finish renaming system/selinux to system/selinuxutil

Chris PeBenito 2005-06-14 20:48:34 +00:00
parent ff7bc148e4
commit 5e0da6a03e
25 changed files with 298 additions and 298 deletions


@ -56,7 +56,7 @@ ifdef(`targeted_policy', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_sigchld(dmesg_t) seutil_newrole_sigchld(dmesg_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
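Review bot: The guard around the renamed call still names `selinux.te`, although the call inside is now `seutil_newrole_sigchld(dmesg_t)`. If the utilities module file is now `selinuxutil.te`, as the commit title suggests, and the `selinux_*` interfaces used elsewhere in this commit belong to a separate module, the guard tests for the wrong module. The SIGCHLD rule would then be included or dropped independently of the module that defines `newrole_t`, so the guard argument should presumably become `selinuxutil.te`. The same unchanged guard wraps the renamed calls for sendmail_t, $1_chkpwd_t, pam_console_t, hwclock_t, hostname_t, hotplug_t, iptables_t, auditd_t and syslogd_t. The enclosing `ifdef` starts outside the hunk, so the build-time behaviour of the guard cannot be confirmed from here.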


@ -95,12 +95,12 @@ allow rpm_t rpm_var_lib_t:dir rw_dir_perms;
kernel_read_system_state(rpm_t) kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctl(rpm_t) kernel_read_kernel_sysctl(rpm_t)
kernel_get_selinuxfs_mount_point(rpm_t) selinux_get_fs_mount(rpm_t)
kernel_validate_context(rpm_t) selinux_validate_context(rpm_t)
kernel_compute_access_vector(rpm_t) selinux_compute_access_vector(rpm_t)
kernel_compute_create_context(rpm_t) selinux_compute_create_context(rpm_t)
kernel_compute_relabel_context(rpm_t) selinux_compute_relabel_context(rpm_t)
kernel_compute_reachable_user_contexts(rpm_t) selinux_compute_user_contexts(rpm_t)
corenet_tcp_sendrecv_all_if(rpm_t) corenet_tcp_sendrecv_all_if(rpm_t)
corenet_raw_sendrecv_all_if(rpm_t) corenet_raw_sendrecv_all_if(rpm_t)
@ -149,8 +149,8 @@ libs_domtrans_ldconfig(rpm_t)
logging_send_syslog_msg(rpm_t) logging_send_syslog_msg(rpm_t)
# allow compiling and loading new policy # allow compiling and loading new policy
selinux_manage_src_pol(rpm_t) seutil_manage_src_pol(rpm_t)
selinux_manage_binary_pol(rpm_t) seutil_manage_binary_pol(rpm_t)
sysnet_read_config(rpm_t) sysnet_read_config(rpm_t)
@ -245,12 +245,12 @@ allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctl(rpm_script_t) kernel_read_kernel_sysctl(rpm_script_t)
kernel_get_selinuxfs_mount_point(rpm_script_t) selinux_get_fs_mount(rpm_script_t)
kernel_validate_context(rpm_script_t) selinux_validate_context(rpm_script_t)
kernel_compute_access_vector(rpm_script_t) selinux_compute_access_vector(rpm_script_t)
kernel_compute_create_context(rpm_script_t) selinux_compute_create_context(rpm_script_t)
kernel_compute_relabel_context(rpm_script_t) selinux_compute_relabel_context(rpm_script_t)
kernel_compute_reachable_user_contexts(rpm_script_t) selinux_compute_user_contexts(rpm_script_t)
kernel_read_system_state(rpm_script_t) kernel_read_system_state(rpm_script_t)
# ideally we would not need this # ideally we would not need this
@ -303,8 +303,8 @@ miscfiles_read_localization(rpm_script_t)
modutils_domtrans_depmod(rpm_script_t) modutils_domtrans_depmod(rpm_script_t)
modutils_domtrans_insmod(rpm_script_t) modutils_domtrans_insmod(rpm_script_t)
selinux_domtrans_loadpol(rpm_script_t) seutil_domtrans_loadpol(rpm_script_t)
selinux_domtrans_restorecon(rpm_script_t) seutil_domtrans_restorecon(rpm_script_t)
userdom_use_all_user_fd(rpm_script_t) userdom_use_all_user_fd(rpm_script_t)
@ -347,14 +347,14 @@ allow sshd_t rpm_script_t:fd use;
# can transition to this domain, nor can it # can transition to this domain, nor can it
# really do anything useful. # really do anything useful.
kernel_get_selinuxfs_mount_point(rpmbuild_t) selinux_get_fs_mount(rpmbuild_t)
kernel_validate_context(rpmbuild_t) selinux_validate_context(rpmbuild_t)
kernel_compute_access_vector(rpmbuild_t) selinux_compute_access_vector(rpmbuild_t)
kernel_compute_create_context(rpmbuild_t) selinux_compute_create_context(rpmbuild_t)
kernel_compute_relabel_context(rpmbuild_t) selinux_compute_relabel_context(rpmbuild_t)
kernel_compute_reachable_user_contexts(rpmbuild_t) selinux_compute_user_contexts(rpmbuild_t)
selinux_read_src_pol(rpmbuild_t) seutil_read_src_pol(rpmbuild_t)
ifdef(`TODO',` ifdef(`TODO',`


@ -77,12 +77,12 @@ allow chfn_t self:msgq create_msgq_perms;
allow chfn_t self:msg { send receive }; allow chfn_t self:msg { send receive };
kernel_read_system_state(chfn_t) kernel_read_system_state(chfn_t)
kernel_get_selinuxfs_mount_point(chfn_t) selinux_get_fs_mount(chfn_t)
kernel_validate_context(chfn_t) selinux_validate_context(chfn_t)
kernel_compute_access_vector(chfn_t) selinux_compute_access_vector(chfn_t)
kernel_compute_create_context(chfn_t) selinux_compute_create_context(chfn_t)
kernel_compute_relabel_context(chfn_t) selinux_compute_relabel_context(chfn_t)
kernel_compute_reachable_user_contexts(chfn_t) selinux_compute_user_contexts(chfn_t)
term_use_all_user_ttys(chfn_t) term_use_all_user_ttys(chfn_t)
term_use_all_user_ptys(chfn_t) term_use_all_user_ptys(chfn_t)
@ -210,12 +210,12 @@ allow groupadd_t self:msgq create_msgq_perms;
allow groupadd_t self:msg { send receive }; allow groupadd_t self:msg { send receive };
# Allow access to context for shadow file # Allow access to context for shadow file
kernel_get_selinuxfs_mount_point(groupadd_t) selinux_get_fs_mount(groupadd_t)
kernel_validate_context(groupadd_t) selinux_validate_context(groupadd_t)
kernel_compute_access_vector(groupadd_t) selinux_compute_access_vector(groupadd_t)
kernel_compute_create_context(groupadd_t) selinux_compute_create_context(groupadd_t)
kernel_compute_relabel_context(groupadd_t) selinux_compute_relabel_context(groupadd_t)
kernel_compute_reachable_user_contexts(groupadd_t) selinux_compute_user_contexts(groupadd_t)
fs_getattr_xattr_fs(groupadd_t) fs_getattr_xattr_fs(groupadd_t)
@ -243,7 +243,7 @@ miscfiles_read_localization(groupadd_t)
auth_manage_shadow(groupadd_t) auth_manage_shadow(groupadd_t)
auth_rw_lastlog(groupadd_t) auth_rw_lastlog(groupadd_t)
selinux_read_config(groupadd_t) seutil_read_config(groupadd_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types groupadd_t; role sysadm_r types groupadd_t;
@ -285,12 +285,12 @@ allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive }; allow passwd_t self:msg { send receive };
kernel_get_selinuxfs_mount_point(passwd_t) selinux_get_fs_mount(passwd_t)
kernel_validate_context(passwd_t) selinux_validate_context(passwd_t)
kernel_compute_access_vector(passwd_t) selinux_compute_access_vector(passwd_t)
kernel_compute_create_context(passwd_t) selinux_compute_create_context(passwd_t)
kernel_compute_relabel_context(passwd_t) selinux_compute_relabel_context(passwd_t)
kernel_compute_reachable_user_contexts(passwd_t) selinux_compute_user_contexts(passwd_t)
# for SSP # for SSP
dev_read_urand(passwd_t) dev_read_urand(passwd_t)
@ -382,12 +382,12 @@ allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
files_create_tmp_files(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir }) files_create_tmp_files(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
files_search_var(sysadm_passwd_t) files_search_var(sysadm_passwd_t)
kernel_get_selinuxfs_mount_point(sysadm_passwd_t) selinux_get_fs_mount(sysadm_passwd_t)
kernel_validate_context(sysadm_passwd_t) selinux_validate_context(sysadm_passwd_t)
kernel_compute_access_vector(sysadm_passwd_t) selinux_compute_access_vector(sysadm_passwd_t)
kernel_compute_create_context(sysadm_passwd_t) selinux_compute_create_context(sysadm_passwd_t)
kernel_compute_relabel_context(sysadm_passwd_t) selinux_compute_relabel_context(sysadm_passwd_t)
kernel_compute_reachable_user_contexts(sysadm_passwd_t) selinux_compute_user_contexts(sysadm_passwd_t)
# for /proc/meminfo # for /proc/meminfo
kernel_read_system_state(sysadm_passwd_t) kernel_read_system_state(sysadm_passwd_t)
@ -474,12 +474,12 @@ allow useradd_t self:msgq create_msgq_perms;
allow useradd_t self:msg { send receive }; allow useradd_t self:msg { send receive };
# Allow access to context for shadow file # Allow access to context for shadow file
kernel_get_selinuxfs_mount_point(useradd_t) selinux_get_fs_mount(useradd_t)
kernel_validate_context(useradd_t) selinux_validate_context(useradd_t)
kernel_compute_access_vector(useradd_t) selinux_compute_access_vector(useradd_t)
kernel_compute_create_context(useradd_t) selinux_compute_create_context(useradd_t)
kernel_compute_relabel_context(useradd_t) selinux_compute_relabel_context(useradd_t)
kernel_compute_reachable_user_contexts(useradd_t) selinux_compute_user_contexts(useradd_t)
# for getting the number of groups # for getting the number of groups
kernel_read_kernel_sysctl(useradd_t) kernel_read_kernel_sysctl(useradd_t)
@ -505,7 +505,7 @@ corecmd_exec_sbin(useradd_t)
miscfiles_read_localization(useradd_t) miscfiles_read_localization(useradd_t)
selinux_read_config(useradd_t) seutil_read_config(useradd_t)
logging_send_syslog_msg(useradd_t) logging_send_syslog_msg(useradd_t)


@ -136,8 +136,8 @@ logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t) miscfiles_read_localization(bootloader_t)
selinux_read_binary_pol(bootloader_t) seutil_read_binary_pol(bootloader_t)
selinux_read_loadpol(bootloader_t) seutil_read_loadpol(bootloader_t)
ifdef(`distro_debian', ` ifdef(`distro_debian', `
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };


@ -91,7 +91,7 @@ define(`cron_per_userdomain_template',`
logging_search_logs($1_crond_t) logging_search_logs($1_crond_t)
selinux_read_config($1_crond_t) seutil_read_config($1_crond_t)
miscfiles_read_localization($1_crond_t) miscfiles_read_localization($1_crond_t)
@ -224,18 +224,18 @@ define(`cron_admin_template',`
#allow $1_crontab_t user_cron_spool_t:file unlink; #allow $1_crontab_t user_cron_spool_t:file unlink;
# Manipulate other users crontab. # Manipulate other users crontab.
kernel_get_selinuxfs_mount_point($1_crontab_t) selinux_get_fs_mount($1_crontab_t)
kernel_validate_context($1_crontab_t) selinux_validate_context($1_crontab_t)
kernel_compute_access_vector($1_crontab_t) selinux_compute_access_vector($1_crontab_t)
kernel_compute_create_context($1_crontab_t) selinux_compute_create_context($1_crontab_t)
kernel_compute_relabel_context($1_crontab_t) selinux_compute_relabel_context($1_crontab_t)
kernel_compute_reachable_user_contexts($1_crontab_t) selinux_compute_user_contexts($1_crontab_t)
tunable_policy(`fcron_crond', ` tunable_policy(`fcron_crond', `
# fcron wants an instant update of a crontab change for the administrator # fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u # also crontab does a security check for crontab -u
allow $1_crontab_t self:process setfscreate; allow $1_crontab_t self:process setfscreate;
kernel_get_selinuxfs_mount_point($1_crontab_t) selinux_get_fs_mount($1_crontab_t)
') ')
') ')
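Review bot: The `selinux_get_fs_mount($1_crontab_t)` call inside the `fcron_crond` tunable block repeats the unconditional call a few lines earlier in the same template, so the tunable effectively adds only `self:process setfscreate`. Dropping the duplicate would make it obvious what the tunable actually changes. Alternatively, keep it and add a comment such as `# selinuxfs lookup is already granted unconditionally above`. The `cron_admin_template` definition starts outside the hunk.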


@ -77,12 +77,12 @@ allow crond_t system_cron_spool_t:file r_file_perms;
kernel_read_kernel_sysctl(crond_t) kernel_read_kernel_sysctl(crond_t)
dev_read_sysfs(crond_t) dev_read_sysfs(crond_t)
kernel_get_selinuxfs_mount_point(crond_t) selinux_get_fs_mount(crond_t)
kernel_validate_context(crond_t) selinux_validate_context(crond_t)
kernel_compute_access_vector(crond_t) selinux_compute_access_vector(crond_t)
kernel_compute_create_context(crond_t) selinux_compute_create_context(crond_t)
kernel_compute_relabel_context(crond_t) selinux_compute_relabel_context(crond_t)
kernel_compute_reachable_user_contexts(crond_t) selinux_compute_user_contexts(crond_t)
dev_read_urand(crond_t) dev_read_urand(crond_t)
@ -109,9 +109,9 @@ libs_use_shared_libs(crond_t)
logging_send_syslog_msg(crond_t) logging_send_syslog_msg(crond_t)
selinux_read_config(crond_t) seutil_read_config(crond_t)
selinux_read_default_contexts(crond_t) seutil_read_default_contexts(crond_t)
selinux_newrole_sigchld(crond_t) seutil_newrole_sigchld(crond_t)
miscfiles_read_localization(crond_t) miscfiles_read_localization(crond_t)
@ -287,18 +287,18 @@ miscfiles_read_localization(system_crond_t)
miscfiles_read_man_pages(system_crond_t) miscfiles_read_man_pages(system_crond_t)
miscfiles_rw_man_cache(system_crond_t) miscfiles_rw_man_cache(system_crond_t)
selinux_read_config(system_crond_t) seutil_read_config(system_crond_t)
tunable_policy(`cron_can_relabel',` tunable_policy(`cron_can_relabel',`
selinux_domtrans_setfiles(system_crond_t) seutil_domtrans_setfiles(system_crond_t)
',` ',`
kernel_get_selinuxfs_mount_point(system_crond_t) selinux_get_fs_mount(system_crond_t)
kernel_validate_context(system_crond_t) selinux_validate_context(system_crond_t)
kernel_compute_access_vector(system_crond_t) selinux_compute_access_vector(system_crond_t)
kernel_compute_create_context(system_crond_t) selinux_compute_create_context(system_crond_t)
kernel_compute_relabel_context(system_crond_t) selinux_compute_relabel_context(system_crond_t)
kernel_compute_reachable_user_contexts(system_crond_t) selinux_compute_user_contexts(system_crond_t)
selinux_read_file_contexts(system_crond_t) seutil_read_file_contexts(system_crond_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`


@ -43,12 +43,12 @@ files_create_tmp_files(remote_login_t, remote_login_tmp_t, { file dir })
kernel_read_system_state(remote_login_t) kernel_read_system_state(remote_login_t)
kernel_read_kernel_sysctl(remote_login_t) kernel_read_kernel_sysctl(remote_login_t)
kernel_get_selinuxfs_mount_point(remote_login_t) selinux_get_fs_mount(remote_login_t)
kernel_validate_context(remote_login_t) selinux_validate_context(remote_login_t)
kernel_compute_access_vector(remote_login_t) selinux_compute_access_vector(remote_login_t)
kernel_compute_create_context(remote_login_t) selinux_compute_create_context(remote_login_t)
kernel_compute_relabel_context(remote_login_t) selinux_compute_relabel_context(remote_login_t)
kernel_compute_reachable_user_contexts(remote_login_t) selinux_compute_user_contexts(remote_login_t)
# for SSP/ProPolice # for SSP/ProPolice
dev_read_urand(remote_login_t) dev_read_urand(remote_login_t)
@ -69,8 +69,8 @@ libs_use_shared_libs(remote_login_t)
logging_send_syslog_msg(remote_login_t) logging_send_syslog_msg(remote_login_t)
selinux_read_config(remote_login_t) seutil_read_config(remote_login_t)
selinux_read_default_contexts(remote_login_t) seutil_read_default_contexts(remote_login_t)
auth_domtrans_chk_passwd(remote_login_t) auth_domtrans_chk_passwd(remote_login_t)
auth_dontaudit_read_shadow(remote_login_t) auth_dontaudit_read_shadow(remote_login_t)


@ -95,7 +95,7 @@ ifdef(`targeted_policy', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_sigchld(sendmail_t) seutil_newrole_sigchld(sendmail_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `


@ -55,7 +55,7 @@ define(`authlogin_per_userdomain_template',`
miscfiles_read_localization($1_chkpwd_t) miscfiles_read_localization($1_chkpwd_t)
selinux_read_config($1_chkpwd_t) seutil_read_config($1_chkpwd_t)
#can_ypbind($1_chkpwd_t) #can_ypbind($1_chkpwd_t)
#can_kerberos($1_chkpwd_t) #can_kerberos($1_chkpwd_t)
@ -88,7 +88,7 @@ define(`authlogin_per_userdomain_template',`
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_use_newrole_fd($1_chkpwd_t) seutil_use_newrole_fd($1_chkpwd_t)
') ')
') dnl end authlogin_per_userdomain_template ') dnl end authlogin_per_userdomain_template


@ -165,7 +165,7 @@ libs_use_shared_libs(pam_console_t)
logging_send_syslog_msg(pam_console_t) logging_send_syslog_msg(pam_console_t)
selinux_read_file_contexts(pam_console_t) seutil_read_file_contexts(pam_console_t)
userdom_dontaudit_use_unpriv_user_fd(pam_console_t) userdom_dontaudit_use_unpriv_user_fd(pam_console_t)
@ -185,7 +185,7 @@ optional_policy(`hotplug.te', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_sigchld(pam_console_t) seutil_newrole_sigchld(pam_console_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
@ -250,7 +250,7 @@ logging_send_syslog_msg(system_chkpwd_t)
miscfiles_read_localization(system_chkpwd_t) miscfiles_read_localization(system_chkpwd_t)
selinux_read_config(system_chkpwd_t) seutil_read_config(system_chkpwd_t)
tunable_policy(`use_dns',` tunable_policy(`use_dns',`
allow system_chkpwd_t self:udp_socket create_socket_perms; allow system_chkpwd_t self:udp_socket create_socket_perms;


@ -64,7 +64,7 @@ ifdef(`targeted_policy', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_sigchld(hwclock_t) seutil_newrole_sigchld(hwclock_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `


@ -166,7 +166,7 @@ define(`files_relabel_all_files',`
allow $1 { file_type $2 }:chr_file { getattr relabelfrom }; allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
# satisfy the assertions: # satisfy the assertions:
selinux_relabelto_binary_pol($1) seutil_relabelto_binary_pol($1)
') ')
define(`files_relabel_all_files_depend',` define(`files_relabel_all_files_depend',`
@ -206,7 +206,7 @@ define(`files_manage_all_files',`
allow $1 { file_type $2 }:sock_file create_file_perms; allow $1 { file_type $2 }:sock_file create_file_perms;
# satisfy the assertions: # satisfy the assertions:
selinux_write_binary_pol($1) seutil_write_binary_pol($1)
bootloader_manage_kernel_modules($1) bootloader_manage_kernel_modules($1)
') ')


@ -80,7 +80,7 @@ optional_policy(`hotplug.te',`
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_sigchld(hostname_t) seutil_newrole_sigchld(hostname_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `


@ -140,7 +140,7 @@ optional_policy(`mta.te', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_sigchld(hotplug_t) seutil_newrole_sigchld(hotplug_t)
') ')
optional_policy(`sysnetwork.te',` optional_policy(`sysnetwork.te',`


@ -88,7 +88,7 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
# Run init scripts. # Run init scripts.
domain_auto_trans(init_t,initrc_exec_t,initrc_t) domain_auto_trans(init_t,initrc_exec_t,initrc_t)
kernel_set_boolean(init_t) selinux_set_boolean(init_t)
kernel_read_system_state(init_t) kernel_read_system_state(init_t)
dev_read_sysfs(init_t) dev_read_sysfs(init_t)
kernel_share_state(init_t) kernel_share_state(init_t)
@ -123,7 +123,7 @@ libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t) logging_send_syslog_msg(init_t)
logging_rw_generic_logs(init_t) logging_rw_generic_logs(init_t)
selinux_read_config(init_t) seutil_read_config(init_t)
miscfiles_read_localization(init_t) miscfiles_read_localization(init_t)
@ -184,7 +184,7 @@ dev_read_sysfs(initrc_t)
dev_rw_sysfs(initrc_t) dev_rw_sysfs(initrc_t)
kernel_read_all_sysctl(initrc_t) kernel_read_all_sysctl(initrc_t)
kernel_rw_all_sysctl(initrc_t) kernel_rw_all_sysctl(initrc_t)
kernel_get_selinux_enforcement_mode(initrc_t) selinux_get_enforce_mode(initrc_t)
dev_list_usbfs(initrc_t) dev_list_usbfs(initrc_t)
# for lsof which is used by alsa shutdown: # for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t) kernel_dontaudit_getattr_message_if(initrc_t)
@ -283,7 +283,7 @@ miscfiles_read_localization(initrc_t)
modutils_read_module_conf(initrc_t) modutils_read_module_conf(initrc_t)
selinux_read_config(initrc_t) seutil_read_config(initrc_t)
sysnet_read_config(initrc_t) sysnet_read_config(initrc_t)
@ -308,7 +308,7 @@ ifdef(`distro_redhat',`
kernel_dontaudit_use_fd(initrc_t) kernel_dontaudit_use_fd(initrc_t)
files_dontaudit_read_root_file(initrc_t) files_dontaudit_read_root_file(initrc_t)
kernel_set_enforcement_mode(initrc_t) selinux_set_enforce_mode(initrc_t)
# Create and read /boot/kernel.h and /boot/System.map. # Create and read /boot/kernel.h and /boot/System.map.
# Redhat systems typically create this file at boot time. # Redhat systems typically create this file at boot time.


@ -89,7 +89,7 @@ optional_policy(`modutils.te', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_sigchld(iptables_t) seutil_newrole_sigchld(iptables_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `


@ -53,12 +53,12 @@ files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
kernel_read_system_state(local_login_t) kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctl(local_login_t) kernel_read_kernel_sysctl(local_login_t)
kernel_get_selinuxfs_mount_point(local_login_t) selinux_get_fs_mount(local_login_t)
kernel_validate_context(local_login_t) selinux_validate_context(local_login_t)
kernel_compute_access_vector(local_login_t) selinux_compute_access_vector(local_login_t)
kernel_compute_create_context(local_login_t) selinux_compute_create_context(local_login_t)
kernel_compute_relabel_context(local_login_t) selinux_compute_relabel_context(local_login_t)
kernel_compute_reachable_user_contexts(local_login_t) selinux_compute_user_contexts(local_login_t)
# for SSP/ProPolice # for SSP/ProPolice
dev_read_urand(local_login_t) dev_read_urand(local_login_t)
@ -95,8 +95,8 @@ logging_send_syslog_msg(local_login_t)
miscfiles_read_localization(local_login_t) miscfiles_read_localization(local_login_t)
selinux_read_config(local_login_t) seutil_read_config(local_login_t)
selinux_read_default_contexts(local_login_t) seutil_read_default_contexts(local_login_t)
userdom_spec_domtrans_all_users(local_login_t) userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t) userdom_signal_all_users(local_login_t)
@ -223,8 +223,8 @@ libs_use_shared_libs(sulogin_t)
logging_send_syslog_msg(sulogin_t) logging_send_syslog_msg(sulogin_t)
selinux_read_config(sulogin_t) seutil_read_config(sulogin_t)
selinux_read_default_contexts(sulogin_t) seutil_read_default_contexts(sulogin_t)
auth_read_shadow(sulogin_t) auth_read_shadow(sulogin_t)
@ -242,12 +242,12 @@ ifdef(`sulogin_no_pam', `
init_get_process_group(sulogin_t) init_get_process_group(sulogin_t)
', ` ', `
allow sulogin_t self:process setexec; allow sulogin_t self:process setexec;
kernel_get_selinuxfs_mount_point(sulogin_t) selinux_get_fs_mount(sulogin_t)
kernel_validate_context(sulogin_t) selinux_validate_context(sulogin_t)
kernel_compute_access_vector(sulogin_t) selinux_compute_access_vector(sulogin_t)
kernel_compute_create_context(sulogin_t) selinux_compute_create_context(sulogin_t)
kernel_compute_relabel_context(sulogin_t) selinux_compute_relabel_context(sulogin_t)
kernel_compute_reachable_user_contexts(sulogin_t) selinux_compute_user_contexts(sulogin_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`


@ -86,7 +86,7 @@ ifdef(`targeted_policy', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_sigchld(auditd_t) seutil_newrole_sigchld(auditd_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
@ -250,7 +250,7 @@ ifdef(`targeted_policy', `
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_sigchld(syslogd_t) seutil_newrole_sigchld(syslogd_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `


@ -69,12 +69,12 @@ type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
files_create_etc_config(lvm_t,lvm_metadata_t,file) files_create_etc_config(lvm_t,lvm_metadata_t,file)
kernel_read_system_state(lvm_t) kernel_read_system_state(lvm_t)
kernel_get_selinuxfs_mount_point(lvm_t) selinux_get_fs_mount(lvm_t)
kernel_validate_context(lvm_t) selinux_validate_context(lvm_t)
kernel_compute_access_vector(lvm_t) selinux_compute_access_vector(lvm_t)
kernel_compute_create_context(lvm_t) selinux_compute_create_context(lvm_t)
kernel_compute_relabel_context(lvm_t) selinux_compute_relabel_context(lvm_t)
kernel_compute_reachable_user_contexts(lvm_t) selinux_compute_user_contexts(lvm_t)
kernel_read_kernel_sysctl(lvm_t) kernel_read_kernel_sysctl(lvm_t)
dev_read_sysfs(lvm_t) dev_read_sysfs(lvm_t)
# Read /sys/block. Device mapper metadata is kept there. # Read /sys/block. Device mapper metadata is kept there.
@ -132,9 +132,9 @@ logging_send_syslog_msg(lvm_t)
miscfiles_read_localization(lvm_t) miscfiles_read_localization(lvm_t)
selinux_read_config(lvm_t) seutil_read_config(lvm_t)
selinux_read_file_contexts(lvm_t) seutil_read_file_contexts(lvm_t)
selinux_newrole_sigchld(lvm_t) seutil_newrole_sigchld(lvm_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
# this is from the initrd: # this is from the initrd:


@ -2,7 +2,7 @@
## <summary>Policy for SELinux policy and userland applications.</summary> ## <summary>Policy for SELinux policy and userland applications.</summary>
####################################### #######################################
## <interface name="selinux_domtrans_checkpol"> ## <interface name="seutil_domtrans_checkpol">
## <description> ## <description>
## Execute checkpolicy in the checkpolicy domain. ## Execute checkpolicy in the checkpolicy domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_domtrans_checkpol',` define(`seutil_domtrans_checkpol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 checkpolicy_exec_t:file rx_file_perms; allow $1 checkpolicy_exec_t:file rx_file_perms;
@ -25,7 +25,7 @@ define(`selinux_domtrans_checkpol',`
allow checkpolicy_t $1:process sigchld; allow checkpolicy_t $1:process sigchld;
') ')
define(`selinux_domtrans_checkpol_depend',` define(`seutil_domtrans_checkpol_depend',`
type checkpolicy_t, checkpolicy_exec_t; type checkpolicy_t, checkpolicy_exec_t;
class file rx_file_perms class file rx_file_perms
@ -35,7 +35,7 @@ define(`selinux_domtrans_checkpol_depend',`
') ')
######################################## ########################################
## <interface name="selinux_run_checkpol"> ## <interface name="seutil_run_checkpol">
## <description> ## <description>
## Execute checkpolicy in the checkpolicy domain, and ## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain, ## allow the specified role the checkpolicy domain,
@ -53,15 +53,15 @@ define(`selinux_domtrans_checkpol_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_run_checkpol',` define(`seutil_run_checkpol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
selinux_domtrans_checkpol($1) seutil_domtrans_checkpol($1)
role $2 types checkpolicy_t; role $2 types checkpolicy_t;
allow checkpolicy_t $3:chr_file { getattr read write ioctl }; allow checkpolicy_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_run_checkpol_depend',` define(`seutil_run_checkpol_depend',`
type checkpolicy_t; type checkpolicy_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -69,22 +69,22 @@ define(`selinux_run_checkpol_depend',`
####################################### #######################################
# #
# selinux_exec_checkpol(domain) # seutil_exec_checkpol(domain)
# #
define(`selinux_exec_checkpol',` define(`seutil_exec_checkpol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
can_exec($1,checkpolicy_exec_t) can_exec($1,checkpolicy_exec_t)
') ')
define(`selinux_exec_checkpol_depend',` define(`seutil_exec_checkpol_depend',`
type checkpolicy_exec_t; type checkpolicy_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
') ')
####################################### #######################################
## <interface name="selinux_domtrans_loadpol"> ## <interface name="seutil_domtrans_loadpol">
## <description> ## <description>
## Execute load_policy in the load_policy domain. ## Execute load_policy in the load_policy domain.
## </description> ## </description>
@ -93,7 +93,7 @@ define(`selinux_exec_checkpol_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_domtrans_loadpol',` define(`seutil_domtrans_loadpol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 load_policy_exec_t:file rx_file_perms; allow $1 load_policy_exec_t:file rx_file_perms;
@ -107,7 +107,7 @@ define(`selinux_domtrans_loadpol',`
allow load_policy_t $1:process sigchld; allow load_policy_t $1:process sigchld;
') ')
define(`selinux_domtrans_loadpol_depend',` define(`seutil_domtrans_loadpol_depend',`
type load_policy_t, load_policy_exec_t; type load_policy_t, load_policy_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -117,7 +117,7 @@ define(`selinux_domtrans_loadpol_depend',`
') ')
######################################## ########################################
## <interface name="selinux_run_loadpol"> ## <interface name="seutil_run_loadpol">
## <description> ## <description>
## Execute load_policy in the load_policy domain, and ## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain, ## allow the specified role the load_policy domain,
@ -135,15 +135,15 @@ define(`selinux_domtrans_loadpol_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_run_loadpol',` define(`seutil_run_loadpol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
selinux_domtrans_loadpol($1) seutil_domtrans_loadpol($1)
role $2 types load_policy_t; role $2 types load_policy_t;
allow load_policy_t $3:chr_file { getattr read write ioctl }; allow load_policy_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_run_loadpol_depend',` define(`seutil_run_loadpol_depend',`
type load_policy_t; type load_policy_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -151,15 +151,15 @@ define(`selinux_run_loadpol_depend',`
####################################### #######################################
# #
# selinux_exec_loadpol(domain) # seutil_exec_loadpol(domain)
# #
define(`selinux_exec_loadpol',` define(`seutil_exec_loadpol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
can_exec($1,load_policy_exec_t) can_exec($1,load_policy_exec_t)
') ')
define(`selinux_exec_loadpol_depend',` define(`seutil_exec_loadpol_depend',`
type load_policy_exec_t; type load_policy_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
@ -167,22 +167,22 @@ define(`selinux_exec_loadpol_depend',`
####################################### #######################################
# #
# selinux_read_loadpol(domain) # seutil_read_loadpol(domain)
# #
define(`selinux_read_loadpol',` define(`seutil_read_loadpol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 load_policy_exec_t:file r_file_perms; allow $1 load_policy_exec_t:file r_file_perms;
') ')
define(`selinux_read_loadpol_depend',` define(`seutil_read_loadpol_depend',`
type load_policy_exec_t; type load_policy_exec_t;
class file r_file_perms class file r_file_perms
') ')
####################################### #######################################
## <interface name="selinux_domtrans_newrole"> ## <interface name="seutil_domtrans_newrole">
## <description> ## <description>
## Execute newrole in the load_policy domain. ## Execute newrole in the load_policy domain.
## </description> ## </description>
@ -191,7 +191,7 @@ define(`selinux_read_loadpol_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_domtrans_newrole',` define(`seutil_domtrans_newrole',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 newrole_exec_t:file rx_file_perms; allow $1 newrole_exec_t:file rx_file_perms;
@ -205,7 +205,7 @@ define(`selinux_domtrans_newrole',`
allow newrole_t $1:process sigchld; allow newrole_t $1:process sigchld;
') ')
define(`selinux_domtrans_newrole_depend',` define(`seutil_domtrans_newrole_depend',`
type newrole_t, newrole_exec_t; type newrole_t, newrole_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -215,7 +215,7 @@ define(`selinux_domtrans_newrole_depend',`
') ')
######################################## ########################################
## <interface name="selinux_run_newrole"> ## <interface name="seutil_run_newrole">
## <description> ## <description>
## Execute newrole in the newrole domain, and ## Execute newrole in the newrole domain, and
## allow the specified role the newrole domain, ## allow the specified role the newrole domain,
@ -232,15 +232,15 @@ define(`selinux_domtrans_newrole_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_run_newrole',` define(`seutil_run_newrole',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
selinux_domtrans_newrole($1) seutil_domtrans_newrole($1)
role $2 types newrole_t; role $2 types newrole_t;
allow newrole_t $3:chr_file { getattr read write ioctl }; allow newrole_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_run_newrole_depend',` define(`seutil_run_newrole_depend',`
type newrole_t; type newrole_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -248,22 +248,22 @@ define(`selinux_run_newrole_depend',`
####################################### #######################################
# #
# selinux_exec_newrole(domain) # seutil_exec_newrole(domain)
# #
define(`selinux_exec_newrole',` define(`seutil_exec_newrole',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
can_exec($1,newrole_exec_t) can_exec($1,newrole_exec_t)
') ')
define(`selinux_exec_newrole_depend',` define(`seutil_exec_newrole_depend',`
type newrole_t, newrole_exec_t; type newrole_t, newrole_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
') ')
######################################## ########################################
## <interface name="selinux_dontaudit_newrole_signal"> ## <interface name="seutil_dontaudit_newrole_signal">
## <description> ## <description>
## Do not audit the caller attempts to send ## Do not audit the caller attempts to send
## a signal to newrole. ## a signal to newrole.
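Review bot: `seutil_exec_newrole_depend` requires `type newrole_t, newrole_exec_t;` although the interface body only references `newrole_exec_t`, through `can_exec($1,newrole_exec_t)`. `seutil_exec_setfiles_depend` later in this file requires only `setfiles_exec_t`, so unless `can_exec` needs the domain type (its expansion is not shown here), the requirement can be narrowed to `type newrole_exec_t;`. `seutil_exec_restorecon_depend` carries the same extra `restorecon_t`. A minimal depend block also matches the `execute_no_trans` permission it lists, which indicates the program runs in the caller's domain rather than in `newrole_t`.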
@ -273,13 +273,13 @@ define(`selinux_exec_newrole_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_dontaudit_newrole_signal',` define(`seutil_dontaudit_newrole_signal',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
dontaudit $1 newrole_t:process signal; dontaudit $1 newrole_t:process signal;
') ')
define(`selinux_dontaudit_newrole_signal_depend',` define(`seutil_dontaudit_newrole_signal_depend',`
type newrole_t; type newrole_t;
class process signal; class process signal;
@ -287,15 +287,15 @@ define(`selinux_dontaudit_newrole_signal_depend',`
####################################### #######################################
# #
# selinux_newrole_sigchld(domain) # seutil_newrole_sigchld(domain)
# #
define(`selinux_newrole_sigchld',` define(`seutil_newrole_sigchld',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 newrole_t:process sigchld; allow $1 newrole_t:process sigchld;
') ')
define(`selinux_newrole_sigchld_depend',` define(`seutil_newrole_sigchld_depend',`
type newrole_t; type newrole_t;
class process sigchld; class process sigchld;
@ -303,22 +303,22 @@ define(`selinux_newrole_sigchld_depend',`
####################################### #######################################
# #
# selinux_use_newrole_fd(domain) # seutil_use_newrole_fd(domain)
# #
define(`selinux_use_newrole_fd',` define(`seutil_use_newrole_fd',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 newrole_t:fd use; allow $1 newrole_t:fd use;
') ')
define(`selinux_use_newrole_fd_depend',` define(`seutil_use_newrole_fd_depend',`
type newrole_t; type newrole_t;
class fd use; class fd use;
') ')
####################################### #######################################
## <interface name="selinux_domtrans_restorecon"> ## <interface name="seutil_domtrans_restorecon">
## <description> ## <description>
## Execute restorecon in the restorecon domain. ## Execute restorecon in the restorecon domain.
## </description> ## </description>
@ -327,7 +327,7 @@ define(`selinux_use_newrole_fd_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_domtrans_restorecon',` define(`seutil_domtrans_restorecon',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 restorecon_exec_t:file rx_file_perms; allow $1 restorecon_exec_t:file rx_file_perms;
@ -341,7 +341,7 @@ define(`selinux_domtrans_restorecon',`
allow restorecon_t $1:process sigchld; allow restorecon_t $1:process sigchld;
') ')
define(`selinux_domtrans_restorecon_depend',` define(`seutil_domtrans_restorecon_depend',`
type restorecon_t, restorecon_exec_t; type restorecon_t, restorecon_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -351,7 +351,7 @@ define(`selinux_domtrans_restorecon_depend',`
') ')
######################################## ########################################
## <interface name="selinux_run_restorecon"> ## <interface name="seutil_run_restorecon">
## <description> ## <description>
## Execute restorecon in the restorecon domain, and ## Execute restorecon in the restorecon domain, and
## allow the specified role the restorecon domain, ## allow the specified role the restorecon domain,
@ -368,15 +368,15 @@ define(`selinux_domtrans_restorecon_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_run_restorecon',` define(`seutil_run_restorecon',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
selinux_domtrans_restorecon($1) seutil_domtrans_restorecon($1)
role $2 types restorecon_t; role $2 types restorecon_t;
allow restorecon_t $3:chr_file { getattr read write ioctl }; allow restorecon_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_run_restorecon_depend',` define(`seutil_run_restorecon_depend',`
type restorecon_t; type restorecon_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -384,21 +384,21 @@ define(`selinux_run_restorecon_depend',`
####################################### #######################################
# #
# selinux_exec_restorecon(domain) # seutil_exec_restorecon(domain)
# #
define(`selinux_exec_restorecon',` define(`seutil_exec_restorecon',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
can_exec($1,restorecon_exec_t) can_exec($1,restorecon_exec_t)
') ')
define(`selinux_exec_restorecon_depend',` define(`seutil_exec_restorecon_depend',`
type restorecon_t, restorecon_exec_t; type restorecon_t, restorecon_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
') ')
######################################## ########################################
## <interface name="selinux_domtrans_runinit"> ## <interface name="seutil_domtrans_runinit">
## <description> ## <description>
## Execute run_init in the run_init domain. ## Execute run_init in the run_init domain.
## </description> ## </description>
@ -407,7 +407,7 @@ define(`selinux_exec_restorecon_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_domtrans_runinit',` define(`seutil_domtrans_runinit',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 run_init_exec_t:file rx_file_perms; allow $1 run_init_exec_t:file rx_file_perms;
@ -421,7 +421,7 @@ define(`selinux_domtrans_runinit',`
allow run_init_t $1:process sigchld; allow run_init_t $1:process sigchld;
') ')
define(`selinux_domtrans_runinit_depend',` define(`seutil_domtrans_runinit_depend',`
type run_init_t, run_init_exec_t; type run_init_t, run_init_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -431,7 +431,7 @@ define(`selinux_domtrans_runinit_depend',`
') ')
######################################## ########################################
## <interface name="selinux_run_runinit"> ## <interface name="seutil_run_runinit">
## <description> ## <description>
## Execute run_init in the run_init domain, and ## Execute run_init in the run_init domain, and
## allow the specified role the run_init domain, ## allow the specified role the run_init domain,
@ -448,15 +448,15 @@ define(`selinux_domtrans_runinit_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_run_runinit',` define(`seutil_run_runinit',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
selinux_domtrans_runinit($1) seutil_domtrans_runinit($1)
role $2 types run_init_t; role $2 types run_init_t;
allow run_init_t $3:chr_file { getattr read write ioctl }; allow run_init_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_run_runinit_depend',` define(`seutil_run_runinit_depend',`
type run_init_t; type run_init_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -464,22 +464,22 @@ define(`selinux_run_runinit_depend',`
######################################## ########################################
# #
# selinux_use_runinit_fd(domain) # seutil_use_runinit_fd(domain)
# #
define(`selinux_use_runinit_fd',` define(`seutil_use_runinit_fd',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 run_init_t:fd use; allow $1 run_init_t:fd use;
') ')
define(`selinux_use_runinit_fd_depend',` define(`seutil_use_runinit_fd_depend',`
type run_init_t; type run_init_t;
class fd use; class fd use;
') ')
######################################## ########################################
## <interface name="selinux_domtrans_setfiles"> ## <interface name="seutil_domtrans_setfiles">
## <description> ## <description>
## Execute setfiles in the setfiles domain. ## Execute setfiles in the setfiles domain.
## </description> ## </description>
@ -488,7 +488,7 @@ define(`selinux_use_runinit_fd_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_domtrans_setfiles',` define(`seutil_domtrans_setfiles',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 setfiles_exec_t:file rx_file_perms; allow $1 setfiles_exec_t:file rx_file_perms;
@ -502,7 +502,7 @@ define(`selinux_domtrans_setfiles',`
allow setfiles_t $1:process sigchld; allow setfiles_t $1:process sigchld;
') ')
define(`selinux_domtrans_setfiles_depend',` define(`seutil_domtrans_setfiles_depend',`
type setfiles_t, setfiles_exec_t; type setfiles_t, setfiles_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -512,7 +512,7 @@ define(`selinux_domtrans_setfiles_depend',`
') ')
######################################## ########################################
## <interface name="selinux_run_setfiles"> ## <interface name="seutil_run_setfiles">
## <description> ## <description>
## Execute setfiles in the setfiles domain, and ## Execute setfiles in the setfiles domain, and
## allow the specified role the setfiles domain, ## allow the specified role the setfiles domain,
@ -529,15 +529,15 @@ define(`selinux_domtrans_setfiles_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_run_setfiles',` define(`seutil_run_setfiles',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
selinux_domtrans_setfiles($1) seutil_domtrans_setfiles($1)
role $2 types setfiles_t; role $2 types setfiles_t;
allow setfiles_t $3:chr_file { getattr read write ioctl }; allow setfiles_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_run_setfiles_depend',` define(`seutil_run_setfiles_depend',`
type setfiles_t; type setfiles_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -545,15 +545,15 @@ define(`selinux_run_setfiles_depend',`
####################################### #######################################
# #
# selinux_exec_setfiles(domain) # seutil_exec_setfiles(domain)
# #
define(`selinux_exec_setfiles',` define(`seutil_exec_setfiles',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
can_exec($1,setfiles_exec_t) can_exec($1,setfiles_exec_t)
') ')
define(`selinux_exec_setfiles_depend',` define(`seutil_exec_setfiles_depend',`
type setfiles_exec_t; type setfiles_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
@ -561,16 +561,16 @@ define(`selinux_exec_setfiles_depend',`
######################################## ########################################
# #
# selinux_read_config(domain) # seutil_read_config(domain)
# #
define(`selinux_read_config',` define(`seutil_read_config',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 selinux_config_t:dir r_dir_perms; allow $1 selinux_config_t:dir r_dir_perms;
allow $1 selinux_config_t:file r_file_perms; allow $1 selinux_config_t:file r_file_perms;
') ')
define(`selinux_read_config_depend',` define(`seutil_read_config_depend',`
type selinux_config_t; type selinux_config_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -579,9 +579,9 @@ define(`selinux_read_config_depend',`
######################################## ########################################
# #
# selinux_read_default_contexts(domain) # seutil_read_default_contexts(domain)
# #
define(`selinux_read_default_contexts',` define(`seutil_read_default_contexts',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 selinux_config_t:dir search; allow $1 selinux_config_t:dir search;
@ -589,7 +589,7 @@ define(`selinux_read_default_contexts',`
allow $1 default_context_t:file r_file_perms; allow $1 default_context_t:file r_file_perms;
') ')
define(`selinux_read_default_contexts_depend',` define(`seutil_read_default_contexts_depend',`
type selinux_config_t, default_context_t; type selinux_config_t, default_context_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -598,9 +598,9 @@ define(`selinux_read_default_contexts_depend',`
######################################## ########################################
# #
# selinux_read_file_contexts(domain) # seutil_read_file_contexts(domain)
# #
define(`selinux_read_file_contexts',` define(`seutil_read_file_contexts',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 selinux_config_t:dir search; allow $1 selinux_config_t:dir search;
@ -608,7 +608,7 @@ define(`selinux_read_file_contexts',`
allow $1 file_context_t:file r_file_perms; allow $1 file_context_t:file r_file_perms;
') ')
define(`selinux_read_file_contexts_depend',` define(`seutil_read_file_contexts_depend',`
type selinux_config_t, file_context_t; type selinux_config_t, file_context_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -617,16 +617,16 @@ define(`selinux_read_file_contexts_depend',`
######################################## ########################################
# #
# selinux_read_binary_pol(domain) # seutil_read_binary_pol(domain)
# #
define(`selinux_read_binary_pol',` define(`seutil_read_binary_pol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 policy_config_t:dir r_dir_perms; allow $1 policy_config_t:dir r_dir_perms;
allow $1 policy_config_t:file r_file_perms; allow $1 policy_config_t:file r_file_perms;
') ')
define(`selinux_read_binary_pol_depend',` define(`seutil_read_binary_pol_depend',`
type policy_config_t; type policy_config_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -635,9 +635,9 @@ define(`selinux_read_binary_pol_depend',`
######################################## ########################################
# #
# selinux_write_binary_pol(domain) # seutil_write_binary_pol(domain)
# #
define(`selinux_write_binary_pol',` define(`seutil_write_binary_pol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 policy_config_t:dir rw_dir_perms; allow $1 policy_config_t:dir rw_dir_perms;
@ -645,7 +645,7 @@ define(`selinux_write_binary_pol',`
typeattribute $1 can_write_binary_policy; typeattribute $1 can_write_binary_policy;
') ')
define(`selinux_write_binary_pol_depend',` define(`seutil_write_binary_pol_depend',`
attribute can_write_binary_policy; attribute can_write_binary_policy;
type policy_config_t; type policy_config_t;
@ -655,7 +655,7 @@ define(`selinux_write_binary_pol_depend',`
') ')
######################################## ########################################
## <interface name="selinux_relabelto_binary_pol"> ## <interface name="seutil_relabelto_binary_pol">
## <description> ## <description>
## Allow the caller to relabel a file to the binary policy type. ## Allow the caller to relabel a file to the binary policy type.
## </description> ## </description>
@ -664,14 +664,14 @@ define(`selinux_write_binary_pol_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_relabelto_binary_pol',` define(`seutil_relabelto_binary_pol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
allow $1 policy_config_t:file relabelto; allow $1 policy_config_t:file relabelto;
typeattribute $1 can_relabelto_binary_policy; typeattribute $1 can_relabelto_binary_policy;
') ')
define(`selinux_relabelto_binary_pol_depend',` define(`seutil_relabelto_binary_pol_depend',`
attribute can_relabelto_binary_policy; attribute can_relabelto_binary_policy;
type policy_config_t; type policy_config_t;
@ -681,9 +681,9 @@ define(`selinux_relabelto_binary_pol_depend',`
######################################## ########################################
# #
# selinux_manage_binary_pol(domain) # seutil_manage_binary_pol(domain)
# #
define(`selinux_manage_binary_pol',` define(`seutil_manage_binary_pol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
# FIXME: search etc_t:dir # FIXME: search etc_t:dir
@ -693,7 +693,7 @@ define(`selinux_manage_binary_pol',`
typeattribute $1 can_write_binary_policy; typeattribute $1 can_write_binary_policy;
') ')
define(`selinux_manage_binary_pol_depend',` define(`seutil_manage_binary_pol_depend',`
attribute can_write_binary_policy; attribute can_write_binary_policy;
type selinux_config_t, policy_config_t; type selinux_config_t, policy_config_t;
@ -703,9 +703,9 @@ define(`selinux_manage_binary_pol_depend',`
######################################## ########################################
# #
# selinux_read_src_pol(domain) # seutil_read_src_pol(domain)
# #
define(`selinux_read_src_pol',` define(`seutil_read_src_pol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
# FIXME: search etc_t:dir # FIXME: search etc_t:dir
@ -714,7 +714,7 @@ define(`selinux_read_src_pol',`
allow $1 policy_src_t:file r_file_perms; allow $1 policy_src_t:file r_file_perms;
') ')
define(`selinux_read_src_pol_depend',` define(`seutil_read_src_pol_depend',`
type selinux_config_t, policy_src_t; type selinux_config_t, policy_src_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -723,9 +723,9 @@ define(`selinux_read_src_pol_depend',`
######################################## ########################################
# #
# selinux_manage_src_pol(domain) # seutil_manage_src_pol(domain)
# #
define(`selinux_manage_src_pol',` define(`seutil_manage_src_pol',`
gen_require(`$0'_depend) gen_require(`$0'_depend)
# FIXME: search etc_t:dir # FIXME: search etc_t:dir
@ -734,7 +734,7 @@ define(`selinux_manage_src_pol',`
allow $1 policy_src_t:file create_file_perms; allow $1 policy_src_t:file create_file_perms;
') ')
define(`selinux_manage_src_pol_depend',` define(`seutil_manage_src_pol_depend',`
type selinux_config_t, policy_src_t; type selinux_config_t, policy_src_t;
class dir create_dir_perms; class dir create_dir_perms;


@ -149,9 +149,9 @@ allow load_policy_t selinux_config_t:dir r_dir_perms;
allow load_policy_t selinux_config_t:file r_file_perms; allow load_policy_t selinux_config_t:file r_file_perms;
allow load_policy_t selinux_config_t:lnk_file r_file_perms; allow load_policy_t selinux_config_t:lnk_file r_file_perms;
kernel_get_selinuxfs_mount_point(load_policy_t) selinux_get_fs_mount(load_policy_t)
kernel_load_policy(load_policy_t) selinux_load_policy(load_policy_t)
kernel_set_boolean(load_policy_t) selinux_set_boolean(load_policy_t)
fs_getattr_xattr_fs(load_policy_t) fs_getattr_xattr_fs(load_policy_t)
@ -196,12 +196,12 @@ allow newrole_t { selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(newrole_t) kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctl(newrole_t) kernel_read_kernel_sysctl(newrole_t)
kernel_get_selinuxfs_mount_point(newrole_t) selinux_get_fs_mount(newrole_t)
kernel_validate_context(newrole_t) selinux_validate_context(newrole_t)
kernel_compute_access_vector(newrole_t) selinux_compute_access_vector(newrole_t)
kernel_compute_create_context(newrole_t) selinux_compute_create_context(newrole_t)
kernel_compute_relabel_context(newrole_t) selinux_compute_relabel_context(newrole_t)
kernel_compute_reachable_user_contexts(newrole_t) selinux_compute_user_contexts(newrole_t)
dev_read_urand(newrole_t) dev_read_urand(newrole_t)
@ -280,12 +280,12 @@ allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_
kernel_use_fd(restorecon_t) kernel_use_fd(restorecon_t)
kernel_read_system_state(restorecon_t) kernel_read_system_state(restorecon_t)
kernel_get_selinuxfs_mount_point(restorecon_t) selinux_get_fs_mount(restorecon_t)
kernel_validate_context(restorecon_t) selinux_validate_context(restorecon_t)
kernel_compute_access_vector(restorecon_t) selinux_compute_access_vector(restorecon_t)
kernel_compute_create_context(restorecon_t) selinux_compute_create_context(restorecon_t)
kernel_compute_relabel_context(restorecon_t) selinux_compute_relabel_context(restorecon_t)
kernel_compute_reachable_user_contexts(restorecon_t) selinux_compute_user_contexts(restorecon_t)
fs_getattr_xattr_fs(restorecon_t) fs_getattr_xattr_fs(restorecon_t)
@ -343,12 +343,12 @@ allow restorecon_t kernel_t:fifo_file { read write };
# Run_init local policy # Run_init local policy
# #
kernel_get_selinuxfs_mount_point(run_init_t) selinux_get_fs_mount(run_init_t)
kernel_validate_context(run_init_t) selinux_validate_context(run_init_t)
kernel_compute_access_vector(run_init_t) selinux_compute_access_vector(run_init_t)
kernel_compute_create_context(run_init_t) selinux_compute_create_context(run_init_t)
kernel_compute_relabel_context(run_init_t) selinux_compute_relabel_context(run_init_t)
kernel_compute_reachable_user_contexts(run_init_t) selinux_compute_user_contexts(run_init_t)
ifdef(`targeted_policy',`',` ifdef(`targeted_policy',`',`
allow run_init_t self:process setexec; allow run_init_t self:process setexec;
@ -385,8 +385,8 @@ ifdef(`targeted_policy',`',`
libs_use_ld_so(run_init_t) libs_use_ld_so(run_init_t)
libs_use_shared_libs(run_init_t) libs_use_shared_libs(run_init_t)
selinux_read_config(run_init_t) seutil_read_config(run_init_t)
selinux_read_default_contexts(run_init_t) seutil_read_default_contexts(run_init_t)
miscfiles_read_localization(run_init_t) miscfiles_read_localization(run_init_t)
@ -414,12 +414,12 @@ allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms; allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
kernel_read_system_state(setfiles_t) kernel_read_system_state(setfiles_t)
kernel_get_selinuxfs_mount_point(setfiles_t) selinux_get_fs_mount(setfiles_t)
kernel_validate_context(setfiles_t) selinux_validate_context(setfiles_t)
kernel_compute_access_vector(setfiles_t) selinux_compute_access_vector(setfiles_t)
kernel_compute_create_context(setfiles_t) selinux_compute_create_context(setfiles_t)
kernel_compute_relabel_context(setfiles_t) selinux_compute_relabel_context(setfiles_t)
kernel_compute_reachable_user_contexts(setfiles_t) selinux_compute_user_contexts(setfiles_t)
fs_getattr_xattr_fs(setfiles_t) fs_getattr_xattr_fs(setfiles_t)


@ -157,7 +157,7 @@ optional_policy(`nscd.te',`
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_sigchld(dhcpc_t) seutil_newrole_sigchld(dhcpc_t)
') ')
optional_policy(`udev.te',` optional_policy(`udev.te',`
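Review bot: The guard on this block still names `selinux.te` although the call inside it is now `seutil_newrole_sigchld(dhcpc_t)`, which by the commit title belongs to the renamed system/selinuxutil module. If `optional_policy` keys on the providing module's file name (its definition is not visible here), the block is now conditioned on a different module than the one that defines the interface, so the sigchld rule could be dropped silently or expanded without its provider; the guard should probably name `selinuxutil.te` instead. The same unchanged guard wraps `seutil_dontaudit_newrole_signal($1_t)` in `user_domain_template` and the `seutil_run_*` calls for `sysadm_t` later in this commit.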
@ -285,7 +285,7 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t) miscfiles_read_localization(ifconfig_t)
selinux_use_runinit_fd(ifconfig_t) seutil_use_runinit_fd(ifconfig_t)
userdom_use_all_user_fd(ifconfig_t) userdom_use_all_user_fd(ifconfig_t)


@ -71,12 +71,12 @@ kernel_read_hotplug_sysctl(udev_t)
kernel_read_modprobe_sysctl(udev_t) kernel_read_modprobe_sysctl(udev_t)
kernel_read_kernel_sysctl(udev_t) kernel_read_kernel_sysctl(udev_t)
dev_read_sysfs(udev_t) dev_read_sysfs(udev_t)
kernel_get_selinuxfs_mount_point(udev_t) selinux_get_fs_mount(udev_t)
kernel_validate_context(udev_t) selinux_validate_context(udev_t)
kernel_compute_access_vector(udev_t) selinux_compute_access_vector(udev_t)
kernel_compute_create_context(udev_t) selinux_compute_create_context(udev_t)
kernel_compute_relabel_context(udev_t) selinux_compute_relabel_context(udev_t)
kernel_compute_reachable_user_contexts(udev_t) selinux_compute_user_contexts(udev_t)
dev_manage_dev_nodes(udev_t) dev_manage_dev_nodes(udev_t)
@ -107,10 +107,10 @@ miscfiles_read_localization(udev_t)
modutils_domtrans_insmod(udev_t) modutils_domtrans_insmod(udev_t)
selinux_read_config(udev_t) seutil_read_config(udev_t)
selinux_read_default_contexts(udev_t) seutil_read_default_contexts(udev_t)
selinux_read_file_contexts(udev_t) seutil_read_file_contexts(udev_t)
selinux_domtrans_restorecon(udev_t) seutil_domtrans_restorecon(udev_t)
sysnet_domtrans_ifconfig(udev_t) sysnet_domtrans_ifconfig(udev_t)


@ -102,7 +102,7 @@ define(`base_user_domain',`
per_userdomain_templates($1) per_userdomain_templates($1)
kernel_read_kernel_sysctl($1_t) kernel_read_kernel_sysctl($1_t)
kernel_get_selinuxfs_mount_point($1_t) selinux_get_fs_mount($1_t)
# Very permissive allowing every domain to see every type: # Very permissive allowing every domain to see every type:
kernel_get_sysvipc_info($1_t) kernel_get_sysvipc_info($1_t)
# Find CDROM devices: # Find CDROM devices:
@ -170,7 +170,7 @@ define(`base_user_domain',`
miscfiles_read_localization($1_t) miscfiles_read_localization($1_t)
miscfiles_rw_man_cache($1_t) miscfiles_rw_man_cache($1_t)
selinux_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
mta_rw_spool($1_t) mta_rw_spool($1_t)
@ -475,10 +475,10 @@ define(`user_domain_template', `
miscfiles_read_man_pages($1_t) miscfiles_read_man_pages($1_t)
selinux_read_config($1_t) seutil_read_config($1_t)
# Allow users to execute checkpolicy without a domain transition # Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file # so it can be used without privilege to write real binary policy file
selinux_exec_checkpol($1_t) seutil_exec_checkpol($1_t)
tunable_policy(`user_dmesg',` tunable_policy(`user_dmesg',`
kernel_read_ring_buffer($1_t) kernel_read_ring_buffer($1_t)
@ -500,7 +500,7 @@ define(`user_domain_template', `
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
# for when the network connection is killed # for when the network connection is killed
selinux_dontaudit_newrole_signal($1_t) seutil_dontaudit_newrole_signal($1_t)
') ')
# Need the following rule to allow users to run vpnc # Need the following rule to allow users to run vpnc
@ -664,16 +664,16 @@ define(`admin_domain_template',`
kernel_read_ring_buffer($1_t) kernel_read_ring_buffer($1_t)
kernel_get_sysvipc_info($1_t) kernel_get_sysvipc_info($1_t)
kernel_rw_all_sysctl($1_t) kernel_rw_all_sysctl($1_t)
kernel_set_enforcement_mode($1_t) selinux_set_enforce_mode($1_t)
kernel_set_boolean($1_t) selinux_set_boolean($1_t)
kernel_set_security_parameters($1_t) selinux_set_parameters($1_t)
# Get security policy decisions: # Get security policy decisions:
kernel_get_selinuxfs_mount_point($1_t) selinux_get_fs_mount($1_t)
kernel_validate_context($1_t) selinux_validate_context($1_t)
kernel_compute_access_vector($1_t) selinux_compute_access_vector($1_t)
kernel_compute_create_context($1_t) selinux_compute_create_context($1_t)
kernel_compute_relabel_context($1_t) selinux_compute_relabel_context($1_t)
kernel_compute_reachable_user_contexts($1_t) selinux_compute_user_contexts($1_t)
# signal unlabeled processes: # signal unlabeled processes:
kernel_kill_unlabeled($1_t) kernel_kill_unlabeled($1_t)
kernel_signal_unlabeled($1_t) kernel_signal_unlabeled($1_t)
@ -722,14 +722,14 @@ define(`admin_domain_template',`
modutils_domtrans_insmod($1_t) modutils_domtrans_insmod($1_t)
selinux_read_config($1_t) seutil_read_config($1_t)
# The following rule is temporary until such time that a complete # The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator # policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs. # cannot directly manipulate policy files with arbitrary programs.
selinux_manage_src_pol($1_t) seutil_manage_src_pol($1_t)
# Violates the goal of limiting write access to checkpolicy. # Violates the goal of limiting write access to checkpolicy.
# But presently necessary for installing the file_contexts file. # But presently necessary for installing the file_contexts file.
selinux_manage_binary_pol($1_t) seutil_manage_binary_pol($1_t)
optional_policy(`cron.te',` optional_policy(`cron.te',`
cron_admin_template($1) cron_admin_template($1)


@ -112,12 +112,12 @@ optional_policy(`rpm.te',`
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_run_checkpol(sysadm_t,sysadm_r,admin_terminal) seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
selinux_run_loadpol(sysadm_t,sysadm_r,admin_terminal) seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
selinux_run_restorecon(sysadm_t,sysadm_r,admin_terminal) seutil_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
selinux_run_setfiles(sysadm_t,sysadm_r,admin_terminal) seutil_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
optional_policy(`targeted_policy',`',` optional_policy(`targeted_policy',`',`
selinux_run_runinit(sysadm_t,sysadm_r,admin_terminal) seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
') ')
') ')