finish renaming system/selinux to system/selinuxutil
This commit is contained in:
Chris PeBenito
parent
ff7bc148e4
commit
5e0da6a03e
@ -56,7 +56,7 @@ ifdef(`targeted_policy', `
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(dmesg_t)
|
||||
seutil_newrole_sigchld(dmesg_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
|
||||
@ -95,12 +95,12 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
|
||||
|
||||
kernel_read_system_state(rpm_t)
|
||||
kernel_read_kernel_sysctl(rpm_t)
|
||||
kernel_get_selinuxfs_mount_point(rpm_t)
|
||||
kernel_validate_context(rpm_t)
|
||||
kernel_compute_access_vector(rpm_t)
|
||||
kernel_compute_create_context(rpm_t)
|
||||
kernel_compute_relabel_context(rpm_t)
|
||||
kernel_compute_reachable_user_contexts(rpm_t)
|
||||
selinux_get_fs_mount(rpm_t)
|
||||
selinux_validate_context(rpm_t)
|
||||
selinux_compute_access_vector(rpm_t)
|
||||
selinux_compute_create_context(rpm_t)
|
||||
selinux_compute_relabel_context(rpm_t)
|
||||
selinux_compute_user_contexts(rpm_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(rpm_t)
|
||||
corenet_raw_sendrecv_all_if(rpm_t)
|
||||
@ -149,8 +149,8 @@ libs_domtrans_ldconfig(rpm_t)
|
||||
logging_send_syslog_msg(rpm_t)
|
||||
|
||||
# allow compiling and loading new policy
|
||||
selinux_manage_src_pol(rpm_t)
|
||||
selinux_manage_binary_pol(rpm_t)
|
||||
seutil_manage_src_pol(rpm_t)
|
||||
seutil_manage_binary_pol(rpm_t)
|
||||
|
||||
sysnet_read_config(rpm_t)
|
||||
|
||||
@ -245,12 +245,12 @@ allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
|
||||
fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
kernel_read_kernel_sysctl(rpm_script_t)
|
||||
kernel_get_selinuxfs_mount_point(rpm_script_t)
|
||||
kernel_validate_context(rpm_script_t)
|
||||
kernel_compute_access_vector(rpm_script_t)
|
||||
kernel_compute_create_context(rpm_script_t)
|
||||
kernel_compute_relabel_context(rpm_script_t)
|
||||
kernel_compute_reachable_user_contexts(rpm_script_t)
|
||||
selinux_get_fs_mount(rpm_script_t)
|
||||
selinux_validate_context(rpm_script_t)
|
||||
selinux_compute_access_vector(rpm_script_t)
|
||||
selinux_compute_create_context(rpm_script_t)
|
||||
selinux_compute_relabel_context(rpm_script_t)
|
||||
selinux_compute_user_contexts(rpm_script_t)
|
||||
kernel_read_system_state(rpm_script_t)
|
||||
|
||||
# ideally we would not need this
|
||||
@ -303,8 +303,8 @@ miscfiles_read_localization(rpm_script_t)
|
||||
modutils_domtrans_depmod(rpm_script_t)
|
||||
modutils_domtrans_insmod(rpm_script_t)
|
||||
|
||||
selinux_domtrans_loadpol(rpm_script_t)
|
||||
selinux_domtrans_restorecon(rpm_script_t)
|
||||
seutil_domtrans_loadpol(rpm_script_t)
|
||||
seutil_domtrans_restorecon(rpm_script_t)
|
||||
|
||||
userdom_use_all_user_fd(rpm_script_t)
|
||||
|
||||
@ -347,14 +347,14 @@ allow sshd_t rpm_script_t:fd use;
|
||||
# can transition to this domain, nor can it
|
||||
# really do anything useful.
|
||||
|
||||
kernel_get_selinuxfs_mount_point(rpmbuild_t)
|
||||
kernel_validate_context(rpmbuild_t)
|
||||
kernel_compute_access_vector(rpmbuild_t)
|
||||
kernel_compute_create_context(rpmbuild_t)
|
||||
kernel_compute_relabel_context(rpmbuild_t)
|
||||
kernel_compute_reachable_user_contexts(rpmbuild_t)
|
||||
selinux_get_fs_mount(rpmbuild_t)
|
||||
selinux_validate_context(rpmbuild_t)
|
||||
selinux_compute_access_vector(rpmbuild_t)
|
||||
selinux_compute_create_context(rpmbuild_t)
|
||||
selinux_compute_relabel_context(rpmbuild_t)
|
||||
selinux_compute_user_contexts(rpmbuild_t)
|
||||
|
||||
selinux_read_src_pol(rpmbuild_t)
|
||||
seutil_read_src_pol(rpmbuild_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
|
||||
@ -77,12 +77,12 @@ allow chfn_t self:msgq create_msgq_perms;
|
||||
allow chfn_t self:msg { send receive };
|
||||
|
||||
kernel_read_system_state(chfn_t)
|
||||
kernel_get_selinuxfs_mount_point(chfn_t)
|
||||
kernel_validate_context(chfn_t)
|
||||
kernel_compute_access_vector(chfn_t)
|
||||
kernel_compute_create_context(chfn_t)
|
||||
kernel_compute_relabel_context(chfn_t)
|
||||
kernel_compute_reachable_user_contexts(chfn_t)
|
||||
selinux_get_fs_mount(chfn_t)
|
||||
selinux_validate_context(chfn_t)
|
||||
selinux_compute_access_vector(chfn_t)
|
||||
selinux_compute_create_context(chfn_t)
|
||||
selinux_compute_relabel_context(chfn_t)
|
||||
selinux_compute_user_contexts(chfn_t)
|
||||
|
||||
term_use_all_user_ttys(chfn_t)
|
||||
term_use_all_user_ptys(chfn_t)
|
||||
@ -210,12 +210,12 @@ allow groupadd_t self:msgq create_msgq_perms;
|
||||
allow groupadd_t self:msg { send receive };
|
||||
|
||||
# Allow access to context for shadow file
|
||||
kernel_get_selinuxfs_mount_point(groupadd_t)
|
||||
kernel_validate_context(groupadd_t)
|
||||
kernel_compute_access_vector(groupadd_t)
|
||||
kernel_compute_create_context(groupadd_t)
|
||||
kernel_compute_relabel_context(groupadd_t)
|
||||
kernel_compute_reachable_user_contexts(groupadd_t)
|
||||
selinux_get_fs_mount(groupadd_t)
|
||||
selinux_validate_context(groupadd_t)
|
||||
selinux_compute_access_vector(groupadd_t)
|
||||
selinux_compute_create_context(groupadd_t)
|
||||
selinux_compute_relabel_context(groupadd_t)
|
||||
selinux_compute_user_contexts(groupadd_t)
|
||||
|
||||
fs_getattr_xattr_fs(groupadd_t)
|
||||
|
||||
@ -243,7 +243,7 @@ miscfiles_read_localization(groupadd_t)
|
||||
auth_manage_shadow(groupadd_t)
|
||||
auth_rw_lastlog(groupadd_t)
|
||||
|
||||
selinux_read_config(groupadd_t)
|
||||
seutil_read_config(groupadd_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
role sysadm_r types groupadd_t;
|
||||
@ -285,12 +285,12 @@ allow passwd_t self:sem create_sem_perms;
|
||||
allow passwd_t self:msgq create_msgq_perms;
|
||||
allow passwd_t self:msg { send receive };
|
||||
|
||||
kernel_get_selinuxfs_mount_point(passwd_t)
|
||||
kernel_validate_context(passwd_t)
|
||||
kernel_compute_access_vector(passwd_t)
|
||||
kernel_compute_create_context(passwd_t)
|
||||
kernel_compute_relabel_context(passwd_t)
|
||||
kernel_compute_reachable_user_contexts(passwd_t)
|
||||
selinux_get_fs_mount(passwd_t)
|
||||
selinux_validate_context(passwd_t)
|
||||
selinux_compute_access_vector(passwd_t)
|
||||
selinux_compute_create_context(passwd_t)
|
||||
selinux_compute_relabel_context(passwd_t)
|
||||
selinux_compute_user_contexts(passwd_t)
|
||||
|
||||
# for SSP
|
||||
dev_read_urand(passwd_t)
|
||||
@ -382,12 +382,12 @@ allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
|
||||
files_search_var(sysadm_passwd_t)
|
||||
|
||||
kernel_get_selinuxfs_mount_point(sysadm_passwd_t)
|
||||
kernel_validate_context(sysadm_passwd_t)
|
||||
kernel_compute_access_vector(sysadm_passwd_t)
|
||||
kernel_compute_create_context(sysadm_passwd_t)
|
||||
kernel_compute_relabel_context(sysadm_passwd_t)
|
||||
kernel_compute_reachable_user_contexts(sysadm_passwd_t)
|
||||
selinux_get_fs_mount(sysadm_passwd_t)
|
||||
selinux_validate_context(sysadm_passwd_t)
|
||||
selinux_compute_access_vector(sysadm_passwd_t)
|
||||
selinux_compute_create_context(sysadm_passwd_t)
|
||||
selinux_compute_relabel_context(sysadm_passwd_t)
|
||||
selinux_compute_user_contexts(sysadm_passwd_t)
|
||||
# for /proc/meminfo
|
||||
kernel_read_system_state(sysadm_passwd_t)
|
||||
|
||||
@ -474,12 +474,12 @@ allow useradd_t self:msgq create_msgq_perms;
|
||||
allow useradd_t self:msg { send receive };
|
||||
|
||||
# Allow access to context for shadow file
|
||||
kernel_get_selinuxfs_mount_point(useradd_t)
|
||||
kernel_validate_context(useradd_t)
|
||||
kernel_compute_access_vector(useradd_t)
|
||||
kernel_compute_create_context(useradd_t)
|
||||
kernel_compute_relabel_context(useradd_t)
|
||||
kernel_compute_reachable_user_contexts(useradd_t)
|
||||
selinux_get_fs_mount(useradd_t)
|
||||
selinux_validate_context(useradd_t)
|
||||
selinux_compute_access_vector(useradd_t)
|
||||
selinux_compute_create_context(useradd_t)
|
||||
selinux_compute_relabel_context(useradd_t)
|
||||
selinux_compute_user_contexts(useradd_t)
|
||||
# for getting the number of groups
|
||||
kernel_read_kernel_sysctl(useradd_t)
|
||||
|
||||
@ -505,7 +505,7 @@ corecmd_exec_sbin(useradd_t)
|
||||
|
||||
miscfiles_read_localization(useradd_t)
|
||||
|
||||
selinux_read_config(useradd_t)
|
||||
seutil_read_config(useradd_t)
|
||||
|
||||
logging_send_syslog_msg(useradd_t)
|
||||
|
||||
|
||||
@ -136,8 +136,8 @@ logging_rw_generic_logs(bootloader_t)
|
||||
|
||||
miscfiles_read_localization(bootloader_t)
|
||||
|
||||
selinux_read_binary_pol(bootloader_t)
|
||||
selinux_read_loadpol(bootloader_t)
|
||||
seutil_read_binary_pol(bootloader_t)
|
||||
seutil_read_loadpol(bootloader_t)
|
||||
|
||||
ifdef(`distro_debian', `
|
||||
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
|
||||
|
||||
@ -91,7 +91,7 @@ define(`cron_per_userdomain_template',`
|
||||
|
||||
logging_search_logs($1_crond_t)
|
||||
|
||||
selinux_read_config($1_crond_t)
|
||||
seutil_read_config($1_crond_t)
|
||||
|
||||
miscfiles_read_localization($1_crond_t)
|
||||
|
||||
@ -224,18 +224,18 @@ define(`cron_admin_template',`
|
||||
#allow $1_crontab_t user_cron_spool_t:file unlink;
|
||||
|
||||
# Manipulate other users crontab.
|
||||
kernel_get_selinuxfs_mount_point($1_crontab_t)
|
||||
kernel_validate_context($1_crontab_t)
|
||||
kernel_compute_access_vector($1_crontab_t)
|
||||
kernel_compute_create_context($1_crontab_t)
|
||||
kernel_compute_relabel_context($1_crontab_t)
|
||||
kernel_compute_reachable_user_contexts($1_crontab_t)
|
||||
selinux_get_fs_mount($1_crontab_t)
|
||||
selinux_validate_context($1_crontab_t)
|
||||
selinux_compute_access_vector($1_crontab_t)
|
||||
selinux_compute_create_context($1_crontab_t)
|
||||
selinux_compute_relabel_context($1_crontab_t)
|
||||
selinux_compute_user_contexts($1_crontab_t)
|
||||
|
||||
tunable_policy(`fcron_crond', `
|
||||
# fcron wants an instant update of a crontab change for the administrator
|
||||
# also crontab does a security check for crontab -u
|
||||
allow $1_crontab_t self:process setfscreate;
|
||||
kernel_get_selinuxfs_mount_point($1_crontab_t)
|
||||
selinux_get_fs_mount($1_crontab_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
@ -77,12 +77,12 @@ allow crond_t system_cron_spool_t:file r_file_perms;
|
||||
|
||||
kernel_read_kernel_sysctl(crond_t)
|
||||
dev_read_sysfs(crond_t)
|
||||
kernel_get_selinuxfs_mount_point(crond_t)
|
||||
kernel_validate_context(crond_t)
|
||||
kernel_compute_access_vector(crond_t)
|
||||
kernel_compute_create_context(crond_t)
|
||||
kernel_compute_relabel_context(crond_t)
|
||||
kernel_compute_reachable_user_contexts(crond_t)
|
||||
selinux_get_fs_mount(crond_t)
|
||||
selinux_validate_context(crond_t)
|
||||
selinux_compute_access_vector(crond_t)
|
||||
selinux_compute_create_context(crond_t)
|
||||
selinux_compute_relabel_context(crond_t)
|
||||
selinux_compute_user_contexts(crond_t)
|
||||
|
||||
dev_read_urand(crond_t)
|
||||
|
||||
@ -109,9 +109,9 @@ libs_use_shared_libs(crond_t)
|
||||
|
||||
logging_send_syslog_msg(crond_t)
|
||||
|
||||
selinux_read_config(crond_t)
|
||||
selinux_read_default_contexts(crond_t)
|
||||
selinux_newrole_sigchld(crond_t)
|
||||
seutil_read_config(crond_t)
|
||||
seutil_read_default_contexts(crond_t)
|
||||
seutil_newrole_sigchld(crond_t)
|
||||
|
||||
miscfiles_read_localization(crond_t)
|
||||
|
||||
@ -287,18 +287,18 @@ miscfiles_read_localization(system_crond_t)
|
||||
miscfiles_read_man_pages(system_crond_t)
|
||||
miscfiles_rw_man_cache(system_crond_t)
|
||||
|
||||
selinux_read_config(system_crond_t)
|
||||
seutil_read_config(system_crond_t)
|
||||
|
||||
tunable_policy(`cron_can_relabel',`
|
||||
selinux_domtrans_setfiles(system_crond_t)
|
||||
seutil_domtrans_setfiles(system_crond_t)
|
||||
',`
|
||||
kernel_get_selinuxfs_mount_point(system_crond_t)
|
||||
kernel_validate_context(system_crond_t)
|
||||
kernel_compute_access_vector(system_crond_t)
|
||||
kernel_compute_create_context(system_crond_t)
|
||||
kernel_compute_relabel_context(system_crond_t)
|
||||
kernel_compute_reachable_user_contexts(system_crond_t)
|
||||
selinux_read_file_contexts(system_crond_t)
|
||||
selinux_get_fs_mount(system_crond_t)
|
||||
selinux_validate_context(system_crond_t)
|
||||
selinux_compute_access_vector(system_crond_t)
|
||||
selinux_compute_create_context(system_crond_t)
|
||||
selinux_compute_relabel_context(system_crond_t)
|
||||
selinux_compute_user_contexts(system_crond_t)
|
||||
seutil_read_file_contexts(system_crond_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
@ -43,12 +43,12 @@ files_create_tmp_files(remote_login_t, remote_login_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(remote_login_t)
|
||||
kernel_read_kernel_sysctl(remote_login_t)
|
||||
kernel_get_selinuxfs_mount_point(remote_login_t)
|
||||
kernel_validate_context(remote_login_t)
|
||||
kernel_compute_access_vector(remote_login_t)
|
||||
kernel_compute_create_context(remote_login_t)
|
||||
kernel_compute_relabel_context(remote_login_t)
|
||||
kernel_compute_reachable_user_contexts(remote_login_t)
|
||||
selinux_get_fs_mount(remote_login_t)
|
||||
selinux_validate_context(remote_login_t)
|
||||
selinux_compute_access_vector(remote_login_t)
|
||||
selinux_compute_create_context(remote_login_t)
|
||||
selinux_compute_relabel_context(remote_login_t)
|
||||
selinux_compute_user_contexts(remote_login_t)
|
||||
|
||||
# for SSP/ProPolice
|
||||
dev_read_urand(remote_login_t)
|
||||
@ -69,8 +69,8 @@ libs_use_shared_libs(remote_login_t)
|
||||
|
||||
logging_send_syslog_msg(remote_login_t)
|
||||
|
||||
selinux_read_config(remote_login_t)
|
||||
selinux_read_default_contexts(remote_login_t)
|
||||
seutil_read_config(remote_login_t)
|
||||
seutil_read_default_contexts(remote_login_t)
|
||||
|
||||
auth_domtrans_chk_passwd(remote_login_t)
|
||||
auth_dontaudit_read_shadow(remote_login_t)
|
||||
|
||||
@ -95,7 +95,7 @@ ifdef(`targeted_policy', `
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(sendmail_t)
|
||||
seutil_newrole_sigchld(sendmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
|
||||
@ -55,7 +55,7 @@ define(`authlogin_per_userdomain_template',`
|
||||
|
||||
miscfiles_read_localization($1_chkpwd_t)
|
||||
|
||||
selinux_read_config($1_chkpwd_t)
|
||||
seutil_read_config($1_chkpwd_t)
|
||||
|
||||
#can_ypbind($1_chkpwd_t)
|
||||
#can_kerberos($1_chkpwd_t)
|
||||
@ -88,7 +88,7 @@ define(`authlogin_per_userdomain_template',`
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_use_newrole_fd($1_chkpwd_t)
|
||||
seutil_use_newrole_fd($1_chkpwd_t)
|
||||
')
|
||||
|
||||
') dnl end authlogin_per_userdomain_template
|
||||
|
||||
@ -165,7 +165,7 @@ libs_use_shared_libs(pam_console_t)
|
||||
|
||||
logging_send_syslog_msg(pam_console_t)
|
||||
|
||||
selinux_read_file_contexts(pam_console_t)
|
||||
seutil_read_file_contexts(pam_console_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(pam_console_t)
|
||||
|
||||
@ -185,7 +185,7 @@ optional_policy(`hotplug.te', `
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(pam_console_t)
|
||||
seutil_newrole_sigchld(pam_console_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
@ -250,7 +250,7 @@ logging_send_syslog_msg(system_chkpwd_t)
|
||||
|
||||
miscfiles_read_localization(system_chkpwd_t)
|
||||
|
||||
selinux_read_config(system_chkpwd_t)
|
||||
seutil_read_config(system_chkpwd_t)
|
||||
|
||||
tunable_policy(`use_dns',`
|
||||
allow system_chkpwd_t self:udp_socket create_socket_perms;
|
||||
|
||||
@ -64,7 +64,7 @@ ifdef(`targeted_policy', `
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(hwclock_t)
|
||||
seutil_newrole_sigchld(hwclock_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
|
||||
@ -166,7 +166,7 @@ define(`files_relabel_all_files',`
|
||||
allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
|
||||
|
||||
# satisfy the assertions:
|
||||
selinux_relabelto_binary_pol($1)
|
||||
seutil_relabelto_binary_pol($1)
|
||||
')
|
||||
|
||||
define(`files_relabel_all_files_depend',`
|
||||
@ -206,7 +206,7 @@ define(`files_manage_all_files',`
|
||||
allow $1 { file_type $2 }:sock_file create_file_perms;
|
||||
|
||||
# satisfy the assertions:
|
||||
selinux_write_binary_pol($1)
|
||||
seutil_write_binary_pol($1)
|
||||
bootloader_manage_kernel_modules($1)
|
||||
')
|
||||
|
||||
|
||||
@ -80,7 +80,7 @@ optional_policy(`hotplug.te',`
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(hostname_t)
|
||||
seutil_newrole_sigchld(hostname_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
|
||||
@ -140,7 +140,7 @@ optional_policy(`mta.te', `
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(hotplug_t)
|
||||
seutil_newrole_sigchld(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
|
||||
@ -88,7 +88,7 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
|
||||
# Run init scripts.
|
||||
domain_auto_trans(init_t,initrc_exec_t,initrc_t)
|
||||
|
||||
kernel_set_boolean(init_t)
|
||||
selinux_set_boolean(init_t)
|
||||
kernel_read_system_state(init_t)
|
||||
dev_read_sysfs(init_t)
|
||||
kernel_share_state(init_t)
|
||||
@ -123,7 +123,7 @@ libs_rw_ld_so_cache(init_t)
|
||||
logging_send_syslog_msg(init_t)
|
||||
logging_rw_generic_logs(init_t)
|
||||
|
||||
selinux_read_config(init_t)
|
||||
seutil_read_config(init_t)
|
||||
|
||||
miscfiles_read_localization(init_t)
|
||||
|
||||
@ -184,7 +184,7 @@ dev_read_sysfs(initrc_t)
|
||||
dev_rw_sysfs(initrc_t)
|
||||
kernel_read_all_sysctl(initrc_t)
|
||||
kernel_rw_all_sysctl(initrc_t)
|
||||
kernel_get_selinux_enforcement_mode(initrc_t)
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
dev_list_usbfs(initrc_t)
|
||||
# for lsof which is used by alsa shutdown:
|
||||
kernel_dontaudit_getattr_message_if(initrc_t)
|
||||
@ -283,7 +283,7 @@ miscfiles_read_localization(initrc_t)
|
||||
|
||||
modutils_read_module_conf(initrc_t)
|
||||
|
||||
selinux_read_config(initrc_t)
|
||||
seutil_read_config(initrc_t)
|
||||
|
||||
sysnet_read_config(initrc_t)
|
||||
|
||||
@ -308,7 +308,7 @@ ifdef(`distro_redhat',`
|
||||
kernel_dontaudit_use_fd(initrc_t)
|
||||
files_dontaudit_read_root_file(initrc_t)
|
||||
|
||||
kernel_set_enforcement_mode(initrc_t)
|
||||
selinux_set_enforce_mode(initrc_t)
|
||||
|
||||
# Create and read /boot/kernel.h and /boot/System.map.
|
||||
# Redhat systems typically create this file at boot time.
|
||||
|
||||
@ -89,7 +89,7 @@ optional_policy(`modutils.te', `
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(iptables_t)
|
||||
seutil_newrole_sigchld(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
|
||||
@ -53,12 +53,12 @@ files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(local_login_t)
|
||||
kernel_read_kernel_sysctl(local_login_t)
|
||||
kernel_get_selinuxfs_mount_point(local_login_t)
|
||||
kernel_validate_context(local_login_t)
|
||||
kernel_compute_access_vector(local_login_t)
|
||||
kernel_compute_create_context(local_login_t)
|
||||
kernel_compute_relabel_context(local_login_t)
|
||||
kernel_compute_reachable_user_contexts(local_login_t)
|
||||
selinux_get_fs_mount(local_login_t)
|
||||
selinux_validate_context(local_login_t)
|
||||
selinux_compute_access_vector(local_login_t)
|
||||
selinux_compute_create_context(local_login_t)
|
||||
selinux_compute_relabel_context(local_login_t)
|
||||
selinux_compute_user_contexts(local_login_t)
|
||||
|
||||
# for SSP/ProPolice
|
||||
dev_read_urand(local_login_t)
|
||||
@ -95,8 +95,8 @@ logging_send_syslog_msg(local_login_t)
|
||||
|
||||
miscfiles_read_localization(local_login_t)
|
||||
|
||||
selinux_read_config(local_login_t)
|
||||
selinux_read_default_contexts(local_login_t)
|
||||
seutil_read_config(local_login_t)
|
||||
seutil_read_default_contexts(local_login_t)
|
||||
|
||||
userdom_spec_domtrans_all_users(local_login_t)
|
||||
userdom_signal_all_users(local_login_t)
|
||||
@ -223,8 +223,8 @@ libs_use_shared_libs(sulogin_t)
|
||||
|
||||
logging_send_syslog_msg(sulogin_t)
|
||||
|
||||
selinux_read_config(sulogin_t)
|
||||
selinux_read_default_contexts(sulogin_t)
|
||||
seutil_read_config(sulogin_t)
|
||||
seutil_read_default_contexts(sulogin_t)
|
||||
|
||||
auth_read_shadow(sulogin_t)
|
||||
|
||||
@ -242,12 +242,12 @@ ifdef(`sulogin_no_pam', `
|
||||
init_get_process_group(sulogin_t)
|
||||
', `
|
||||
allow sulogin_t self:process setexec;
|
||||
kernel_get_selinuxfs_mount_point(sulogin_t)
|
||||
kernel_validate_context(sulogin_t)
|
||||
kernel_compute_access_vector(sulogin_t)
|
||||
kernel_compute_create_context(sulogin_t)
|
||||
kernel_compute_relabel_context(sulogin_t)
|
||||
kernel_compute_reachable_user_contexts(sulogin_t)
|
||||
selinux_get_fs_mount(sulogin_t)
|
||||
selinux_validate_context(sulogin_t)
|
||||
selinux_compute_access_vector(sulogin_t)
|
||||
selinux_compute_create_context(sulogin_t)
|
||||
selinux_compute_relabel_context(sulogin_t)
|
||||
selinux_compute_user_contexts(sulogin_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
@ -86,7 +86,7 @@ ifdef(`targeted_policy', `
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(auditd_t)
|
||||
seutil_newrole_sigchld(auditd_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
@ -250,7 +250,7 @@ ifdef(`targeted_policy', `
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(syslogd_t)
|
||||
seutil_newrole_sigchld(syslogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
|
||||
@ -69,12 +69,12 @@ type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
|
||||
files_create_etc_config(lvm_t,lvm_metadata_t,file)
|
||||
|
||||
kernel_read_system_state(lvm_t)
|
||||
kernel_get_selinuxfs_mount_point(lvm_t)
|
||||
kernel_validate_context(lvm_t)
|
||||
kernel_compute_access_vector(lvm_t)
|
||||
kernel_compute_create_context(lvm_t)
|
||||
kernel_compute_relabel_context(lvm_t)
|
||||
kernel_compute_reachable_user_contexts(lvm_t)
|
||||
selinux_get_fs_mount(lvm_t)
|
||||
selinux_validate_context(lvm_t)
|
||||
selinux_compute_access_vector(lvm_t)
|
||||
selinux_compute_create_context(lvm_t)
|
||||
selinux_compute_relabel_context(lvm_t)
|
||||
selinux_compute_user_contexts(lvm_t)
|
||||
kernel_read_kernel_sysctl(lvm_t)
|
||||
dev_read_sysfs(lvm_t)
|
||||
# Read /sys/block. Device mapper metadata is kept there.
|
||||
@ -132,9 +132,9 @@ logging_send_syslog_msg(lvm_t)
|
||||
|
||||
miscfiles_read_localization(lvm_t)
|
||||
|
||||
selinux_read_config(lvm_t)
|
||||
selinux_read_file_contexts(lvm_t)
|
||||
selinux_newrole_sigchld(lvm_t)
|
||||
seutil_read_config(lvm_t)
|
||||
seutil_read_file_contexts(lvm_t)
|
||||
seutil_newrole_sigchld(lvm_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
# this is from the initrd:
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
## <summary>Policy for SELinux policy and userland applications.</summary>
|
||||
|
||||
#######################################
|
||||
## <interface name="selinux_domtrans_checkpol">
|
||||
## <interface name="seutil_domtrans_checkpol">
|
||||
## <description>
|
||||
## Execute checkpolicy in the checkpolicy domain.
|
||||
## </description>
|
||||
@ -11,7 +11,7 @@
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_domtrans_checkpol',`
|
||||
define(`seutil_domtrans_checkpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 checkpolicy_exec_t:file rx_file_perms;
|
||||
@ -25,7 +25,7 @@ define(`selinux_domtrans_checkpol',`
|
||||
allow checkpolicy_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_domtrans_checkpol_depend',`
|
||||
define(`seutil_domtrans_checkpol_depend',`
|
||||
type checkpolicy_t, checkpolicy_exec_t;
|
||||
|
||||
class file rx_file_perms
|
||||
@ -35,7 +35,7 @@ define(`selinux_domtrans_checkpol_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_run_checkpol">
|
||||
## <interface name="seutil_run_checkpol">
|
||||
## <description>
|
||||
## Execute checkpolicy in the checkpolicy domain, and
|
||||
## allow the specified role the checkpolicy domain,
|
||||
@ -53,15 +53,15 @@ define(`selinux_domtrans_checkpol_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_run_checkpol',`
|
||||
define(`seutil_run_checkpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
selinux_domtrans_checkpol($1)
|
||||
seutil_domtrans_checkpol($1)
|
||||
role $2 types checkpolicy_t;
|
||||
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`selinux_run_checkpol_depend',`
|
||||
define(`seutil_run_checkpol_depend',`
|
||||
type checkpolicy_t;
|
||||
|
||||
class chr_file { getattr read write ioctl };
|
||||
@ -69,22 +69,22 @@ define(`selinux_run_checkpol_depend',`
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_exec_checkpol(domain)
|
||||
# seutil_exec_checkpol(domain)
|
||||
#
|
||||
define(`selinux_exec_checkpol',`
|
||||
define(`seutil_exec_checkpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
can_exec($1,checkpolicy_exec_t)
|
||||
')
|
||||
|
||||
define(`selinux_exec_checkpol_depend',`
|
||||
define(`seutil_exec_checkpol_depend',`
|
||||
type checkpolicy_exec_t;
|
||||
|
||||
class file { rx_file_perms execute_no_trans };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <interface name="selinux_domtrans_loadpol">
|
||||
## <interface name="seutil_domtrans_loadpol">
|
||||
## <description>
|
||||
## Execute load_policy in the load_policy domain.
|
||||
## </description>
|
||||
@ -93,7 +93,7 @@ define(`selinux_exec_checkpol_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_domtrans_loadpol',`
|
||||
define(`seutil_domtrans_loadpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 load_policy_exec_t:file rx_file_perms;
|
||||
@ -107,7 +107,7 @@ define(`selinux_domtrans_loadpol',`
|
||||
allow load_policy_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_domtrans_loadpol_depend',`
|
||||
define(`seutil_domtrans_loadpol_depend',`
|
||||
type load_policy_t, load_policy_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
@ -117,7 +117,7 @@ define(`selinux_domtrans_loadpol_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_run_loadpol">
|
||||
## <interface name="seutil_run_loadpol">
|
||||
## <description>
|
||||
## Execute load_policy in the load_policy domain, and
|
||||
## allow the specified role the load_policy domain,
|
||||
@ -135,15 +135,15 @@ define(`selinux_domtrans_loadpol_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_run_loadpol',`
|
||||
define(`seutil_run_loadpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
selinux_domtrans_loadpol($1)
|
||||
seutil_domtrans_loadpol($1)
|
||||
role $2 types load_policy_t;
|
||||
allow load_policy_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`selinux_run_loadpol_depend',`
|
||||
define(`seutil_run_loadpol_depend',`
|
||||
type load_policy_t;
|
||||
|
||||
class chr_file { getattr read write ioctl };
|
||||
@ -151,15 +151,15 @@ define(`selinux_run_loadpol_depend',`
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_exec_loadpol(domain)
|
||||
# seutil_exec_loadpol(domain)
|
||||
#
|
||||
define(`selinux_exec_loadpol',`
|
||||
define(`seutil_exec_loadpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
can_exec($1,load_policy_exec_t)
|
||||
')
|
||||
|
||||
define(`selinux_exec_loadpol_depend',`
|
||||
define(`seutil_exec_loadpol_depend',`
|
||||
type load_policy_exec_t;
|
||||
|
||||
class file { rx_file_perms execute_no_trans };
|
||||
@ -167,22 +167,22 @@ define(`selinux_exec_loadpol_depend',`
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_read_loadpol(domain)
|
||||
# seutil_read_loadpol(domain)
|
||||
#
|
||||
define(`selinux_read_loadpol',`
|
||||
define(`seutil_read_loadpol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 load_policy_exec_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_read_loadpol_depend',`
|
||||
define(`seutil_read_loadpol_depend',`
|
||||
type load_policy_exec_t;
|
||||
|
||||
class file r_file_perms
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <interface name="selinux_domtrans_newrole">
|
||||
## <interface name="seutil_domtrans_newrole">
|
||||
## <description>
|
||||
## Execute newrole in the load_policy domain.
|
||||
## </description>
|
||||
@ -191,7 +191,7 @@ define(`selinux_read_loadpol_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_domtrans_newrole',`
|
||||
define(`seutil_domtrans_newrole',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 newrole_exec_t:file rx_file_perms;
|
||||
@ -205,7 +205,7 @@ define(`selinux_domtrans_newrole',`
|
||||
allow newrole_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_domtrans_newrole_depend',`
|
||||
define(`seutil_domtrans_newrole_depend',`
|
||||
type newrole_t, newrole_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
@ -215,7 +215,7 @@ define(`selinux_domtrans_newrole_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_run_newrole">
|
||||
## <interface name="seutil_run_newrole">
|
||||
## <description>
|
||||
## Execute newrole in the newrole domain, and
|
||||
## allow the specified role the newrole domain,
|
||||
@ -232,15 +232,15 @@ define(`selinux_domtrans_newrole_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_run_newrole',`
|
||||
define(`seutil_run_newrole',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
selinux_domtrans_newrole($1)
|
||||
seutil_domtrans_newrole($1)
|
||||
role $2 types newrole_t;
|
||||
allow newrole_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`selinux_run_newrole_depend',`
|
||||
define(`seutil_run_newrole_depend',`
|
||||
type newrole_t;
|
||||
|
||||
class chr_file { getattr read write ioctl };
|
||||
@ -248,22 +248,22 @@ define(`selinux_run_newrole_depend',`
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_exec_newrole(domain)
|
||||
# seutil_exec_newrole(domain)
|
||||
#
|
||||
define(`selinux_exec_newrole',`
|
||||
define(`seutil_exec_newrole',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
can_exec($1,newrole_exec_t)
|
||||
')
|
||||
|
||||
define(`selinux_exec_newrole_depend',`
|
||||
define(`seutil_exec_newrole_depend',`
|
||||
type newrole_t, newrole_exec_t;
|
||||
|
||||
class file { rx_file_perms execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_dontaudit_newrole_signal">
|
||||
## <interface name="seutil_dontaudit_newrole_signal">
|
||||
## <description>
|
||||
## Do not audit the caller attempts to send
|
||||
## a signal to newrole.
|
||||
@ -273,13 +273,13 @@ define(`selinux_exec_newrole_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_dontaudit_newrole_signal',`
|
||||
define(`seutil_dontaudit_newrole_signal',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
dontaudit $1 newrole_t:process signal;
|
||||
')
|
||||
|
||||
define(`selinux_dontaudit_newrole_signal_depend',`
|
||||
define(`seutil_dontaudit_newrole_signal_depend',`
|
||||
type newrole_t;
|
||||
|
||||
class process signal;
|
||||
@ -287,15 +287,15 @@ define(`selinux_dontaudit_newrole_signal_depend',`
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_newrole_sigchld(domain)
|
||||
# seutil_newrole_sigchld(domain)
|
||||
#
|
||||
define(`selinux_newrole_sigchld',`
|
||||
define(`seutil_newrole_sigchld',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 newrole_t:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_newrole_sigchld_depend',`
|
||||
define(`seutil_newrole_sigchld_depend',`
|
||||
type newrole_t;
|
||||
|
||||
class process sigchld;
|
||||
@ -303,22 +303,22 @@ define(`selinux_newrole_sigchld_depend',`
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_use_newrole_fd(domain)
|
||||
# seutil_use_newrole_fd(domain)
|
||||
#
|
||||
define(`selinux_use_newrole_fd',`
|
||||
define(`seutil_use_newrole_fd',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 newrole_t:fd use;
|
||||
')
|
||||
|
||||
define(`selinux_use_newrole_fd_depend',`
|
||||
define(`seutil_use_newrole_fd_depend',`
|
||||
type newrole_t;
|
||||
|
||||
class fd use;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <interface name="selinux_domtrans_restorecon">
|
||||
## <interface name="seutil_domtrans_restorecon">
|
||||
## <description>
|
||||
## Execute restorecon in the restorecon domain.
|
||||
## </description>
|
||||
@ -327,7 +327,7 @@ define(`selinux_use_newrole_fd_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_domtrans_restorecon',`
|
||||
define(`seutil_domtrans_restorecon',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 restorecon_exec_t:file rx_file_perms;
|
||||
@ -341,7 +341,7 @@ define(`selinux_domtrans_restorecon',`
|
||||
allow restorecon_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_domtrans_restorecon_depend',`
|
||||
define(`seutil_domtrans_restorecon_depend',`
|
||||
type restorecon_t, restorecon_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
@ -351,7 +351,7 @@ define(`selinux_domtrans_restorecon_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_run_restorecon">
|
||||
## <interface name="seutil_run_restorecon">
|
||||
## <description>
|
||||
## Execute restorecon in the restorecon domain, and
|
||||
## allow the specified role the restorecon domain,
|
||||
@ -368,15 +368,15 @@ define(`selinux_domtrans_restorecon_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_run_restorecon',`
|
||||
define(`seutil_run_restorecon',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
selinux_domtrans_restorecon($1)
|
||||
seutil_domtrans_restorecon($1)
|
||||
role $2 types restorecon_t;
|
||||
allow restorecon_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`selinux_run_restorecon_depend',`
|
||||
define(`seutil_run_restorecon_depend',`
|
||||
type restorecon_t;
|
||||
|
||||
class chr_file { getattr read write ioctl };
|
||||
@ -384,21 +384,21 @@ define(`selinux_run_restorecon_depend',`
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_exec_restorecon(domain)
|
||||
# seutil_exec_restorecon(domain)
|
||||
#
|
||||
define(`selinux_exec_restorecon',`
|
||||
define(`seutil_exec_restorecon',`
|
||||
gen_require(`$0'_depend)
|
||||
can_exec($1,restorecon_exec_t)
|
||||
')
|
||||
|
||||
define(`selinux_exec_restorecon_depend',`
|
||||
define(`seutil_exec_restorecon_depend',`
|
||||
type restorecon_t, restorecon_exec_t;
|
||||
|
||||
class file { rx_file_perms execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_domtrans_runinit">
|
||||
## <interface name="seutil_domtrans_runinit">
|
||||
## <description>
|
||||
## Execute run_init in the run_init domain.
|
||||
## </description>
|
||||
@ -407,7 +407,7 @@ define(`selinux_exec_restorecon_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_domtrans_runinit',`
|
||||
define(`seutil_domtrans_runinit',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 run_init_exec_t:file rx_file_perms;
|
||||
@ -421,7 +421,7 @@ define(`selinux_domtrans_runinit',`
|
||||
allow run_init_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_domtrans_runinit_depend',`
|
||||
define(`seutil_domtrans_runinit_depend',`
|
||||
type run_init_t, run_init_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
@ -431,7 +431,7 @@ define(`selinux_domtrans_runinit_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_run_runinit">
|
||||
## <interface name="seutil_run_runinit">
|
||||
## <description>
|
||||
## Execute run_init in the run_init domain, and
|
||||
## allow the specified role the run_init domain,
|
||||
@ -448,15 +448,15 @@ define(`selinux_domtrans_runinit_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_run_runinit',`
|
||||
define(`seutil_run_runinit',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
selinux_domtrans_runinit($1)
|
||||
seutil_domtrans_runinit($1)
|
||||
role $2 types run_init_t;
|
||||
allow run_init_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`selinux_run_runinit_depend',`
|
||||
define(`seutil_run_runinit_depend',`
|
||||
type run_init_t;
|
||||
|
||||
class chr_file { getattr read write ioctl };
|
||||
@ -464,22 +464,22 @@ define(`selinux_run_runinit_depend',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_use_runinit_fd(domain)
|
||||
# seutil_use_runinit_fd(domain)
|
||||
#
|
||||
define(`selinux_use_runinit_fd',`
|
||||
define(`seutil_use_runinit_fd',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 run_init_t:fd use;
|
||||
')
|
||||
|
||||
define(`selinux_use_runinit_fd_depend',`
|
||||
define(`seutil_use_runinit_fd_depend',`
|
||||
type run_init_t;
|
||||
|
||||
class fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_domtrans_setfiles">
|
||||
## <interface name="seutil_domtrans_setfiles">
|
||||
## <description>
|
||||
## Execute setfiles in the setfiles domain.
|
||||
## </description>
|
||||
@ -488,7 +488,7 @@ define(`selinux_use_runinit_fd_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_domtrans_setfiles',`
|
||||
define(`seutil_domtrans_setfiles',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 setfiles_exec_t:file rx_file_perms;
|
||||
@ -502,7 +502,7 @@ define(`selinux_domtrans_setfiles',`
|
||||
allow setfiles_t $1:process sigchld;
|
||||
')
|
||||
|
||||
define(`selinux_domtrans_setfiles_depend',`
|
||||
define(`seutil_domtrans_setfiles_depend',`
|
||||
type setfiles_t, setfiles_exec_t;
|
||||
|
||||
class file rx_file_perms;
|
||||
@ -512,7 +512,7 @@ define(`selinux_domtrans_setfiles_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_run_setfiles">
|
||||
## <interface name="seutil_run_setfiles">
|
||||
## <description>
|
||||
## Execute setfiles in the setfiles domain, and
|
||||
## allow the specified role the setfiles domain,
|
||||
@ -529,15 +529,15 @@ define(`selinux_domtrans_setfiles_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_run_setfiles',`
|
||||
define(`seutil_run_setfiles',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
selinux_domtrans_setfiles($1)
|
||||
seutil_domtrans_setfiles($1)
|
||||
role $2 types setfiles_t;
|
||||
allow setfiles_t $3:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
define(`selinux_run_setfiles_depend',`
|
||||
define(`seutil_run_setfiles_depend',`
|
||||
type setfiles_t;
|
||||
|
||||
class chr_file { getattr read write ioctl };
|
||||
@ -545,15 +545,15 @@ define(`selinux_run_setfiles_depend',`
|
||||
|
||||
#######################################
|
||||
#
|
||||
# selinux_exec_setfiles(domain)
|
||||
# seutil_exec_setfiles(domain)
|
||||
#
|
||||
define(`selinux_exec_setfiles',`
|
||||
define(`seutil_exec_setfiles',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
can_exec($1,setfiles_exec_t)
|
||||
')
|
||||
|
||||
define(`selinux_exec_setfiles_depend',`
|
||||
define(`seutil_exec_setfiles_depend',`
|
||||
type setfiles_exec_t;
|
||||
|
||||
class file { rx_file_perms execute_no_trans };
|
||||
@ -561,16 +561,16 @@ define(`selinux_exec_setfiles_depend',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_config(domain)
|
||||
# seutil_read_config(domain)
|
||||
#
|
||||
define(`selinux_read_config',`
|
||||
define(`seutil_read_config',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 selinux_config_t:dir r_dir_perms;
|
||||
allow $1 selinux_config_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_read_config_depend',`
|
||||
define(`seutil_read_config_depend',`
|
||||
type selinux_config_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
@ -579,9 +579,9 @@ define(`selinux_read_config_depend',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_default_contexts(domain)
|
||||
# seutil_read_default_contexts(domain)
|
||||
#
|
||||
define(`selinux_read_default_contexts',`
|
||||
define(`seutil_read_default_contexts',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 selinux_config_t:dir search;
|
||||
@ -589,7 +589,7 @@ define(`selinux_read_default_contexts',`
|
||||
allow $1 default_context_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_read_default_contexts_depend',`
|
||||
define(`seutil_read_default_contexts_depend',`
|
||||
type selinux_config_t, default_context_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
@ -598,9 +598,9 @@ define(`selinux_read_default_contexts_depend',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_file_contexts(domain)
|
||||
# seutil_read_file_contexts(domain)
|
||||
#
|
||||
define(`selinux_read_file_contexts',`
|
||||
define(`seutil_read_file_contexts',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 selinux_config_t:dir search;
|
||||
@ -608,7 +608,7 @@ define(`selinux_read_file_contexts',`
|
||||
allow $1 file_context_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_read_file_contexts_depend',`
|
||||
define(`seutil_read_file_contexts_depend',`
|
||||
type selinux_config_t, file_context_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
@ -617,16 +617,16 @@ define(`selinux_read_file_contexts_depend',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_binary_pol(domain)
|
||||
# seutil_read_binary_pol(domain)
|
||||
#
|
||||
define(`selinux_read_binary_pol',`
|
||||
define(`seutil_read_binary_pol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 policy_config_t:dir r_dir_perms;
|
||||
allow $1 policy_config_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_read_binary_pol_depend',`
|
||||
define(`seutil_read_binary_pol_depend',`
|
||||
type policy_config_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
@ -635,9 +635,9 @@ define(`selinux_read_binary_pol_depend',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_write_binary_pol(domain)
|
||||
# seutil_write_binary_pol(domain)
|
||||
#
|
||||
define(`selinux_write_binary_pol',`
|
||||
define(`seutil_write_binary_pol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 policy_config_t:dir rw_dir_perms;
|
||||
@ -645,7 +645,7 @@ define(`selinux_write_binary_pol',`
|
||||
typeattribute $1 can_write_binary_policy;
|
||||
')
|
||||
|
||||
define(`selinux_write_binary_pol_depend',`
|
||||
define(`seutil_write_binary_pol_depend',`
|
||||
attribute can_write_binary_policy;
|
||||
|
||||
type policy_config_t;
|
||||
@ -655,7 +655,7 @@ define(`selinux_write_binary_pol_depend',`
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="selinux_relabelto_binary_pol">
|
||||
## <interface name="seutil_relabelto_binary_pol">
|
||||
## <description>
|
||||
## Allow the caller to relabel a file to the binary policy type.
|
||||
## </description>
|
||||
@ -664,14 +664,14 @@ define(`selinux_write_binary_pol_depend',`
|
||||
## </parameter>
|
||||
## </interface>
|
||||
#
|
||||
define(`selinux_relabelto_binary_pol',`
|
||||
define(`seutil_relabelto_binary_pol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
allow $1 policy_config_t:file relabelto;
|
||||
typeattribute $1 can_relabelto_binary_policy;
|
||||
')
|
||||
|
||||
define(`selinux_relabelto_binary_pol_depend',`
|
||||
define(`seutil_relabelto_binary_pol_depend',`
|
||||
attribute can_relabelto_binary_policy;
|
||||
|
||||
type policy_config_t;
|
||||
@ -681,9 +681,9 @@ define(`selinux_relabelto_binary_pol_depend',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_manage_binary_pol(domain)
|
||||
# seutil_manage_binary_pol(domain)
|
||||
#
|
||||
define(`selinux_manage_binary_pol',`
|
||||
define(`seutil_manage_binary_pol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
# FIXME: search etc_t:dir
|
||||
@ -693,7 +693,7 @@ define(`selinux_manage_binary_pol',`
|
||||
typeattribute $1 can_write_binary_policy;
|
||||
')
|
||||
|
||||
define(`selinux_manage_binary_pol_depend',`
|
||||
define(`seutil_manage_binary_pol_depend',`
|
||||
attribute can_write_binary_policy;
|
||||
|
||||
type selinux_config_t, policy_config_t;
|
||||
@ -703,9 +703,9 @@ define(`selinux_manage_binary_pol_depend',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_src_pol(domain)
|
||||
# seutil_read_src_pol(domain)
|
||||
#
|
||||
define(`selinux_read_src_pol',`
|
||||
define(`seutil_read_src_pol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
# FIXME: search etc_t:dir
|
||||
@ -714,7 +714,7 @@ define(`selinux_read_src_pol',`
|
||||
allow $1 policy_src_t:file r_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_read_src_pol_depend',`
|
||||
define(`seutil_read_src_pol_depend',`
|
||||
type selinux_config_t, policy_src_t;
|
||||
|
||||
class dir r_dir_perms;
|
||||
@ -723,9 +723,9 @@ define(`selinux_read_src_pol_depend',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# selinux_manage_src_pol(domain)
|
||||
# seutil_manage_src_pol(domain)
|
||||
#
|
||||
define(`selinux_manage_src_pol',`
|
||||
define(`seutil_manage_src_pol',`
|
||||
gen_require(`$0'_depend)
|
||||
|
||||
# FIXME: search etc_t:dir
|
||||
@ -734,7 +734,7 @@ define(`selinux_manage_src_pol',`
|
||||
allow $1 policy_src_t:file create_file_perms;
|
||||
')
|
||||
|
||||
define(`selinux_manage_src_pol_depend',`
|
||||
define(`seutil_manage_src_pol_depend',`
|
||||
type selinux_config_t, policy_src_t;
|
||||
|
||||
class dir create_dir_perms;
|
||||
|
||||
@ -149,9 +149,9 @@ allow load_policy_t selinux_config_t:dir r_dir_perms;
|
||||
allow load_policy_t selinux_config_t:file r_file_perms;
|
||||
allow load_policy_t selinux_config_t:lnk_file r_file_perms;
|
||||
|
||||
kernel_get_selinuxfs_mount_point(load_policy_t)
|
||||
kernel_load_policy(load_policy_t)
|
||||
kernel_set_boolean(load_policy_t)
|
||||
selinux_get_fs_mount(load_policy_t)
|
||||
selinux_load_policy(load_policy_t)
|
||||
selinux_set_boolean(load_policy_t)
|
||||
|
||||
fs_getattr_xattr_fs(load_policy_t)
|
||||
|
||||
@ -196,12 +196,12 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
kernel_read_system_state(newrole_t)
|
||||
kernel_read_kernel_sysctl(newrole_t)
|
||||
kernel_get_selinuxfs_mount_point(newrole_t)
|
||||
kernel_validate_context(newrole_t)
|
||||
kernel_compute_access_vector(newrole_t)
|
||||
kernel_compute_create_context(newrole_t)
|
||||
kernel_compute_relabel_context(newrole_t)
|
||||
kernel_compute_reachable_user_contexts(newrole_t)
|
||||
selinux_get_fs_mount(newrole_t)
|
||||
selinux_validate_context(newrole_t)
|
||||
selinux_compute_access_vector(newrole_t)
|
||||
selinux_compute_create_context(newrole_t)
|
||||
selinux_compute_relabel_context(newrole_t)
|
||||
selinux_compute_user_contexts(newrole_t)
|
||||
|
||||
dev_read_urand(newrole_t)
|
||||
|
||||
@ -280,12 +280,12 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
|
||||
|
||||
kernel_use_fd(restorecon_t)
|
||||
kernel_read_system_state(restorecon_t)
|
||||
kernel_get_selinuxfs_mount_point(restorecon_t)
|
||||
kernel_validate_context(restorecon_t)
|
||||
kernel_compute_access_vector(restorecon_t)
|
||||
kernel_compute_create_context(restorecon_t)
|
||||
kernel_compute_relabel_context(restorecon_t)
|
||||
kernel_compute_reachable_user_contexts(restorecon_t)
|
||||
selinux_get_fs_mount(restorecon_t)
|
||||
selinux_validate_context(restorecon_t)
|
||||
selinux_compute_access_vector(restorecon_t)
|
||||
selinux_compute_create_context(restorecon_t)
|
||||
selinux_compute_relabel_context(restorecon_t)
|
||||
selinux_compute_user_contexts(restorecon_t)
|
||||
|
||||
fs_getattr_xattr_fs(restorecon_t)
|
||||
|
||||
@ -343,12 +343,12 @@ allow restorecon_t kernel_t:fifo_file { read write };
|
||||
# Run_init local policy
|
||||
#
|
||||
|
||||
kernel_get_selinuxfs_mount_point(run_init_t)
|
||||
kernel_validate_context(run_init_t)
|
||||
kernel_compute_access_vector(run_init_t)
|
||||
kernel_compute_create_context(run_init_t)
|
||||
kernel_compute_relabel_context(run_init_t)
|
||||
kernel_compute_reachable_user_contexts(run_init_t)
|
||||
selinux_get_fs_mount(run_init_t)
|
||||
selinux_validate_context(run_init_t)
|
||||
selinux_compute_access_vector(run_init_t)
|
||||
selinux_compute_create_context(run_init_t)
|
||||
selinux_compute_relabel_context(run_init_t)
|
||||
selinux_compute_user_contexts(run_init_t)
|
||||
|
||||
ifdef(`targeted_policy',`',`
|
||||
allow run_init_t self:process setexec;
|
||||
@ -385,8 +385,8 @@ ifdef(`targeted_policy',`',`
|
||||
libs_use_ld_so(run_init_t)
|
||||
libs_use_shared_libs(run_init_t)
|
||||
|
||||
selinux_read_config(run_init_t)
|
||||
selinux_read_default_contexts(run_init_t)
|
||||
seutil_read_config(run_init_t)
|
||||
seutil_read_default_contexts(run_init_t)
|
||||
|
||||
miscfiles_read_localization(run_init_t)
|
||||
|
||||
@ -414,12 +414,12 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
|
||||
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
|
||||
|
||||
kernel_read_system_state(setfiles_t)
|
||||
kernel_get_selinuxfs_mount_point(setfiles_t)
|
||||
kernel_validate_context(setfiles_t)
|
||||
kernel_compute_access_vector(setfiles_t)
|
||||
kernel_compute_create_context(setfiles_t)
|
||||
kernel_compute_relabel_context(setfiles_t)
|
||||
kernel_compute_reachable_user_contexts(setfiles_t)
|
||||
selinux_get_fs_mount(setfiles_t)
|
||||
selinux_validate_context(setfiles_t)
|
||||
selinux_compute_access_vector(setfiles_t)
|
||||
selinux_compute_create_context(setfiles_t)
|
||||
selinux_compute_relabel_context(setfiles_t)
|
||||
selinux_compute_user_contexts(setfiles_t)
|
||||
|
||||
fs_getattr_xattr_fs(setfiles_t)
|
||||
|
||||
|
||||
@ -157,7 +157,7 @@ optional_policy(`nscd.te',`
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(dhcpc_t)
|
||||
seutil_newrole_sigchld(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te',`
|
||||
@ -285,7 +285,7 @@ logging_send_syslog_msg(ifconfig_t)
|
||||
|
||||
miscfiles_read_localization(ifconfig_t)
|
||||
|
||||
selinux_use_runinit_fd(ifconfig_t)
|
||||
seutil_use_runinit_fd(ifconfig_t)
|
||||
|
||||
userdom_use_all_user_fd(ifconfig_t)
|
||||
|
||||
|
||||
@ -71,12 +71,12 @@ kernel_read_hotplug_sysctl(udev_t)
|
||||
kernel_read_modprobe_sysctl(udev_t)
|
||||
kernel_read_kernel_sysctl(udev_t)
|
||||
dev_read_sysfs(udev_t)
|
||||
kernel_get_selinuxfs_mount_point(udev_t)
|
||||
kernel_validate_context(udev_t)
|
||||
kernel_compute_access_vector(udev_t)
|
||||
kernel_compute_create_context(udev_t)
|
||||
kernel_compute_relabel_context(udev_t)
|
||||
kernel_compute_reachable_user_contexts(udev_t)
|
||||
selinux_get_fs_mount(udev_t)
|
||||
selinux_validate_context(udev_t)
|
||||
selinux_compute_access_vector(udev_t)
|
||||
selinux_compute_create_context(udev_t)
|
||||
selinux_compute_relabel_context(udev_t)
|
||||
selinux_compute_user_contexts(udev_t)
|
||||
|
||||
dev_manage_dev_nodes(udev_t)
|
||||
|
||||
@ -107,10 +107,10 @@ miscfiles_read_localization(udev_t)
|
||||
|
||||
modutils_domtrans_insmod(udev_t)
|
||||
|
||||
selinux_read_config(udev_t)
|
||||
selinux_read_default_contexts(udev_t)
|
||||
selinux_read_file_contexts(udev_t)
|
||||
selinux_domtrans_restorecon(udev_t)
|
||||
seutil_read_config(udev_t)
|
||||
seutil_read_default_contexts(udev_t)
|
||||
seutil_read_file_contexts(udev_t)
|
||||
seutil_domtrans_restorecon(udev_t)
|
||||
|
||||
sysnet_domtrans_ifconfig(udev_t)
|
||||
|
||||
|
||||
@ -102,7 +102,7 @@ define(`base_user_domain',`
|
||||
per_userdomain_templates($1)
|
||||
|
||||
kernel_read_kernel_sysctl($1_t)
|
||||
kernel_get_selinuxfs_mount_point($1_t)
|
||||
selinux_get_fs_mount($1_t)
|
||||
# Very permissive allowing every domain to see every type:
|
||||
kernel_get_sysvipc_info($1_t)
|
||||
# Find CDROM devices:
|
||||
@ -170,7 +170,7 @@ define(`base_user_domain',`
|
||||
miscfiles_read_localization($1_t)
|
||||
miscfiles_rw_man_cache($1_t)
|
||||
|
||||
selinux_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
|
||||
|
||||
mta_rw_spool($1_t)
|
||||
|
||||
@ -475,10 +475,10 @@ define(`user_domain_template', `
|
||||
|
||||
miscfiles_read_man_pages($1_t)
|
||||
|
||||
selinux_read_config($1_t)
|
||||
seutil_read_config($1_t)
|
||||
# Allow users to execute checkpolicy without a domain transition
|
||||
# so it can be used without privilege to write real binary policy file
|
||||
selinux_exec_checkpol($1_t)
|
||||
seutil_exec_checkpol($1_t)
|
||||
|
||||
tunable_policy(`user_dmesg',`
|
||||
kernel_read_ring_buffer($1_t)
|
||||
@ -500,7 +500,7 @@ define(`user_domain_template', `
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
# for when the network connection is killed
|
||||
selinux_dontaudit_newrole_signal($1_t)
|
||||
seutil_dontaudit_newrole_signal($1_t)
|
||||
')
|
||||
|
||||
# Need the following rule to allow users to run vpnc
|
||||
@ -664,16 +664,16 @@ define(`admin_domain_template',`
|
||||
kernel_read_ring_buffer($1_t)
|
||||
kernel_get_sysvipc_info($1_t)
|
||||
kernel_rw_all_sysctl($1_t)
|
||||
kernel_set_enforcement_mode($1_t)
|
||||
kernel_set_boolean($1_t)
|
||||
kernel_set_security_parameters($1_t)
|
||||
selinux_set_enforce_mode($1_t)
|
||||
selinux_set_boolean($1_t)
|
||||
selinux_set_parameters($1_t)
|
||||
# Get security policy decisions:
|
||||
kernel_get_selinuxfs_mount_point($1_t)
|
||||
kernel_validate_context($1_t)
|
||||
kernel_compute_access_vector($1_t)
|
||||
kernel_compute_create_context($1_t)
|
||||
kernel_compute_relabel_context($1_t)
|
||||
kernel_compute_reachable_user_contexts($1_t)
|
||||
selinux_get_fs_mount($1_t)
|
||||
selinux_validate_context($1_t)
|
||||
selinux_compute_access_vector($1_t)
|
||||
selinux_compute_create_context($1_t)
|
||||
selinux_compute_relabel_context($1_t)
|
||||
selinux_compute_user_contexts($1_t)
|
||||
# signal unlabeled processes:
|
||||
kernel_kill_unlabeled($1_t)
|
||||
kernel_signal_unlabeled($1_t)
|
||||
@ -722,14 +722,14 @@ define(`admin_domain_template',`
|
||||
|
||||
modutils_domtrans_insmod($1_t)
|
||||
|
||||
selinux_read_config($1_t)
|
||||
seutil_read_config($1_t)
|
||||
# The following rule is temporary until such time that a complete
|
||||
# policy management infrastructure is in place so that an administrator
|
||||
# cannot directly manipulate policy files with arbitrary programs.
|
||||
selinux_manage_src_pol($1_t)
|
||||
seutil_manage_src_pol($1_t)
|
||||
# Violates the goal of limiting write access to checkpolicy.
|
||||
# But presently necessary for installing the file_contexts file.
|
||||
selinux_manage_binary_pol($1_t)
|
||||
seutil_manage_binary_pol($1_t)
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
cron_admin_template($1)
|
||||
|
||||
@ -112,12 +112,12 @@ optional_policy(`rpm.te',`
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
|
||||
selinux_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
|
||||
selinux_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
|
||||
selinux_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
|
||||
optional_policy(`targeted_policy',`',`
|
||||
selinux_run_runinit(sysadm_t,sysadm_r,admin_terminal)
|
||||
seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
')
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user