diff --git a/refpolicy/Makefile b/refpolicy/Makefile index cb9c184e..7b329843 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile @@ -371,7 +371,7 @@ $(POLXML): $(DETECTED_MODS:.te=.if) $(foreach dir,$(ALL_LAYERS),$(dir)/$(LAYERXM @test -d $(TMPDIR) || mkdir -p $(TMPDIR) $(verbose) echo '' > $@ $(verbose) echo '' >> $@ - $(verbose) $(GENXML) -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o $(DOCS) $(ALL_LAYERS) >> $@ + $(verbose) $(GENXML) -w -m $(LAYERXML) -t $(GLOBALTUN) -b $(GLOBALBOOL) -o $(DOCS) $(ALL_LAYERS) >> $@ $(verbose) if test -x $(XMLLINT) && test -f $(XMLDTD); then \ $(XMLLINT) --noout --path $(dir $(XMLDTD)) --dtdvalid $(XMLDTD) $@ ;\ fi diff --git a/refpolicy/policy/modules/admin/quota.if b/refpolicy/policy/modules/admin/quota.if index 8f4dd73c..8d3bac70 100644 --- a/refpolicy/policy/modules/admin/quota.if +++ b/refpolicy/policy/modules/admin/quota.if @@ -73,6 +73,17 @@ interface(`quota_dontaudit_getattr_db',` dontaudit $1 quota_db_t:file getattr; ') +######################################## +## +## Create, read, write, and delete quota +## flag files. +## +## +## +## Domain to not audit. +## +## +# interface(`quota_manage_flags',` gen_require(` type quota_flag_t; diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if index e51472d8..e4ed9370 100644 --- a/refpolicy/policy/modules/admin/su.if +++ b/refpolicy/policy/modules/admin/su.if @@ -1,5 +1,33 @@ ## Run shells with substitute user and group +####################################### +## +## Restricted su domain template. +## +## +##
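Review bot: The parameter description added for `quota_manage_flags` in quota.if reads `Domain to not audit.`, but the summary directly above it says the interface lets the caller create, read, write, and delete quota flag files, so this is the dontaudit wording pasted onto a granting interface. Anyone using the generated documentation to work out which domains may modify quota flag files would read it as an audit-suppression rule; the line should read `##	Domain allowed access.`. The interface body continues outside the hunk, so the permissions it actually grants are not visible here.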

+## This template creates a derived domain which is allowed
+## to change the linux user id, to run shells as a different
+## user.
+##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# template(`su_restricted_domain_template', ` gen_require(` type su_exec_t; diff --git a/refpolicy/policy/modules/kernel/corecommands.if b/refpolicy/policy/modules/kernel/corecommands.if index 93d38c36..dc642b39 100644 --- a/refpolicy/policy/modules/kernel/corecommands.if +++ b/refpolicy/policy/modules/kernel/corecommands.if @@ -49,6 +49,7 @@ interface(`corecmd_executable_file',` ## Alias type for bin_t. ## ## +# interface(`corecmd_bin_alias',` ifdef(`targeted_policy',` gen_require(` @@ -71,6 +72,7 @@ interface(`corecmd_bin_alias',` ## The domain for which bin_t is an entrypoint. ## ## +# interface(`corecmd_bin_entry_type',` gen_require(` type bin_t; @@ -89,6 +91,7 @@ interface(`corecmd_bin_entry_type',` ## The domain for which sbin programs are an entrypoint. ## ## +# interface(`corecmd_sbin_entry_type',` gen_require(` type sbin_t; @@ -106,6 +109,7 @@ interface(`corecmd_sbin_entry_type',` ## The domain for which the shell is an entrypoint. ## ## +# interface(`corecmd_shell_entry_type',` gen_require(` type shell_exec_t; @@ -115,8 +119,14 @@ interface(`corecmd_shell_entry_type',` ') ######################################## -# -# corecmd_search_bin(domain) +## +## Search the contents of bin directories. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_search_bin',` gen_require(` @@ -127,8 +137,14 @@ interface(`corecmd_search_bin',` ') ######################################## -# -# corecmd_list_bin(domain) +## +## List the contents of bin directories. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_list_bin',` gen_require(` 
@@ -233,8 +249,15 @@ interface(`corecmd_read_bin_sockets',` ') ######################################## -# -# corecmd_exec_bin(domain) +## +## Execute generic programs in bin directories, +## in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_exec_bin',` gen_require(` @@ -395,8 +418,14 @@ interface(`corecmd_bin_domtrans',` ') ######################################## -# -# corecmd_search_sbin(domain) +## +## Search the contents of sbin directories. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_search_sbin',` gen_require(` @@ -426,8 +455,14 @@ interface(`corecmd_dontaudit_search_sbin',` ') ######################################## -# -# corecmd_list_sbin(domain) +## +## List the contents of sbin directories. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_list_sbin',` gen_require(` @@ -438,8 +473,14 @@ interface(`corecmd_list_sbin',` ') ######################################## -# -# corecmd_getattr_sbin_files(domain) +## +## Get the attributes of sbin files. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_getattr_sbin_files',` gen_require(` @@ -450,8 +491,15 @@ interface(`corecmd_getattr_sbin_files',` ') ######################################## -# -# corecmd_dontaudit_getattr_sbin_files(domain) +## +## Do not audit attempts to get the attibutes +## of sbin files. +## +## +## +## Domain to not audit. +## +## # interface(`corecmd_dontaudit_getattr_sbin_files',` gen_require(` @@ -538,8 +586,15 @@ interface(`corecmd_read_sbin_sockets',` ') ######################################## -# -# corecmd_exec_sbin(domain) +## +## Execute generic programs in sbin directories, +## in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_exec_sbin',` gen_require(` 
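Review bot: The summary added for `corecmd_dontaudit_getattr_sbin_files` misspells "attributes" as `attibutes`. These comments appear to be what the Makefile hunk passes through `$(GENXML)` into the policy documentation, so the typo would be published and would not match a search for "attributes". The line should read `##	Do not audit attempts to get the attributes`.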
@@ -724,8 +779,14 @@ interface(`corecmd_check_exec_shell',` ') ######################################## -# -# corecmd_exec_shell(domain) +## +## Execute a shell in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_exec_shell',` gen_require(` @@ -738,8 +799,14 @@ interface(`corecmd_exec_shell',` ') ######################################## -# -# corecmd_exec_ls(domain) +## +## Execute ls in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_exec_ls',` gen_require(` @@ -826,8 +893,14 @@ interface(`corecmd_shell_domtrans',` ') ######################################## -# -# corecmd_exec_chroot(domain) +## +## Execute chroot in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`corecmd_exec_chroot',` gen_require(` diff --git a/refpolicy/policy/modules/kernel/domain.if b/refpolicy/policy/modules/kernel/domain.if index 95822fb8..3de65303 100644 --- a/refpolicy/policy/modules/kernel/domain.if +++ b/refpolicy/policy/modules/kernel/domain.if @@ -103,8 +103,15 @@ interface(`domain_entry_file',` ') ######################################## -# -# domain_interactive_fd(domain) +## +## Make the file descriptors of the specified +## domain for interactive use (widely inheritable) +## +## +## +## Domain allowed access. +## +## # interface(`domain_interactive_fd',` gen_require(` @@ -115,8 +122,25 @@ interface(`domain_interactive_fd',` ') ######################################## -# -# domain_dyntrans_type(domain) +## +## Allow the specified domain to perform +## dynamic transitions. +## +## +##

+## Allow the specified domain to perform
+## dynamic transitions.
+##

+##

+## This violates process tranquility, and it
+## is strongly suggested that this not be used.
+##

+##
+## +## +## Domain allowed access. +## +## # interface(`domain_dyntrans_type',` gen_require(` @@ -309,8 +333,15 @@ interface(`domain_cron_exemption_target',` ') ######################################## -# -# domain_use_interactive_fds(domain) +## +## Inherit and use file descriptors from +## domains with interactive programs. +## +## +## +## Domain allowed access. +## +## # interface(`domain_use_interactive_fds',` gen_require(` @@ -321,8 +352,16 @@ interface(`domain_use_interactive_fds',` ') ######################################## -# -# domain_dontaudit_use_interactive_fds(domain) +## +## Do not audit attempts to inherit file +## descriptors from domains with interactive +## programs. +## +## +## +## Domain allowed access. +## +## # interface(`domain_dontaudit_use_interactive_fds',` gen_require(` @@ -353,8 +392,14 @@ interface(`domain_sigchld_interactive_fds',` ') ######################################## -# -# domain_setpriority_all_domains(domain) +## +## Set the nice level of all domains. +## +## +## +## Domain allowed access. +## +## # interface(`domain_setpriority_all_domains',` gen_require(` @@ -370,7 +415,7 @@ interface(`domain_setpriority_all_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -388,7 +433,7 @@ interface(`domain_signal_all_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -406,7 +451,7 @@ interface(`domain_signull_all_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -424,7 +469,7 @@ interface(`domain_sigstop_all_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -442,7 +487,7 @@ interface(`domain_sigchld_all_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # 
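Review bot: The parameter text added for `domain_dontaudit_use_interactive_fds` says `Domain allowed access.`, yet its summary states the interface only stops auditing of attempts to inherit descriptors. It should read `##	Domain to not audit.`, the wording this same commit uses for the dontaudit interfaces in filesystem.if. The same mismatch is in the files.if hunks for `files_dontaudit_search_all_dirs`, `files_dontaudit_rw_root_files` and `files_dontaudit_rw_root_chr_files`. The distinction matters when reviewing policy from the generated docs: a dontaudit rule grants nothing but hides denials from the audit log, so its callers should be identifiable as such.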
@@ -674,7 +719,7 @@ interface(`domain_dontaudit_ptrace_confined_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -699,7 +744,7 @@ interface(`domain_dontaudit_read_all_domains_state',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -717,7 +762,7 @@ interface(`domain_dontaudit_list_all_domains_state',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -736,7 +781,7 @@ interface(`domain_getsession_all_domains',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -813,7 +858,7 @@ interface(`domain_dontaudit_getattr_all_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -832,7 +877,7 @@ interface(`domain_dontaudit_getattr_all_tcp_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -851,7 +896,7 @@ interface(`domain_dontaudit_getattr_all_udp_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -870,7 +915,7 @@ interface(`domain_dontaudit_rw_all_udp_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -889,7 +934,7 @@ interface(`domain_dontaudit_getattr_all_key_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -908,7 +953,7 @@ interface(`domain_dontaudit_getattr_all_packet_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -927,7 +972,7 @@ interface(`domain_dontaudit_getattr_all_raw_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # 
@@ -946,7 +991,7 @@ interface(`domain_dontaudit_rw_all_key_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -965,7 +1010,7 @@ interface(`domain_dontaudit_getattr_all_dgram_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -984,7 +1029,7 @@ interface(`domain_dontaudit_getattr_all_stream_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1017,8 +1062,14 @@ interface(`domain_getattr_all_entry_files',` ') ######################################## -# -# domain_read_all_entry_files(domain) +## +## Read the entry point files for all domains. +## +## +## +## Domain allowed access. +## +## # interface(`domain_read_all_entry_files',` gen_require(` @@ -1030,8 +1081,15 @@ interface(`domain_read_all_entry_files',` ') ######################################## -# -# domain_exec_all_entry_files(domain) +## +## Execute the entry point files for all +## domains in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`domain_exec_all_entry_files',` gen_require(` @@ -1106,7 +1164,7 @@ interface(`domain_mmap_all_entry_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1125,7 +1183,7 @@ interface(`domain_entry_file_spec_domtrans',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -1156,8 +1214,24 @@ interface(`domain_unconfined',` # ######################################## -# -# domain_trans(source_domain,entrypoint_file,target_domain) +## +## Specified domain transition requiring setexeccon. +## +## +## +## Domain to transition from. +## +## +## +## +## Type of program to execute. +## +## +## +## +## Domain to transition to. +## +## # template(`domain_trans',` allow $1 $2:file { getattr read execute }; 
@@ -1166,8 +1240,24 @@ template(`domain_trans',` ') ######################################## -# -# domain_auto_trans(source_domain,entrypoint_file,target_domain) +## +## Automatic domain transition by type_transition. +## +## +## +## Domain to transition from. +## +## +## +## +## Type of program to execute. +## +## +## +## +## Domain to transition to. +## +## # template(`domain_auto_trans',` domain_trans($1,$2,$3) diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if index 5f5a8973..1ec9f574 100644 --- a/refpolicy/policy/modules/kernel/files.if +++ b/refpolicy/policy/modules/kernel/files.if @@ -39,8 +39,15 @@ interface(`files_type',` ') ######################################## -# -# files_lock_file(type) +## +## Make the specified type usable for +## lock files. +## +## +## +## Type to be used for lock files. +## +## # interface(`files_lock_file',` gen_require(` @@ -52,8 +59,15 @@ interface(`files_lock_file',` ') ######################################## -# -# files_mountpoint(type) +## +## Make the specified type usable for +## filesystem mount points. +## +## +## +## Type to be used for mount points. +## +## # interface(`files_mountpoint',` gen_require(` @@ -65,8 +79,15 @@ interface(`files_mountpoint',` ') ######################################## -# -# files_pid_file(type) +## +## Make the specified type usable for +## runtime process ID files. +## +## +## +## Type to be used for PID files. +## +## # interface(`files_pid_file',` gen_require(` @@ -862,8 +883,15 @@ interface(`files_manage_all_files',` ') ######################################## -# -# files_search_all(domain) +## +## Search the contents of all directories on +## extended attribute filesystems. +## +## +## +## Domain allowed access. +## +## # interface(`files_search_all',` gen_require(` 
@@ -874,8 +902,15 @@ interface(`files_search_all',` ') ######################################## -# -# files_list_all(domain) +## +## List the contents of all directories on +## extended attribute filesystems. +## +## +## +## Domain allowed access. +## +## # interface(`files_list_all',` gen_require(` @@ -886,8 +921,16 @@ interface(`files_list_all',` ') ######################################## -# -# files_dontaudit_search_all_dirs(domain) +## +## Do not audit attempts to search the +## contents of any directories on extended +## attribute filesystems. +## +## +## +## Domain allowed access. +## +## # interface(`files_dontaudit_search_all_dirs',` gen_require(` @@ -897,9 +940,15 @@ interface(`files_dontaudit_search_all_dirs',` dontaudit $1 file_type:dir search; ') -####################################### -# -# files_relabelto_all_file_type_fs(domain) +######################################## +## +## Relabel a filesystem to the type of a file. +## +## +## +## Domain allowed access. +## +## # interface(`files_relabelto_all_file_type_fs',` gen_require(` @@ -909,9 +958,15 @@ interface(`files_relabelto_all_file_type_fs',` allow $1 file_type:filesystem relabelto; ') -####################################### -# -# files_mount_all_file_type_fs(domain) +######################################## +## +## Mount all filesystems with the type of a file. +## +## +## +## Domain allowed access. +## +## # interface(`files_mount_all_file_type_fs',` gen_require(` @@ -921,9 +976,15 @@ interface(`files_mount_all_file_type_fs',` allow $1 file_type:filesystem mount; ') -####################################### -# -# files_unmount_all_file_type_fs(domain) +######################################## +## +## Unmount all filesystems with the type of a file. +## +## +## +## Domain allowed access. +## +## # interface(`files_unmount_all_file_type_fs',` gen_require(` 
@@ -934,8 +995,14 @@ interface(`files_unmount_all_file_type_fs',` ') ######################################## -# -# files_mounton_all_mountpoints(domain) +## +## Mount a filesystem on all mount points. +## +## +## +## Domain allowed access. +## +## # interface(`files_mounton_all_mountpoints',` gen_require(` @@ -965,8 +1032,14 @@ interface(`files_getattr_all_mountpoints',` ') ######################################## -# -# files_list_root(domain) +## +## List the contents of the root directory. +## +## +## +## Domain allowed access. +## +## # interface(`files_list_root',` gen_require(` @@ -980,7 +1053,7 @@ interface(`files_list_root',` ######################################## ## ## Create an object in the root directory, with a private -## type. +## type using a type transition. ## ## ## @@ -1008,8 +1081,15 @@ interface(`files_root_filetrans',` ') ######################################## -# -# files_dontaudit_read_root_files(domain) +## +## Do not audit attempts to read files in +## the root directory. +## +## +## +## Domain to not audit. +## +## # interface(`files_dontaudit_read_root_files',` gen_require(` @@ -1020,8 +1100,15 @@ interface(`files_dontaudit_read_root_files',` ') ######################################## -# -# files_dontaudit_rw_root_files(domain) +## +## Do not audit attempts to read or write +## files in the root directory. +## +## +## +## Domain allowed access. +## +## # interface(`files_dontaudit_rw_root_files',` gen_require(` @@ -1032,8 +1119,15 @@ interface(`files_dontaudit_rw_root_files',` ') ######################################## -# -# files_dontaudit_rw_root_chr_files(domain) +## +## Do not audit attempts to read or write +## character device nodes in the root directory. +## +## +## +## Domain allowed access. +## +## # interface(`files_dontaudit_rw_root_chr_files',` gen_require(` 
@@ -1044,8 +1138,14 @@ interface(`files_dontaudit_rw_root_chr_files',` ') ######################################## -# -# files_delete_root_dir_entry(domain) +## +## Remove entries from the root directory. +## +## +## +## Domain allowed access. +## +## # interface(`files_delete_root_dir_entry',` gen_require(` @@ -1056,8 +1156,14 @@ interface(`files_delete_root_dir_entry',` ') ######################################## -# -# files_unmount_rootfs(domain) +## +## Unmount a rootfs filesystem. +## +## +## +## Domain allowed access. +## +## # interface(`files_unmount_rootfs',` gen_require(` @@ -1546,8 +1652,14 @@ interface(`files_read_default_pipes',` ') ######################################## -# -# files_search_etc(domain) +## +## Search the contents of /etc directories. +## +## +## +## Domain allowed access. +## +## # interface(`files_search_etc',` gen_require(` @@ -1576,8 +1688,14 @@ interface(`files_setattr_etc_dirs',` ') ######################################## -# -# files_list_etc(domain) +## +## List the contents of /etc directories. +## +## +## +## Domain allowed access. +## +## # interface(`files_list_etc',` gen_require(` @@ -1588,8 +1706,14 @@ interface(`files_list_etc',` ') ######################################## -# -# files_read_etc_files(domain) +## +## Read generic files in /etc. +## +## +## +## Domain allowed access. +## +## # interface(`files_read_etc_files',` gen_require(` @@ -1602,8 +1726,14 @@ interface(`files_read_etc_files',` ') ######################################## -# -# files_rw_etc_files(domain) +## +## Read and write generic files in /etc. +## +## +## +## Domain allowed access. +## +## # interface(`files_rw_etc_files',` gen_require(` @@ -1616,8 +1746,15 @@ interface(`files_rw_etc_files',` ') ######################################## -# -# files_manage_etc_files(domain) +## +## Create, read, write, and delete generic +## files in /etc. +## +## +## +## Domain allowed access. +## +## # interface(`files_manage_etc_files',` gen_require(` 
@@ -1649,8 +1786,14 @@ interface(`files_delete_etc_files',` ') ######################################## -# -# files_exec_etc_files(domain) +## +## Execute generic files in /etc. +## +## +## +## Domain allowed access. +## +## # interface(`files_exec_etc_files',` gen_require(` @@ -1683,8 +1826,25 @@ interface(`files_relabel_etc_files',` ') ######################################## -# -# files_etc_filetrans(domain,privatetype,class(es)) +## +## Create objects in /etc with a private +## type using a type_transition. +## +## +## +## Domain allowed access. +## +## +## +## +## Private file type. +## +## +## +## +## Object classes to be created. +## +## # interface(`files_etc_filetrans',` gen_require(` @@ -1696,10 +1856,20 @@ interface(`files_etc_filetrans',` ') ######################################## -# -# files_create_boot_flag(domain) -# -# /halt, /.autofsck, etc +## +## Create a boot flag. +## +## +##

+## Create a boot flag, such as
+## /.autorelabel and /.autofsck.
+##

+##
+## +## +## Domain allowed access. +## +## # interface(`files_create_boot_flag',` gen_require(` @@ -2219,8 +2389,14 @@ interface(`files_manage_lost_found',` ') ######################################## -# -# files_search_mnt(domain) +## +## Search the contents of /mnt. +## +## +## +## Domain allowed access. +## +## # interface(`files_search_mnt',` gen_require(` @@ -2249,8 +2425,14 @@ interface(`files_dontaudit_search_mnt',` ') ######################################## -# -# files_list_mnt(domain) +## +## List the contents of /mnt. +## +## +## +## Domain allowed access. +## +## # interface(`files_list_mnt',` gen_require(` @@ -2812,8 +2994,25 @@ interface(`files_setattr_all_tmp_dirs',` ') ######################################## -# -# files_tmp_filetrans(domain,private_type,object class(es)) +## +## Create an object in the tmp directories, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## # interface(`files_tmp_filetrans',` gen_require(` @@ -2825,8 +3024,14 @@ interface(`files_tmp_filetrans',` ') ######################################## -# -# files_purge_tmp(domain) +## +## Delete the contents of /tmp. +## +## +## +## Domain allowed access. +## +## # interface(`files_purge_tmp',` gen_require(` @@ -2838,8 +3043,14 @@ interface(`files_purge_tmp',` ') ######################################## -# -# files_search_usr(domain) +## +## Search the content of /etc. +## +## +## +## Domain allowed access. +## +## # interface(`files_search_usr',` gen_require(` @@ -2888,8 +3099,14 @@ interface(`files_getattr_usr_files',` ') ######################################## -# -# files_read_usr_files(domain) +## +## Read generic files in /usr. +## +## +## +## Domain allowed access. +## +## # interface(`files_read_usr_files',` gen_require(` 
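Review bot: The summary added for `files_search_usr` says `Search the content of /etc.`, which looks copied from `files_search_etc`. Going by the interface name and the neighbouring `files_read_usr_files` text, it should read `##	Search the contents of /usr.`. The gen_require block is cut off by the hunk, so the type the interface actually references is not visible here and should be checked before the text is corrected.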
@@ -3009,8 +3226,14 @@ interface(`files_exec_usr_src_files',` ') ######################################## -# -# files_dontaudit_search_src(domain) +## +## Do not audit attempts to search /usr/src. +## +## +## +## Domain to not audit. +## +## # interface(`files_dontaudit_search_src',` gen_require(` @@ -3021,8 +3244,14 @@ interface(`files_dontaudit_search_src',` ') ######################################## -# -# files_read_usr_src_files(domain) +## +## Read files in /usr/src. +## +## +## +## Domain allowed access. +## +## # interface(`files_read_usr_src_files',` gen_require(` @@ -3439,8 +3668,15 @@ interface(`files_read_var_lib_symlinks',` # in some way. They really neeed their own types. ######################################## -# -# files_manage_urandom_seed(domain) +## +## Create, read, write, and delete the +## pseudorandom number generator seed. +## +## +## +## Domain allowed access. +## +## # interface(`files_manage_urandom_seed',` gen_require(` @@ -3531,8 +3767,14 @@ interface(`files_rw_lock_dirs',` ') ######################################## -# -# files_getattr_generic_locks(domain) +## +## Get the attributes of generic lock files. +## +## +## +## Domain allowed access. +## +## # interface(`files_getattr_generic_locks',` gen_require(` 
@@ -3545,21 +3787,34 @@ interface(`files_getattr_generic_locks',` ') ######################################## -# -# files_manage_generic_locks(domain) +## +## Create, read, write, and delete generic +## lock files. +## +## +## +## Domain allowed access. +## +## # interface(`files_manage_generic_locks',` gen_require(` type var_lock_t; ') - allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir }; - allow $1 var_lock_t:file { getattr create read write setattr unlink }; + allow $1 var_lock_t:dir rw_dir_perms; + allow $1 var_lock_t:file manage_file_perms; ') ######################################## -# -# files_delete_all_locks(domain) +## +## Delete all lock files. +## +## +## +## Domain allowed access. +## +## # interface(`files_delete_all_locks',` gen_require(` @@ -3593,8 +3848,25 @@ interface(`files_read_all_locks',` ') ######################################## -# -# files_lock_filetrans(domain,private_type,[object class(es)]) +## +## Create an object in the locks directory, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## # interface(`files_lock_filetrans',` gen_require(` @@ -3626,8 +3898,15 @@ interface(`files_dontaudit_getattr_pid_dirs',` ') ######################################## -# -# files_search_pids(domain) +## +## Search the contents of runtime process +## ID directories (/var/run). +## +## +## +## Domain allowed access. +## +## # interface(`files_search_pids',` gen_require(` @@ -3658,8 +3937,15 @@ interface(`files_dontaudit_search_pids',` ') ######################################## -# -# files_list_pids(domain) +## +## List the contents of the runtime process +## ID directories (/var/run). +## +## +## +## Domain allowed access. +## +## # interface(`files_list_pids',` gen_require(` 
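Review bot: The `files_manage_generic_locks` hunk is the one place in this documentation pass where allow rules change: the explicit permission sets on `var_lock_t:dir` and `var_lock_t:file` are replaced by `rw_dir_perms` and `manage_file_perms`. The macro definitions are not part of this diff, so it cannot be confirmed from here whether the directory rule still carries `create`, `setattr` and `rmdir`, or what `manage_file_perms` adds beyond the six file permissions listed before. Every caller of this interface inherits the new set, so the expansion of both macros should be compared against the removed lists. The change should also be called out in the commit message or split into its own commit.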
@@ -3671,8 +3957,25 @@ interface(`files_list_pids',` ') ######################################## -# -# files_pid_filetrans(domain,pidfile,[object class(es)]) +## +## Create an object in the process ID directory, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## # interface(`files_pid_filetrans',` gen_require(` @@ -3685,8 +3988,14 @@ interface(`files_pid_filetrans',` ') ######################################## -# -# files_rw_generic_pids(domain) +## +## Read and write generic process ID files. +## +## +## +## Domain allowed access. +## +## # interface(`files_rw_generic_pids',` gen_require(` @@ -3735,8 +4044,14 @@ interface(`files_dontaudit_ioctl_all_pids',` ') ######################################## -# -# files_read_all_pids(domain) +## +## Read all process ID files. +## +## +## +## Domain allowed access. +## +## # interface(`files_read_all_pids',` gen_require(` @@ -3769,8 +4084,14 @@ interface(`files_mounton_all_poly_members',` ') ######################################## -# -# files_delete_all_pids(domain) +## +## Delete all process IDs. +## +## +## +## Domain allowed access. +## +## # interface(`files_delete_all_pids',` gen_require(` @@ -3787,8 +4108,14 @@ interface(`files_delete_all_pids',` ') ######################################## -# -# files_delete_all_pid_dirs(domain) +## +## Delete all process ID directories. +## +## +## +## Domain allowed access. +## +## # interface(`files_delete_all_pid_dirs',` gen_require(` @@ -3801,8 +4128,15 @@ interface(`files_delete_all_pid_dirs',` ') ######################################## -# -# files_search_spool(domain) +## +## Search the contents of generic spool +## directories (/var/spool). +## +## +## +## Domain allowed access. +## +## # interface(`files_search_spool',` gen_require(` 
@@ -3833,8 +4167,15 @@ interface(`files_dontaudit_search_spool',` ') ######################################## -# -# files_list_spool(domain) +## +## List the contents of generic spool +## (/var/spool) directories. +## +## +## +## Domain allowed access. +## +## # interface(`files_list_spool',` gen_require(` @@ -3846,8 +4187,15 @@ interface(`files_list_spool',` ') ######################################## -# -# files_manage_generic_spool_dirs(domain) +## +## Create, read, write, and delete generic +## spool directories (/var/spool). +## +## +## +## Domain allowed access. +## +## # interface(`files_manage_generic_spool_dirs',` gen_require(` @@ -3859,8 +4207,14 @@ interface(`files_manage_generic_spool_dirs',` ') ######################################## -# -# files_read_generic_spool(domain) +## +## Read generic spool files. +## +## +## +## Domain allowed access. +## +## # interface(`files_read_generic_spool',` gen_require(` @@ -3873,8 +4227,15 @@ interface(`files_read_generic_spool',` ') ######################################## -# -# files_manage_generic_spool(domain) +## +## Create, read, write, and delete generic +## spool files. +## +## +## +## Domain allowed access. +## +## # interface(`files_manage_generic_spool',` gen_require(` diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index 77772546..643a4a25 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -9,7 +9,7 @@ ##
## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -29,7 +29,7 @@ interface(`fs_type',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -113,7 +113,7 @@ interface(`fs_exec_noxattr',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -134,7 +134,7 @@ interface(`fs_mount_xattr_fs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -154,7 +154,7 @@ interface(`fs_remount_xattr_fs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -174,8 +174,7 @@ interface(`fs_unmount_xattr_fs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -196,7 +195,7 @@ interface(`fs_getattr_xattr_fs',` ## ## ## -## The type of the domain to not audit. +## Domain to not audit. ## ## # @@ -216,7 +215,7 @@ interface(`fs_dontaudit_getattr_xattr_fs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -235,7 +234,7 @@ interface(`fs_relabelfrom_xattr_fs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -254,7 +253,7 @@ interface(`fs_get_xattr_fs_quotas',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -272,7 +271,7 @@ interface(`fs_set_xattr_fs_quotas',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -292,7 +291,7 @@ interface(`fs_mount_autofs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -310,7 +309,7 @@ interface(`fs_remount_autofs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # 
@@ -329,8 +328,7 @@ interface(`fs_unmount_autofs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -349,7 +347,7 @@ interface(`fs_getattr_autofs',` ## ## ## -## The type of the domain performing this action. +## Domain allowed access. ## ## # @@ -368,7 +366,7 @@ interface(`fs_search_auto_mountpoints',` ## ## ## -## The type of the domain performing this action. +## Domain allowed access. ## ## # @@ -387,7 +385,7 @@ interface(`fs_list_auto_mountpoints',` ## ## ## -## The type of the domain performing this action. +## Domain to not audit. ## ## # @@ -403,16 +401,25 @@ interface(`fs_dontaudit_list_auto_mountpoints',` ## ## Register an interpreter for new binary ## file types, using the kernel binfmt_misc -## support. A common use for this is to +## support. +## +## +##

+## Register an interpreter for new binary +## file types, using the kernel binfmt_misc +## support. +##

+##

+## A common use for this is to ## register a JVM as an interpreter for ## Java byte code. Registered binaries ## can be directly executed on a command line ## without specifying the interpreter. -## +##

+##
## ## -## The type of the domain registering -## the interpreter. +## Domain allowed access. ## ## # @@ -431,7 +438,7 @@ interface(`fs_register_binary_executable_type',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -450,7 +457,7 @@ interface(`fs_mount_cifs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -468,7 +475,7 @@ interface(`fs_remount_cifs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -487,8 +494,7 @@ interface(`fs_unmount_cifs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -640,7 +646,7 @@ interface(`fs_read_noxattr_fs_symlinks',` ## ## ## -## The type of the domain to not audit. +## Domain to not audit. ## ## # @@ -659,7 +665,7 @@ interface(`fs_dontaudit_read_cifs_files',` ## ## ## -## The type of the domain to not audit. +## Domain to not audit. ## ## # @@ -677,7 +683,7 @@ interface(`fs_dontaudit_rw_cifs_files',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -698,7 +704,7 @@ interface(`fs_read_cifs_symlinks',` ## ## ## -## The type of the domain executing the files. +## Domain allowed access. ## ## # @@ -718,7 +724,7 @@ interface(`fs_exec_cifs_files',` ## ## ## -## The type of the domain managing the directories. +## Domain allowed access. ## ## # @@ -738,7 +744,7 @@ interface(`fs_manage_cifs_dirs',` ## ## ## -## The type of the domain managing the directories. +## Domain allowed access. ## ## # @@ -757,7 +763,7 @@ interface(`fs_dontaudit_manage_cifs_dirs',` ## ## ## -## The type of the domain managing the files. +## Domain allowed access. ## ## # @@ -797,7 +803,7 @@ interface(`fs_dontaudit_manage_cifs_files',` ## ## ## -## The type of the domain managing the symbolic links. +## Domain allowed access. ## ## # 
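Review bot: The parameter description changed in the hunk at -738,7 (the one following `fs_manage_cifs_dirs`) now reads `## Domain allowed access.`, but the next hunk header suggests the documented interface is `fs_dontaudit_manage_cifs_dirs`. If so, the text should be `## Domain to not audit.`, as this commit already uses for `fs_dontaudit_read_cifs_files` and `fs_dontaudit_rw_cifs_files`. The hunk at -2657,7 looks like the same case for `fs_dontaudit_use_tmpfs_chr_dev`. The interface lines themselves fall outside both hunks, so this needs confirming against the file.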
@@ -817,7 +823,7 @@ interface(`fs_manage_cifs_symlinks',` ## ## ## -## The type of the domain managing the pipes. +## Domain allowed access. ## ## # @@ -837,7 +843,7 @@ interface(`fs_manage_cifs_named_pipes',` ## ## ## -## The type of the domain managing the sockets. +## Domain allowed access. ## ## # @@ -876,7 +882,7 @@ interface(`fs_manage_cifs_named_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -902,7 +908,7 @@ interface(`fs_cifs_domtrans',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -922,7 +928,7 @@ interface(`fs_mount_dos_fs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -941,7 +947,7 @@ interface(`fs_remount_dos_fs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -960,8 +966,7 @@ interface(`fs_unmount_dos_fs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -980,7 +985,7 @@ interface(`fs_getattr_dos_fs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -1054,7 +1059,7 @@ interface(`fs_list_inotifyfs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -1074,7 +1079,7 @@ interface(`fs_mount_iso9660_fs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -1093,7 +1098,7 @@ interface(`fs_remount_iso9660_fs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -1112,8 +1117,7 @@ interface(`fs_unmount_iso9660_fs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # 
@@ -1152,7 +1156,7 @@ interface(`fs_read_iso9660_files',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -1171,7 +1175,7 @@ interface(`fs_mount_nfs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -1189,7 +1193,7 @@ interface(`fs_remount_nfs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -1207,8 +1211,7 @@ interface(`fs_unmount_nfs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -1301,7 +1304,7 @@ interface(`fs_read_nfs_files',` ## ## ## -## The type of the domain to not audit. +## Domain to not audit. ## ## # @@ -1338,7 +1341,7 @@ interface(`fs_write_nfs_files',` ## ## ## -## The type of the domain executing the files. +## Domain allowed access. ## ## # @@ -1358,7 +1361,7 @@ interface(`fs_exec_nfs_files',` ## ## ## -## The type of the domain to not audit. +## Domain to not audit. ## ## # @@ -1376,7 +1379,7 @@ interface(`fs_dontaudit_rw_nfs_files',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1395,7 +1398,7 @@ interface(`fs_read_nfs_symlinks',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1414,7 +1417,7 @@ interface(`fs_getattr_rpc_dirs',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1523,7 +1526,7 @@ interface(`fs_read_removable_symlinks',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1542,7 +1545,7 @@ interface(`fs_list_rpc',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1561,7 +1564,7 @@ interface(`fs_read_rpc_files',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # 
@@ -1580,7 +1583,7 @@ interface(`fs_read_rpc_symlinks',` ## ## ## -## The type of the domain reading the symbolic links. +## Domain allowed access. ## ## # @@ -1600,7 +1603,7 @@ interface(`fs_read_rpc_sockets',` ## ## ## -## The type of the domain managing the directories. +## Domain allowed access. ## ## # @@ -1639,7 +1642,7 @@ interface(`fs_dontaudit_manage_nfs_dirs',` ## ## ## -## The type of the domain managing the files. +## Domain allowed access. ## ## # @@ -1679,7 +1682,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ## ## ## -## The type of the domain managing the symbolic links. +## Domain allowed access. ## ## # @@ -1699,7 +1702,7 @@ interface(`fs_manage_nfs_symlinks',` ## ## ## -## The type of the domain managing the pipes. +## Domain allowed access. ## ## # @@ -1719,7 +1722,7 @@ interface(`fs_manage_nfs_named_pipes',` ## ## ## -## The type of the domain managing the sockets. +## Domain allowed access. ## ## # @@ -1758,7 +1761,7 @@ interface(`fs_manage_nfs_named_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -1783,7 +1786,7 @@ interface(`fs_nfs_domtrans',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -1802,7 +1805,7 @@ interface(`fs_mount_nfsd_fs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -1820,7 +1823,7 @@ interface(`fs_remount_nfsd_fs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -1839,8 +1842,7 @@ interface(`fs_unmount_nfsd_fs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -1858,8 +1860,7 @@ interface(`fs_getattr_nfsd_fs',` ## ## ## -## The type of the domain doing the -## search on nfsd directories. +## Domain allowed access. ## ## # 
@@ -1877,8 +1878,7 @@ interface(`fs_search_nfsd_fs',` ## ## ## -## The type of the domain doing the -## read or write on nfsd files. +## Domain allowed access. ## ## # @@ -1896,7 +1896,7 @@ interface(`fs_rw_nfsd_fs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -1915,7 +1915,7 @@ interface(`fs_mount_ramfs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -1933,7 +1933,7 @@ interface(`fs_remount_ramfs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -1951,8 +1951,7 @@ interface(`fs_unmount_ramfs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -2177,7 +2176,7 @@ interface(`fs_manage_ramfs_sockets',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -2196,7 +2195,7 @@ interface(`fs_mount_romfs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -2214,7 +2213,7 @@ interface(`fs_remount_romfs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -2233,8 +2232,7 @@ interface(`fs_unmount_romfs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -2252,7 +2250,7 @@ interface(`fs_getattr_romfs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -2271,7 +2269,7 @@ interface(`fs_mount_rpc_pipefs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -2289,7 +2287,7 @@ interface(`fs_remount_rpc_pipefs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # 
@@ -2308,8 +2306,7 @@ interface(`fs_unmount_rpc_pipefs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -2327,7 +2324,7 @@ interface(`fs_getattr_rpc_pipefs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -2345,7 +2342,7 @@ interface(`fs_mount_tmpfs',` ## ## ## -## The type of the domain remounting the filesystem. +## Domain allowed access. ## ## # @@ -2363,7 +2360,7 @@ interface(`fs_remount_tmpfs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -2382,8 +2379,7 @@ interface(`fs_unmount_tmpfs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -2543,8 +2539,25 @@ interface(`fs_manage_tmpfs_dirs',` ') ######################################## -# -# fs_tmpfs_filetrans(domain,derivedtype,class) +## +## Create an object in a tmpfs filesystem, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## # interface(`fs_tmpfs_filetrans',` gen_require(` @@ -2600,7 +2613,7 @@ interface(`fs_manage_auto_mountpoints',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2619,7 +2632,7 @@ interface(`fs_rw_tmpfs_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2638,7 +2651,7 @@ interface(`fs_read_tmpfs_symlinks',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2657,7 +2670,7 @@ interface(`fs_rw_tmpfs_chr_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # 
@@ -2676,7 +2689,7 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2695,7 +2708,7 @@ interface(`fs_relabel_tmpfs_chr_file',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2714,7 +2727,7 @@ interface(`fs_rw_tmpfs_blk_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2734,7 +2747,7 @@ interface(`fs_relabel_tmpfs_blk_file',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2754,7 +2767,7 @@ interface(`fs_manage_tmpfs_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2774,7 +2787,7 @@ interface(`fs_manage_tmpfs_symlinks',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2794,7 +2807,7 @@ interface(`fs_manage_tmpfs_sockets',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2814,7 +2827,7 @@ interface(`fs_manage_tmpfs_chr_files',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -2833,7 +2846,7 @@ interface(`fs_manage_tmpfs_blk_files',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -2852,7 +2865,7 @@ interface(`fs_mount_all_fs',` ## ## ## -## The type of the domain mounting the filesystem. +## Domain allowed access. ## ## # @@ -2870,7 +2883,7 @@ interface(`fs_remount_all_fs',` ## ## ## -## The type of the domain unmounting the filesystem. +## Domain allowed access. ## ## # @@ -2889,8 +2902,7 @@ interface(`fs_unmount_all_fs',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # 
@@ -2909,7 +2921,7 @@ interface(`fs_getattr_all_fs',` ## ## ## -## The type of the domain to not audit. +## Domain to not audit. ## ## # @@ -2963,8 +2975,7 @@ interface(`fs_set_all_quotas',` ## ## ## -## The type of the domain doing the -## getattr on the filesystem. +## Domain allowed access. ## ## # @@ -3229,4 +3240,3 @@ interface(`fs_relabelfrom_noxattr_fs',` allow $1 noxattrfs:blk_file { getattr relabelfrom }; allow $1 noxattrfs:chr_file { getattr relabelfrom }; ') - diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if index 926fe6c6..07df5384 100644 --- a/refpolicy/policy/modules/kernel/kernel.if +++ b/refpolicy/policy/modules/kernel/kernel.if @@ -1538,8 +1538,15 @@ interface(`kernel_rw_irq_sysctls',` ') ######################################## -# -# kernel_read_rpc_sysctls(domain) +## +## Read RPC sysctls. +## +## +## +## Domain allowed access. +## +## +## # interface(`kernel_read_rpc_sysctls',` gen_require(` @@ -1553,8 +1560,15 @@ interface(`kernel_read_rpc_sysctls',` ') ######################################## -# -# kernel_rw_rpc_sysctls(domain) +## +## Read and write RPC sysctls. +## +## +## +## Domain allowed access. +## +## +## # interface(`kernel_rw_rpc_sysctls',` gen_require(` @@ -1914,7 +1928,7 @@ interface(`kernel_dontaudit_getattr_unlabeled_chr_files',` ## ## ## -## The process type relabeling the objects. +## Domain allowed access. ## ## # @@ -1932,7 +1946,7 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ## ## ## -## The process type relabeling the objects. +## Domain allowed access. ## ## # @@ -1951,7 +1965,7 @@ interface(`kernel_relabelfrom_unlabeled_files',` ## ## ## -## The process type relabeling the objects. +## Domain allowed access. ## ## # @@ -1970,7 +1984,7 @@ interface(`kernel_relabelfrom_unlabeled_symlinks',` ## ## ## -## The process type relabeling the objects. +## Domain allowed access. ## ## # 
@@ -1989,7 +2003,7 @@ interface(`kernel_relabelfrom_unlabeled_pipes',` ## ## ## -## The process type relabeling the objects. +## Domain allowed access. ## ## # diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index b0d0784e..70f6fdfc 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -300,9 +300,15 @@ template(`mta_admin_template',` ') ') -####################################### -# -# mta_mailserver(domain,entrypointtype) +######################################## +## +## Make the specified domain usable for a mail server. +## +## +## +## Type to be used as a mail server domain. +## +## # interface(`mta_mailserver',` gen_require(` @@ -439,9 +445,15 @@ interface(`mta_mailserver_user_agent',` ') ') -####################################### -# -# mta_send_mail(domain) +######################################## +## +## Send mail from the system. +## +## +## +## Domain allowed access. +## +## # interface(`mta_send_mail',` gen_require(` @@ -462,9 +474,15 @@ interface(`mta_send_mail',` allow mta_user_agent $1:fifo_file { read write }; ') -####################################### -# -# mta_exec(domain) +######################################## +## +## Execute sendmail in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`mta_exec',` gen_require(` @@ -533,9 +551,15 @@ interface(`mta_etc_filetrans_aliases',` files_etc_filetrans($1,etc_aliases_t, file) ') -####################################### -# -# mta_rw_aliases(domain) +######################################## +## +## Read and write mail aliases. +## +## +## +## Domain allowed access. +## +## # interface(`mta_rw_aliases',` gen_require(` 
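Review bot: The doc block added for `mta_mailserver` documents only one parameter, while the comment it replaces, `# mta_mailserver(domain,entrypointtype)`, lists two. If the interface still takes the entry point type as its second argument, add a second param entry such as `## The type to be used as an entry point to this domain.`, the way all three arguments of `fs_tmpfs_filetrans` are documented in this commit. The interface body is outside the hunk, so the actual argument count should be checked there.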
@@ -604,9 +628,15 @@ interface(`mta_dontaudit_read_spool_symlinks',` dontaudit $1 mail_spool_t:lnk_file read; ') -####################################### -# -# mta_getattr_spool(domain) +######################################## +## +## Get the attributes of mail spool files. +## +## +## +## Domain allowed access. +## +## # interface(`mta_getattr_spool',` gen_require(` @@ -619,6 +649,17 @@ interface(`mta_getattr_spool',` allow $1 mail_spool_t:file getattr; ') +######################################## +## +## Do not audit attempts to get the attributes +## of mail spool files. +## +## +## +## Domain to not audit. +## +## +# interface(`mta_dontaudit_getattr_spool_files',` gen_require(` type mail_spool_t; @@ -661,9 +702,15 @@ interface(`mta_spool_filetrans',` type_transition $1 mail_spool_t:$3 $2; ') -####################################### -# -# mta_rw_spool(domain) +######################################## +## +## Read and write the mail spool. +## +## +## +## Domain allowed access. +## +## # interface(`mta_rw_spool',` gen_require(` @@ -717,9 +764,15 @@ interface(`mta_delete_spool',` allow $1 mail_spool_t:file unlink; ') -####################################### -# -# mta_manage_spool(domain) +######################################## +## +## Create, read, write, and delete mail spool files. +## +## +## +## Domain allowed access. +## +## # interface(`mta_manage_spool',` gen_require(` @@ -751,9 +804,16 @@ interface(`mta_dontaudit_rw_queue',` dontaudit $1 mqueue_spool_t:file { getattr read write }; ') -####################################### -# -# mta_manage_queue(domain) +######################################## +## +## Create, read, write, and delete +## mail queue files. +## +## +## +## Domain allowed access. +## +## # interface(`mta_manage_queue',` gen_require(` diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 4c4e40be..5c7a18a6 100644 --- a/refpolicy/policy/modules/system/authlogin.if 
+++ b/refpolicy/policy/modules/system/authlogin.if @@ -162,7 +162,7 @@ template(`authlogin_per_userdomain_template',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -216,7 +216,7 @@ interface(`auth_login_entry_type',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -245,7 +245,7 @@ interface(`auth_domtrans_login_program',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -294,7 +294,7 @@ interface(`auth_domtrans_chk_passwd',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -332,7 +332,7 @@ interface(`auth_dontaudit_getattr_shadow',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -345,6 +345,25 @@ interface(`auth_read_shadow',` auth_tunable_read_shadow($1) ') +######################################## +## +## Pass shadow assertion for reading. +## +## +##

+## Pass shadow assertion for reading. +## This should only be used with +## auth_tunable_read_shadow(), and +## only exists because typeattribute +## does not work in conditionals. +##

+##
+## +## +## Domain allowed access. +## +## +# interface(`auth_can_read_shadow_passwords',` gen_require(` attribute can_read_shadow_passwords; @@ -353,6 +372,24 @@ interface(`auth_can_read_shadow_passwords',` typeattribute $1 can_read_shadow_passwords; ') +######################################## +## +## Read the shadow password file. +## +## +##

+## Read the shadow password file. This +## should only be used in a conditional; +## it does not pass the reading shadow +## assertion. +##

+##
+## +## +## Domain allowed access. +## +## +# interface(`auth_tunable_read_shadow',` gen_require(` type shadow_t; @@ -387,7 +424,7 @@ interface(`auth_dontaudit_read_shadow',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -402,9 +439,16 @@ interface(`auth_rw_shadow',` typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; ') -####################################### -# -# auth_manage_shadow(domain) +######################################## +## +## Create, read, write, and delete the shadow +## password file. +## +## +## +## Domain allowed access. +## +## # interface(`auth_manage_shadow',` gen_require(` @@ -418,7 +462,7 @@ interface(`auth_manage_shadow',` ####################################### ## -## Automatic transition to shadow from etc. +## Automatic transition from etc to shadow. ## ## ## @@ -497,9 +541,15 @@ interface(`auth_append_faillog',` allow $1 faillog_t:file { getattr append }; ') -####################################### -# -# auth_rw_faillog(domain) +######################################## +## +## Read and write the login failure log. +## +## +## +## Domain allowed access. +## +## # interface(`auth_rw_faillog',` gen_require(` @@ -573,7 +623,7 @@ interface(`auth_rw_lastlog',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -596,7 +646,7 @@ interface(`auth_domtrans_pam',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -626,7 +676,7 @@ interface(`auth_run_pam',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -645,7 +695,7 @@ interface(`auth_exec_pam',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # 
@@ -660,9 +710,15 @@ interface(`auth_manage_var_auth',` allow $1 var_auth_t:lnk_file rw_file_perms; ') -####################################### -# -# auth_read_pam_pid(domain) +######################################## +## +## Read PAM PID files. +## +## +## +## Domain allowed access. +## +## # interface(`auth_read_pam_pid',` gen_require(` @@ -677,7 +733,7 @@ interface(`auth_read_pam_pid',` ####################################### ## -## Do not audit attemps to read PAM pid files. +## Do not audit attemps to read PAM PID files. ## ## ## @@ -699,7 +755,7 @@ interface(`auth_dontaudit_read_pam_pid',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -720,7 +776,7 @@ interface(`auth_delete_pam_pid',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -734,9 +790,15 @@ interface(`auth_manage_pam_pid',` allow $1 pam_var_run_t:file create_file_perms; ') -####################################### -# -# auth_domtrans_pam_console(domain) +######################################## +## +## Execute pam_console with a domain transition. +## +## +## +## Domain allowed access. +## +## # interface(`auth_domtrans_pam_console',` gen_require(` @@ -758,7 +820,7 @@ interface(`auth_domtrans_pam_console',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -772,9 +834,16 @@ interface(`auth_search_pam_console_data',` allow $1 pam_var_console_t:dir search_dir_perms; ') -####################################### -# -# auth_list_pam_console_data(domain) +######################################## +## +## List the contents of the pam_console +## data directory. +## +## +## +## Domain allowed access. +## +## # interface(`auth_list_pam_console_data',` gen_require(` 
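Review bot: The summary rewritten in the hunk at -677,7 still misspells "attempts": `## Do not audit attemps to read PAM PID files.` should be `## Do not audit attempts to read PAM PID files.`. The line is already being changed for the PID capitalisation, so the typo can be fixed in the same edit.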
@@ -786,9 +855,15 @@ interface(`auth_list_pam_console_data',` allow $1 pam_var_console_t:dir r_dir_perms; ') -####################################### -# -# auth_read_pam_console_data(domain) +######################################## +## +## Read pam_console data files. +## +## +## +## Domain allowed access. +## +## # interface(`auth_read_pam_console_data',` gen_require(` @@ -801,9 +876,16 @@ interface(`auth_read_pam_console_data',` allow $1 pam_var_console_t:file r_file_perms; ') -####################################### -# -# auth_manage_pam_console_data(domain) +######################################## +## +## Create, read, write, and delete +## pam_console data files. +## +## +## +## Domain allowed access. +## +## # interface(`auth_manage_pam_console_data',` gen_require(` @@ -971,7 +1053,7 @@ interface(`auth_manage_all_files_except_shadow',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -994,7 +1076,7 @@ interface(`auth_domtrans_utempter',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -1036,9 +1118,15 @@ interface(`auth_dontaudit_exec_utempter',` dontaudit $1 utempter_exec_t:file { execute execute_no_trans }; ') -####################################### -# -# auth_setattr_login_records(domain) +######################################## +## +## Set the attributes of login record files. +## +## +## +## Domain allowed access. +## +## # interface(`auth_setattr_login_records',` gen_require(` @@ -1049,9 +1137,15 @@ interface(`auth_setattr_login_records',` logging_search_logs($1) ') -####################################### -# -# auth_read_login_records(domain) +######################################## +## +## Read login records files (/var/log/wtmp). +## +## +## +## Domain allowed access. +## +## # interface(`auth_read_login_records',` gen_require(` 
@@ -1062,9 +1156,16 @@ interface(`auth_read_login_records',` allow $1 wtmp_t:file r_file_perms; ') -####################################### -# -# auth_dontaudit_write_login_records(domain) +######################################## +## +## Do not audit attempts to write to +## login records files. +## +## +## +## Domain to not audit. +## +## # interface(`auth_dontaudit_write_login_records',` gen_require(` @@ -1110,9 +1211,15 @@ interface(`auth_write_login_records',` allow $1 wtmp_t:file { write lock }; ') -####################################### -# -# auth_rw_login_records(domain) +######################################## +## +## Read and write login records. +## +## +## +## Domain allowed access. +## +## # interface(`auth_rw_login_records',` gen_require(` @@ -1123,9 +1230,16 @@ interface(`auth_rw_login_records',` logging_search_logs($1) ') -####################################### -# -# auth_log_filetrans_login_records(domain) +######################################## +## +## Create a login records in the log directory +## using a type transition. +## +## +## +## Domain allowed access. +## +## # interface(`auth_log_filetrans_login_records',` gen_require(` @@ -1135,9 +1249,16 @@ interface(`auth_log_filetrans_login_records',` logging_log_filetrans($1,wtmp_t,file) ') -####################################### -# -# auth_manage_login_records(domain) +######################################## +## +## Create, read, write, and delete login +## records files. +## +## +## +## Domain allowed access. +## +## # interface(`auth_manage_login_records',` gen_require(` diff --git a/refpolicy/policy/modules/system/hostname.if b/refpolicy/policy/modules/system/hostname.if index 94f02336..d7a30906 100644 --- a/refpolicy/policy/modules/system/hostname.if +++ b/refpolicy/policy/modules/system/hostname.if @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # 
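Review bot: The summary added for `auth_log_filetrans_login_records` reads `## Create a login records in the log directory`, which mixes singular and plural. `## Create a login records file in the log directory` would match the "login records files" wording of the neighbouring interfaces. The context line `logging_log_filetrans($1,wtmp_t,file)` shows the created object is a `wtmp_t` file, which the summary could also state.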
@@ -31,7 +31,7 @@ interface(`hostname_domtrans',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -56,14 +56,14 @@ interface(`hostname_run',` ') ######################################## -## -## Execute hostname in the caller domain. -## -## +## +## Execute hostname in the caller domain. +## +## ## -## The type of the process performing this action. -## -## +## Domain allowed access. +## +## # interface(`hostname_exec',` gen_require(` diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if index 3aa11c9b..e9e0ee9b 100644 --- a/refpolicy/policy/modules/system/hotplug.if +++ b/refpolicy/policy/modules/system/hotplug.if @@ -3,9 +3,15 @@ ## connection and disconnection of devices at runtime. ## -####################################### -# -# hotplug_domtrans(domain) +######################################## +## +## Execute hotplug with a domain transition. +## +## +## +## Domain allowed access. +## +## # interface(`hotplug_domtrans',` gen_require(` @@ -21,9 +27,15 @@ interface(`hotplug_domtrans',` allow hotplug_t $1:process sigchld; ') -####################################### -# -# hotplug_exec(domain) +######################################## +## +## Execute hotplug in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`hotplug_exec',` gen_require(` @@ -34,9 +46,15 @@ interface(`hotplug_exec',` can_exec($1,hotplug_exec_t) ') -####################################### -# -# hotplug_use_fds(domain) +######################################## +## +## Inherit and use hotplug file descriptors. +## +## +## +## Domain allowed access. +## +## # interface(`hotplug_use_fds',` gen_require(` 
@@ -46,9 +64,16 @@ interface(`hotplug_use_fds',` allow $1 hotplug_t:fd use; ') -####################################### -# -# hotplug_dontaudit_use_fds(domain) +######################################## +## +## Do not audit attempts to inherit +## hotplug file descriptors. +## +## +## +## Domain to not audit. +## +## # interface(`hotplug_dontaudit_use_fds',` gen_require(` @@ -59,8 +84,15 @@ interface(`hotplug_dontaudit_use_fds',` ') ######################################## -# -# hotplug_dontaudit_search_config(domain) +## +## Do not audit attempts to search the +## hotplug configuration directories. +## +## +## +## Domain to not audit. +## +## # interface(`hotplug_dontaudit_search_config',` gen_require(` diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if index 766933dc..3cf76fa4 100644 --- a/refpolicy/policy/modules/system/init.if +++ b/refpolicy/policy/modules/system/init.if @@ -150,8 +150,14 @@ interface(`init_system_domain',` ') ######################################## -# -# init_domtrans(domain) +## +## Execute init (/sbin/init) with a domain transition. +## +## +## +## Domain allowed access. +## +## # interface(`init_domtrans',` gen_require(` @@ -186,8 +192,14 @@ interface(`init_exec',` ') ######################################## -# -# init_getpgid(domain) +## +## Get the process group of init. +## +## +## +## Domain allowed access. +## +## # interface(`init_getpgid',` gen_require(` @@ -243,8 +255,14 @@ interface(`init_sigchld',` ') ######################################## -# -# init_use_fds(domain) +## +## Inherit and use file descriptors from init. +## +## +## +## Domain allowed access. +## +## # interface(`init_use_fds',` gen_require(` 
@@ -258,8 +276,15 @@ interface(`init_use_fds',` ') ######################################## -# -# init_dontaudit_use_fds(domain) +## +## Do not audit attempts to inherit file +## descriptors from init. +## +## +## +## Domain allowed access. +## +## # interface(`init_dontaudit_use_fds',` gen_require(` @@ -295,8 +320,14 @@ interface(`init_udp_send',` ') ######################################## -# -# init_getattr_initctl(domain) +## +## Get the attributes of initctl. +## +## +## +## Domain allowed access. +## +## # interface(`init_getattr_initctl',` gen_require(` @@ -307,8 +338,15 @@ interface(`init_getattr_initctl',` ') ######################################## -# -# init_dontaudit_getattr_initctl(domain) +## +## Do not audit attempts to get the +## attributes of initctl. +## +## +## +## Domain to not audit. +## +## # interface(`init_dontaudit_getattr_initctl',` gen_require(` @@ -319,8 +357,14 @@ interface(`init_dontaudit_getattr_initctl',` ') ######################################## -# -# init_write_initctl(domain) +## +## Write to initctl. +## +## +## +## Domain allowed access. +## +## # interface(`init_write_initctl',` gen_require(` @@ -332,8 +376,14 @@ interface(`init_write_initctl',` ') ######################################## -# -# init_rw_initctl(domain) +## +## Read and write initctl. +## +## +## +## Domain allowed access. +## +## # interface(`init_rw_initctl',` gen_require(` @@ -345,8 +395,15 @@ interface(`init_rw_initctl',` ') ######################################## -# -# init_dontaudit_rw_initctl(domain) +## +## Do not audit attempts to read and +## write initctl. +## +## +## +## Domain allowed access. +## +## # interface(`init_dontaudit_rw_initctl',` gen_require(` @@ -376,8 +433,14 @@ interface(`init_script_file_entry_type',` ') ######################################## -# -# init_domtrans_script(domain) +## +## Execute init scripts with a domain transition. +## +## +## +## Domain allowed access. +## +## # interface(`init_domtrans_script',` gen_require(` 
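Review bot: The parameter description added for init_dontaudit_use_fds in the first hunk on this line reads `## Domain allowed access.`, but a dontaudit interface grants nothing and only suppresses the denial record. It should read `## Domain to not audit.`, which this commit already uses for hotplug_dontaudit_use_fds and init_dontaudit_getattr_initctl. The same wording is added for init_dontaudit_rw_initctl (the -345 hunk), init_dontaudit_use_script_fds, init_dontaudit_write_utmp, init_dontaudit_rw_utmp and logging_dontaudit_getattr_all_logs. Most of these interface bodies lie outside the hunks, so the dontaudit semantics are inferred from the names and summaries. The wording matters because a policy author could take the interface for an access grant, or miss that calling it hides AVC denials from the audit log.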
@@ -503,8 +566,14 @@ interface(`init_getattr_script_files',` ') ######################################## -# -# init_exec_script_files(domain) +## +## Execute init scripts in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`init_exec_script_files',` gen_require(` @@ -543,8 +612,14 @@ interface(`init_read_script_state',` ') ######################################## -# -# init_use_script_fds(domain) +## +## Inherit and use init script file descriptors. +## +## +## +## Domain allowed access. +## +## # interface(`init_use_script_fds',` gen_require(` @@ -555,8 +630,15 @@ interface(`init_use_script_fds',` ') ######################################## -# -# init_dontaudit_use_script_fds(domain) +## +## Do not audit attempts to inherit +## init script file descriptors. +## +## +## +## Domain allowed access. +## +## # interface(`init_dontaudit_use_script_fds',` gen_require(` @@ -567,8 +649,14 @@ interface(`init_dontaudit_use_script_fds',` ') ######################################## -# -# init_getpgid_script(domain) +## +## Get the process group ID of init scripts. +## +## +## +## Domain allowed access. +## +## # interface(`init_getpgid_script',` gen_require(` @@ -864,8 +952,14 @@ interface(`init_getattr_utmp',` ') ######################################## -# -# init_read_utmp(domain) +## +## Read utmp. +## +## +## +## Domain allowed access. +## +## # interface(`init_read_utmp',` gen_require(` @@ -877,8 +971,14 @@ interface(`init_read_utmp',` ') ######################################## -# -# init_dontaudit_write_utmp(domain) +## +## Do not audit attempts to write utmp. +## +## +## +## Domain allowed access. +## +## # interface(`init_dontaudit_write_utmp',` gen_require(` @@ -927,8 +1027,14 @@ interface(`init_dontaudit_lock_utmp',` ') ######################################## -# -# init_rw_utmp(domain) +## +## Read and write utmp. +## +## +## +## Domain allowed access. +## +## # interface(`init_rw_utmp',` gen_require(` 
@@ -940,8 +1046,14 @@ interface(`init_rw_utmp',` ') ######################################## -# -# init_dontaudit_rw_utmp(domain) +## +## Do not audit attempts to read and write utmp. +## +## +## +## Domain allowed access. +## +## # interface(`init_dontaudit_rw_utmp',` gen_require(` diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 3a5eb647..05f05b1b 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if @@ -72,7 +72,7 @@ interface(`logging_domtrans_auditctl',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -102,7 +102,7 @@ interface(`logging_run_auditctl',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -121,8 +121,25 @@ interface(`logging_domtrans_syslog',` ') ######################################## -# -# logging_log_filetrans(domain,privatetype,[class(es)]) +## +## Create an object in the log directory, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## # interface(`logging_log_filetrans',` gen_require(` @@ -134,9 +151,15 @@ interface(`logging_log_filetrans',` type_transition $1 var_log_t:$3 $2; ') -####################################### -# -# logging_send_syslog_msg(domain) +######################################## +## +## Send system log messages. +## +## +## +## Domain allowed access. +## +## # interface(`logging_send_syslog_msg',` gen_require(` @@ -183,7 +206,7 @@ interface(`logging_read_audit_config',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -239,7 +262,7 @@ interface(`logging_list_logs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # 
@@ -252,9 +275,16 @@ interface(`logging_rw_generic_log_dirs',` allow $1 var_log_t:dir rw_dir_perms; ') -####################################### -# -# logging_dontaudit_getattr_all_logs(domain) +######################################## +## +## Do not audit attempts to get the atttributes +## of any log files. +## +## +## +## Domain allowed access. +## +## # interface(`logging_dontaudit_getattr_all_logs',` gen_require(` @@ -264,9 +294,15 @@ interface(`logging_dontaudit_getattr_all_logs',` dontaudit $1 logfile:file getattr; ') -####################################### -# -# logging_append_all_logs(domain) +######################################## +## +## Append to all log files. +## +## +## +## Domain allowed access. +## +## # interface(`logging_append_all_logs',` gen_require(` @@ -279,9 +315,15 @@ interface(`logging_append_all_logs',` allow $1 logfile:file { getattr append }; ') -####################################### -# -# logging_read_all_logs(domain) +######################################## +## +## Read all log files. +## +## +## +## Domain allowed access. +## +## # interface(`logging_read_all_logs',` gen_require(` @@ -300,7 +342,7 @@ interface(`logging_read_all_logs',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -316,9 +358,15 @@ interface(`logging_exec_all_logs',` can_exec($1,logfile) ') -####################################### -# -# logging_manage_all_logs(domain) +######################################## +## +## Create, read, write, and delete all log files. +## +## +## +## Domain allowed access. +## +## # interface(`logging_manage_all_logs',` gen_require(` 
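Review bot: The summary added for logging_dontaudit_getattr_all_logs in the first hunk on this line misspells the word as `atttributes`; it should read `## Do not audit attempts to get the attributes`. These `##` headers appear to feed the XML documentation generated by the Makefile, so the typo would carry into the published interface reference.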
@@ -331,9 +379,15 @@ interface(`logging_manage_all_logs',` allow $1 logfile:file create_file_perms; ') -####################################### -# -# logging_read_generic_logs(domain) +######################################## +## +## Read generic log files. +## +## +## +## Domain allowed access. +## +## # interface(`logging_read_generic_logs',` gen_require(` @@ -345,9 +399,15 @@ interface(`logging_read_generic_logs',` allow $1 var_log_t:file r_file_perms; ') -####################################### -# -# logging_write_generic_logs(domain) +######################################## +## +## Write generic log files. +## +## +## +## Domain allowed access. +## +## # interface(`logging_write_generic_logs',` gen_require(` diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if index 05238434..b1dca236 100644 --- a/refpolicy/policy/modules/system/modutils.if +++ b/refpolicy/policy/modules/system/modutils.if @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -26,7 +26,7 @@ interface(`modutils_read_module_deps',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -50,7 +50,7 @@ interface(`modutils_read_module_config',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -68,7 +68,7 @@ interface(`modutils_rename_module_config',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -94,7 +94,7 @@ interface(`modutils_domtrans_insmod_uncond',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -117,7 +117,7 @@ interface(`modutils_domtrans_insmod',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## 
@@ -142,8 +142,14 @@ interface(`modutils_run_insmod',` ') ######################################## -# -# modutils_exec_insmod(domain) +## +## Execute insmod in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`modutils_exec_insmod',` gen_require(` @@ -160,7 +166,7 @@ interface(`modutils_exec_insmod',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -184,7 +190,7 @@ interface(`modutils_domtrans_depmod',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -209,8 +215,14 @@ interface(`modutils_run_depmod',` ') ######################################## -# -# modutils_exec_depmod(domain) +## +## Execute depmod in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`modutils_exec_depmod',` gen_require(` @@ -227,7 +239,7 @@ interface(`modutils_exec_depmod',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -251,7 +263,7 @@ interface(`modutils_domtrans_update_mods',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -276,8 +288,14 @@ interface(`modutils_run_update_mods',` ') ######################################## -# -# modutils_exec_update_mods(domain) +## +## Execute update_modules in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`modutils_exec_update_mods',` gen_require(` diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index c812f6b6..4e2f51bb 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -6,7 +6,7 @@ ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -33,7 +33,7 @@ interface(`seutil_domtrans_checkpolicy',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## 
@@ -57,9 +57,15 @@ interface(`seutil_run_checkpolicy',` allow checkpolicy_t $3:chr_file rw_term_perms; ') -####################################### -# -# seutil_exec_checkpolicy(domain) +######################################## +## +## Execute checkpolicy in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_exec_checkpolicy',` gen_require(` @@ -77,7 +83,7 @@ interface(`seutil_exec_checkpolicy',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -100,11 +106,10 @@ interface(`seutil_domtrans_loadpolicy',` ## Execute load_policy in the load_policy domain, and ## allow the specified role the load_policy domain, ## and use the caller's terminal. -## Has a SIGCHLD signal backchannel. ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -128,9 +133,15 @@ interface(`seutil_run_loadpolicy',` allow load_policy_t $3:chr_file rw_term_perms; ') -####################################### -# -# seutil_exec_loadpolicy(domain) +######################################## +## +## Execute load_policy in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_exec_loadpolicy',` gen_require(` @@ -141,9 +152,15 @@ interface(`seutil_exec_loadpolicy',` can_exec($1,load_policy_exec_t) ') -####################################### -# -# seutil_read_loadpolicy(domain) +######################################## +## +## Read the load_policy program file. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_read_loadpolicy',` gen_require(` @@ -160,7 +177,7 @@ interface(`seutil_read_loadpolicy',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -187,7 +204,7 @@ interface(`seutil_domtrans_newrole',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## 
@@ -211,9 +228,15 @@ interface(`seutil_run_newrole',` allow newrole_t $3:chr_file rw_term_perms; ') -####################################### -# -# seutil_exec_newrole(domain) +######################################## +## +## Execute newrole in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_exec_newrole',` gen_require(` @@ -232,7 +255,7 @@ interface(`seutil_exec_newrole',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -244,9 +267,15 @@ interface(`seutil_dontaudit_signal_newrole',` dontaudit $1 newrole_t:process signal; ') -####################################### -# -# seutil_sigchld_newrole(domain) +######################################## +## +## Send a SIGCHLD signal to newrole. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_sigchld_newrole',` gen_require(` @@ -256,9 +285,15 @@ interface(`seutil_sigchld_newrole',` allow $1 newrole_t:process sigchld; ') -####################################### -# -# seutil_use_newrole_fds(domain) +######################################## +## +## Inherit and use newrole file descriptors. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_use_newrole_fds',` gen_require(` @@ -274,7 +309,7 @@ interface(`seutil_use_newrole_fds',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -300,7 +335,7 @@ interface(`seutil_domtrans_restorecon',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -324,9 +359,15 @@ interface(`seutil_run_restorecon',` allow restorecon_t $3:chr_file rw_term_perms; ') -####################################### -# -# seutil_exec_restorecon(domain) +######################################## +## +## Execute restorecon in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_exec_restorecon',` gen_require(` 
@@ -343,7 +384,7 @@ interface(`seutil_exec_restorecon',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -399,7 +440,7 @@ interface(`seutil_init_script_domtrans_runinit',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -443,7 +484,7 @@ interface(`seutil_run_runinit',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -470,8 +511,14 @@ interface(`seutil_init_script_run_runinit',` ') ######################################## -# -# seutil_use_runinit_fds(domain) +## +## Inherit and use run_init file descriptors. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_use_runinit_fds',` gen_require(` @@ -487,7 +534,7 @@ interface(`seutil_use_runinit_fds',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -514,7 +561,7 @@ interface(`seutil_domtrans_setfiles',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -538,9 +585,15 @@ interface(`seutil_run_setfiles',` allow setfiles_t $3:chr_file rw_term_perms; ') -####################################### -# -# seutil_exec_setfiles(domain) +######################################## +## +## Execute setfiles in the caller domain. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_exec_setfiles',` gen_require(` @@ -592,8 +645,14 @@ interface(`seutil_dontaudit_read_config',` ') ######################################## -# -# seutil_read_config(domain) +## +## Read the general SELinux configuration files. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_read_config',` gen_require(` @@ -613,7 +672,7 @@ interface(`seutil_read_config',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # 
@@ -634,7 +693,7 @@ interface(`seutil_manage_selinux_config',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -649,8 +708,14 @@ interface(`seutil_search_default_contexts',` ######################################## -# -# seutil_read_default_contexts(domain) +## +## Read the default_contexts files. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_read_default_contexts',` gen_require(` @@ -665,8 +730,14 @@ interface(`seutil_read_default_contexts',` ') ######################################## -# -# seutil_read_file_contexts(domain) +## +## Read the file_contexts files. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_read_file_contexts',` gen_require(` @@ -724,8 +795,14 @@ interface(`seutil_manage_file_contexts',` ') ######################################## -# -# seutil_read_bin_policy(domain) +## +## Read the SELinux binary policy. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_read_bin_policy',` gen_require(` @@ -739,8 +816,14 @@ interface(`seutil_read_bin_policy',` ') ######################################## -# -# seutil_create_bin_policy(domain) +## +## Create the SELinux binary policy. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_create_bin_policy',` gen_require(` @@ -761,7 +844,7 @@ interface(`seutil_create_bin_policy',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -776,8 +859,15 @@ interface(`seutil_relabelto_bin_policy',` ') ######################################## -# -# seutil_manage_bin_policy(domain) +## +## Create, read, write, and delete the SELinux +## binary policy. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_manage_bin_policy',` gen_require(` 
@@ -793,8 +883,14 @@ interface(`seutil_manage_bin_policy',` ') ######################################## -# -# seutil_read_src_policy(domain) +## +## Read SELinux policy source files. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_read_src_policy',` gen_require(` @@ -808,8 +904,15 @@ interface(`seutil_read_src_policy',` ') ######################################## -# -# seutil_manage_src_policy(domain) +## +## Create, read, write, and delete SELinux +## policy source files. +## +## +## +## Domain allowed access. +## +## # interface(`seutil_manage_src_policy',` gen_require(` @@ -855,7 +958,7 @@ interface(`seutil_domtrans_semanage',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## ## @@ -909,7 +1012,7 @@ interface(`seutil_manage_module_store',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## # @@ -929,7 +1032,7 @@ interface(`seutil_get_semanage_read_lock',` ## ## ## -## The type of the process performing this action. +## Domain allowed access. ## ## #