update for new documentation method

Chris PeBenito 2005-06-23 21:30:57 +00:00
parent aad5b98eba
commit 414e415198
43 changed files with 3326 additions and 4377 deletions


@ -274,7 +274,6 @@ $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/ke
$(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
| m4 $(M4PARAM) $(M4SUPPORT) $(MODDIR)/kernel/corenetwork.if.m4 - \
| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
$(QUIET) echo "## </module>" >> $@
$(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
@echo "#" > $@


@ -1,15 +1,12 @@
## <module name="dmesg">
## <summary>Policy for dmesg.</summary>
########################################
## <interface name="dmesg_domtrans">
## <desc>
## Execute dmesg in the dmesg domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute dmesg in the dmesg domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`dmesg_domtrans',`
gen_require(`
@ -29,14 +26,12 @@ interface(`dmesg_domtrans',`
')
########################################
## <interface name="dmesg_exec">
## <desc>
## Execute dmesg in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute dmesg in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`dmesg_exec',`
gen_require(`
@ -47,4 +42,3 @@ interface(`dmesg_exec',`
can_exec($1,dmesg_exec_t)
')
## </module>


@ -1 +0,0 @@
<layer name="admin">


@ -1,15 +1,12 @@
## <module name="rpm">
## <summary>Policy for the RPM package manager.</summary>
########################################
## <interface name="rpm_domtrans">
## <desc>
## Execute rpm programs in the rpm domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute rpm programs in the rpm domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`rpm_domtrans',`
gen_require(`
@ -30,20 +27,18 @@ interface(`rpm_domtrans',`
')
########################################
## <interface name="rpm_run">
## <desc>
## Execute RPM programs in the RPM domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to allow the RPM domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the RPM domain to use.
## </param>
## </interface>
## <desc>
## Execute RPM programs in the RPM domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to allow the RPM domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the RPM domain to use.
## </param>
#
interface(`rpm_run',`
gen_require(`
@ -58,14 +53,12 @@ interface(`rpm_run',`
')
########################################
## <interface name="rpm_use_fd">
## <desc>
## Inherit and use file descriptors from RPM.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Inherit and use file descriptors from RPM.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`rpm_use_fd',`
gen_require(`
@ -77,14 +70,12 @@ interface(`rpm_use_fd',`
')
########################################
## <interface name="rpm_read_pipe">
## <desc>
## Read from a RPM pipe.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read from a RPM pipe.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`rpm_read_pipe',`
gen_require(`
@ -96,14 +87,12 @@ interface(`rpm_read_pipe',`
')
########################################
## <interface name="rpm_read_db">
## <desc>
## Read RPM package database.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read RPM package database.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`rpm_read_db',`
gen_require(`
@ -135,4 +124,3 @@ interface(`rpm_manage_db',`
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
')
## </module>
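Review bot: The `<desc>` kept for `rpm_run` ("Execute RPM programs in the RPM domain.") is the same as the one for `rpm_domtrans` and does not say that the interface also authorizes a role, although it documents `role` and `terminal` parameters. The `usermanage_run_*` interfaces in this commit state that explicitly, so I would align it: `## Execute RPM programs in the RPM domain, and allow the specified role the RPM domain.` The terminal parameter text is also missing a word (`The type of the terminal allow the RPM domain to use.`; suggest `The type of the terminal the RPM domain is allowed to use.`), and the same wording recurs in the usermanage and bootloader sections. The interface bodies are outside the hunks shown, so the role grant is inferred from the parameter list and should be confirmed against the rules.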


@ -1,15 +1,12 @@
## <module name="usermanage">
## <summary>Policy for managing user accounts.</summary>
########################################
## <interface name="usermanage_domtrans_chfn">
## <desc>
## Execute chfn in the chfn domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute chfn in the chfn domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`usermanage_domtrans_chfn',`
gen_require(`
@ -30,21 +27,19 @@ interface(`usermanage_domtrans_chfn',`
')
########################################
## <interface name="usermanage_run_chfn">
## <desc>
## Execute chfn in the chfn domain, and
## allow the specified role the chfn domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the chfn domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the chfn domain to use.
## </param>
## </interface>
## <desc>
## Execute chfn in the chfn domain, and
## allow the specified role the chfn domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the chfn domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the chfn domain to use.
## </param>
#
interface(`usermanage_run_chfn',`
gen_require(`
@ -58,14 +53,12 @@ interface(`usermanage_run_chfn',`
')
########################################
## <interface name="usermanage_domtrans_groupadd">
## <desc>
## Execute groupadd in the groupadd domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute groupadd in the groupadd domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`usermanage_domtrans_groupadd',`
gen_require(`
@ -86,21 +79,19 @@ interface(`usermanage_domtrans_groupadd',`
')
########################################
## <interface name="usermanage_run_groupadd">
## <desc>
## Execute groupadd in the groupadd domain, and
## allow the specified role the groupadd domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the groupadd domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the groupadd domain to use.
## </param>
## </interface>
## <desc>
## Execute groupadd in the groupadd domain, and
## allow the specified role the groupadd domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the groupadd domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the groupadd domain to use.
## </param>
#
interface(`usermanage_run_groupadd',`
gen_require(`
@ -114,14 +105,12 @@ interface(`usermanage_run_groupadd',`
')
########################################
## <interface name="usermanage_domtrans_passwd">
## <desc>
## Execute passwd in the passwd domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute passwd in the passwd domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`usermanage_domtrans_passwd',`
gen_require(`
@ -142,21 +131,19 @@ interface(`usermanage_domtrans_passwd',`
')
########################################
## <interface name="usermanage_run_passwd">
## <desc>
## Execute passwd in the passwd domain, and
## allow the specified role the passwd domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the passwd domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the passwd domain to use.
## </param>
## </interface>
## <desc>
## Execute passwd in the passwd domain, and
## allow the specified role the passwd domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the passwd domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the passwd domain to use.
## </param>
#
interface(`usermanage_run_passwd',`
gen_require(`
@ -170,14 +157,12 @@ interface(`usermanage_run_passwd',`
')
########################################
## <interface name="usermanage_domtrans_useradd">
## <desc>
## Execute useradd in the useradd domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute useradd in the useradd domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`usermanage_domtrans_useradd',`
gen_require(`
@ -198,21 +183,19 @@ interface(`usermanage_domtrans_useradd',`
')
########################################
## <interface name="usermanage_run_useradd">
## <desc>
## Execute useradd in the useradd domain, and
## allow the specified role the useradd domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the useradd domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the useradd domain to use.
## </param>
## </interface>
## <desc>
## Execute useradd in the useradd domain, and
## allow the specified role the useradd domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the useradd domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the useradd domain to use.
## </param>
#
interface(`usermanage_run_useradd',`
gen_require(`
@ -225,4 +208,3 @@ interface(`usermanage_run_useradd',`
allow useradd_t $3:chr_file rw_term_perms;
')
## </module>


@ -1,28 +1,26 @@
## <module name="gpg">
## <summary>Policy for GNU Privacy Guard and related programs.</summary>
#######################################
## <template name="gpg_per_userdomain_template">
## <summary>
## The per-userdomain template for the gpg module.
## </summary>
## <desc>
## <p>
## This template creates the types and rules for GPG,
## GPG-agent, and GPG helper programs. This protects
## the user keys and secrets, and runs the programs
## in domains specific to the user type.
## </p>
## <p>
## This is invoked automatically for each user, and
## generally does not need to be statically invoked
## directly by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
## <summary>
## The per-userdomain template for the gpg module.
## </summary>
## <desc>
## <p>
## This template creates the types and rules for GPG,
## GPG-agent, and GPG helper programs. This protects
## the user keys and secrets, and runs the programs
## in domains specific to the user type.
## </p>
## <p>
## This is invoked automatically for each user, and
## generally does not need to be statically invoked
## directly by policy writers.
## </p>
## </desc>
## <param name="userdomain_prefix">
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
## </param>
#
template(`gpg_per_userdomain_template',`
gen_require(`$0'_depend)
@ -368,6 +366,4 @@ template(`gpg_per_userdomain_template',`
') dnl end TODO
')
## </template>
## </module>


@ -1 +0,0 @@
<layer name="apps">


@ -1,15 +1,12 @@
## <module name="bootloader">
## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
########################################
## <interface name="bootloader_domtrans">
## <desc>
## Execute bootloader in the bootloader domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute bootloader in the bootloader domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_domtrans',`
gen_require(`
@ -28,21 +25,19 @@ interface(`bootloader_domtrans',`
')
########################################
## <interface name="bootloader_run">
## <desc>
## Execute bootloader interactively and do
## a domain transition to the bootloader domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the bootloader domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the bootloader domain to use.
## </param>
## </interface>
## <desc>
## Execute bootloader interactively and do
## a domain transition to the bootloader domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the bootloader domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the bootloader domain to use.
## </param>
#
interface(`bootloader_run',`
gen_require(`
@ -57,14 +52,12 @@ interface(`bootloader_run',`
')
########################################
## <interface name="bootloader_search_boot_dir">
## <desc>
## Search the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Search the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_search_boot_dir',`
gen_require(`
@ -76,14 +69,12 @@ interface(`bootloader_search_boot_dir',`
')
########################################
## <interface name="bootloader_dontaudit_search_boot">
## <desc>
## Do not audit attempts to search the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attempts to search the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_dontaudit_search_boot',`
gen_require(`
@ -95,15 +86,13 @@ interface(`bootloader_dontaudit_search_boot',`
')
########################################
## <interface name="bootloader_rw_boot_symlinks">
## <desc>
## Read and write symbolic links
## in the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write symbolic links
## in the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_rw_boot_symlinks',`
gen_require(`
@ -117,14 +106,12 @@ interface(`bootloader_rw_boot_symlinks',`
')
########################################
## <interface name="bootloader_create_kernel">
## <desc>
## Install a kernel into the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Install a kernel into the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_create_kernel',`
gen_require(`
@ -140,14 +127,12 @@ interface(`bootloader_create_kernel',`
')
########################################
## <interface name="bootloader_create_kernel_symbol_table">
## <desc>
## Install a system.map into the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Install a system.map into the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_create_kernel_symbol_table',`
gen_require(`
@ -161,14 +146,12 @@ interface(`bootloader_create_kernel_symbol_table',`
')
########################################
## <interface name="bootloader_read_kernel_symbol_table">
## <desc>
## Read system.map in the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read system.map in the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_read_kernel_symbol_table',`
gen_require(`
@ -182,14 +165,12 @@ interface(`bootloader_read_kernel_symbol_table',`
')
########################################
## <interface name="bootloader_delete_kernel">
## <desc>
## Delete a kernel from /boot.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Delete a kernel from /boot.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_delete_kernel',`
gen_require(`
@ -203,14 +184,12 @@ interface(`bootloader_delete_kernel',`
')
########################################
## <interface name="bootloader_delete_kernel_symbol_table">
## <desc>
## Delete a system.map in the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Delete a system.map in the /boot directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_delete_kernel_symbol_table',`
gen_require(`
@ -224,14 +203,12 @@ interface(`bootloader_delete_kernel_symbol_table',`
')
########################################
## <interface name="bootloader_read_config">
## <desc>
## Read the bootloader configuration file.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read the bootloader configuration file.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_read_config',`
gen_require(`
@ -243,15 +220,13 @@ interface(`bootloader_read_config',`
')
########################################
## <interface name="bootloader_rw_config">
## <desc>
## Read and write the bootloader
## configuration file.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write the bootloader
## configuration file.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_rw_config',`
gen_require(`
@ -263,15 +238,13 @@ interface(`bootloader_rw_config',`
')
########################################
## <interface name="bootloader_rw_tmp_file">
## <desc>
## Read and write the bootloader
## temporary data in /tmp.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write the bootloader
## temporary data in /tmp.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_rw_tmp_file',`
gen_require(`
@ -284,15 +257,13 @@ interface(`bootloader_rw_tmp_file',`
')
########################################
## <interface name="bootloader_create_runtime_file">
## <desc>
## Read and write the bootloader
## temporary data in /tmp.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write the bootloader
## temporary data in /tmp.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_create_runtime_file',`
gen_require(`
@ -307,14 +278,12 @@ interface(`bootloader_create_runtime_file',`
')
########################################
## <interface name="bootloader_list_kernel_modules">
## <desc>
## List the contents of the kernel module directories.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## List the contents of the kernel module directories.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_list_kernel_modules',`
gen_require(`
@ -326,14 +295,12 @@ interface(`bootloader_list_kernel_modules',`
')
########################################
## <interface name="bootloader_read_kernel_modules">
## <desc>
## Read kernel module files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read kernel module files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_read_kernel_modules',`
gen_require(`
@ -349,14 +316,12 @@ interface(`bootloader_read_kernel_modules',`
')
########################################
## <interface name="bootloader_write_kernel_modules">
## <desc>
## Write kernel module files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Write kernel module files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_write_kernel_modules',`
gen_require(`
@ -373,15 +338,13 @@ interface(`bootloader_write_kernel_modules',`
')
########################################
## <interface name="bootloader_manage_kernel_modules">
## <desc>
## Create, read, write, and delete
## kernel module files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Create, read, write, and delete
## kernel module files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`bootloader_manage_kernel_modules',`
gen_require(`
@ -417,4 +380,3 @@ interface(`bootloader_create_private_module_dir_entry',`
')
')
## </module>
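Review bot: The `<desc>` carried over for `bootloader_create_runtime_file` reads "Read and write the bootloader temporary data in /tmp.", word for word the description of `bootloader_rw_tmp_file` in the preceding hunk, so the generated documentation gives two differently named interfaces the same meaning. Policy writers choose interfaces from these descriptions, and a wrong one can lead to a domain being granted different access than the author intended. The interface body is outside the hunk, so the wording has to be derived from the rules it contains; judging by the name alone it presumably concerns creating bootloader runtime files, e.g. `## Create bootloader runtime files.` once that is confirmed.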


@ -1,16 +1,13 @@
## <module name="corenetwork">
## <summary>Policy controlling access to network objects</summary>
########################################
## <interface name="corenet_tcp_sendrecv_generic_if">
## <desc>
## Send and receive TCP network traffic on the general interfaces.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
## </interface>
## <desc>
## Send and receive TCP network traffic on the general interfaces.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_generic_if',`
gen_require(`


@ -6,15 +6,13 @@
define(`create_netif_interfaces',``
########################################
## <interface name="corenet_tcp_sendrecv_$1">
## <desc>
## Send and receive TCP network traffic on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
## </interface>
## <desc>
## Send and receive TCP network traffic on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_$1',`
gen_require(`
@ -26,15 +24,13 @@ interface(`corenet_tcp_sendrecv_$1',`
')
########################################
## <interface name="corenet_udp_send_$1">
## <desc>
## Send UDP network traffic on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="write" weight="10"/>
## </interface>
## <desc>
## Send UDP network traffic on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_udp_send_$1',`
gen_require(`
@ -46,15 +42,13 @@ interface(`corenet_udp_send_$1',`
')
########################################
## <interface name="corenet_udp_receive_$1">
## <desc>
## Receive UDP network traffic on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="read" weight="10"/>
## </interface>
## <desc>
## Receive UDP network traffic on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_udp_receive_$1',`
gen_require(`
@ -66,15 +60,13 @@ interface(`corenet_udp_receive_$1',`
')
########################################
## <interface name="corenetwork_sendrecv_udp_on_$1_interface">
## <desc>
## Send and receive UDP network traffic on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
## </interface>
## <desc>
## Send and receive UDP network traffic on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_$1',`
corenet_udp_send_$1(dollarsone)
@ -82,15 +74,13 @@ interface(`corenet_udp_sendrecv_$1',`
')
########################################
## <interface name="corenet_raw_send_$1">
## <desc>
## Send raw IP packets on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="write" weight="10"/>
## </interface>
## <desc>
## Send raw IP packets on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_raw_send_$1',`
gen_require(`
@ -104,15 +94,13 @@ interface(`corenet_raw_send_$1',`
')
########################################
## <interface name="corenet_raw_receive_$1">
## <desc>
## Receive raw IP packets on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="read" weight="10"/>
## </interface>
## <desc>
## Receive raw IP packets on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_raw_receive_$1',`
gen_require(`
@ -124,15 +112,13 @@ interface(`corenet_raw_receive_$1',`
')
########################################
## <interface name="corenet_raw_sendrecv_$1">
## <desc>
## Send and receive raw IP packets on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
## </interface>
## <desc>
## Send and receive raw IP packets on the $1 interface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_raw_sendrecv_$1',`
corenet_raw_send_$1(dollarsone)
@ -148,15 +134,13 @@ interface(`corenet_raw_sendrecv_$1',`
define(`create_node_interfaces',``
########################################
## <interface name="corenet_tcp_sendrecv_$1_node">
## <desc>
## Send and receive TCP traffic on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
## </interface>
## <desc>
## Send and receive TCP traffic on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_$1_node',`
gen_require(`
@ -168,15 +152,13 @@ interface(`corenet_tcp_sendrecv_$1_node',`
')
########################################
## <interface name="corenet_udp_send_$1_node">
## <desc>
## Send UDP traffic on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="write" weight="10"/>
## </interface>
## <desc>
## Send UDP traffic on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_udp_send_$1_node',`
gen_require(`
@ -188,15 +170,13 @@ interface(`corenet_udp_send_$1_node',`
')
########################################
## <interface name="corenet_udp_receive_$1_node">
## <desc>
## Receive UDP traffic on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="read" weight="10"/>
## </interface>
## <desc>
## Receive UDP traffic on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_udp_receive_$1_node',`
gen_require(`
@ -208,15 +188,13 @@ interface(`corenet_udp_receive_$1_node',`
')
########################################
## <interface name="corenet_udp_sendrecv_$1_node">
## <desc>
## Send and receive UDP traffic on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
## </interface>
## <desc>
## Send and receive UDP traffic on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_$1_node',`
corenet_udp_send_$1_node(dollarsone)
@ -224,15 +202,13 @@ interface(`corenet_udp_sendrecv_$1_node',`
')
########################################
## <interface name="corenet_raw_send_$1_node">
## <desc>
## Send raw IP packets on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="write" weight="10"/>
## </interface>
## <desc>
## Send raw IP packets on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_raw_send_$1_node',`
gen_require(`
@ -244,15 +220,13 @@ interface(`corenet_raw_send_$1_node',`
')
########################################
## <interface name="corenet_raw_receive_$1_node">
## <desc>
## Receive raw IP packets on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="write" weight="10"/>
## </interface>
## <desc>
## Receive raw IP packets on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_raw_receive_$1_node',`
gen_require(`
@ -264,15 +238,13 @@ interface(`corenet_raw_receive_$1_node',`
')
########################################
## <interface name="corenet_raw_sendrecv_$1_node">
## <desc>
## Send and receive raw IP packets on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
## </interface>
## <desc>
## Send and receive raw IP packets on the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_raw_sendrecv_$1_node',`
corenet_raw_send_$1_node(dollarsone)
@ -280,15 +252,13 @@ interface(`corenet_raw_sendrecv_$1_node',`
')
########################################
## <interface name="corenet_tcp_bind_$1_node">
## <desc>
## Bind TCP sockets to node $1.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="none"/>
## </interface>
## <desc>
## Bind TCP sockets to node $1.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_$1_node',`
gen_require(`
@ -300,15 +270,13 @@ interface(`corenet_tcp_bind_$1_node',`
')
########################################
## <interface name="corenet_udp_bind_$1_node">
## <desc>
## Bind UDP sockets to the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="none"/>
## </interface>
## <desc>
## Bind UDP sockets to the $1 node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="none"/>
#
interface(`corenet_udp_bind_$1_node',`
gen_require(`
@ -328,15 +296,13 @@ interface(`corenet_udp_bind_$1_node',`
define(`create_port_interfaces',``
########################################
## <interface name="corenet_tcp_sendrecv_$1_port">
## <desc>
## Send and receive TCP traffic on the $1 port.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
## </interface>
## <desc>
## Send and receive TCP traffic on the $1 port.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_$1_port',`
gen_require(`
@ -348,15 +314,13 @@ interface(`corenet_tcp_sendrecv_$1_port',`
')
########################################
## <interface name="corenet_udp_send_$1_port">
## <desc>
## Send UDP traffic on the $1 port.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="write" weight="10"/>
## </interface>
## <desc>
## Send UDP traffic on the $1 port.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="write" weight="10"/>
#
interface(`corenet_udp_send_$1_port',`
gen_require(`
@ -368,15 +332,13 @@ interface(`corenet_udp_send_$1_port',`
')
########################################
## <interface name="corenet_udp_receive_$1_port">
## <desc>
## Receive UDP traffic on the $1 port.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="read" weight="10"/>
## </interface>
## <desc>
## Receive UDP traffic on the $1 port.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`corenet_udp_receive_$1_port',`
gen_require(`
@ -388,15 +350,13 @@ interface(`corenet_udp_receive_$1_port',`
')
########################################
## <interface name="corenetwork_sendrecv_udp_on_$1_port">
## <desc>
## Send and receive UDP traffic on the $1 port.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
## </interface>
## <desc>
## Send and receive UDP traffic on the $1 port.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_udp_sendrecv_$1_port',`
corenet_udp_send_$1_port(dollarsone)
@ -404,15 +364,13 @@ interface(`corenet_udp_sendrecv_$1_port',`
')
########################################
## <interface name="corenet_tcp_bind_$1_port">
## <desc>
## Bind TCP sockets to the $1 port.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="none"/>
## </interface>
## <desc>
## Bind TCP sockets to the $1 port.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_$1_port',`
gen_require(`
@ -425,15 +383,13 @@ interface(`corenet_tcp_bind_$1_port',`
')
########################################
## <interface name="corenet_udp_bind_$1_port">
## <desc>
## Bind UDP sockets to the $1 port.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="none"/>
## </interface>
## <desc>
## Bind UDP sockets to the $1 port.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <infoflow type="none"/>
#
interface(`corenet_udp_bind_$1_port',`
gen_require(`


@ -1 +0,0 @@
<layer name="kernel">


@ -1,17 +1,14 @@
## <module name="selinux">
## <summary>
## Policy for kernel security interface, in particular, selinuxfs.
## Policy for kernel security interface, in particular, selinuxfs.
## </summary>
########################################
## <interface name="selinux_get_fs_mount">
## <desc>
## Gets the caller the mountpoint of the selinuxfs filesystem.
## </desc>
## <param name="domain">
## The process type requesting the selinuxfs mountpoint.
## </param>
## </interface>
## <desc>
## Gets the caller the mountpoint of the selinuxfs filesystem.
## </desc>
## <param name="domain">
## The process type requesting the selinuxfs mountpoint.
## </param>
#
interface(`selinux_get_fs_mount',`
# read /proc/filesystems to see if selinuxfs is supported
@ -20,15 +17,13 @@ interface(`selinux_get_fs_mount',`
')
########################################
## <interface name="selinux_get_enforce_mode">
## <desc>
## Allows the caller to get the mode of policy enforcement
## (enforcing or permissive mode).
## </desc>
## <param name="domain">
## The process type to allow to get the enforcing mode.
## </param>
## </interface>
## <desc>
## Allows the caller to get the mode of policy enforcement
## (enforcing or permissive mode).
## </desc>
## <param name="domain">
## The process type to allow to get the enforcing mode.
## </param>
#
interface(`selinux_get_enforce_mode',`
gen_require(`
@ -42,15 +37,13 @@ interface(`selinux_get_enforce_mode',`
')
########################################
## <interface name="selinux_set_enforce_mode">
## <desc>
## Allow caller to set the mode of policy enforcement
## (enforcing or permissive mode).
## </desc>
## <param name="domain">
## The process type to allow to set the enforcement mode.
## </param>
## </interface>
## <desc>
## Allow caller to set the mode of policy enforcement
## (enforcing or permissive mode).
## </desc>
## <param name="domain">
## The process type to allow to set the enforcement mode.
## </param>
#
interface(`selinux_set_enforce_mode',`
gen_require(`
@ -69,14 +62,12 @@ interface(`selinux_set_enforce_mode',`
')
########################################
## <interface name="selinux_load_policy">
## <desc>
## Allow caller to load the policy into the kernel.
## </desc>
## <param name="domain">
## The process type that will load the policy.
## </param>
## </interface>
## <desc>
## Allow caller to load the policy into the kernel.
## </desc>
## <param name="domain">
## The process type that will load the policy.
## </param>
#
interface(`selinux_load_policy',`
gen_require(`
@ -95,18 +86,16 @@ interface(`selinux_load_policy',`
')
########################################
## <interface name="selinux_set_boolean">
## <desc>
## Allow caller to set the state of Booleans to
## enable or disable conditional portions of the policy.
## </desc>
## <param name="domain">
## The process type allowed to set the Boolean.
## </param>
## <param name="booltype" optional="true">
## The type of Booleans the caller is allowed to set.
## </param>
## </interface>
## <desc>
## Allow caller to set the state of Booleans to
## enable or disable conditional portions of the policy.
## </desc>
## <param name="domain">
## The process type allowed to set the Boolean.
## </param>
## <param name="booltype" optional="true">
## The type of Booleans the caller is allowed to set.
## </param>
#
interface(`selinux_set_boolean',`
gen_require(`
@ -130,14 +119,12 @@ interface(`selinux_set_boolean',`
')
########################################
## <interface name="selinux_set_parameters">
## <desc>
## Allow caller to set selinux security parameters.
## </desc>
## <param name="domain">
## The process type to allow to set security parameters.
## </param>
## </interface>
## <desc>
## Allow caller to set selinux security parameters.
## </desc>
## <param name="domain">
## The process type to allow to set security parameters.
## </param>
#
interface(`selinux_set_parameters',`
gen_require(`
@ -156,14 +143,12 @@ interface(`selinux_set_parameters',`
')
########################################
## <interface name="selinux_validate_context">
## <desc>
## Allows caller to validate security contexts.
## </desc>
## <param name="domain">
## The process type permitted to validate contexts.
## </param>
## </interface>
## <desc>
## Allows caller to validate security contexts.
## </desc>
## <param name="domain">
## The process type permitted to validate contexts.
## </param>
#
interface(`selinux_validate_context',`
gen_require(`
@ -179,14 +164,12 @@ interface(`selinux_validate_context',`
')
########################################
## <interface name="selinux_compute_access_vector">
## <desc>
## Allows caller to compute an access vector.
## </desc>
## <param name="domain">
## The process type allowed to compute an access vector.
## </param>
## </interface>
## <desc>
## Allows caller to compute an access vector.
## </desc>
## <param name="domain">
## The process type allowed to compute an access vector.
## </param>
#
interface(`selinux_compute_access_vector',`
gen_require(`
@ -202,14 +185,12 @@ interface(`selinux_compute_access_vector',`
')
########################################
## <interface name="selinux_compute_create_context">
## <desc>
##
## </desc>
## <param name="domain">
##
## </param>
## </interface>
## <desc>
##
## </desc>
## <param name="domain">
##
## </param>
#
interface(`selinux_compute_create_context',`
gen_require(`
@ -225,14 +206,12 @@ interface(`selinux_compute_create_context',`
')
########################################
## <interface name="selinux_compute_relabel_context">
## <desc>
##
## </desc>
## <param name="domain">
## The process type to
## </param>
## </interface>
## <desc>
##
## </desc>
## <param name="domain">
## The process type to
## </param>
#
interface(`selinux_compute_relabel_context',`
gen_require(`
@ -248,14 +227,12 @@ interface(`selinux_compute_relabel_context',`
')
########################################
## <interface name="selinux_compute_user_contexts">
## <desc>
## Allows caller to compute possible contexts for a user.
## </desc>
## <param name="domain">
## The process type allowed to compute user contexts.
## </param>
## </interface>
## <desc>
## Allows caller to compute possible contexts for a user.
## </desc>
## <param name="domain">
## The process type allowed to compute user contexts.
## </param>
#
interface(`selinux_compute_user_contexts',`
gen_require(`
@ -270,4 +247,3 @@ interface(`selinux_compute_user_contexts',`
allow $1 security_t:security compute_user;
')
## </module>
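Review bot: The comment blocks kept above `selinux_compute_create_context` and `selinux_compute_relabel_context` still have an empty `<desc>`, and the relabel one has a `<param>` that stops at "The process type to", so the generated documentation will say nothing about either interface. Following the wording of the neighbouring blocks, I would fill them in as `## Allows caller to compute a create context.` with `## The process type allowed to compute a create context.`, and `## Allows caller to compute a relabel context.` with `## The process type allowed to compute a relabel context.` The interface bodies lie outside these hunks, so the wording should be checked against the permissions they actually grant.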


@ -1,16 +1,13 @@
## <module name="storage">
## <summary>Policy controlling access to storage devices</summary>
########################################
## <interface name="storage_getattr_fixed_disk">
## <desc>
## Allow the caller to get the attributes of fixed disk
## device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to get the attributes of fixed disk
## device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_getattr_fixed_disk',`
gen_require(`
@ -23,15 +20,13 @@ interface(`storage_getattr_fixed_disk',`
')
########################################
## <interface name="storage_dontaudit_getattr_fixed_disk">
## <desc>
## Do not audit attempts made by the caller to get
## the attributes of fixed disk device nodes.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
## <desc>
## Do not audit attempts made by the caller to get
## the attributes of fixed disk device nodes.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`storage_dontaudit_getattr_fixed_disk',`
gen_require(`
@ -43,15 +38,13 @@ interface(`storage_dontaudit_getattr_fixed_disk',`
')
########################################
## <interface name="storage_setattr_fixed_disk">
## <desc>
## Allow the caller to set the attributes of fixed disk
## device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to set the attributes of fixed disk
## device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_setattr_fixed_disk',`
gen_require(`
@ -64,15 +57,13 @@ interface(`storage_setattr_fixed_disk',`
')
########################################
## <interface name="storage_dontaudit_setattr_fixed_disk">
## <desc>
## Do not audit attempts made by the caller to set
## the attributes of fixed disk device nodes.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
## <desc>
## Do not audit attempts made by the caller to set
## the attributes of fixed disk device nodes.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`storage_dontaudit_setattr_fixed_disk',`
gen_require(`
@ -84,17 +75,15 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
')
########################################
## <interface name="storage_raw_read_fixed_disk">
## <desc>
## Allow the caller to directly read from a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to directly read from a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_raw_read_fixed_disk',`
gen_require(`
@ -109,17 +98,15 @@ interface(`storage_raw_read_fixed_disk',`
')
########################################
## <interface name="storage_raw_write_fixed_disk">
## <desc>
## Allow the caller to directly write to a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to directly write to a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_raw_write_fixed_disk',`
gen_require(`
@ -134,14 +121,12 @@ interface(`storage_raw_write_fixed_disk',`
')
########################################
## <interface name="storage_create_fixed_disk">
## <desc>
## Create block devices in /dev with the fixed disk type.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Create block devices in /dev with the fixed disk type.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_create_fixed_disk_dev_entry',`
gen_require(`
@ -156,14 +141,12 @@ interface(`storage_create_fixed_disk_dev_entry',`
')
########################################
## <interface name="storage_manage_fixed_disk">
## <desc>
## Create, read, write, and delete fixed disk device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Create, read, write, and delete fixed disk device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_manage_fixed_disk',`
gen_require(`
@ -178,17 +161,15 @@ interface(`storage_manage_fixed_disk',`
')
########################################
## <interface name="storage_raw_read_lvm_volume">
## <desc>
## Allow the caller to directly read from a logical volume.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to directly read from a logical volume.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_raw_read_lvm_volume',`
gen_require(`
@ -203,17 +184,15 @@ interface(`storage_raw_read_lvm_volume',`
')
########################################
## <interface name="storage_raw_write_lvm_volume">
## <desc>
## Allow the caller to directly read from a logical volume.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to directly read from a logical volume.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_raw_write_lvm_volume',`
gen_require(`
@ -228,15 +207,13 @@ interface(`storage_raw_write_lvm_volume',`
')
########################################
## <interface name="storage_getattr_scsi_generic">
## <desc>
## Allow the caller to get the attributes of
## the generic SCSI interface device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to get the attributes of
## the generic SCSI interface device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_getattr_scsi_generic',`
gen_require(`
@ -249,15 +226,13 @@ interface(`storage_getattr_scsi_generic',`
')
########################################
## <interface name="storage_setattr_scsi_generic">
## <desc>
## Allow the caller to set the attributes of
## the generic SCSI interface device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to set the attributes of
## the generic SCSI interface device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_setattr_scsi_generic',`
gen_require(`
@ -270,18 +245,16 @@ interface(`storage_setattr_scsi_generic',`
')
########################################
## <interface name="storage_read_scsi_generic">
## <desc>
## Allow the caller to directly read, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to directly read, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_read_scsi_generic',`
gen_require(`
@ -296,18 +269,16 @@ interface(`storage_read_scsi_generic',`
')
########################################
## <interface name="storage_write_scsi_generic">
## <desc>
## Allow the caller to directly write, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to directly write, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_write_scsi_generic',`
gen_require(`
@ -322,15 +293,13 @@ interface(`storage_write_scsi_generic',`
')
########################################
## <interface name="storage_getattr_scsi_generic">
## <desc>
## Get attributes of the device nodes
## for the SCSI generic inerface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Get attributes of the device nodes
## for the SCSI generic inerface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_getattr_scsi_generic',`
gen_require(`
@ -343,15 +312,13 @@ interface(`storage_getattr_scsi_generic',`
')
########################################
## <interface name="storage_setattr_scsi_generic">
## <desc>
## Set attributes of the device nodes
## for the SCSI generic inerface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Set attributes of the device nodes
## for the SCSI generic inerface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_set_scsi_generic_attributes',`
gen_require(`
@ -364,15 +331,13 @@ interface(`storage_set_scsi_generic_attributes',`
')
########################################
## <interface name="storage_getattr_removable_device">
## <desc>
## Allow the caller to get the attributes of removable
## devices device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to get the attributes of removable
## devices device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_getattr_removable_device',`
gen_require(`
@ -385,15 +350,13 @@ interface(`storage_getattr_removable_device',`
')
########################################
## <interface name="storage_dontaudit_getattr_removable_device">
## <desc>
## Do not audit attempts made by the caller to get
## the attributes of removable devices device nodes.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
## <desc>
## Do not audit attempts made by the caller to get
## the attributes of removable devices device nodes.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`storage_dontaudit_getattr_removable_device',`
gen_require(`
@ -405,15 +368,13 @@ interface(`storage_dontaudit_getattr_removable_device',`
')
########################################
## <interface name="storage_setattr_removable_device">
## <desc>
## Allow the caller to set the attributes of removable
## devices device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to set the attributes of removable
## devices device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_setattr_removable_device',`
gen_require(`
@ -426,15 +387,13 @@ interface(`storage_setattr_removable_device',`
')
########################################
## <interface name="storage_dontaudit_setattr_removable_device">
## <desc>
## Do not audit attempts made by the caller to set
## the attributes of removable devices device nodes.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
## <desc>
## Do not audit attempts made by the caller to set
## the attributes of removable devices device nodes.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`storage_dontaudit_setattr_removable_device',`
gen_require(`
@ -446,18 +405,16 @@ interface(`storage_dontaudit_setattr_removable_device',`
')
########################################
## <interface name="storage_raw_read_removable_device">
## <desc>
## Allow the caller to directly read from
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to directly read from
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_raw_read_removable_device',`
gen_require(`
@ -470,18 +427,16 @@ interface(`storage_raw_read_removable_device',`
')
########################################
## <interface name="storage_raw_write_removable_device">
## <desc>
## Allow the caller to directly write to
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to directly write to
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_raw_write_removable_device',`
gen_require(`
@ -494,15 +449,13 @@ interface(`storage_raw_write_removable_device',`
')
########################################
## <interface name="storage_read_tape_device">
## <desc>
## Allow the caller to directly read
## a tape device.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to directly read
## a tape device.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_read_tape_device',`
gen_require(`
@ -515,15 +468,13 @@ interface(`storage_read_tape_device',`
')
########################################
## <interface name="storage_write_tape_device">
## <desc>
## Allow the caller to directly read
## a tape device.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to directly read
## a tape device.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_write_tape_device',`
gen_require(`
@ -536,15 +487,13 @@ interface(`storage_write_tape_device',`
')
########################################
## <interface name="storage_getattr_tape_device">
## <desc>
## Allow the caller to get the attributes
## of device nodes of tape devices.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to get the attributes
## of device nodes of tape devices.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_getattr_tape_device',`
gen_require(`
@ -557,15 +506,13 @@ interface(`storage_getattr_tape_device',`
')
########################################
## <interface name="storage_setattr_tape_device">
## <desc>
## Allow the caller to set the attributes
## of device nodes of tape devices.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to set the attributes
## of device nodes of tape devices.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`storage_setattr_tape_device',`
gen_require(`
@ -577,4 +524,3 @@ interface(`storage_setattr_tape_device',`
allow $1 tape_device_t:blk_file setattr;
')
## </module>
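Review bot: The description kept above `storage_raw_write_lvm_volume` still says "Allow the caller to directly read from a logical volume", and the one above `storage_write_tape_device` says "Allow the caller to directly read a tape device"; both are write interfaces by name, so the generated documentation understates what a policy author is granting. I would change the first to `## Allow the caller to directly write to a logical volume.` and the second to `## Allow the caller to directly write to` ahead of the existing `## a tape device.` line. With the `<interface name=...>` line gone, each comment is bound to its macro by position only, so the two blocks whose old name differed from the macro below them (`storage_create_fixed_disk_dev_entry`, `storage_set_scsi_generic_attributes`) deserve a second look, as does the second definition of `storage_getattr_scsi_generic`, which appears to duplicate the earlier one. The interface bodies are outside the hunks, so this is based on the names and comments alone.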


@ -1,15 +1,12 @@
## <module name="terminal">
## <summary>Policy for terminals.</summary>
########################################
## <interface name="term_pty">
## <desc>
## Transform specified type into a pty type.
## </desc>
## <param name="pty_type">
## An object type that will applied to a pty.
## </param>
## </interface>
## <desc>
## Transform specified type into a pty type.
## </desc>
## <param name="pty_type">
## An object type that will applied to a pty.
## </param>
#
interface(`term_pty',`
gen_require(`
@ -23,20 +20,18 @@ interface(`term_pty',`
')
########################################
## <interface name="term_user_pty">
## <desc>
## Transform specified type into an user
## pty type. This allows it to be relabeled via
## type change by login programs such as ssh.
## </desc>
## <param name="userdomain">
## The type of the user domain associated with
## this pty.
## </param>
## <param name="object_type">
## An object type that will applied to a pty.
## </param>
## </interface>
## <desc>
## Transform specified type into an user
## pty type. This allows it to be relabeled via
## type change by login programs such as ssh.
## </desc>
## <param name="userdomain">
## The type of the user domain associated with
## this pty.
## </param>
## <param name="object_type">
## An object type that will applied to a pty.
## </param>
#
interface(`term_user_pty',`
gen_require(`
@ -48,15 +43,13 @@ interface(`term_user_pty',`
')
########################################
## <interface name="term_login_pty">
## <desc>
## Transform specified type into a pty type
## used by login programs, such as sshd.
## </desc>
## <param name="pty_type">
## An object type that will applied to a pty.
## </param>
## </interface>
## <desc>
## Transform specified type into a pty type
## used by login programs, such as sshd.
## </desc>
## <param name="pty_type">
## An object type that will applied to a pty.
## </param>
#
interface(`term_login_pty',`
gen_require(`
@ -68,14 +61,12 @@ interface(`term_login_pty',`
')
########################################
## <interface name="term_tty">
## <desc>
## Transform specified type into a tty type.
## </desc>
## <param name="tty_type">
## An object type that will applied to a tty.
## </param>
## </interface>
## <desc>
## Transform specified type into a tty type.
## </desc>
## <param name="tty_type">
## An object type that will applied to a tty.
## </param>
#
interface(`term_tty',`
gen_require(`
@ -98,17 +89,15 @@ interface(`term_tty',`
')
########################################
## <interface name="term_create_pty">
## <desc>
## Create a pty in the /dev/pts directory.
## </desc>
## <param name="domain">
## The type of the process creating the pty.
## </param>
## <param name="pty_type">
## The type of the pty.
## </param>
## </interface>
## <desc>
## Create a pty in the /dev/pts directory.
## </desc>
## <param name="domain">
## The type of the process creating the pty.
## </param>
## <param name="pty_type">
## The type of the pty.
## </param>
#
interface(`term_create_pty',`
gen_require(`
@ -128,15 +117,13 @@ interface(`term_create_pty',`
')
########################################
## <interface name="term_use_all_terms">
## <desc>
## Read and write the console, all
## ttys and all ptys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write the console, all
## ttys and all ptys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_all_terms',`
gen_require(`
@ -152,14 +139,12 @@ interface(`term_use_all_terms',`
')
########################################
## <interface name="term_write_console">
## <desc>
## Write to the console.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Write to the console.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_write_console',`
gen_require(`
@ -172,14 +157,12 @@ interface(`term_write_console',`
')
########################################
## <interface name="term_use_console">
## <desc>
## Read from and write to the console.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read from and write to the console.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_console',`
gen_require(`
@ -192,15 +175,13 @@ interface(`term_use_console',`
')
########################################
## <interface name="term_dontaudit_use_console">
## <desc>
## Do not audit attemtps to read from
## or write to the console.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attemtps to read from
## or write to the console.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_dontaudit_use_console',`
gen_require(`
@ -212,15 +193,13 @@ interface(`term_dontaudit_use_console',`
')
########################################
## <interface name="term_setattr_console">
## <desc>
## Set the attributes of the console
## device node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Set the attributes of the console
## device node.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_setattr_console',`
gen_require(`
@ -233,15 +212,13 @@ interface(`term_setattr_console',`
')
########################################
## <interface name="term_list_ptys">
## <desc>
## Read the /dev/pts directory to
## list all ptys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read the /dev/pts directory to
## list all ptys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_list_ptys',`
gen_require(`
@ -254,15 +231,13 @@ interface(`term_list_ptys',`
')
########################################
## <interface name="term_dontaudit_list_ptys">
## <desc>
## Do not audit attempts to read the
## /dev/pts directory to.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
## <desc>
## Do not audit attempts to read the
## /dev/pts directory to.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_list_ptys',`
gen_require(`
@ -274,16 +249,14 @@ interface(`term_dontaudit_list_ptys',`
')
########################################
## <interface name="term_use_generic_pty">
## <desc>
## Read and write the generic pty
## type. This is generally only used in
## the targeted policy.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write the generic pty
## type. This is generally only used in
## the targeted policy.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_generic_pty',`
gen_require(`
@ -296,16 +269,14 @@ interface(`term_use_generic_pty',`
')
########################################
## <interface name="term_dontaudit_use_generic_pty">
## <desc>
## Dot not audit attempts to read and
## write the generic pty type. This is
## generally only used in the targeted policy.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
## <desc>
## Dot not audit attempts to read and
## write the generic pty type. This is
## generally only used in the targeted policy.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_use_generic_pty',`
gen_require(`
@ -317,15 +288,13 @@ interface(`term_dontaudit_use_generic_pty',`
')
########################################
## <interface name="term_use_controlling_term">
## <desc>
## Read and write the controlling
## terminal (/dev/tty).
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write the controlling
## terminal (/dev/tty).
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_controlling_term',`
gen_require(`
@ -338,15 +307,13 @@ interface(`term_use_controlling_term',`
')
########################################
## <interface name="term_dontaudit_use_ptmx">
## <desc>
## Do not audit attempts to read and
## write the pty multiplexor (/dev/ptmx).
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
## <desc>
## Do not audit attempts to read and
## write the pty multiplexor (/dev/ptmx).
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_use_ptmx',`
gen_require(`
@ -358,15 +325,13 @@ interface(`term_dontaudit_use_ptmx',`
')
########################################
## <interface name="term_getattr_all_user_ptys">
## <desc>
## Get the attributes of all user
## pty device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Get the attributes of all user
## pty device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_getattr_all_user_ptys',`
gen_require(`
@ -381,14 +346,12 @@ interface(`term_getattr_all_user_ptys',`
')
########################################
## <interface name="term_use_all_user_ptys">
## <desc>
## Read and write all user ptys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write all user ptys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_all_user_ptys',`
gen_require(`
@ -403,15 +366,13 @@ interface(`term_use_all_user_ptys',`
')
########################################
## <interface name="term_dontaudit_use_all_user_ptys">
## <desc>
## Do not audit attempts to read any
## user ptys.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
## <desc>
## Do not audit attempts to read any
## user ptys.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_use_all_user_ptys',`
gen_require(`
@ -423,15 +384,13 @@ interface(`term_dontaudit_use_all_user_ptys',`
')
########################################
## <interface name="term_relabel_all_user_ptys">
## <desc>
## Relabel from and to all user
## user pty device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Relabel from and to all user
## user pty device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_relabel_all_user_ptys',`
gen_require(`
@ -444,15 +403,13 @@ interface(`term_relabel_all_user_ptys',`
')
########################################
## <interface name="term_getattr_unallocated_ttys">
## <desc>
## Get the attributes of all unallocated
## tty device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Get the attributes of all unallocated
## tty device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_getattr_unallocated_ttys',`
gen_require(`
@ -465,15 +422,13 @@ interface(`term_getattr_unallocated_ttys',`
')
########################################
## <interface name="term_setattr_unallocated_ttys">
## <desc>
## Set the attributes of all unallocated
## tty device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Set the attributes of all unallocated
## tty device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_setattr_unallocated_ttys',`
gen_require(`
@ -486,15 +441,13 @@ interface(`term_setattr_unallocated_ttys',`
')
########################################
## <interface name="term_relabel_unallocated_ttys">
## <desc>
## Relabel from and to the unallocated
## tty type.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Relabel from and to the unallocated
## tty type.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_relabel_unallocated_ttys',`
gen_require(`
@ -507,15 +460,13 @@ interface(`term_relabel_unallocated_ttys',`
')
########################################
## <interface name="term_reset_tty_labels">
## <desc>
## Relabel from all user tty types to
## the unallocated tty type.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Relabel from all user tty types to
## the unallocated tty type.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_reset_tty_labels',`
gen_require(`
@ -530,14 +481,12 @@ interface(`term_reset_tty_labels',`
')
########################################
## <interface name="term_write_unallocated_ttys">
## <desc>
## Write to unallocated ttys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Write to unallocated ttys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_write_unallocated_ttys',`
gen_require(`
@ -550,14 +499,12 @@ interface(`term_write_unallocated_ttys',`
')
########################################
## <interface name="term_use_unallocated_tty">
## <desc>
## Read and write unallocated ttys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write unallocated ttys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_unallocated_tty',`
gen_require(`
@ -570,15 +517,13 @@ interface(`term_use_unallocated_tty',`
')
########################################
## <interface name="term_dontaudit_use_unallocated_tty">
## <desc>
## Do not audit attempts to read or
## write unallocated ttys.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
## <desc>
## Do not audit attempts to read or
## write unallocated ttys.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
#
interface(`term_dontaudit_use_unallocated_tty',`
gen_require(`
@ -590,15 +535,13 @@ interface(`term_dontaudit_use_unallocated_tty',`
')
########################################
## <interface name="term_getattr_all_user_ttys">
## <desc>
## Get the attributes of all user tty
## device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Get the attributes of all user tty
## device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_getattr_all_user_ttys',`
gen_require(`
@ -611,16 +554,14 @@ interface(`term_getattr_all_user_ttys',`
')
########################################
## <interface name="term_dontaudit_getattr_all_user_ttys">
## <desc>
## Do not audit attempts to get the
## attributes of any user tty
## device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attempts to get the
## attributes of any user tty
## device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_dontaudit_getattr_all_user_ttys',`
gen_require(`
@ -633,15 +574,13 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
')
########################################
## <interface name="term_setattr_all_user_ttys">
## <desc>
## Set the attributes of all user tty
## device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Set the attributes of all user tty
## device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_setattr_all_user_ttys',`
gen_require(`
@ -654,15 +593,13 @@ interface(`term_setattr_all_user_ttys',`
')
########################################
## <interface name="term_relabel_all_user_ttys">
## <desc>
## Relabel from and to all user
## user tty device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Relabel from and to all user
## user tty device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_relabel_all_user_ttys',`
gen_require(`
@ -675,14 +612,12 @@ interface(`term_relabel_all_user_ttys',`
')
########################################
## <interface name="term_write_all_user_ttys">
## <desc>
## Write to all user ttys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Write to all user ttys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_write_all_user_ttys',`
gen_require(`
@ -695,14 +630,12 @@ interface(`term_write_all_user_ttys',`
')
########################################
## <interface name="term_use_all_user_ttys">
## <desc>
## Read and write all user to all user ttys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write all user to all user ttys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_use_all_user_ttys',`
gen_require(`
@ -715,15 +648,13 @@ interface(`term_use_all_user_ttys',`
')
########################################
## <interface name="term_dontaudit_use_all_user_ttys">
## <desc>
## Do not audit attempts to read or write
## any user ttys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attempts to read or write
## any user ttys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`term_dontaudit_use_all_user_ttys',`
gen_require(`
@ -734,4 +665,3 @@ interface(`term_dontaudit_use_all_user_ttys',`
dontaudit $1 ttynode:chr_file { read write };
')
## </module>
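Review bot: The description kept for `term_dontaudit_use_all_user_ptys` says only "read any user ptys", while the interface name and its tty counterpart `term_dontaudit_use_all_user_ttys` (whose visible rule is `dontaudit $1 ttynode:chr_file { read write };`) cover both read and write. The pty interface's body is outside the hunk, so this is inferred from the naming; if it does suppress both, the text should read `## Do not audit attempts to read or write any user ptys.` so that a reader of the generated documentation knows write denials on ptys will also be absent from the audit log. In the same file, several dontaudit interfaces (`term_dontaudit_use_console`, `term_dontaudit_getattr_all_user_ttys`, `term_dontaudit_use_all_user_ttys`) describe their parameter as "The type of the process performing this action." where the others use `## The type of the process to not audit.`, and the carried-over typos "attemtps" and "Dot not audit" now feed the generated docs as well.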


@ -1 +0,0 @@
<layer name="services">


@ -1,4 +1,3 @@
## <module name="mta">
## <summary>Policy common to all email tranfer agents.</summary>
#######################################
@ -194,14 +193,12 @@ interface(`mta_exec',`
')
########################################
## <interface name="mta_read_aliases">
## <desc>
## Read mail address aliases.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read mail address aliases.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`mta_read_aliases',`
gen_require(`
@ -293,4 +290,3 @@ interface(`mta_manage_queue',`
allow $1 mqueue_spool_t:file create_file_perms;
')
## </module>


@ -1,15 +1,12 @@
## <module name="remotelogin">
## <summary>Policy for rshd, rlogind, and telnetd.</summary>
########################################
## <interface name="remotelogin_domtrans">
## <desc>
## Domain transition to the remote login domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Domain transition to the remote login domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`remotelogin_domtrans',`
gen_require(`
@ -19,4 +16,3 @@ interface(`remotelogin_domtrans',`
auth_domtrans_login_program($1,remote_login_t)
')
## </module>


@ -1,15 +1,12 @@
## <module name="sendmail">
## <summary>Policy for sendmail.</summary>
########################################
## <interface name="sendmail_domtrans">
## <desc>
## Domain transition to sendmail.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Domain transition to sendmail.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`sendmail_domtrans',`
gen_require(`
@ -29,4 +26,3 @@ interface(`sendmail_domtrans',`
allow sendmail_t $1:process sigchld;
')
## </module>


@ -1,4 +1,3 @@
## <module name="authlogin">
## <summary>Common policy for authentication and user login.</summary>
#######################################
@ -89,14 +88,12 @@ interface(`authlogin_per_userdomain_template',`
') dnl end authlogin_per_userdomain_template
########################################
## <interface name="auth_login_entry_type">
## <desc>
## Use the login program as an entry point program.
## </desc>
## <param name="domain">
## The type of process using the login program as entry point.
## </param>
## </interface>
## <desc>
## Use the login program as an entry point program.
## </desc>
## <param name="domain">
## The type of process using the login program as entry point.
## </param>
#
interface(`auth_login_entry_type',`
gen_require(`
@ -107,17 +104,15 @@ interface(`auth_login_entry_type',`
')
########################################
## <interface name="auth_domtrans_login_program">
## <desc>
## Execute a login_program in the target domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="target_domain">
## The type of the login_program process.
## </param>
## </interface>
## <desc>
## Execute a login_program in the target domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="target_domain">
## The type of the login_program process.
## </param>
#
interface(`auth_domtrans_login_program',`
gen_require(`
@ -137,14 +132,12 @@ interface(`auth_domtrans_login_program',`
')
########################################
## <interface name="auth_domtrans_chk_passwd">
## <desc>
## Run unix_chkpwd to check a password.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Run unix_chkpwd to check a password.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`auth_domtrans_chk_passwd',`
gen_require(`
@ -181,14 +174,12 @@ interface(`auth_domtrans_chk_passwd',`
')
########################################
## <interface name="auth_dontaudit_getattr_shadow">
## <desc>
##
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
##
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`auth_dontaudit_getattr_shadow',`
gen_require(`
@ -200,14 +191,12 @@ interface(`auth_dontaudit_getattr_shadow',`
')
########################################
## <interface name="auth_read_shadow">
## <desc>
## Read the shadow passwords file (/etc/shadow)
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read the shadow passwords file (/etc/shadow)
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`auth_read_shadow',`
gen_require(`
@ -222,15 +211,13 @@ interface(`auth_read_shadow',`
')
########################################
## <interface name="auth_dontaudit_read_shadow">
## <desc>
## Do not audit attempts to read the shadow
## password file (/etc/shadow).
## </desc>
## <param name="domain">
## The type of the domain to not audit.
## </param>
## </interface>
## <desc>
## Do not audit attempts to read the shadow
## password file (/etc/shadow).
## </desc>
## <param name="domain">
## The type of the domain to not audit.
## </param>
#
interface(`auth_dontaudit_read_shadow',`
gen_require(`
@ -242,14 +229,12 @@ interface(`auth_dontaudit_read_shadow',`
')
########################################
## <interface name="auth_rw_shadow">
## <desc>
## Read and write the shadow password file (/etc/shadow).
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write the shadow password file (/etc/shadow).
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`auth_rw_shadow',`
gen_require(`
@ -325,14 +310,12 @@ interface(`auth_rw_lastlog',`
')
########################################
## <interface name="auth_domtrans_pam">
## <desc>
## Execute pam programs in the pam domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute pam programs in the pam domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`auth_domtrans_pam',`
gen_require(`
@ -351,20 +334,18 @@ interface(`auth_domtrans_pam',`
')
########################################
## <interface name="auth_run_pam">
## <desc>
## Execute pam programs in the PAM domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to allow the PAM domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the PAM domain to use.
## </param>
## </interface>
## <desc>
## Execute pam programs in the PAM domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to allow the PAM domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the PAM domain to use.
## </param>
#
interface(`auth_run_pam',`
gen_require(`
@ -378,14 +359,12 @@ interface(`auth_run_pam',`
')
########################################
## <interface name="auth_exec_pam">
## <desc>
## Execute the pam program.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute the pam program.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`auth_exec_pam',`
gen_require(`
@ -413,14 +392,12 @@ interface(`auth_read_pam_pid',`
')
########################################
## <interface name="auth_delete_pam_pid">
## <desc>
## Delete pam PID files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Delete pam PID files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`auth_delete_pam_pid',`
gen_require(`
@ -507,19 +484,17 @@ interface(`auth_manage_pam_console_data',`
')
########################################
## <interface name="auth_relabel_all_files_except_shadow">
## <desc>
## Relabel all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </desc>
## <param name="domain">
## The type of the domain perfoming this action.
## </param>
## <param name="exception_types" optional="true">
## The types to be excluded. Each type or attribute
## must be negated by the caller.
## </param>
## </interface>
## <desc>
## Relabel all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </desc>
## <param name="domain">
## The type of the domain perfoming this action.
## </param>
## <param name="exception_types" optional="true">
## The types to be excluded. Each type or attribute
## must be negated by the caller.
## </param>
#
interface(`auth_relabel_all_files_except_shadow',`
@ -531,19 +506,17 @@ interface(`auth_relabel_all_files_except_shadow',`
')
########################################
## <interface name="auth_manage_all_files_except_shadow">
## <desc>
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </desc>
## <param name="domain">
## The type of the domain perfoming this action.
## </param>
## <param name="exception_types" optional="true">
## The types to be excluded. Each type or attribute
## must be negated by the caller.
## </param>
## </interface>
## <desc>
## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions.
## </desc>
## <param name="domain">
## The type of the domain perfoming this action.
## </param>
## <param name="exception_types" optional="true">
## The types to be excluded. Each type or attribute
## must be negated by the caller.
## </param>
#
interface(`auth_manage_all_files_except_shadow',`
@ -555,14 +528,12 @@ interface(`auth_manage_all_files_except_shadow',`
')
########################################
## <interface name="auth_domtrans_utempter">
## <desc>
## Execute utempter programs in the utempter domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute utempter programs in the utempter domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`auth_domtrans_utempter',`
gen_require(`
@ -581,20 +552,18 @@ interface(`auth_domtrans_utempter',`
')
########################################
## <interface name="auth_run_utempter">
## <desc>
## Execute utempter programs in the utempter domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to allow the utempter domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the utempter domain to use.
## </param>
## </interface>
## <desc>
## Execute utempter programs in the utempter domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to allow the utempter domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the utempter domain to use.
## </param>
#
interface(`auth_run_utempter',`
gen_require(`
@ -648,4 +617,3 @@ interface(`auth_rw_login_records',`
logging_search_logs($1)
')
## </module>
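Review bot: `auth_dontaudit_getattr_shadow` is carried into the new comment format with an empty `<desc>`, so the generated documentation will say nothing about an interface that, going by its name, suppresses audit records for attribute lookups on the shadow password file. The interface body lies outside the hunk, so the wording is inferred from the name; something like `## Do not audit attempts to get the attributes of the shadow passwords file (/etc/shadow).` with the parameter as `## The type of the domain to not audit.` would match `auth_dontaudit_read_shadow` just below it. The "perfoming" typo in the `domain` parameter of `auth_relabel_all_files_except_shadow` and `auth_manage_all_files_except_shadow` is also worth fixing while these comment blocks are being rewritten.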


@ -1,15 +1,12 @@
## <module name="clock">
## <summary>Policy for reading and setting the hardware clock.</summary>
########################################
## <interface name="clock_domtrans">
## <desc>
## Execute hwclock in the clock domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute hwclock in the clock domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`clock_domtrans',`
gen_require(`
@ -27,21 +24,19 @@ interface(`clock_domtrans',`
')
########################################
## <interface name="clock_run">
## <desc>
## Execute hwclock in the clock domain, and
## allow the specified role the hwclock domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the clock domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the clock domain to use.
## </param>
## </interface>
## <desc>
## Execute hwclock in the clock domain, and
## allow the specified role the hwclock domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the clock domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the clock domain to use.
## </param>
#
interface(`clock_run',`
gen_require(`
@ -55,14 +50,12 @@ interface(`clock_run',`
')
########################################
## <interface name="clock_exec">
## <desc>
## Execute hwclock
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`clock_exec',`
gen_require(`
@ -73,14 +66,12 @@ interface(`clock_exec',`
')
########################################
## <interface name="clock_rw_adjtime">
## <desc>
## Allow executing domain to modify clock drift
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`clock_rw_adjtime',`
gen_require(`
@ -92,4 +83,3 @@ interface(`clock_rw_adjtime',`
files_list_etc($1)
')
## </module>
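Review bot: The description for `clock_exec` ("Execute hwclock") does not say which domain hwclock runs in, which is the distinction a policy writer needs when choosing between `clock_exec` and `clock_domtrans`. The interface body continues outside the hunk, so this is inferred from the name and from the `_exec` wording used elsewhere in this commit (`Execute dmesg in the caller domain.`). If `clock_exec` likewise performs no domain transition, `## Execute hwclock in the caller domain.` would make that explicit in the generated documentation.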


@ -1,7 +1,6 @@
## <module name="corecommands">
## <summary>
## Core policy for shells, and generic programs
## in /bin, /sbin, /usr/bin, and /usr/sbin.
## Core policy for shells, and generic programs
## in /bin, /sbin, /usr/bin, and /usr/sbin.
## </summary>
#######################################
@ -148,19 +147,17 @@ interface(`corecmd_exec_ls',`
')
########################################
## <interface name="corecmd_shell_spec_domtrans">
## <desc>
## Execute a shell in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="target_domain">
## The type of the shell process.
## </param>
## </interface>
## <desc>
## Execute a shell in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="target_domain">
## The type of the shell process.
## </param>
#
interface(`corecmd_shell_spec_domtrans',`
gen_require(`
@ -184,17 +181,15 @@ interface(`corecmd_shell_spec_domtrans',`
')
########################################
## <interface name="corecmd_domtrans_shell">
## <desc>
## Execute a shell in the target domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="target_domain">
## The type of the shell process.
## </param>
## </interface>
## <desc>
## Execute a shell in the target domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="target_domain">
## The type of the shell process.
## </param>
#
interface(`corecmd_domtrans_shell',`
gen_require(`
@ -219,4 +214,3 @@ interface(`corecmd_chroot_exec_chroot',`
allow $1 self:capability sys_chroot;
')
## </module>
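Review bot: The description kept for `corecmd_domtrans_shell` is only "Execute a shell in the target domain.", which does not say how it differs from `corecmd_shell_spec_domtrans` just above it, whose description states that the transition is explicit and needs setexeccon(). If this interface sets up an automatic transition on shell execution, as its name suggests, the description should say so, for example `## Execute a shell in the target domain. This` / `## is an automatic transition; no setexeccon() call is needed.` Both interface bodies lie outside the hunks shown, so the wording has to be checked against the rules they emit. The difference decides which domain a shell ends up running in, so a policy writer should not have to read the macro body to find it.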


@ -1,4 +1,3 @@
## <module name="domain">
## <summary>Core policy for domains.</summary>
########################################
@ -92,15 +91,13 @@ interface(`domain_dyntrans_type',`
')
########################################
## <interface name="domain_subj_id_change_exempt">
## <desc>
## Makes caller an exception to the constraint preventing
## changing of user identity.
## </desc>
## <param name="domain">
## The process type to make an exception to the constraint.
## </param>
## </interface>
## <desc>
## Makes caller an exception to the constraint preventing
## changing of user identity.
## </desc>
## <param name="domain">
## The process type to make an exception to the constraint.
## </param>
#
interface(`domain_subj_id_change_exempt',`
gen_require(`
@ -111,15 +108,13 @@ interface(`domain_subj_id_change_exempt',`
')
########################################
## <interface name="domain_role_change_exempt">
## <desc>
## Makes caller an exception to the constraint preventing
## changing of role.
## </desc>
## <param name="domain">
## The process type to make an exception to the constraint.
## </param>
## </interface>
## <desc>
## Makes caller an exception to the constraint preventing
## changing of role.
## </desc>
## <param name="domain">
## The process type to make an exception to the constraint.
## </param>
#
interface(`domain_role_change_exempt',`
gen_require(`
@ -130,15 +125,13 @@ interface(`domain_role_change_exempt',`
')
########################################
## <interface name="domain_obj_id_change_exempt">
## <desc>
## Makes caller an exception to the constraint preventing
## changing the user identity in object contexts.
## </desc>
## <param name="domain">
## The process type to make an exception to the constraint.
## </param>
## </interface>
## <desc>
## Makes caller an exception to the constraint preventing
## changing the user identity in object contexts.
## </desc>
## <param name="domain">
## The process type to make an exception to the constraint.
## </param>
#
interface(`domain_obj_id_change_exempt',`
gen_require(`
@ -188,14 +181,12 @@ interface(`domain_setpriority_all_domains',`
')
########################################
## <interface name="domain_signal_all_domains">
## <desc>
## Send general signals to all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Send general signals to all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_signal_all_domains',`
gen_require(`
@ -207,14 +198,12 @@ interface(`domain_signal_all_domains',`
')
########################################
## <interface name="domain_signull_all_domains">
## <desc>
## Send a null signal to all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Send a null signal to all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_signull_all_domains',`
gen_require(`
@ -226,14 +215,12 @@ interface(`domain_signull_all_domains',`
')
########################################
## <interface name="domain_sigstop_all_domains">
## <desc>
## Send a stop signal to all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Send a stop signal to all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_sigstop_all_domains',`
gen_require(`
@ -245,14 +232,12 @@ interface(`domain_sigstop_all_domains',`
')
########################################
## <interface name="domain_sigchld_all_domains">
## <desc>
## Send a child terminated signal to all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Send a child terminated signal to all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_sigchld_all_domains',`
gen_require(`
@ -264,14 +249,12 @@ interface(`domain_sigchld_all_domains',`
')
########################################
## <interface name="domain_kill_all_domains">
## <desc>
## Send a kill signal to all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Send a kill signal to all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_kill_all_domains',`
gen_require(`
@ -285,14 +268,12 @@ interface(`domain_kill_all_domains',`
')
########################################
## <interface name="domain_read_all_domains_state">
## <desc>
## Read the process state (/proc/pid) of all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read the process state (/proc/pid) of all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_read_all_domains_state',`
gen_require(`
@ -316,15 +297,13 @@ interface(`domain_read_all_domains_state',`
')
########################################
## <interface name="domain_dontaudit_list_all_domains_proc">
## <desc>
## Do not audit attempts to read the process state
## directories of all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attempts to read the process state
## directories of all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_list_all_domains_proc',`
gen_require(`
@ -336,14 +315,12 @@ interface(`domain_dontaudit_list_all_domains_proc',`
')
########################################
## <interface name="domain_getsession_all_domains">
## <desc>
## Get the session ID of all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Get the session ID of all domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_getsession_all_domains',`
gen_require(`
@ -355,15 +332,13 @@ interface(`domain_getsession_all_domains',`
')
########################################
## <interface name="domain_dontaudit_getattr_all_udp_sockets">
## <desc>
## Do not audit attempts to get the attributes
## of all domains UDP sockets.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attempts to get the attributes
## of all domains UDP sockets.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getattr_all_udp_sockets',`
gen_require(`
@ -375,15 +350,13 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
')
########################################
## <interface name="domain_dontaudit_getattr_all_tcp_sockets">
## <desc>
## Do not audit attempts to get the attributes
## of all domains TCP sockets.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attempts to get the attributes
## of all domains TCP sockets.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getattr_all_tcp_sockets',`
gen_require(`
@ -395,15 +368,13 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',`
')
########################################
## <interface name="domain_dontaudit_getattr_all_unix_dgram_sockets">
## <desc>
## Do not audit attempts to get the attributes
## of all domains unix datagram sockets.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attempts to get the attributes
## of all domains unix datagram sockets.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
gen_require(`
@ -415,15 +386,13 @@ interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
')
########################################
## <interface name="domain_dontaudit_getattr_all_unnamed_pipes">
## <desc>
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`domain_dontaudit_getattr_all_unnamed_pipes',`
gen_require(`
@ -461,7 +430,6 @@ interface(`domain_read_all_entry_files',`
allow $1 entry_type:file r_file_perms;
')
## </module>
#
# These next macros are not interfaces, but actually are
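Review bot: The descriptions of `domain_subj_id_change_exempt`, `domain_role_change_exempt` and `domain_obj_id_change_exempt` say that the caller becomes an exception to a constraint, but not that this is a privilege to be granted sparingly. Because these interfaces lift identity and role constraints for the calling type, each `<desc>` would benefit from one more line such as `## Intended only for domains that must legitimately change identity or role.` The interface bodies are outside the hunks, so which constraints are lifted cannot be confirmed from here. Naming the affected constraint in the description would also help anyone auditing which domains hold the exemption.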


@ -1,19 +1,18 @@
## <module name="files">
## <summary>
## Basic filesystem types and interfaces.
## Basic filesystem types and interfaces.
## </summary>
## <desc>
## <p>
## This module contains basic filesystem types and interfaces. This
## includes:
## <ul>
## <li>The concept of different file types including basic
## files, mount points, tmp files, etc.</li>
## <li>Access to groups of files and all files.</li>
## <li>Types and interfaces for the basic filesystem layout
## (/, /etc, /tmp, /usr, etc.).</li>
## </ul>
## </p>
## <p>
## This module contains basic filesystem types and interfaces. This
## includes:
## <ul>
## <li>The concept of different file types including basic
## files, mount points, tmp files, etc.</li>
## <li>Access to groups of files and all files.</li>
## <li>Types and interfaces for the basic filesystem layout
## (/, /etc, /tmp, /usr, etc.).</li>
## </ul>
## </p>
## </desc>
########################################
@ -83,15 +82,13 @@ interface(`files_tmp_file',`
')
########################################
## <interface name="files_tmpfs_file">
## <desc>
## Transform the type into a file, for use on a
## virtual memory filesystem (tmpfs).
## </desc>
## <param name="type">
## The type to be transformed.
## </param>
## </interface>
## <desc>
## Transform the type into a file, for use on a
## virtual memory filesystem (tmpfs).
## </desc>
## <param name="type">
## The type to be transformed.
## </param>
#
interface(`files_tmpfs_file',`
gen_require(`
@ -125,19 +122,17 @@ interface(`files_getattr_all_files',`
')
########################################
## <interface name="files_relabel_all_files">
## <desc>
## Relabel all files on the filesystem, except
## the listed exceptions.
## </desc>
## <param name="domain">
## The type of the domain perfoming this action.
## </param>
## <param name="exception_types" optional="true">
## The types to be excluded. Each type or attribute
## must be negated by the caller.
## </param>
## </interface>
## <desc>
## Relabel all files on the filesystem, except
## the listed exceptions.
## </desc>
## <param name="domain">
## The type of the domain perfoming this action.
## </param>
## <param name="exception_types" optional="true">
## The types to be excluded. Each type or attribute
## must be negated by the caller.
## </param>
#
interface(`files_relabel_all_files',`
gen_require(`
@ -164,19 +159,17 @@ interface(`files_relabel_all_files',`
')
########################################
## <interface name="files_manage_all_files">
## <desc>
## Manage all files on the filesystem, except
## the listed exceptions.
## </desc>
## <param name="domain">
## The type of the domain perfoming this action.
## </param>
## <param name="exception_types" optional="true">
## The types to be excluded. Each type or attribute
## must be negated by the caller.
## </param>
## </interface>
## <desc>
## Manage all files on the filesystem, except
## the listed exceptions.
## </desc>
## <param name="domain">
## The type of the domain perfoming this action.
## </param>
## <param name="exception_types" optional="true">
## The types to be excluded. Each type or attribute
## must be negated by the caller.
## </param>
#
interface(`files_manage_all_files',`
gen_require(`
@ -306,25 +299,23 @@ interface(`files_list_root',`
')
########################################
## <interface name="files_create_root">
## <desc>
## Create an object in the root directory, with a private
## type. If no object class is specified, the
## default is file.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="private type" optional="true">
## The type of the object to be created. If no type
## is specified, the type of the root directory will
## be used.
## </param>
## <param name="object" optional="true">
## The object class of the object being created. If
## no class is specified, file will be used.
## </param>
## </interface>
## <desc>
## Create an object in the root directory, with a private
## type. If no object class is specified, the
## default is file.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="private type" optional="true">
## The type of the object to be created. If no type
## is specified, the type of the root directory will
## be used.
## </param>
## <param name="object" optional="true">
## The object class of the object being created. If
## no class is specified, file will be used.
## </param>
#
interface(`files_create_root',`
gen_require(`
@ -498,14 +489,12 @@ interface(`files_manage_generic_etc_files',`
')
########################################
## <interface name="files_delete_generic_etc_files">
## <desc>
## Delete system configuration files in /etc.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Delete system configuration files in /etc.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_delete_generic_etc_files',`
gen_require(`
@ -642,14 +631,12 @@ interface(`files_dontaudit_search_isid_type_dir',`
')
########################################
## <interface name="files_list_home">
## <desc>
## Get listing home home directories.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Get listing home home directories.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_list_home',`
gen_require(`
@ -743,14 +730,12 @@ interface(`files_read_usr_files',`
')
########################################
## <interface name="files_exec_usr_files">
## <desc>
## Execute programs in /usr/src in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute programs in /usr/src in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_exec_usr_files',`
gen_require(`
@ -810,14 +795,12 @@ interface(`files_dontaudit_search_var',`
')
########################################
## <interface name="files_search_var_lib">
## <desc>
## Search the /var/lib directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Search the /var/lib directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_search_var_lib',`
gen_require(`
@ -987,14 +970,12 @@ interface(`files_rw_generic_pids',`
')
########################################
## <interface name="files_dontaudit_write_all_pids">
## <desc>
## Do not audit attempts to write to daemon runtime data files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attempts to write to daemon runtime data files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_dontaudit_write_all_pids',`
gen_require(`
@ -1006,14 +987,12 @@ interface(`files_dontaudit_write_all_pids',`
')
########################################
## <interface name="files_dontaudit_ioctl_all_pids">
## <desc>
## Do not audit attempts to ioctl daemon runtime data files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attempts to ioctl daemon runtime data files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`files_dontaudit_ioctl_all_pids',`
gen_require(`
@ -1123,4 +1102,3 @@ interface(`files_manage_spools',`
allow $1 var_spool_t:file create_file_perms;
')
## </module>
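Review bot: In `files_relabel_all_files` and `files_manage_all_files` the `exception_types` parameter is marked optional, but its description says neither what is covered when it is omitted nor what the negated form looks like. Both interfaces reach every file type, so the parameter text should state this, for example `## If omitted, no types are excluded. Negate each` / `## type or attribute with a leading minus.`, once checked against the interface bodies, which are outside the hunks. The same two hunks keep the typo "perfoming" in the `domain` parameter. Elsewhere in this file, `files_create_root` names a parameter `private type` with a space in it, and `files_list_home` reads "Get listing home home directories."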


@ -1,15 +1,12 @@
## <module name="getty">
## <summary>Policy for getty.</summary>
########################################
## <interface name="getty_domtrans">
## <desc>
## Execute gettys in the getty domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`getty_domtrans',`
gen_require(`
@ -29,14 +26,12 @@ interface(`getty_domtrans',`
')
########################################
## <interface name="getty_read_log">
## <desc>
## Allow process to read getty log file.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`getty_read_log',`
gen_require(`
@ -49,14 +44,12 @@ interface(`getty_read_log',`
')
########################################
## <interface name="getty_read_config">
## <desc>
## Allow process to read getty config file.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`getty_read_config',`
gen_require(`
@ -69,14 +62,12 @@ interface(`getty_read_config',`
')
########################################
## <interface name="getty_modify_config">
## <desc>
## Allow process to edit getty config file.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`getty_modify_config',`
gen_require(`
@ -88,4 +79,3 @@ interface(`getty_modify_config',`
allow $1 getty_etc_t:file rw_file_perms;
')
## </module>


@ -1,16 +1,13 @@
## <module name="hostname">
## <summary>Policy for changing the system host name.</summary>
########################################
## <interface name="hostname_domtrans">
## <desc>
## Execute hostname in the hostname domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## Has a sigchld signal backchannel.
## </param>
## </interface>
## <desc>
## Execute hostname in the hostname domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## Has a sigchld signal backchannel.
## </param>
#
interface(`hostname_domtrans',`
gen_require(`
@ -30,22 +27,20 @@ interface(`hostname_domtrans',`
')
########################################
## <interface name="hostname_run">
## <desc>
## Execute hostname in the hostname domain, and
## allow the specified role the hostname domain.
## Has a sigchld signal backchannel.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the hostname domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the hostname domain to use.
## </param>
## </interface>
## <desc>
## Execute hostname in the hostname domain, and
## allow the specified role the hostname domain.
## Has a sigchld signal backchannel.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the hostname domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the hostname domain to use.
## </param>
#
interface(`hostname_run',`
gen_require(`
@ -59,7 +54,6 @@ interface(`hostname_run',`
')
########################################
## <interface name="hostname_exec">
## <desc>
## Execute hostname in the hostname domain, and
## Has a sigchld signal backchannel.
@ -67,7 +61,6 @@ interface(`hostname_run',`
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`hostname_exec',`
gen_require(`
@ -77,4 +70,3 @@ interface(`hostname_exec',`
can_exec($1,hostname_exec_t)
')
## </module>
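Review bot: The description kept for `hostname_exec` reads "Execute hostname in the hostname domain, and" followed by "Has a sigchld signal backchannel.", which is a broken sentence and looks copied from `hostname_run`. The body visible in the last hunk is `can_exec($1,hostname_exec_t)`, and the sibling `*_exec` interfaces on this page that use `can_exec` are described as running in the caller domain, so the text should most likely be `## Execute hostname in the caller domain.` In `hostname_domtrans` the sentence "Has a sigchld signal backchannel." sits inside the `domain` parameter; it describes the interface and belongs in `<desc>`, as in `hostname_run`. The rest of each interface body is outside the hunks.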


@ -1,7 +1,6 @@
## <module name="hotplug">
## <summary>
## Policy for hotplug system, for supporting the
## connection and disconnection of devices at runtime.
## Policy for hotplug system, for supporting the
## connection and disconnection of devices at runtime.
## </summary>
#######################################
@ -78,14 +77,12 @@ interface(`hotplug_dontaudit_search_config',`
')
########################################
## <interface name="hotplug_read_config">
## <desc>
## Read the configuration files for hotplug.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read the configuration files for hotplug.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`hotplug_read_config',`
gen_require(`
@ -101,4 +98,3 @@ interface(`hotplug_read_config',`
allow $1 hotplug_etc_t:lnk_file r_file_perms;
')
## </module>


@ -1,4 +1,3 @@
## <module name="init">
## <summary>System initialization programs (init and init scripts).</summary>
########################################
@ -260,14 +259,12 @@ interface(`init_exec_script',`
')
########################################
## <interface name="init_read_script_process_state">
## <desc>
## Read the process state (/proc/pid) of the init scripts.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read the process state (/proc/pid) of the init scripts.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`init_read_script_process_state',`
gen_require(`
@ -330,14 +327,12 @@ interface(`init_get_script_process_group',`
')
########################################
## <interface name="init_rw_script_pipe">
## <desc>
## Read and write init script unnamed pipes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write init script unnamed pipes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`init_rw_script_pipe',`
gen_require(`
@ -376,14 +371,12 @@ interface(`init_dontaudit_use_script_pty',`
')
########################################
## <interface name="init_rw_script_tmp_files">
## <desc>
## Read and write init script temporary data.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write init script temporary data.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`init_rw_script_tmp_files',`
gen_require(`
@ -449,4 +442,3 @@ interface(`init_dontaudit_rw_script_pid',`
dontaudit $1 initrc_var_run_t:file { getattr read write append };
')
## </module>


@ -1,15 +1,12 @@
## <module name="iptables">
## <summary>Policy for iptables.</summary>
########################################
## <interface name="iptables_domtrans">
## <desc>
## Execute iptables in the iptables domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute iptables in the iptables domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`iptables_domtrans',`
gen_require(`
@ -29,21 +26,19 @@ interface(`iptables_domtrans',`
')
########################################
## <interface name="iptables_run">
## <desc>
## Execute iptables in the iptables domain, and
## allow the specified role the iptables domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the iptables domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the iptables domain to use.
## </param>
## </interface>
## <desc>
## Execute iptables in the iptables domain, and
## allow the specified role the iptables domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the iptables domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the iptables domain to use.
## </param>
#
interface(`iptables_run',`
gen_require(`
@ -57,14 +52,12 @@ interface(`iptables_run',`
')
########################################
## <interface name="iptables_exec">
## <desc>
## Execute iptables in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute iptables in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`iptables_exec',`
gen_require(`
@ -75,4 +68,3 @@ interface(`iptables_exec',`
can_exec($1,iptables_exec_t)
')
## </module>


@ -1,15 +1,12 @@
## <module name="libraries">
## <summary>Policy for system libraries.</summary>
########################################
## <interface name="libs_domtrans_ldconfig">
## <desc>
## Execute ldconfig in the ldconfig domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute ldconfig in the ldconfig domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`libs_domtrans_ldconfig',`
gen_require(`
@ -29,20 +26,18 @@ interface(`libs_domtrans_ldconfig',`
')
########################################
## <interface name="libs_run_ldconfig">
## <desc>
## Execute ldconfig in the ldconfig domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to allow the ldconfig domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the ldconfig domain to use.
## </param>
## </interface>
## <desc>
## Execute ldconfig in the ldconfig domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to allow the ldconfig domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the ldconfig domain to use.
## </param>
#
interface(`libs_run_ldconfig',`
gen_require(`
@ -56,15 +51,13 @@ interface(`libs_run_ldconfig',`
')
########################################
## <interface name="libs_use_ld_so">
## <desc>
## Use the dynamic link/loader for automatic loading
## of shared libraries.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Use the dynamic link/loader for automatic loading
## of shared libraries.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`libs_use_ld_so',`
gen_require(`
@ -83,15 +76,13 @@ interface(`libs_use_ld_so',`
')
########################################
## <interface name="libs_legacy_use_ld_so">
## <desc>
## Use the dynamic link/loader for automatic loading
## of shared libraries with legacy support.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Use the dynamic link/loader for automatic loading
## of shared libraries with legacy support.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`libs_legacy_use_ld_so',`
gen_require(`
@ -105,16 +96,14 @@ interface(`libs_legacy_use_ld_so',`
')
########################################
## <interface name="libs_exec_ld_so">
## <desc>
## Execute the dynamic link/loader in the caller's
## domain. This is commonly needed for the
## /usr/bin/ldd program.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute the dynamic link/loader in the caller's
## domain. This is commonly needed for the
## /usr/bin/ldd program.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`libs_exec_ld_so',`
gen_require(`
@ -130,15 +119,13 @@ interface(`libs_exec_ld_so',`
')
########################################
## <interface name="libs_rw_ld_so_cache">
## <desc>
## Modify the dynamic link/loader's cached listing
## of shared libraries.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Modify the dynamic link/loader's cached listing
## of shared libraries.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`libs_rw_ld_so_cache',`
gen_require(`
@ -151,14 +138,12 @@ interface(`libs_rw_ld_so_cache',`
')
########################################
## <interface name="libs_search_lib">
## <desc>
## Search lib directories.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Search lib directories.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`libs_search_lib',`
gen_require(`
@ -170,15 +155,13 @@ interface(`libs_search_lib',`
')
########################################
## <interface name="libs_read_lib">
## <desc>
## Read files in the library directories, such
## as static libraries.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read files in the library directories, such
## as static libraries.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`libs_read_lib',`
gen_require(`
@ -194,14 +177,12 @@ interface(`libs_read_lib',`
')
########################################
## <interface name="libs_exec_lib_files">
## <desc>
## Execute library scripts in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute library scripts in the caller domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`libs_exec_lib_files',`
gen_require(`
@ -217,14 +198,12 @@ interface(`libs_exec_lib_files',`
')
########################################
## <interface name="libs_use_shared_libs">
## <desc>
## Load and execute functions from shared libraries.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Load and execute functions from shared libraries.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`libs_use_shared_libs',`
gen_require(`
@ -242,15 +221,13 @@ interface(`libs_use_shared_libs',`
')
########################################
## <interface name="libs_legacy_use_shared_libs">
## <desc>
## Load and execute functions from shared libraries,
## with legacy support.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Load and execute functions from shared libraries,
## with legacy support.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`libs_legacy_use_shared_libs',`
gen_require(`
@ -262,4 +239,3 @@ interface(`libs_legacy_use_shared_libs',`
allow $1 { shlib_t texrel_shlib_t }:file execmod;
')
## </module>


@ -1,15 +1,12 @@
## <module name="locallogin">
## <summary>Policy for local logins.</summary>
########################################
## <interface name="locallogin_domtrans">
## <desc>
## Execute local logins in the locallogin domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`locallogin_domtrans',`
gen_require(`
@ -20,14 +17,12 @@ interface(`locallogin_domtrans',`
')
########################################
## <interface name="locallogin_use_fd">
## <desc>
## Allow processes to inherit local login file descriptors
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`locallogin_use_fd',`
gen_require(`
@ -38,4 +33,3 @@ interface(`locallogin_use_fd',`
allow $1 local_login_t:fd use;
')
## </module>


@ -1,4 +1,3 @@
## <module name="logging">
## <summary>Policy for the kernel message logger and system logging daemon.</summary>
#######################################
@ -60,16 +59,14 @@ interface(`logging_send_syslog_msg',`
')
########################################
## <interface name="logging_search_logs">
## <desc>
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`logging_search_logs',`
gen_require(`
@ -176,4 +173,3 @@ interface(`logging_rw_generic_logs',`
allow $1 var_log_t:file rw_file_perms;
')
## </module>


@ -1,15 +1,12 @@
## <module name="lvm">
## <summary>Policy for logical volume management programs.</summary>
########################################
## <interface name="lvm_domtrans">
## <desc>
## Execute lvm programs in the lvm domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute lvm programs in the lvm domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`lvm_domtrans',`
gen_require(`
@ -29,20 +26,18 @@ interface(`lvm_domtrans',`
')
########################################
## <interface name="lvm_run">
## <desc>
## Execute lvm programs in the lvm domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to allow the LVM domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the LVM domain to use.
## </param>
## </interface>
## <desc>
## Execute lvm programs in the lvm domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to allow the LVM domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the LVM domain to use.
## </param>
#
interface(`lvm_run',`
gen_require(`
@ -56,14 +51,12 @@ interface(`lvm_run',`
')
########################################
## <interface name="lvm_read_config">
## <desc>
## Read LVM configuration files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read LVM configuration files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`lvm_read_config',`
gen_require(`
@ -77,4 +70,3 @@ interface(`lvm_read_config',`
allow $1 lvm_etc_t:file r_file_perms;
')
## </module>
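Review bot: The description kept for `lvm_run` is word for word the one on `lvm_domtrans` ("Execute lvm programs in the lvm domain."), even though `lvm_run` also documents `role` and `terminal` parameters. If these comments feed the generated interface documentation, a policy writer cannot tell from the description that this interface also authorizes a role for the LVM domain. I would reword it as `## Execute lvm programs in the lvm domain, and allow the specified role the lvm domain, and use the caller's terminal.` and fix the parameter text to `## The type of the terminal to allow the LVM domain to use.`. The body of `lvm_run` lies outside the hunk, so the wording should be confirmed against the actual rules.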


@ -1 +0,0 @@
<layer name="system">


@ -1,8 +1,6 @@
## <module name="miscfiles">
## <summary>Miscelaneous files.</summary>
########################################
## <interface name="miscfiles_rw_man_cache">
## <desc>
## Allow process to create files and dirs in /var/cache/man
## and /var/catman/
@ -10,7 +8,6 @@
## <param name="domain">
## Type type of the process performing this action.
## </param>
## </interface>
#
interface(`miscfiles_rw_man_cache',`
gen_require(`
@ -25,14 +22,12 @@ interface(`miscfiles_rw_man_cache',`
')
########################################
## <interface name="miscfiles_read_fonts">
## <desc>
## Allow process to read fonts files
## </desc>
## <param name="domain">
## Type type of the process performing this action.
## </param>
## </interface>
#
interface(`miscfiles_read_fonts',`
gen_require(`
@ -50,14 +45,12 @@ interface(`miscfiles_read_fonts',`
')
########################################
## <interface name="miscfiles_read_localization">
## <desc>
## Allow process to read localization info
## </desc>
## <param name="domain">
## Type type of the process performing this action.
## </param>
## </interface>
#
interface(`miscfiles_read_localization',`
gen_require(`
@ -79,14 +72,12 @@ interface(`miscfiles_read_localization',`
')
########################################
## <interface name="miscfiles_legacy_read_localization">
## <desc>
## Allow process to read legacy time localization info
## </desc>
## <param name="domain">
## Type type of the process performing this action.
## </param>
## </interface>
#
interface(`miscfiles_legacy_read_localization',`
gen_require(`
@ -99,14 +90,12 @@ interface(`miscfiles_legacy_read_localization',`
')
########################################
## <interface name="miscfiles_read_man_pages">
## <desc>
## Allow process to read manpages
## </desc>
## <param name="domain">
## Type type of the process performing this action.
## </param>
## </interface>
#
interface(`miscfiles_read_man_pages',`
gen_require(`
@ -122,4 +111,3 @@ interface(`miscfiles_read_man_pages',`
allow $1 man_t:lnk_file r_file_perms;
')
## </module>
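Review bot: Two typos survive in the comments this commit reworks: the module summary reads `Miscelaneous files.` and every `<param>` body in this file reads `Type type of the process performing this action.`. Both strings would appear verbatim in any documentation generated from these comments. I would change them to `## <summary>Miscellaneous files.</summary>` and `## The type of the process performing this action.`. The `<desc>` sentences in this file also lack a closing period.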


@ -1,15 +1,12 @@
## <module name="modutils">
## <summary>Policy for kernel module utilities</summary>
########################################
## <interface name="modutils_read_kernel_module_dependencies">
## <desc>
## Read the dependencies of kernel modules.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read the dependencies of kernel modules.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`modutils_read_kernel_module_dependencies',`
gen_require(`
@ -22,15 +19,13 @@ interface(`modutils_read_kernel_module_dependencies',`
')
########################################
## <interface name="modutils_read_module_conf">
## <desc>
## Read the configuration options used when
## loading modules.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read the configuration options used when
## loading modules.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`modutils_read_module_conf',`
gen_require(`
@ -47,14 +42,12 @@ interface(`modutils_read_module_conf',`
')
########################################
## <interface name="modutils_domtrans_insmod">
## <desc>
## Execute insmod in the insmod domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute insmod in the insmod domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`modutils_domtrans_insmod',`
gen_require(`
@ -74,23 +67,21 @@ interface(`modutils_domtrans_insmod',`
')
########################################
## <interface name="modutils_run_insmod">
## <desc>
## Execute insmod in the insmod domain, and
## allow the specified role the insmod domain,
## and use the caller's terminal. Has a sigchld
## backchannel.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the insmod domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the insmod domain to use.
## </param>
## </interface>
## <desc>
## Execute insmod in the insmod domain, and
## allow the specified role the insmod domain,
## and use the caller's terminal. Has a sigchld
## backchannel.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the insmod domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the insmod domain to use.
## </param>
#
interface(`modutils_run_insmod',`
gen_require(`
@ -117,14 +108,12 @@ interface(`modutils_exec_insmod',`
')
########################################
## <interface name="modutils_domtrans_depmod">
## <desc>
## Execute depmod in the depmod domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute depmod in the depmod domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`modutils_domtrans_depmod',`
gen_require(`
@ -144,20 +133,18 @@ interface(`modutils_domtrans_depmod',`
')
########################################
## <interface name="modutils_run_depmod">
## <desc>
## Execute depmod in the depmod domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the depmod domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the depmod domain to use.
## </param>
## </interface>
## <desc>
## Execute depmod in the depmod domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the depmod domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the depmod domain to use.
## </param>
#
interface(`modutils_run_depmod',`
gen_require(`
@ -184,14 +171,12 @@ interface(`modutils_exec_depmod',`
')
########################################
## <interface name="modutils_domtrans_update_mods">
## <desc>
## Execute depmod in the depmod domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute depmod in the depmod domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`modutils_domtrans_update_mods',`
gen_require(`
@ -211,20 +196,18 @@ interface(`modutils_domtrans_update_mods',`
')
########################################
## <interface name="modutils_run_update_mods">
## <desc>
## Execute update_modules in the update_modules domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the update_modules domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the update_modules domain to use.
## </param>
## </interface>
## <desc>
## Execute update_modules in the update_modules domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the update_modules domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the update_modules domain to use.
## </param>
#
interface(`modutils_run_update_mods',`
gen_require(`
@ -250,4 +233,3 @@ interface(`modutils_exec_update_mods',`
can_exec($1, update_modules_exec_t)
')
## </module>
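Review bot: The description of `modutils_domtrans_update_mods` still says `Execute depmod in the depmod domain.`, which is the text of `modutils_domtrans_depmod` and does not match the interface name; `modutils_run_update_mods` in the next hunk speaks of the update_modules domain. A wrong target domain in the description of a domain-transition interface misleads anyone auditing what a caller is granted. I would change it to `## Execute update_modules in the update_modules domain.`. The interface body lies outside the hunk, so the target type should be confirmed there. The descriptions of `modutils_run_depmod` and `modutils_run_update_mods` also omit the role and terminal grants that `modutils_run_insmod` spells out.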


@ -1,15 +1,12 @@
## <module name="mount">
## <summary>Policy for mount.</summary>
########################################
## <interface name="mount_domtrans">
## <desc>
## Execute mount in the mount domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute mount in the mount domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`mount_domtrans',`
gen_require(`
@ -28,22 +25,20 @@ interface(`mount_domtrans',`
')
########################################
## <interface name="mount_run">
## <desc>
## Execute mount in the mount domain, and
## allow the specified role the mount domain,
## and use the caller's terminal.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the mount domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the mount domain to use.
## </param>
## </interface>
## <desc>
## Execute mount in the mount domain, and
## allow the specified role the mount domain,
## and use the caller's terminal.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the mount domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the mount domain to use.
## </param>
#
interface(`mount_run',`
gen_require(`
@ -57,14 +52,12 @@ interface(`mount_run',`
')
########################################
## <interface name="mount_use_fd">
## <desc>
## Use file descriptors for mount.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`mount_use_fd',`
gen_require(`
@ -76,7 +69,6 @@ interface(`mount_use_fd',`
')
########################################
## <interface name="mount_send_nfs_client_request">
## <desc>
## Allow the mount domain to send nfs requests for mounting
## network drives
@ -84,7 +76,6 @@ interface(`mount_use_fd',`
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`mount_send_nfs_client_request',`
gen_require(`
@ -95,4 +86,3 @@ interface(`mount_send_nfs_client_request',`
allow $1 mount_t:udp_socket rw_socket_perms;
')
## </module>
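Review bot: The description of `mount_send_nfs_client_request` says the mount domain is allowed to send NFS requests, but the only rule visible in the last hunk, `allow $1 mount_t:udp_socket rw_socket_perms;`, grants the calling domain read/write access to mount's UDP sockets. The description should state what the caller receives, so that a reviewer of a module using this interface sees the actual grant. Something like `## Read and write the UDP sockets of the mount domain.` would do, with the NFS use case given as the reason. The interface body starts outside the hunk, so other rules may exist that justify the current wording.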


@ -1,15 +1,12 @@
## <module name="selinuxutil">
## <summary>Policy for SELinux policy and userland applications.</summary>
#######################################
## <interface name="seutil_domtrans_checkpol">
## <desc>
## Execute checkpolicy in the checkpolicy domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute checkpolicy in the checkpolicy domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`seutil_domtrans_checkpol',`
gen_require(`
@ -30,23 +27,21 @@ interface(`seutil_domtrans_checkpol',`
')
########################################
## <interface name="seutil_run_checkpol">
## <desc>
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
## and use the caller's terminal.
## Has a SIGCHLD signal backchannel.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the checkpolicy domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the checkpolicy domain to use.
## </param>
## </interface>
## <desc>
## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain,
## and use the caller's terminal.
## Has a SIGCHLD signal backchannel.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the checkpolicy domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the checkpolicy domain to use.
## </param>
#
interface(`seutil_run_checkpol',`
gen_require(`
@ -74,14 +69,12 @@ interface(`seutil_exec_checkpol',`
')
#######################################
## <interface name="seutil_domtrans_loadpol">
## <desc>
## Execute load_policy in the load_policy domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute load_policy in the load_policy domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`seutil_domtrans_loadpol',`
gen_require(`
@ -101,23 +94,21 @@ interface(`seutil_domtrans_loadpol',`
')
########################################
## <interface name="seutil_run_loadpol">
## <desc>
## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain,
## and use the caller's terminal.
## Has a SIGCHLD signal backchannel.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the load_policy domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the load_policy domain to use.
## </param>
## </interface>
## <desc>
## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain,
## and use the caller's terminal.
## Has a SIGCHLD signal backchannel.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the load_policy domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the load_policy domain to use.
## </param>
#
interface(`seutil_run_loadpol',`
gen_require(`
@ -158,14 +149,12 @@ interface(`seutil_read_loadpol',`
')
#######################################
## <interface name="seutil_domtrans_newrole">
## <desc>
## Execute newrole in the load_policy domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute newrole in the load_policy domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`seutil_domtrans_newrole',`
gen_require(`
@ -186,22 +175,20 @@ interface(`seutil_domtrans_newrole',`
')
########################################
## <interface name="seutil_run_newrole">
## <desc>
## Execute newrole in the newrole domain, and
## allow the specified role the newrole domain,
## and use the caller's terminal.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the newrole domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the newrole domain to use.
## </param>
## </interface>
## <desc>
## Execute newrole in the newrole domain, and
## allow the specified role the newrole domain,
## and use the caller's terminal.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the newrole domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the newrole domain to use.
## </param>
#
interface(`seutil_run_newrole',`
gen_require(`
@ -229,15 +216,13 @@ interface(`seutil_exec_newrole',`
')
########################################
## <interface name="seutil_dontaudit_newrole_signal">
## <desc>
## Do not audit the caller attempts to send
## a signal to newrole.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit the caller attempts to send
## a signal to newrole.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`seutil_dontaudit_newrole_signal',`
gen_require(`
@ -275,14 +260,12 @@ interface(`seutil_use_newrole_fd',`
')
#######################################
## <interface name="seutil_domtrans_restorecon">
## <desc>
## Execute restorecon in the restorecon domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute restorecon in the restorecon domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`seutil_domtrans_restorecon',`
gen_require(`
@ -302,22 +285,20 @@ interface(`seutil_domtrans_restorecon',`
')
########################################
## <interface name="seutil_run_restorecon">
## <desc>
## Execute restorecon in the restorecon domain, and
## allow the specified role the restorecon domain,
## and use the caller's terminal.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the restorecon domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the restorecon domain to use.
## </param>
## </interface>
## <desc>
## Execute restorecon in the restorecon domain, and
## allow the specified role the restorecon domain,
## and use the caller's terminal.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the restorecon domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the restorecon domain to use.
## </param>
#
interface(`seutil_run_restorecon',`
gen_require(`
@ -344,14 +325,12 @@ interface(`seutil_exec_restorecon',`
')
########################################
## <interface name="seutil_domtrans_runinit">
## <desc>
## Execute run_init in the run_init domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute run_init in the run_init domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`seutil_domtrans_runinit',`
gen_require(`
@ -372,22 +351,20 @@ interface(`seutil_domtrans_runinit',`
')
########################################
## <interface name="seutil_run_runinit">
## <desc>
## Execute run_init in the run_init domain, and
## allow the specified role the run_init domain,
## and use the caller's terminal.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the run_init domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the run_init domain to use.
## </param>
## </interface>
## <desc>
## Execute run_init in the run_init domain, and
## allow the specified role the run_init domain,
## and use the caller's terminal.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the run_init domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the run_init domain to use.
## </param>
#
interface(`seutil_run_runinit',`
gen_require(`
@ -414,14 +391,12 @@ interface(`seutil_use_runinit_fd',`
')
########################################
## <interface name="seutil_domtrans_setfiles">
## <desc>
## Execute setfiles in the setfiles domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute setfiles in the setfiles domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`seutil_domtrans_setfiles',`
gen_require(`
@ -442,22 +417,20 @@ interface(`seutil_domtrans_setfiles',`
')
########################################
## <interface name="seutil_run_setfiles">
## <desc>
## Execute setfiles in the setfiles domain, and
## allow the specified role the setfiles domain,
## and use the caller's terminal.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the setfiles domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the setfiles domain to use.
## </param>
## </interface>
## <desc>
## Execute setfiles in the setfiles domain, and
## allow the specified role the setfiles domain,
## and use the caller's terminal.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the setfiles domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the setfiles domain to use.
## </param>
#
interface(`seutil_run_setfiles',`
gen_require(`
@ -571,14 +544,12 @@ interface(`seutil_create_binary_pol',`
')
########################################
## <interface name="seutil_relabelto_binary_pol">
## <desc>
## Allow the caller to relabel a file to the binary policy type.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Allow the caller to relabel a file to the binary policy type.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`seutil_relabelto_binary_pol',`
gen_require(`
@ -644,4 +615,3 @@ interface(`seutil_manage_src_pol',`
allow $1 policy_src_t:file create_file_perms;
')
## </module>
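Review bot: The description of `seutil_domtrans_newrole` reads `Execute newrole in the load_policy domain.`, which looks like a leftover from `seutil_domtrans_loadpol`; `seutil_run_newrole` in the following hunk names the newrole domain. Because newrole is the role-changing program, a description naming the wrong target domain is easy to misread during a policy audit. I would change it to `## Execute newrole in the newrole domain.`. The interface body lies outside the hunk, so the transition target should be confirmed against the rules there.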


@ -1,15 +1,12 @@
## <module name="sysnetwork">
## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
#######################################
## <interface name="sysnet_domtrans_dhcpc">
## <desc>
## Execute dhcp client in dhcpc domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`sysnet_domtrans_dhcpc',`
gen_require(`
@ -29,14 +26,12 @@ interface(`sysnet_domtrans_dhcpc',`
')
#######################################
## <interface name="sysnet_domtrans_ifconfig">
## <desc>
## Execute ifconfig in the ifconfig domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute ifconfig in the ifconfig domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`sysnet_domtrans_ifconfig',`
gen_require(`
@ -56,22 +51,20 @@ interface(`sysnet_domtrans_ifconfig',`
')
########################################
## <interface name="sysnet_run_ifconfig">
## <desc>
## Execute ifconfig in the ifconfig domain, and
## allow the specified role the ifconfig domain,
## and use the caller's terminal.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the ifconfig domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the ifconfig domain to use.
## </param>
## </interface>
## <desc>
## Execute ifconfig in the ifconfig domain, and
## allow the specified role the ifconfig domain,
## and use the caller's terminal.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## <param name="role">
## The role to be allowed the ifconfig domain.
## </param>
## <param name="terminal">
## The type of the terminal allow the ifconfig domain to use.
## </param>
#
interface(`sysnet_run_ifconfig',`
gen_require(`
@ -86,14 +79,12 @@ interface(`sysnet_run_ifconfig',`
')
#######################################
## <interface name="sysnet_read_config">
## <desc>
## Allow network init to read network config files.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`sysnet_read_config',`
gen_require(`
@ -105,4 +96,3 @@ interface(`sysnet_read_config',`
allow $1 net_conf_t:file r_file_perms;
')
## </module>
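Review bot: The description of `sysnet_read_config` says `Allow network init to read network config files.`, but the interface takes an arbitrary `domain` parameter, and the visible rule `allow $1 net_conf_t:file r_file_perms;` grants read access to whichever domain calls it. The description should not suggest the grant is limited to one caller. I would change it to `## Read network config files.`. The rest of the interface body is outside the hunk.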


@ -1,15 +1,12 @@
## <module name="udev">
## <summary>Policy for udev.</summary>
########################################
## <interface name="udev_domtrans">
## <desc>
## Execute udev in the udev domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`udev_domtrans',`
gen_require(`
@ -28,14 +25,12 @@ interface(`udev_domtrans',`
')
########################################
## <interface name="udev_read_db">
## <desc>
## Allow process to read list of devices.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`udev_read_db',`
gen_require(`
@ -48,14 +43,12 @@ interface(`udev_read_db',`
')
########################################
## <interface name="udev_rw_db">
## <desc>
## Allow process to modify list of devices.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`udev_rw_db',`
gen_require(`
@ -67,4 +60,3 @@ interface(`udev_rw_db',`
allow $1 udev_tdb_t:file rw_file_perms;
')
## </module>


@ -1,4 +1,3 @@
## <module name="userdomain">
## <summary>Policy for user domains</summary>
########################################
@ -809,16 +808,14 @@ template(`admin_domain_template',`
')
########################################
## <interface name="userdom_spec_domtrans_all_users">
## <desc>
## Execute a shell in all user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute a shell in all user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_spec_domtrans_all_users',`
gen_require(`
@ -829,16 +826,14 @@ interface(`userdom_spec_domtrans_all_users',`
')
########################################
## <interface name="userdom_spec_domtrans_unpriv_users">
## <desc>
## Execute a shell in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute a shell in all unprivileged user domains. This
## is an explicit transition, requiring the
## caller to use setexeccon().
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_spec_domtrans_unpriv_users',`
gen_require(`
@ -849,14 +844,12 @@ interface(`userdom_spec_domtrans_unpriv_users',`
')
########################################
## <interface name="userdom_shell_domtrans_sysadm">
## <desc>
## Execute a shell in the sysadm domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Execute a shell in the sysadm domain.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_shell_domtrans_sysadm',`
gen_require(`
@ -867,14 +860,12 @@ interface(`userdom_shell_domtrans_sysadm',`
')
########################################
## <interface name="userdom_use_sysadm_tty">
## <desc>
## Read and write sysadm ttys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write sysadm ttys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_tty',`
gen_require(`
@ -888,14 +879,12 @@ interface(`userdom_use_sysadm_tty',`
')
########################################
## <interface name="userdom_use_sysadm_terms">
## <desc>
## Read and write sysadm ttys and ptys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read and write sysadm ttys and ptys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_use_sysadm_terms',`
gen_require(`
@ -909,14 +898,12 @@ interface(`userdom_use_sysadm_terms',`
')
########################################
## <interface name="userdom_dontaudit_use_sysadm_terms">
## <desc>
## Do not audit attempts to use admin ttys and ptys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attempts to use admin ttys and ptys.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_dontaudit_use_sysadm_terms',`
gen_require(`
@ -928,14 +915,12 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
')
########################################
## <interface name="userdom_search_all_users_home">
## <desc>
## Search all users home directories.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Search all users home directories.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_search_all_users_home',`
gen_require(`
@ -948,14 +933,12 @@ interface(`userdom_search_all_users_home',`
')
########################################
## <interface name="userdom_read_all_user_data">
## <desc>
## Read all files in all users home directories.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Read all files in all users home directories.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_read_all_user_data',`
gen_require(`
@ -970,14 +953,12 @@ interface(`userdom_read_all_user_data',`
')
########################################
## <interface name="userdom_use_all_user_fd">
## <desc>
## Inherit the file descriptors from all user domains
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Inherit the file descriptors from all user domains
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_use_all_user_fd',`
gen_require(`
@ -989,14 +970,12 @@ interface(`userdom_use_all_user_fd',`
')
########################################
## <interface name="userdom_signal_all_users">
## <desc>
## Send general signals to all user domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Send general signals to all user domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_signal_all_users',`
gen_require(`
@ -1008,14 +987,12 @@ interface(`userdom_signal_all_users',`
')
########################################
## <interface name="userdom_signal_unpriv_users">
## <desc>
## Send general signals to unprivileged user domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Send general signals to unprivileged user domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_signal_unpriv_users',`
gen_require(`
@ -1027,14 +1004,12 @@ interface(`userdom_signal_unpriv_users',`
')
########################################
## <interface name="userdom_use_unpriv_users_fd">
## <desc>
## Inherit the file descriptors from all user domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Inherit the file descriptors from all user domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_use_unpriv_users_fd',`
gen_require(`
@ -1046,15 +1021,13 @@ interface(`userdom_use_unpriv_users_fd',`
')
########################################
## <interface name="userdom_dontaudit_use_unpriv_user_fd">
## <desc>
## Do not audit attempts to inherit the
## file descriptors from all user domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
## <desc>
## Do not audit attempts to inherit the
## file descriptors from all user domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`userdom_dontaudit_use_unpriv_user_fd',`
gen_require(`
@ -1065,4 +1038,3 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
dontaudit $1 unpriv_userdomain:fd use;
')
## </module>
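Review bot: The description kept for `userdom_dontaudit_use_unpriv_user_fd` says it covers "file descriptors from all user domains", but the rule at the end of this section is `dontaudit $1 unpriv_userdomain:fd use;`, which covers only unprivileged user domains. A dontaudit rule hides denials from the audit log, so the comment should state the exact scope: `## Do not audit attempts to inherit the` followed by `## file descriptors from unprivileged user domains.` The description of `userdom_use_unpriv_users_fd` also says "all user domains" and reads the same as that of `userdom_use_all_user_fd`. Its body lies outside the hunks shown, so it presumably needs the same correction, but confirm against the rule it contains.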