update for new documentation method
This commit is contained in:
parent
aad5b98eba
commit
414e415198
@ -274,7 +274,6 @@ $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/ke
|
||||
$(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
|
||||
| m4 $(M4PARAM) $(M4SUPPORT) $(MODDIR)/kernel/corenetwork.if.m4 - \
|
||||
| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
|
||||
$(QUIET) echo "## </module>" >> $@
|
||||
|
||||
$(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
|
||||
@echo "#" > $@
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="dmesg">
|
||||
## <summary>Policy for dmesg.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="dmesg_domtrans">
|
||||
## <desc>
|
||||
## Execute dmesg in the dmesg domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute dmesg in the dmesg domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`dmesg_domtrans',`
|
||||
gen_require(`
|
||||
@ -29,14 +26,12 @@ interface(`dmesg_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="dmesg_exec">
|
||||
## <desc>
|
||||
## Execute dmesg in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute dmesg in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`dmesg_exec',`
|
||||
gen_require(`
|
||||
@ -47,4 +42,3 @@ interface(`dmesg_exec',`
|
||||
can_exec($1,dmesg_exec_t)
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1 +0,0 @@
|
||||
<layer name="admin">
|
@ -1,15 +1,12 @@
|
||||
## <module name="rpm">
|
||||
## <summary>Policy for the RPM package manager.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="rpm_domtrans">
|
||||
## <desc>
|
||||
## Execute rpm programs in the rpm domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute rpm programs in the rpm domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`rpm_domtrans',`
|
||||
gen_require(`
|
||||
@ -30,20 +27,18 @@ interface(`rpm_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="rpm_run">
|
||||
## <desc>
|
||||
## Execute RPM programs in the RPM domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to allow the RPM domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the RPM domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute RPM programs in the RPM domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to allow the RPM domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the RPM domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`rpm_run',`
|
||||
gen_require(`
|
||||
@ -58,14 +53,12 @@ interface(`rpm_run',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="rpm_use_fd">
|
||||
## <desc>
|
||||
## Inherit and use file descriptors from RPM.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Inherit and use file descriptors from RPM.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`rpm_use_fd',`
|
||||
gen_require(`
|
||||
@ -77,14 +70,12 @@ interface(`rpm_use_fd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="rpm_read_pipe">
|
||||
## <desc>
|
||||
## Read from a RPM pipe.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read from a RPM pipe.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`rpm_read_pipe',`
|
||||
gen_require(`
|
||||
@ -96,14 +87,12 @@ interface(`rpm_read_pipe',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="rpm_read_db">
|
||||
## <desc>
|
||||
## Read RPM package database.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read RPM package database.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`rpm_read_db',`
|
||||
gen_require(`
|
||||
@ -135,4 +124,3 @@ interface(`rpm_manage_db',`
|
||||
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="usermanage">
|
||||
## <summary>Policy for managing user accounts.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="usermanage_domtrans_chfn">
|
||||
## <desc>
|
||||
## Execute chfn in the chfn domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute chfn in the chfn domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`usermanage_domtrans_chfn',`
|
||||
gen_require(`
|
||||
@ -30,21 +27,19 @@ interface(`usermanage_domtrans_chfn',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="usermanage_run_chfn">
|
||||
## <desc>
|
||||
## Execute chfn in the chfn domain, and
|
||||
## allow the specified role the chfn domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the chfn domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the chfn domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute chfn in the chfn domain, and
|
||||
## allow the specified role the chfn domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the chfn domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the chfn domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`usermanage_run_chfn',`
|
||||
gen_require(`
|
||||
@ -58,14 +53,12 @@ interface(`usermanage_run_chfn',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="usermanage_domtrans_groupadd">
|
||||
## <desc>
|
||||
## Execute groupadd in the groupadd domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute groupadd in the groupadd domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`usermanage_domtrans_groupadd',`
|
||||
gen_require(`
|
||||
@ -86,21 +79,19 @@ interface(`usermanage_domtrans_groupadd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="usermanage_run_groupadd">
|
||||
## <desc>
|
||||
## Execute groupadd in the groupadd domain, and
|
||||
## allow the specified role the groupadd domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the groupadd domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the groupadd domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute groupadd in the groupadd domain, and
|
||||
## allow the specified role the groupadd domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the groupadd domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the groupadd domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`usermanage_run_groupadd',`
|
||||
gen_require(`
|
||||
@ -114,14 +105,12 @@ interface(`usermanage_run_groupadd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="usermanage_domtrans_passwd">
|
||||
## <desc>
|
||||
## Execute passwd in the passwd domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute passwd in the passwd domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`usermanage_domtrans_passwd',`
|
||||
gen_require(`
|
||||
@ -142,21 +131,19 @@ interface(`usermanage_domtrans_passwd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="usermanage_run_passwd">
|
||||
## <desc>
|
||||
## Execute passwd in the passwd domain, and
|
||||
## allow the specified role the passwd domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the passwd domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the passwd domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute passwd in the passwd domain, and
|
||||
## allow the specified role the passwd domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the passwd domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the passwd domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`usermanage_run_passwd',`
|
||||
gen_require(`
|
||||
@ -170,14 +157,12 @@ interface(`usermanage_run_passwd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="usermanage_domtrans_useradd">
|
||||
## <desc>
|
||||
## Execute useradd in the useradd domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute useradd in the useradd domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`usermanage_domtrans_useradd',`
|
||||
gen_require(`
|
||||
@ -198,21 +183,19 @@ interface(`usermanage_domtrans_useradd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="usermanage_run_useradd">
|
||||
## <desc>
|
||||
## Execute useradd in the useradd domain, and
|
||||
## allow the specified role the useradd domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the useradd domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the useradd domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute useradd in the useradd domain, and
|
||||
## allow the specified role the useradd domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the useradd domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the useradd domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`usermanage_run_useradd',`
|
||||
gen_require(`
|
||||
@ -225,4 +208,3 @@ interface(`usermanage_run_useradd',`
|
||||
allow useradd_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,28 +1,26 @@
|
||||
## <module name="gpg">
|
||||
## <summary>Policy for GNU Privacy Guard and related programs.</summary>
|
||||
|
||||
#######################################
|
||||
## <template name="gpg_per_userdomain_template">
|
||||
## <summary>
|
||||
## The per-userdomain template for the gpg module.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates the types and rules for GPG,
|
||||
## GPG-agent, and GPG helper programs. This protects
|
||||
## the user keys and secrets, and runs the programs
|
||||
## in domains specific to the user type.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is invoked automatically for each user, and
|
||||
## generally does not need to be statically invoked
|
||||
## directly by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </param>
|
||||
## <summary>
|
||||
## The per-userdomain template for the gpg module.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This template creates the types and rules for GPG,
|
||||
## GPG-agent, and GPG helper programs. This protects
|
||||
## the user keys and secrets, and runs the programs
|
||||
## in domains specific to the user type.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is invoked automatically for each user, and
|
||||
## generally does not need to be statically invoked
|
||||
## directly by policy writers.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </param>
|
||||
#
|
||||
template(`gpg_per_userdomain_template',`
|
||||
gen_require(`$0'_depend)
|
||||
@ -368,6 +366,4 @@ template(`gpg_per_userdomain_template',`
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
## </template>
|
||||
|
||||
## </module>
|
||||
|
@ -1 +0,0 @@
|
||||
<layer name="apps">
|
@ -1,15 +1,12 @@
|
||||
## <module name="bootloader">
|
||||
## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_domtrans">
|
||||
## <desc>
|
||||
## Execute bootloader in the bootloader domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute bootloader in the bootloader domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_domtrans',`
|
||||
gen_require(`
|
||||
@ -28,21 +25,19 @@ interface(`bootloader_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_run">
|
||||
## <desc>
|
||||
## Execute bootloader interactively and do
|
||||
## a domain transition to the bootloader domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the bootloader domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the bootloader domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute bootloader interactively and do
|
||||
## a domain transition to the bootloader domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the bootloader domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the bootloader domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_run',`
|
||||
gen_require(`
|
||||
@ -57,14 +52,12 @@ interface(`bootloader_run',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_search_boot_dir">
|
||||
## <desc>
|
||||
## Search the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Search the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_search_boot_dir',`
|
||||
gen_require(`
|
||||
@ -76,14 +69,12 @@ interface(`bootloader_search_boot_dir',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_dontaudit_search_boot">
|
||||
## <desc>
|
||||
## Do not audit attempts to search the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to search the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_dontaudit_search_boot',`
|
||||
gen_require(`
|
||||
@ -95,15 +86,13 @@ interface(`bootloader_dontaudit_search_boot',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_rw_boot_symlinks">
|
||||
## <desc>
|
||||
## Read and write symbolic links
|
||||
## in the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write symbolic links
|
||||
## in the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_rw_boot_symlinks',`
|
||||
gen_require(`
|
||||
@ -117,14 +106,12 @@ interface(`bootloader_rw_boot_symlinks',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_create_kernel">
|
||||
## <desc>
|
||||
## Install a kernel into the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Install a kernel into the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_create_kernel',`
|
||||
gen_require(`
|
||||
@ -140,14 +127,12 @@ interface(`bootloader_create_kernel',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_create_kernel_symbol_table">
|
||||
## <desc>
|
||||
## Install a system.map into the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Install a system.map into the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_create_kernel_symbol_table',`
|
||||
gen_require(`
|
||||
@ -161,14 +146,12 @@ interface(`bootloader_create_kernel_symbol_table',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_read_kernel_symbol_table">
|
||||
## <desc>
|
||||
## Read system.map in the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read system.map in the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_read_kernel_symbol_table',`
|
||||
gen_require(`
|
||||
@ -182,14 +165,12 @@ interface(`bootloader_read_kernel_symbol_table',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_delete_kernel">
|
||||
## <desc>
|
||||
## Delete a kernel from /boot.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Delete a kernel from /boot.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_delete_kernel',`
|
||||
gen_require(`
|
||||
@ -203,14 +184,12 @@ interface(`bootloader_delete_kernel',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_delete_kernel_symbol_table">
|
||||
## <desc>
|
||||
## Delete a system.map in the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Delete a system.map in the /boot directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_delete_kernel_symbol_table',`
|
||||
gen_require(`
|
||||
@ -224,14 +203,12 @@ interface(`bootloader_delete_kernel_symbol_table',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_read_config">
|
||||
## <desc>
|
||||
## Read the bootloader configuration file.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read the bootloader configuration file.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_read_config',`
|
||||
gen_require(`
|
||||
@ -243,15 +220,13 @@ interface(`bootloader_read_config',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_rw_config">
|
||||
## <desc>
|
||||
## Read and write the bootloader
|
||||
## configuration file.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write the bootloader
|
||||
## configuration file.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_rw_config',`
|
||||
gen_require(`
|
||||
@ -263,15 +238,13 @@ interface(`bootloader_rw_config',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_rw_tmp_file">
|
||||
## <desc>
|
||||
## Read and write the bootloader
|
||||
## temporary data in /tmp.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write the bootloader
|
||||
## temporary data in /tmp.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_rw_tmp_file',`
|
||||
gen_require(`
|
||||
@ -284,15 +257,13 @@ interface(`bootloader_rw_tmp_file',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_create_runtime_file">
|
||||
## <desc>
|
||||
## Read and write the bootloader
|
||||
## temporary data in /tmp.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write the bootloader
|
||||
## temporary data in /tmp.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_create_runtime_file',`
|
||||
gen_require(`
|
||||
@ -307,14 +278,12 @@ interface(`bootloader_create_runtime_file',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_list_kernel_modules">
|
||||
## <desc>
|
||||
## List the contents of the kernel module directories.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## List the contents of the kernel module directories.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_list_kernel_modules',`
|
||||
gen_require(`
|
||||
@ -326,14 +295,12 @@ interface(`bootloader_list_kernel_modules',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_read_kernel_modules">
|
||||
## <desc>
|
||||
## Read kernel module files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read kernel module files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_read_kernel_modules',`
|
||||
gen_require(`
|
||||
@ -349,14 +316,12 @@ interface(`bootloader_read_kernel_modules',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_write_kernel_modules">
|
||||
## <desc>
|
||||
## Write kernel module files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Write kernel module files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_write_kernel_modules',`
|
||||
gen_require(`
|
||||
@ -373,15 +338,13 @@ interface(`bootloader_write_kernel_modules',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="bootloader_manage_kernel_modules">
|
||||
## <desc>
|
||||
## Create, read, write, and delete
|
||||
## kernel module files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Create, read, write, and delete
|
||||
## kernel module files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`bootloader_manage_kernel_modules',`
|
||||
gen_require(`
|
||||
@ -417,4 +380,3 @@ interface(`bootloader_create_private_module_dir_entry',`
|
||||
')
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,16 +1,13 @@
|
||||
## <module name="corenetwork">
|
||||
## <summary>Policy controlling access to network objects</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_tcp_sendrecv_generic_if">
|
||||
## <desc>
|
||||
## Send and receive TCP network traffic on the general interfaces.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send and receive TCP network traffic on the general interfaces.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`corenet_tcp_sendrecv_generic_if',`
|
||||
gen_require(`
|
||||
|
@ -6,15 +6,13 @@
|
||||
|
||||
define(`create_netif_interfaces',``
|
||||
########################################
|
||||
## <interface name="corenet_tcp_sendrecv_$1">
|
||||
## <desc>
|
||||
## Send and receive TCP network traffic on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send and receive TCP network traffic on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`corenet_tcp_sendrecv_$1',`
|
||||
gen_require(`
|
||||
@ -26,15 +24,13 @@ interface(`corenet_tcp_sendrecv_$1',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_udp_send_$1">
|
||||
## <desc>
|
||||
## Send UDP network traffic on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send UDP network traffic on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
#
|
||||
interface(`corenet_udp_send_$1',`
|
||||
gen_require(`
|
||||
@ -46,15 +42,13 @@ interface(`corenet_udp_send_$1',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_udp_receive_$1">
|
||||
## <desc>
|
||||
## Receive UDP network traffic on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Receive UDP network traffic on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
#
|
||||
interface(`corenet_udp_receive_$1',`
|
||||
gen_require(`
|
||||
@ -66,15 +60,13 @@ interface(`corenet_udp_receive_$1',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenetwork_sendrecv_udp_on_$1_interface">
|
||||
## <desc>
|
||||
## Send and receive UDP network traffic on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send and receive UDP network traffic on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`corenet_udp_sendrecv_$1',`
|
||||
corenet_udp_send_$1(dollarsone)
|
||||
@ -82,15 +74,13 @@ interface(`corenet_udp_sendrecv_$1',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_raw_send_$1">
|
||||
## <desc>
|
||||
## Send raw IP packets on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send raw IP packets on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
#
|
||||
interface(`corenet_raw_send_$1',`
|
||||
gen_require(`
|
||||
@ -104,15 +94,13 @@ interface(`corenet_raw_send_$1',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_raw_receive_$1">
|
||||
## <desc>
|
||||
## Receive raw IP packets on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Receive raw IP packets on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
#
|
||||
interface(`corenet_raw_receive_$1',`
|
||||
gen_require(`
|
||||
@ -124,15 +112,13 @@ interface(`corenet_raw_receive_$1',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_raw_sendrecv_$1">
|
||||
## <desc>
|
||||
## Send and receive raw IP packets on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send and receive raw IP packets on the $1 interface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`corenet_raw_sendrecv_$1',`
|
||||
corenet_raw_send_$1(dollarsone)
|
||||
@ -148,15 +134,13 @@ interface(`corenet_raw_sendrecv_$1',`
|
||||
|
||||
define(`create_node_interfaces',``
|
||||
########################################
|
||||
## <interface name="corenet_tcp_sendrecv_$1_node">
|
||||
## <desc>
|
||||
## Send and receive TCP traffic on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send and receive TCP traffic on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`corenet_tcp_sendrecv_$1_node',`
|
||||
gen_require(`
|
||||
@ -168,15 +152,13 @@ interface(`corenet_tcp_sendrecv_$1_node',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_udp_send_$1_node">
|
||||
## <desc>
|
||||
## Send UDP traffic on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send UDP traffic on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
#
|
||||
interface(`corenet_udp_send_$1_node',`
|
||||
gen_require(`
|
||||
@ -188,15 +170,13 @@ interface(`corenet_udp_send_$1_node',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_udp_receive_$1_node">
|
||||
## <desc>
|
||||
## Receive UDP traffic on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Receive UDP traffic on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
#
|
||||
interface(`corenet_udp_receive_$1_node',`
|
||||
gen_require(`
|
||||
@ -208,15 +188,13 @@ interface(`corenet_udp_receive_$1_node',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_udp_sendrecv_$1_node">
|
||||
## <desc>
|
||||
## Send and receive UDP traffic on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send and receive UDP traffic on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`corenet_udp_sendrecv_$1_node',`
|
||||
corenet_udp_send_$1_node(dollarsone)
|
||||
@ -224,15 +202,13 @@ interface(`corenet_udp_sendrecv_$1_node',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_raw_send_$1_node">
|
||||
## <desc>
|
||||
## Send raw IP packets on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send raw IP packets on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
#
|
||||
interface(`corenet_raw_send_$1_node',`
|
||||
gen_require(`
|
||||
@ -244,15 +220,13 @@ interface(`corenet_raw_send_$1_node',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_raw_receive_$1_node">
|
||||
## <desc>
|
||||
## Receive raw IP packets on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Receive raw IP packets on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
#
|
||||
interface(`corenet_raw_receive_$1_node',`
|
||||
gen_require(`
|
||||
@ -264,15 +238,13 @@ interface(`corenet_raw_receive_$1_node',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_raw_sendrecv_$1_node">
|
||||
## <desc>
|
||||
## Send and receive raw IP packets on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send and receive raw IP packets on the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`corenet_raw_sendrecv_$1_node',`
|
||||
corenet_raw_send_$1_node(dollarsone)
|
||||
@ -280,15 +252,13 @@ interface(`corenet_raw_sendrecv_$1_node',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_tcp_bind_$1_node">
|
||||
## <desc>
|
||||
## Bind TCP sockets to node $1.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Bind TCP sockets to node $1.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`corenet_tcp_bind_$1_node',`
|
||||
gen_require(`
|
||||
@ -300,15 +270,13 @@ interface(`corenet_tcp_bind_$1_node',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_udp_bind_$1_node">
|
||||
## <desc>
|
||||
## Bind UDP sockets to the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Bind UDP sockets to the $1 node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`corenet_udp_bind_$1_node',`
|
||||
gen_require(`
|
||||
@ -328,15 +296,13 @@ interface(`corenet_udp_bind_$1_node',`
|
||||
|
||||
define(`create_port_interfaces',``
|
||||
########################################
|
||||
## <interface name="corenet_tcp_sendrecv_$1_port">
|
||||
## <desc>
|
||||
## Send and receive TCP traffic on the $1 port.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send and receive TCP traffic on the $1 port.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`corenet_tcp_sendrecv_$1_port',`
|
||||
gen_require(`
|
||||
@ -348,15 +314,13 @@ interface(`corenet_tcp_sendrecv_$1_port',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_udp_send_$1_port">
|
||||
## <desc>
|
||||
## Send UDP traffic on the $1 port.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send UDP traffic on the $1 port.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
#
|
||||
interface(`corenet_udp_send_$1_port',`
|
||||
gen_require(`
|
||||
@ -368,15 +332,13 @@ interface(`corenet_udp_send_$1_port',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_udp_receive_$1_port">
|
||||
## <desc>
|
||||
## Receive UDP traffic on the $1 port.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Receive UDP traffic on the $1 port.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
#
|
||||
interface(`corenet_udp_receive_$1_port',`
|
||||
gen_require(`
|
||||
@ -388,15 +350,13 @@ interface(`corenet_udp_receive_$1_port',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenetwork_sendrecv_udp_on_$1_port">
|
||||
## <desc>
|
||||
## Send and receive UDP traffic on the $1 port.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send and receive UDP traffic on the $1 port.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`corenet_udp_sendrecv_$1_port',`
|
||||
corenet_udp_send_$1_port(dollarsone)
|
||||
@ -404,15 +364,13 @@ interface(`corenet_udp_sendrecv_$1_port',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_tcp_bind_$1_port">
|
||||
## <desc>
|
||||
## Bind TCP sockets to the $1 port.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Bind TCP sockets to the $1 port.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`corenet_tcp_bind_$1_port',`
|
||||
gen_require(`
|
||||
@ -425,15 +383,13 @@ interface(`corenet_tcp_bind_$1_port',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corenet_udp_bind_$1_port">
|
||||
## <desc>
|
||||
## Bind UDP sockets to the $1 port.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Bind UDP sockets to the $1 port.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`corenet_udp_bind_$1_port',`
|
||||
gen_require(`
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1 +0,0 @@
|
||||
<layer name="kernel">
|
@ -1,17 +1,14 @@
|
||||
## <module name="selinux">
|
||||
## <summary>
|
||||
## Policy for kernel security interface, in particular, selinuxfs.
|
||||
## Policy for kernel security interface, in particular, selinuxfs.
|
||||
## </summary>
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_get_fs_mount">
|
||||
## <desc>
|
||||
## Gets the caller the mountpoint of the selinuxfs filesystem.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type requesting the selinuxfs mountpoint.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Gets the caller the mountpoint of the selinuxfs filesystem.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type requesting the selinuxfs mountpoint.
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_get_fs_mount',`
|
||||
# read /proc/filesystems to see if selinuxfs is supported
|
||||
@ -20,15 +17,13 @@ interface(`selinux_get_fs_mount',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_get_enforce_mode">
|
||||
## <desc>
|
||||
## Allows the caller to get the mode of policy enforcement
|
||||
## (enforcing or permissive mode).
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to allow to get the enforcing mode.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allows the caller to get the mode of policy enforcement
|
||||
## (enforcing or permissive mode).
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to allow to get the enforcing mode.
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_get_enforce_mode',`
|
||||
gen_require(`
|
||||
@ -42,15 +37,13 @@ interface(`selinux_get_enforce_mode',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_set_enforce_mode">
|
||||
## <desc>
|
||||
## Allow caller to set the mode of policy enforcement
|
||||
## (enforcing or permissive mode).
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to allow to set the enforcement mode.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow caller to set the mode of policy enforcement
|
||||
## (enforcing or permissive mode).
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to allow to set the enforcement mode.
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_set_enforce_mode',`
|
||||
gen_require(`
|
||||
@ -69,14 +62,12 @@ interface(`selinux_set_enforce_mode',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_load_policy">
|
||||
## <desc>
|
||||
## Allow caller to load the policy into the kernel.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type that will load the policy.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow caller to load the policy into the kernel.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type that will load the policy.
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_load_policy',`
|
||||
gen_require(`
|
||||
@ -95,18 +86,16 @@ interface(`selinux_load_policy',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_set_boolean">
|
||||
## <desc>
|
||||
## Allow caller to set the state of Booleans to
|
||||
## enable or disable conditional portions of the policy.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type allowed to set the Boolean.
|
||||
## </param>
|
||||
## <param name="booltype" optional="true">
|
||||
## The type of Booleans the caller is allowed to set.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow caller to set the state of Booleans to
|
||||
## enable or disable conditional portions of the policy.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type allowed to set the Boolean.
|
||||
## </param>
|
||||
## <param name="booltype" optional="true">
|
||||
## The type of Booleans the caller is allowed to set.
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_set_boolean',`
|
||||
gen_require(`
|
||||
@ -130,14 +119,12 @@ interface(`selinux_set_boolean',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_set_parameters">
|
||||
## <desc>
|
||||
## Allow caller to set selinux security parameters.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to allow to set security parameters.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow caller to set selinux security parameters.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to allow to set security parameters.
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_set_parameters',`
|
||||
gen_require(`
|
||||
@ -156,14 +143,12 @@ interface(`selinux_set_parameters',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_validate_context">
|
||||
## <desc>
|
||||
## Allows caller to validate security contexts.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type permitted to validate contexts.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allows caller to validate security contexts.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type permitted to validate contexts.
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_validate_context',`
|
||||
gen_require(`
|
||||
@ -179,14 +164,12 @@ interface(`selinux_validate_context',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_compute_access_vector">
|
||||
## <desc>
|
||||
## Allows caller to compute an access vector.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type allowed to compute an access vector.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allows caller to compute an access vector.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type allowed to compute an access vector.
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_compute_access_vector',`
|
||||
gen_require(`
|
||||
@ -202,14 +185,12 @@ interface(`selinux_compute_access_vector',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_compute_create_context">
|
||||
## <desc>
|
||||
##
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
##
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
##
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
##
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_compute_create_context',`
|
||||
gen_require(`
|
||||
@ -225,14 +206,12 @@ interface(`selinux_compute_create_context',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_compute_relabel_context">
|
||||
## <desc>
|
||||
##
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
##
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_compute_relabel_context',`
|
||||
gen_require(`
|
||||
@ -248,14 +227,12 @@ interface(`selinux_compute_relabel_context',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_compute_user_contexts">
|
||||
## <desc>
|
||||
## Allows caller to compute possible contexts for a user.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type allowed to compute user contexts.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allows caller to compute possible contexts for a user.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type allowed to compute user contexts.
|
||||
## </param>
|
||||
#
|
||||
interface(`selinux_compute_user_contexts',`
|
||||
gen_require(`
|
||||
@ -270,4 +247,3 @@ interface(`selinux_compute_user_contexts',`
|
||||
allow $1 security_t:security compute_user;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,16 +1,13 @@
|
||||
## <module name="storage">
|
||||
## <summary>Policy controlling access to storage devices</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="storage_getattr_fixed_disk">
|
||||
## <desc>
|
||||
## Allow the caller to get the attributes of fixed disk
|
||||
## device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to get the attributes of fixed disk
|
||||
## device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_getattr_fixed_disk',`
|
||||
gen_require(`
|
||||
@ -23,15 +20,13 @@ interface(`storage_getattr_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_dontaudit_getattr_fixed_disk">
|
||||
## <desc>
|
||||
## Do not audit attempts made by the caller to get
|
||||
## the attributes of fixed disk device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts made by the caller to get
|
||||
## the attributes of fixed disk device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_dontaudit_getattr_fixed_disk',`
|
||||
gen_require(`
|
||||
@ -43,15 +38,13 @@ interface(`storage_dontaudit_getattr_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_setattr_fixed_disk">
|
||||
## <desc>
|
||||
## Allow the caller to set the attributes of fixed disk
|
||||
## device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to set the attributes of fixed disk
|
||||
## device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_setattr_fixed_disk',`
|
||||
gen_require(`
|
||||
@ -64,15 +57,13 @@ interface(`storage_setattr_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_dontaudit_setattr_fixed_disk">
|
||||
## <desc>
|
||||
## Do not audit attempts made by the caller to set
|
||||
## the attributes of fixed disk device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts made by the caller to set
|
||||
## the attributes of fixed disk device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_dontaudit_setattr_fixed_disk',`
|
||||
gen_require(`
|
||||
@ -84,17 +75,15 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_raw_read_fixed_disk">
|
||||
## <desc>
|
||||
## Allow the caller to directly read from a fixed disk.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to directly read from a fixed disk.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_raw_read_fixed_disk',`
|
||||
gen_require(`
|
||||
@ -109,17 +98,15 @@ interface(`storage_raw_read_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_raw_write_fixed_disk">
|
||||
## <desc>
|
||||
## Allow the caller to directly write to a fixed disk.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to directly write to a fixed disk.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_raw_write_fixed_disk',`
|
||||
gen_require(`
|
||||
@ -134,14 +121,12 @@ interface(`storage_raw_write_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_create_fixed_disk">
|
||||
## <desc>
|
||||
## Create block devices in /dev with the fixed disk type.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Create block devices in /dev with the fixed disk type.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_create_fixed_disk_dev_entry',`
|
||||
gen_require(`
|
||||
@ -156,14 +141,12 @@ interface(`storage_create_fixed_disk_dev_entry',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_manage_fixed_disk">
|
||||
## <desc>
|
||||
## Create, read, write, and delete fixed disk device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Create, read, write, and delete fixed disk device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_manage_fixed_disk',`
|
||||
gen_require(`
|
||||
@ -178,17 +161,15 @@ interface(`storage_manage_fixed_disk',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_raw_read_lvm_volume">
|
||||
## <desc>
|
||||
## Allow the caller to directly read from a logical volume.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to directly read from a logical volume.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_raw_read_lvm_volume',`
|
||||
gen_require(`
|
||||
@ -203,17 +184,15 @@ interface(`storage_raw_read_lvm_volume',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_raw_write_lvm_volume">
|
||||
## <desc>
|
||||
## Allow the caller to directly read from a logical volume.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to directly read from a logical volume.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_raw_write_lvm_volume',`
|
||||
gen_require(`
|
||||
@ -228,15 +207,13 @@ interface(`storage_raw_write_lvm_volume',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_getattr_scsi_generic">
|
||||
## <desc>
|
||||
## Allow the caller to get the attributes of
|
||||
## the generic SCSI interface device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to get the attributes of
|
||||
## the generic SCSI interface device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_getattr_scsi_generic',`
|
||||
gen_require(`
|
||||
@ -249,15 +226,13 @@ interface(`storage_getattr_scsi_generic',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_setattr_scsi_generic">
|
||||
## <desc>
|
||||
## Allow the caller to set the attributes of
|
||||
## the generic SCSI interface device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to set the attributes of
|
||||
## the generic SCSI interface device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_setattr_scsi_generic',`
|
||||
gen_require(`
|
||||
@ -270,18 +245,16 @@ interface(`storage_setattr_scsi_generic',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_read_scsi_generic">
|
||||
## <desc>
|
||||
## Allow the caller to directly read, in a
|
||||
## generic fashion, from any SCSI device.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to directly read, in a
|
||||
## generic fashion, from any SCSI device.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_read_scsi_generic',`
|
||||
gen_require(`
|
||||
@ -296,18 +269,16 @@ interface(`storage_read_scsi_generic',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_write_scsi_generic">
|
||||
## <desc>
|
||||
## Allow the caller to directly write, in a
|
||||
## generic fashion, from any SCSI device.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to directly write, in a
|
||||
## generic fashion, from any SCSI device.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_write_scsi_generic',`
|
||||
gen_require(`
|
||||
@ -322,15 +293,13 @@ interface(`storage_write_scsi_generic',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_getattr_scsi_generic">
|
||||
## <desc>
|
||||
## Get attributes of the device nodes
|
||||
## for the SCSI generic inerface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Get attributes of the device nodes
|
||||
## for the SCSI generic inerface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_getattr_scsi_generic',`
|
||||
gen_require(`
|
||||
@ -343,15 +312,13 @@ interface(`storage_getattr_scsi_generic',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_setattr_scsi_generic">
|
||||
## <desc>
|
||||
## Set attributes of the device nodes
|
||||
## for the SCSI generic inerface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Set attributes of the device nodes
|
||||
## for the SCSI generic inerface.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_set_scsi_generic_attributes',`
|
||||
gen_require(`
|
||||
@ -364,15 +331,13 @@ interface(`storage_set_scsi_generic_attributes',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_getattr_removable_device">
|
||||
## <desc>
|
||||
## Allow the caller to get the attributes of removable
|
||||
## devices device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to get the attributes of removable
|
||||
## devices device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_getattr_removable_device',`
|
||||
gen_require(`
|
||||
@ -385,15 +350,13 @@ interface(`storage_getattr_removable_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_dontaudit_getattr_removable_device">
|
||||
## <desc>
|
||||
## Do not audit attempts made by the caller to get
|
||||
## the attributes of removable devices device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts made by the caller to get
|
||||
## the attributes of removable devices device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_dontaudit_getattr_removable_device',`
|
||||
gen_require(`
|
||||
@ -405,15 +368,13 @@ interface(`storage_dontaudit_getattr_removable_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_setattr_removable_device">
|
||||
## <desc>
|
||||
## Allow the caller to set the attributes of removable
|
||||
## devices device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to set the attributes of removable
|
||||
## devices device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_setattr_removable_device',`
|
||||
gen_require(`
|
||||
@ -426,15 +387,13 @@ interface(`storage_setattr_removable_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_dontaudit_setattr_removable_device">
|
||||
## <desc>
|
||||
## Do not audit attempts made by the caller to set
|
||||
## the attributes of removable devices device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts made by the caller to set
|
||||
## the attributes of removable devices device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_dontaudit_setattr_removable_device',`
|
||||
gen_require(`
|
||||
@ -446,18 +405,16 @@ interface(`storage_dontaudit_setattr_removable_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_raw_read_removable_device">
|
||||
## <desc>
|
||||
## Allow the caller to directly read from
|
||||
## a removable device.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to directly read from
|
||||
## a removable device.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_raw_read_removable_device',`
|
||||
gen_require(`
|
||||
@ -470,18 +427,16 @@ interface(`storage_raw_read_removable_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_raw_write_removable_device">
|
||||
## <desc>
|
||||
## Allow the caller to directly write to
|
||||
## a removable device.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to directly write to
|
||||
## a removable device.
|
||||
## This is extremly dangerous as it can bypass the
|
||||
## SELinux protections for filesystem objects, and
|
||||
## should only be used by trusted domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_raw_write_removable_device',`
|
||||
gen_require(`
|
||||
@ -494,15 +449,13 @@ interface(`storage_raw_write_removable_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_read_tape_device">
|
||||
## <desc>
|
||||
## Allow the caller to directly read
|
||||
## a tape device.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to directly read
|
||||
## a tape device.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_read_tape_device',`
|
||||
gen_require(`
|
||||
@ -515,15 +468,13 @@ interface(`storage_read_tape_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_write_tape_device">
|
||||
## <desc>
|
||||
## Allow the caller to directly read
|
||||
## a tape device.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to directly read
|
||||
## a tape device.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_write_tape_device',`
|
||||
gen_require(`
|
||||
@ -536,15 +487,13 @@ interface(`storage_write_tape_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_getattr_tape_device">
|
||||
## <desc>
|
||||
## Allow the caller to get the attributes
|
||||
## of device nodes of tape devices.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to get the attributes
|
||||
## of device nodes of tape devices.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_getattr_tape_device',`
|
||||
gen_require(`
|
||||
@ -557,15 +506,13 @@ interface(`storage_getattr_tape_device',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="storage_setattr_tape_device">
|
||||
## <desc>
|
||||
## Allow the caller to set the attributes
|
||||
## of device nodes of tape devices.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to set the attributes
|
||||
## of device nodes of tape devices.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`storage_setattr_tape_device',`
|
||||
gen_require(`
|
||||
@ -577,4 +524,3 @@ interface(`storage_setattr_tape_device',`
|
||||
allow $1 tape_device_t:blk_file setattr;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="terminal">
|
||||
## <summary>Policy for terminals.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="term_pty">
|
||||
## <desc>
|
||||
## Transform specified type into a pty type.
|
||||
## </desc>
|
||||
## <param name="pty_type">
|
||||
## An object type that will applied to a pty.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Transform specified type into a pty type.
|
||||
## </desc>
|
||||
## <param name="pty_type">
|
||||
## An object type that will applied to a pty.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_pty',`
|
||||
gen_require(`
|
||||
@ -23,20 +20,18 @@ interface(`term_pty',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_user_pty">
|
||||
## <desc>
|
||||
## Transform specified type into an user
|
||||
## pty type. This allows it to be relabeled via
|
||||
## type change by login programs such as ssh.
|
||||
## </desc>
|
||||
## <param name="userdomain">
|
||||
## The type of the user domain associated with
|
||||
## this pty.
|
||||
## </param>
|
||||
## <param name="object_type">
|
||||
## An object type that will applied to a pty.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Transform specified type into an user
|
||||
## pty type. This allows it to be relabeled via
|
||||
## type change by login programs such as ssh.
|
||||
## </desc>
|
||||
## <param name="userdomain">
|
||||
## The type of the user domain associated with
|
||||
## this pty.
|
||||
## </param>
|
||||
## <param name="object_type">
|
||||
## An object type that will applied to a pty.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_user_pty',`
|
||||
gen_require(`
|
||||
@ -48,15 +43,13 @@ interface(`term_user_pty',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_login_pty">
|
||||
## <desc>
|
||||
## Transform specified type into a pty type
|
||||
## used by login programs, such as sshd.
|
||||
## </desc>
|
||||
## <param name="pty_type">
|
||||
## An object type that will applied to a pty.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Transform specified type into a pty type
|
||||
## used by login programs, such as sshd.
|
||||
## </desc>
|
||||
## <param name="pty_type">
|
||||
## An object type that will applied to a pty.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_login_pty',`
|
||||
gen_require(`
|
||||
@ -68,14 +61,12 @@ interface(`term_login_pty',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_tty">
|
||||
## <desc>
|
||||
## Transform specified type into a tty type.
|
||||
## </desc>
|
||||
## <param name="tty_type">
|
||||
## An object type that will applied to a tty.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Transform specified type into a tty type.
|
||||
## </desc>
|
||||
## <param name="tty_type">
|
||||
## An object type that will applied to a tty.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_tty',`
|
||||
gen_require(`
|
||||
@ -98,17 +89,15 @@ interface(`term_tty',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_create_pty">
|
||||
## <desc>
|
||||
## Create a pty in the /dev/pts directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process creating the pty.
|
||||
## </param>
|
||||
## <param name="pty_type">
|
||||
## The type of the pty.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Create a pty in the /dev/pts directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process creating the pty.
|
||||
## </param>
|
||||
## <param name="pty_type">
|
||||
## The type of the pty.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_create_pty',`
|
||||
gen_require(`
|
||||
@ -128,15 +117,13 @@ interface(`term_create_pty',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_use_all_terms">
|
||||
## <desc>
|
||||
## Read and write the console, all
|
||||
## ttys and all ptys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write the console, all
|
||||
## ttys and all ptys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_use_all_terms',`
|
||||
gen_require(`
|
||||
@ -152,14 +139,12 @@ interface(`term_use_all_terms',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_write_console">
|
||||
## <desc>
|
||||
## Write to the console.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Write to the console.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_write_console',`
|
||||
gen_require(`
|
||||
@ -172,14 +157,12 @@ interface(`term_write_console',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_use_console">
|
||||
## <desc>
|
||||
## Read from and write to the console.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read from and write to the console.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_use_console',`
|
||||
gen_require(`
|
||||
@ -192,15 +175,13 @@ interface(`term_use_console',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_dontaudit_use_console">
|
||||
## <desc>
|
||||
## Do not audit attemtps to read from
|
||||
## or write to the console.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attemtps to read from
|
||||
## or write to the console.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_use_console',`
|
||||
gen_require(`
|
||||
@ -212,15 +193,13 @@ interface(`term_dontaudit_use_console',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_setattr_console">
|
||||
## <desc>
|
||||
## Set the attributes of the console
|
||||
## device node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Set the attributes of the console
|
||||
## device node.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_setattr_console',`
|
||||
gen_require(`
|
||||
@ -233,15 +212,13 @@ interface(`term_setattr_console',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_list_ptys">
|
||||
## <desc>
|
||||
## Read the /dev/pts directory to
|
||||
## list all ptys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read the /dev/pts directory to
|
||||
## list all ptys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_list_ptys',`
|
||||
gen_require(`
|
||||
@ -254,15 +231,13 @@ interface(`term_list_ptys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_dontaudit_list_ptys">
|
||||
## <desc>
|
||||
## Do not audit attempts to read the
|
||||
## /dev/pts directory to.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to read the
|
||||
## /dev/pts directory to.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_list_ptys',`
|
||||
gen_require(`
|
||||
@ -274,16 +249,14 @@ interface(`term_dontaudit_list_ptys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_use_generic_pty">
|
||||
## <desc>
|
||||
## Read and write the generic pty
|
||||
## type. This is generally only used in
|
||||
## the targeted policy.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write the generic pty
|
||||
## type. This is generally only used in
|
||||
## the targeted policy.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_use_generic_pty',`
|
||||
gen_require(`
|
||||
@ -296,16 +269,14 @@ interface(`term_use_generic_pty',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_dontaudit_use_generic_pty">
|
||||
## <desc>
|
||||
## Dot not audit attempts to read and
|
||||
## write the generic pty type. This is
|
||||
## generally only used in the targeted policy.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Dot not audit attempts to read and
|
||||
## write the generic pty type. This is
|
||||
## generally only used in the targeted policy.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_use_generic_pty',`
|
||||
gen_require(`
|
||||
@ -317,15 +288,13 @@ interface(`term_dontaudit_use_generic_pty',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_use_controlling_term">
|
||||
## <desc>
|
||||
## Read and write the controlling
|
||||
## terminal (/dev/tty).
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write the controlling
|
||||
## terminal (/dev/tty).
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_use_controlling_term',`
|
||||
gen_require(`
|
||||
@ -338,15 +307,13 @@ interface(`term_use_controlling_term',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_dontaudit_use_ptmx">
|
||||
## <desc>
|
||||
## Do not audit attempts to read and
|
||||
## write the pty multiplexor (/dev/ptmx).
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to read and
|
||||
## write the pty multiplexor (/dev/ptmx).
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_use_ptmx',`
|
||||
gen_require(`
|
||||
@ -358,15 +325,13 @@ interface(`term_dontaudit_use_ptmx',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_getattr_all_user_ptys">
|
||||
## <desc>
|
||||
## Get the attributes of all user
|
||||
## pty device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Get the attributes of all user
|
||||
## pty device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_getattr_all_user_ptys',`
|
||||
gen_require(`
|
||||
@ -381,14 +346,12 @@ interface(`term_getattr_all_user_ptys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_use_all_user_ptys">
|
||||
## <desc>
|
||||
## Read and write all user ptys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write all user ptys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_use_all_user_ptys',`
|
||||
gen_require(`
|
||||
@ -403,15 +366,13 @@ interface(`term_use_all_user_ptys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_dontaudit_use_all_user_ptys">
|
||||
## <desc>
|
||||
## Do not audit attempts to read any
|
||||
## user ptys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to read any
|
||||
## user ptys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_use_all_user_ptys',`
|
||||
gen_require(`
|
||||
@ -423,15 +384,13 @@ interface(`term_dontaudit_use_all_user_ptys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_relabel_all_user_ptys">
|
||||
## <desc>
|
||||
## Relabel from and to all user
|
||||
## user pty device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Relabel from and to all user
|
||||
## user pty device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_relabel_all_user_ptys',`
|
||||
gen_require(`
|
||||
@ -444,15 +403,13 @@ interface(`term_relabel_all_user_ptys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_getattr_unallocated_ttys">
|
||||
## <desc>
|
||||
## Get the attributes of all unallocated
|
||||
## tty device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Get the attributes of all unallocated
|
||||
## tty device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_getattr_unallocated_ttys',`
|
||||
gen_require(`
|
||||
@ -465,15 +422,13 @@ interface(`term_getattr_unallocated_ttys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_setattr_unallocated_ttys">
|
||||
## <desc>
|
||||
## Set the attributes of all unallocated
|
||||
## tty device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Set the attributes of all unallocated
|
||||
## tty device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_setattr_unallocated_ttys',`
|
||||
gen_require(`
|
||||
@ -486,15 +441,13 @@ interface(`term_setattr_unallocated_ttys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_relabel_unallocated_ttys">
|
||||
## <desc>
|
||||
## Relabel from and to the unallocated
|
||||
## tty type.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Relabel from and to the unallocated
|
||||
## tty type.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_relabel_unallocated_ttys',`
|
||||
gen_require(`
|
||||
@ -507,15 +460,13 @@ interface(`term_relabel_unallocated_ttys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_reset_tty_labels">
|
||||
## <desc>
|
||||
## Relabel from all user tty types to
|
||||
## the unallocated tty type.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Relabel from all user tty types to
|
||||
## the unallocated tty type.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_reset_tty_labels',`
|
||||
gen_require(`
|
||||
@ -530,14 +481,12 @@ interface(`term_reset_tty_labels',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_write_unallocated_ttys">
|
||||
## <desc>
|
||||
## Write to unallocated ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Write to unallocated ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_write_unallocated_ttys',`
|
||||
gen_require(`
|
||||
@ -550,14 +499,12 @@ interface(`term_write_unallocated_ttys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_use_unallocated_tty">
|
||||
## <desc>
|
||||
## Read and write unallocated ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write unallocated ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_use_unallocated_tty',`
|
||||
gen_require(`
|
||||
@ -570,15 +517,13 @@ interface(`term_use_unallocated_tty',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_dontaudit_use_unallocated_tty">
|
||||
## <desc>
|
||||
## Do not audit attempts to read or
|
||||
## write unallocated ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to read or
|
||||
## write unallocated ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_use_unallocated_tty',`
|
||||
gen_require(`
|
||||
@ -590,15 +535,13 @@ interface(`term_dontaudit_use_unallocated_tty',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_getattr_all_user_ttys">
|
||||
## <desc>
|
||||
## Get the attributes of all user tty
|
||||
## device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Get the attributes of all user tty
|
||||
## device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_getattr_all_user_ttys',`
|
||||
gen_require(`
|
||||
@ -611,16 +554,14 @@ interface(`term_getattr_all_user_ttys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_dontaudit_getattr_all_user_ttys">
|
||||
## <desc>
|
||||
## Do not audit attempts to get the
|
||||
## attributes of any user tty
|
||||
## device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to get the
|
||||
## attributes of any user tty
|
||||
## device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_getattr_all_user_ttys',`
|
||||
gen_require(`
|
||||
@ -633,15 +574,13 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_setattr_all_user_ttys">
|
||||
## <desc>
|
||||
## Set the attributes of all user tty
|
||||
## device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Set the attributes of all user tty
|
||||
## device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_setattr_all_user_ttys',`
|
||||
gen_require(`
|
||||
@ -654,15 +593,13 @@ interface(`term_setattr_all_user_ttys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_relabel_all_user_ttys">
|
||||
## <desc>
|
||||
## Relabel from and to all user
|
||||
## user tty device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Relabel from and to all user
|
||||
## user tty device nodes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_relabel_all_user_ttys',`
|
||||
gen_require(`
|
||||
@ -675,14 +612,12 @@ interface(`term_relabel_all_user_ttys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_write_all_user_ttys">
|
||||
## <desc>
|
||||
## Write to all user ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Write to all user ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_write_all_user_ttys',`
|
||||
gen_require(`
|
||||
@ -695,14 +630,12 @@ interface(`term_write_all_user_ttys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_use_all_user_ttys">
|
||||
## <desc>
|
||||
## Read and write all user to all user ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write all user to all user ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_use_all_user_ttys',`
|
||||
gen_require(`
|
||||
@ -715,15 +648,13 @@ interface(`term_use_all_user_ttys',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="term_dontaudit_use_all_user_ttys">
|
||||
## <desc>
|
||||
## Do not audit attempts to read or write
|
||||
## any user ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to read or write
|
||||
## any user ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`term_dontaudit_use_all_user_ttys',`
|
||||
gen_require(`
|
||||
@ -734,4 +665,3 @@ interface(`term_dontaudit_use_all_user_ttys',`
|
||||
dontaudit $1 ttynode:chr_file { read write };
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1 +0,0 @@
|
||||
<layer name="services">
|
@ -1,4 +1,3 @@
|
||||
## <module name="mta">
|
||||
## <summary>Policy common to all email tranfer agents.</summary>
|
||||
|
||||
#######################################
|
||||
@ -194,14 +193,12 @@ interface(`mta_exec',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="mta_read_aliases">
|
||||
## <desc>
|
||||
## Read mail address aliases.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read mail address aliases.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`mta_read_aliases',`
|
||||
gen_require(`
|
||||
@ -293,4 +290,3 @@ interface(`mta_manage_queue',`
|
||||
allow $1 mqueue_spool_t:file create_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="remotelogin">
|
||||
## <summary>Policy for rshd, rlogind, and telnetd.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="remotelogin_domtrans">
|
||||
## <desc>
|
||||
## Domain transition to the remote login domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Domain transition to the remote login domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`remotelogin_domtrans',`
|
||||
gen_require(`
|
||||
@ -19,4 +16,3 @@ interface(`remotelogin_domtrans',`
|
||||
auth_domtrans_login_program($1,remote_login_t)
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="sendmail">
|
||||
## <summary>Policy for sendmail.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="sendmail_domtrans">
|
||||
## <desc>
|
||||
## Domain transition to sendmail.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Domain transition to sendmail.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`sendmail_domtrans',`
|
||||
gen_require(`
|
||||
@ -29,4 +26,3 @@ interface(`sendmail_domtrans',`
|
||||
allow sendmail_t $1:process sigchld;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,4 +1,3 @@
|
||||
## <module name="authlogin">
|
||||
## <summary>Common policy for authentication and user login.</summary>
|
||||
|
||||
#######################################
|
||||
@ -89,14 +88,12 @@ interface(`authlogin_per_userdomain_template',`
|
||||
') dnl end authlogin_per_userdomain_template
|
||||
|
||||
########################################
|
||||
## <interface name="auth_login_entry_type">
|
||||
## <desc>
|
||||
## Use the login program as an entry point program.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of process using the login program as entry point.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Use the login program as an entry point program.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of process using the login program as entry point.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_login_entry_type',`
|
||||
gen_require(`
|
||||
@ -107,17 +104,15 @@ interface(`auth_login_entry_type',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_domtrans_login_program">
|
||||
## <desc>
|
||||
## Execute a login_program in the target domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="target_domain">
|
||||
## The type of the login_program process.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute a login_program in the target domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="target_domain">
|
||||
## The type of the login_program process.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_domtrans_login_program',`
|
||||
gen_require(`
|
||||
@ -137,14 +132,12 @@ interface(`auth_domtrans_login_program',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_domtrans_chk_passwd">
|
||||
## <desc>
|
||||
## Run unix_chkpwd to check a password.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Run unix_chkpwd to check a password.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_domtrans_chk_passwd',`
|
||||
gen_require(`
|
||||
@ -181,14 +174,12 @@ interface(`auth_domtrans_chk_passwd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_dontaudit_getattr_shadow">
|
||||
## <desc>
|
||||
##
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
##
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_dontaudit_getattr_shadow',`
|
||||
gen_require(`
|
||||
@ -200,14 +191,12 @@ interface(`auth_dontaudit_getattr_shadow',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_read_shadow">
|
||||
## <desc>
|
||||
## Read the shadow passwords file (/etc/shadow)
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read the shadow passwords file (/etc/shadow)
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_read_shadow',`
|
||||
gen_require(`
|
||||
@ -222,15 +211,13 @@ interface(`auth_read_shadow',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_dontaudit_read_shadow">
|
||||
## <desc>
|
||||
## Do not audit attempts to read the shadow
|
||||
## password file (/etc/shadow).
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the domain to not audit.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to read the shadow
|
||||
## password file (/etc/shadow).
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_dontaudit_read_shadow',`
|
||||
gen_require(`
|
||||
@ -242,14 +229,12 @@ interface(`auth_dontaudit_read_shadow',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_rw_shadow">
|
||||
## <desc>
|
||||
## Read and write the shadow password file (/etc/shadow).
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write the shadow password file (/etc/shadow).
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_rw_shadow',`
|
||||
gen_require(`
|
||||
@ -325,14 +310,12 @@ interface(`auth_rw_lastlog',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_domtrans_pam">
|
||||
## <desc>
|
||||
## Execute pam programs in the pam domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute pam programs in the pam domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_domtrans_pam',`
|
||||
gen_require(`
|
||||
@ -351,20 +334,18 @@ interface(`auth_domtrans_pam',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_run_pam">
|
||||
## <desc>
|
||||
## Execute pam programs in the PAM domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to allow the PAM domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the PAM domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute pam programs in the PAM domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to allow the PAM domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the PAM domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_run_pam',`
|
||||
gen_require(`
|
||||
@ -378,14 +359,12 @@ interface(`auth_run_pam',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_exec_pam">
|
||||
## <desc>
|
||||
## Execute the pam program.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute the pam program.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_exec_pam',`
|
||||
gen_require(`
|
||||
@ -413,14 +392,12 @@ interface(`auth_read_pam_pid',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_delete_pam_pid">
|
||||
## <desc>
|
||||
## Delete pam PID files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Delete pam PID files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_delete_pam_pid',`
|
||||
gen_require(`
|
||||
@ -507,19 +484,17 @@ interface(`auth_manage_pam_console_data',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_relabel_all_files_except_shadow">
|
||||
## <desc>
|
||||
## Relabel all files on the filesystem, except
|
||||
## the shadow passwords and listed exceptions.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the domain perfoming this action.
|
||||
## </param>
|
||||
## <param name="exception_types" optional="true">
|
||||
## The types to be excluded. Each type or attribute
|
||||
## must be negated by the caller.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Relabel all files on the filesystem, except
|
||||
## the shadow passwords and listed exceptions.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the domain perfoming this action.
|
||||
## </param>
|
||||
## <param name="exception_types" optional="true">
|
||||
## The types to be excluded. Each type or attribute
|
||||
## must be negated by the caller.
|
||||
## </param>
|
||||
#
|
||||
|
||||
interface(`auth_relabel_all_files_except_shadow',`
|
||||
@ -531,19 +506,17 @@ interface(`auth_relabel_all_files_except_shadow',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_manage_all_files_except_shadow">
|
||||
## <desc>
|
||||
## Manage all files on the filesystem, except
|
||||
## the shadow passwords and listed exceptions.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the domain perfoming this action.
|
||||
## </param>
|
||||
## <param name="exception_types" optional="true">
|
||||
## The types to be excluded. Each type or attribute
|
||||
## must be negated by the caller.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Manage all files on the filesystem, except
|
||||
## the shadow passwords and listed exceptions.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the domain perfoming this action.
|
||||
## </param>
|
||||
## <param name="exception_types" optional="true">
|
||||
## The types to be excluded. Each type or attribute
|
||||
## must be negated by the caller.
|
||||
## </param>
|
||||
#
|
||||
|
||||
interface(`auth_manage_all_files_except_shadow',`
|
||||
@ -555,14 +528,12 @@ interface(`auth_manage_all_files_except_shadow',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_domtrans_utempter">
|
||||
## <desc>
|
||||
## Execute utempter programs in the utempter domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute utempter programs in the utempter domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_domtrans_utempter',`
|
||||
gen_require(`
|
||||
@ -581,20 +552,18 @@ interface(`auth_domtrans_utempter',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="auth_run_utempter">
|
||||
## <desc>
|
||||
## Execute utempter programs in the utempter domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to allow the utempter domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the utempter domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute utempter programs in the utempter domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to allow the utempter domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the utempter domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_run_utempter',`
|
||||
gen_require(`
|
||||
@ -648,4 +617,3 @@ interface(`auth_rw_login_records',`
|
||||
logging_search_logs($1)
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="clock">
|
||||
## <summary>Policy for reading and setting the hardware clock.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="clock_domtrans">
|
||||
## <desc>
|
||||
## Execute hwclock in the clock domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute hwclock in the clock domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`clock_domtrans',`
|
||||
gen_require(`
|
||||
@ -27,21 +24,19 @@ interface(`clock_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="clock_run">
|
||||
## <desc>
|
||||
## Execute hwclock in the clock domain, and
|
||||
## allow the specified role the hwclock domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the clock domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the clock domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute hwclock in the clock domain, and
|
||||
## allow the specified role the hwclock domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the clock domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the clock domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`clock_run',`
|
||||
gen_require(`
|
||||
@ -55,14 +50,12 @@ interface(`clock_run',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="clock_exec">
|
||||
## <desc>
|
||||
## Execute hwclock
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`clock_exec',`
|
||||
gen_require(`
|
||||
@ -73,14 +66,12 @@ interface(`clock_exec',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="clock_rw_adjtime">
|
||||
## <desc>
|
||||
## Allow executing domain to modify clock drift
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`clock_rw_adjtime',`
|
||||
gen_require(`
|
||||
@ -92,4 +83,3 @@ interface(`clock_rw_adjtime',`
|
||||
files_list_etc($1)
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,7 +1,6 @@
|
||||
## <module name="corecommands">
|
||||
## <summary>
|
||||
## Core policy for shells, and generic programs
|
||||
## in /bin, /sbin, /usr/bin, and /usr/sbin.
|
||||
## Core policy for shells, and generic programs
|
||||
## in /bin, /sbin, /usr/bin, and /usr/sbin.
|
||||
## </summary>
|
||||
|
||||
#######################################
|
||||
@ -148,19 +147,17 @@ interface(`corecmd_exec_ls',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corecmd_shell_spec_domtrans">
|
||||
## <desc>
|
||||
## Execute a shell in the target domain. This
|
||||
## is an explicit transition, requiring the
|
||||
## caller to use setexeccon().
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="target_domain">
|
||||
## The type of the shell process.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute a shell in the target domain. This
|
||||
## is an explicit transition, requiring the
|
||||
## caller to use setexeccon().
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="target_domain">
|
||||
## The type of the shell process.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_shell_spec_domtrans',`
|
||||
gen_require(`
|
||||
@ -184,17 +181,15 @@ interface(`corecmd_shell_spec_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="corecmd_domtrans_shell">
|
||||
## <desc>
|
||||
## Execute a shell in the target domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="target_domain">
|
||||
## The type of the shell process.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute a shell in the target domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="target_domain">
|
||||
## The type of the shell process.
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_domtrans_shell',`
|
||||
gen_require(`
|
||||
@ -219,4 +214,3 @@ interface(`corecmd_chroot_exec_chroot',`
|
||||
allow $1 self:capability sys_chroot;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,4 +1,3 @@
|
||||
## <module name="domain">
|
||||
## <summary>Core policy for domains.</summary>
|
||||
|
||||
########################################
|
||||
@ -92,15 +91,13 @@ interface(`domain_dyntrans_type',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_subj_id_change_exempt">
|
||||
## <desc>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
## changing of user identity.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to make an exception to the constraint.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
## changing of user identity.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to make an exception to the constraint.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_subj_id_change_exempt',`
|
||||
gen_require(`
|
||||
@ -111,15 +108,13 @@ interface(`domain_subj_id_change_exempt',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_role_change_exempt">
|
||||
## <desc>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
## changing of role.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to make an exception to the constraint.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
## changing of role.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to make an exception to the constraint.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_role_change_exempt',`
|
||||
gen_require(`
|
||||
@ -130,15 +125,13 @@ interface(`domain_role_change_exempt',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_obj_id_change_exempt">
|
||||
## <desc>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
## changing the user identity in object contexts.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to make an exception to the constraint.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Makes caller an exception to the constraint preventing
|
||||
## changing the user identity in object contexts.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The process type to make an exception to the constraint.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_obj_id_change_exempt',`
|
||||
gen_require(`
|
||||
@ -188,14 +181,12 @@ interface(`domain_setpriority_all_domains',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_signal_all_domains">
|
||||
## <desc>
|
||||
## Send general signals to all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send general signals to all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_signal_all_domains',`
|
||||
gen_require(`
|
||||
@ -207,14 +198,12 @@ interface(`domain_signal_all_domains',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_signull_all_domains">
|
||||
## <desc>
|
||||
## Send a null signal to all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send a null signal to all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_signull_all_domains',`
|
||||
gen_require(`
|
||||
@ -226,14 +215,12 @@ interface(`domain_signull_all_domains',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_sigstop_all_domains">
|
||||
## <desc>
|
||||
## Send a stop signal to all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send a stop signal to all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_sigstop_all_domains',`
|
||||
gen_require(`
|
||||
@ -245,14 +232,12 @@ interface(`domain_sigstop_all_domains',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_sigchld_all_domains">
|
||||
## <desc>
|
||||
## Send a child terminated signal to all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send a child terminated signal to all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_sigchld_all_domains',`
|
||||
gen_require(`
|
||||
@ -264,14 +249,12 @@ interface(`domain_sigchld_all_domains',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_kill_all_domains">
|
||||
## <desc>
|
||||
## Send a kill signal to all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send a kill signal to all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_kill_all_domains',`
|
||||
gen_require(`
|
||||
@ -285,14 +268,12 @@ interface(`domain_kill_all_domains',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_read_all_domains_state">
|
||||
## <desc>
|
||||
## Read the process state (/proc/pid) of all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read the process state (/proc/pid) of all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_read_all_domains_state',`
|
||||
gen_require(`
|
||||
@ -316,15 +297,13 @@ interface(`domain_read_all_domains_state',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_dontaudit_list_all_domains_proc">
|
||||
## <desc>
|
||||
## Do not audit attempts to read the process state
|
||||
## directories of all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to read the process state
|
||||
## directories of all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_dontaudit_list_all_domains_proc',`
|
||||
gen_require(`
|
||||
@ -336,14 +315,12 @@ interface(`domain_dontaudit_list_all_domains_proc',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_getsession_all_domains">
|
||||
## <desc>
|
||||
## Get the session ID of all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Get the session ID of all domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_getsession_all_domains',`
|
||||
gen_require(`
|
||||
@ -355,15 +332,13 @@ interface(`domain_getsession_all_domains',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_dontaudit_getattr_all_udp_sockets">
|
||||
## <desc>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all domains UDP sockets.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all domains UDP sockets.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_dontaudit_getattr_all_udp_sockets',`
|
||||
gen_require(`
|
||||
@ -375,15 +350,13 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_dontaudit_getattr_all_tcp_sockets">
|
||||
## <desc>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all domains TCP sockets.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all domains TCP sockets.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_dontaudit_getattr_all_tcp_sockets',`
|
||||
gen_require(`
|
||||
@ -395,15 +368,13 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_dontaudit_getattr_all_unix_dgram_sockets">
|
||||
## <desc>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all domains unix datagram sockets.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all domains unix datagram sockets.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
|
||||
gen_require(`
|
||||
@ -415,15 +386,13 @@ interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="domain_dontaudit_getattr_all_unnamed_pipes">
|
||||
## <desc>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all domains unnamed pipes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all domains unnamed pipes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_dontaudit_getattr_all_unnamed_pipes',`
|
||||
gen_require(`
|
||||
@ -461,7 +430,6 @@ interface(`domain_read_all_entry_files',`
|
||||
allow $1 entry_type:file r_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
||||
#
|
||||
# These next macros are not interfaces, but actually are
|
||||
|
@ -1,19 +1,18 @@
|
||||
## <module name="files">
|
||||
## <summary>
|
||||
## Basic filesystem types and interfaces.
|
||||
## Basic filesystem types and interfaces.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## This module contains basic filesystem types and interfaces. This
|
||||
## includes:
|
||||
## <ul>
|
||||
## <li>The concept of different file types including basic
|
||||
## files, mount points, tmp files, etc.</li>
|
||||
## <li>Access to groups of files and all files.</li>
|
||||
## <li>Types and interfaces for the basic filesystem layout
|
||||
## (/, /etc, /tmp, /usr, etc.).</li>
|
||||
## </ul>
|
||||
## </p>
|
||||
## <p>
|
||||
## This module contains basic filesystem types and interfaces. This
|
||||
## includes:
|
||||
## <ul>
|
||||
## <li>The concept of different file types including basic
|
||||
## files, mount points, tmp files, etc.</li>
|
||||
## <li>Access to groups of files and all files.</li>
|
||||
## <li>Types and interfaces for the basic filesystem layout
|
||||
## (/, /etc, /tmp, /usr, etc.).</li>
|
||||
## </ul>
|
||||
## </p>
|
||||
## </desc>
|
||||
|
||||
########################################
|
||||
@ -83,15 +82,13 @@ interface(`files_tmp_file',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="files_tmpfs_file">
|
||||
## <desc>
|
||||
## Transform the type into a file, for use on a
|
||||
## virtual memory filesystem (tmpfs).
|
||||
## </desc>
|
||||
## <param name="type">
|
||||
## The type to be transformed.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Transform the type into a file, for use on a
|
||||
## virtual memory filesystem (tmpfs).
|
||||
## </desc>
|
||||
## <param name="type">
|
||||
## The type to be transformed.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_tmpfs_file',`
|
||||
gen_require(`
|
||||
@ -125,19 +122,17 @@ interface(`files_getattr_all_files',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="files_relabel_all_files">
|
||||
## <desc>
|
||||
## Relabel all files on the filesystem, except
|
||||
## the listed exceptions.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the domain perfoming this action.
|
||||
## </param>
|
||||
## <param name="exception_types" optional="true">
|
||||
## The types to be excluded. Each type or attribute
|
||||
## must be negated by the caller.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Relabel all files on the filesystem, except
|
||||
## the listed exceptions.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the domain perfoming this action.
|
||||
## </param>
|
||||
## <param name="exception_types" optional="true">
|
||||
## The types to be excluded. Each type or attribute
|
||||
## must be negated by the caller.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_relabel_all_files',`
|
||||
gen_require(`
|
||||
@ -164,19 +159,17 @@ interface(`files_relabel_all_files',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="files_manage_all_files">
|
||||
## <desc>
|
||||
## Manage all files on the filesystem, except
|
||||
## the listed exceptions.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the domain perfoming this action.
|
||||
## </param>
|
||||
## <param name="exception_types" optional="true">
|
||||
## The types to be excluded. Each type or attribute
|
||||
## must be negated by the caller.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Manage all files on the filesystem, except
|
||||
## the listed exceptions.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the domain perfoming this action.
|
||||
## </param>
|
||||
## <param name="exception_types" optional="true">
|
||||
## The types to be excluded. Each type or attribute
|
||||
## must be negated by the caller.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_manage_all_files',`
|
||||
gen_require(`
|
||||
@ -306,25 +299,23 @@ interface(`files_list_root',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="files_create_root">
|
||||
## <desc>
|
||||
## Create an object in the root directory, with a private
|
||||
## type. If no object class is specified, the
|
||||
## default is file.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="private type" optional="true">
|
||||
## The type of the object to be created. If no type
|
||||
## is specified, the type of the root directory will
|
||||
## be used.
|
||||
## </param>
|
||||
## <param name="object" optional="true">
|
||||
## The object class of the object being created. If
|
||||
## no class is specified, file will be used.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Create an object in the root directory, with a private
|
||||
## type. If no object class is specified, the
|
||||
## default is file.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="private type" optional="true">
|
||||
## The type of the object to be created. If no type
|
||||
## is specified, the type of the root directory will
|
||||
## be used.
|
||||
## </param>
|
||||
## <param name="object" optional="true">
|
||||
## The object class of the object being created. If
|
||||
## no class is specified, file will be used.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_create_root',`
|
||||
gen_require(`
|
||||
@ -498,14 +489,12 @@ interface(`files_manage_generic_etc_files',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="files_delete_generic_etc_files">
|
||||
## <desc>
|
||||
## Delete system configuration files in /etc.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Delete system configuration files in /etc.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_delete_generic_etc_files',`
|
||||
gen_require(`
|
||||
@ -642,14 +631,12 @@ interface(`files_dontaudit_search_isid_type_dir',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="files_list_home">
|
||||
## <desc>
|
||||
## Get listing home home directories.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Get listing home home directories.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_list_home',`
|
||||
gen_require(`
|
||||
@ -743,14 +730,12 @@ interface(`files_read_usr_files',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="files_exec_usr_files">
|
||||
## <desc>
|
||||
## Execute programs in /usr/src in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute programs in /usr/src in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_exec_usr_files',`
|
||||
gen_require(`
|
||||
@ -810,14 +795,12 @@ interface(`files_dontaudit_search_var',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="files_search_var_lib">
|
||||
## <desc>
|
||||
## Search the /var/lib directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Search the /var/lib directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_search_var_lib',`
|
||||
gen_require(`
|
||||
@ -987,14 +970,12 @@ interface(`files_rw_generic_pids',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="files_dontaudit_write_all_pids">
|
||||
## <desc>
|
||||
## Do not audit attempts to write to daemon runtime data files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to write to daemon runtime data files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_write_all_pids',`
|
||||
gen_require(`
|
||||
@ -1006,14 +987,12 @@ interface(`files_dontaudit_write_all_pids',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="files_dontaudit_ioctl_all_pids">
|
||||
## <desc>
|
||||
## Do not audit attempts to ioctl daemon runtime data files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to ioctl daemon runtime data files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_ioctl_all_pids',`
|
||||
gen_require(`
|
||||
@ -1123,4 +1102,3 @@ interface(`files_manage_spools',`
|
||||
allow $1 var_spool_t:file create_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="getty">
|
||||
## <summary>Policy for getty.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="getty_domtrans">
|
||||
## <desc>
|
||||
## Execute gettys in the getty domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`getty_domtrans',`
|
||||
gen_require(`
|
||||
@ -29,14 +26,12 @@ interface(`getty_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="getty_read_log">
|
||||
## <desc>
|
||||
## Allow process to read getty log file.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`getty_read_log',`
|
||||
gen_require(`
|
||||
@ -49,14 +44,12 @@ interface(`getty_read_log',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="getty_read_config">
|
||||
## <desc>
|
||||
## Allow process to read getty config file.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`getty_read_config',`
|
||||
gen_require(`
|
||||
@ -69,14 +62,12 @@ interface(`getty_read_config',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="getty_modify_config">
|
||||
## <desc>
|
||||
## Allow process to edit getty config file.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`getty_modify_config',`
|
||||
gen_require(`
|
||||
@ -88,4 +79,3 @@ interface(`getty_modify_config',`
|
||||
allow $1 getty_etc_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,16 +1,13 @@
|
||||
## <module name="hostname">
|
||||
## <summary>Policy for changing the system host name.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="hostname_domtrans">
|
||||
## <desc>
|
||||
## Execute hostname in the hostname domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## Has a sigchld signal backchannel.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute hostname in the hostname domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## Has a sigchld signal backchannel.
|
||||
## </param>
|
||||
#
|
||||
interface(`hostname_domtrans',`
|
||||
gen_require(`
|
||||
@ -30,22 +27,20 @@ interface(`hostname_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="hostname_run">
|
||||
## <desc>
|
||||
## Execute hostname in the hostname domain, and
|
||||
## allow the specified role the hostname domain.
|
||||
## Has a sigchld signal backchannel.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the hostname domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the hostname domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute hostname in the hostname domain, and
|
||||
## allow the specified role the hostname domain.
|
||||
## Has a sigchld signal backchannel.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the hostname domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the hostname domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`hostname_run',`
|
||||
gen_require(`
|
||||
@ -59,7 +54,6 @@ interface(`hostname_run',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="hostname_exec">
|
||||
## <desc>
|
||||
## Execute hostname in the hostname domain, and
|
||||
## Has a sigchld signal backchannel.
|
||||
@ -67,7 +61,6 @@ interface(`hostname_run',`
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`hostname_exec',`
|
||||
gen_require(`
|
||||
@ -77,4 +70,3 @@ interface(`hostname_exec',`
|
||||
can_exec($1,hostname_exec_t)
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,7 +1,6 @@
|
||||
## <module name="hotplug">
|
||||
## <summary>
|
||||
## Policy for hotplug system, for supporting the
|
||||
## connection and disconnection of devices at runtime.
|
||||
## Policy for hotplug system, for supporting the
|
||||
## connection and disconnection of devices at runtime.
|
||||
## </summary>
|
||||
|
||||
#######################################
|
||||
@ -78,14 +77,12 @@ interface(`hotplug_dontaudit_search_config',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="hotplug_read_config">
|
||||
## <desc>
|
||||
## Read the configuration files for hotplug.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read the configuration files for hotplug.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`hotplug_read_config',`
|
||||
gen_require(`
|
||||
@ -101,4 +98,3 @@ interface(`hotplug_read_config',`
|
||||
allow $1 hotplug_etc_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,4 +1,3 @@
|
||||
## <module name="init">
|
||||
## <summary>System initialization programs (init and init scripts).</summary>
|
||||
|
||||
########################################
|
||||
@ -260,14 +259,12 @@ interface(`init_exec_script',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="init_read_script_process_state">
|
||||
## <desc>
|
||||
## Read the process state (/proc/pid) of the init scripts.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read the process state (/proc/pid) of the init scripts.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_read_script_process_state',`
|
||||
gen_require(`
|
||||
@ -330,14 +327,12 @@ interface(`init_get_script_process_group',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="init_rw_script_pipe">
|
||||
## <desc>
|
||||
## Read and write init script unnamed pipes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write init script unnamed pipes.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_rw_script_pipe',`
|
||||
gen_require(`
|
||||
@ -376,14 +371,12 @@ interface(`init_dontaudit_use_script_pty',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="init_rw_script_tmp_files">
|
||||
## <desc>
|
||||
## Read and write init script temporary data.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write init script temporary data.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`init_rw_script_tmp_files',`
|
||||
gen_require(`
|
||||
@ -449,4 +442,3 @@ interface(`init_dontaudit_rw_script_pid',`
|
||||
dontaudit $1 initrc_var_run_t:file { getattr read write append };
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="iptables">
|
||||
## <summary>Policy for iptables.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="iptables_domtrans">
|
||||
## <desc>
|
||||
## Execute iptables in the iptables domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute iptables in the iptables domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`iptables_domtrans',`
|
||||
gen_require(`
|
||||
@ -29,21 +26,19 @@ interface(`iptables_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="iptables_run">
|
||||
## <desc>
|
||||
## Execute iptables in the iptables domain, and
|
||||
## allow the specified role the iptables domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the iptables domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the iptables domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute iptables in the iptables domain, and
|
||||
## allow the specified role the iptables domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the iptables domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the iptables domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`iptables_run',`
|
||||
gen_require(`
|
||||
@ -57,14 +52,12 @@ interface(`iptables_run',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="iptables_exec">
|
||||
## <desc>
|
||||
## Execute iptables in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute iptables in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`iptables_exec',`
|
||||
gen_require(`
|
||||
@ -75,4 +68,3 @@ interface(`iptables_exec',`
|
||||
can_exec($1,iptables_exec_t)
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="libraries">
|
||||
## <summary>Policy for system libraries.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="libs_domtrans_ldconfig">
|
||||
## <desc>
|
||||
## Execute ldconfig in the ldconfig domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute ldconfig in the ldconfig domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_domtrans_ldconfig',`
|
||||
gen_require(`
|
||||
@ -29,20 +26,18 @@ interface(`libs_domtrans_ldconfig',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="libs_run_ldconfig">
|
||||
## <desc>
|
||||
## Execute ldconfig in the ldconfig domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to allow the ldconfig domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the ldconfig domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute ldconfig in the ldconfig domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to allow the ldconfig domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the ldconfig domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_run_ldconfig',`
|
||||
gen_require(`
|
||||
@ -56,15 +51,13 @@ interface(`libs_run_ldconfig',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="libs_use_ld_so">
|
||||
## <desc>
|
||||
## Use the dynamic link/loader for automatic loading
|
||||
## of shared libraries.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Use the dynamic link/loader for automatic loading
|
||||
## of shared libraries.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_use_ld_so',`
|
||||
gen_require(`
|
||||
@ -83,15 +76,13 @@ interface(`libs_use_ld_so',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="libs_legacy_use_ld_so">
|
||||
## <desc>
|
||||
## Use the dynamic link/loader for automatic loading
|
||||
## of shared libraries with legacy support.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Use the dynamic link/loader for automatic loading
|
||||
## of shared libraries with legacy support.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_legacy_use_ld_so',`
|
||||
gen_require(`
|
||||
@ -105,16 +96,14 @@ interface(`libs_legacy_use_ld_so',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="libs_exec_ld_so">
|
||||
## <desc>
|
||||
## Execute the dynamic link/loader in the caller's
|
||||
## domain. This is commonly needed for the
|
||||
## /usr/bin/ldd program.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute the dynamic link/loader in the caller's
|
||||
## domain. This is commonly needed for the
|
||||
## /usr/bin/ldd program.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_exec_ld_so',`
|
||||
gen_require(`
|
||||
@ -130,15 +119,13 @@ interface(`libs_exec_ld_so',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="libs_rw_ld_so_cache">
|
||||
## <desc>
|
||||
## Modify the dynamic link/loader's cached listing
|
||||
## of shared libraries.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Modify the dynamic link/loader's cached listing
|
||||
## of shared libraries.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_rw_ld_so_cache',`
|
||||
gen_require(`
|
||||
@ -151,14 +138,12 @@ interface(`libs_rw_ld_so_cache',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="libs_search_lib">
|
||||
## <desc>
|
||||
## Search lib directories.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Search lib directories.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_search_lib',`
|
||||
gen_require(`
|
||||
@ -170,15 +155,13 @@ interface(`libs_search_lib',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="libs_read_lib">
|
||||
## <desc>
|
||||
## Read files in the library directories, such
|
||||
## as static libraries.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read files in the library directories, such
|
||||
## as static libraries.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_read_lib',`
|
||||
gen_require(`
|
||||
@ -194,14 +177,12 @@ interface(`libs_read_lib',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="libs_exec_lib_files">
|
||||
## <desc>
|
||||
## Execute library scripts in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute library scripts in the caller domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_exec_lib_files',`
|
||||
gen_require(`
|
||||
@ -217,14 +198,12 @@ interface(`libs_exec_lib_files',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="libs_use_shared_libs">
|
||||
## <desc>
|
||||
## Load and execute functions from shared libraries.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Load and execute functions from shared libraries.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_use_shared_libs',`
|
||||
gen_require(`
|
||||
@ -242,15 +221,13 @@ interface(`libs_use_shared_libs',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="libs_legacy_use_shared_libs">
|
||||
## <desc>
|
||||
## Load and execute functions from shared libraries,
|
||||
## with legacy support.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Load and execute functions from shared libraries,
|
||||
## with legacy support.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_legacy_use_shared_libs',`
|
||||
gen_require(`
|
||||
@ -262,4 +239,3 @@ interface(`libs_legacy_use_shared_libs',`
|
||||
allow $1 { shlib_t texrel_shlib_t }:file execmod;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="locallogin">
|
||||
## <summary>Policy for local logins.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="locallogin_domtrans">
|
||||
## <desc>
|
||||
## Execute local logins in the locallogin domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`locallogin_domtrans',`
|
||||
gen_require(`
|
||||
@ -20,14 +17,12 @@ interface(`locallogin_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="locallogin_use_fd">
|
||||
## <desc>
|
||||
## Allow processes to inherit local login file descriptors
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`locallogin_use_fd',`
|
||||
gen_require(`
|
||||
@ -38,4 +33,3 @@ interface(`locallogin_use_fd',`
|
||||
allow $1 local_login_t:fd use;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,4 +1,3 @@
|
||||
## <module name="logging">
|
||||
## <summary>Policy for the kernel message logger and system logging daemon.</summary>
|
||||
|
||||
#######################################
|
||||
@ -60,16 +59,14 @@ interface(`logging_send_syslog_msg',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="logging_search_logs">
|
||||
## <desc>
|
||||
## Allows the domain to open a file in the
|
||||
## log directory, but does not allow the listing
|
||||
## of the contents of the log directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allows the domain to open a file in the
|
||||
## log directory, but does not allow the listing
|
||||
## of the contents of the log directory.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_search_logs',`
|
||||
gen_require(`
|
||||
@ -176,4 +173,3 @@ interface(`logging_rw_generic_logs',`
|
||||
allow $1 var_log_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="lvm">
|
||||
## <summary>Policy for logical volume management programs.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="lvm_domtrans">
|
||||
## <desc>
|
||||
## Execute lvm programs in the lvm domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute lvm programs in the lvm domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`lvm_domtrans',`
|
||||
gen_require(`
|
||||
@ -29,20 +26,18 @@ interface(`lvm_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="lvm_run">
|
||||
## <desc>
|
||||
## Execute lvm programs in the lvm domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to allow the LVM domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the LVM domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute lvm programs in the lvm domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to allow the LVM domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the LVM domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`lvm_run',`
|
||||
gen_require(`
|
||||
@ -56,14 +51,12 @@ interface(`lvm_run',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="lvm_read_config">
|
||||
## <desc>
|
||||
## Read LVM configuration files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read LVM configuration files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`lvm_read_config',`
|
||||
gen_require(`
|
||||
@ -77,4 +70,3 @@ interface(`lvm_read_config',`
|
||||
allow $1 lvm_etc_t:file r_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1 +0,0 @@
|
||||
<layer name="system">
|
@ -1,8 +1,6 @@
|
||||
## <module name="miscfiles">
|
||||
## <summary>Miscelaneous files.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="miscfiles_rw_man_cache">
|
||||
## <desc>
|
||||
## Allow process to create files and dirs in /var/cache/man
|
||||
## and /var/catman/
|
||||
@ -10,7 +8,6 @@
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`miscfiles_rw_man_cache',`
|
||||
gen_require(`
|
||||
@ -25,14 +22,12 @@ interface(`miscfiles_rw_man_cache',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="miscfiles_read_fonts">
|
||||
## <desc>
|
||||
## Allow process to read fonts files
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`miscfiles_read_fonts',`
|
||||
gen_require(`
|
||||
@ -50,14 +45,12 @@ interface(`miscfiles_read_fonts',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="miscfiles_read_localization">
|
||||
## <desc>
|
||||
## Allow process to read localization info
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`miscfiles_read_localization',`
|
||||
gen_require(`
|
||||
@ -79,14 +72,12 @@ interface(`miscfiles_read_localization',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="miscfiles_legacy_read_localization">
|
||||
## <desc>
|
||||
## Allow process to read legacy time localization info
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`miscfiles_legacy_read_localization',`
|
||||
gen_require(`
|
||||
@ -99,14 +90,12 @@ interface(`miscfiles_legacy_read_localization',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="miscfiles_read_man_pages">
|
||||
## <desc>
|
||||
## Allow process to read manpages
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## Type type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`miscfiles_read_man_pages',`
|
||||
gen_require(`
|
||||
@ -122,4 +111,3 @@ interface(`miscfiles_read_man_pages',`
|
||||
allow $1 man_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="modutils">
|
||||
## <summary>Policy for kernel module utilities</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="modutils_read_kernel_module_dependencies">
|
||||
## <desc>
|
||||
## Read the dependencies of kernel modules.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read the dependencies of kernel modules.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`modutils_read_kernel_module_dependencies',`
|
||||
gen_require(`
|
||||
@ -22,15 +19,13 @@ interface(`modutils_read_kernel_module_dependencies',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="modutils_read_module_conf">
|
||||
## <desc>
|
||||
## Read the configuration options used when
|
||||
## loading modules.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read the configuration options used when
|
||||
## loading modules.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`modutils_read_module_conf',`
|
||||
gen_require(`
|
||||
@ -47,14 +42,12 @@ interface(`modutils_read_module_conf',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="modutils_domtrans_insmod">
|
||||
## <desc>
|
||||
## Execute insmod in the insmod domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute insmod in the insmod domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`modutils_domtrans_insmod',`
|
||||
gen_require(`
|
||||
@ -74,23 +67,21 @@ interface(`modutils_domtrans_insmod',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="modutils_run_insmod">
|
||||
## <desc>
|
||||
## Execute insmod in the insmod domain, and
|
||||
## allow the specified role the insmod domain,
|
||||
## and use the caller's terminal. Has a sigchld
|
||||
## backchannel.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the insmod domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the insmod domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute insmod in the insmod domain, and
|
||||
## allow the specified role the insmod domain,
|
||||
## and use the caller's terminal. Has a sigchld
|
||||
## backchannel.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the insmod domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the insmod domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`modutils_run_insmod',`
|
||||
gen_require(`
|
||||
@ -117,14 +108,12 @@ interface(`modutils_exec_insmod',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="modutils_domtrans_depmod">
|
||||
## <desc>
|
||||
## Execute depmod in the depmod domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute depmod in the depmod domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`modutils_domtrans_depmod',`
|
||||
gen_require(`
|
||||
@ -144,20 +133,18 @@ interface(`modutils_domtrans_depmod',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="modutils_run_depmod">
|
||||
## <desc>
|
||||
## Execute depmod in the depmod domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the depmod domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the depmod domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute depmod in the depmod domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the depmod domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the depmod domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`modutils_run_depmod',`
|
||||
gen_require(`
|
||||
@ -184,14 +171,12 @@ interface(`modutils_exec_depmod',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="modutils_domtrans_update_mods">
|
||||
## <desc>
|
||||
## Execute depmod in the depmod domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute depmod in the depmod domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`modutils_domtrans_update_mods',`
|
||||
gen_require(`
|
||||
@ -211,20 +196,18 @@ interface(`modutils_domtrans_update_mods',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="modutils_run_update_mods">
|
||||
## <desc>
|
||||
## Execute update_modules in the update_modules domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the update_modules domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the update_modules domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute update_modules in the update_modules domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the update_modules domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the update_modules domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`modutils_run_update_mods',`
|
||||
gen_require(`
|
||||
@ -250,4 +233,3 @@ interface(`modutils_exec_update_mods',`
|
||||
can_exec($1, update_modules_exec_t)
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="mount">
|
||||
## <summary>Policy for mount.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="mount_domtrans">
|
||||
## <desc>
|
||||
## Execute mount in the mount domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute mount in the mount domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`mount_domtrans',`
|
||||
gen_require(`
|
||||
@ -28,22 +25,20 @@ interface(`mount_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="mount_run">
|
||||
## <desc>
|
||||
## Execute mount in the mount domain, and
|
||||
## allow the specified role the mount domain,
|
||||
## and use the caller's terminal.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the mount domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the mount domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute mount in the mount domain, and
|
||||
## allow the specified role the mount domain,
|
||||
## and use the caller's terminal.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the mount domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the mount domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`mount_run',`
|
||||
gen_require(`
|
||||
@ -57,14 +52,12 @@ interface(`mount_run',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="mount_use_fd">
|
||||
## <desc>
|
||||
## Use file descriptors for mount.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`mount_use_fd',`
|
||||
gen_require(`
|
||||
@ -76,7 +69,6 @@ interface(`mount_use_fd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="mount_send_nfs_client_request">
|
||||
## <desc>
|
||||
## Allow the mount domain to send nfs requests for mounting
|
||||
## network drives
|
||||
@ -84,7 +76,6 @@ interface(`mount_use_fd',`
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`mount_send_nfs_client_request',`
|
||||
gen_require(`
|
||||
@ -95,4 +86,3 @@ interface(`mount_send_nfs_client_request',`
|
||||
allow $1 mount_t:udp_socket rw_socket_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="selinuxutil">
|
||||
## <summary>Policy for SELinux policy and userland applications.</summary>
|
||||
|
||||
#######################################
|
||||
## <interface name="seutil_domtrans_checkpol">
|
||||
## <desc>
|
||||
## Execute checkpolicy in the checkpolicy domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute checkpolicy in the checkpolicy domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_domtrans_checkpol',`
|
||||
gen_require(`
|
||||
@ -30,23 +27,21 @@ interface(`seutil_domtrans_checkpol',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="seutil_run_checkpol">
|
||||
## <desc>
|
||||
## Execute checkpolicy in the checkpolicy domain, and
|
||||
## allow the specified role the checkpolicy domain,
|
||||
## and use the caller's terminal.
|
||||
## Has a SIGCHLD signal backchannel.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the checkpolicy domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the checkpolicy domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute checkpolicy in the checkpolicy domain, and
|
||||
## allow the specified role the checkpolicy domain,
|
||||
## and use the caller's terminal.
|
||||
## Has a SIGCHLD signal backchannel.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the checkpolicy domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the checkpolicy domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_run_checkpol',`
|
||||
gen_require(`
|
||||
@ -74,14 +69,12 @@ interface(`seutil_exec_checkpol',`
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <interface name="seutil_domtrans_loadpol">
|
||||
## <desc>
|
||||
## Execute load_policy in the load_policy domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute load_policy in the load_policy domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_domtrans_loadpol',`
|
||||
gen_require(`
|
||||
@ -101,23 +94,21 @@ interface(`seutil_domtrans_loadpol',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="seutil_run_loadpol">
|
||||
## <desc>
|
||||
## Execute load_policy in the load_policy domain, and
|
||||
## allow the specified role the load_policy domain,
|
||||
## and use the caller's terminal.
|
||||
## Has a SIGCHLD signal backchannel.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the load_policy domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the load_policy domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute load_policy in the load_policy domain, and
|
||||
## allow the specified role the load_policy domain,
|
||||
## and use the caller's terminal.
|
||||
## Has a SIGCHLD signal backchannel.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the load_policy domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the load_policy domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_run_loadpol',`
|
||||
gen_require(`
|
||||
@ -158,14 +149,12 @@ interface(`seutil_read_loadpol',`
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <interface name="seutil_domtrans_newrole">
|
||||
## <desc>
|
||||
## Execute newrole in the load_policy domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute newrole in the load_policy domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_domtrans_newrole',`
|
||||
gen_require(`
|
||||
@ -186,22 +175,20 @@ interface(`seutil_domtrans_newrole',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="seutil_run_newrole">
|
||||
## <desc>
|
||||
## Execute newrole in the newrole domain, and
|
||||
## allow the specified role the newrole domain,
|
||||
## and use the caller's terminal.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the newrole domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the newrole domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute newrole in the newrole domain, and
|
||||
## allow the specified role the newrole domain,
|
||||
## and use the caller's terminal.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the newrole domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the newrole domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_run_newrole',`
|
||||
gen_require(`
|
||||
@ -229,15 +216,13 @@ interface(`seutil_exec_newrole',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="seutil_dontaudit_newrole_signal">
|
||||
## <desc>
|
||||
## Do not audit the caller attempts to send
|
||||
## a signal to newrole.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit the caller attempts to send
|
||||
## a signal to newrole.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_dontaudit_newrole_signal',`
|
||||
gen_require(`
|
||||
@ -275,14 +260,12 @@ interface(`seutil_use_newrole_fd',`
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <interface name="seutil_domtrans_restorecon">
|
||||
## <desc>
|
||||
## Execute restorecon in the restorecon domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute restorecon in the restorecon domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_domtrans_restorecon',`
|
||||
gen_require(`
|
||||
@ -302,22 +285,20 @@ interface(`seutil_domtrans_restorecon',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="seutil_run_restorecon">
|
||||
## <desc>
|
||||
## Execute restorecon in the restorecon domain, and
|
||||
## allow the specified role the restorecon domain,
|
||||
## and use the caller's terminal.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the restorecon domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the restorecon domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute restorecon in the restorecon domain, and
|
||||
## allow the specified role the restorecon domain,
|
||||
## and use the caller's terminal.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the restorecon domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the restorecon domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_run_restorecon',`
|
||||
gen_require(`
|
||||
@ -344,14 +325,12 @@ interface(`seutil_exec_restorecon',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="seutil_domtrans_runinit">
|
||||
## <desc>
|
||||
## Execute run_init in the run_init domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute run_init in the run_init domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_domtrans_runinit',`
|
||||
gen_require(`
|
||||
@ -372,22 +351,20 @@ interface(`seutil_domtrans_runinit',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="seutil_run_runinit">
|
||||
## <desc>
|
||||
## Execute run_init in the run_init domain, and
|
||||
## allow the specified role the run_init domain,
|
||||
## and use the caller's terminal.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the run_init domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the run_init domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute run_init in the run_init domain, and
|
||||
## allow the specified role the run_init domain,
|
||||
## and use the caller's terminal.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the run_init domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the run_init domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_run_runinit',`
|
||||
gen_require(`
|
||||
@ -414,14 +391,12 @@ interface(`seutil_use_runinit_fd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="seutil_domtrans_setfiles">
|
||||
## <desc>
|
||||
## Execute setfiles in the setfiles domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute setfiles in the setfiles domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_domtrans_setfiles',`
|
||||
gen_require(`
|
||||
@ -442,22 +417,20 @@ interface(`seutil_domtrans_setfiles',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="seutil_run_setfiles">
|
||||
## <desc>
|
||||
## Execute setfiles in the setfiles domain, and
|
||||
## allow the specified role the setfiles domain,
|
||||
## and use the caller's terminal.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the setfiles domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the setfiles domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute setfiles in the setfiles domain, and
|
||||
## allow the specified role the setfiles domain,
|
||||
## and use the caller's terminal.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the setfiles domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the setfiles domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_run_setfiles',`
|
||||
gen_require(`
|
||||
@ -571,14 +544,12 @@ interface(`seutil_create_binary_pol',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="seutil_relabelto_binary_pol">
|
||||
## <desc>
|
||||
## Allow the caller to relabel a file to the binary policy type.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Allow the caller to relabel a file to the binary policy type.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`seutil_relabelto_binary_pol',`
|
||||
gen_require(`
|
||||
@ -644,4 +615,3 @@ interface(`seutil_manage_src_pol',`
|
||||
allow $1 policy_src_t:file create_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="sysnetwork">
|
||||
## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
|
||||
|
||||
#######################################
|
||||
## <interface name="sysnet_domtrans_dhcpc">
|
||||
## <desc>
|
||||
## Execute dhcp client in dhcpc domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`sysnet_domtrans_dhcpc',`
|
||||
gen_require(`
|
||||
@ -29,14 +26,12 @@ interface(`sysnet_domtrans_dhcpc',`
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <interface name="sysnet_domtrans_ifconfig">
|
||||
## <desc>
|
||||
## Execute ifconfig in the ifconfig domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute ifconfig in the ifconfig domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_domtrans_ifconfig',`
|
||||
gen_require(`
|
||||
@ -56,22 +51,20 @@ interface(`sysnet_domtrans_ifconfig',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="sysnet_run_ifconfig">
|
||||
## <desc>
|
||||
## Execute ifconfig in the ifconfig domain, and
|
||||
## allow the specified role the ifconfig domain,
|
||||
## and use the caller's terminal.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the ifconfig domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the ifconfig domain to use.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute ifconfig in the ifconfig domain, and
|
||||
## allow the specified role the ifconfig domain,
|
||||
## and use the caller's terminal.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the ifconfig domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the ifconfig domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_run_ifconfig',`
|
||||
gen_require(`
|
||||
@ -86,14 +79,12 @@ interface(`sysnet_run_ifconfig',`
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <interface name="sysnet_read_config">
|
||||
## <desc>
|
||||
## Allow network init to read network config files.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`sysnet_read_config',`
|
||||
gen_require(`
|
||||
@ -105,4 +96,3 @@ interface(`sysnet_read_config',`
|
||||
allow $1 net_conf_t:file r_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,15 +1,12 @@
|
||||
## <module name="udev">
|
||||
## <summary>Policy for udev.</summary>
|
||||
|
||||
########################################
|
||||
## <interface name="udev_domtrans">
|
||||
## <desc>
|
||||
## Execute udev in the udev domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`udev_domtrans',`
|
||||
gen_require(`
|
||||
@ -28,14 +25,12 @@ interface(`udev_domtrans',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="udev_read_db">
|
||||
## <desc>
|
||||
## Allow process to read list of devices.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`udev_read_db',`
|
||||
gen_require(`
|
||||
@ -48,14 +43,12 @@ interface(`udev_read_db',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="udev_rw_db">
|
||||
## <desc>
|
||||
## Allow process to modify list of devices.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
#
|
||||
interface(`udev_rw_db',`
|
||||
gen_require(`
|
||||
@ -67,4 +60,3 @@ interface(`udev_rw_db',`
|
||||
allow $1 udev_tdb_t:file rw_file_perms;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
@ -1,4 +1,3 @@
|
||||
## <module name="userdomain">
|
||||
## <summary>Policy for user domains</summary>
|
||||
|
||||
########################################
|
||||
@ -809,16 +808,14 @@ template(`admin_domain_template',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_spec_domtrans_all_users">
|
||||
## <desc>
|
||||
## Execute a shell in all user domains. This
|
||||
## is an explicit transition, requiring the
|
||||
## caller to use setexeccon().
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute a shell in all user domains. This
|
||||
## is an explicit transition, requiring the
|
||||
## caller to use setexeccon().
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_spec_domtrans_all_users',`
|
||||
gen_require(`
|
||||
@ -829,16 +826,14 @@ interface(`userdom_spec_domtrans_all_users',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_spec_domtrans_unpriv_users">
|
||||
## <desc>
|
||||
## Execute a shell in all unprivileged user domains. This
|
||||
## is an explicit transition, requiring the
|
||||
## caller to use setexeccon().
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute a shell in all unprivileged user domains. This
|
||||
## is an explicit transition, requiring the
|
||||
## caller to use setexeccon().
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_spec_domtrans_unpriv_users',`
|
||||
gen_require(`
|
||||
@ -849,14 +844,12 @@ interface(`userdom_spec_domtrans_unpriv_users',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_shell_domtrans_sysadm">
|
||||
## <desc>
|
||||
## Execute a shell in the sysadm domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Execute a shell in the sysadm domain.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_shell_domtrans_sysadm',`
|
||||
gen_require(`
|
||||
@ -867,14 +860,12 @@ interface(`userdom_shell_domtrans_sysadm',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_use_sysadm_tty">
|
||||
## <desc>
|
||||
## Read and write sysadm ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write sysadm ttys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_use_sysadm_tty',`
|
||||
gen_require(`
|
||||
@ -888,14 +879,12 @@ interface(`userdom_use_sysadm_tty',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_use_sysadm_terms">
|
||||
## <desc>
|
||||
## Read and write sysadm ttys and ptys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read and write sysadm ttys and ptys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_use_sysadm_terms',`
|
||||
gen_require(`
|
||||
@ -909,14 +898,12 @@ interface(`userdom_use_sysadm_terms',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_dontaudit_use_sysadm_terms">
|
||||
## <desc>
|
||||
## Do not audit attempts to use admin ttys and ptys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to use admin ttys and ptys.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_use_sysadm_terms',`
|
||||
gen_require(`
|
||||
@ -928,14 +915,12 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_search_all_users_home">
|
||||
## <desc>
|
||||
## Search all users home directories.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Search all users home directories.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_search_all_users_home',`
|
||||
gen_require(`
|
||||
@ -948,14 +933,12 @@ interface(`userdom_search_all_users_home',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_read_all_user_data">
|
||||
## <desc>
|
||||
## Read all files in all users home directories.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Read all files in all users home directories.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_read_all_user_data',`
|
||||
gen_require(`
|
||||
@ -970,14 +953,12 @@ interface(`userdom_read_all_user_data',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_use_all_user_fd">
|
||||
## <desc>
|
||||
## Inherit the file descriptors from all user domains
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Inherit the file descriptors from all user domains
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_use_all_user_fd',`
|
||||
gen_require(`
|
||||
@ -989,14 +970,12 @@ interface(`userdom_use_all_user_fd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_signal_all_users">
|
||||
## <desc>
|
||||
## Send general signals to all user domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send general signals to all user domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_signal_all_users',`
|
||||
gen_require(`
|
||||
@ -1008,14 +987,12 @@ interface(`userdom_signal_all_users',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_signal_unpriv_users">
|
||||
## <desc>
|
||||
## Send general signals to unprivileged user domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Send general signals to unprivileged user domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_signal_unpriv_users',`
|
||||
gen_require(`
|
||||
@ -1027,14 +1004,12 @@ interface(`userdom_signal_unpriv_users',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_use_unpriv_users_fd">
|
||||
## <desc>
|
||||
## Inherit the file descriptors from all user domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Inherit the file descriptors from all user domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_use_unpriv_users_fd',`
|
||||
gen_require(`
|
||||
@ -1046,15 +1021,13 @@ interface(`userdom_use_unpriv_users_fd',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="userdom_dontaudit_use_unpriv_user_fd">
|
||||
## <desc>
|
||||
## Do not audit attempts to inherit the
|
||||
## file descriptors from all user domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## </interface>
|
||||
## <desc>
|
||||
## Do not audit attempts to inherit the
|
||||
## file descriptors from all user domains.
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_use_unpriv_user_fd',`
|
||||
gen_require(`
|
||||
@ -1065,4 +1038,3 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
|
||||
dontaudit $1 unpriv_userdomain:fd use;
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
Loading…
Reference in New Issue
Block a user