add xml
parent
ddea18b0ad
commit
3865d6b95e
File diff suppressed because it is too large
@ -1,4 +1,4 @@
|
|||||||
## <module name="clock" layer="keyservices">
|
## <module name="clock" layer="system">
|
||||||
## <summary>Policy for reading and setting the hardware clock.</summary>
|
## <summary>Policy for reading and setting the hardware clock.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -67,9 +67,16 @@ define(`clock_transition_add_role_use_terminal_depend',`
|
|||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
########################################
|
||||||
#
|
## <interface name="clock_execute">
|
||||||
# clock_execute(domain)
|
## <description>
|
||||||
|
## Execute hwclock
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="execute" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`clock_execute',`
|
define(`clock_execute',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -83,9 +90,16 @@ define(`clock_execute_depend',`
|
|||||||
class file { getattr read execute execute_no_trans };
|
class file { getattr read execute execute_no_trans };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
########################################
|
||||||
#
|
## <interface name="clock_modify_drift_records">
|
||||||
# clock_modify_drift_records(domain)
|
## <description>
|
||||||
|
## Allow executing domain to modify clock drift
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`clock_modify_drift_records',`
|
define(`clock_modify_drift_records',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
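Review bot: The new description for `clock_execute` says only "Execute hwclock" and does not say in which domain the program runs. The context of the following hunk shows `clock_execute_depend` requiring `execute_no_trans` on `class file`, which suggests hwclock runs in the caller's domain with no transition; if so, say it, e.g. `## Execute hwclock in the caller domain, without a domain transition.` A policy writer choosing between this interface and the module's transition interface needs that distinction, because it decides which domain ends up running the clock-setting program. The bodies of both defines lie outside the hunks shown.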
@ -1,7 +1,16 @@
|
|||||||
|
## <module name="getty" layer="system">
|
||||||
|
## <summary>Policy for getty.</summary>
|
||||||
|
|
||||||
#######################################
|
########################################
|
||||||
#
|
## <interface name="getty_transition">
|
||||||
# getty_transition(domain)
|
## <description>
|
||||||
|
## Execute gettys in the getty domain.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="read" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`getty_transition',`
|
define(`getty_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -26,9 +35,16 @@ define(`getty_transition_depend',`
|
|||||||
class fifo_file rw_file_perms;
|
class fifo_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
########################################
|
||||||
#
|
## <interface name="getty_read_log_file">
|
||||||
# getty_read_log_file(domain)
|
## <description>
|
||||||
|
## Allow process to read getty log file.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="read" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`getty_read_log_file',`
|
define(`getty_read_log_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -42,9 +58,16 @@ define(`getty_read_log_file_depend',`
|
|||||||
class file { getattr read };
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
########################################
|
||||||
#
|
## <interface name="getty_read_config_file">
|
||||||
# getty_read_config_file(domain)
|
## <description>
|
||||||
|
## Allow process to read getty config file.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="read" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`getty_read_config_file',`
|
define(`getty_read_config_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -58,9 +81,16 @@ define(`getty_read_config_file_depend',`
|
|||||||
class file { getattr read };
|
class file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
########################################
|
||||||
#
|
## <interface name="getty_modify_config_file">
|
||||||
# getty_modify_config_file(domain)
|
## <description>
|
||||||
|
## Allow process to edit getty config file.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="read write" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`getty_modify_config_file',`
|
define(`getty_modify_config_file',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -73,3 +103,5 @@ define(`getty_modify_config_file_depend',`
|
|||||||
|
|
||||||
class file { getattr read write };
|
class file { getattr read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
## </module>
|
||||||
|
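Review bot: `getty_transition` is documented as "Execute gettys in the getty domain" but carries `<infoflow type="read" weight="10"/>`, while `clock_execute` and `udev_transition` in this same commit use `type="execute"` for running a program. `locallogin_transition` and `sysnetwork_dhcpc_transition` carry the same `read` annotation. If these values feed an information-flow analysis of the policy, a domain transition labelled as a plain read would likely be under-reported; pick one convention for transition interfaces and apply it to all of them, e.g. `## <infoflow type="execute" weight="10"/>`. The macro bodies are outside the hunks, so the value should be checked against what each interface actually allows.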
@ -1,4 +1,4 @@
|
|||||||
## <module name="hostname" layer="keyservices">
|
## <module name="hostname" layer="system">
|
||||||
## <summary>Policy for changing the system host name.</summary>
|
## <summary>Policy for changing the system host name.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -69,6 +69,18 @@ define(`hostname_transition_add_role_use_terminal_depend',`
|
|||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <interface name="hostname_execute">
|
||||||
|
## <description>
|
||||||
|
## Execute hostname in the hostname domain, and
|
||||||
|
## Has a sigchld signal backchannel.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="10"/>
|
||||||
|
## </interface>
|
||||||
|
#
|
||||||
#######################################
|
#######################################
|
||||||
#
|
#
|
||||||
# hostname_execute(domain)
|
# hostname_execute(domain)
|
||||||
|
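Review bot: The description added for `hostname_execute` reads "Execute hostname in the hostname domain, and Has a sigchld signal backchannel", which is the wording of a domain-transition interface rather than an execute interface, and it has a stray capital mid-sentence. The define body is outside the hunk, so confirm which behaviour it has and make the text match, e.g. `## Execute hostname in the caller domain.` if there is no transition. The XML block is also inserted above the old `# hostname_execute(domain)` banner instead of replacing it as the other files in this commit do, which leaves two banners; `locallogin_use_file_descriptors` has the same leftover.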
@ -1,7 +1,16 @@
|
|||||||
|
## <module name="locallogin" layer="system">
|
||||||
|
## <summary>Policy for local logins.</summary>
|
||||||
|
|
||||||
#######################################
|
########################################
|
||||||
#
|
## <interface name="locallogin_transition">
|
||||||
# locallogin_transition(domain)
|
## <description>
|
||||||
|
## Execute local logins in the locallogin domain.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="read" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`locallogin_transition',`
|
define(`locallogin_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -13,6 +22,17 @@ define(`locallogin_transition_depend',`
|
|||||||
type local_login_t;
|
type local_login_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <interface name="locallogin_use_file_descriptors">
|
||||||
|
## <description>
|
||||||
|
## Allow processes to inherit local login file descriptors
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="read" weight="10"/>
|
||||||
|
## </interface>
|
||||||
|
#
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# locallogin_use_file_descriptors(domain)
|
# locallogin_use_file_descriptors(domain)
|
||||||
@ -28,3 +48,5 @@ define(`locallogin_use_file_descriptors_depend',`
|
|||||||
|
|
||||||
class fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
## </module>
|
||||||
|
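Review bot: `locallogin_use_file_descriptors` is annotated `<infoflow type="read" weight="10"/>`, but the equivalent `mount_use_file_descriptors` added in this commit uses `type="use" weight="4"`, and both depend blocks show the same `class fd use;` requirement. Two interfaces that grant the same permission should carry the same type and weight. `use` appears nowhere else on this page as an infoflow type, so it is worth checking which values the documentation schema accepts before settling on one. The define bodies are outside the hunks.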
@ -1,7 +1,20 @@
|
|||||||
|
## <module name="miscfiles" layer="system">
|
||||||
|
## <summary>Miscelaneous files.</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="miscfiles_manage_man_page_cache">
|
||||||
# miscfiles_manage_man_page_cache(domain)
|
## <description>
|
||||||
|
## Allow process to create files and dirs in /var/cache/man
|
||||||
|
## and /var/catman/
|
||||||
|
## </description>
|
||||||
|
## <securitydesc>
|
||||||
|
## ...
|
||||||
|
## </securitydesc>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## Type type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`miscfiles_manage_man_page_cache',`
|
define(`miscfiles_manage_man_page_cache',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -19,8 +32,18 @@ define(`miscfiles_manage_man_page_cache_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="miscfiles_read_fonts">
|
||||||
# miscfiles_read_fonts(domain)
|
## <description>
|
||||||
|
## Allow process to read fonts files
|
||||||
|
## </description>
|
||||||
|
## <securitydesc>
|
||||||
|
## ...
|
||||||
|
## </securitydesc>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## Type type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="read" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`miscfiles_read_fonts',`
|
define(`miscfiles_read_fonts',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -40,8 +63,18 @@ define(`miscfiles_read_fonts_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="miscfiles_read_localization">
|
||||||
# miscfiles_read_localization(domain)
|
## <description>
|
||||||
|
## Allow process to read localization info
|
||||||
|
## </description>
|
||||||
|
## <securitydesc>
|
||||||
|
## ...
|
||||||
|
## </securitydesc>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## Type type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="read" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`miscfiles_read_localization',`
|
define(`miscfiles_read_localization',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -65,8 +98,18 @@ define(`miscfiles_read_localization_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="miscfiles_legacy_read_localization">
|
||||||
# miscfiles_legacy_read_localization(domain)
|
## <description>
|
||||||
|
## Allow process to read legacy time localization info
|
||||||
|
## </description>
|
||||||
|
## <securitydesc>
|
||||||
|
## ...
|
||||||
|
## </securitydesc>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## Type type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`miscfiles_legacy_read_localization',`
|
define(`miscfiles_legacy_read_localization',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -82,8 +125,18 @@ define(`miscfiles_read_localization_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="miscfiles_read_man_pages">
|
||||||
# miscfiles_read_man_pages(domain)
|
## <description>
|
||||||
|
## Allow process to read manpages
|
||||||
|
## </description>
|
||||||
|
## <securitydesc>
|
||||||
|
## ...
|
||||||
|
## </securitydesc>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## Type type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="read" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`miscfiles_read_man_pages',`
|
define(`miscfiles_read_man_pages',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -101,3 +154,5 @@ define(`miscfiles_read_man_pages_depend',`
|
|||||||
class file { getattr read };
|
class file { getattr read };
|
||||||
class lnk_file { getattr read };
|
class lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
## </module>
|
||||||
|
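Review bot: `miscfiles_legacy_read_localization` is described as "Allow process to read legacy time localization info" yet is annotated `<infoflow type="write" weight="10"/>`, while the other read interfaces in this file use `type="read"`. Unless the macro body (outside the hunk) grants write access, this should be `## <infoflow type="read" weight="10"/>`; if it does grant more than read, the name and description understate it and that is what needs documenting. Every `<securitydesc>` in this file is the placeholder `...`, which is where such a caveat would belong. Two typos repeat through the file: "Type type of the process" should be `## The type of the process performing this action.` and the summary should read "Miscellaneous files."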
@ -68,9 +68,16 @@ define(`mount_transition_add_role_use_terminal_depend',`
|
|||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
########################################
|
||||||
#
|
## <interface name="mount_use_file_descriptors">
|
||||||
# mount_use_file_descriptors(domain)
|
## <description>
|
||||||
|
## Use file descriptors for mount.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="use" weight="4"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mount_use_file_descriptors',`
|
define(`mount_use_file_descriptors',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -84,9 +91,17 @@ define(`mount_use_file_descriptors_depend',`
|
|||||||
class fd use;
|
class fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
########################################
|
||||||
#
|
## <interface name="mount_send_nfs_client_request">
|
||||||
# mount_send_nfs_client_request(domain)
|
## <description>
|
||||||
|
## Allow the mount domain to send nfs requests for mounting
|
||||||
|
## network drives
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write read " weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`mount_send_nfs_client_request',`
|
define(`mount_send_nfs_client_request',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
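Review bot: The attribute in `<infoflow type="write read " weight="10"/>` on `mount_send_nfs_client_request` has a trailing space and lists the directions in the opposite order from `getty_modify_config_file`, which uses `type="read write"`. A tool that compares the attribute value literally would treat these as different types; write `## <infoflow type="read write" weight="10"/>`. The description also says "Allow the mount domain to send nfs requests" while the parameter is documented as the type of the calling process, so it is unclear which domain is granted access. The define body is outside the hunk.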
@ -1,9 +1,16 @@
|
|||||||
## <module name="sysnetwork" layer="system">
|
## <module name="sysnetwork" layer="system">
|
||||||
## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
|
## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
|
||||||
|
|
||||||
########################################
|
#######################################
|
||||||
#
|
## <interface name="sysnetwork_dhcpc_transition">
|
||||||
# sysnetwork_dhcpc_transition(domain)
|
## <description>
|
||||||
|
## Execute dhcp client in dhcpc domain.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="read" weight="3"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`sysnetwork_dhcpc_transition',`
|
define(`sysnetwork_dhcpc_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -95,9 +102,16 @@ define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
|
|||||||
class chr_file { getattr read write ioctl };
|
class chr_file { getattr read write ioctl };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
#######################################
|
||||||
#
|
## <interface name="sysnetwork_read_network_config">
|
||||||
# sysnetwork_read_network_config(domain)
|
## <description>
|
||||||
|
## Allow network init to read network config files.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="read" weight="3"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`sysnetwork_read_network_config',`
|
define(`sysnetwork_read_network_config',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
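Review bot: The description of `sysnetwork_read_network_config`, "Allow network init to read network config files", names one particular caller although the interface takes an arbitrary `domain` parameter. Describe what is granted rather than who is expected to call it, e.g. `## Allow the specified domain to read network config files.` The separator above both new blocks also appears to shrink to 39 `#` characters here, while the other files in this commit widen it to 40. The macro bodies are outside the hunks.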
@ -1,7 +1,16 @@
|
|||||||
|
## <module name="udev" layer="system">
|
||||||
|
## <summary>Policy for udev.</summary>
|
||||||
|
|
||||||
#######################################
|
########################################
|
||||||
#
|
## <interface name="udev_transition">
|
||||||
# udev_transition(domain)
|
## <description>
|
||||||
|
## Execute udev in the udev domain.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="execute" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`udev_transition',`
|
define(`udev_transition',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -27,8 +36,15 @@ define(`udev_transition_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="udev_read_database">
|
||||||
# udev_read_database(domain)
|
## <description>
|
||||||
|
## Allow process to read list of devices.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="read" weight="3"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`udev_read_database',`
|
define(`udev_read_database',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -43,8 +59,15 @@ define(`udev_read_database_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="udev_modify_database">
|
||||||
# udev_modify_database(domain)
|
## <description>
|
||||||
|
## Allow process to modify list of devices.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## <infoflow type="write" weight="10"/>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`udev_modify_database',`
|
define(`udev_modify_database',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -57,3 +80,5 @@ define(`udev_modify_database_depend',`
|
|||||||
|
|
||||||
class file { getattr read write append };
|
class file { getattr read write append };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
## </module>
|
||||||
|
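Review bot: `udev_modify_database` is annotated `<infoflow type="write" weight="10"/>`, but the context of the last hunk shows `udev_modify_database_depend` requiring `class file { getattr read write append };`, so the interface presumably grants read as well as write. `getty_modify_config_file` in this commit documents the same read-plus-write shape as `type="read write"`; use `## <infoflow type="read write" weight="10"/>` here too. The define body itself is outside the hunk, so check it before changing the value.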