -## +## ## Do not audit attempts by caller to search sysctl network directories. -## -## +## +## ## The process type not to audit. -## +## ## # interface(`kernel_dontaudit_search_network_sysctl_dir',` @@ -572,12 +572,12 @@ interface(`kernel_dontaudit_search_network_sysctl_dir',` ######################################## ## -## +## ## Allow caller to read network sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## ## # @@ -596,12 +596,12 @@ interface(`kernel_read_net_sysctl',` ######################################## ## -## +## ## Allow caller to modiry contents of sysctl network files. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_rw_net_sysctl',` 
@@ -619,13 +619,13 @@ interface(`kernel_rw_net_sysctl',` ######################################## ## -## +## ## Allow caller to read unix domain ## socket sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_read_unix_sysctl',` @@ -643,13 +643,13 @@ interface(`kernel_read_unix_sysctl',` ######################################## ## -## +## ## Read and write unix domain ## socket sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_rw_unix_sysctl',` @@ -667,12 +667,12 @@ interface(`kernel_rw_unix_sysctl',` ######################################## ## -## +## ## Read the hotplug sysctl. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_read_hotplug_sysctl',` @@ -690,12 +690,12 @@ interface(`kernel_read_hotplug_sysctl',` ######################################## ## -## +## ## Read and write the hotplug sysctl. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_rw_hotplug_sysctl',` @@ -713,12 +713,12 @@ interface(`kernel_rw_hotplug_sysctl',` ######################################## ## -## +## ## Read the modprobe sysctl. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_read_modprobe_sysctl',` @@ -736,12 +736,12 @@ interface(`kernel_read_modprobe_sysctl',` ######################################## ## -## +## ## Read and write the modprobe sysctl. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_rw_modprobe_sysctl',` @@ -759,12 +759,12 @@ interface(`kernel_rw_modprobe_sysctl',` ######################################## ## -## +## ## Read generic kernel sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_read_kernel_sysctl',` 
@@ -782,12 +782,12 @@ interface(`kernel_read_kernel_sysctl',` ######################################## ## -## +## ## Read and write generic kernel sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_rw_kernel_sysctl',` @@ -805,12 +805,12 @@ interface(`kernel_rw_kernel_sysctl',` ######################################## ## -## +## ## Read filesystem sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_read_fs_sysctl',` @@ -828,12 +828,12 @@ interface(`kernel_read_fs_sysctl',` ######################################## ## -## +## ## Read and write fileystem sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_rw_fs_sysctl',` @@ -851,12 +851,12 @@ interface(`kernel_rw_fs_sysctl',` ######################################## ## -## +## ## Read IRQ sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_read_irq_sysctl',` @@ -873,12 +873,12 @@ interface(`kernel_read_irq_sysctl',` ######################################## ## -## +## ## Read and write IRQ sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## ## # @@ -930,12 +930,12 @@ interface(`kernel_rw_rpc_sysctl',` ######################################## ## -## +## ## Allow caller to read all sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_read_all_sysctl',` @@ -953,12 +953,12 @@ interface(`kernel_read_all_sysctl',` ######################################## ## -## +## ## Read and write all sysctls. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_rw_all_sysctl',` 
@@ -976,12 +976,12 @@ interface(`kernel_rw_all_sysctl',` ######################################## ## -## +## ## Send a kill signal to unlabeled processes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_kill_unlabeled',` @@ -995,12 +995,12 @@ interface(`kernel_kill_unlabeled',` ######################################## ## -## +## ## Send general signals to unlabeled processes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_signal_unlabeled',` @@ -1014,12 +1014,12 @@ interface(`kernel_signal_unlabeled',` ######################################## ## -## +## ## Send a null signal to unlabeled processes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_signull_unlabeled',` @@ -1033,12 +1033,12 @@ interface(`kernel_signull_unlabeled',` ######################################## ## -## +## ## Send a stop signal to unlabeled processes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_sigstop_unlabeled',` @@ -1052,12 +1052,12 @@ interface(`kernel_sigstop_unlabeled',` ######################################## ## -## +## ## Send a child terminated signal to unlabeled processes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`kernel_sigchld_unlabeled',` @@ -1071,13 +1071,13 @@ interface(`kernel_sigchld_unlabeled',` ######################################## ## -## +## ## Do not audit attempts by caller to get attributes for ## unlabeled block devices. -## -## +## +## ## The process type not to audit. -## +## ## # interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',` 
@@ -1091,12 +1091,12 @@ interface(`kernel_dontaudit_getattr_unlabeled_blk_dev',` ######################################## ## -## +## ## Allow caller to relabel unlabeled objects. -## -## +## +## ## The process type relabeling the objects. -## +## ## # interface(`kernel_relabel_unlabeled',` diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if index 52e5c8d2..61592aaa 100644 --- a/refpolicy/policy/modules/kernel/selinux.if +++ b/refpolicy/policy/modules/kernel/selinux.if @@ -5,12 +5,12 @@ ######################################## ## -## +## ## Gets the caller the mountpoint of the selinuxfs filesystem. -## -## +## +## ## The process type requesting the selinuxfs mountpoint. -## +## ## # interface(`selinux_get_fs_mount',` @@ -21,13 +21,13 @@ interface(`selinux_get_fs_mount',` ######################################## ## -## +## ## Allows the caller to get the mode of policy enforcement ## (enforcing or permissive mode). -## -## +## +## ## The process type to allow to get the enforcing mode. -## +## ## # interface(`selinux_get_enforce_mode',` @@ -43,13 +43,13 @@ interface(`selinux_get_enforce_mode',` ######################################## ## -## +## ## Allow caller to set the mode of policy enforcement ## (enforcing or permissive mode). -## -## +## +## ## The process type to allow to set the enforcement mode. -## +## ## # interface(`selinux_set_enforce_mode',` @@ -70,12 +70,12 @@ interface(`selinux_set_enforce_mode',` ######################################## ## -## +## ## Allow caller to load the policy into the kernel. -## -## +## +## ## The process type that will load the policy. -## +## ## # interface(`selinux_load_policy',` 
@@ -96,16 +96,16 @@ interface(`selinux_load_policy',` ######################################## ## -## +## ## Allow caller to set the state of Booleans to ## enable or disable conditional portions of the policy. -## -## +## +## ## The process type allowed to set the Boolean. -## -## +## +## ## The type of Booleans the caller is allowed to set. -## +## ## # interface(`selinux_set_boolean',` @@ -131,12 +131,12 @@ interface(`selinux_set_boolean',` ######################################## ## -## +## ## Allow caller to set selinux security parameters. -## -## +## +## ## The process type to allow to set security parameters. -## +## ## # interface(`selinux_set_parameters',` @@ -157,12 +157,12 @@ interface(`selinux_set_parameters',` ######################################## ## -## +## ## Allows caller to validate security contexts. -## -## +## +## ## The process type permitted to validate contexts. -## +## ## # interface(`selinux_validate_context',` @@ -180,12 +180,12 @@ interface(`selinux_validate_context',` ######################################## ## -## +## ## Allows caller to compute an access vector. -## -## +## +## ## The process type allowed to compute an access vector. -## +## ## # interface(`selinux_compute_access_vector',` @@ -203,12 +203,12 @@ interface(`selinux_compute_access_vector',` ######################################## ## -## +## ## -## -## +## +## ## -## +## ## # interface(`selinux_compute_create_context',` @@ -226,12 +226,12 @@ interface(`selinux_compute_create_context',` ######################################## ## -## +## ## -## -## +## +## ## The process type to -## +## ## # interface(`selinux_compute_relabel_context',` @@ -249,12 +249,12 @@ interface(`selinux_compute_relabel_context',` ######################################## ## -## +## ## Allows caller to compute possible contexts for a user. -## -## +## +## ## The process type allowed to compute user contexts. -## +## ## # interface(`selinux_compute_user_contexts',` 
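Review bot: The selinux_compute_create_context block in hunk @@ -203 has an empty summary and an empty parameter description, and selinux_compute_relabel_context in hunk @@ -226 has an empty summary and a parameter description that stops at `The process type to`. The neighbouring selinux_compute_access_vector and selinux_compute_user_contexts blocks show the expected wording; `## The process type allowed to compute a relabel context.` would complete the truncated line, and `## The process type allowed to compute a create context.` would fit the other. The summaries should say what each body (outside these hunks) grants, presumably the corresponding selinuxfs compute operation, rather than stay blank in the generated interface documentation.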
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if index d6c1a707..f4f93250 100644 --- a/refpolicy/policy/modules/kernel/storage.if +++ b/refpolicy/policy/modules/kernel/storage.if @@ -3,13 +3,13 @@ ######################################## ## -## +## ## Allow the caller to get the attributes of fixed disk ## device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_getattr_fixed_disk',` @@ -24,13 +24,13 @@ interface(`storage_getattr_fixed_disk',` ######################################## ## -## +## ## Do not audit attempts made by the caller to get ## the attributes of fixed disk device nodes. -## -## +## +## ## The type of the process to not audit. -## +## ## # interface(`storage_dontaudit_getattr_fixed_disk',` @@ -44,13 +44,13 @@ interface(`storage_dontaudit_getattr_fixed_disk',` ######################################## ## -## +## ## Allow the caller to set the attributes of fixed disk ## device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_setattr_fixed_disk',` @@ -65,13 +65,13 @@ interface(`storage_setattr_fixed_disk',` ######################################## ## -## +## ## Do not audit attempts made by the caller to set ## the attributes of fixed disk device nodes. -## -## +## +## ## The type of the process to not audit. -## +## ## # interface(`storage_dontaudit_setattr_fixed_disk',` @@ -85,15 +85,15 @@ interface(`storage_dontaudit_setattr_fixed_disk',` ######################################## ## -## +## ## Allow the caller to directly read from a fixed disk. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_raw_read_fixed_disk',` 
@@ -110,15 +110,15 @@ interface(`storage_raw_read_fixed_disk',` ######################################## ## -## +## ## Allow the caller to directly write to a fixed disk. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_raw_write_fixed_disk',` @@ -135,12 +135,12 @@ interface(`storage_raw_write_fixed_disk',` ######################################## ## -## +## ## Create block devices in /dev with the fixed disk type. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_create_fixed_disk_dev_entry',` @@ -157,12 +157,12 @@ interface(`storage_create_fixed_disk_dev_entry',` ######################################## ## -## +## ## Create, read, write, and delete fixed disk device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_manage_fixed_disk',` @@ -179,15 +179,15 @@ interface(`storage_manage_fixed_disk',` ######################################## ## -## +## ## Allow the caller to directly read from a logical volume. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_raw_read_lvm_volume',` @@ -204,15 +204,15 @@ interface(`storage_raw_read_lvm_volume',` ######################################## ## -## +## ## Allow the caller to directly read from a logical volume. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_raw_write_lvm_volume',` 
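Review bot: The summary of storage_raw_write_lvm_volume in hunk @@ -204 reads `Allow the caller to directly read from a logical volume.`, copied from the read interface directly above it; it should be `## Allow the caller to directly write to a logical volume.`. The same copy-paste mismatch appears in storage_write_scsi_generic (hunk @@ -297, `directly write, in a generic fashion, from any SCSI device`, which should say `to`) and in storage_write_tape_device (hunk @@ -516, `directly read a tape device`). These are exactly the blocks whose text warns that raw access bypasses the SELinux filesystem protections, so the generated documentation should not tell a policy author that a write interface only reads.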
@@ -229,13 +229,13 @@ interface(`storage_raw_write_lvm_volume',` ######################################## ## -## +## ## Allow the caller to get the attributes of ## the generic SCSI interface device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_getattr_scsi_generic',` @@ -250,13 +250,13 @@ interface(`storage_getattr_scsi_generic',` ######################################## ## -## +## ## Allow the caller to set the attributes of ## the generic SCSI interface device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_setattr_scsi_generic',` @@ -271,16 +271,16 @@ interface(`storage_setattr_scsi_generic',` ######################################## ## -## +## ## Allow the caller to directly read, in a ## generic fashion, from any SCSI device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_read_scsi_generic',` @@ -297,16 +297,16 @@ interface(`storage_read_scsi_generic',` ######################################## ## -## +## ## Allow the caller to directly write, in a ## generic fashion, from any SCSI device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_write_scsi_generic',` @@ -323,13 +323,13 @@ interface(`storage_write_scsi_generic',` ######################################## ## -## +## ## Get attributes of the device nodes ## for the SCSI generic inerface. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_getattr_scsi_generic',` 
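Review bot: Hunk @@ -323 defines a second interface named storage_getattr_scsi_generic although hunk @@ -229 in the same file already defines one; depending on how the interface macro is built on m4, the later definition either silently replaces the earlier one or trips a duplicate-definition error, and either way one of the two bodies (both outside these hunks) is not what callers get. The second block sits beside storage_set_scsi_generic_attributes and describes device node attributes, so it was presumably meant to be `interface(`storage_get_scsi_generic_attributes',``; worth confirming against the bodies. Both of those blocks also spell `inerface` in their summaries.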
@@ -344,13 +344,13 @@ interface(`storage_getattr_scsi_generic',` ######################################## ## -## +## ## Set attributes of the device nodes ## for the SCSI generic inerface. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_set_scsi_generic_attributes',` @@ -365,13 +365,13 @@ interface(`storage_set_scsi_generic_attributes',` ######################################## ## -## +## ## Allow the caller to get the attributes of removable ## devices device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_getattr_removable_device',` @@ -386,13 +386,13 @@ interface(`storage_getattr_removable_device',` ######################################## ## -## +## ## Do not audit attempts made by the caller to get ## the attributes of removable devices device nodes. -## -## +## +## ## The type of the process to not audit. -## +## ## # interface(`storage_dontaudit_getattr_removable_device',` @@ -406,13 +406,13 @@ interface(`storage_dontaudit_getattr_removable_device',` ######################################## ## -## +## ## Allow the caller to set the attributes of removable ## devices device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_setattr_removable_device',` @@ -427,13 +427,13 @@ interface(`storage_setattr_removable_device',` ######################################## ## -## +## ## Do not audit attempts made by the caller to set ## the attributes of removable devices device nodes. -## -## +## +## ## The type of the process to not audit. -## +## ## # interface(`storage_dontaudit_setattr_removable_device',` 
@@ -447,16 +447,16 @@ interface(`storage_dontaudit_setattr_removable_device',` ######################################## ## -## +## ## Allow the caller to directly read from ## a removable device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_raw_read_removable_device',` @@ -471,16 +471,16 @@ interface(`storage_raw_read_removable_device',` ######################################## ## -## +## ## Allow the caller to directly write to ## a removable device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_raw_write_removable_device',` @@ -495,13 +495,13 @@ interface(`storage_raw_write_removable_device',` ######################################## ## -## +## ## Allow the caller to directly read ## a tape device. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_read_tape_device',` @@ -516,13 +516,13 @@ interface(`storage_read_tape_device',` ######################################## ## -## +## ## Allow the caller to directly read ## a tape device. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_write_tape_device',` @@ -537,13 +537,13 @@ interface(`storage_write_tape_device',` ######################################## ## -## +## ## Allow the caller to get the attributes ## of device nodes of tape devices. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_getattr_tape_device',` 
@@ -558,13 +558,13 @@ interface(`storage_getattr_tape_device',` ######################################## ## -## +## ## Allow the caller to set the attributes ## of device nodes of tape devices. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`storage_setattr_tape_device',` diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 181effd4..4fbefc27 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -3,12 +3,12 @@ ######################################## ## -## +## ## Transform specified type into a pty type. -## -## +## +## ## An object type that will applied to a pty. -## +## ## # interface(`term_pty',` @@ -24,18 +24,18 @@ interface(`term_pty',` ######################################## ## -## +## ## Transform specified type into an user ## pty type. This allows it to be relabeled via ## type change by login programs such as ssh. -## -## +## +## ## The type of the user domain associated with ## this pty. -## -## +## +## ## An object type that will applied to a pty. -## +## ## # interface(`term_user_pty',` @@ -49,13 +49,13 @@ interface(`term_user_pty',` ######################################## ## -## +## ## Transform specified type into a pty type ## used by login programs, such as sshd. -## -## +## +## ## An object type that will applied to a pty. -## +## ## # interface(`term_login_pty',` @@ -69,12 +69,12 @@ interface(`term_login_pty',` ######################################## ## -## +## ## Transform specified type into a tty type. -## -## +## +## ## An object type that will applied to a tty. -## +## ## # interface(`term_tty',` @@ -99,15 +99,15 @@ interface(`term_tty',` ######################################## ## -## +## ## Create a pty in the /dev/pts directory. -## -## +## +## ## The type of the process creating the pty. -## -## +## +## ## The type of the pty. -## +## ## # interface(`term_create_pty',` 
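Review bot: The parameter description `An object type that will applied to a pty.` in hunk @@ -3 of terminal.if is missing a verb, and the same text recurs in hunks @@ -24 and @@ -49 and as `... will applied to a tty.` in hunk @@ -69. Change each to `## An object type that will be applied to a pty.` (or `tty`). These are the type-transform interfaces every pty/tty type in the policy passes through, so their wording is the first thing a module author sees in the generated documentation.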
@@ -129,13 +129,13 @@ interface(`term_create_pty',` ######################################## ## -## +## ## Read and write the console, all ## ttys and all ptys. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_use_all_terms',` @@ -153,12 +153,12 @@ interface(`term_use_all_terms',` ######################################## ## -## +## ## Write to the console. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_write_console',` @@ -173,12 +173,12 @@ interface(`term_write_console',` ######################################## ## -## +## ## Read from and write to the console. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_use_console',` @@ -193,13 +193,13 @@ interface(`term_use_console',` ######################################## ## -## +## ## Do not audit attemtps to read from ## or write to the console. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_dontaudit_use_console',` @@ -213,13 +213,13 @@ interface(`term_dontaudit_use_console',` ######################################## ## -## +## ## Set the attributes of the console ## device node. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_setattr_console',` @@ -234,13 +234,13 @@ interface(`term_setattr_console',` ######################################## ## -## +## ## Read the /dev/pts directory to ## list all ptys. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_list_ptys',` @@ -255,13 +255,13 @@ interface(`term_list_ptys',` ######################################## ## -## +## ## Do not audit attempts to read the ## /dev/pts directory to. -## -## +## +## ## The type of the process to not audit. -## +## ## # interface(`term_dontaudit_list_ptys',` 
@@ -275,14 +275,14 @@ interface(`term_dontaudit_list_ptys',` ######################################## ## -## +## ## Read and write the generic pty ## type. This is generally only used in ## the targeted policy. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_use_generic_pty',` @@ -297,14 +297,14 @@ interface(`term_use_generic_pty',` ######################################## ## -## +## ## Dot not audit attempts to read and ## write the generic pty type. This is ## generally only used in the targeted policy. -## -## +## +## ## The type of the process to not audit. -## +## ## # interface(`term_dontaudit_use_generic_pty',` @@ -318,13 +318,13 @@ interface(`term_dontaudit_use_generic_pty',` ######################################## ## -## +## ## Read and write the controlling ## terminal (/dev/tty). -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_use_controlling_term',` @@ -339,13 +339,13 @@ interface(`term_use_controlling_term',` ######################################## ## -## +## ## Do not audit attempts to read and ## write the pty multiplexor (/dev/ptmx). -## -## +## +## ## The type of the process to not audit. -## +## ## # interface(`term_dontaudit_use_ptmx',` @@ -359,13 +359,13 @@ interface(`term_dontaudit_use_ptmx',` ######################################## ## -## +## ## Get the attributes of all user ## pty device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_getattr_all_user_ptys',` @@ -382,12 +382,12 @@ interface(`term_getattr_all_user_ptys',` ######################################## ## -## +## ## Read and write all user ptys. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_use_all_user_ptys',` 
@@ -404,13 +404,13 @@ interface(`term_use_all_user_ptys',` ######################################## ## -## +## ## Do not audit attempts to read any ## user ptys. -## -## +## +## ## The type of the process to not audit. -## +## ## # interface(`term_dontaudit_use_all_user_ptys',` @@ -424,13 +424,13 @@ interface(`term_dontaudit_use_all_user_ptys',` ######################################## ## -## +## ## Relabel from and to all user ## user pty device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_relabel_all_user_ptys',` @@ -445,13 +445,13 @@ interface(`term_relabel_all_user_ptys',` ######################################## ## -## +## ## Get the attributes of all unallocated ## tty device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_getattr_unallocated_ttys',` @@ -466,13 +466,13 @@ interface(`term_getattr_unallocated_ttys',` ######################################## ## -## +## ## Set the attributes of all unallocated ## tty device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_setattr_unallocated_ttys',` @@ -487,13 +487,13 @@ interface(`term_setattr_unallocated_ttys',` ######################################## ## -## +## ## Relabel from and to the unallocated ## tty type. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_relabel_unallocated_ttys',` @@ -508,13 +508,13 @@ interface(`term_relabel_unallocated_ttys',` ######################################## ## -## +## ## Relabel from all user tty types to ## the unallocated tty type. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_reset_tty_labels',` 
@@ -531,12 +531,12 @@ interface(`term_reset_tty_labels',` ######################################## ## -## +## ## Write to unallocated ttys. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_write_unallocated_ttys',` @@ -551,12 +551,12 @@ interface(`term_write_unallocated_ttys',` ######################################## ## -## +## ## Read and write unallocated ttys. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_use_unallocated_tty',` @@ -571,13 +571,13 @@ interface(`term_use_unallocated_tty',` ######################################## ## -## +## ## Do not audit attempts to read or ## write unallocated ttys. -## -## +## +## ## The type of the process to not audit. -## +## ## # interface(`term_dontaudit_use_unallocated_tty',` @@ -591,13 +591,13 @@ interface(`term_dontaudit_use_unallocated_tty',` ######################################## ## -## +## ## Get the attributes of all user tty ## device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_getattr_all_user_ttys',` @@ -612,14 +612,14 @@ interface(`term_getattr_all_user_ttys',` ######################################## ## -## +## ## Do not audit attempts to get the ## attributes of any user tty ## device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_dontaudit_getattr_all_user_ttys',` @@ -634,13 +634,13 @@ interface(`term_dontaudit_getattr_all_user_ttys',` ######################################## ## -## +## ## Set the attributes of all user tty ## device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_setattr_all_user_ttys',` 
@@ -655,13 +655,13 @@ interface(`term_setattr_all_user_ttys',` ######################################## ## -## +## ## Relabel from and to all user ## user tty device nodes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_relabel_all_user_ttys',` @@ -676,12 +676,12 @@ interface(`term_relabel_all_user_ttys',` ######################################## ## -## +## ## Write to all user ttys. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_write_all_user_ttys',` @@ -696,12 +696,12 @@ interface(`term_write_all_user_ttys',` ######################################## ## -## +## ## Read and write all user to all user ttys. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_use_all_user_ttys',` @@ -716,13 +716,13 @@ interface(`term_use_all_user_ttys',` ######################################## ## -## +## ## Do not audit attempts to read or write ## any user ttys. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`term_dontaudit_use_all_user_ttys',` diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 679f6ff4..a48d3f4e 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -195,12 +195,12 @@ interface(`mta_exec',` ######################################## ## -## +## ## Read mail address aliases. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`mta_read_aliases',` diff --git a/refpolicy/policy/modules/services/remotelogin.if b/refpolicy/policy/modules/services/remotelogin.if index ed1f2d0a..064d2441 100644 --- a/refpolicy/policy/modules/services/remotelogin.if +++ b/refpolicy/policy/modules/services/remotelogin.if 
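Review bot: The summary for `term_use_all_user_ttys` in the `@@ -696` hunk reads "Read and write all user to all user ttys.", which is garbled. Suggest `## Read and write all user ttys.`, matching the wording of `term_use_unallocated_tty` above. The same duplicated "user" appears in `term_relabel_all_user_ttys` in the `@@ -655` hunk: `## Relabel from and to all user` / `## tty device nodes.`.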
@@ -3,12 +3,12 @@ ######################################## ## -## +## ## Domain transition to the remote login domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`remotelogin_domtrans',` diff --git a/refpolicy/policy/modules/services/sendmail.if b/refpolicy/policy/modules/services/sendmail.if index b69e0a39..6a3d98d2 100644 --- a/refpolicy/policy/modules/services/sendmail.if +++ b/refpolicy/policy/modules/services/sendmail.if @@ -3,12 +3,12 @@ ######################################## ## -## +## ## Domain transition to sendmail. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`sendmail_domtrans',` diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 1021d612..567032a1 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -90,12 +90,12 @@ interface(`authlogin_per_userdomain_template',` ######################################## ## -## +## ## Use the login program as an entry point program. -## -## +## +## ## The type of process using the login program as entry point. -## +## ## # interface(`auth_login_entry_type',` @@ -108,15 +108,15 @@ interface(`auth_login_entry_type',` ######################################## ## -## +## ## Execute a login_program in the target domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The type of the login_program process. -## +## ## # interface(`auth_domtrans_login_program',` @@ -138,12 +138,12 @@ interface(`auth_domtrans_login_program',` ######################################## ## -## +## ## Run unix_chkpwd to check a password. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`auth_domtrans_chk_passwd',` 
@@ -182,12 +182,12 @@ interface(`auth_domtrans_chk_passwd',` ######################################## ## -## +## ## -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`auth_dontaudit_getattr_shadow',` @@ -201,12 +201,12 @@ interface(`auth_dontaudit_getattr_shadow',` ######################################## ## -## +## ## Read the shadow passwords file (/etc/shadow) -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`auth_read_shadow',` @@ -223,13 +223,13 @@ interface(`auth_read_shadow',` ######################################## ## -## +## ## Do not audit attempts to read the shadow ## password file (/etc/shadow). -## -## +## +## ## The type of the domain to not audit. -## +## ## # interface(`auth_dontaudit_read_shadow',` @@ -243,12 +243,12 @@ interface(`auth_dontaudit_read_shadow',` ######################################## ## -## +## ## Read and write the shadow password file (/etc/shadow). -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`auth_rw_shadow',` @@ -326,12 +326,12 @@ interface(`auth_rw_lastlog',` ######################################## ## -## +## ## Execute pam programs in the pam domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`auth_domtrans_pam',` @@ -352,18 +352,18 @@ interface(`auth_domtrans_pam',` ######################################## ## -## +## ## Execute pam programs in the PAM domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to allow the PAM domain. -## -## +## +## ## The type of the terminal allow the PAM domain to use. -## +## ## # interface(`auth_run_pam',` @@ -379,12 +379,12 @@ interface(`auth_run_pam',` ######################################## ## -## +## ## Execute the pam program. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`auth_exec_pam',` 
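Review bot: The summary for `auth_dontaudit_getattr_shadow` in the `@@ -182` hunk is empty on both the old and new side, so the generated interface documentation says nothing about what this dontaudit silences. Because it concerns /etc/shadow, the scope should be stated explicitly, e.g. `## Do not audit attempts to get the attributes` / `## of the shadow password file (/etc/shadow).`, mirroring `auth_dontaudit_read_shadow` further down. The interface body is outside the hunk, so confirm it grants only getattr suppression before wording it that way.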
@@ -414,12 +414,12 @@ interface(`auth_read_pam_pid',` ######################################## ## -## +## ## Delete pam PID files. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`auth_delete_pam_pid',` @@ -508,17 +508,17 @@ interface(`auth_manage_pam_console_data',` ######################################## ## -## +## ## Relabel all files on the filesystem, except ## the shadow passwords and listed exceptions. -## -## +## +## ## The type of the domain perfoming this action. -## -## +## +## ## The types to be excluded. Each type or attribute ## must be negated by the caller. -## +## ## # @@ -532,17 +532,17 @@ interface(`auth_relabel_all_files_except_shadow',` ######################################## ## -## +## ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. -## -## +## +## ## The type of the domain perfoming this action. -## -## +## +## ## The types to be excluded. Each type or attribute ## must be negated by the caller. -## +## ## # @@ -556,12 +556,12 @@ interface(`auth_manage_all_files_except_shadow',` ######################################## ## -## +## ## Execute utempter programs in the utempter domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`auth_domtrans_utempter',` @@ -582,18 +582,18 @@ interface(`auth_domtrans_utempter',` ######################################## ## -## +## ## Execute utempter programs in the utempter domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to allow the utempter domain. -## -## +## +## ## The type of the terminal allow the utempter domain to use. -## +## ## # interface(`auth_run_utempter',` diff --git a/refpolicy/policy/modules/system/clock.if b/refpolicy/policy/modules/system/clock.if index 71fd8ab7..3e9f8537 100644 --- a/refpolicy/policy/modules/system/clock.if +++ b/refpolicy/policy/modules/system/clock.if 
@@ -3,12 +3,12 @@ ######################################## ## -## +## ## Execute hwclock in the clock domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`clock_domtrans',` @@ -28,19 +28,19 @@ interface(`clock_domtrans',` ######################################## ## -## +## ## Execute hwclock in the clock domain, and ## allow the specified role the hwclock domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the clock domain. -## -## +## +## ## The type of the terminal allow the clock domain to use. -## +## ## # interface(`clock_run',` @@ -56,12 +56,12 @@ interface(`clock_run',` ######################################## ## -## +## ## Execute hwclock -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`clock_exec',` @@ -74,12 +74,12 @@ interface(`clock_exec',` ######################################## ## -## +## ## Allow executing domain to modify clock drift -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`clock_rw_adjtime',` diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if index 77ab4691..5496e119 100644 --- a/refpolicy/policy/modules/system/corecommands.if +++ b/refpolicy/policy/modules/system/corecommands.if @@ -149,17 +149,17 @@ interface(`corecmd_exec_ls',` ######################################## ## -## +## ## Execute a shell in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The type of the shell process. -## +## ## # interface(`corecmd_shell_spec_domtrans',` 
@@ -185,15 +185,15 @@ interface(`corecmd_shell_spec_domtrans',` ######################################## ## -## +## ## Execute a shell in the target domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The type of the shell process. -## +## ## # interface(`corecmd_domtrans_shell',` diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if index 4088072a..163fc4e6 100644 --- a/refpolicy/policy/modules/system/domain.if +++ b/refpolicy/policy/modules/system/domain.if @@ -93,13 +93,13 @@ interface(`domain_dyntrans_type',` ######################################## ## -## +## ## Makes caller an exception to the constraint preventing ## changing of user identity. -## -## +## +## ## The process type to make an exception to the constraint. -## +## ## # interface(`domain_subj_id_change_exempt',` @@ -112,13 +112,13 @@ interface(`domain_subj_id_change_exempt',` ######################################## ## -## +## ## Makes caller an exception to the constraint preventing ## changing of role. -## -## +## +## ## The process type to make an exception to the constraint. -## +## ## # interface(`domain_role_change_exempt',` @@ -131,13 +131,13 @@ interface(`domain_role_change_exempt',` ######################################## ## -## +## ## Makes caller an exception to the constraint preventing ## changing the user identity in object contexts. -## -## +## +## ## The process type to make an exception to the constraint. -## +## ## # interface(`domain_obj_id_change_exempt',` @@ -189,12 +189,12 @@ interface(`domain_setpriority_all_domains',` ######################################## ## -## +## ## Send general signals to all domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`domain_signal_all_domains',` 
@@ -208,12 +208,12 @@ interface(`domain_signal_all_domains',` ######################################## ## -## +## ## Send a null signal to all domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`domain_signull_all_domains',` @@ -227,12 +227,12 @@ interface(`domain_signull_all_domains',` ######################################## ## -## +## ## Send a stop signal to all domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`domain_sigstop_all_domains',` @@ -246,12 +246,12 @@ interface(`domain_sigstop_all_domains',` ######################################## ## -## +## ## Send a child terminated signal to all domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`domain_sigchld_all_domains',` @@ -265,12 +265,12 @@ interface(`domain_sigchld_all_domains',` ######################################## ## -## +## ## Send a kill signal to all domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`domain_kill_all_domains',` @@ -286,12 +286,12 @@ interface(`domain_kill_all_domains',` ######################################## ## -## +## ## Read the process state (/proc/pid) of all domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`domain_read_all_domains_state',` @@ -317,13 +317,13 @@ interface(`domain_read_all_domains_state',` ######################################## ## -## +## ## Do not audit attempts to read the process state ## directories of all domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`domain_dontaudit_list_all_domains_proc',` 
@@ -337,12 +337,12 @@ interface(`domain_dontaudit_list_all_domains_proc',` ######################################## ## -## +## ## Get the session ID of all domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`domain_getsession_all_domains',` @@ -356,13 +356,13 @@ interface(`domain_getsession_all_domains',` ######################################## ## -## +## ## Do not audit attempts to get the attributes ## of all domains UDP sockets. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`domain_dontaudit_getattr_all_udp_sockets',` @@ -376,13 +376,13 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',` ######################################## ## -## +## ## Do not audit attempts to get the attributes ## of all domains TCP sockets. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`domain_dontaudit_getattr_all_tcp_sockets',` @@ -396,13 +396,13 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',` ######################################## ## -## +## ## Do not audit attempts to get the attributes ## of all domains unix datagram sockets. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',` @@ -416,13 +416,13 @@ interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',` ######################################## ## -## +## ## Do not audit attempts to get the attributes ## of all domains unnamed pipes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`domain_dontaudit_getattr_all_unnamed_pipes',` diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 7510c01d..53fc9d3d 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -2,7 +2,7 @@ ## ## Basic filesystem types and interfaces. ## -## +## ##

## This module contains basic filesystem types and interfaces. This ## includes: @@ -14,7 +14,7 @@ ## (/, /etc, /tmp, /usr, etc.). ## ##

-##
+## ######################################## # @@ -84,13 +84,13 @@ interface(`files_tmp_file',` ######################################## ## -## +## ## Transform the type into a file, for use on a ## virtual memory filesystem (tmpfs). -## -## +## +## ## The type to be transformed. -## +## ## # interface(`files_tmpfs_file',` @@ -126,17 +126,17 @@ interface(`files_getattr_all_files',` ######################################## ## -## +## ## Relabel all files on the filesystem, except ## the listed exceptions. -## -## +## +## ## The type of the domain perfoming this action. -## -## +## +## ## The types to be excluded. Each type or attribute ## must be negated by the caller. -## +## ## # interface(`files_relabel_all_files',` @@ -165,17 +165,17 @@ interface(`files_relabel_all_files',` ######################################## ## -## +## ## Manage all files on the filesystem, except ## the listed exceptions. -## -## +## +## ## The type of the domain perfoming this action. -## -## +## +## ## The types to be excluded. Each type or attribute ## must be negated by the caller. -## +## ## # interface(`files_manage_all_files',` @@ -307,23 +307,23 @@ interface(`files_list_root',` ######################################## ## -## +## ## Create an object in the root directory, with a private ## type. If no object class is specified, the ## default is file. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The type of the object to be created. If no type ## is specified, the type of the root directory will ## be used. -## -## +## +## ## The object class of the object being created. If ## no class is specified, file will be used. -## +## ## # interface(`files_create_root',` 
@@ -499,12 +499,12 @@ interface(`files_manage_generic_etc_files',` ######################################## ## -## +## ## Delete system configuration files in /etc. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`files_delete_generic_etc_files',` @@ -643,12 +643,12 @@ interface(`files_dontaudit_search_isid_type_dir',` ######################################## ## -## +## ## Get listing home home directories. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`files_list_home',` @@ -744,12 +744,12 @@ interface(`files_read_usr_files',` ######################################## ## -## +## ## Execute programs in /usr/src in the caller domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`files_exec_usr_files',` @@ -811,12 +811,12 @@ interface(`files_dontaudit_search_var',` ######################################## ## -## +## ## Search the /var/lib directory. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`files_search_var_lib',` @@ -988,12 +988,12 @@ interface(`files_rw_generic_pids',` ######################################## ## -## +## ## Do not audit attempts to write to daemon runtime data files. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`files_dontaudit_write_all_pids',` @@ -1007,12 +1007,12 @@ interface(`files_dontaudit_write_all_pids',` ######################################## ## -## +## ## Do not audit attempts to ioctl daemon runtime data files. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`files_dontaudit_ioctl_all_pids',` diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if index adef2845..a1d895fe 100644 --- a/refpolicy/policy/modules/system/getty.if +++ b/refpolicy/policy/modules/system/getty.if 
@@ -3,12 +3,12 @@ ######################################## ## -## +## ## Execute gettys in the getty domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`getty_domtrans',` @@ -30,12 +30,12 @@ interface(`getty_domtrans',` ######################################## ## -## +## ## Allow process to read getty log file. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`getty_read_log',` @@ -50,12 +50,12 @@ interface(`getty_read_log',` ######################################## ## -## +## ## Allow process to read getty config file. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`getty_read_config',` @@ -70,12 +70,12 @@ interface(`getty_read_config',` ######################################## ## -## +## ## Allow process to edit getty config file. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`getty_modify_config',` diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if index 9d0f67c7..52cdcca6 100644 --- a/refpolicy/policy/modules/system/hostname.if +++ b/refpolicy/policy/modules/system/hostname.if @@ -3,13 +3,13 @@ ######################################## ## -## +## ## Execute hostname in the hostname domain. -## -## +## +## ## The type of the process performing this action. ## Has a sigchld signal backchannel. -## +## ## # interface(`hostname_domtrans',` @@ -31,20 +31,20 @@ interface(`hostname_domtrans',` ######################################## ## -## +## ## Execute hostname in the hostname domain, and ## allow the specified role the hostname domain. ## Has a sigchld signal backchannel. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the hostname domain. -## -## +## +## ## The type of the terminal allow the hostname domain to use. -## +## ## # interface(`hostname_run',` 
@@ -60,13 +60,13 @@ interface(`hostname_run',` ######################################## ## -## +## ## Execute hostname in the hostname domain, and ## Has a sigchld signal backchannel. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`hostname_exec',` diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index 94ec5054..842f9506 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if @@ -79,12 +79,12 @@ interface(`hotplug_dontaudit_search_config',` ######################################## ## -## +## ## Read the configuration files for hotplug. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`hotplug_read_config',` diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index ef2354f5..c7ecd2d9 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -261,12 +261,12 @@ interface(`init_exec_script',` ######################################## ## -## +## ## Read the process state (/proc/pid) of the init scripts. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`init_read_script_process_state',` @@ -331,12 +331,12 @@ interface(`init_get_script_process_group',` ######################################## ## -## +## ## Read and write init script unnamed pipes. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`init_rw_script_pipe',` @@ -377,12 +377,12 @@ interface(`init_dontaudit_use_script_pty',` ######################################## ## -## +## ## Read and write init script temporary data. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`init_rw_script_tmp_files',` 
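Review bot: The summary for `hostname_exec` in the `@@ -60` hunk ("Execute hostname in the hostname domain, and Has a sigchld signal backchannel.") is a copy of the `hostname_run`/`hostname_domtrans` text and is both ungrammatical and, for an `_exec` interface, presumably wrong: the parallel `iptables_exec` and `clock_exec` interfaces in this patch document execution in the caller's own domain with no transition. If the body (outside the hunk) only allows execution without a domain transition, the summary should read `## Execute hostname in the caller domain.`. A reader deciding whether a caller inherits the hostname domain's privileges relies on exactly this distinction.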
diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if index 60d4da5a..d8783d08 100644 --- a/refpolicy/policy/modules/system/iptables.if +++ b/refpolicy/policy/modules/system/iptables.if @@ -3,12 +3,12 @@ ######################################## ## -## +## ## Execute iptables in the iptables domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`iptables_domtrans',` @@ -30,19 +30,19 @@ interface(`iptables_domtrans',` ######################################## ## -## +## ## Execute iptables in the iptables domain, and ## allow the specified role the iptables domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the iptables domain. -## -## +## +## ## The type of the terminal allow the iptables domain to use. -## +## ## # interface(`iptables_run',` @@ -58,12 +58,12 @@ interface(`iptables_run',` ######################################## ## -## +## ## Execute iptables in the caller domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`iptables_exec',` diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index 2cd42f0f..08449e0a 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -3,12 +3,12 @@ ######################################## ## -## +## ## Execute ldconfig in the ldconfig domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`libs_domtrans_ldconfig',` 
@@ -30,18 +30,18 @@ interface(`libs_domtrans_ldconfig',` ######################################## ## -## +## ## Execute ldconfig in the ldconfig domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to allow the ldconfig domain. -## -## +## +## ## The type of the terminal allow the ldconfig domain to use. -## +## ## # interface(`libs_run_ldconfig',` @@ -57,13 +57,13 @@ interface(`libs_run_ldconfig',` ######################################## ## -## +## ## Use the dynamic link/loader for automatic loading ## of shared libraries. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`libs_use_ld_so',` @@ -84,13 +84,13 @@ interface(`libs_use_ld_so',` ######################################## ## -## +## ## Use the dynamic link/loader for automatic loading ## of shared libraries with legacy support. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`libs_legacy_use_ld_so',` @@ -106,14 +106,14 @@ interface(`libs_legacy_use_ld_so',` ######################################## ## -## +## ## Execute the dynamic link/loader in the caller's ## domain. This is commonly needed for the ## /usr/bin/ldd program. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`libs_exec_ld_so',` @@ -131,13 +131,13 @@ interface(`libs_exec_ld_so',` ######################################## ## -## +## ## Modify the dynamic link/loader's cached listing ## of shared libraries. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`libs_rw_ld_so_cache',` @@ -152,12 +152,12 @@ interface(`libs_rw_ld_so_cache',` ######################################## ## -## +## ## Search lib directories. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`libs_search_lib',` 
@@ -171,13 +171,13 @@ interface(`libs_search_lib',` ######################################## ## -## +## ## Read files in the library directories, such ## as static libraries. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`libs_read_lib',` @@ -195,12 +195,12 @@ interface(`libs_read_lib',` ######################################## ## -## +## ## Execute library scripts in the caller domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`libs_exec_lib_files',` @@ -218,12 +218,12 @@ interface(`libs_exec_lib_files',` ######################################## ## -## +## ## Load and execute functions from shared libraries. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`libs_use_shared_libs',` @@ -243,13 +243,13 @@ interface(`libs_use_shared_libs',` ######################################## ## -## +## ## Load and execute functions from shared libraries, ## with legacy support. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`libs_legacy_use_shared_libs',` diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if index f089e620..fa9d1792 100644 --- a/refpolicy/policy/modules/system/locallogin.if +++ b/refpolicy/policy/modules/system/locallogin.if @@ -3,12 +3,12 @@ ######################################## ## -## +## ## Execute local logins in the locallogin domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`locallogin_domtrans',` @@ -21,12 +21,12 @@ interface(`locallogin_domtrans',` ######################################## ## -## +## ## Allow processes to inherit local login file descriptors -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`locallogin_use_fd',` 
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index b4271bd3..4dcd83fa 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -61,14 +61,14 @@ interface(`logging_send_syslog_msg',` ######################################## ## -## +## ## Allows the domain to open a file in the ## log directory, but does not allow the listing ## of the contents of the log directory. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`logging_search_logs',` diff --git a/refpolicy/policy/modules/system/lvm.if b/refpolicy/policy/modules/system/lvm.if index 9e90c7d5..9b2a3256 100644 --- a/refpolicy/policy/modules/system/lvm.if +++ b/refpolicy/policy/modules/system/lvm.if @@ -3,12 +3,12 @@ ######################################## ## -## +## ## Execute lvm programs in the lvm domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`lvm_domtrans',` @@ -30,18 +30,18 @@ interface(`lvm_domtrans',` ######################################## ## -## +## ## Execute lvm programs in the lvm domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to allow the LVM domain. -## -## +## +## ## The type of the terminal allow the LVM domain to use. -## +## ## # interface(`lvm_run',` @@ -57,12 +57,12 @@ interface(`lvm_run',` ######################################## ## -## +## ## Read LVM configuration files. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`lvm_read_config',` diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index 385af702..99549dff 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if 
@@ -3,13 +3,13 @@ ######################################## ## -## +## ## Allow process to create files and dirs in /var/cache/man ## and /var/catman/ -## -## +## +## ## Type type of the process performing this action. -## +## ## # interface(`miscfiles_rw_man_cache',` @@ -26,12 +26,12 @@ interface(`miscfiles_rw_man_cache',` ######################################## ## -## +## ## Allow process to read fonts files -## -## +## +## ## Type type of the process performing this action. -## +## ## # interface(`miscfiles_read_fonts',` @@ -51,12 +51,12 @@ interface(`miscfiles_read_fonts',` ######################################## ## -## +## ## Allow process to read localization info -## -## +## +## ## Type type of the process performing this action. -## +## ## # interface(`miscfiles_read_localization',` @@ -80,12 +80,12 @@ interface(`miscfiles_read_localization',` ######################################## ## -## +## ## Allow process to read legacy time localization info -## -## +## +## ## Type type of the process performing this action. -## +## ## # interface(`miscfiles_legacy_read_localization',` @@ -100,12 +100,12 @@ interface(`miscfiles_legacy_read_localization',` ######################################## ## -## +## ## Allow process to read manpages -## -## +## +## ## Type type of the process performing this action. -## +## ## # interface(`miscfiles_read_man_pages',` diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if index 46af2404..8c9eb474 100644 --- a/refpolicy/policy/modules/system/modutils.if +++ b/refpolicy/policy/modules/system/modutils.if @@ -3,12 +3,12 @@ ######################################## ## -## +## ## Read the dependencies of kernel modules. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`modutils_read_kernel_module_dependencies',` 
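Review bot: The parameter description in the `@@ -3` hunk of miscfiles.if reads "Type type of the process performing this action.", and the same wording recurs in every following miscfiles hunk; every other module in this patch uses "The type of the process performing this action.". Since the tag rename already touches these lines, correcting them is cheap: `## The type of the process performing this action.`.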
@@ -23,13 +23,13 @@ interface(`modutils_read_kernel_module_dependencies',` ######################################## ## -## +## ## Read the configuration options used when ## loading modules. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`modutils_read_module_conf',` @@ -48,12 +48,12 @@ interface(`modutils_read_module_conf',` ######################################## ## -## +## ## Execute insmod in the insmod domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`modutils_domtrans_insmod',` @@ -75,21 +75,21 @@ interface(`modutils_domtrans_insmod',` ######################################## ## -## +## ## Execute insmod in the insmod domain, and ## allow the specified role the insmod domain, ## and use the caller's terminal. Has a sigchld ## backchannel. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the insmod domain. -## -## +## +## ## The type of the terminal allow the insmod domain to use. -## +## ## # interface(`modutils_run_insmod',` @@ -118,12 +118,12 @@ interface(`modutils_exec_insmod',` ######################################## ## -## +## ## Execute depmod in the depmod domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`modutils_domtrans_depmod',` @@ -145,18 +145,18 @@ interface(`modutils_domtrans_depmod',` ######################################## ## -## +## ## Execute depmod in the depmod domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the depmod domain. -## -## +## +## ## The type of the terminal allow the depmod domain to use. -## +## ## # interface(`modutils_run_depmod',` 
@@ -185,12 +185,12 @@ interface(`modutils_exec_depmod',` ######################################## ## -## +## ## Execute depmod in the depmod domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`modutils_domtrans_update_mods',` @@ -212,18 +212,18 @@ interface(`modutils_domtrans_update_mods',` ######################################## ## -## +## ## Execute update_modules in the update_modules domain. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the update_modules domain. -## -## +## +## ## The type of the terminal allow the update_modules domain to use. -## +## ## # interface(`modutils_run_update_mods',` diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if index 3c63e293..ec6c88a9 100644 --- a/refpolicy/policy/modules/system/mount.if +++ b/refpolicy/policy/modules/system/mount.if @@ -3,12 +3,12 @@ ######################################## ## -## +## ## Execute mount in the mount domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`mount_domtrans',` @@ -29,20 +29,20 @@ interface(`mount_domtrans',` ######################################## ## -## +## ## Execute mount in the mount domain, and ## allow the specified role the mount domain, ## and use the caller's terminal. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the mount domain. -## -## +## +## ## The type of the terminal allow the mount domain to use. -## +## ## # interface(`mount_run',` @@ -58,12 +58,12 @@ interface(`mount_run',` ######################################## ## -## +## ## Use file descriptors for mount. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`mount_use_fd',` 
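Review bot: The summary on the `modutils_domtrans_update_mods` hunk (`@@ -185,12 +185,12 @@`) still reads `Execute depmod in the depmod domain.`, which is the `modutils_domtrans_depmod` text and contradicts both the interface name and the `modutils_run_update_mods` summary in the next hunk. A domain-transition interface whose documentation names the wrong target domain is exactly the kind of thing that misleads a policy audit, and this commit is touching the surrounding doc lines anyway, so it is the moment to fix the copy-paste: `## Execute update_modules in the update_modules domain.` The interface body is outside the hunk, so I cannot confirm the transition target from here; if it really transitions to the depmod domain, then the interface name rather than the summary is what needs correcting.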
@@ -77,13 +77,13 @@ interface(`mount_use_fd',` ######################################## ## -## +## ## Allow the mount domain to send nfs requests for mounting ## network drives -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`mount_send_nfs_client_request',` diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 0767bb76..e42bd227 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -3,12 +3,12 @@ ####################################### ## -## +## ## Execute checkpolicy in the checkpolicy domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`seutil_domtrans_checkpol',` @@ -31,21 +31,21 @@ interface(`seutil_domtrans_checkpol',` ######################################## ## -## +## ## Execute checkpolicy in the checkpolicy domain, and ## allow the specified role the checkpolicy domain, ## and use the caller's terminal. ## Has a SIGCHLD signal backchannel. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the checkpolicy domain. -## -## +## +## ## The type of the terminal allow the checkpolicy domain to use. -## +## ## # interface(`seutil_run_checkpol',` @@ -75,12 +75,12 @@ interface(`seutil_exec_checkpol',` ####################################### ## -## +## ## Execute load_policy in the load_policy domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`seutil_domtrans_loadpol',` 
@@ -102,21 +102,21 @@ interface(`seutil_domtrans_loadpol',` ######################################## ## -## +## ## Execute load_policy in the load_policy domain, and ## allow the specified role the load_policy domain, ## and use the caller's terminal. ## Has a SIGCHLD signal backchannel. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the load_policy domain. -## -## +## +## ## The type of the terminal allow the load_policy domain to use. -## +## ## # interface(`seutil_run_loadpol',` @@ -159,12 +159,12 @@ interface(`seutil_read_loadpol',` ####################################### ## -## +## ## Execute newrole in the load_policy domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`seutil_domtrans_newrole',` @@ -187,20 +187,20 @@ interface(`seutil_domtrans_newrole',` ######################################## ## -## +## ## Execute newrole in the newrole domain, and ## allow the specified role the newrole domain, ## and use the caller's terminal. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the newrole domain. -## -## +## +## ## The type of the terminal allow the newrole domain to use. -## +## ## # interface(`seutil_run_newrole',` @@ -230,13 +230,13 @@ interface(`seutil_exec_newrole',` ######################################## ## -## +## ## Do not audit the caller attempts to send ## a signal to newrole. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`seutil_dontaudit_newrole_signal',` @@ -276,12 +276,12 @@ interface(`seutil_use_newrole_fd',` ####################################### ## -## +## ## Execute restorecon in the restorecon domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`seutil_domtrans_restorecon',` 
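Review bot: The summary on the `seutil_domtrans_newrole` hunk (`@@ -159,12 +159,12 @@`) reads `Execute newrole in the load_policy domain.`, which looks copied from `seutil_domtrans_loadpol` and contradicts the `seutil_run_newrole` summary two hunks later (`Execute newrole in the newrole domain`). newrole and load_policy are both privileged SELinux domains, so a summary that names the wrong one will send an auditor looking at the wrong set of permissions; as this commit rewrites the adjacent doc lines, I would correct it here: `## Execute newrole in the newrole domain.` The interface body is outside the hunk, so the actual transition target cannot be verified from this diff, but the interface name and its run variant both point to the newrole domain.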
@@ -303,20 +303,20 @@ interface(`seutil_domtrans_restorecon',` ######################################## ## -## +## ## Execute restorecon in the restorecon domain, and ## allow the specified role the restorecon domain, ## and use the caller's terminal. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the restorecon domain. -## -## +## +## ## The type of the terminal allow the restorecon domain to use. -## +## ## # interface(`seutil_run_restorecon',` @@ -345,12 +345,12 @@ interface(`seutil_exec_restorecon',` ######################################## ## -## +## ## Execute run_init in the run_init domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`seutil_domtrans_runinit',` @@ -373,20 +373,20 @@ interface(`seutil_domtrans_runinit',` ######################################## ## -## +## ## Execute run_init in the run_init domain, and ## allow the specified role the run_init domain, ## and use the caller's terminal. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the run_init domain. -## -## +## +## ## The type of the terminal allow the run_init domain to use. -## +## ## # interface(`seutil_run_runinit',` @@ -415,12 +415,12 @@ interface(`seutil_use_runinit_fd',` ######################################## ## -## +## ## Execute setfiles in the setfiles domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`seutil_domtrans_setfiles',` 
@@ -443,20 +443,20 @@ interface(`seutil_domtrans_setfiles',` ######################################## ## -## +## ## Execute setfiles in the setfiles domain, and ## allow the specified role the setfiles domain, ## and use the caller's terminal. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the setfiles domain. -## -## +## +## ## The type of the terminal allow the setfiles domain to use. -## +## ## # interface(`seutil_run_setfiles',` @@ -572,12 +572,12 @@ interface(`seutil_create_binary_pol',` ######################################## ## -## +## ## Allow the caller to relabel a file to the binary policy type. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`seutil_relabelto_binary_pol',` diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index d5a08080..1aa265d5 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -3,12 +3,12 @@ ####################################### ## -## +## ## Execute dhcp client in dhcpc domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`sysnet_domtrans_dhcpc',` @@ -30,12 +30,12 @@ interface(`sysnet_domtrans_dhcpc',` ####################################### ## -## +## ## Execute ifconfig in the ifconfig domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`sysnet_domtrans_ifconfig',` 
@@ -57,20 +57,20 @@ interface(`sysnet_domtrans_ifconfig',` ######################################## ## -## +## ## Execute ifconfig in the ifconfig domain, and ## allow the specified role the ifconfig domain, ## and use the caller's terminal. -## -## +## +## ## The type of the process performing this action. -## -## +## +## ## The role to be allowed the ifconfig domain. -## -## +## +## ## The type of the terminal allow the ifconfig domain to use. -## +## ## # interface(`sysnet_run_ifconfig',` @@ -87,12 +87,12 @@ interface(`sysnet_run_ifconfig',` ####################################### ## -## +## ## Allow network init to read network config files. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`sysnet_read_config',` diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if index 0dd6da72..33d28153 100644 --- a/refpolicy/policy/modules/system/udev.if +++ b/refpolicy/policy/modules/system/udev.if @@ -3,12 +3,12 @@ ######################################## ## -## +## ## Execute udev in the udev domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`udev_domtrans',` @@ -29,12 +29,12 @@ interface(`udev_domtrans',` ######################################## ## -## +## ## Allow process to read list of devices. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`udev_read_db',` @@ -49,12 +49,12 @@ interface(`udev_read_db',` ######################################## ## -## +## ## Allow process to modify list of devices. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`udev_rw_db',` diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 22927d5d..b05018b3 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if 
@@ -810,14 +810,14 @@ template(`admin_domain_template',` ######################################## ## -## +## ## Execute a shell in all user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_spec_domtrans_all_users',` @@ -830,14 +830,14 @@ interface(`userdom_spec_domtrans_all_users',` ######################################## ## -## +## ## Execute a shell in all unprivileged user domains. This ## is an explicit transition, requiring the ## caller to use setexeccon(). -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_spec_domtrans_unpriv_users',` @@ -850,12 +850,12 @@ interface(`userdom_spec_domtrans_unpriv_users',` ######################################## ## -## +## ## Execute a shell in the sysadm domain. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_shell_domtrans_sysadm',` @@ -868,12 +868,12 @@ interface(`userdom_shell_domtrans_sysadm',` ######################################## ## -## +## ## Read and write sysadm ttys. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_use_sysadm_tty',` @@ -889,12 +889,12 @@ interface(`userdom_use_sysadm_tty',` ######################################## ## -## +## ## Read and write sysadm ttys and ptys. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_use_sysadm_terms',` @@ -910,12 +910,12 @@ interface(`userdom_use_sysadm_terms',` ######################################## ## -## +## ## Do not audit attempts to use admin ttys and ptys. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_dontaudit_use_sysadm_terms',` 
@@ -929,12 +929,12 @@ interface(`userdom_dontaudit_use_sysadm_terms',` ######################################## ## -## +## ## Search all users home directories. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_search_all_users_home',` @@ -949,12 +949,12 @@ interface(`userdom_search_all_users_home',` ######################################## ## -## +## ## Read all files in all users home directories. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_read_all_user_data',` @@ -971,12 +971,12 @@ interface(`userdom_read_all_user_data',` ######################################## ## -## +## ## Inherit the file descriptors from all user domains -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_use_all_user_fd',` @@ -990,12 +990,12 @@ interface(`userdom_use_all_user_fd',` ######################################## ## -## +## ## Send general signals to all user domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_signal_all_users',` @@ -1009,12 +1009,12 @@ interface(`userdom_signal_all_users',` ######################################## ## -## +## ## Send general signals to unprivileged user domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_signal_unpriv_users',` @@ -1028,12 +1028,12 @@ interface(`userdom_signal_unpriv_users',` ######################################## ## -## +## ## Inherit the file descriptors from all user domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_use_unpriv_users_fd',` 
@@ -1047,13 +1047,13 @@ interface(`userdom_use_unpriv_users_fd',` ######################################## ## -## +## ## Do not audit attempts to inherit the ## file descriptors from all user domains. -## -## +## +## ## The type of the process performing this action. -## +## ## # interface(`userdom_dontaudit_use_unpriv_user_fd',`