rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

update for new documentation method

Browse Source
This commit is contained in:
Chris PeBenito 2005-06-23 21:30:57 +00:00
parent aad5b98eba
commit 414e415198
43 changed files with 3326 additions and 4377 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
refpolicy/Makefile
View File

@ -274,7 +274,6 @@ $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/ke
$(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \ $(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
| m4 $(M4PARAM) $(M4SUPPORT) $(MODDIR)/kernel/corenetwork.if.m4 - \ | m4 $(M4PARAM) $(M4SUPPORT) $(MODDIR)/kernel/corenetwork.if.m4 - \
| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
$(QUIET) echo "## </module>" >> $@
$(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in $(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
@echo "#" > $@ @echo "#" > $@

30
refpolicy/policy/modules/admin/dmesg.if
View File

@ -1,15 +1,12 @@
## <module name="dmesg">
## <summary>Policy for dmesg.</summary> ## <summary>Policy for dmesg.</summary>
######################################## ########################################
## <interface name="dmesg_domtrans"> ## <desc>
## <desc> ## Execute dmesg in the dmesg domain.
## Execute dmesg in the dmesg domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`dmesg_domtrans',` interface(`dmesg_domtrans',`
gen_require(` gen_require(`
@ -29,14 +26,12 @@ interface(`dmesg_domtrans',`
') ')
######################################## ########################################
## <interface name="dmesg_exec"> ## <desc>
## <desc> ## Execute dmesg in the caller domain.
## Execute dmesg in the caller domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`dmesg_exec',` interface(`dmesg_exec',`
gen_require(` gen_require(`
@ -47,4 +42,3 @@ interface(`dmesg_exec',`
can_exec($1,dmesg_exec_t) can_exec($1,dmesg_exec_t)
') ')
## </module>

1
refpolicy/policy/modules/admin/metadata.xml
View File

@ -1 +0,0 @@
<layer name="admin">

84
refpolicy/policy/modules/admin/rpm.if
View File

@ -1,15 +1,12 @@
## <module name="rpm">
## <summary>Policy for the RPM package manager.</summary> ## <summary>Policy for the RPM package manager.</summary>
######################################## ########################################
## <interface name="rpm_domtrans"> ## <desc>
## <desc> ## Execute rpm programs in the rpm domain.
## Execute rpm programs in the rpm domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`rpm_domtrans',` interface(`rpm_domtrans',`
gen_require(` gen_require(`
@ -30,20 +27,18 @@ interface(`rpm_domtrans',`
') ')
######################################## ########################################
## <interface name="rpm_run"> ## <desc>
## <desc> ## Execute RPM programs in the RPM domain.
## Execute RPM programs in the RPM domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to allow the RPM domain.
## The role to allow the RPM domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the RPM domain to use.
## The type of the terminal allow the RPM domain to use. ## </param>
## </param>
## </interface>
# #
interface(`rpm_run',` interface(`rpm_run',`
gen_require(` gen_require(`
@ -58,14 +53,12 @@ interface(`rpm_run',`
') ')
######################################## ########################################
## <interface name="rpm_use_fd"> ## <desc>
## <desc> ## Inherit and use file descriptors from RPM.
## Inherit and use file descriptors from RPM. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`rpm_use_fd',` interface(`rpm_use_fd',`
gen_require(` gen_require(`
@ -77,14 +70,12 @@ interface(`rpm_use_fd',`
') ')
######################################## ########################################
## <interface name="rpm_read_pipe"> ## <desc>
## <desc> ## Read from a RPM pipe.
## Read from a RPM pipe. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`rpm_read_pipe',` interface(`rpm_read_pipe',`
gen_require(` gen_require(`
@ -96,14 +87,12 @@ interface(`rpm_read_pipe',`
') ')
######################################## ########################################
## <interface name="rpm_read_db"> ## <desc>
## <desc> ## Read RPM package database.
## Read RPM package database. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`rpm_read_db',` interface(`rpm_read_db',`
gen_require(` gen_require(`
@ -135,4 +124,3 @@ interface(`rpm_manage_db',`
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink }; allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
') ')
## </module>

170
refpolicy/policy/modules/admin/usermanage.if
View File

@ -1,15 +1,12 @@
## <module name="usermanage">
## <summary>Policy for managing user accounts.</summary> ## <summary>Policy for managing user accounts.</summary>
######################################## ########################################
## <interface name="usermanage_domtrans_chfn"> ## <desc>
## <desc> ## Execute chfn in the chfn domain.
## Execute chfn in the chfn domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`usermanage_domtrans_chfn',` interface(`usermanage_domtrans_chfn',`
gen_require(` gen_require(`
@ -30,21 +27,19 @@ interface(`usermanage_domtrans_chfn',`
') ')
######################################## ########################################
## <interface name="usermanage_run_chfn"> ## <desc>
## <desc> ## Execute chfn in the chfn domain, and
## Execute chfn in the chfn domain, and ## allow the specified role the chfn domain.
## allow the specified role the chfn domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the chfn domain.
## The role to be allowed the chfn domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the chfn domain to use.
## The type of the terminal allow the chfn domain to use. ## </param>
## </param>
## </interface>
# #
interface(`usermanage_run_chfn',` interface(`usermanage_run_chfn',`
gen_require(` gen_require(`
@ -58,14 +53,12 @@ interface(`usermanage_run_chfn',`
') ')
######################################## ########################################
## <interface name="usermanage_domtrans_groupadd"> ## <desc>
## <desc> ## Execute groupadd in the groupadd domain.
## Execute groupadd in the groupadd domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`usermanage_domtrans_groupadd',` interface(`usermanage_domtrans_groupadd',`
gen_require(` gen_require(`
@ -86,21 +79,19 @@ interface(`usermanage_domtrans_groupadd',`
') ')
######################################## ########################################
## <interface name="usermanage_run_groupadd"> ## <desc>
## <desc> ## Execute groupadd in the groupadd domain, and
## Execute groupadd in the groupadd domain, and ## allow the specified role the groupadd domain.
## allow the specified role the groupadd domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the groupadd domain.
## The role to be allowed the groupadd domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the groupadd domain to use.
## The type of the terminal allow the groupadd domain to use. ## </param>
## </param>
## </interface>
# #
interface(`usermanage_run_groupadd',` interface(`usermanage_run_groupadd',`
gen_require(` gen_require(`
@ -114,14 +105,12 @@ interface(`usermanage_run_groupadd',`
') ')
######################################## ########################################
## <interface name="usermanage_domtrans_passwd"> ## <desc>
## <desc> ## Execute passwd in the passwd domain.
## Execute passwd in the passwd domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`usermanage_domtrans_passwd',` interface(`usermanage_domtrans_passwd',`
gen_require(` gen_require(`
@ -142,21 +131,19 @@ interface(`usermanage_domtrans_passwd',`
') ')
######################################## ########################################
## <interface name="usermanage_run_passwd"> ## <desc>
## <desc> ## Execute passwd in the passwd domain, and
## Execute passwd in the passwd domain, and ## allow the specified role the passwd domain.
## allow the specified role the passwd domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the passwd domain.
## The role to be allowed the passwd domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the passwd domain to use.
## The type of the terminal allow the passwd domain to use. ## </param>
## </param>
## </interface>
# #
interface(`usermanage_run_passwd',` interface(`usermanage_run_passwd',`
gen_require(` gen_require(`
@ -170,14 +157,12 @@ interface(`usermanage_run_passwd',`
') ')
######################################## ########################################
## <interface name="usermanage_domtrans_useradd"> ## <desc>
## <desc> ## Execute useradd in the useradd domain.
## Execute useradd in the useradd domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`usermanage_domtrans_useradd',` interface(`usermanage_domtrans_useradd',`
gen_require(` gen_require(`
@ -198,21 +183,19 @@ interface(`usermanage_domtrans_useradd',`
') ')
######################################## ########################################
## <interface name="usermanage_run_useradd"> ## <desc>
## <desc> ## Execute useradd in the useradd domain, and
## Execute useradd in the useradd domain, and ## allow the specified role the useradd domain.
## allow the specified role the useradd domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the useradd domain.
## The role to be allowed the useradd domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the useradd domain to use.
## The type of the terminal allow the useradd domain to use. ## </param>
## </param>
## </interface>
# #
interface(`usermanage_run_useradd',` interface(`usermanage_run_useradd',`
gen_require(` gen_require(`
@ -225,4 +208,3 @@ interface(`usermanage_run_useradd',`
allow useradd_t $3:chr_file rw_term_perms; allow useradd_t $3:chr_file rw_term_perms;
') ')
## </module>

44
refpolicy/policy/modules/apps/gpg.if
View File

@ -1,28 +1,26 @@
## <module name="gpg">
## <summary>Policy for GNU Privacy Guard and related programs.</summary> ## <summary>Policy for GNU Privacy Guard and related programs.</summary>
####################################### #######################################
## <template name="gpg_per_userdomain_template"> ## <summary>
## <summary> ## The per-userdomain template for the gpg module.
## The per-userdomain template for the gpg module. ## </summary>
## </summary> ## <desc>
## <desc> ## <p>
## <p> ## This template creates the types and rules for GPG,
## This template creates the types and rules for GPG, ## GPG-agent, and GPG helper programs. This protects
## GPG-agent, and GPG helper programs. This protects ## the user keys and secrets, and runs the programs
## the user keys and secrets, and runs the programs ## in domains specific to the user type.
## in domains specific to the user type. ## </p>
## </p> ## <p>
## <p> ## This is invoked automatically for each user, and
## This is invoked automatically for each user, and ## generally does not need to be statically invoked
## generally does not need to be statically invoked ## directly by policy writers.
## directly by policy writers. ## </p>
## </p> ## </desc>
## </desc> ## <param name="userdomain_prefix">
## <param name="userdomain_prefix"> ## The prefix of the user domain (e.g., user
## The prefix of the user domain (e.g., user ## is the prefix for user_t).
## is the prefix for user_t). ## </param>
## </param>
# #
template(`gpg_per_userdomain_template',` template(`gpg_per_userdomain_template',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
@ -368,6 +366,4 @@ template(`gpg_per_userdomain_template',`
') dnl end TODO ') dnl end TODO
') ')
## </template>
## </module>

1
refpolicy/policy/modules/apps/metadata.xml
View File

@ -1 +0,0 @@
<layer name="apps">

278
refpolicy/policy/modules/kernel/bootloader.if
View File

@ -1,15 +1,12 @@
## <module name="bootloader">
## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary> ## <summary>Policy for the kernel modules, kernel image, and bootloader.</summary>
######################################## ########################################
## <interface name="bootloader_domtrans"> ## <desc>
## <desc> ## Execute bootloader in the bootloader domain.
## Execute bootloader in the bootloader domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_domtrans',` interface(`bootloader_domtrans',`
gen_require(` gen_require(`
@ -28,21 +25,19 @@ interface(`bootloader_domtrans',`
') ')
######################################## ########################################
## <interface name="bootloader_run"> ## <desc>
## <desc> ## Execute bootloader interactively and do
## Execute bootloader interactively and do ## a domain transition to the bootloader domain.
## a domain transition to the bootloader domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the bootloader domain.
## The role to be allowed the bootloader domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the bootloader domain to use.
## The type of the terminal allow the bootloader domain to use. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_run',` interface(`bootloader_run',`
gen_require(` gen_require(`
@ -57,14 +52,12 @@ interface(`bootloader_run',`
') ')
######################################## ########################################
## <interface name="bootloader_search_boot_dir"> ## <desc>
## <desc> ## Search the /boot directory.
## Search the /boot directory. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_search_boot_dir',` interface(`bootloader_search_boot_dir',`
gen_require(` gen_require(`
@ -76,14 +69,12 @@ interface(`bootloader_search_boot_dir',`
') ')
######################################## ########################################
## <interface name="bootloader_dontaudit_search_boot"> ## <desc>
## <desc> ## Do not audit attempts to search the /boot directory.
## Do not audit attempts to search the /boot directory. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_dontaudit_search_boot',` interface(`bootloader_dontaudit_search_boot',`
gen_require(` gen_require(`
@ -95,15 +86,13 @@ interface(`bootloader_dontaudit_search_boot',`
') ')
######################################## ########################################
## <interface name="bootloader_rw_boot_symlinks"> ## <desc>
## <desc> ## Read and write symbolic links
## Read and write symbolic links ## in the /boot directory.
## in the /boot directory. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_rw_boot_symlinks',` interface(`bootloader_rw_boot_symlinks',`
gen_require(` gen_require(`
@ -117,14 +106,12 @@ interface(`bootloader_rw_boot_symlinks',`
') ')
######################################## ########################################
## <interface name="bootloader_create_kernel"> ## <desc>
## <desc> ## Install a kernel into the /boot directory.
## Install a kernel into the /boot directory. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_create_kernel',` interface(`bootloader_create_kernel',`
gen_require(` gen_require(`
@ -140,14 +127,12 @@ interface(`bootloader_create_kernel',`
') ')
######################################## ########################################
## <interface name="bootloader_create_kernel_symbol_table"> ## <desc>
## <desc> ## Install a system.map into the /boot directory.
## Install a system.map into the /boot directory. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_create_kernel_symbol_table',` interface(`bootloader_create_kernel_symbol_table',`
gen_require(` gen_require(`
@ -161,14 +146,12 @@ interface(`bootloader_create_kernel_symbol_table',`
') ')
######################################## ########################################
## <interface name="bootloader_read_kernel_symbol_table"> ## <desc>
## <desc> ## Read system.map in the /boot directory.
## Read system.map in the /boot directory. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_read_kernel_symbol_table',` interface(`bootloader_read_kernel_symbol_table',`
gen_require(` gen_require(`
@ -182,14 +165,12 @@ interface(`bootloader_read_kernel_symbol_table',`
') ')
######################################## ########################################
## <interface name="bootloader_delete_kernel"> ## <desc>
## <desc> ## Delete a kernel from /boot.
## Delete a kernel from /boot. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_delete_kernel',` interface(`bootloader_delete_kernel',`
gen_require(` gen_require(`
@ -203,14 +184,12 @@ interface(`bootloader_delete_kernel',`
') ')
######################################## ########################################
## <interface name="bootloader_delete_kernel_symbol_table"> ## <desc>
## <desc> ## Delete a system.map in the /boot directory.
## Delete a system.map in the /boot directory. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_delete_kernel_symbol_table',` interface(`bootloader_delete_kernel_symbol_table',`
gen_require(` gen_require(`
@ -224,14 +203,12 @@ interface(`bootloader_delete_kernel_symbol_table',`
') ')
######################################## ########################################
## <interface name="bootloader_read_config"> ## <desc>
## <desc> ## Read the bootloader configuration file.
## Read the bootloader configuration file. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_read_config',` interface(`bootloader_read_config',`
gen_require(` gen_require(`
@ -243,15 +220,13 @@ interface(`bootloader_read_config',`
') ')
######################################## ########################################
## <interface name="bootloader_rw_config"> ## <desc>
## <desc> ## Read and write the bootloader
## Read and write the bootloader ## configuration file.
## configuration file. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_rw_config',` interface(`bootloader_rw_config',`
gen_require(` gen_require(`
@ -263,15 +238,13 @@ interface(`bootloader_rw_config',`
') ')
######################################## ########################################
## <interface name="bootloader_rw_tmp_file"> ## <desc>
## <desc> ## Read and write the bootloader
## Read and write the bootloader ## temporary data in /tmp.
## temporary data in /tmp. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_rw_tmp_file',` interface(`bootloader_rw_tmp_file',`
gen_require(` gen_require(`
@ -284,15 +257,13 @@ interface(`bootloader_rw_tmp_file',`
') ')
######################################## ########################################
## <interface name="bootloader_create_runtime_file"> ## <desc>
## <desc> ## Read and write the bootloader
## Read and write the bootloader ## temporary data in /tmp.
## temporary data in /tmp. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_create_runtime_file',` interface(`bootloader_create_runtime_file',`
gen_require(` gen_require(`
@ -307,14 +278,12 @@ interface(`bootloader_create_runtime_file',`
') ')
######################################## ########################################
## <interface name="bootloader_list_kernel_modules"> ## <desc>
## <desc> ## List the contents of the kernel module directories.
## List the contents of the kernel module directories. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_list_kernel_modules',` interface(`bootloader_list_kernel_modules',`
gen_require(` gen_require(`
@ -326,14 +295,12 @@ interface(`bootloader_list_kernel_modules',`
') ')
######################################## ########################################
## <interface name="bootloader_read_kernel_modules"> ## <desc>
## <desc> ## Read kernel module files.
## Read kernel module files. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_read_kernel_modules',` interface(`bootloader_read_kernel_modules',`
gen_require(` gen_require(`
@ -349,14 +316,12 @@ interface(`bootloader_read_kernel_modules',`
') ')
######################################## ########################################
## <interface name="bootloader_write_kernel_modules"> ## <desc>
## <desc> ## Write kernel module files.
## Write kernel module files. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_write_kernel_modules',` interface(`bootloader_write_kernel_modules',`
gen_require(` gen_require(`
@ -373,15 +338,13 @@ interface(`bootloader_write_kernel_modules',`
') ')
######################################## ########################################
## <interface name="bootloader_manage_kernel_modules"> ## <desc>
## <desc> ## Create, read, write, and delete
## Create, read, write, and delete ## kernel module files.
## kernel module files. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`bootloader_manage_kernel_modules',` interface(`bootloader_manage_kernel_modules',`
gen_require(` gen_require(`
@ -417,4 +380,3 @@ interface(`bootloader_create_private_module_dir_entry',`
') ')
') ')
## </module>

17
refpolicy/policy/modules/kernel/corenetwork.if.in
View File

@ -1,16 +1,13 @@
## <module name="corenetwork">
## <summary>Policy controlling access to network objects</summary> ## <summary>Policy controlling access to network objects</summary>
######################################## ########################################
## <interface name="corenet_tcp_sendrecv_generic_if"> ## <desc>
## <desc> ## Send and receive TCP network traffic on the general interfaces.
## Send and receive TCP network traffic on the general interfaces. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="both" weight="10"/>
## <infoflow type="both" weight="10"/>
## </interface>
# #
interface(`corenet_tcp_sendrecv_generic_if',` interface(`corenet_tcp_sendrecv_generic_if',`
gen_require(` gen_require(`

352
refpolicy/policy/modules/kernel/corenetwork.if.m4
View File

@ -6,15 +6,13 @@
define(`create_netif_interfaces',`` define(`create_netif_interfaces',``
######################################## ########################################
## <interface name="corenet_tcp_sendrecv_$1"> ## <desc>
## <desc> ## Send and receive TCP network traffic on the $1 interface.
## Send and receive TCP network traffic on the $1 interface. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="both" weight="10"/>
## <infoflow type="both" weight="10"/>
## </interface>
# #
interface(`corenet_tcp_sendrecv_$1',` interface(`corenet_tcp_sendrecv_$1',`
gen_require(` gen_require(`
@ -26,15 +24,13 @@ interface(`corenet_tcp_sendrecv_$1',`
') ')
######################################## ########################################
## <interface name="corenet_udp_send_$1"> ## <desc>
## <desc> ## Send UDP network traffic on the $1 interface.
## Send UDP network traffic on the $1 interface. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="write" weight="10"/>
## <infoflow type="write" weight="10"/>
## </interface>
# #
interface(`corenet_udp_send_$1',` interface(`corenet_udp_send_$1',`
gen_require(` gen_require(`
@ -46,15 +42,13 @@ interface(`corenet_udp_send_$1',`
') ')
######################################## ########################################
## <interface name="corenet_udp_receive_$1"> ## <desc>
## <desc> ## Receive UDP network traffic on the $1 interface.
## Receive UDP network traffic on the $1 interface. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="read" weight="10"/>
## <infoflow type="read" weight="10"/>
## </interface>
# #
interface(`corenet_udp_receive_$1',` interface(`corenet_udp_receive_$1',`
gen_require(` gen_require(`
@ -66,15 +60,13 @@ interface(`corenet_udp_receive_$1',`
') ')
######################################## ########################################
## <interface name="corenetwork_sendrecv_udp_on_$1_interface"> ## <desc>
## <desc> ## Send and receive UDP network traffic on the $1 interface.
## Send and receive UDP network traffic on the $1 interface. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="both" weight="10"/>
## <infoflow type="both" weight="10"/>
## </interface>
# #
interface(`corenet_udp_sendrecv_$1',` interface(`corenet_udp_sendrecv_$1',`
corenet_udp_send_$1(dollarsone) corenet_udp_send_$1(dollarsone)
@ -82,15 +74,13 @@ interface(`corenet_udp_sendrecv_$1',`
') ')
######################################## ########################################
## <interface name="corenet_raw_send_$1"> ## <desc>
## <desc> ## Send raw IP packets on the $1 interface.
## Send raw IP packets on the $1 interface. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="write" weight="10"/>
## <infoflow type="write" weight="10"/>
## </interface>
# #
interface(`corenet_raw_send_$1',` interface(`corenet_raw_send_$1',`
gen_require(` gen_require(`
@ -104,15 +94,13 @@ interface(`corenet_raw_send_$1',`
') ')
######################################## ########################################
## <interface name="corenet_raw_receive_$1"> ## <desc>
## <desc> ## Receive raw IP packets on the $1 interface.
## Receive raw IP packets on the $1 interface. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="read" weight="10"/>
## <infoflow type="read" weight="10"/>
## </interface>
# #
interface(`corenet_raw_receive_$1',` interface(`corenet_raw_receive_$1',`
gen_require(` gen_require(`
@ -124,15 +112,13 @@ interface(`corenet_raw_receive_$1',`
') ')
######################################## ########################################
## <interface name="corenet_raw_sendrecv_$1"> ## <desc>
## <desc> ## Send and receive raw IP packets on the $1 interface.
## Send and receive raw IP packets on the $1 interface. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="both" weight="10"/>
## <infoflow type="both" weight="10"/>
## </interface>
# #
interface(`corenet_raw_sendrecv_$1',` interface(`corenet_raw_sendrecv_$1',`
corenet_raw_send_$1(dollarsone) corenet_raw_send_$1(dollarsone)
@ -148,15 +134,13 @@ interface(`corenet_raw_sendrecv_$1',`
define(`create_node_interfaces',`` define(`create_node_interfaces',``
######################################## ########################################
## <interface name="corenet_tcp_sendrecv_$1_node"> ## <desc>
## <desc> ## Send and receive TCP traffic on the $1 node.
## Send and receive TCP traffic on the $1 node. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="both" weight="10"/>
## <infoflow type="both" weight="10"/>
## </interface>
# #
interface(`corenet_tcp_sendrecv_$1_node',` interface(`corenet_tcp_sendrecv_$1_node',`
gen_require(` gen_require(`
@ -168,15 +152,13 @@ interface(`corenet_tcp_sendrecv_$1_node',`
') ')
######################################## ########################################
## <interface name="corenet_udp_send_$1_node"> ## <desc>
## <desc> ## Send UDP traffic on the $1 node.
## Send UDP traffic on the $1 node. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="write" weight="10"/>
## <infoflow type="write" weight="10"/>
## </interface>
# #
interface(`corenet_udp_send_$1_node',` interface(`corenet_udp_send_$1_node',`
gen_require(` gen_require(`
@ -188,15 +170,13 @@ interface(`corenet_udp_send_$1_node',`
') ')
######################################## ########################################
## <interface name="corenet_udp_receive_$1_node"> ## <desc>
## <desc> ## Receive UDP traffic on the $1 node.
## Receive UDP traffic on the $1 node. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="read" weight="10"/>
## <infoflow type="read" weight="10"/>
## </interface>
# #
interface(`corenet_udp_receive_$1_node',` interface(`corenet_udp_receive_$1_node',`
gen_require(` gen_require(`
@ -208,15 +188,13 @@ interface(`corenet_udp_receive_$1_node',`
') ')
######################################## ########################################
## <interface name="corenet_udp_sendrecv_$1_node"> ## <desc>
## <desc> ## Send and receive UDP traffic on the $1 node.
## Send and receive UDP traffic on the $1 node. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="both" weight="10"/>
## <infoflow type="both" weight="10"/>
## </interface>
# #
interface(`corenet_udp_sendrecv_$1_node',` interface(`corenet_udp_sendrecv_$1_node',`
corenet_udp_send_$1_node(dollarsone) corenet_udp_send_$1_node(dollarsone)
@ -224,15 +202,13 @@ interface(`corenet_udp_sendrecv_$1_node',`
') ')
######################################## ########################################
## <interface name="corenet_raw_send_$1_node"> ## <desc>
## <desc> ## Send raw IP packets on the $1 node.
## Send raw IP packets on the $1 node. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="write" weight="10"/>
## <infoflow type="write" weight="10"/>
## </interface>
# #
interface(`corenet_raw_send_$1_node',` interface(`corenet_raw_send_$1_node',`
gen_require(` gen_require(`
@ -244,15 +220,13 @@ interface(`corenet_raw_send_$1_node',`
') ')
######################################## ########################################
## <interface name="corenet_raw_receive_$1_node"> ## <desc>
## <desc> ## Receive raw IP packets on the $1 node.
## Receive raw IP packets on the $1 node. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="write" weight="10"/>
## <infoflow type="write" weight="10"/>
## </interface>
# #
interface(`corenet_raw_receive_$1_node',` interface(`corenet_raw_receive_$1_node',`
gen_require(` gen_require(`
@ -264,15 +238,13 @@ interface(`corenet_raw_receive_$1_node',`
') ')
######################################## ########################################
## <interface name="corenet_raw_sendrecv_$1_node"> ## <desc>
## <desc> ## Send and receive raw IP packets on the $1 node.
## Send and receive raw IP packets on the $1 node. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="both" weight="10"/>
## <infoflow type="both" weight="10"/>
## </interface>
# #
interface(`corenet_raw_sendrecv_$1_node',` interface(`corenet_raw_sendrecv_$1_node',`
corenet_raw_send_$1_node(dollarsone) corenet_raw_send_$1_node(dollarsone)
@ -280,15 +252,13 @@ interface(`corenet_raw_sendrecv_$1_node',`
') ')
######################################## ########################################
## <interface name="corenet_tcp_bind_$1_node"> ## <desc>
## <desc> ## Bind TCP sockets to node $1.
## Bind TCP sockets to node $1. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="none"/>
## <infoflow type="none"/>
## </interface>
# #
interface(`corenet_tcp_bind_$1_node',` interface(`corenet_tcp_bind_$1_node',`
gen_require(` gen_require(`
@ -300,15 +270,13 @@ interface(`corenet_tcp_bind_$1_node',`
') ')
######################################## ########################################
## <interface name="corenet_udp_bind_$1_node"> ## <desc>
## <desc> ## Bind UDP sockets to the $1 node.
## Bind UDP sockets to the $1 node. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="none"/>
## <infoflow type="none"/>
## </interface>
# #
interface(`corenet_udp_bind_$1_node',` interface(`corenet_udp_bind_$1_node',`
gen_require(` gen_require(`
@ -328,15 +296,13 @@ interface(`corenet_udp_bind_$1_node',`
define(`create_port_interfaces',`` define(`create_port_interfaces',``
######################################## ########################################
## <interface name="corenet_tcp_sendrecv_$1_port"> ## <desc>
## <desc> ## Send and receive TCP traffic on the $1 port.
## Send and receive TCP traffic on the $1 port. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="both" weight="10"/>
## <infoflow type="both" weight="10"/>
## </interface>
# #
interface(`corenet_tcp_sendrecv_$1_port',` interface(`corenet_tcp_sendrecv_$1_port',`
gen_require(` gen_require(`
@ -348,15 +314,13 @@ interface(`corenet_tcp_sendrecv_$1_port',`
') ')
######################################## ########################################
## <interface name="corenet_udp_send_$1_port"> ## <desc>
## <desc> ## Send UDP traffic on the $1 port.
## Send UDP traffic on the $1 port. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="write" weight="10"/>
## <infoflow type="write" weight="10"/>
## </interface>
# #
interface(`corenet_udp_send_$1_port',` interface(`corenet_udp_send_$1_port',`
gen_require(` gen_require(`
@ -368,15 +332,13 @@ interface(`corenet_udp_send_$1_port',`
') ')
######################################## ########################################
## <interface name="corenet_udp_receive_$1_port"> ## <desc>
## <desc> ## Receive UDP traffic on the $1 port.
## Receive UDP traffic on the $1 port. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="read" weight="10"/>
## <infoflow type="read" weight="10"/>
## </interface>
# #
interface(`corenet_udp_receive_$1_port',` interface(`corenet_udp_receive_$1_port',`
gen_require(` gen_require(`
@ -388,15 +350,13 @@ interface(`corenet_udp_receive_$1_port',`
') ')
######################################## ########################################
## <interface name="corenetwork_sendrecv_udp_on_$1_port"> ## <desc>
## <desc> ## Send and receive UDP traffic on the $1 port.
## Send and receive UDP traffic on the $1 port. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="both" weight="10"/>
## <infoflow type="both" weight="10"/>
## </interface>
# #
interface(`corenet_udp_sendrecv_$1_port',` interface(`corenet_udp_sendrecv_$1_port',`
corenet_udp_send_$1_port(dollarsone) corenet_udp_send_$1_port(dollarsone)
@ -404,15 +364,13 @@ interface(`corenet_udp_sendrecv_$1_port',`
') ')
######################################## ########################################
## <interface name="corenet_tcp_bind_$1_port"> ## <desc>
## <desc> ## Bind TCP sockets to the $1 port.
## Bind TCP sockets to the $1 port. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="none"/>
## <infoflow type="none"/>
## </interface>
# #
interface(`corenet_tcp_bind_$1_port',` interface(`corenet_tcp_bind_$1_port',`
gen_require(` gen_require(`
@ -425,15 +383,13 @@ interface(`corenet_tcp_bind_$1_port',`
') ')
######################################## ########################################
## <interface name="corenet_udp_bind_$1_port"> ## <desc>
## <desc> ## Bind UDP sockets to the $1 port.
## Bind UDP sockets to the $1 port. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <infoflow type="none"/>
## <infoflow type="none"/>
## </interface>
# #
interface(`corenet_udp_bind_$1_port',` interface(`corenet_udp_bind_$1_port',`
gen_require(` gen_require(`

1384
refpolicy/policy/modules/kernel/devices.if
View File

File diff suppressed because it is too large Load Diff

1364
refpolicy/policy/modules/kernel/filesystem.if
View File

File diff suppressed because it is too large Load Diff

730
refpolicy/policy/modules/kernel/kernel.if
View File

File diff suppressed because it is too large Load Diff

1
refpolicy/policy/modules/kernel/metadata.xml
View File

@ -1 +0,0 @@
<layer name="kernel">

164
refpolicy/policy/modules/kernel/selinux.if
View File

@ -1,17 +1,14 @@
## <module name="selinux">
## <summary> ## <summary>
## Policy for kernel security interface, in particular, selinuxfs. ## Policy for kernel security interface, in particular, selinuxfs.
## </summary> ## </summary>
######################################## ########################################
## <interface name="selinux_get_fs_mount"> ## <desc>
## <desc> ## Gets the caller the mountpoint of the selinuxfs filesystem.
## Gets the caller the mountpoint of the selinuxfs filesystem. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The process type requesting the selinuxfs mountpoint.
## The process type requesting the selinuxfs mountpoint. ## </param>
## </param>
## </interface>
# #
interface(`selinux_get_fs_mount',` interface(`selinux_get_fs_mount',`
# read /proc/filesystems to see if selinuxfs is supported # read /proc/filesystems to see if selinuxfs is supported
@ -20,15 +17,13 @@ interface(`selinux_get_fs_mount',`
') ')
######################################## ########################################
## <interface name="selinux_get_enforce_mode"> ## <desc>
## <desc> ## Allows the caller to get the mode of policy enforcement
## Allows the caller to get the mode of policy enforcement ## (enforcing or permissive mode).
## (enforcing or permissive mode). ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The process type to allow to get the enforcing mode.
## The process type to allow to get the enforcing mode. ## </param>
## </param>
## </interface>
# #
interface(`selinux_get_enforce_mode',` interface(`selinux_get_enforce_mode',`
gen_require(` gen_require(`
@ -42,15 +37,13 @@ interface(`selinux_get_enforce_mode',`
') ')
######################################## ########################################
## <interface name="selinux_set_enforce_mode"> ## <desc>
## <desc> ## Allow caller to set the mode of policy enforcement
## Allow caller to set the mode of policy enforcement ## (enforcing or permissive mode).
## (enforcing or permissive mode). ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The process type to allow to set the enforcement mode.
## The process type to allow to set the enforcement mode. ## </param>
## </param>
## </interface>
# #
interface(`selinux_set_enforce_mode',` interface(`selinux_set_enforce_mode',`
gen_require(` gen_require(`
@ -69,14 +62,12 @@ interface(`selinux_set_enforce_mode',`
') ')
######################################## ########################################
## <interface name="selinux_load_policy"> ## <desc>
## <desc> ## Allow caller to load the policy into the kernel.
## Allow caller to load the policy into the kernel. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The process type that will load the policy.
## The process type that will load the policy. ## </param>
## </param>
## </interface>
# #
interface(`selinux_load_policy',` interface(`selinux_load_policy',`
gen_require(` gen_require(`
@ -95,18 +86,16 @@ interface(`selinux_load_policy',`
') ')
######################################## ########################################
## <interface name="selinux_set_boolean"> ## <desc>
## <desc> ## Allow caller to set the state of Booleans to
## Allow caller to set the state of Booleans to ## enable or disable conditional portions of the policy.
## enable or disable conditional portions of the policy. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The process type allowed to set the Boolean.
## The process type allowed to set the Boolean. ## </param>
## </param> ## <param name="booltype" optional="true">
## <param name="booltype" optional="true"> ## The type of Booleans the caller is allowed to set.
## The type of Booleans the caller is allowed to set. ## </param>
## </param>
## </interface>
# #
interface(`selinux_set_boolean',` interface(`selinux_set_boolean',`
gen_require(` gen_require(`
@ -130,14 +119,12 @@ interface(`selinux_set_boolean',`
') ')
######################################## ########################################
## <interface name="selinux_set_parameters"> ## <desc>
## <desc> ## Allow caller to set selinux security parameters.
## Allow caller to set selinux security parameters. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The process type to allow to set security parameters.
## The process type to allow to set security parameters. ## </param>
## </param>
## </interface>
# #
interface(`selinux_set_parameters',` interface(`selinux_set_parameters',`
gen_require(` gen_require(`
@ -156,14 +143,12 @@ interface(`selinux_set_parameters',`
') ')
######################################## ########################################
## <interface name="selinux_validate_context"> ## <desc>
## <desc> ## Allows caller to validate security contexts.
## Allows caller to validate security contexts. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The process type permitted to validate contexts.
## The process type permitted to validate contexts. ## </param>
## </param>
## </interface>
# #
interface(`selinux_validate_context',` interface(`selinux_validate_context',`
gen_require(` gen_require(`
@ -179,14 +164,12 @@ interface(`selinux_validate_context',`
') ')
######################################## ########################################
## <interface name="selinux_compute_access_vector"> ## <desc>
## <desc> ## Allows caller to compute an access vector.
## Allows caller to compute an access vector. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The process type allowed to compute an access vector.
## The process type allowed to compute an access vector. ## </param>
## </param>
## </interface>
# #
interface(`selinux_compute_access_vector',` interface(`selinux_compute_access_vector',`
gen_require(` gen_require(`
@ -202,14 +185,12 @@ interface(`selinux_compute_access_vector',`
') ')
######################################## ########################################
## <interface name="selinux_compute_create_context"> ## <desc>
## <desc>
## ##
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## ##
## </param> ## </param>
## </interface>
# #
interface(`selinux_compute_create_context',` interface(`selinux_compute_create_context',`
gen_require(` gen_require(`
@ -225,14 +206,12 @@ interface(`selinux_compute_create_context',`
') ')
######################################## ########################################
## <interface name="selinux_compute_relabel_context"> ## <desc>
## <desc>
## ##
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The process type to ## The process type to
## </param> ## </param>
## </interface>
# #
interface(`selinux_compute_relabel_context',` interface(`selinux_compute_relabel_context',`
gen_require(` gen_require(`
@ -248,14 +227,12 @@ interface(`selinux_compute_relabel_context',`
') ')
######################################## ########################################
## <interface name="selinux_compute_user_contexts"> ## <desc>
## <desc> ## Allows caller to compute possible contexts for a user.
## Allows caller to compute possible contexts for a user. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The process type allowed to compute user contexts.
## The process type allowed to compute user contexts. ## </param>
## </param>
## </interface>
# #
interface(`selinux_compute_user_contexts',` interface(`selinux_compute_user_contexts',`
gen_require(` gen_require(`
@ -270,4 +247,3 @@ interface(`selinux_compute_user_contexts',`
allow $1 security_t:security compute_user; allow $1 security_t:security compute_user;
') ')
## </module>

454
refpolicy/policy/modules/kernel/storage.if
View File

@ -1,16 +1,13 @@
## <module name="storage">
## <summary>Policy controlling access to storage devices</summary> ## <summary>Policy controlling access to storage devices</summary>
######################################## ########################################
## <interface name="storage_getattr_fixed_disk"> ## <desc>
## <desc> ## Allow the caller to get the attributes of fixed disk
## Allow the caller to get the attributes of fixed disk ## device nodes.
## device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_getattr_fixed_disk',` interface(`storage_getattr_fixed_disk',`
gen_require(` gen_require(`
@ -23,15 +20,13 @@ interface(`storage_getattr_fixed_disk',`
') ')
######################################## ########################################
## <interface name="storage_dontaudit_getattr_fixed_disk"> ## <desc>
## <desc> ## Do not audit attempts made by the caller to get
## Do not audit attempts made by the caller to get ## the attributes of fixed disk device nodes.
## the attributes of fixed disk device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process to not audit.
## The type of the process to not audit. ## </param>
## </param>
## </interface>
# #
interface(`storage_dontaudit_getattr_fixed_disk',` interface(`storage_dontaudit_getattr_fixed_disk',`
gen_require(` gen_require(`
@ -43,15 +38,13 @@ interface(`storage_dontaudit_getattr_fixed_disk',`
') ')
######################################## ########################################
## <interface name="storage_setattr_fixed_disk"> ## <desc>
## <desc> ## Allow the caller to set the attributes of fixed disk
## Allow the caller to set the attributes of fixed disk ## device nodes.
## device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_setattr_fixed_disk',` interface(`storage_setattr_fixed_disk',`
gen_require(` gen_require(`
@ -64,15 +57,13 @@ interface(`storage_setattr_fixed_disk',`
') ')
######################################## ########################################
## <interface name="storage_dontaudit_setattr_fixed_disk"> ## <desc>
## <desc> ## Do not audit attempts made by the caller to set
## Do not audit attempts made by the caller to set ## the attributes of fixed disk device nodes.
## the attributes of fixed disk device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process to not audit.
## The type of the process to not audit. ## </param>
## </param>
## </interface>
# #
interface(`storage_dontaudit_setattr_fixed_disk',` interface(`storage_dontaudit_setattr_fixed_disk',`
gen_require(` gen_require(`
@ -84,17 +75,15 @@ interface(`storage_dontaudit_setattr_fixed_disk',`
') ')
######################################## ########################################
## <interface name="storage_raw_read_fixed_disk"> ## <desc>
## <desc> ## Allow the caller to directly read from a fixed disk.
## Allow the caller to directly read from a fixed disk. ## This is extremly dangerous as it can bypass the
## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and
## SELinux protections for filesystem objects, and ## should only be used by trusted domains.
## should only be used by trusted domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_raw_read_fixed_disk',` interface(`storage_raw_read_fixed_disk',`
gen_require(` gen_require(`
@ -109,17 +98,15 @@ interface(`storage_raw_read_fixed_disk',`
') ')
######################################## ########################################
## <interface name="storage_raw_write_fixed_disk"> ## <desc>
## <desc> ## Allow the caller to directly write to a fixed disk.
## Allow the caller to directly write to a fixed disk. ## This is extremly dangerous as it can bypass the
## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and
## SELinux protections for filesystem objects, and ## should only be used by trusted domains.
## should only be used by trusted domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_raw_write_fixed_disk',` interface(`storage_raw_write_fixed_disk',`
gen_require(` gen_require(`
@ -134,14 +121,12 @@ interface(`storage_raw_write_fixed_disk',`
') ')
######################################## ########################################
## <interface name="storage_create_fixed_disk"> ## <desc>
## <desc> ## Create block devices in /dev with the fixed disk type.
## Create block devices in /dev with the fixed disk type. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_create_fixed_disk_dev_entry',` interface(`storage_create_fixed_disk_dev_entry',`
gen_require(` gen_require(`
@ -156,14 +141,12 @@ interface(`storage_create_fixed_disk_dev_entry',`
') ')
######################################## ########################################
## <interface name="storage_manage_fixed_disk"> ## <desc>
## <desc> ## Create, read, write, and delete fixed disk device nodes.
## Create, read, write, and delete fixed disk device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_manage_fixed_disk',` interface(`storage_manage_fixed_disk',`
gen_require(` gen_require(`
@ -178,17 +161,15 @@ interface(`storage_manage_fixed_disk',`
') ')
######################################## ########################################
## <interface name="storage_raw_read_lvm_volume"> ## <desc>
## <desc> ## Allow the caller to directly read from a logical volume.
## Allow the caller to directly read from a logical volume. ## This is extremly dangerous as it can bypass the
## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and
## SELinux protections for filesystem objects, and ## should only be used by trusted domains.
## should only be used by trusted domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_raw_read_lvm_volume',` interface(`storage_raw_read_lvm_volume',`
gen_require(` gen_require(`
@ -203,17 +184,15 @@ interface(`storage_raw_read_lvm_volume',`
') ')
######################################## ########################################
## <interface name="storage_raw_write_lvm_volume"> ## <desc>
## <desc> ## Allow the caller to directly read from a logical volume.
## Allow the caller to directly read from a logical volume. ## This is extremly dangerous as it can bypass the
## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and
## SELinux protections for filesystem objects, and ## should only be used by trusted domains.
## should only be used by trusted domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_raw_write_lvm_volume',` interface(`storage_raw_write_lvm_volume',`
gen_require(` gen_require(`
@ -228,15 +207,13 @@ interface(`storage_raw_write_lvm_volume',`
') ')
######################################## ########################################
## <interface name="storage_getattr_scsi_generic"> ## <desc>
## <desc> ## Allow the caller to get the attributes of
## Allow the caller to get the attributes of ## the generic SCSI interface device nodes.
## the generic SCSI interface device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_getattr_scsi_generic',` interface(`storage_getattr_scsi_generic',`
gen_require(` gen_require(`
@ -249,15 +226,13 @@ interface(`storage_getattr_scsi_generic',`
') ')
######################################## ########################################
## <interface name="storage_setattr_scsi_generic"> ## <desc>
## <desc> ## Allow the caller to set the attributes of
## Allow the caller to set the attributes of ## the generic SCSI interface device nodes.
## the generic SCSI interface device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_setattr_scsi_generic',` interface(`storage_setattr_scsi_generic',`
gen_require(` gen_require(`
@ -270,18 +245,16 @@ interface(`storage_setattr_scsi_generic',`
') ')
######################################## ########################################
## <interface name="storage_read_scsi_generic"> ## <desc>
## <desc> ## Allow the caller to directly read, in a
## Allow the caller to directly read, in a ## generic fashion, from any SCSI device.
## generic fashion, from any SCSI device. ## This is extremly dangerous as it can bypass the
## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and
## SELinux protections for filesystem objects, and ## should only be used by trusted domains.
## should only be used by trusted domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_read_scsi_generic',` interface(`storage_read_scsi_generic',`
gen_require(` gen_require(`
@ -296,18 +269,16 @@ interface(`storage_read_scsi_generic',`
') ')
######################################## ########################################
## <interface name="storage_write_scsi_generic"> ## <desc>
## <desc> ## Allow the caller to directly write, in a
## Allow the caller to directly write, in a ## generic fashion, from any SCSI device.
## generic fashion, from any SCSI device. ## This is extremly dangerous as it can bypass the
## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and
## SELinux protections for filesystem objects, and ## should only be used by trusted domains.
## should only be used by trusted domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_write_scsi_generic',` interface(`storage_write_scsi_generic',`
gen_require(` gen_require(`
@ -322,15 +293,13 @@ interface(`storage_write_scsi_generic',`
') ')
######################################## ########################################
## <interface name="storage_getattr_scsi_generic"> ## <desc>
## <desc> ## Get attributes of the device nodes
## Get attributes of the device nodes ## for the SCSI generic inerface.
## for the SCSI generic inerface. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_getattr_scsi_generic',` interface(`storage_getattr_scsi_generic',`
gen_require(` gen_require(`
@ -343,15 +312,13 @@ interface(`storage_getattr_scsi_generic',`
') ')
######################################## ########################################
## <interface name="storage_setattr_scsi_generic"> ## <desc>
## <desc> ## Set attributes of the device nodes
## Set attributes of the device nodes ## for the SCSI generic inerface.
## for the SCSI generic inerface. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_set_scsi_generic_attributes',` interface(`storage_set_scsi_generic_attributes',`
gen_require(` gen_require(`
@ -364,15 +331,13 @@ interface(`storage_set_scsi_generic_attributes',`
') ')
######################################## ########################################
## <interface name="storage_getattr_removable_device"> ## <desc>
## <desc> ## Allow the caller to get the attributes of removable
## Allow the caller to get the attributes of removable ## devices device nodes.
## devices device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_getattr_removable_device',` interface(`storage_getattr_removable_device',`
gen_require(` gen_require(`
@ -385,15 +350,13 @@ interface(`storage_getattr_removable_device',`
') ')
######################################## ########################################
## <interface name="storage_dontaudit_getattr_removable_device"> ## <desc>
## <desc> ## Do not audit attempts made by the caller to get
## Do not audit attempts made by the caller to get ## the attributes of removable devices device nodes.
## the attributes of removable devices device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process to not audit.
## The type of the process to not audit. ## </param>
## </param>
## </interface>
# #
interface(`storage_dontaudit_getattr_removable_device',` interface(`storage_dontaudit_getattr_removable_device',`
gen_require(` gen_require(`
@ -405,15 +368,13 @@ interface(`storage_dontaudit_getattr_removable_device',`
') ')
######################################## ########################################
## <interface name="storage_setattr_removable_device"> ## <desc>
## <desc> ## Allow the caller to set the attributes of removable
## Allow the caller to set the attributes of removable ## devices device nodes.
## devices device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_setattr_removable_device',` interface(`storage_setattr_removable_device',`
gen_require(` gen_require(`
@ -426,15 +387,13 @@ interface(`storage_setattr_removable_device',`
') ')
######################################## ########################################
## <interface name="storage_dontaudit_setattr_removable_device"> ## <desc>
## <desc> ## Do not audit attempts made by the caller to set
## Do not audit attempts made by the caller to set ## the attributes of removable devices device nodes.
## the attributes of removable devices device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process to not audit.
## The type of the process to not audit. ## </param>
## </param>
## </interface>
# #
interface(`storage_dontaudit_setattr_removable_device',` interface(`storage_dontaudit_setattr_removable_device',`
gen_require(` gen_require(`
@ -446,18 +405,16 @@ interface(`storage_dontaudit_setattr_removable_device',`
') ')
######################################## ########################################
## <interface name="storage_raw_read_removable_device"> ## <desc>
## <desc> ## Allow the caller to directly read from
## Allow the caller to directly read from ## a removable device.
## a removable device. ## This is extremly dangerous as it can bypass the
## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and
## SELinux protections for filesystem objects, and ## should only be used by trusted domains.
## should only be used by trusted domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_raw_read_removable_device',` interface(`storage_raw_read_removable_device',`
gen_require(` gen_require(`
@ -470,18 +427,16 @@ interface(`storage_raw_read_removable_device',`
') ')
######################################## ########################################
## <interface name="storage_raw_write_removable_device"> ## <desc>
## <desc> ## Allow the caller to directly write to
## Allow the caller to directly write to ## a removable device.
## a removable device. ## This is extremly dangerous as it can bypass the
## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and
## SELinux protections for filesystem objects, and ## should only be used by trusted domains.
## should only be used by trusted domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_raw_write_removable_device',` interface(`storage_raw_write_removable_device',`
gen_require(` gen_require(`
@ -494,15 +449,13 @@ interface(`storage_raw_write_removable_device',`
') ')
######################################## ########################################
## <interface name="storage_read_tape_device"> ## <desc>
## <desc> ## Allow the caller to directly read
## Allow the caller to directly read ## a tape device.
## a tape device. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_read_tape_device',` interface(`storage_read_tape_device',`
gen_require(` gen_require(`
@ -515,15 +468,13 @@ interface(`storage_read_tape_device',`
') ')
######################################## ########################################
## <interface name="storage_write_tape_device"> ## <desc>
## <desc> ## Allow the caller to directly read
## Allow the caller to directly read ## a tape device.
## a tape device. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_write_tape_device',` interface(`storage_write_tape_device',`
gen_require(` gen_require(`
@ -536,15 +487,13 @@ interface(`storage_write_tape_device',`
') ')
######################################## ########################################
## <interface name="storage_getattr_tape_device"> ## <desc>
## <desc> ## Allow the caller to get the attributes
## Allow the caller to get the attributes ## of device nodes of tape devices.
## of device nodes of tape devices. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_getattr_tape_device',` interface(`storage_getattr_tape_device',`
gen_require(` gen_require(`
@ -557,15 +506,13 @@ interface(`storage_getattr_tape_device',`
') ')
######################################## ########################################
## <interface name="storage_setattr_tape_device"> ## <desc>
## <desc> ## Allow the caller to set the attributes
## Allow the caller to set the attributes ## of device nodes of tape devices.
## of device nodes of tape devices. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`storage_setattr_tape_device',` interface(`storage_setattr_tape_device',`
gen_require(` gen_require(`
@ -577,4 +524,3 @@ interface(`storage_setattr_tape_device',`
allow $1 tape_device_t:blk_file setattr; allow $1 tape_device_t:blk_file setattr;
') ')
## </module>

548
refpolicy/policy/modules/kernel/terminal.if
View File

@ -1,15 +1,12 @@
## <module name="terminal">
## <summary>Policy for terminals.</summary> ## <summary>Policy for terminals.</summary>
######################################## ########################################
## <interface name="term_pty"> ## <desc>
## <desc> ## Transform specified type into a pty type.
## Transform specified type into a pty type. ## </desc>
## </desc> ## <param name="pty_type">
## <param name="pty_type"> ## An object type that will applied to a pty.
## An object type that will applied to a pty. ## </param>
## </param>
## </interface>
# #
interface(`term_pty',` interface(`term_pty',`
gen_require(` gen_require(`
@ -23,20 +20,18 @@ interface(`term_pty',`
') ')
######################################## ########################################
## <interface name="term_user_pty"> ## <desc>
## <desc> ## Transform specified type into an user
## Transform specified type into an user ## pty type. This allows it to be relabeled via
## pty type. This allows it to be relabeled via ## type change by login programs such as ssh.
## type change by login programs such as ssh. ## </desc>
## </desc> ## <param name="userdomain">
## <param name="userdomain"> ## The type of the user domain associated with
## The type of the user domain associated with ## this pty.
## this pty. ## </param>
## </param> ## <param name="object_type">
## <param name="object_type"> ## An object type that will applied to a pty.
## An object type that will applied to a pty. ## </param>
## </param>
## </interface>
# #
interface(`term_user_pty',` interface(`term_user_pty',`
gen_require(` gen_require(`
@ -48,15 +43,13 @@ interface(`term_user_pty',`
') ')
######################################## ########################################
## <interface name="term_login_pty"> ## <desc>
## <desc> ## Transform specified type into a pty type
## Transform specified type into a pty type ## used by login programs, such as sshd.
## used by login programs, such as sshd. ## </desc>
## </desc> ## <param name="pty_type">
## <param name="pty_type"> ## An object type that will applied to a pty.
## An object type that will applied to a pty. ## </param>
## </param>
## </interface>
# #
interface(`term_login_pty',` interface(`term_login_pty',`
gen_require(` gen_require(`
@ -68,14 +61,12 @@ interface(`term_login_pty',`
') ')
######################################## ########################################
## <interface name="term_tty"> ## <desc>
## <desc> ## Transform specified type into a tty type.
## Transform specified type into a tty type. ## </desc>
## </desc> ## <param name="tty_type">
## <param name="tty_type"> ## An object type that will applied to a tty.
## An object type that will applied to a tty. ## </param>
## </param>
## </interface>
# #
interface(`term_tty',` interface(`term_tty',`
gen_require(` gen_require(`
@ -98,17 +89,15 @@ interface(`term_tty',`
') ')
######################################## ########################################
## <interface name="term_create_pty"> ## <desc>
## <desc> ## Create a pty in the /dev/pts directory.
## Create a pty in the /dev/pts directory. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process creating the pty.
## The type of the process creating the pty. ## </param>
## </param> ## <param name="pty_type">
## <param name="pty_type"> ## The type of the pty.
## The type of the pty. ## </param>
## </param>
## </interface>
# #
interface(`term_create_pty',` interface(`term_create_pty',`
gen_require(` gen_require(`
@ -128,15 +117,13 @@ interface(`term_create_pty',`
') ')
######################################## ########################################
## <interface name="term_use_all_terms"> ## <desc>
## <desc> ## Read and write the console, all
## Read and write the console, all ## ttys and all ptys.
## ttys and all ptys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_use_all_terms',` interface(`term_use_all_terms',`
gen_require(` gen_require(`
@ -152,14 +139,12 @@ interface(`term_use_all_terms',`
') ')
######################################## ########################################
## <interface name="term_write_console"> ## <desc>
## <desc> ## Write to the console.
## Write to the console. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_write_console',` interface(`term_write_console',`
gen_require(` gen_require(`
@ -172,14 +157,12 @@ interface(`term_write_console',`
') ')
######################################## ########################################
## <interface name="term_use_console"> ## <desc>
## <desc> ## Read from and write to the console.
## Read from and write to the console. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_use_console',` interface(`term_use_console',`
gen_require(` gen_require(`
@ -192,15 +175,13 @@ interface(`term_use_console',`
') ')
######################################## ########################################
## <interface name="term_dontaudit_use_console"> ## <desc>
## <desc> ## Do not audit attemtps to read from
## Do not audit attemtps to read from ## or write to the console.
## or write to the console. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_dontaudit_use_console',` interface(`term_dontaudit_use_console',`
gen_require(` gen_require(`
@ -212,15 +193,13 @@ interface(`term_dontaudit_use_console',`
') ')
######################################## ########################################
## <interface name="term_setattr_console"> ## <desc>
## <desc> ## Set the attributes of the console
## Set the attributes of the console ## device node.
## device node. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_setattr_console',` interface(`term_setattr_console',`
gen_require(` gen_require(`
@ -233,15 +212,13 @@ interface(`term_setattr_console',`
') ')
######################################## ########################################
## <interface name="term_list_ptys"> ## <desc>
## <desc> ## Read the /dev/pts directory to
## Read the /dev/pts directory to ## list all ptys.
## list all ptys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_list_ptys',` interface(`term_list_ptys',`
gen_require(` gen_require(`
@ -254,15 +231,13 @@ interface(`term_list_ptys',`
') ')
######################################## ########################################
## <interface name="term_dontaudit_list_ptys"> ## <desc>
## <desc> ## Do not audit attempts to read the
## Do not audit attempts to read the ## /dev/pts directory to.
## /dev/pts directory to. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process to not audit.
## The type of the process to not audit. ## </param>
## </param>
## </interface>
# #
interface(`term_dontaudit_list_ptys',` interface(`term_dontaudit_list_ptys',`
gen_require(` gen_require(`
@ -274,16 +249,14 @@ interface(`term_dontaudit_list_ptys',`
') ')
######################################## ########################################
## <interface name="term_use_generic_pty"> ## <desc>
## <desc> ## Read and write the generic pty
## Read and write the generic pty ## type. This is generally only used in
## type. This is generally only used in ## the targeted policy.
## the targeted policy. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_use_generic_pty',` interface(`term_use_generic_pty',`
gen_require(` gen_require(`
@ -296,16 +269,14 @@ interface(`term_use_generic_pty',`
') ')
######################################## ########################################
## <interface name="term_dontaudit_use_generic_pty"> ## <desc>
## <desc> ## Dot not audit attempts to read and
## Dot not audit attempts to read and ## write the generic pty type. This is
## write the generic pty type. This is ## generally only used in the targeted policy.
## generally only used in the targeted policy. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process to not audit.
## The type of the process to not audit. ## </param>
## </param>
## </interface>
# #
interface(`term_dontaudit_use_generic_pty',` interface(`term_dontaudit_use_generic_pty',`
gen_require(` gen_require(`
@ -317,15 +288,13 @@ interface(`term_dontaudit_use_generic_pty',`
') ')
######################################## ########################################
## <interface name="term_use_controlling_term"> ## <desc>
## <desc> ## Read and write the controlling
## Read and write the controlling ## terminal (/dev/tty).
## terminal (/dev/tty). ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_use_controlling_term',` interface(`term_use_controlling_term',`
gen_require(` gen_require(`
@ -338,15 +307,13 @@ interface(`term_use_controlling_term',`
') ')
######################################## ########################################
## <interface name="term_dontaudit_use_ptmx"> ## <desc>
## <desc> ## Do not audit attempts to read and
## Do not audit attempts to read and ## write the pty multiplexor (/dev/ptmx).
## write the pty multiplexor (/dev/ptmx). ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process to not audit.
## The type of the process to not audit. ## </param>
## </param>
## </interface>
# #
interface(`term_dontaudit_use_ptmx',` interface(`term_dontaudit_use_ptmx',`
gen_require(` gen_require(`
@ -358,15 +325,13 @@ interface(`term_dontaudit_use_ptmx',`
') ')
######################################## ########################################
## <interface name="term_getattr_all_user_ptys"> ## <desc>
## <desc> ## Get the attributes of all user
## Get the attributes of all user ## pty device nodes.
## pty device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_getattr_all_user_ptys',` interface(`term_getattr_all_user_ptys',`
gen_require(` gen_require(`
@ -381,14 +346,12 @@ interface(`term_getattr_all_user_ptys',`
') ')
######################################## ########################################
## <interface name="term_use_all_user_ptys"> ## <desc>
## <desc> ## Read and write all user ptys.
## Read and write all user ptys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_use_all_user_ptys',` interface(`term_use_all_user_ptys',`
gen_require(` gen_require(`
@ -403,15 +366,13 @@ interface(`term_use_all_user_ptys',`
') ')
######################################## ########################################
## <interface name="term_dontaudit_use_all_user_ptys"> ## <desc>
## <desc> ## Do not audit attempts to read any
## Do not audit attempts to read any ## user ptys.
## user ptys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process to not audit.
## The type of the process to not audit. ## </param>
## </param>
## </interface>
# #
interface(`term_dontaudit_use_all_user_ptys',` interface(`term_dontaudit_use_all_user_ptys',`
gen_require(` gen_require(`
@ -423,15 +384,13 @@ interface(`term_dontaudit_use_all_user_ptys',`
') ')
######################################## ########################################
## <interface name="term_relabel_all_user_ptys"> ## <desc>
## <desc> ## Relabel from and to all user
## Relabel from and to all user ## user pty device nodes.
## user pty device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_relabel_all_user_ptys',` interface(`term_relabel_all_user_ptys',`
gen_require(` gen_require(`
@ -444,15 +403,13 @@ interface(`term_relabel_all_user_ptys',`
') ')
######################################## ########################################
## <interface name="term_getattr_unallocated_ttys"> ## <desc>
## <desc> ## Get the attributes of all unallocated
## Get the attributes of all unallocated ## tty device nodes.
## tty device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_getattr_unallocated_ttys',` interface(`term_getattr_unallocated_ttys',`
gen_require(` gen_require(`
@ -465,15 +422,13 @@ interface(`term_getattr_unallocated_ttys',`
') ')
######################################## ########################################
## <interface name="term_setattr_unallocated_ttys"> ## <desc>
## <desc> ## Set the attributes of all unallocated
## Set the attributes of all unallocated ## tty device nodes.
## tty device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_setattr_unallocated_ttys',` interface(`term_setattr_unallocated_ttys',`
gen_require(` gen_require(`
@ -486,15 +441,13 @@ interface(`term_setattr_unallocated_ttys',`
') ')
######################################## ########################################
## <interface name="term_relabel_unallocated_ttys"> ## <desc>
## <desc> ## Relabel from and to the unallocated
## Relabel from and to the unallocated ## tty type.
## tty type. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_relabel_unallocated_ttys',` interface(`term_relabel_unallocated_ttys',`
gen_require(` gen_require(`
@ -507,15 +460,13 @@ interface(`term_relabel_unallocated_ttys',`
') ')
######################################## ########################################
## <interface name="term_reset_tty_labels"> ## <desc>
## <desc> ## Relabel from all user tty types to
## Relabel from all user tty types to ## the unallocated tty type.
## the unallocated tty type. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_reset_tty_labels',` interface(`term_reset_tty_labels',`
gen_require(` gen_require(`
@ -530,14 +481,12 @@ interface(`term_reset_tty_labels',`
') ')
######################################## ########################################
## <interface name="term_write_unallocated_ttys"> ## <desc>
## <desc> ## Write to unallocated ttys.
## Write to unallocated ttys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_write_unallocated_ttys',` interface(`term_write_unallocated_ttys',`
gen_require(` gen_require(`
@ -550,14 +499,12 @@ interface(`term_write_unallocated_ttys',`
') ')
######################################## ########################################
## <interface name="term_use_unallocated_tty"> ## <desc>
## <desc> ## Read and write unallocated ttys.
## Read and write unallocated ttys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_use_unallocated_tty',` interface(`term_use_unallocated_tty',`
gen_require(` gen_require(`
@ -570,15 +517,13 @@ interface(`term_use_unallocated_tty',`
') ')
######################################## ########################################
## <interface name="term_dontaudit_use_unallocated_tty"> ## <desc>
## <desc> ## Do not audit attempts to read or
## Do not audit attempts to read or ## write unallocated ttys.
## write unallocated ttys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process to not audit.
## The type of the process to not audit. ## </param>
## </param>
## </interface>
# #
interface(`term_dontaudit_use_unallocated_tty',` interface(`term_dontaudit_use_unallocated_tty',`
gen_require(` gen_require(`
@ -590,15 +535,13 @@ interface(`term_dontaudit_use_unallocated_tty',`
') ')
######################################## ########################################
## <interface name="term_getattr_all_user_ttys"> ## <desc>
## <desc> ## Get the attributes of all user tty
## Get the attributes of all user tty ## device nodes.
## device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_getattr_all_user_ttys',` interface(`term_getattr_all_user_ttys',`
gen_require(` gen_require(`
@ -611,16 +554,14 @@ interface(`term_getattr_all_user_ttys',`
') ')
######################################## ########################################
## <interface name="term_dontaudit_getattr_all_user_ttys"> ## <desc>
## <desc> ## Do not audit attempts to get the
## Do not audit attempts to get the ## attributes of any user tty
## attributes of any user tty ## device nodes.
## device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_dontaudit_getattr_all_user_ttys',` interface(`term_dontaudit_getattr_all_user_ttys',`
gen_require(` gen_require(`
@ -633,15 +574,13 @@ interface(`term_dontaudit_getattr_all_user_ttys',`
') ')
######################################## ########################################
## <interface name="term_setattr_all_user_ttys"> ## <desc>
## <desc> ## Set the attributes of all user tty
## Set the attributes of all user tty ## device nodes.
## device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_setattr_all_user_ttys',` interface(`term_setattr_all_user_ttys',`
gen_require(` gen_require(`
@ -654,15 +593,13 @@ interface(`term_setattr_all_user_ttys',`
') ')
######################################## ########################################
## <interface name="term_relabel_all_user_ttys"> ## <desc>
## <desc> ## Relabel from and to all user
## Relabel from and to all user ## user tty device nodes.
## user tty device nodes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_relabel_all_user_ttys',` interface(`term_relabel_all_user_ttys',`
gen_require(` gen_require(`
@ -675,14 +612,12 @@ interface(`term_relabel_all_user_ttys',`
') ')
######################################## ########################################
## <interface name="term_write_all_user_ttys"> ## <desc>
## <desc> ## Write to all user ttys.
## Write to all user ttys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_write_all_user_ttys',` interface(`term_write_all_user_ttys',`
gen_require(` gen_require(`
@ -695,14 +630,12 @@ interface(`term_write_all_user_ttys',`
') ')
######################################## ########################################
## <interface name="term_use_all_user_ttys"> ## <desc>
## <desc> ## Read and write all user to all user ttys.
## Read and write all user to all user ttys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_use_all_user_ttys',` interface(`term_use_all_user_ttys',`
gen_require(` gen_require(`
@ -715,15 +648,13 @@ interface(`term_use_all_user_ttys',`
') ')
######################################## ########################################
## <interface name="term_dontaudit_use_all_user_ttys"> ## <desc>
## <desc> ## Do not audit attempts to read or write
## Do not audit attempts to read or write ## any user ttys.
## any user ttys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`term_dontaudit_use_all_user_ttys',` interface(`term_dontaudit_use_all_user_ttys',`
gen_require(` gen_require(`
@ -734,4 +665,3 @@ interface(`term_dontaudit_use_all_user_ttys',`
dontaudit $1 ttynode:chr_file { read write }; dontaudit $1 ttynode:chr_file { read write };
') ')
## </module>

1
refpolicy/policy/modules/services/metadata.xml
View File

@ -1 +0,0 @@
<layer name="services">

16
refpolicy/policy/modules/services/mta.if
View File

@ -1,4 +1,3 @@
## <module name="mta">
## <summary>Policy common to all email tranfer agents.</summary> ## <summary>Policy common to all email tranfer agents.</summary>
####################################### #######################################
@ -194,14 +193,12 @@ interface(`mta_exec',`
') ')
######################################## ########################################
## <interface name="mta_read_aliases"> ## <desc>
## <desc> ## Read mail address aliases.
## Read mail address aliases. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`mta_read_aliases',` interface(`mta_read_aliases',`
gen_require(` gen_require(`
@ -293,4 +290,3 @@ interface(`mta_manage_queue',`
allow $1 mqueue_spool_t:file create_file_perms; allow $1 mqueue_spool_t:file create_file_perms;
') ')
## </module>

16
refpolicy/policy/modules/services/remotelogin.if
View File

@ -1,15 +1,12 @@
## <module name="remotelogin">
## <summary>Policy for rshd, rlogind, and telnetd.</summary> ## <summary>Policy for rshd, rlogind, and telnetd.</summary>
######################################## ########################################
## <interface name="remotelogin_domtrans"> ## <desc>
## <desc> ## Domain transition to the remote login domain.
## Domain transition to the remote login domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`remotelogin_domtrans',` interface(`remotelogin_domtrans',`
gen_require(` gen_require(`
@ -19,4 +16,3 @@ interface(`remotelogin_domtrans',`
auth_domtrans_login_program($1,remote_login_t) auth_domtrans_login_program($1,remote_login_t)
') ')
## </module>

16
refpolicy/policy/modules/services/sendmail.if
View File

@ -1,15 +1,12 @@
## <module name="sendmail">
## <summary>Policy for sendmail.</summary> ## <summary>Policy for sendmail.</summary>
######################################## ########################################
## <interface name="sendmail_domtrans"> ## <desc>
## <desc> ## Domain transition to sendmail.
## Domain transition to sendmail. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`sendmail_domtrans',` interface(`sendmail_domtrans',`
gen_require(` gen_require(`
@ -29,4 +26,3 @@ interface(`sendmail_domtrans',`
allow sendmail_t $1:process sigchld; allow sendmail_t $1:process sigchld;
') ')
## </module>

262
refpolicy/policy/modules/system/authlogin.if
View File

@ -1,4 +1,3 @@
## <module name="authlogin">
## <summary>Common policy for authentication and user login.</summary> ## <summary>Common policy for authentication and user login.</summary>
####################################### #######################################
@ -89,14 +88,12 @@ interface(`authlogin_per_userdomain_template',`
') dnl end authlogin_per_userdomain_template ') dnl end authlogin_per_userdomain_template
######################################## ########################################
## <interface name="auth_login_entry_type"> ## <desc>
## <desc> ## Use the login program as an entry point program.
## Use the login program as an entry point program. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of process using the login program as entry point.
## The type of process using the login program as entry point. ## </param>
## </param>
## </interface>
# #
interface(`auth_login_entry_type',` interface(`auth_login_entry_type',`
gen_require(` gen_require(`
@ -107,17 +104,15 @@ interface(`auth_login_entry_type',`
') ')
######################################## ########################################
## <interface name="auth_domtrans_login_program"> ## <desc>
## <desc> ## Execute a login_program in the target domain.
## Execute a login_program in the target domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="target_domain">
## <param name="target_domain"> ## The type of the login_program process.
## The type of the login_program process. ## </param>
## </param>
## </interface>
# #
interface(`auth_domtrans_login_program',` interface(`auth_domtrans_login_program',`
gen_require(` gen_require(`
@ -137,14 +132,12 @@ interface(`auth_domtrans_login_program',`
') ')
######################################## ########################################
## <interface name="auth_domtrans_chk_passwd"> ## <desc>
## <desc> ## Run unix_chkpwd to check a password.
## Run unix_chkpwd to check a password. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`auth_domtrans_chk_passwd',` interface(`auth_domtrans_chk_passwd',`
gen_require(` gen_require(`
@ -181,14 +174,12 @@ interface(`auth_domtrans_chk_passwd',`
') ')
######################################## ########################################
## <interface name="auth_dontaudit_getattr_shadow"> ## <desc>
## <desc>
## ##
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`auth_dontaudit_getattr_shadow',` interface(`auth_dontaudit_getattr_shadow',`
gen_require(` gen_require(`
@ -200,14 +191,12 @@ interface(`auth_dontaudit_getattr_shadow',`
') ')
######################################## ########################################
## <interface name="auth_read_shadow"> ## <desc>
## <desc> ## Read the shadow passwords file (/etc/shadow)
## Read the shadow passwords file (/etc/shadow) ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`auth_read_shadow',` interface(`auth_read_shadow',`
gen_require(` gen_require(`
@ -222,15 +211,13 @@ interface(`auth_read_shadow',`
') ')
######################################## ########################################
## <interface name="auth_dontaudit_read_shadow"> ## <desc>
## <desc> ## Do not audit attempts to read the shadow
## Do not audit attempts to read the shadow ## password file (/etc/shadow).
## password file (/etc/shadow). ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the domain to not audit.
## The type of the domain to not audit. ## </param>
## </param>
## </interface>
# #
interface(`auth_dontaudit_read_shadow',` interface(`auth_dontaudit_read_shadow',`
gen_require(` gen_require(`
@ -242,14 +229,12 @@ interface(`auth_dontaudit_read_shadow',`
') ')
######################################## ########################################
## <interface name="auth_rw_shadow"> ## <desc>
## <desc> ## Read and write the shadow password file (/etc/shadow).
## Read and write the shadow password file (/etc/shadow). ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`auth_rw_shadow',` interface(`auth_rw_shadow',`
gen_require(` gen_require(`
@ -325,14 +310,12 @@ interface(`auth_rw_lastlog',`
') ')
######################################## ########################################
## <interface name="auth_domtrans_pam"> ## <desc>
## <desc> ## Execute pam programs in the pam domain.
## Execute pam programs in the pam domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`auth_domtrans_pam',` interface(`auth_domtrans_pam',`
gen_require(` gen_require(`
@ -351,20 +334,18 @@ interface(`auth_domtrans_pam',`
') ')
######################################## ########################################
## <interface name="auth_run_pam"> ## <desc>
## <desc> ## Execute pam programs in the PAM domain.
## Execute pam programs in the PAM domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to allow the PAM domain.
## The role to allow the PAM domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the PAM domain to use.
## The type of the terminal allow the PAM domain to use. ## </param>
## </param>
## </interface>
# #
interface(`auth_run_pam',` interface(`auth_run_pam',`
gen_require(` gen_require(`
@ -378,14 +359,12 @@ interface(`auth_run_pam',`
') ')
######################################## ########################################
## <interface name="auth_exec_pam"> ## <desc>
## <desc> ## Execute the pam program.
## Execute the pam program. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`auth_exec_pam',` interface(`auth_exec_pam',`
gen_require(` gen_require(`
@ -413,14 +392,12 @@ interface(`auth_read_pam_pid',`
') ')
######################################## ########################################
## <interface name="auth_delete_pam_pid"> ## <desc>
## <desc> ## Delete pam PID files.
## Delete pam PID files. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`auth_delete_pam_pid',` interface(`auth_delete_pam_pid',`
gen_require(` gen_require(`
@ -507,19 +484,17 @@ interface(`auth_manage_pam_console_data',`
') ')
######################################## ########################################
## <interface name="auth_relabel_all_files_except_shadow"> ## <desc>
## <desc> ## Relabel all files on the filesystem, except
## Relabel all files on the filesystem, except ## the shadow passwords and listed exceptions.
## the shadow passwords and listed exceptions. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the domain perfoming this action.
## The type of the domain perfoming this action. ## </param>
## </param> ## <param name="exception_types" optional="true">
## <param name="exception_types" optional="true"> ## The types to be excluded. Each type or attribute
## The types to be excluded. Each type or attribute ## must be negated by the caller.
## must be negated by the caller. ## </param>
## </param>
## </interface>
# #
interface(`auth_relabel_all_files_except_shadow',` interface(`auth_relabel_all_files_except_shadow',`
@ -531,19 +506,17 @@ interface(`auth_relabel_all_files_except_shadow',`
') ')
######################################## ########################################
## <interface name="auth_manage_all_files_except_shadow"> ## <desc>
## <desc> ## Manage all files on the filesystem, except
## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions.
## the shadow passwords and listed exceptions. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the domain perfoming this action.
## The type of the domain perfoming this action. ## </param>
## </param> ## <param name="exception_types" optional="true">
## <param name="exception_types" optional="true"> ## The types to be excluded. Each type or attribute
## The types to be excluded. Each type or attribute ## must be negated by the caller.
## must be negated by the caller. ## </param>
## </param>
## </interface>
# #
interface(`auth_manage_all_files_except_shadow',` interface(`auth_manage_all_files_except_shadow',`
@ -555,14 +528,12 @@ interface(`auth_manage_all_files_except_shadow',`
') ')
######################################## ########################################
## <interface name="auth_domtrans_utempter"> ## <desc>
## <desc> ## Execute utempter programs in the utempter domain.
## Execute utempter programs in the utempter domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`auth_domtrans_utempter',` interface(`auth_domtrans_utempter',`
gen_require(` gen_require(`
@ -581,20 +552,18 @@ interface(`auth_domtrans_utempter',`
') ')
######################################## ########################################
## <interface name="auth_run_utempter"> ## <desc>
## <desc> ## Execute utempter programs in the utempter domain.
## Execute utempter programs in the utempter domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to allow the utempter domain.
## The role to allow the utempter domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the utempter domain to use.
## The type of the terminal allow the utempter domain to use. ## </param>
## </param>
## </interface>
# #
interface(`auth_run_utempter',` interface(`auth_run_utempter',`
gen_require(` gen_require(`
@ -648,4 +617,3 @@ interface(`auth_rw_login_records',`
logging_search_logs($1) logging_search_logs($1)
') ')
## </module>

48
refpolicy/policy/modules/system/clock.if
View File

@ -1,15 +1,12 @@
## <module name="clock">
## <summary>Policy for reading and setting the hardware clock.</summary> ## <summary>Policy for reading and setting the hardware clock.</summary>
######################################## ########################################
## <interface name="clock_domtrans"> ## <desc>
## <desc> ## Execute hwclock in the clock domain.
## Execute hwclock in the clock domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`clock_domtrans',` interface(`clock_domtrans',`
gen_require(` gen_require(`
@ -27,21 +24,19 @@ interface(`clock_domtrans',`
') ')
######################################## ########################################
## <interface name="clock_run"> ## <desc>
## <desc> ## Execute hwclock in the clock domain, and
## Execute hwclock in the clock domain, and ## allow the specified role the hwclock domain.
## allow the specified role the hwclock domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the clock domain.
## The role to be allowed the clock domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the clock domain to use.
## The type of the terminal allow the clock domain to use. ## </param>
## </param>
## </interface>
# #
interface(`clock_run',` interface(`clock_run',`
gen_require(` gen_require(`
@ -55,14 +50,12 @@ interface(`clock_run',`
') ')
######################################## ########################################
## <interface name="clock_exec">
## <desc> ## <desc>
## Execute hwclock ## Execute hwclock
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`clock_exec',` interface(`clock_exec',`
gen_require(` gen_require(`
@ -73,14 +66,12 @@ interface(`clock_exec',`
') ')
######################################## ########################################
## <interface name="clock_rw_adjtime">
## <desc> ## <desc>
## Allow executing domain to modify clock drift ## Allow executing domain to modify clock drift
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`clock_rw_adjtime',` interface(`clock_rw_adjtime',`
gen_require(` gen_require(`
@ -92,4 +83,3 @@ interface(`clock_rw_adjtime',`
files_list_etc($1) files_list_etc($1)
') ')
## </module>

50
refpolicy/policy/modules/system/corecommands.if
View File

@ -1,7 +1,6 @@
## <module name="corecommands">
## <summary> ## <summary>
## Core policy for shells, and generic programs ## Core policy for shells, and generic programs
## in /bin, /sbin, /usr/bin, and /usr/sbin. ## in /bin, /sbin, /usr/bin, and /usr/sbin.
## </summary> ## </summary>
####################################### #######################################
@ -148,19 +147,17 @@ interface(`corecmd_exec_ls',`
') ')
######################################## ########################################
## <interface name="corecmd_shell_spec_domtrans"> ## <desc>
## <desc> ## Execute a shell in the target domain. This
## Execute a shell in the target domain. This ## is an explicit transition, requiring the
## is an explicit transition, requiring the ## caller to use setexeccon().
## caller to use setexeccon(). ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="target_domain">
## <param name="target_domain"> ## The type of the shell process.
## The type of the shell process. ## </param>
## </param>
## </interface>
# #
interface(`corecmd_shell_spec_domtrans',` interface(`corecmd_shell_spec_domtrans',`
gen_require(` gen_require(`
@ -184,17 +181,15 @@ interface(`corecmd_shell_spec_domtrans',`
') ')
######################################## ########################################
## <interface name="corecmd_domtrans_shell"> ## <desc>
## <desc> ## Execute a shell in the target domain.
## Execute a shell in the target domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="target_domain">
## <param name="target_domain"> ## The type of the shell process.
## The type of the shell process. ## </param>
## </param>
## </interface>
# #
interface(`corecmd_domtrans_shell',` interface(`corecmd_domtrans_shell',`
gen_require(` gen_require(`
@ -219,4 +214,3 @@ interface(`corecmd_chroot_exec_chroot',`
allow $1 self:capability sys_chroot; allow $1 self:capability sys_chroot;
') ')
## </module>

228
refpolicy/policy/modules/system/domain.if
View File

@ -1,4 +1,3 @@
## <module name="domain">
## <summary>Core policy for domains.</summary> ## <summary>Core policy for domains.</summary>
######################################## ########################################
@ -92,15 +91,13 @@ interface(`domain_dyntrans_type',`
') ')
######################################## ########################################
## <interface name="domain_subj_id_change_exempt"> ## <desc>
## <desc> ## Makes caller an exception to the constraint preventing
## Makes caller an exception to the constraint preventing ## changing of user identity.
## changing of user identity. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The process type to make an exception to the constraint.
## The process type to make an exception to the constraint. ## </param>
## </param>
## </interface>
# #
interface(`domain_subj_id_change_exempt',` interface(`domain_subj_id_change_exempt',`
gen_require(` gen_require(`
@ -111,15 +108,13 @@ interface(`domain_subj_id_change_exempt',`
') ')
######################################## ########################################
## <interface name="domain_role_change_exempt"> ## <desc>
## <desc> ## Makes caller an exception to the constraint preventing
## Makes caller an exception to the constraint preventing ## changing of role.
## changing of role. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The process type to make an exception to the constraint.
## The process type to make an exception to the constraint. ## </param>
## </param>
## </interface>
# #
interface(`domain_role_change_exempt',` interface(`domain_role_change_exempt',`
gen_require(` gen_require(`
@ -130,15 +125,13 @@ interface(`domain_role_change_exempt',`
') ')
######################################## ########################################
## <interface name="domain_obj_id_change_exempt"> ## <desc>
## <desc> ## Makes caller an exception to the constraint preventing
## Makes caller an exception to the constraint preventing ## changing the user identity in object contexts.
## changing the user identity in object contexts. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The process type to make an exception to the constraint.
## The process type to make an exception to the constraint. ## </param>
## </param>
## </interface>
# #
interface(`domain_obj_id_change_exempt',` interface(`domain_obj_id_change_exempt',`
gen_require(` gen_require(`
@ -188,14 +181,12 @@ interface(`domain_setpriority_all_domains',`
') ')
######################################## ########################################
## <interface name="domain_signal_all_domains"> ## <desc>
## <desc> ## Send general signals to all domains.
## Send general signals to all domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`domain_signal_all_domains',` interface(`domain_signal_all_domains',`
gen_require(` gen_require(`
@ -207,14 +198,12 @@ interface(`domain_signal_all_domains',`
') ')
######################################## ########################################
## <interface name="domain_signull_all_domains"> ## <desc>
## <desc> ## Send a null signal to all domains.
## Send a null signal to all domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`domain_signull_all_domains',` interface(`domain_signull_all_domains',`
gen_require(` gen_require(`
@ -226,14 +215,12 @@ interface(`domain_signull_all_domains',`
') ')
######################################## ########################################
## <interface name="domain_sigstop_all_domains"> ## <desc>
## <desc> ## Send a stop signal to all domains.
## Send a stop signal to all domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`domain_sigstop_all_domains',` interface(`domain_sigstop_all_domains',`
gen_require(` gen_require(`
@ -245,14 +232,12 @@ interface(`domain_sigstop_all_domains',`
') ')
######################################## ########################################
## <interface name="domain_sigchld_all_domains"> ## <desc>
## <desc> ## Send a child terminated signal to all domains.
## Send a child terminated signal to all domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`domain_sigchld_all_domains',` interface(`domain_sigchld_all_domains',`
gen_require(` gen_require(`
@ -264,14 +249,12 @@ interface(`domain_sigchld_all_domains',`
') ')
######################################## ########################################
## <interface name="domain_kill_all_domains"> ## <desc>
## <desc> ## Send a kill signal to all domains.
## Send a kill signal to all domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`domain_kill_all_domains',` interface(`domain_kill_all_domains',`
gen_require(` gen_require(`
@ -285,14 +268,12 @@ interface(`domain_kill_all_domains',`
') ')
######################################## ########################################
## <interface name="domain_read_all_domains_state"> ## <desc>
## <desc> ## Read the process state (/proc/pid) of all domains.
## Read the process state (/proc/pid) of all domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`domain_read_all_domains_state',` interface(`domain_read_all_domains_state',`
gen_require(` gen_require(`
@ -316,15 +297,13 @@ interface(`domain_read_all_domains_state',`
') ')
######################################## ########################################
## <interface name="domain_dontaudit_list_all_domains_proc"> ## <desc>
## <desc> ## Do not audit attempts to read the process state
## Do not audit attempts to read the process state ## directories of all domains.
## directories of all domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`domain_dontaudit_list_all_domains_proc',` interface(`domain_dontaudit_list_all_domains_proc',`
gen_require(` gen_require(`
@ -336,14 +315,12 @@ interface(`domain_dontaudit_list_all_domains_proc',`
') ')
######################################## ########################################
## <interface name="domain_getsession_all_domains"> ## <desc>
## <desc> ## Get the session ID of all domains.
## Get the session ID of all domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`domain_getsession_all_domains',` interface(`domain_getsession_all_domains',`
gen_require(` gen_require(`
@ -355,15 +332,13 @@ interface(`domain_getsession_all_domains',`
') ')
######################################## ########################################
## <interface name="domain_dontaudit_getattr_all_udp_sockets"> ## <desc>
## <desc> ## Do not audit attempts to get the attributes
## Do not audit attempts to get the attributes ## of all domains UDP sockets.
## of all domains UDP sockets. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`domain_dontaudit_getattr_all_udp_sockets',` interface(`domain_dontaudit_getattr_all_udp_sockets',`
gen_require(` gen_require(`
@ -375,15 +350,13 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',`
') ')
######################################## ########################################
## <interface name="domain_dontaudit_getattr_all_tcp_sockets"> ## <desc>
## <desc> ## Do not audit attempts to get the attributes
## Do not audit attempts to get the attributes ## of all domains TCP sockets.
## of all domains TCP sockets. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`domain_dontaudit_getattr_all_tcp_sockets',` interface(`domain_dontaudit_getattr_all_tcp_sockets',`
gen_require(` gen_require(`
@ -395,15 +368,13 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',`
') ')
######################################## ########################################
## <interface name="domain_dontaudit_getattr_all_unix_dgram_sockets"> ## <desc>
## <desc> ## Do not audit attempts to get the attributes
## Do not audit attempts to get the attributes ## of all domains unix datagram sockets.
## of all domains unix datagram sockets. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',` interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
gen_require(` gen_require(`
@ -415,15 +386,13 @@ interface(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
') ')
######################################## ########################################
## <interface name="domain_dontaudit_getattr_all_unnamed_pipes"> ## <desc>
## <desc> ## Do not audit attempts to get the attributes
## Do not audit attempts to get the attributes ## of all domains unnamed pipes.
## of all domains unnamed pipes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`domain_dontaudit_getattr_all_unnamed_pipes',` interface(`domain_dontaudit_getattr_all_unnamed_pipes',`
gen_require(` gen_require(`
@ -461,7 +430,6 @@ interface(`domain_read_all_entry_files',`
allow $1 entry_type:file r_file_perms; allow $1 entry_type:file r_file_perms;
') ')
## </module>
# #
# These next macros are not interfaces, but actually are # These next macros are not interfaces, but actually are

210
refpolicy/policy/modules/system/files.if
View File

@ -1,19 +1,18 @@
## <module name="files">
## <summary> ## <summary>
## Basic filesystem types and interfaces. ## Basic filesystem types and interfaces.
## </summary> ## </summary>
## <desc> ## <desc>
## <p> ## <p>
## This module contains basic filesystem types and interfaces. This ## This module contains basic filesystem types and interfaces. This
## includes: ## includes:
## <ul> ## <ul>
## <li>The concept of different file types including basic ## <li>The concept of different file types including basic
## files, mount points, tmp files, etc.</li> ## files, mount points, tmp files, etc.</li>
## <li>Access to groups of files and all files.</li> ## <li>Access to groups of files and all files.</li>
## <li>Types and interfaces for the basic filesystem layout ## <li>Types and interfaces for the basic filesystem layout
## (/, /etc, /tmp, /usr, etc.).</li> ## (/, /etc, /tmp, /usr, etc.).</li>
## </ul> ## </ul>
## </p> ## </p>
## </desc> ## </desc>
######################################## ########################################
@ -83,15 +82,13 @@ interface(`files_tmp_file',`
') ')
######################################## ########################################
## <interface name="files_tmpfs_file"> ## <desc>
## <desc> ## Transform the type into a file, for use on a
## Transform the type into a file, for use on a ## virtual memory filesystem (tmpfs).
## virtual memory filesystem (tmpfs). ## </desc>
## </desc> ## <param name="type">
## <param name="type"> ## The type to be transformed.
## The type to be transformed. ## </param>
## </param>
## </interface>
# #
interface(`files_tmpfs_file',` interface(`files_tmpfs_file',`
gen_require(` gen_require(`
@ -125,19 +122,17 @@ interface(`files_getattr_all_files',`
') ')
######################################## ########################################
## <interface name="files_relabel_all_files"> ## <desc>
## <desc> ## Relabel all files on the filesystem, except
## Relabel all files on the filesystem, except ## the listed exceptions.
## the listed exceptions. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the domain perfoming this action.
## The type of the domain perfoming this action. ## </param>
## </param> ## <param name="exception_types" optional="true">
## <param name="exception_types" optional="true"> ## The types to be excluded. Each type or attribute
## The types to be excluded. Each type or attribute ## must be negated by the caller.
## must be negated by the caller. ## </param>
## </param>
## </interface>
# #
interface(`files_relabel_all_files',` interface(`files_relabel_all_files',`
gen_require(` gen_require(`
@ -164,19 +159,17 @@ interface(`files_relabel_all_files',`
') ')
######################################## ########################################
## <interface name="files_manage_all_files"> ## <desc>
## <desc> ## Manage all files on the filesystem, except
## Manage all files on the filesystem, except ## the listed exceptions.
## the listed exceptions. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the domain perfoming this action.
## The type of the domain perfoming this action. ## </param>
## </param> ## <param name="exception_types" optional="true">
## <param name="exception_types" optional="true"> ## The types to be excluded. Each type or attribute
## The types to be excluded. Each type or attribute ## must be negated by the caller.
## must be negated by the caller. ## </param>
## </param>
## </interface>
# #
interface(`files_manage_all_files',` interface(`files_manage_all_files',`
gen_require(` gen_require(`
@ -306,25 +299,23 @@ interface(`files_list_root',`
') ')
######################################## ########################################
## <interface name="files_create_root"> ## <desc>
## <desc> ## Create an object in the root directory, with a private
## Create an object in the root directory, with a private ## type. If no object class is specified, the
## type. If no object class is specified, the ## default is file.
## default is file. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="private type" optional="true">
## <param name="private type" optional="true"> ## The type of the object to be created. If no type
## The type of the object to be created. If no type ## is specified, the type of the root directory will
## is specified, the type of the root directory will ## be used.
## be used. ## </param>
## </param> ## <param name="object" optional="true">
## <param name="object" optional="true"> ## The object class of the object being created. If
## The object class of the object being created. If ## no class is specified, file will be used.
## no class is specified, file will be used. ## </param>
## </param>
## </interface>
# #
interface(`files_create_root',` interface(`files_create_root',`
gen_require(` gen_require(`
@ -498,14 +489,12 @@ interface(`files_manage_generic_etc_files',`
') ')
######################################## ########################################
## <interface name="files_delete_generic_etc_files"> ## <desc>
## <desc> ## Delete system configuration files in /etc.
## Delete system configuration files in /etc. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`files_delete_generic_etc_files',` interface(`files_delete_generic_etc_files',`
gen_require(` gen_require(`
@ -642,14 +631,12 @@ interface(`files_dontaudit_search_isid_type_dir',`
') ')
######################################## ########################################
## <interface name="files_list_home"> ## <desc>
## <desc> ## Get listing home home directories.
## Get listing home home directories. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`files_list_home',` interface(`files_list_home',`
gen_require(` gen_require(`
@ -743,14 +730,12 @@ interface(`files_read_usr_files',`
') ')
######################################## ########################################
## <interface name="files_exec_usr_files"> ## <desc>
## <desc> ## Execute programs in /usr/src in the caller domain.
## Execute programs in /usr/src in the caller domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`files_exec_usr_files',` interface(`files_exec_usr_files',`
gen_require(` gen_require(`
@ -810,14 +795,12 @@ interface(`files_dontaudit_search_var',`
') ')
######################################## ########################################
## <interface name="files_search_var_lib"> ## <desc>
## <desc> ## Search the /var/lib directory.
## Search the /var/lib directory. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`files_search_var_lib',` interface(`files_search_var_lib',`
gen_require(` gen_require(`
@ -987,14 +970,12 @@ interface(`files_rw_generic_pids',`
') ')
######################################## ########################################
## <interface name="files_dontaudit_write_all_pids"> ## <desc>
## <desc> ## Do not audit attempts to write to daemon runtime data files.
## Do not audit attempts to write to daemon runtime data files. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`files_dontaudit_write_all_pids',` interface(`files_dontaudit_write_all_pids',`
gen_require(` gen_require(`
@ -1006,14 +987,12 @@ interface(`files_dontaudit_write_all_pids',`
') ')
######################################## ########################################
## <interface name="files_dontaudit_ioctl_all_pids"> ## <desc>
## <desc> ## Do not audit attempts to ioctl daemon runtime data files.
## Do not audit attempts to ioctl daemon runtime data files. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`files_dontaudit_ioctl_all_pids',` interface(`files_dontaudit_ioctl_all_pids',`
gen_require(` gen_require(`
@ -1123,4 +1102,3 @@ interface(`files_manage_spools',`
allow $1 var_spool_t:file create_file_perms; allow $1 var_spool_t:file create_file_perms;
') ')
## </module>

10
refpolicy/policy/modules/system/getty.if
View File

@ -1,15 +1,12 @@
## <module name="getty">
## <summary>Policy for getty.</summary> ## <summary>Policy for getty.</summary>
######################################## ########################################
## <interface name="getty_domtrans">
## <desc> ## <desc>
## Execute gettys in the getty domain. ## Execute gettys in the getty domain.
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`getty_domtrans',` interface(`getty_domtrans',`
gen_require(` gen_require(`
@ -29,14 +26,12 @@ interface(`getty_domtrans',`
') ')
######################################## ########################################
## <interface name="getty_read_log">
## <desc> ## <desc>
## Allow process to read getty log file. ## Allow process to read getty log file.
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`getty_read_log',` interface(`getty_read_log',`
gen_require(` gen_require(`
@ -49,14 +44,12 @@ interface(`getty_read_log',`
') ')
######################################## ########################################
## <interface name="getty_read_config">
## <desc> ## <desc>
## Allow process to read getty config file. ## Allow process to read getty config file.
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`getty_read_config',` interface(`getty_read_config',`
gen_require(` gen_require(`
@ -69,14 +62,12 @@ interface(`getty_read_config',`
') ')
######################################## ########################################
## <interface name="getty_modify_config">
## <desc> ## <desc>
## Allow process to edit getty config file. ## Allow process to edit getty config file.
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`getty_modify_config',` interface(`getty_modify_config',`
gen_require(` gen_require(`
@ -88,4 +79,3 @@ interface(`getty_modify_config',`
allow $1 getty_etc_t:file rw_file_perms; allow $1 getty_etc_t:file rw_file_perms;
') ')
## </module>

50
refpolicy/policy/modules/system/hostname.if
View File

@ -1,16 +1,13 @@
## <module name="hostname">
## <summary>Policy for changing the system host name.</summary> ## <summary>Policy for changing the system host name.</summary>
######################################## ########################################
## <interface name="hostname_domtrans"> ## <desc>
## <desc> ## Execute hostname in the hostname domain.
## Execute hostname in the hostname domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## Has a sigchld signal backchannel.
## Has a sigchld signal backchannel. ## </param>
## </param>
## </interface>
# #
interface(`hostname_domtrans',` interface(`hostname_domtrans',`
gen_require(` gen_require(`
@ -30,22 +27,20 @@ interface(`hostname_domtrans',`
') ')
######################################## ########################################
## <interface name="hostname_run"> ## <desc>
## <desc> ## Execute hostname in the hostname domain, and
## Execute hostname in the hostname domain, and ## allow the specified role the hostname domain.
## allow the specified role the hostname domain. ## Has a sigchld signal backchannel.
## Has a sigchld signal backchannel. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the hostname domain.
## The role to be allowed the hostname domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the hostname domain to use.
## The type of the terminal allow the hostname domain to use. ## </param>
## </param>
## </interface>
# #
interface(`hostname_run',` interface(`hostname_run',`
gen_require(` gen_require(`
@ -59,7 +54,6 @@ interface(`hostname_run',`
') ')
######################################## ########################################
## <interface name="hostname_exec">
## <desc> ## <desc>
## Execute hostname in the hostname domain, and ## Execute hostname in the hostname domain, and
## Has a sigchld signal backchannel. ## Has a sigchld signal backchannel.
@ -67,7 +61,6 @@ interface(`hostname_run',`
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`hostname_exec',` interface(`hostname_exec',`
gen_require(` gen_require(`
@ -77,4 +70,3 @@ interface(`hostname_exec',`
can_exec($1,hostname_exec_t) can_exec($1,hostname_exec_t)
') ')
## </module>

20
refpolicy/policy/modules/system/hotplug.if
View File

@ -1,7 +1,6 @@
## <module name="hotplug">
## <summary> ## <summary>
## Policy for hotplug system, for supporting the ## Policy for hotplug system, for supporting the
## connection and disconnection of devices at runtime. ## connection and disconnection of devices at runtime.
## </summary> ## </summary>
####################################### #######################################
@ -78,14 +77,12 @@ interface(`hotplug_dontaudit_search_config',`
') ')
######################################## ########################################
## <interface name="hotplug_read_config"> ## <desc>
## <desc> ## Read the configuration files for hotplug.
## Read the configuration files for hotplug. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`hotplug_read_config',` interface(`hotplug_read_config',`
gen_require(` gen_require(`
@ -101,4 +98,3 @@ interface(`hotplug_read_config',`
allow $1 hotplug_etc_t:lnk_file r_file_perms; allow $1 hotplug_etc_t:lnk_file r_file_perms;
') ')
## </module>

44
refpolicy/policy/modules/system/init.if
View File

@ -1,4 +1,3 @@
## <module name="init">
## <summary>System initialization programs (init and init scripts).</summary> ## <summary>System initialization programs (init and init scripts).</summary>
######################################## ########################################
@ -260,14 +259,12 @@ interface(`init_exec_script',`
') ')
######################################## ########################################
## <interface name="init_read_script_process_state"> ## <desc>
## <desc> ## Read the process state (/proc/pid) of the init scripts.
## Read the process state (/proc/pid) of the init scripts. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`init_read_script_process_state',` interface(`init_read_script_process_state',`
gen_require(` gen_require(`
@ -330,14 +327,12 @@ interface(`init_get_script_process_group',`
') ')
######################################## ########################################
## <interface name="init_rw_script_pipe"> ## <desc>
## <desc> ## Read and write init script unnamed pipes.
## Read and write init script unnamed pipes. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`init_rw_script_pipe',` interface(`init_rw_script_pipe',`
gen_require(` gen_require(`
@ -376,14 +371,12 @@ interface(`init_dontaudit_use_script_pty',`
') ')
######################################## ########################################
## <interface name="init_rw_script_tmp_files"> ## <desc>
## <desc> ## Read and write init script temporary data.
## Read and write init script temporary data. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`init_rw_script_tmp_files',` interface(`init_rw_script_tmp_files',`
gen_require(` gen_require(`
@ -449,4 +442,3 @@ interface(`init_dontaudit_rw_script_pid',`
dontaudit $1 initrc_var_run_t:file { getattr read write append }; dontaudit $1 initrc_var_run_t:file { getattr read write append };
') ')
## </module>

58
refpolicy/policy/modules/system/iptables.if
View File

@ -1,15 +1,12 @@
## <module name="iptables">
## <summary>Policy for iptables.</summary> ## <summary>Policy for iptables.</summary>
######################################## ########################################
## <interface name="iptables_domtrans"> ## <desc>
## <desc> ## Execute iptables in the iptables domain.
## Execute iptables in the iptables domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`iptables_domtrans',` interface(`iptables_domtrans',`
gen_require(` gen_require(`
@ -29,21 +26,19 @@ interface(`iptables_domtrans',`
') ')
######################################## ########################################
## <interface name="iptables_run"> ## <desc>
## <desc> ## Execute iptables in the iptables domain, and
## Execute iptables in the iptables domain, and ## allow the specified role the iptables domain.
## allow the specified role the iptables domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the iptables domain.
## The role to be allowed the iptables domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the iptables domain to use.
## The type of the terminal allow the iptables domain to use. ## </param>
## </param>
## </interface>
# #
interface(`iptables_run',` interface(`iptables_run',`
gen_require(` gen_require(`
@ -57,14 +52,12 @@ interface(`iptables_run',`
') ')
######################################## ########################################
## <interface name="iptables_exec"> ## <desc>
## <desc> ## Execute iptables in the caller domain.
## Execute iptables in the caller domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`iptables_exec',` interface(`iptables_exec',`
gen_require(` gen_require(`
@ -75,4 +68,3 @@ interface(`iptables_exec',`
can_exec($1,iptables_exec_t) can_exec($1,iptables_exec_t)
') ')
## </module>

182
refpolicy/policy/modules/system/libraries.if
View File

@ -1,15 +1,12 @@
## <module name="libraries">
## <summary>Policy for system libraries.</summary> ## <summary>Policy for system libraries.</summary>
######################################## ########################################
## <interface name="libs_domtrans_ldconfig"> ## <desc>
## <desc> ## Execute ldconfig in the ldconfig domain.
## Execute ldconfig in the ldconfig domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`libs_domtrans_ldconfig',` interface(`libs_domtrans_ldconfig',`
gen_require(` gen_require(`
@ -29,20 +26,18 @@ interface(`libs_domtrans_ldconfig',`
') ')
######################################## ########################################
## <interface name="libs_run_ldconfig"> ## <desc>
## <desc> ## Execute ldconfig in the ldconfig domain.
## Execute ldconfig in the ldconfig domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to allow the ldconfig domain.
## The role to allow the ldconfig domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the ldconfig domain to use.
## The type of the terminal allow the ldconfig domain to use. ## </param>
## </param>
## </interface>
# #
interface(`libs_run_ldconfig',` interface(`libs_run_ldconfig',`
gen_require(` gen_require(`
@ -56,15 +51,13 @@ interface(`libs_run_ldconfig',`
') ')
######################################## ########################################
## <interface name="libs_use_ld_so"> ## <desc>
## <desc> ## Use the dynamic link/loader for automatic loading
## Use the dynamic link/loader for automatic loading ## of shared libraries.
## of shared libraries. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`libs_use_ld_so',` interface(`libs_use_ld_so',`
gen_require(` gen_require(`
@ -83,15 +76,13 @@ interface(`libs_use_ld_so',`
') ')
######################################## ########################################
## <interface name="libs_legacy_use_ld_so"> ## <desc>
## <desc> ## Use the dynamic link/loader for automatic loading
## Use the dynamic link/loader for automatic loading ## of shared libraries with legacy support.
## of shared libraries with legacy support. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`libs_legacy_use_ld_so',` interface(`libs_legacy_use_ld_so',`
gen_require(` gen_require(`
@ -105,16 +96,14 @@ interface(`libs_legacy_use_ld_so',`
') ')
######################################## ########################################
## <interface name="libs_exec_ld_so"> ## <desc>
## <desc> ## Execute the dynamic link/loader in the caller's
## Execute the dynamic link/loader in the caller's ## domain. This is commonly needed for the
## domain. This is commonly needed for the ## /usr/bin/ldd program.
## /usr/bin/ldd program. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`libs_exec_ld_so',` interface(`libs_exec_ld_so',`
gen_require(` gen_require(`
@ -130,15 +119,13 @@ interface(`libs_exec_ld_so',`
') ')
######################################## ########################################
## <interface name="libs_rw_ld_so_cache"> ## <desc>
## <desc> ## Modify the dynamic link/loader's cached listing
## Modify the dynamic link/loader's cached listing ## of shared libraries.
## of shared libraries. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`libs_rw_ld_so_cache',` interface(`libs_rw_ld_so_cache',`
gen_require(` gen_require(`
@ -151,14 +138,12 @@ interface(`libs_rw_ld_so_cache',`
') ')
######################################## ########################################
## <interface name="libs_search_lib"> ## <desc>
## <desc> ## Search lib directories.
## Search lib directories. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`libs_search_lib',` interface(`libs_search_lib',`
gen_require(` gen_require(`
@ -170,15 +155,13 @@ interface(`libs_search_lib',`
') ')
######################################## ########################################
## <interface name="libs_read_lib"> ## <desc>
## <desc> ## Read files in the library directories, such
## Read files in the library directories, such ## as static libraries.
## as static libraries. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`libs_read_lib',` interface(`libs_read_lib',`
gen_require(` gen_require(`
@ -194,14 +177,12 @@ interface(`libs_read_lib',`
') ')
######################################## ########################################
## <interface name="libs_exec_lib_files"> ## <desc>
## <desc> ## Execute library scripts in the caller domain.
## Execute library scripts in the caller domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`libs_exec_lib_files',` interface(`libs_exec_lib_files',`
gen_require(` gen_require(`
@ -217,14 +198,12 @@ interface(`libs_exec_lib_files',`
') ')
######################################## ########################################
## <interface name="libs_use_shared_libs"> ## <desc>
## <desc> ## Load and execute functions from shared libraries.
## Load and execute functions from shared libraries. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`libs_use_shared_libs',` interface(`libs_use_shared_libs',`
gen_require(` gen_require(`
@ -242,15 +221,13 @@ interface(`libs_use_shared_libs',`
') ')
######################################## ########################################
## <interface name="libs_legacy_use_shared_libs"> ## <desc>
## <desc> ## Load and execute functions from shared libraries,
## Load and execute functions from shared libraries, ## with legacy support.
## with legacy support. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`libs_legacy_use_shared_libs',` interface(`libs_legacy_use_shared_libs',`
gen_require(` gen_require(`
@ -262,4 +239,3 @@ interface(`libs_legacy_use_shared_libs',`
allow $1 { shlib_t texrel_shlib_t }:file execmod; allow $1 { shlib_t texrel_shlib_t }:file execmod;
') ')
## </module>

6
refpolicy/policy/modules/system/locallogin.if
View File

@ -1,15 +1,12 @@
## <module name="locallogin">
## <summary>Policy for local logins.</summary> ## <summary>Policy for local logins.</summary>
######################################## ########################################
## <interface name="locallogin_domtrans">
## <desc> ## <desc>
## Execute local logins in the locallogin domain. ## Execute local logins in the locallogin domain.
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`locallogin_domtrans',` interface(`locallogin_domtrans',`
gen_require(` gen_require(`
@ -20,14 +17,12 @@ interface(`locallogin_domtrans',`
') ')
######################################## ########################################
## <interface name="locallogin_use_fd">
## <desc> ## <desc>
## Allow processes to inherit local login file descriptors ## Allow processes to inherit local login file descriptors
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`locallogin_use_fd',` interface(`locallogin_use_fd',`
gen_require(` gen_require(`
@ -38,4 +33,3 @@ interface(`locallogin_use_fd',`
allow $1 local_login_t:fd use; allow $1 local_login_t:fd use;
') ')
## </module>

20
refpolicy/policy/modules/system/logging.if
View File

@ -1,4 +1,3 @@
## <module name="logging">
## <summary>Policy for the kernel message logger and system logging daemon.</summary> ## <summary>Policy for the kernel message logger and system logging daemon.</summary>
####################################### #######################################
@ -60,16 +59,14 @@ interface(`logging_send_syslog_msg',`
') ')
######################################## ########################################
## <interface name="logging_search_logs"> ## <desc>
## <desc> ## Allows the domain to open a file in the
## Allows the domain to open a file in the ## log directory, but does not allow the listing
## log directory, but does not allow the listing ## of the contents of the log directory.
## of the contents of the log directory. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`logging_search_logs',` interface(`logging_search_logs',`
gen_require(` gen_require(`
@ -176,4 +173,3 @@ interface(`logging_rw_generic_logs',`
allow $1 var_log_t:file rw_file_perms; allow $1 var_log_t:file rw_file_perms;
') ')
## </module>

56
refpolicy/policy/modules/system/lvm.if
View File

@ -1,15 +1,12 @@
## <module name="lvm">
## <summary>Policy for logical volume management programs.</summary> ## <summary>Policy for logical volume management programs.</summary>
######################################## ########################################
## <interface name="lvm_domtrans"> ## <desc>
## <desc> ## Execute lvm programs in the lvm domain.
## Execute lvm programs in the lvm domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`lvm_domtrans',` interface(`lvm_domtrans',`
gen_require(` gen_require(`
@ -29,20 +26,18 @@ interface(`lvm_domtrans',`
') ')
######################################## ########################################
## <interface name="lvm_run"> ## <desc>
## <desc> ## Execute lvm programs in the lvm domain.
## Execute lvm programs in the lvm domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to allow the LVM domain.
## The role to allow the LVM domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the LVM domain to use.
## The type of the terminal allow the LVM domain to use. ## </param>
## </param>
## </interface>
# #
interface(`lvm_run',` interface(`lvm_run',`
gen_require(` gen_require(`
@ -56,14 +51,12 @@ interface(`lvm_run',`
') ')
######################################## ########################################
## <interface name="lvm_read_config"> ## <desc>
## <desc> ## Read LVM configuration files.
## Read LVM configuration files. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`lvm_read_config',` interface(`lvm_read_config',`
gen_require(` gen_require(`
@ -77,4 +70,3 @@ interface(`lvm_read_config',`
allow $1 lvm_etc_t:file r_file_perms; allow $1 lvm_etc_t:file r_file_perms;
') ')
## </module>

1
refpolicy/policy/modules/system/metadata.xml
View File

@ -1 +0,0 @@
<layer name="system">

12
refpolicy/policy/modules/system/miscfiles.if
View File

@ -1,8 +1,6 @@
## <module name="miscfiles">
## <summary>Miscelaneous files.</summary> ## <summary>Miscelaneous files.</summary>
######################################## ########################################
## <interface name="miscfiles_rw_man_cache">
## <desc> ## <desc>
## Allow process to create files and dirs in /var/cache/man ## Allow process to create files and dirs in /var/cache/man
## and /var/catman/ ## and /var/catman/
@ -10,7 +8,6 @@
## <param name="domain"> ## <param name="domain">
## Type type of the process performing this action. ## Type type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`miscfiles_rw_man_cache',` interface(`miscfiles_rw_man_cache',`
gen_require(` gen_require(`
@ -25,14 +22,12 @@ interface(`miscfiles_rw_man_cache',`
') ')
######################################## ########################################
## <interface name="miscfiles_read_fonts">
## <desc> ## <desc>
## Allow process to read fonts files ## Allow process to read fonts files
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## Type type of the process performing this action. ## Type type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`miscfiles_read_fonts',` interface(`miscfiles_read_fonts',`
gen_require(` gen_require(`
@ -50,14 +45,12 @@ interface(`miscfiles_read_fonts',`
') ')
######################################## ########################################
## <interface name="miscfiles_read_localization">
## <desc> ## <desc>
## Allow process to read localization info ## Allow process to read localization info
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## Type type of the process performing this action. ## Type type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`miscfiles_read_localization',` interface(`miscfiles_read_localization',`
gen_require(` gen_require(`
@ -79,14 +72,12 @@ interface(`miscfiles_read_localization',`
') ')
######################################## ########################################
## <interface name="miscfiles_legacy_read_localization">
## <desc> ## <desc>
## Allow process to read legacy time localization info ## Allow process to read legacy time localization info
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## Type type of the process performing this action. ## Type type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`miscfiles_legacy_read_localization',` interface(`miscfiles_legacy_read_localization',`
gen_require(` gen_require(`
@ -99,14 +90,12 @@ interface(`miscfiles_legacy_read_localization',`
') ')
######################################## ########################################
## <interface name="miscfiles_read_man_pages">
## <desc> ## <desc>
## Allow process to read manpages ## Allow process to read manpages
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## Type type of the process performing this action. ## Type type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`miscfiles_read_man_pages',` interface(`miscfiles_read_man_pages',`
gen_require(` gen_require(`
@ -122,4 +111,3 @@ interface(`miscfiles_read_man_pages',`
allow $1 man_t:lnk_file r_file_perms; allow $1 man_t:lnk_file r_file_perms;
') ')
## </module>

158
refpolicy/policy/modules/system/modutils.if
View File

@ -1,15 +1,12 @@
## <module name="modutils">
## <summary>Policy for kernel module utilities</summary> ## <summary>Policy for kernel module utilities</summary>
######################################## ########################################
## <interface name="modutils_read_kernel_module_dependencies"> ## <desc>
## <desc> ## Read the dependencies of kernel modules.
## Read the dependencies of kernel modules. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`modutils_read_kernel_module_dependencies',` interface(`modutils_read_kernel_module_dependencies',`
gen_require(` gen_require(`
@ -22,15 +19,13 @@ interface(`modutils_read_kernel_module_dependencies',`
') ')
######################################## ########################################
## <interface name="modutils_read_module_conf"> ## <desc>
## <desc> ## Read the configuration options used when
## Read the configuration options used when ## loading modules.
## loading modules. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`modutils_read_module_conf',` interface(`modutils_read_module_conf',`
gen_require(` gen_require(`
@ -47,14 +42,12 @@ interface(`modutils_read_module_conf',`
') ')
######################################## ########################################
## <interface name="modutils_domtrans_insmod"> ## <desc>
## <desc> ## Execute insmod in the insmod domain.
## Execute insmod in the insmod domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`modutils_domtrans_insmod',` interface(`modutils_domtrans_insmod',`
gen_require(` gen_require(`
@ -74,23 +67,21 @@ interface(`modutils_domtrans_insmod',`
') ')
######################################## ########################################
## <interface name="modutils_run_insmod"> ## <desc>
## <desc> ## Execute insmod in the insmod domain, and
## Execute insmod in the insmod domain, and ## allow the specified role the insmod domain,
## allow the specified role the insmod domain, ## and use the caller's terminal. Has a sigchld
## and use the caller's terminal. Has a sigchld ## backchannel.
## backchannel. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the insmod domain.
## The role to be allowed the insmod domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the insmod domain to use.
## The type of the terminal allow the insmod domain to use. ## </param>
## </param>
## </interface>
# #
interface(`modutils_run_insmod',` interface(`modutils_run_insmod',`
gen_require(` gen_require(`
@ -117,14 +108,12 @@ interface(`modutils_exec_insmod',`
') ')
######################################## ########################################
## <interface name="modutils_domtrans_depmod"> ## <desc>
## <desc> ## Execute depmod in the depmod domain.
## Execute depmod in the depmod domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`modutils_domtrans_depmod',` interface(`modutils_domtrans_depmod',`
gen_require(` gen_require(`
@ -144,20 +133,18 @@ interface(`modutils_domtrans_depmod',`
') ')
######################################## ########################################
## <interface name="modutils_run_depmod"> ## <desc>
## <desc> ## Execute depmod in the depmod domain.
## Execute depmod in the depmod domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the depmod domain.
## The role to be allowed the depmod domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the depmod domain to use.
## The type of the terminal allow the depmod domain to use. ## </param>
## </param>
## </interface>
# #
interface(`modutils_run_depmod',` interface(`modutils_run_depmod',`
gen_require(` gen_require(`
@ -184,14 +171,12 @@ interface(`modutils_exec_depmod',`
') ')
######################################## ########################################
## <interface name="modutils_domtrans_update_mods"> ## <desc>
## <desc> ## Execute depmod in the depmod domain.
## Execute depmod in the depmod domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`modutils_domtrans_update_mods',` interface(`modutils_domtrans_update_mods',`
gen_require(` gen_require(`
@ -211,20 +196,18 @@ interface(`modutils_domtrans_update_mods',`
') ')
######################################## ########################################
## <interface name="modutils_run_update_mods"> ## <desc>
## <desc> ## Execute update_modules in the update_modules domain.
## Execute update_modules in the update_modules domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the update_modules domain.
## The role to be allowed the update_modules domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the update_modules domain to use.
## The type of the terminal allow the update_modules domain to use. ## </param>
## </param>
## </interface>
# #
interface(`modutils_run_update_mods',` interface(`modutils_run_update_mods',`
gen_require(` gen_require(`
@ -250,4 +233,3 @@ interface(`modutils_exec_update_mods',`
can_exec($1, update_modules_exec_t) can_exec($1, update_modules_exec_t)
') ')
## </module>

50
refpolicy/policy/modules/system/mount.if
View File

@ -1,15 +1,12 @@
## <module name="mount">
## <summary>Policy for mount.</summary> ## <summary>Policy for mount.</summary>
######################################## ########################################
## <interface name="mount_domtrans"> ## <desc>
## <desc> ## Execute mount in the mount domain.
## Execute mount in the mount domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`mount_domtrans',` interface(`mount_domtrans',`
gen_require(` gen_require(`
@ -28,22 +25,20 @@ interface(`mount_domtrans',`
') ')
######################################## ########################################
## <interface name="mount_run"> ## <desc>
## <desc> ## Execute mount in the mount domain, and
## Execute mount in the mount domain, and ## allow the specified role the mount domain,
## allow the specified role the mount domain, ## and use the caller's terminal.
## and use the caller's terminal. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the mount domain.
## The role to be allowed the mount domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the mount domain to use.
## The type of the terminal allow the mount domain to use. ## </param>
## </param>
## </interface>
# #
interface(`mount_run',` interface(`mount_run',`
gen_require(` gen_require(`
@ -57,14 +52,12 @@ interface(`mount_run',`
') ')
######################################## ########################################
## <interface name="mount_use_fd">
## <desc> ## <desc>
## Use file descriptors for mount. ## Use file descriptors for mount.
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`mount_use_fd',` interface(`mount_use_fd',`
gen_require(` gen_require(`
@ -76,7 +69,6 @@ interface(`mount_use_fd',`
') ')
######################################## ########################################
## <interface name="mount_send_nfs_client_request">
## <desc> ## <desc>
## Allow the mount domain to send nfs requests for mounting ## Allow the mount domain to send nfs requests for mounting
## network drives ## network drives
@ -84,7 +76,6 @@ interface(`mount_use_fd',`
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`mount_send_nfs_client_request',` interface(`mount_send_nfs_client_request',`
gen_require(` gen_require(`
@ -95,4 +86,3 @@ interface(`mount_send_nfs_client_request',`
allow $1 mount_t:udp_socket rw_socket_perms; allow $1 mount_t:udp_socket rw_socket_perms;
') ')
## </module>

300
refpolicy/policy/modules/system/selinuxutil.if
View File

@ -1,15 +1,12 @@
## <module name="selinuxutil">
## <summary>Policy for SELinux policy and userland applications.</summary> ## <summary>Policy for SELinux policy and userland applications.</summary>
####################################### #######################################
## <interface name="seutil_domtrans_checkpol"> ## <desc>
## <desc> ## Execute checkpolicy in the checkpolicy domain.
## Execute checkpolicy in the checkpolicy domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`seutil_domtrans_checkpol',` interface(`seutil_domtrans_checkpol',`
gen_require(` gen_require(`
@ -30,23 +27,21 @@ interface(`seutil_domtrans_checkpol',`
') ')
######################################## ########################################
## <interface name="seutil_run_checkpol"> ## <desc>
## <desc> ## Execute checkpolicy in the checkpolicy domain, and
## Execute checkpolicy in the checkpolicy domain, and ## allow the specified role the checkpolicy domain,
## allow the specified role the checkpolicy domain, ## and use the caller's terminal.
## and use the caller's terminal. ## Has a SIGCHLD signal backchannel.
## Has a SIGCHLD signal backchannel. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the checkpolicy domain.
## The role to be allowed the checkpolicy domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the checkpolicy domain to use.
## The type of the terminal allow the checkpolicy domain to use. ## </param>
## </param>
## </interface>
# #
interface(`seutil_run_checkpol',` interface(`seutil_run_checkpol',`
gen_require(` gen_require(`
@ -74,14 +69,12 @@ interface(`seutil_exec_checkpol',`
') ')
####################################### #######################################
## <interface name="seutil_domtrans_loadpol"> ## <desc>
## <desc> ## Execute load_policy in the load_policy domain.
## Execute load_policy in the load_policy domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`seutil_domtrans_loadpol',` interface(`seutil_domtrans_loadpol',`
gen_require(` gen_require(`
@ -101,23 +94,21 @@ interface(`seutil_domtrans_loadpol',`
') ')
######################################## ########################################
## <interface name="seutil_run_loadpol"> ## <desc>
## <desc> ## Execute load_policy in the load_policy domain, and
## Execute load_policy in the load_policy domain, and ## allow the specified role the load_policy domain,
## allow the specified role the load_policy domain, ## and use the caller's terminal.
## and use the caller's terminal. ## Has a SIGCHLD signal backchannel.
## Has a SIGCHLD signal backchannel. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the load_policy domain.
## The role to be allowed the load_policy domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the load_policy domain to use.
## The type of the terminal allow the load_policy domain to use. ## </param>
## </param>
## </interface>
# #
interface(`seutil_run_loadpol',` interface(`seutil_run_loadpol',`
gen_require(` gen_require(`
@ -158,14 +149,12 @@ interface(`seutil_read_loadpol',`
') ')
####################################### #######################################
## <interface name="seutil_domtrans_newrole"> ## <desc>
## <desc> ## Execute newrole in the load_policy domain.
## Execute newrole in the load_policy domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`seutil_domtrans_newrole',` interface(`seutil_domtrans_newrole',`
gen_require(` gen_require(`
@ -186,22 +175,20 @@ interface(`seutil_domtrans_newrole',`
') ')
######################################## ########################################
## <interface name="seutil_run_newrole"> ## <desc>
## <desc> ## Execute newrole in the newrole domain, and
## Execute newrole in the newrole domain, and ## allow the specified role the newrole domain,
## allow the specified role the newrole domain, ## and use the caller's terminal.
## and use the caller's terminal. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the newrole domain.
## The role to be allowed the newrole domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the newrole domain to use.
## The type of the terminal allow the newrole domain to use. ## </param>
## </param>
## </interface>
# #
interface(`seutil_run_newrole',` interface(`seutil_run_newrole',`
gen_require(` gen_require(`
@ -229,15 +216,13 @@ interface(`seutil_exec_newrole',`
') ')
######################################## ########################################
## <interface name="seutil_dontaudit_newrole_signal"> ## <desc>
## <desc> ## Do not audit the caller attempts to send
## Do not audit the caller attempts to send ## a signal to newrole.
## a signal to newrole. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`seutil_dontaudit_newrole_signal',` interface(`seutil_dontaudit_newrole_signal',`
gen_require(` gen_require(`
@ -275,14 +260,12 @@ interface(`seutil_use_newrole_fd',`
') ')
####################################### #######################################
## <interface name="seutil_domtrans_restorecon"> ## <desc>
## <desc> ## Execute restorecon in the restorecon domain.
## Execute restorecon in the restorecon domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`seutil_domtrans_restorecon',` interface(`seutil_domtrans_restorecon',`
gen_require(` gen_require(`
@ -302,22 +285,20 @@ interface(`seutil_domtrans_restorecon',`
') ')
######################################## ########################################
## <interface name="seutil_run_restorecon"> ## <desc>
## <desc> ## Execute restorecon in the restorecon domain, and
## Execute restorecon in the restorecon domain, and ## allow the specified role the restorecon domain,
## allow the specified role the restorecon domain, ## and use the caller's terminal.
## and use the caller's terminal. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the restorecon domain.
## The role to be allowed the restorecon domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the restorecon domain to use.
## The type of the terminal allow the restorecon domain to use. ## </param>
## </param>
## </interface>
# #
interface(`seutil_run_restorecon',` interface(`seutil_run_restorecon',`
gen_require(` gen_require(`
@ -344,14 +325,12 @@ interface(`seutil_exec_restorecon',`
') ')
######################################## ########################################
## <interface name="seutil_domtrans_runinit"> ## <desc>
## <desc> ## Execute run_init in the run_init domain.
## Execute run_init in the run_init domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`seutil_domtrans_runinit',` interface(`seutil_domtrans_runinit',`
gen_require(` gen_require(`
@ -372,22 +351,20 @@ interface(`seutil_domtrans_runinit',`
') ')
######################################## ########################################
## <interface name="seutil_run_runinit"> ## <desc>
## <desc> ## Execute run_init in the run_init domain, and
## Execute run_init in the run_init domain, and ## allow the specified role the run_init domain,
## allow the specified role the run_init domain, ## and use the caller's terminal.
## and use the caller's terminal. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the run_init domain.
## The role to be allowed the run_init domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the run_init domain to use.
## The type of the terminal allow the run_init domain to use. ## </param>
## </param>
## </interface>
# #
interface(`seutil_run_runinit',` interface(`seutil_run_runinit',`
gen_require(` gen_require(`
@ -414,14 +391,12 @@ interface(`seutil_use_runinit_fd',`
') ')
######################################## ########################################
## <interface name="seutil_domtrans_setfiles"> ## <desc>
## <desc> ## Execute setfiles in the setfiles domain.
## Execute setfiles in the setfiles domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`seutil_domtrans_setfiles',` interface(`seutil_domtrans_setfiles',`
gen_require(` gen_require(`
@ -442,22 +417,20 @@ interface(`seutil_domtrans_setfiles',`
') ')
######################################## ########################################
## <interface name="seutil_run_setfiles"> ## <desc>
## <desc> ## Execute setfiles in the setfiles domain, and
## Execute setfiles in the setfiles domain, and ## allow the specified role the setfiles domain,
## allow the specified role the setfiles domain, ## and use the caller's terminal.
## and use the caller's terminal. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the setfiles domain.
## The role to be allowed the setfiles domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the setfiles domain to use.
## The type of the terminal allow the setfiles domain to use. ## </param>
## </param>
## </interface>
# #
interface(`seutil_run_setfiles',` interface(`seutil_run_setfiles',`
gen_require(` gen_require(`
@ -571,14 +544,12 @@ interface(`seutil_create_binary_pol',`
') ')
######################################## ########################################
## <interface name="seutil_relabelto_binary_pol"> ## <desc>
## <desc> ## Allow the caller to relabel a file to the binary policy type.
## Allow the caller to relabel a file to the binary policy type. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`seutil_relabelto_binary_pol',` interface(`seutil_relabelto_binary_pol',`
gen_require(` gen_require(`
@ -644,4 +615,3 @@ interface(`seutil_manage_src_pol',`
allow $1 policy_src_t:file create_file_perms; allow $1 policy_src_t:file create_file_perms;
') ')
## </module>

50
refpolicy/policy/modules/system/sysnetwork.if
View File

@ -1,15 +1,12 @@
## <module name="sysnetwork">
## <summary>Policy for network configuration: ifconfig and dhcp client.</summary> ## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
####################################### #######################################
## <interface name="sysnet_domtrans_dhcpc">
## <desc> ## <desc>
## Execute dhcp client in dhcpc domain. ## Execute dhcp client in dhcpc domain.
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`sysnet_domtrans_dhcpc',` interface(`sysnet_domtrans_dhcpc',`
gen_require(` gen_require(`
@ -29,14 +26,12 @@ interface(`sysnet_domtrans_dhcpc',`
') ')
####################################### #######################################
## <interface name="sysnet_domtrans_ifconfig"> ## <desc>
## <desc> ## Execute ifconfig in the ifconfig domain.
## Execute ifconfig in the ifconfig domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`sysnet_domtrans_ifconfig',` interface(`sysnet_domtrans_ifconfig',`
gen_require(` gen_require(`
@ -56,22 +51,20 @@ interface(`sysnet_domtrans_ifconfig',`
') ')
######################################## ########################################
## <interface name="sysnet_run_ifconfig"> ## <desc>
## <desc> ## Execute ifconfig in the ifconfig domain, and
## Execute ifconfig in the ifconfig domain, and ## allow the specified role the ifconfig domain,
## allow the specified role the ifconfig domain, ## and use the caller's terminal.
## and use the caller's terminal. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param> ## <param name="role">
## <param name="role"> ## The role to be allowed the ifconfig domain.
## The role to be allowed the ifconfig domain. ## </param>
## </param> ## <param name="terminal">
## <param name="terminal"> ## The type of the terminal allow the ifconfig domain to use.
## The type of the terminal allow the ifconfig domain to use. ## </param>
## </param>
## </interface>
# #
interface(`sysnet_run_ifconfig',` interface(`sysnet_run_ifconfig',`
gen_require(` gen_require(`
@ -86,14 +79,12 @@ interface(`sysnet_run_ifconfig',`
') ')
####################################### #######################################
## <interface name="sysnet_read_config">
## <desc> ## <desc>
## Allow network init to read network config files. ## Allow network init to read network config files.
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`sysnet_read_config',` interface(`sysnet_read_config',`
gen_require(` gen_require(`
@ -105,4 +96,3 @@ interface(`sysnet_read_config',`
allow $1 net_conf_t:file r_file_perms; allow $1 net_conf_t:file r_file_perms;
') ')
## </module>

8
refpolicy/policy/modules/system/udev.if
View File

@ -1,15 +1,12 @@
## <module name="udev">
## <summary>Policy for udev.</summary> ## <summary>Policy for udev.</summary>
######################################## ########################################
## <interface name="udev_domtrans">
## <desc> ## <desc>
## Execute udev in the udev domain. ## Execute udev in the udev domain.
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`udev_domtrans',` interface(`udev_domtrans',`
gen_require(` gen_require(`
@ -28,14 +25,12 @@ interface(`udev_domtrans',`
') ')
######################################## ########################################
## <interface name="udev_read_db">
## <desc> ## <desc>
## Allow process to read list of devices. ## Allow process to read list of devices.
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`udev_read_db',` interface(`udev_read_db',`
gen_require(` gen_require(`
@ -48,14 +43,12 @@ interface(`udev_read_db',`
') ')
######################################## ########################################
## <interface name="udev_rw_db">
## <desc> ## <desc>
## Allow process to modify list of devices. ## Allow process to modify list of devices.
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
## </interface>
# #
interface(`udev_rw_db',` interface(`udev_rw_db',`
gen_require(` gen_require(`
@ -67,4 +60,3 @@ interface(`udev_rw_db',`
allow $1 udev_tdb_t:file rw_file_perms; allow $1 udev_tdb_t:file rw_file_perms;
') ')
## </module>

194
refpolicy/policy/modules/system/userdomain.if
View File

@ -1,4 +1,3 @@
## <module name="userdomain">
## <summary>Policy for user domains</summary> ## <summary>Policy for user domains</summary>
######################################## ########################################
@ -809,16 +808,14 @@ template(`admin_domain_template',`
') ')
######################################## ########################################
## <interface name="userdom_spec_domtrans_all_users"> ## <desc>
## <desc> ## Execute a shell in all user domains. This
## Execute a shell in all user domains. This ## is an explicit transition, requiring the
## is an explicit transition, requiring the ## caller to use setexeccon().
## caller to use setexeccon(). ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_spec_domtrans_all_users',` interface(`userdom_spec_domtrans_all_users',`
gen_require(` gen_require(`
@ -829,16 +826,14 @@ interface(`userdom_spec_domtrans_all_users',`
') ')
######################################## ########################################
## <interface name="userdom_spec_domtrans_unpriv_users"> ## <desc>
## <desc> ## Execute a shell in all unprivileged user domains. This
## Execute a shell in all unprivileged user domains. This ## is an explicit transition, requiring the
## is an explicit transition, requiring the ## caller to use setexeccon().
## caller to use setexeccon(). ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_spec_domtrans_unpriv_users',` interface(`userdom_spec_domtrans_unpriv_users',`
gen_require(` gen_require(`
@ -849,14 +844,12 @@ interface(`userdom_spec_domtrans_unpriv_users',`
') ')
######################################## ########################################
## <interface name="userdom_shell_domtrans_sysadm"> ## <desc>
## <desc> ## Execute a shell in the sysadm domain.
## Execute a shell in the sysadm domain. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_shell_domtrans_sysadm',` interface(`userdom_shell_domtrans_sysadm',`
gen_require(` gen_require(`
@ -867,14 +860,12 @@ interface(`userdom_shell_domtrans_sysadm',`
') ')
######################################## ########################################
## <interface name="userdom_use_sysadm_tty"> ## <desc>
## <desc> ## Read and write sysadm ttys.
## Read and write sysadm ttys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_use_sysadm_tty',` interface(`userdom_use_sysadm_tty',`
gen_require(` gen_require(`
@ -888,14 +879,12 @@ interface(`userdom_use_sysadm_tty',`
') ')
######################################## ########################################
## <interface name="userdom_use_sysadm_terms"> ## <desc>
## <desc> ## Read and write sysadm ttys and ptys.
## Read and write sysadm ttys and ptys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_use_sysadm_terms',` interface(`userdom_use_sysadm_terms',`
gen_require(` gen_require(`
@ -909,14 +898,12 @@ interface(`userdom_use_sysadm_terms',`
') ')
######################################## ########################################
## <interface name="userdom_dontaudit_use_sysadm_terms"> ## <desc>
## <desc> ## Do not audit attempts to use admin ttys and ptys.
## Do not audit attempts to use admin ttys and ptys. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_dontaudit_use_sysadm_terms',` interface(`userdom_dontaudit_use_sysadm_terms',`
gen_require(` gen_require(`
@ -928,14 +915,12 @@ interface(`userdom_dontaudit_use_sysadm_terms',`
') ')
######################################## ########################################
## <interface name="userdom_search_all_users_home"> ## <desc>
## <desc> ## Search all users home directories.
## Search all users home directories. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_search_all_users_home',` interface(`userdom_search_all_users_home',`
gen_require(` gen_require(`
@ -948,14 +933,12 @@ interface(`userdom_search_all_users_home',`
') ')
######################################## ########################################
## <interface name="userdom_read_all_user_data"> ## <desc>
## <desc> ## Read all files in all users home directories.
## Read all files in all users home directories. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_read_all_user_data',` interface(`userdom_read_all_user_data',`
gen_require(` gen_require(`
@ -970,14 +953,12 @@ interface(`userdom_read_all_user_data',`
') ')
######################################## ########################################
## <interface name="userdom_use_all_user_fd"> ## <desc>
## <desc> ## Inherit the file descriptors from all user domains
## Inherit the file descriptors from all user domains ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_use_all_user_fd',` interface(`userdom_use_all_user_fd',`
gen_require(` gen_require(`
@ -989,14 +970,12 @@ interface(`userdom_use_all_user_fd',`
') ')
######################################## ########################################
## <interface name="userdom_signal_all_users"> ## <desc>
## <desc> ## Send general signals to all user domains.
## Send general signals to all user domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_signal_all_users',` interface(`userdom_signal_all_users',`
gen_require(` gen_require(`
@ -1008,14 +987,12 @@ interface(`userdom_signal_all_users',`
') ')
######################################## ########################################
## <interface name="userdom_signal_unpriv_users"> ## <desc>
## <desc> ## Send general signals to unprivileged user domains.
## Send general signals to unprivileged user domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_signal_unpriv_users',` interface(`userdom_signal_unpriv_users',`
gen_require(` gen_require(`
@ -1027,14 +1004,12 @@ interface(`userdom_signal_unpriv_users',`
') ')
######################################## ########################################
## <interface name="userdom_use_unpriv_users_fd"> ## <desc>
## <desc> ## Inherit the file descriptors from all user domains.
## Inherit the file descriptors from all user domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_use_unpriv_users_fd',` interface(`userdom_use_unpriv_users_fd',`
gen_require(` gen_require(`
@ -1046,15 +1021,13 @@ interface(`userdom_use_unpriv_users_fd',`
') ')
######################################## ########################################
## <interface name="userdom_dontaudit_use_unpriv_user_fd"> ## <desc>
## <desc> ## Do not audit attempts to inherit the
## Do not audit attempts to inherit the ## file descriptors from all user domains.
## file descriptors from all user domains. ## </desc>
## </desc> ## <param name="domain">
## <param name="domain"> ## The type of the process performing this action.
## The type of the process performing this action. ## </param>
## </param>
## </interface>
# #
interface(`userdom_dontaudit_use_unpriv_user_fd',` interface(`userdom_dontaudit_use_unpriv_user_fd',`
gen_require(` gen_require(`
@ -1065,4 +1038,3 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
dontaudit $1 unpriv_userdomain:fd use; dontaudit $1 unpriv_userdomain:fd use;
') ')
## </module>