clean up interfaces for new binary module optional structure
This commit is contained in:
Chris PeBenito
parent
f1578d05a9
commit
bd202fe157
|
|
@ -134,7 +134,9 @@ load: tmp/load
|
|||
# Construct a monolithic policy.conf
|
||||
#
|
||||
policy.conf: $(POLICY_SECTIONS)
|
||||
$(QUIET) m4 $(M4PARAM) $^ > tmp/$@.tmp
|
||||
$(QUIET) # checkpolicy can use the #line directives provided by m4 -s
|
||||
$(QUIET) # for error reporting:
|
||||
$(QUIET) m4 $(M4PARAM) -s $^ > tmp/$@.tmp
|
||||
$(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
|
||||
$(QUIET) # the ordering of these ocontexts matters:
|
||||
$(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
|
||||
|
|
@ -157,7 +159,7 @@ tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/co
|
|||
echo "define(\`$$i')" >> $@ ;\
|
||||
done
|
||||
$(QUIET) m4 $(M4PARAM) -D interface_pass $(BASE_MODULE)/global.if $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te \
|
||||
| sed -e 's/dollarsone/\$$1/g' -e 's/dollarstwo/\$$2/g' >> $@
|
||||
| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
|
||||
|
||||
tmp/all_interfaces.conf: $(ALL_INTERFACES)
|
||||
@test -d tmp || mkdir -p tmp
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
# consoletype_transition(domain)
|
||||
#
|
||||
define(`consoletype_transition',`
|
||||
requires_block_template(consoletype_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 consoletype_exec_t:file { getattr read execute };
|
||||
allow $1 consoletype_t:process transition;
|
||||
type_transition $1 consoletype_exec_t:file consoletype_t;
|
||||
|
|
@ -23,7 +23,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# consoletype_execute(domain)
|
||||
#
|
||||
define(`consoletype_execute',`
|
||||
requires_block_template(consoletype_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_install_kernel(domain,[`optional'])
|
||||
# bootloader_install_kernel(domain)
|
||||
#
|
||||
define(`bootloader_install_kernel',`
|
||||
requires_block_template(bootloader_install_kernel_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 boot_t:dir { getattr search read write add_name };
|
||||
allow $1 boot_t:file { getattr read write create };
|
||||
allow $1 boot_t:lnk_file { getattr read create unlink };
|
||||
|
|
@ -20,10 +20,10 @@ class lnk_file { getattr read create unlink };
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_install_initrd(domain,[`optional'])
|
||||
# bootloader_install_initrd(domain)
|
||||
#
|
||||
define(`bootloader_install_initrd',`
|
||||
requires_block_template(bootloader_install_initrd_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 boot_t:dir { getattr search read write add_name };
|
||||
allow $1 boot_t:file { getattr read write create };
|
||||
allow $1 boot_t:lnk_file { getattr read create unlink };
|
||||
|
|
@ -38,10 +38,10 @@ class lnk_file { getattr read create unlink };
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_install_kernel_symbol_table(domain,[`optional'])
|
||||
# bootloader_install_kernel_symbol_table(domain)
|
||||
#
|
||||
define(`bootloader_install_kernel_symbol_table',`
|
||||
requires_block_template(bootloader_install_kernel_symbol_table_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 boot_t:dir { getattr search read write add_name };
|
||||
allow $1 system_map_t:file { getattr read write create };
|
||||
')
|
||||
|
|
@ -54,10 +54,10 @@ class file { getattr read write create };
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_read_kernel_symbol_table(domain,[`optional'])
|
||||
# bootloader_read_kernel_symbol_table(domain)
|
||||
#
|
||||
define(`bootloader_read_kernel_symbol_table',`
|
||||
requires_block_template(bootloader_read_kernel_symbol_table_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 boot_t:dir { getattr search read };
|
||||
allow $1 system_map_t:file { getattr read };
|
||||
')
|
||||
|
|
@ -70,10 +70,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_remove_kernel(domain,[`optional'])
|
||||
# bootloader_remove_kernel(domain)
|
||||
#
|
||||
define(`bootloader_remove_kernel',`
|
||||
requires_block_template(bootloader_remove_kernel_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 boot_t:dir { getattr search read write remove_name };
|
||||
allow $1 boot_t:file { getattr unlink };
|
||||
')
|
||||
|
|
@ -86,10 +86,10 @@ class file { getattr unlink };
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_remove_kernel_symbol_table(domain,[`optional'])
|
||||
# bootloader_remove_kernel_symbol_table(domain)
|
||||
#
|
||||
define(`bootloader_remove_kernel_symbol_table',`
|
||||
requires_block_template(bootloader_remove_kernel_symbol_table_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 boot_t:dir { getattr search read write remove_name };
|
||||
allow $1 system_map_t:file { getattr unlink };
|
||||
')
|
||||
|
|
@ -102,10 +102,10 @@ class file { getattr unlink };
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_read_config(domain,[`optional'])
|
||||
# bootloader_read_config(domain)
|
||||
#
|
||||
define(`bootloader_read_config',`
|
||||
requires_block_template(bootloader_read_config_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 bootloader_etc_t:file { getattr read };
|
||||
')
|
||||
|
||||
|
|
@ -116,10 +116,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_modify_config(domain,[`optional'])
|
||||
# bootloader_modify_config(domain)
|
||||
#
|
||||
define(`bootloader_modify_bootloader_config',`
|
||||
requires_block_template(bootloader_modify_config_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 bootloader_etc_t:file { getattr read write append };
|
||||
')
|
||||
|
||||
|
|
@ -130,10 +130,10 @@ class file { getattr read write append };
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_create_runtime_data(domain,[`optional'])
|
||||
# bootloader_create_runtime_data(domain)
|
||||
#
|
||||
define(`bootloader_create_runtime_data',`
|
||||
requires_block_template(bootloader_create_runtime_data_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 boot_t:dir { getattr search read write add_name remove_name };
|
||||
allow $1 boot_runtime_t:file { getattr create read write append unlink };
|
||||
type_transition $1 boot_t:file boot_runtime_t;
|
||||
|
|
@ -147,10 +147,10 @@ class file { getattr create read write append unlink };
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_list_kernel_modules(domain,[`optional'])
|
||||
# bootloader_list_kernel_modules(domain)
|
||||
#
|
||||
define(`bootloader_list_kernel_modules',`
|
||||
requires_block_template(bootloader_list_kernel_modules_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 modules_object_t:dir { getattr search read };
|
||||
')
|
||||
|
||||
|
|
@ -161,10 +161,10 @@ class dir { getattr search read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_read_kernel_modules(domain,[`optional'])
|
||||
# bootloader_read_kernel_modules(domain)
|
||||
#
|
||||
define(`bootloader_read_kernel_modules',`
|
||||
requires_block_template(bootloader_read_kernel_modules_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 modules_object_t:dir { getattr search read };
|
||||
allow $1 modules_object_t:{ lnk_file file } { getattr read };
|
||||
')
|
||||
|
|
@ -178,10 +178,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_modify_kernel_modules(domain,[`optional'])
|
||||
# bootloader_modify_kernel_modules(domain)
|
||||
#
|
||||
define(`bootloader_modify_kernel_modules',`
|
||||
requires_block_template(bootloader_modify_kernel_modules_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 modules_object_t:file { getattr create read write setattr unlink };
|
||||
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
|
||||
')
|
||||
|
|
@ -194,10 +194,10 @@ class dir { getattr search read write add_name remove_name };
|
|||
|
||||
########################################
|
||||
#
|
||||
# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)],[`optional'])
|
||||
# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)])
|
||||
#
|
||||
define(`bootloader_create_private_module_dir_entry',`
|
||||
requires_block_template(bootloader_create_private_module_dir_entry_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 modules_object_t:dir { getattr search read write add_name remove_name };
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 modules_object_t:file $2;
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_make_device_node(type,[`optional'])
|
||||
# devices_make_device_node(type)
|
||||
#
|
||||
define(`devices_make_device_node',`
|
||||
requires_block_template(devices_make_device_node_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 device_node;
|
||||
filesystem_associate($1,optional)
|
||||
filesystem_tmpfs_associate($1,optional)
|
||||
|
|
@ -19,10 +19,10 @@ filesystem_tmpfs_associate_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_manage_all_devices_labels(type,[`optional'])
|
||||
# devices_manage_all_devices_labels(domain)
|
||||
#
|
||||
define(`devices_manage_all_devices_labels',`
|
||||
requires_block_template(devices_manage_all_devices_labels_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_node:dir { getattr relabelfrom };
|
||||
allow $1 device_node:file { getattr relabelfrom };
|
||||
allow $1 device_node:lnk_file { getattr relabelfrom };
|
||||
|
|
@ -46,10 +46,10 @@ class chr_file { getattr relabelfrom relabelto };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_list_device_nodes(type,[`optional'])
|
||||
# devices_list_device_nodes(domain)
|
||||
#
|
||||
define(`devices_list_device_nodes',`
|
||||
requires_block_template(devices_list_device_nodes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 device_t:lnk_file { getattr read };
|
||||
')
|
||||
|
|
@ -62,10 +62,10 @@ class lnk_file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_ignore_list_device_nodes(type,[`optional'])
|
||||
# devices_ignore_list_device_nodes(domain)
|
||||
#
|
||||
define(`devices_ignore_list_device_nodes',`
|
||||
requires_block_template(devices_ignore_list_device_nodes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 device_t:dir { getattr read search };
|
||||
')
|
||||
|
||||
|
|
@ -76,10 +76,10 @@ class dir { getattr read search };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_manage_device_nodes(type,[`optional'])
|
||||
# devices_manage_device_nodes(domain)
|
||||
#
|
||||
define(`devices_manage_device_nodes',`
|
||||
requires_block_template(devices_manage_device_nodes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow udev_t device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
|
||||
allow udev_t device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow udev_t device_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
|
|
@ -107,10 +107,10 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_ignore_modify_generic_devices(type,[`optional'])
|
||||
# devices_ignore_modify_generic_devices(domain)
|
||||
#
|
||||
define(`devices_ignore_modify_generic_devices',`
|
||||
requires_block_template(devices_ignore_modify_generic_devices_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
|
||||
')
|
||||
|
||||
|
|
@ -122,10 +122,10 @@ class blk_file { getattr read write ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_create_dev_entry(domain,file,objectclass(es),[`optional'])
|
||||
# devices_create_dev_entry(domain,file,objectclass(es))
|
||||
#
|
||||
define(`devices_create_dev_entry',`
|
||||
requires_block_template(devices_set_dev_entry_depend,$4)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr search read write add_name remove_name };
|
||||
type_transition $1 device_t:$3 $2;
|
||||
')
|
||||
|
|
@ -137,10 +137,10 @@ class dir { getattr search read write add_name remove_name };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_get_all_block_device_attributes(domain,[`optional'])
|
||||
# devices_get_all_block_device_attributes(domain)
|
||||
#
|
||||
define(`devices_get_all_block_device_attributes',`
|
||||
requires_block_template(devices_get_all_block_device_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_node:blk_file getattr;
|
||||
')
|
||||
|
||||
|
|
@ -151,10 +151,10 @@ class blk_file getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_get_all_character_device_attributes(domain,[`optional'])
|
||||
# devices_get_all_character_device_attributes(domain)
|
||||
#
|
||||
define(`devices_get_all_character_device_attributes',`
|
||||
requires_block_template(devices_get_all_character_device_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_node:chr_file getattr;
|
||||
')
|
||||
|
||||
|
|
@ -165,10 +165,10 @@ class chr_file getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_set_all_block_device_attributes(domain,[`optional'])
|
||||
# devices_set_all_block_device_attributes(domain)
|
||||
#
|
||||
define(`devices_set_all_block_device_attributes',`
|
||||
requires_block_template(devices_set_all_block_device_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_node:blk_file setattr;
|
||||
')
|
||||
|
||||
|
|
@ -179,10 +179,10 @@ class blk_file setattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_set_all_character_device_attributes(domain,[`optional'])
|
||||
# devices_set_all_character_device_attributes(domain)
|
||||
#
|
||||
define(`devices_set_all_character_device_attributes',`
|
||||
requires_block_template(devices_set_all_character_device_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_node:chr_file setattr;
|
||||
')
|
||||
|
||||
|
|
@ -193,10 +193,10 @@ class chr_file setattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_raw_read_memory(domain,[`optional'])
|
||||
# devices_raw_read_memory(domain)
|
||||
#
|
||||
define(`devices_raw_read_memory',`
|
||||
requires_block_template(devices_raw_read_memory_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 memory_raw_read;
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 memory_device_t:chr_file { getattr read ioctl };
|
||||
|
|
@ -213,10 +213,10 @@ class capability sys_rawio;
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_raw_write_memory(domain,[`optional'])
|
||||
# devices_raw_write_memory(domain)
|
||||
#
|
||||
define(`devices_raw_write_memory',`
|
||||
requires_block_template(devices_raw_write_memory_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 memory_raw_write
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 memory_device_t:chr_file write;
|
||||
|
|
@ -233,10 +233,10 @@ class capability sys_rawio;
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_get_random_data(domain,[`optional'])
|
||||
# devices_get_random_data(domain)
|
||||
#
|
||||
define(`devices_get_random_data',`
|
||||
requires_block_template(devices_get_random_data_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 random_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -249,10 +249,10 @@ class chr_file { getattr read ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_get_pseudorandom_data(domain,[`optional'])
|
||||
# devices_get_pseudorandom_data(domain)
|
||||
#
|
||||
define(`devices_get_pseudorandom_data',`
|
||||
requires_block_template(devices_get_pseudorandom_data_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 urandom_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -265,10 +265,10 @@ class chr_file { getattr read ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_add_entropy(domain,[`optional'])
|
||||
# devices_add_entropy(domain)
|
||||
#
|
||||
define(`devices_add_entropy',`
|
||||
requires_block_template(devices_add_entropy_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 random_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
|
@ -281,10 +281,10 @@ class chr_file { getattr write ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_set_pseudorandom_seed(domain,[`optional'])
|
||||
# devices_set_pseudorandom_seed(domain)
|
||||
#
|
||||
define(`devices_set_pseudorandom_seed',`
|
||||
requires_block_template(devices_set_pseudorandom_seed_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 urandom_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
|
@ -297,10 +297,10 @@ class chr_file { getattr write ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_discard_data_stream(domain,[`optional'])
|
||||
# devices_discard_data_stream(domain)
|
||||
#
|
||||
define(`devices_discard_data_stream',`
|
||||
requires_block_template(devices_discard_data_stream_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 null_device_t:chr_file { getattr append write };
|
||||
')
|
||||
|
|
@ -313,10 +313,10 @@ class chr_file { getattr append write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_get_zeros(domain,[`optional'])
|
||||
# devices_get_zeros(domain)
|
||||
#
|
||||
define(`devices_get_zeros',`
|
||||
requires_block_template(devices_get_zeros_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 zero_device_t:chr_file { getattr read };
|
||||
')
|
||||
|
|
@ -329,10 +329,10 @@ class chr_file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_read_realtime_clock(domain,[`optional'])
|
||||
# devices_read_realtime_clock(domain)
|
||||
#
|
||||
define(`devices_read_realtime_clock',`
|
||||
requires_block_template(devices_read_realtime_clock_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 clock_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -345,10 +345,10 @@ class chr_file { getattr read ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_record_sound_input(domain,[`optional'])
|
||||
# devices_record_sound_input(domain)
|
||||
#
|
||||
define(`devices_record_sound_input',`
|
||||
requires_block_template(devices_record_sound_input_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 sound_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -361,10 +361,10 @@ class chr_file { getattr read ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_play_sound(domain,[`optional'])
|
||||
# devices_play_sound(domain)
|
||||
#
|
||||
define(`devices_play_sound',`
|
||||
requires_block_template(devices_play_sound_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 sound_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
|
@ -377,10 +377,10 @@ class chr_file { getattr write ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_read_sound_mixer_levels(domain,[`optional'])
|
||||
# devices_read_sound_mixer_levels(domain)
|
||||
#
|
||||
define(`devices_read_sound_mixer_levels',`
|
||||
requires_block_template(devices_read_sound_mixer_levels_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 sound_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -393,10 +393,10 @@ class chr_file { getattr read ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_write_sound_mixer_levels(domain,[`optional'])
|
||||
# devices_write_sound_mixer_levels(domain)
|
||||
#
|
||||
define(`devices_write_sound_mixer_levels',`
|
||||
requires_block_template(devices_write_sound_mixer_levels_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 sound_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
|
@ -409,10 +409,10 @@ class chr_file { getattr write ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_direct_agp_access(domain,[`optional'])
|
||||
# devices_direct_agp_access(domain)
|
||||
#
|
||||
define(`devices_direct_agp_access',`
|
||||
requires_block_template(devices_direct_agp_access_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 agp_device_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
|
@ -425,10 +425,10 @@ class chr_file { getattr read write ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_use_direct_rendering_interface(domain,[`optional'])
|
||||
# devices_use_direct_rendering_interface(domain)
|
||||
#
|
||||
define(`devices_use_direct_rendering_interface',`
|
||||
requires_block_template(devices_use_direct_rendering_interface_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 dri_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -441,10 +441,10 @@ class chr_file { getattr read write ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_read_mtrr(domain,[`optional'])
|
||||
# devices_read_mtrr(domain)
|
||||
#
|
||||
define(`devices_read_mtrr',`
|
||||
requires_block_template(devices_read_mtrr_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 mtrr_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -457,10 +457,10 @@ class chr_file { getattr read ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_write_mtrr(domain,[`optional'])
|
||||
# devices_write_mtrr(domain)
|
||||
#
|
||||
define(`devices_write_mtrr',`
|
||||
requires_block_template(devices_write_mtrr_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 mtrr_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
|
@ -472,10 +472,10 @@ class chr_file { getattr write ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_read_framebuffer(domain,[`optional'])
|
||||
# devices_read_framebuffer(domain)
|
||||
#
|
||||
define(`devices_read_framebuffer',`
|
||||
requires_block_template(devices_read_framebuffer_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 framebuf_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -488,10 +488,10 @@ class chr_file { getattr read ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_write_framebuffer(domain,[`optional'])
|
||||
# devices_write_framebuffer(domain)
|
||||
#
|
||||
define(`devices_write_framebuffer',`
|
||||
requires_block_template(devices_write_framebuffer_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 framebuf_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
|
@ -504,10 +504,10 @@ class chr_file { getattr write ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_read_misc(domain,[`optional'])
|
||||
# devices_read_misc(domain)
|
||||
#
|
||||
define(`devices_read_misc',`
|
||||
requires_block_template(devices_read_misc_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 misc_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -520,10 +520,10 @@ class chr_file { getattr read ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_write_misc(domain,[`optional'])
|
||||
# devices_write_misc(domain)
|
||||
#
|
||||
define(`devices_write_misc',`
|
||||
requires_block_template(devices_write_misc_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 misc_device_t:chr_file { getattr write ioctl };
|
||||
')
|
||||
|
|
@ -536,10 +536,10 @@ class chr_file { getattr write ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_get_mouse_input(domain,[`optional'])
|
||||
# devices_get_mouse_input(domain)
|
||||
#
|
||||
define(`devices_get_mouse_input',`
|
||||
requires_block_template(devices_get_mouse_input_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 mouse_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -552,10 +552,10 @@ class chr_file { getattr read ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_get_input_event(domain,[`optional'])
|
||||
# devices_get_input_event(domain)
|
||||
#
|
||||
define(`devices_get_input_event',`
|
||||
requires_block_template(devices_get_input_event_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 event_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -568,10 +568,10 @@ class chr_file { getattr read ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_get_cpuid(domain,[`optional'])
|
||||
# devices_get_cpuid(domain)
|
||||
#
|
||||
define(`devices_get_cpuid',`
|
||||
requires_block_template(devices_get_cpuid_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 cpu_device_t:chr_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -584,10 +584,10 @@ class chr_file { getattr read ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_load_cpu_microcode(domain,[`optional'])
|
||||
# devices_load_cpu_microcode(domain)
|
||||
#
|
||||
define(`devices_load_cpu_microcode',`
|
||||
requires_block_template(devices_load_cpu_microcode_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 cpu_device_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
|
@ -600,10 +600,10 @@ class chr_file { getattr read write ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_use_scanner(domain,[`optional'])
|
||||
# devices_use_scanner(domain)
|
||||
#
|
||||
define(`devices_use_scanner',`
|
||||
requires_block_template(devices_use_scanner_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 scanner_device_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
|
@ -616,10 +616,10 @@ class chr_file { getattr read write ioctl };
|
|||
|
||||
########################################
|
||||
#
|
||||
# devices_control_system_powermanagement(domain,[`optional'])
|
||||
# devices_control_system_powermanagement(domain)
|
||||
#
|
||||
define(`devices_control_system_powermanagement',`
|
||||
requires_block_template(devices_control_system_powermanagement_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 device_t:dir { getattr read search };
|
||||
allow $1 power_device_t:chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_make_filesystem(type,[`optional'])
|
||||
# filesystem_make_filesystem(type)
|
||||
#
|
||||
define(`filesystem_make_filesystem',`
|
||||
requires_block_template(filesystem_make_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 fs_type;
|
||||
')
|
||||
|
||||
|
|
@ -15,10 +15,10 @@ attribute fs_type;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_associate(type,[`optional'])
|
||||
# filesystem_associate(type)
|
||||
#
|
||||
define(`filesystem_associate',`
|
||||
requires_block_template(filesystem_associate_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 fs_t:filesystem associate;
|
||||
')
|
||||
|
||||
|
|
@ -29,10 +29,10 @@ class filesystem associate;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_noxattr_associate(type,[`optional'])
|
||||
# filesystem_noxattr_associate(type)
|
||||
#
|
||||
define(`filesystem_noxattr_associate',`
|
||||
requires_block_template(filesystem_noxattr_associate_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 autofs_t:filesystem associate;
|
||||
allow $1 cifs_t:filesystem associate;
|
||||
allow $1 dosfs_t:filesystem associate;
|
||||
|
|
@ -49,10 +49,10 @@ class filesystem associate;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_mount_persistent_filesystem(domain,[`optional'])
|
||||
# filesystem_mount_persistent_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_mount_persistent_filesystem',`
|
||||
requires_block_template(filesystem_mount_persistent_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 fs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -63,10 +63,10 @@ class filesystem mount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_remount_persistent_filesystem(domain,[`optional'])
|
||||
# filesystem_remount_persistent_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_remount_persistent_filesystem',`
|
||||
requires_block_template(filesystem_remount_persistent_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 fs_t:filesystem remount;
|
||||
')
|
||||
|
||||
|
|
@ -77,10 +77,10 @@ class filesystem remount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_unmount_persistent_filesystem(domain,[`optional'])
|
||||
# filesystem_unmount_persistent_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_unmount_persistent_filesystem',`
|
||||
requires_block_template(filesystem_unmount_persistent_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 fs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -91,10 +91,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_get_persistent_filesystem_attributes(domain,[`optional'])
|
||||
# filesystem_get_persistent_filesystem_attributes(domain)
|
||||
#
|
||||
define(`filesystem_get_persistent_filesystem_attributes',`
|
||||
requires_block_template(filesystem_get_persistent_filesystem_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 fs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
@ -105,10 +105,10 @@ class filesystem getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_ignore_get_persistent_filesystem_attributes(domain,[`optional'])
|
||||
# filesystem_ignore_get_persistent_filesystem_attributes(domain)
|
||||
#
|
||||
define(`filesystem_ignore_get_persistent_filesystem_attributes',`
|
||||
requires_block_template(filesystem_ignore_get_persistent_filesystem_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 fs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
@ -119,10 +119,10 @@ class filesystem getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_mount_automount_filesystem(domain,[`optional'])
|
||||
# filesystem_mount_automount_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_mount_automount_filesystem',`
|
||||
requires_block_template(filesystem_mount_automount_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 autofs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -133,10 +133,10 @@ class filesystem mount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_remount_automount_filesystem(domain,[`optional'])
|
||||
# filesystem_remount_automount_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_remount_automount_filesystem',`
|
||||
requires_block_template(filesystem_remount_automount_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 autofs_t:filesystem remount;
|
||||
')
|
||||
|
||||
|
|
@ -147,10 +147,10 @@ class filesystem remount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_unmount_automount_filesystem(domain,[`optional'])
|
||||
# filesystem_unmount_automount_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_unmount_automount_filesystem',`
|
||||
requires_block_template(filesystem_unmount_automount_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 autofs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -161,10 +161,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_get_automount_filesystem_attributes(domain,[`optional'])
|
||||
# filesystem_get_automount_filesystem_attributes(domain)
|
||||
#
|
||||
define(`filesystem_get_automount_filesystem_attributes',`
|
||||
requires_block_template(filesystem_get_automount_filesystem_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 autofs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
@ -175,10 +175,10 @@ class filesystem getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_register_binary_executable_type(domain,[`optional'])
|
||||
# filesystem_register_binary_executable_type(domain)
|
||||
#
|
||||
define(`filesystem_register_binary_executable_type',`
|
||||
requires_block_template(filesystem_register_binary_executable_type_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 binfmt_misc_fs_t:dir { getattr search };
|
||||
allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
|
||||
')
|
||||
|
|
@ -191,10 +191,10 @@ class file { getattr ioctl write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_mount_windows_network_filesystem(domain,[`optional'])
|
||||
# filesystem_mount_windows_network_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_mount_windows_network_filesystem',`
|
||||
requires_block_template(filesystem_mount_windows_network_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 cifs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -205,10 +205,10 @@ class filesystem mount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_remount_windows_network_filesystem(domain,[`optional'])
|
||||
# filesystem_remount_windows_network_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_remount_windows_network_filesystem',`
|
||||
requires_block_template(filesystem_remount_windows_network_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 cifs_t:filesystem remount;
|
||||
')
|
||||
|
||||
|
|
@ -219,10 +219,10 @@ class filesystem remount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_unmount_windows_network_filesystem(domain,[`optional'])
|
||||
# filesystem_unmount_windows_network_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_unmount_windows_network_filesystem',`
|
||||
requires_block_template(filesystem_unmount_windows_network_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 cifs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -233,10 +233,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_get_windows_network_filesystem_attributes(domain,[`optional'])
|
||||
# filesystem_get_windows_network_filesystem_attributes(domain)
|
||||
#
|
||||
define(`filesystem_get_windows_network_filesystem_attributes',`
|
||||
requires_block_template(filesystem_get_windows_network_filesystem_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 cifs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
@ -247,10 +247,10 @@ class filesystem getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_mount_dos_filesystem(domain,[`optional'])
|
||||
# filesystem_mount_dos_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_mount_dos_filesystem',`
|
||||
requires_block_template(filesystem_mount_dos_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 dosfs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -261,10 +261,10 @@ class filesystem mount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_remount_dos_filesystem(domain,[`optional'])
|
||||
# filesystem_remount_dos_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_remount_dos_filesystem',`
|
||||
requires_block_template(filesystem_remount_dos_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 dosfs_t:filesystem remount;
|
||||
')
|
||||
|
||||
|
|
@ -275,10 +275,10 @@ class filesystem remount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_unmount_dos_filesystem(domain,[`optional'])
|
||||
# filesystem_unmount_dos_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_unmount_dos_filesystem',`
|
||||
requires_block_template(filesystem_unmount_dos_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 dosfs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -289,10 +289,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_get_dos_filesystem_attributes(domain,[`optional'])
|
||||
# filesystem_get_dos_filesystem_attributes(domain)
|
||||
#
|
||||
define(`filesystem_get_dos_filesystem_attributes',`
|
||||
requires_block_template(filesystem_get_dos_filesystem_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 dosfs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
@ -303,10 +303,10 @@ class filesystem getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_mount_cd_filesystem(domain,[`optional'])
|
||||
# filesystem_mount_cd_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_mount_cd_filesystem',`
|
||||
requires_block_template(filesystem_mount_cd_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 iso9660_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -317,10 +317,10 @@ class filesystem mount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_remount_cd_filesystem(domain,[`optional'])
|
||||
# filesystem_remount_cd_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_remount_cd_filesystem',`
|
||||
requires_block_template(filesystem_remount_cd_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 iso9660_t:filesystem remount;
|
||||
')
|
||||
|
||||
|
|
@ -331,10 +331,10 @@ class filesystem remount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_unmount_cd_filesystem(domain,[`optional'])
|
||||
# filesystem_unmount_cd_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_unmount_cd_filesystem',`
|
||||
requires_block_template(filesystem_unmount_cd_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 iso9660_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -345,10 +345,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_get_cd_filesystem_attributes(domain,[`optional'])
|
||||
# filesystem_get_cd_filesystem_attributes(domain)
|
||||
#
|
||||
define(`filesystem_get_cd_filesystem_attributes',`
|
||||
requires_block_template(filesystem_get_cd_filesystem_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 iso9660_t:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
@ -359,10 +359,10 @@ class filesystem getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_mount_nfs_filesystem(domain,[`optional'])
|
||||
# filesystem_mount_nfs_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_mount_nfs_filesystem',`
|
||||
requires_block_template(filesystem_mount_nfs_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 nfs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -373,10 +373,10 @@ class filesystem mount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_remount_nfs_filesystem(domain,[`optional'])
|
||||
# filesystem_remount_nfs_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_remount_nfs_filesystem',`
|
||||
requires_block_template(filesystem_remount_nfs_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 nfs_t:filesystem remount;
|
||||
')
|
||||
|
||||
|
|
@ -387,10 +387,10 @@ class filesystem remount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_unmount_nfs_filesystem(domain,[`optional'])
|
||||
# filesystem_unmount_nfs_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_unmount_nfs_filesystem',`
|
||||
requires_block_template(filesystem_unmount_nfs_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 nfs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -401,10 +401,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_get_nfs_filesystem_attributes(domain,[`optional'])
|
||||
# filesystem_get_nfs_filesystem_attributes(domain)
|
||||
#
|
||||
define(`filesystem_get_nfs_filesystem_attributes',`
|
||||
requires_block_template(filesystem_get_nfs_filesystem_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 nfs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
@ -415,10 +415,10 @@ class filesystem getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_mount_nfsd_filesystem(domain,[`optional'])
|
||||
# filesystem_mount_nfsd_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_mount_nfsd_filesystem',`
|
||||
requires_block_template(filesystem_mount_nfsd_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 nfsd_fs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -429,10 +429,10 @@ class filesystem mount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_remount_nfsd_filesystem(domain,[`optional'])
|
||||
# filesystem_remount_nfsd_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_remount_nfsd_filesystem',`
|
||||
requires_block_template(filesystem_remount_nfsd_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 nfsd_fs_t:filesystem remount;
|
||||
')
|
||||
|
||||
|
|
@ -443,10 +443,10 @@ class filesystem remount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_unmount_nfsd_filesystem(domain,[`optional'])
|
||||
# filesystem_unmount_nfsd_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_unmount_nfsd_filesystem',`
|
||||
requires_block_template(filesystem_unmount_nfsd_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 nfsd_fs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -457,10 +457,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_get_nfsd_filesystem_attributes(domain,[`optional'])
|
||||
# filesystem_get_nfsd_filesystem_attributes(domain)
|
||||
#
|
||||
define(`filesystem_get_nfsd_filesystem_attributes',`
|
||||
requires_block_template(filesystem_get_nfsd_filesystem_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 nfsd_fs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
@ -471,10 +471,10 @@ class filesystem getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_mount_ram_filesystem(domain,[`optional'])
|
||||
# filesystem_mount_ram_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_mount_ram_filesystem',`
|
||||
requires_block_template(filesystem_mount_ram_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 ramfs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -485,10 +485,10 @@ class filesystem mount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_remount_ram_filesystem(domain,[`optional'])
|
||||
# filesystem_remount_ram_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_remount_ram_filesystem',`
|
||||
requires_block_template(filesystem_remount_ram_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 ramfs_t:filesystem remount;
|
||||
')
|
||||
|
||||
|
|
@ -499,10 +499,10 @@ class filesystem remount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_unmount_ram_filesystem(domain,[`optional'])
|
||||
# filesystem_unmount_ram_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_unmount_ram_filesystem',`
|
||||
requires_block_template(filesystem_unmount_ram_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 ramfs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -513,10 +513,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_get_ram_filesystem_attributes(domain,[`optional'])
|
||||
# filesystem_get_ram_filesystem_attributes(domain)
|
||||
#
|
||||
define(`filesystem_get_ram_filesystem_attributes',`
|
||||
requires_block_template(filesystem_get_ram_filesystem_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 ramfs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
@ -527,10 +527,10 @@ class filesystem getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_mount_rom_filesystem(domain,[`optional'])
|
||||
# filesystem_mount_rom_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_mount_rom_filesystem',`
|
||||
requires_block_template(filesystem_mount_rom_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 romfs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -541,10 +541,10 @@ class filesystem mount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_remount_rom_filesystem(domain,[`optional'])
|
||||
# filesystem_remount_rom_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_remount_rom_filesystem',`
|
||||
requires_block_template(filesystem_remount_rom_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 romfs_t:filesystem remount;
|
||||
')
|
||||
|
||||
|
|
@ -555,10 +555,10 @@ class filesystem remount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_unmount_rom_filesystem(domain,[`optional'])
|
||||
# filesystem_unmount_rom_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_unmount_rom_filesystem',`
|
||||
requires_block_template(filesystem_unmount_rom_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 romfs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -569,10 +569,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_get_rom_filesystem_attributes(domain,[`optional'])
|
||||
# filesystem_get_rom_filesystem_attributes(domain)
|
||||
#
|
||||
define(`filesystem_get_rom_filesystem_attributes',`
|
||||
requires_block_template(filesystem_get_rom_filesystem_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 romfs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
@ -583,10 +583,10 @@ class filesystem getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_mount_rpc_pipefs_filesystem(domain,[`optional'])
|
||||
# filesystem_mount_rpc_pipefs_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_mount_rpc_pipefs_filesystem',`
|
||||
requires_block_template(filesystem_mount_rpc_pipefs_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 rpc_pipefs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -597,10 +597,10 @@ class filesystem mount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_remount_rpc_pipefs_filesystem(domain,[`optional'])
|
||||
# filesystem_remount_rpc_pipefs_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_remount_rpc_pipefs_filesystem',`
|
||||
requires_block_template(filesystem_remount_rpc_pipefs_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 rpc_pipefs_t:filesystem remount;
|
||||
')
|
||||
|
||||
|
|
@ -611,10 +611,10 @@ class filesystem remount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_unmount_rpc_pipefs_filesystem(domain,[`optional'])
|
||||
# filesystem_unmount_rpc_pipefs_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_unmount_rpc_pipefs_filesystem',`
|
||||
requires_block_template(filesystem_unmount_rpc_pipefs_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 rpc_pipefs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -625,10 +625,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_get_rpc_pipefs_filesystem_attributes(domain,[`optional'])
|
||||
# filesystem_get_rpc_pipefs_filesystem_attributes(domain)
|
||||
#
|
||||
define(`filesystem_get_rpc_pipefs_filesystem_attributes',`
|
||||
requires_block_template(filesystem_get_rpc_pipefs_filesystem_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 rpc_pipefs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
@ -639,10 +639,10 @@ class filesystem getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_mount_tmpfs_filesystem(domain,[`optional'])
|
||||
# filesystem_mount_tmpfs_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_mount_tmpfs_filesystem',`
|
||||
requires_block_template(filesystem_mount_tmpfs_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 tmpfs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -653,10 +653,10 @@ class filesystem mount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_remount_tmpfs_filesystem(domain,[`optional'])
|
||||
# filesystem_remount_tmpfs_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_remount_tmpfs_filesystem',`
|
||||
requires_block_template(filesystem_remount_tmpfs_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 tmpfs_t:filesystem remount;
|
||||
')
|
||||
|
||||
|
|
@ -667,10 +667,10 @@ class filesystem remount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_unmount_tmpfs_filesystem(domain,[`optional'])
|
||||
# filesystem_unmount_tmpfs_filesystem(domain)
|
||||
#
|
||||
define(`filesystem_unmount_tmpfs_filesystem',`
|
||||
requires_block_template(filesystem_unmount_tmpfs_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 tmpfs_t:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -681,10 +681,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_get_tmpfs_filesystem_attributes(domain,[`optional'])
|
||||
# filesystem_get_tmpfs_filesystem_attributes(domain)
|
||||
#
|
||||
define(`filesystem_get_tmpfs_filesystem_attributes',`
|
||||
requires_block_template(filesystem_get_tmpfs_filesystem_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 tmpfs_t:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
@ -695,10 +695,10 @@ class filesystem getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_tmpfs_associate(type,[`optional'])
|
||||
# filesystem_tmpfs_associate(type)
|
||||
#
|
||||
define(`filesystem_tmpfs_associate',`
|
||||
requires_block_template(filesystem_tmpfs_associate_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 tmpfs_t:filesystem associate;
|
||||
')
|
||||
|
||||
|
|
@ -709,10 +709,10 @@ class filesystem associate;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_create_private_tmpfs_data(domain,derivedtype,[class],[`optional'])
|
||||
# filesystem_create_private_tmpfs_data(domain,derivedtype,[class])
|
||||
#
|
||||
define(`filesystem_create_private_tmpfs_data',`
|
||||
requires_block_template(filesystem_create_private_tmpfs_data_depend,$4)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 tmpfs_t:dir { getattr search read write add_name };
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 tmpfs_t:file $2;
|
||||
|
|
@ -728,10 +728,10 @@ class dir { getattr search read write add_name };
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_mount_all_filesystems(type,[`optional'])
|
||||
# filesystem_mount_all_filesystems(type)
|
||||
#
|
||||
define(`filesystem_mount_all_filesystems',`
|
||||
requires_block_template(filesystem_mount_all_filesystems_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 fs_type:filesystem mount;
|
||||
')
|
||||
|
||||
|
|
@ -742,10 +742,10 @@ class filesystem mount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_remount_all_filesystems(type,[`optional'])
|
||||
# filesystem_remount_all_filesystems(type)
|
||||
#
|
||||
define(`filesystem_remount_all_filesystems',`
|
||||
requires_block_template(filesystem_remount_all_filesystems_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 fs_type:filesystem remount;
|
||||
')
|
||||
|
||||
|
|
@ -756,10 +756,10 @@ class filesystem remount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_unmount_all_filesystems(type,[`optional'])
|
||||
# filesystem_unmount_all_filesystems(type)
|
||||
#
|
||||
define(`filesystem_unmount_all_filesystems',`
|
||||
requires_block_template(filesystem_unmount_all_filesystems_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 fs_type:filesystem unmount;
|
||||
')
|
||||
|
||||
|
|
@ -770,10 +770,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# filesystem_get_all_filesystems_attributes(type,[`optional'])
|
||||
# filesystem_get_all_filesystems_attributes(type)
|
||||
#
|
||||
define(`filesystem_get_all_filesystems_attributes',`
|
||||
requires_block_template(filesystem_get_all_filesystems_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 fs_type:filesystem getattr;
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_share_state(domain,[`optional'])
|
||||
# kernel_share_state(domain)
|
||||
#
|
||||
define(`kernel_share_state',`
|
||||
requires_block_template(kernel_share_state_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow kernel_t $1:process share;
|
||||
')
|
||||
|
||||
|
|
@ -16,10 +16,10 @@ class process share;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_use_file_descriptors(domain,[`optional'])
|
||||
# kernel_use_file_descriptors(domain)
|
||||
#
|
||||
define(`kernel_use_file_descriptors',`
|
||||
requires_block_template(kernel_use_file_descriptors_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 kernel_t:fd use;
|
||||
')
|
||||
|
||||
|
|
@ -30,10 +30,10 @@ class fd use;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_ignore_use_file_descriptors(domain,[`optional'])
|
||||
# kernel_ignore_use_file_descriptors(domain)
|
||||
#
|
||||
define(`kernel_ignore_use_file_descriptors',`
|
||||
requires_block_template(kernel_ignore_use_file_descriptors_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 kernel_t:fd use;
|
||||
')
|
||||
|
||||
|
|
@ -44,10 +44,10 @@ class fd use;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_make_root_filesystem_mountpoint(domain,[`optional'])
|
||||
# kernel_make_root_filesystem_mountpoint(domain)
|
||||
#
|
||||
define(`kernel_make_root_filesystem_mountpoint',`
|
||||
requires_block_template(kernel_make_root_filesystem_mountpoint_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow kernel_t $1:dir mounton;
|
||||
')
|
||||
|
||||
|
|
@ -58,10 +58,10 @@ class dir mounton;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_load_module(domain,[`optional'])
|
||||
# kernel_load_module(domain)
|
||||
#
|
||||
define(`kernel_load_module',`
|
||||
requires_block_template(kernel_load_module_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 self:capability sys_module;
|
||||
typeattribute $1 can_load_kernmodule;
|
||||
')
|
||||
|
|
@ -73,10 +73,10 @@ class capability sys_module;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_kill_unlabeled_process(domain,[`optional'])
|
||||
# kernel_kill_unlabeled_process(domain)
|
||||
#
|
||||
define(`kernel_kill_unlabeled_process',`
|
||||
requires_block_template(kernel_kill_unlabeled_process_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 unlabeled_t:process sigkill;
|
||||
')
|
||||
|
||||
|
|
@ -87,10 +87,10 @@ class process sigkill;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_relabel_unlabeled_object(domain,[`optional'])
|
||||
# kernel_relabel_unlabeled_object(domain)
|
||||
#
|
||||
define(`kernel_relabel_unlabeled_object',`
|
||||
requires_block_template(kernel_relabel_unlabeled_object_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
|
||||
')
|
||||
|
||||
|
|
@ -107,10 +107,10 @@ class blk_file { getattr relabelfrom };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_get_selinux_enforcement_mode(domain,[`optional'])
|
||||
# kernel_get_selinux_enforcement_mode(domain)
|
||||
#
|
||||
define(`kernel_get_selinux_enforcement_mode',`
|
||||
requires_block_template(kernel_get_selinux_enforcement_mode_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read };
|
||||
')
|
||||
|
|
@ -123,10 +123,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_set_selinux_enforcement_mode(domain,[`optional'])
|
||||
# kernel_set_selinux_enforcement_mode(domain)
|
||||
#
|
||||
define(`kernel_set_selinux_enforcement_mode',`
|
||||
requires_block_template(kernel_set_selinux_enforcement_mode_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security setenforce;
|
||||
|
|
@ -144,10 +144,10 @@ class security setenforce;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_load_selinux_policy(domain,[`optional'])
|
||||
# kernel_load_selinux_policy(domain)
|
||||
#
|
||||
define(`kernel_load_selinux_policy',`
|
||||
requires_block_template(kernel_load_selinux_policy_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security load_policy;
|
||||
|
|
@ -165,10 +165,10 @@ class security load_policy;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_set_selinux_boolean(domain,[booltype],[`optional'])
|
||||
# kernel_set_selinux_boolean(domain,[booltype])
|
||||
#
|
||||
define(`kernel_set_selinux_boolean',`
|
||||
requires_block_template(kernel_set_selinux_boolean_depend,$3)
|
||||
requires_block_template(`$0'_depend)
|
||||
ifelse(`$2',`',`
|
||||
allow $1 security_t:dir { getattr search read };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
|
|
@ -190,10 +190,10 @@ class security setbool;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_setsecparam(domain,[`optional'])
|
||||
# kernel_setsecparam(domain)
|
||||
#
|
||||
define(`kernel_setsecparam',`
|
||||
requires_block_template(kernel_setsecparam_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security setsecparam;
|
||||
|
|
@ -211,10 +211,10 @@ class security setsecparam;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_validate_selinux_context(domain,[`optional'])
|
||||
# kernel_validate_selinux_context(domain)
|
||||
#
|
||||
define(`kernel_validate_selinux_context',`
|
||||
requires_block_template(kernel_validate_selinux_context_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security check_context;
|
||||
|
|
@ -229,10 +229,10 @@ class security check_context;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_compute_selinux_av(domain,[`optional'])
|
||||
# kernel_compute_selinux_av(domain)
|
||||
#
|
||||
define(`kernel_compute_selinux_av',`
|
||||
requires_block_template(kernel_compute_selinux_av_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_av;
|
||||
|
|
@ -247,10 +247,10 @@ class security compute_av;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_compute_selinux_create(domain,[`optional'])
|
||||
# kernel_compute_selinux_create(domain)
|
||||
#
|
||||
define(`kernel_compute_create',`
|
||||
requires_block_template(kernel_compute_create_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_create;
|
||||
|
|
@ -265,10 +265,10 @@ class security compute_create;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_compute_relabel(domain,[`optional'])
|
||||
# kernel_compute_relabel(domain)
|
||||
#
|
||||
define(`kernel_compute_relabel',`
|
||||
requires_block_template(kernel_compute_relabel_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_relabel;
|
||||
|
|
@ -283,10 +283,10 @@ class security compute_relabel;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_compute_reachable_user_contexts(domain,[`optional'])
|
||||
# kernel_compute_reachable_user_contexts(domain)
|
||||
#
|
||||
define(`kernel_compute_reachable_user_contexts',`
|
||||
requires_block_template(kernel_compute_reachable_user_contexts_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 security_t:dir { read search getattr };
|
||||
allow $1 security_t:file { getattr read write };
|
||||
allow $1 security_t:security compute_user;
|
||||
|
|
@ -301,10 +301,10 @@ class security compute_user;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_ring_buffer(domain,[`optional'])
|
||||
# kernel_read_ring_buffer(domain)
|
||||
#
|
||||
define(`kernel_read_ring_buffer',`
|
||||
requires_block_template(kernel_read_ring_buffer_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 kernel_t:system syslog_read;
|
||||
')
|
||||
|
||||
|
|
@ -315,10 +315,10 @@ class system syslog_read;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_change_ring_buffer_level(domain,[`optional'])
|
||||
# kernel_change_ring_buffer_level(domain)
|
||||
#
|
||||
define(`kernel_change_ring_buffer_level',`
|
||||
requires_block_template(kernel_change_ring_buffer_level_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 kernel_t:system syslog_console;
|
||||
')
|
||||
|
||||
|
|
@ -329,10 +329,10 @@ class system syslog_console;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_clear_ring_buffer(domain,[`optional'])
|
||||
# kernel_clear_ring_buffer(domain)
|
||||
#
|
||||
define(`kernel_clear_ring_buffer',`
|
||||
requires_block_template(kernel_clear_ring_buffer_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 kernel_t:system syslog_mod;
|
||||
')
|
||||
|
||||
|
|
@ -343,10 +343,10 @@ class system syslog_mod;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_get_sysvipc_info(domain,[`optional'])
|
||||
# kernel_get_sysvipc_info(domain)
|
||||
#
|
||||
define(`kernel_get_sysvipc_info',`
|
||||
requires_block_template(kernel_get_sysvipc_info_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 kernel_t:system ipc_info;
|
||||
')
|
||||
|
||||
|
|
@ -357,10 +357,10 @@ class system ipc_info;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_get_selinuxfs_mount_point(domain,[`optional'])
|
||||
# kernel_get_selinuxfs_mount_point(domain)
|
||||
#
|
||||
define(`kernel_get_selinuxfs_mount_point',`
|
||||
requires_block_template(kernel_get_selinuxfs_mount_point_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 proc_t:lnk_file read;
|
||||
allow $1 self:dir search;
|
||||
|
|
@ -376,10 +376,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_system_state(domain,[`optional'])
|
||||
# kernel_read_system_state(domain)
|
||||
#
|
||||
define(`kernel_read_system_state',`
|
||||
requires_block_template(kernel_read_system_state_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir { getattr search read };
|
||||
allow $1 proc_t:{ lnk_file file } { getattr read };
|
||||
')
|
||||
|
|
@ -396,7 +396,7 @@ class file { getattr read };
|
|||
# kernel_ignore_read_system_state(domain)
|
||||
#
|
||||
define(`kernel_ignore_read_system_state',`
|
||||
requires_block_template(kernel_ignore_read_system_state_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:file read;
|
||||
')
|
||||
|
||||
|
|
@ -407,10 +407,10 @@ class file read;
|
|||
|
||||
#######################################
|
||||
#
|
||||
# kernel_read_software_raid_state(domain,[`optional'])
|
||||
# kernel_read_software_raid_state(domain)
|
||||
#
|
||||
define(`kernel_read_software_raid_state',`
|
||||
requires_block_template(kernel_read_software_raid_state_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir { getattr search read };
|
||||
allow $1 proc_mdstat_t:file { getattr read };
|
||||
')
|
||||
|
|
@ -423,10 +423,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_get_core_interface_attributes(domain,[`optional'])
|
||||
# kernel_get_core_interface_attributes(domain)
|
||||
#
|
||||
define(`kernel_get_core_interface_attributes',`
|
||||
requires_block_template(kernel_get_core_interface_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir { getattr search read };
|
||||
allow $1 proc_kcore_t:file getattr;
|
||||
')
|
||||
|
|
@ -439,10 +439,10 @@ class file getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_messages(domain,[`optional'])
|
||||
# kernel_read_messages(domain)
|
||||
#
|
||||
define(`kernel_read_messages',`
|
||||
requires_block_template(kernel_read_messages_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 proc_kmsg_t:file { getattr read };
|
||||
typeattribute $1 can_receive_kernel_messages;
|
||||
|
|
@ -457,10 +457,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_get_message_interface_attributes(domain,[`optional'])
|
||||
# kernel_get_message_interface_attributes(domain)
|
||||
#
|
||||
define(`kernel_get_message_interface_attributes',`
|
||||
requires_block_template(kernel_get_message_interface_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 proc_kmsg_t:file getattr;
|
||||
')
|
||||
|
|
@ -476,7 +476,7 @@ class file getattr;
|
|||
# kernel_ignore_get_message_interface_attributes(domain)
|
||||
#
|
||||
define(`kernel_ignore_get_message_interface_attributes',`
|
||||
requires_block_template(kernel_ignore_get_message_interface_attributes_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 proc_kmsg_t:file getattr;
|
||||
')
|
||||
|
||||
|
|
@ -487,10 +487,10 @@ class file getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_network_state(domain,[`optional'])
|
||||
# kernel_read_network_state(domain)
|
||||
#
|
||||
define(`kernel_read_network_state',`
|
||||
requires_block_template(kernel_read_network_state_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 proc_net_t:dir { getattr search read };
|
||||
allow $1 proc_net_t:file { getattr read };
|
||||
|
|
@ -504,10 +504,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_device_sysctl(domain,[`optional'])
|
||||
# kernel_read_device_sysctl(domain)
|
||||
#
|
||||
define(`kernel_read_device_sysctl',`
|
||||
requires_block_template(kernel_read_device_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_dev_t:dir { getattr search read };
|
||||
|
|
@ -522,10 +522,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_device_sysctl(domain,[`optional'])
|
||||
# kernel_modify_device_sysctl(domain)
|
||||
#
|
||||
define(`kernel_modify_device_sysctl',`
|
||||
requires_block_template(kernel_modify_device_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_dev_t:file { getattr read write };
|
||||
|
|
@ -539,10 +539,10 @@ class file { getattr read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_virtual_memory_sysctl(domain,[`optional'])
|
||||
# kernel_read_virtual_memory_sysctl(domain)
|
||||
#
|
||||
define(`kernel_read_virtual_memory_sysctl',`
|
||||
requires_block_template(kernel_read_virtual_memory_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_vm_t:file { getattr read };
|
||||
|
|
@ -556,10 +556,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_virtual_memory_sysctl(domain,[`optional'])
|
||||
# kernel_modify_virtual_memory_sysctl(domain)
|
||||
#
|
||||
define(`kernel_modify_virtual_memory_sysctl',`
|
||||
requires_block_template(kernel_modify_virtual_memory_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_vm_t:file { getattr read write };
|
||||
|
|
@ -573,10 +573,10 @@ class file { getattr read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_network_sysctl(domain,[`optional'])
|
||||
# kernel_read_network_sysctl(domain)
|
||||
#
|
||||
define(`kernel_read_network_sysctl',`
|
||||
requires_block_template(kernel_read_network_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_net_t:dir { getattr search read };
|
||||
|
|
@ -591,10 +591,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_network_sysctl(domain,[`optional'])
|
||||
# kernel_modify_network_sysctl(domain)
|
||||
#
|
||||
define(`kernel_modify_network_sysctl',`
|
||||
requires_block_template(kernel_modify_network_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_net_t:dir { getattr search read };
|
||||
|
|
@ -609,10 +609,10 @@ class file { getattr read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_unix_sysctl(domain,[`optional'])
|
||||
# kernel_read_unix_sysctl(domain)
|
||||
#
|
||||
define(`kernel_read_unix_sysctl',`
|
||||
requires_block_template(kernel_read_unix_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_net_t:dir { getattr search read };
|
||||
|
|
@ -627,10 +627,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_unix_sysctl(domain,[`optional'])
|
||||
# kernel_modify_unix_sysctl(domain)
|
||||
#
|
||||
define(`kernel_modify_unix_sysctl',`
|
||||
requires_block_template(kernel_modify_unix_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_net_t:dir { getattr search read };
|
||||
|
|
@ -645,10 +645,10 @@ class file { getattr read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_hotplug_sysctl(domain,[`optional'])
|
||||
# kernel_read_hotplug_sysctl(domain)
|
||||
#
|
||||
define(`kernel_read_hotplug_sysctl',`
|
||||
requires_block_template(kernel_read_hotplug_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_kernel_t:dir { getattr search read };
|
||||
|
|
@ -663,10 +663,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_hotplug_sysctl(domain,[`optional'])
|
||||
# kernel_modify_hotplug_sysctl(domain)
|
||||
#
|
||||
define(`kernel_modify_hotplug_sysctl',`
|
||||
requires_block_template(kernel_modify_hotplug_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_kernel_t:dir { getattr search read };
|
||||
|
|
@ -681,10 +681,10 @@ class file { getattr read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_modprobe_sysctl(domain,[`optional'])
|
||||
# kernel_read_modprobe_sysctl(domain)
|
||||
#
|
||||
define(`kernel_read_modprobe_sysctl',`
|
||||
requires_block_template(kernel_read_modprobe_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_kernel_t:dir { getattr search read };
|
||||
|
|
@ -699,10 +699,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_modprobe_sysctl(domain,[`optional'])
|
||||
# kernel_modify_modprobe_sysctl(domain)
|
||||
#
|
||||
define(`kernel_modify_modprobe_sysctl',`
|
||||
requires_block_template(kernel_modify_modprobe_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_kernel_t:dir { getattr search read };
|
||||
|
|
@ -717,10 +717,10 @@ class file { getattr read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_kernel_sysctl(domain,[`optional'])
|
||||
# kernel_read_kernel_sysctl(domain)
|
||||
#
|
||||
define(`kernel_read_kernel_sysctl',`
|
||||
requires_block_template(kernel_read_kernel_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_kernel_t:dir { getattr search read };
|
||||
|
|
@ -735,10 +735,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_kernel_sysctl(domain,[`optional'])
|
||||
# kernel_modify_kernel_sysctl(domain)
|
||||
#
|
||||
define(`kernel_modify_kernel_sysctl',`
|
||||
requires_block_template(kernel_modify_kernel_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_kernel_t:dir { getattr search read };
|
||||
|
|
@ -753,10 +753,10 @@ class file { getattr read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_filesystem_sysctl(domain,[`optional'])
|
||||
# kernel_read_filesystem_sysctl(domain)
|
||||
#
|
||||
define(`kernel_read_filesystem_sysctl',`
|
||||
requires_block_template(kernel_read_filesystem_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_fs_t:dir { getattr search read };
|
||||
|
|
@ -771,10 +771,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_filesystem_sysctl(domain,[`optional'])
|
||||
# kernel_modify_filesystem_sysctl(domain)
|
||||
#
|
||||
define(`kernel_modify_filesystem_sysctl',`
|
||||
requires_block_template(kernel_modify_filesystem_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_t:dir { getattr search read };
|
||||
allow $1 sysctl_fs_t:dir { getattr search read };
|
||||
|
|
@ -789,10 +789,10 @@ class file { getattr read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_irq_sysctl(domain,[`optional'])
|
||||
# kernel_read_irq_sysctl(domain)
|
||||
#
|
||||
define(`kernel_read_irq_sysctl',`
|
||||
requires_block_template(kernel_read_irq_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_irq_t:dir { getattr search read };
|
||||
allow $1 sysctl_irq_t:file { getattr read };
|
||||
|
|
@ -806,10 +806,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_irq_sysctl(domain,[`optional'])
|
||||
# kernel_modify_irq_sysctl(domain)
|
||||
#
|
||||
define(`kernel_modify_irq_sysctl',`
|
||||
requires_block_template(kernel_modify_irq_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 sysctl_irq_t:dir { getattr search read };
|
||||
allow $1 sysctl_irq_t:file { getattr read write };
|
||||
|
|
@ -823,10 +823,10 @@ class file { getattr read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_rpc_sysctl(domain,[`optional'])
|
||||
# kernel_read_rpc_sysctl(domain)
|
||||
#
|
||||
define(`kernel_read_rpc_sysctl',`
|
||||
requires_block_template(kernel_read_rpc_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 proc_net_t:dir search;
|
||||
allow $1 sysctl_rpc_t:dir { getattr search read };
|
||||
|
|
@ -841,10 +841,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_rpc_sysctl(domain,[`optional'])
|
||||
# kernel_modify_rpc_sysctl(domain)
|
||||
#
|
||||
define(`kernel_modify_rpc_sysctl',`
|
||||
requires_block_template(kernel_modify_rpc_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 proc_net_t:dir search;
|
||||
allow $1 sysctl_rpc_t:dir { getattr search read };
|
||||
|
|
@ -859,10 +859,10 @@ class file { getattr read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_all_sysctl(domain,[`optional'])
|
||||
# kernel_read_all_sysctl(domain)
|
||||
#
|
||||
define(`kernel_read_all_sysctl',`
|
||||
requires_block_template(kernel_read_all_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
kernel_read_device_sysctl($1,optional)
|
||||
kernel_read_virtual_memory_sysctl($1,optional)
|
||||
kernel_read_network_sysctl($1,optional)
|
||||
|
|
@ -890,10 +890,10 @@ kernel_read_rpc_sysctl_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_all_sysctl(domain,[`optional'])
|
||||
# kernel_modify_all_sysctl(domain)
|
||||
#
|
||||
define(`kernel_modify_all_sysctl',`
|
||||
requires_block_template(kernel_modify_all_sysctl_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
kernel_modify_device_sysctl($1,optional)
|
||||
kernel_modify_virtual_memory_sysctl($1,optional)
|
||||
kernel_modify_network_sysctl($1,optional)
|
||||
|
|
@ -921,10 +921,10 @@ kernel_modify_rpc_sysctl_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_hardware_state(domain,[`optional'])
|
||||
# kernel_read_hardware_state(domain)
|
||||
#
|
||||
define(`kernel_read_hardware_state',`
|
||||
requires_block_template(kernel_read_hardware_state_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 sysfs_t:dir { getattr search read };
|
||||
allow $1 sysfs_t:{ file lnk_file } { getattr read };
|
||||
')
|
||||
|
|
@ -938,10 +938,10 @@ class lnk_file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_hardware_config_option(domain,[`optional'])
|
||||
# kernel_modify_hardware_config_option(domain)
|
||||
#
|
||||
define(`kernel_modify_hardware_config_option',`
|
||||
requires_block_template(kernel_modify_hardware_config_option_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 sysfs_t:dir { getattr search read };
|
||||
allow $1 sysfs_t:lnk_file { getattr read };
|
||||
allow $1 sysfs_t:file { getattr read write };
|
||||
|
|
@ -956,10 +956,10 @@ class lnk_file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_list_usb_hardware(domain,[`optional'])
|
||||
# kernel_list_usb_hardware(domain)
|
||||
#
|
||||
define(`kernel_list_usb_hardware',`
|
||||
requires_block_template(kernel_list_usb_hardware_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 usbfs_t:dir { getattr search read };
|
||||
allow $1 usbfs_t:lnk_file { getattr read };
|
||||
allow $1 usbfs_t:file getattr;
|
||||
|
|
@ -974,10 +974,10 @@ class lnk_file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_usb_hardware_state(domain,[`optional'])
|
||||
# kernel_read_usb_hardware_state(domain)
|
||||
#
|
||||
define(`kernel_read_usb_hardware_state',`
|
||||
requires_block_template(kernel_read_usb_hardware_state_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 usbfs_t:dir { getattr search read };
|
||||
allow $1 usbfs_t:{ file lnk_file } { getattr read };
|
||||
')
|
||||
|
|
@ -991,10 +991,10 @@ class lnk_file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_modify_usb_hardware_config_option(domain,[`optional'])
|
||||
# kernel_modify_usb_hardware_config_option(domain)
|
||||
#
|
||||
define(`kernel_modify_usb_hardware_config_option',`
|
||||
requires_block_template(kernel_modify_usb_hardware_config_option_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 usbfs_t:dir { getattr search read };
|
||||
allow $1 usbfs_t:lnk_file { getattr read };
|
||||
allow $1 usbfs_t:file { getattr read write };
|
||||
|
|
@ -1018,10 +1018,10 @@ class lnk_file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_transition_from(domain,entrypoint,[`optional'])
|
||||
# kernel_transition_from(domain,entrypoint)
|
||||
#
|
||||
define(`kernel_transition_from',`
|
||||
requires_block_template(kernel_transition_from_depend,$3)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow kernel_t $2:file { getattr read execute };
|
||||
allow kernel_t $1:process transition;
|
||||
type_transition kernel_t $2:process $1;
|
||||
|
|
@ -1036,10 +1036,10 @@ class process transition;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_sigchld_from(domain,[`optional'])
|
||||
# kernel_sigchld_from(domain)
|
||||
#
|
||||
define(`kernel_sigchld_from',`
|
||||
requires_block_template(kernel_sigchld_from_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow kernel_t $1:process sigchld;
|
||||
')
|
||||
|
||||
|
|
@ -1050,10 +1050,10 @@ class process sigchld;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_unlabeled_sigchld_from(domain,[`optional'])
|
||||
# kernel_unlabeled_sigchld_from(domain)
|
||||
#
|
||||
define(`kernel_unlabeled_sigchld_from',`
|
||||
requires_block_template(kernel_unlabeled_sigchld_from_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow unlabeled_t $1:process sigchld;
|
||||
')
|
||||
|
||||
|
|
@ -1064,10 +1064,10 @@ class process sigchld;
|
|||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_directory_from(domain,[`optional'])
|
||||
# kernel_read_directory_from(domain)
|
||||
#
|
||||
define(`kernel_read_directory_from',`
|
||||
requires_block_template(kernel_read_directory_from_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow kernel_t $1:dir { getattr search read };
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_raw_read_fixed_disk(domain,[`optional'])
|
||||
# storage_raw_read_fixed_disk(domain)
|
||||
#
|
||||
define(`storage_raw_read_fixed_disk',`
|
||||
requires_block_template(storage_raw_read_fixed_disk_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 fixed_disk_raw_read;
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 fixed_disk_device_t:blk_file { getattr read ioctl };
|
||||
|
|
@ -20,10 +20,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_raw_write_fixed_disk(domain,[`optional'])
|
||||
# storage_raw_write_fixed_disk(domain)
|
||||
#
|
||||
define(`storage_raw_write_fixed_disk',`
|
||||
requires_block_template(storage_raw_write_fixed_disk_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 fixed_disk_raw_write;
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
|
||||
|
|
@ -38,10 +38,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_get_fixed_disk_attributes(domain,[`optional'])
|
||||
# storage_get_fixed_disk_attributes(domain)
|
||||
#
|
||||
define(`storage_get_fixed_disk_attributes',`
|
||||
requires_block_template(storage_get_fixed_disk_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 fixed_disk_device_t:blk_file getattr;
|
||||
')
|
||||
|
|
@ -54,10 +54,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_set_fixed_disk_attributes(domain,[`optional'])
|
||||
# storage_set_fixed_disk_attributes(domain)
|
||||
#
|
||||
define(`storage_set_fixed_disk_attributes',`
|
||||
requires_block_template(storage_set_fixed_disk_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 fixed_disk_device_t:blk_file setattr;
|
||||
')
|
||||
|
|
@ -70,10 +70,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_read_scsi_generic(domain,[`optional'])
|
||||
# storage_read_scsi_generic(domain)
|
||||
#
|
||||
define(`storage_read_scsi_generic',`
|
||||
requires_block_template(storage_read_scsi_generic_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 scsi_generic_read;
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 scsi_generic_device_t:blk_file { getattr read ioctl };
|
||||
|
|
@ -88,10 +88,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_write_scsi_generic(domain,[`optional'])
|
||||
# storage_write_scsi_generic(domain)
|
||||
#
|
||||
define(`storage_write_scsi_generic',`
|
||||
requires_block_template(storage_write_scsi_generic_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 scsi_generic_write;
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
|
||||
|
|
@ -106,10 +106,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_get_scsi_generic_attributes(domain,[`optional'])
|
||||
# storage_get_scsi_generic_attributes(domain)
|
||||
#
|
||||
define(`storage_get_scsi_generic_attributes',`
|
||||
requires_block_template(storage_get_scsi_generic_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 scsi_generic_device_t:blk_file getattr;
|
||||
')
|
||||
|
|
@ -122,10 +122,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_set_scsi_generic_attributes(domain,[`optional'])
|
||||
# storage_set_scsi_generic_attributes(domain)
|
||||
#
|
||||
define(`storage_set_scsi_generic_attributes',`
|
||||
requires_block_template(storage_set_scsi_generic_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 scsi_generic_device_t:blk_file setattr;
|
||||
')
|
||||
|
|
@ -138,10 +138,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_raw_read_removable_device(domain,[`optional'])
|
||||
# storage_raw_read_removable_device(domain)
|
||||
#
|
||||
define(`storage_raw_read_removable_device',`
|
||||
requires_block_template(storage_raw_read_removable_device_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 removable_device_t:blk_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -154,10 +154,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_raw_write_removable_device(domain,[`optional'])
|
||||
# storage_raw_write_removable_device(domain)
|
||||
#
|
||||
define(`storage_raw_write_removable_device',`
|
||||
requires_block_template(storage_raw_write_removable_device_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 removable_device_t:blk_file { getattr write ioctl };
|
||||
')
|
||||
|
|
@ -170,10 +170,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_get_removable_device_attributes(domain,[`optional'])
|
||||
# storage_get_removable_device_attributes(domain)
|
||||
#
|
||||
define(`storage_get_removable_device_attributes',`
|
||||
requires_block_template(storage_get_removable_device_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 removable_device_t:blk_file getattr;
|
||||
')
|
||||
|
|
@ -186,10 +186,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_set_removable_device_attributes(domain,[`optional'])
|
||||
# storage_set_removable_device_attributes(domain)
|
||||
#
|
||||
define(`storage_set_removable_device_attributes',`
|
||||
requires_block_template(storage_set_removable_device_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 removable_device_t:blk_file setattr;
|
||||
')
|
||||
|
|
@ -202,10 +202,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_read_tape_device(domain,[`optional'])
|
||||
# storage_read_tape_device(domain)
|
||||
#
|
||||
define(`storage_read_tape_device',`
|
||||
requires_block_template(storage_read_tape_device_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 tape_device_t:blk_file { getattr read ioctl };
|
||||
')
|
||||
|
|
@ -218,10 +218,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_write_tape_device(domain,[`optional'])
|
||||
# storage_write_tape_device(domain)
|
||||
#
|
||||
define(`storage_write_tape_device',`
|
||||
requires_block_template(storage_write_tape_device_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 tape_device_t:blk_file { getattr write ioctl };
|
||||
')
|
||||
|
|
@ -234,10 +234,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_get_tape_device_attributes(domain,[`optional'])
|
||||
# storage_get_tape_device_attributes(domain)
|
||||
#
|
||||
define(`storage_get_tape_device_attributes',`
|
||||
requires_block_template(storage_get_tape_device_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 tape_device_t:blk_file getattr;
|
||||
')
|
||||
|
|
@ -250,10 +250,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# storage_set_tape_device_attributes(domain,[`optional'])
|
||||
# storage_set_tape_device_attributes(domain)
|
||||
#
|
||||
define(`storage_set_tape_device_attributes',`
|
||||
requires_block_template(storage_set_tape_device_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 tape_device_t:blk_file setattr;
|
||||
')
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
########################################
|
||||
#
|
||||
# terminal_make_pseudoterminal(domain,ptytype,[`optional'])
|
||||
# terminal_make_pseudoterminal(domain,ptytype)
|
||||
#
|
||||
define(`terminal_make_pseudoterminal',`
|
||||
requires_block_template(terminal_make_pseudoterminal_depend,$3)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 ptmx_t:chr_file { getattr read write };
|
||||
allow $1 devpts_t:dir { getattr search read };
|
||||
|
|
@ -30,7 +30,7 @@ devices_list_device_nodes_depend
|
|||
# terminal_use_all_terminals(domain)
|
||||
#
|
||||
define(`terminal_use_all_terminals',`
|
||||
requires_block_template(terminal_use_all_terminals_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 devpts_t:dir { getattr search read };
|
||||
allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { read write };
|
||||
|
|
@ -48,7 +48,7 @@ class chr_file { read write };
|
|||
# terminal_get_all_users_physical_terminal_attributes(domain)
|
||||
#
|
||||
define(`terminal_get_all_users_physical_terminal_attributes',`
|
||||
requires_block_template(terminal_get_all_users_physical_terminal_attributes_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 ttynode:chr_file getattr;
|
||||
')
|
||||
|
|
@ -63,7 +63,7 @@ class chr_file getattr;
|
|||
# terminal_use_all_users_physical_terminals(domain)
|
||||
#
|
||||
define(`terminal_use_all_users_physical_terminals',`
|
||||
requires_block_template(terminal_use_all_users_physical_terminals_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 ttynode:chr_file { read write };
|
||||
')
|
||||
|
|
@ -78,7 +78,7 @@ class chr_file { read write };
|
|||
# terminal_ignore_use_all_users_physical_terminals(domain)
|
||||
#
|
||||
define(`terminal_ignore_use_all_users_physical_terminals',`
|
||||
requires_block_template(terminal_ignore_use_all_users_physical_terminals_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 ttynode:chr_file { read write };
|
||||
')
|
||||
|
||||
|
|
@ -92,7 +92,7 @@ class chr_file { read write };
|
|||
# terminal_get_all_users_pseudoterminal_attributes(domain)
|
||||
#
|
||||
define(`terminal_get_all_users_pseudoterminal_attributes',`
|
||||
requires_block_template(terminal_get_all_users_pseudoterminal_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 devpts_t:dir { getattr search read };
|
||||
allow $1 ptynode:chr_file getattr;
|
||||
|
|
@ -109,7 +109,7 @@ class chr_file getattr;
|
|||
# terminal_use_all_users_pseudoterminals(domain)
|
||||
#
|
||||
define(`terminal_use_all_users_pseudoterminals',`
|
||||
requires_block_template(terminal_use_all_users_pseudoterminals_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 devpts_t:dir { getattr read search };
|
||||
allow $1 ptynode:chr_file { read write };
|
||||
|
|
@ -126,7 +126,7 @@ class chr_file { read write };
|
|||
# terminal_ignore_use_all_users_pseudoterminals(domain)
|
||||
#
|
||||
define(`terminal_ignore_use_all_users_pseudoterminals',`
|
||||
requires_block_template(terminal_ignore_use_all_users_pseudoterminals_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 ptynode:chr_file { read write };
|
||||
')
|
||||
|
||||
|
|
@ -137,10 +137,10 @@ class chr_file { read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# terminal_use_console(domain,[`optional'])
|
||||
# terminal_use_console(domain)
|
||||
#
|
||||
define(`terminal_use_console',`
|
||||
requires_block_template(terminal_use_console_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 console_device_t:chr_file { read write };
|
||||
')
|
||||
|
|
@ -153,10 +153,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# terminal_ignore_use_console(domain,[`optional'])
|
||||
# terminal_ignore_use_console(domain)
|
||||
#
|
||||
define(`terminal_ignore_use_console',`
|
||||
requires_block_template(terminal_ignore_use_console_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 console_device_t:chr_file { read write };
|
||||
')
|
||||
|
||||
|
|
@ -167,10 +167,10 @@ class chr_file { read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# terminal_set_console_attributes(domain,[`optional'])
|
||||
# terminal_set_console_attributes(domain)
|
||||
#
|
||||
define(`terminal_set_console_attributes',`
|
||||
requires_block_template(terminal_set_console_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 console_device_t:chr_file setattr;
|
||||
')
|
||||
|
|
@ -183,10 +183,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# terminal_use_controlling_terminal(domain,[`optional'])
|
||||
# terminal_use_controlling_terminal(domain)
|
||||
#
|
||||
define(`terminal_use_controlling_terminal',`
|
||||
requires_block_template(terminal_use_controlling_terminal_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 devtty_t:chr_file { read write };
|
||||
')
|
||||
|
|
@ -202,7 +202,7 @@ devices_list_device_nodes_depend
|
|||
# terminal_reset_physical_terminal_labels(domain)
|
||||
#
|
||||
define(`terminal_reset_physical_terminal_labels',`
|
||||
requires_block_template(terminal_reset_physical_terminal_labels_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 ttynode:chr_file relabelfrom;
|
||||
allow $1 tty_device_t:chr_file relabelto;
|
||||
|
|
@ -220,7 +220,7 @@ devices_list_device_nodes_depend
|
|||
# terminal_use_general_physical_terminal(domain)
|
||||
#
|
||||
define(`terminal_use_general_physical_terminal',`
|
||||
requires_block_template(terminal_use_general_physical_terminal_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 tty_device_t:chr_file { read write };
|
||||
')
|
||||
|
|
@ -235,7 +235,7 @@ class chr_file { read write };
|
|||
# terminal_ignore_use_general_physical_terminal(domain)
|
||||
#
|
||||
define(`terminal_ignore_use_general_physical_terminal',`
|
||||
requires_block_template(terminal_ignore_use_general_physical_terminal_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 tty_device_t:chr_file { read write };
|
||||
')
|
||||
|
||||
|
|
@ -246,10 +246,10 @@ class chr_file { read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# terminal_list_pseudoterminals(domain,[`optional'])
|
||||
# terminal_list_pseudoterminals(domain)
|
||||
#
|
||||
define(`terminal_list_pseudoterminals',`
|
||||
requires_block_template(terminal_list_pseudoterminals_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 devpts_t:dir { getattr search read };
|
||||
')
|
||||
|
|
@ -262,10 +262,10 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# terminal_ignore_list_pseudoterminals(domain,[`optional'])
|
||||
# terminal_ignore_list_pseudoterminals(domain)
|
||||
#
|
||||
define(`terminal_ignore_list_pseudoterminals',`
|
||||
requires_block_template(terminal_ignore_list_pseudoterminals_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 devpts_t:dir { getattr search read };
|
||||
')
|
||||
|
||||
|
|
@ -279,7 +279,7 @@ class dir { getattr search read };
|
|||
# terminal_use_general_pseudoterminal(domain)
|
||||
#
|
||||
define(`terminal_use_general_pseudoterminal',`
|
||||
requires_block_template(terminal_use_general_pseudoterminal_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 devpts_t:chr_file { read write };
|
||||
')
|
||||
|
|
@ -294,7 +294,7 @@ class chr_file { read write };
|
|||
# terminal_ignore_use_general_pseudoterminal(domain)
|
||||
#
|
||||
define(`terminal_ignore_use_general_pseudoterminal',`
|
||||
requires_block_template(terminal_ignore_use_general_pseudoterminal_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 devpts_t:chr_file { read write };
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@
|
|||
# mta_per_userdomain_template(userdomain_prefix)
|
||||
#
|
||||
define(`mta_per_userdomain_template',`
|
||||
requires_block_template(mta_per_userdomain_template_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
type $1_mail_t;
|
||||
domain_make_domain($1_mail_t)
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@
|
|||
# authlogin_per_userdomain_template(userdomain_prefix)
|
||||
#
|
||||
define(`authlogin_per_userdomain_template',`
|
||||
requires_block_template(authlogin_per_userdomain_template_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
type $1_chkpwd_t; # , nscd_client_domain;
|
||||
domain_make_domain($1_chkpwd_t)
|
||||
|
|
@ -79,7 +79,7 @@ class unix_dgram_socket { create read getattr write setattr append bind connect
|
|||
# authlogin_make_login_program_entrypoint(domain)
|
||||
#
|
||||
define(`authlogin_make_login_program_entrypoint',`
|
||||
requires_block_template(authlogin_make_login_program_entrypoint_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
domain_make_entrypoint_file($1,login_exec_t)
|
||||
')
|
||||
|
||||
|
|
@ -93,7 +93,7 @@ domain_make_entrypoint_file_depend
|
|||
# authlogin_check_password_transition(domain)
|
||||
#
|
||||
define(`authlogin_check_password_transition',`
|
||||
requires_block_template(authlogin_check_password_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 chkpwd_exec_t:file { getattr read execute };
|
||||
allow $1 system_chkpwd_t:process transition;
|
||||
dontaudit $1 shadow_t:file { getattr read };
|
||||
|
|
@ -115,7 +115,7 @@ class process transition;
|
|||
# authlogin_modify_login_records(domain)
|
||||
#
|
||||
define(`authlogin_modify_login_records',`
|
||||
requires_block_template(authlogin_modify_login_records_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
# FIXME: search var_log_t
|
||||
allow $1 wtmp_t:file { getattr read write setattr };
|
||||
|
|
@ -131,7 +131,7 @@ class file { getattr read write setattr };
|
|||
# authlogin_read_shadow_passwords(domain)
|
||||
#
|
||||
define(`authlogin_read_shadow_passwords',`
|
||||
requires_block_template(authlogin_read_shadow_passwords_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
# FIXME: read etc_t dir
|
||||
allow $1 shadow_t:file { getattr read };
|
||||
typeattribute $1 can_read_shadow_passwords;
|
||||
|
|
@ -148,7 +148,7 @@ class file { getattr read };
|
|||
# authlogin_ignore_read_shadow_passwords(domain)
|
||||
#
|
||||
define(`authlogin_ignore_read_shadow_passwords',`
|
||||
requires_block_template(authlogin_ignore_read_shadow_passwords_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 shadow_t:file { getattr read };
|
||||
')
|
||||
|
||||
|
|
@ -162,7 +162,7 @@ class file { getattr read };
|
|||
# authlogin_modify_shadow_passwords(domain)
|
||||
#
|
||||
define(`authlogin_modify_shadow_passwords',`
|
||||
requires_block_template(authlogin_modify_shadow_passwords_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
# FIXME: read etc_t dir
|
||||
allow $1 shadow_t:file { getattr read write };
|
||||
typeattribute $1 can_read_shadow_passwords;
|
||||
|
|
@ -181,7 +181,7 @@ class file { getattr read write };
|
|||
# authlogin_modify_last_login_log(domain)
|
||||
#
|
||||
define(`authlogin_modify_last_login_log',`
|
||||
requires_block_template(authlogin_modify_last_login_log_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 lastlog_t:file { getattr read write setattr };
|
||||
')
|
||||
|
||||
|
|
@ -195,7 +195,7 @@ class file { getattr read write setattr };
|
|||
# authlogin_pam_read_runtime_data(domain)
|
||||
#
|
||||
define(`authlogin_pam_read_runtime_data',`
|
||||
requires_block_template(authlogin_pam_read_runtime_data_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
files_search_runtime_data_directory($1)
|
||||
allow $1 pam_var_run_t:dir { getattr search read };
|
||||
|
|
@ -213,7 +213,7 @@ class file { getattr read };
|
|||
# authlogin_pam_remove_runtime_data(domain)
|
||||
#
|
||||
define(`authlogin_pam_remove_runtime_data',`
|
||||
requires_block_template(authlogin_pam_remove_runtime_data_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
files_search_runtime_data_directory($1)
|
||||
allow $1 pam_var_run_t:dir { getattr search read write remove_name };
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
#######################################
|
||||
#
|
||||
# corecommands_make_shell_entrypoint(type,[`optional'])
|
||||
# corecommands_make_shell_entrypoint(type)
|
||||
#
|
||||
define(`corecommands_make_shell_entrypoint',`
|
||||
requires_block_template(corecommands_make_shell_entrypoint_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
domain_make_entrypoint_file($1,shell_exec_t)
|
||||
')
|
||||
|
||||
|
|
@ -16,10 +16,10 @@ domain_make_entrypoint_file_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# corecommands_execute_general_programs(domain,[`optional']
|
||||
# corecommands_execute_general_programs(domain
|
||||
#
|
||||
define(`corecommands_execute_general_programs',`
|
||||
requires_block_template(corecommands_execute_general_programs_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 bin_t:dir { getattr search read };
|
||||
allow $1 bin_t:lnk_file { getattr read };
|
||||
allow $1 bin_t:file { getattr read execute execute_no_trans };
|
||||
|
|
@ -34,10 +34,10 @@ class file { getattr read execute execute_no_trans };
|
|||
|
||||
########################################
|
||||
#
|
||||
# corecommands_execute_system_programs(domain,[`optional']
|
||||
# corecommands_execute_system_programs(domain
|
||||
#
|
||||
define(`corecommands_execute_system_programs',`
|
||||
requires_block_template(corecommands_execute_system_programs_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 sbin_t:dir { getattr search read };
|
||||
allow $1 sbin_t:lnk_file { getattr read };
|
||||
allow $1 sbin_t:file { getattr read execute execute_no_trans };
|
||||
|
|
@ -52,10 +52,10 @@ class file { getattr read execute execute_no_trans };
|
|||
|
||||
########################################
|
||||
#
|
||||
# corecommands_execute_shell(domain,[`optional']
|
||||
# corecommands_execute_shell(domain
|
||||
#
|
||||
define(`corecommands_execute_shell',`
|
||||
requires_block_template(corecommands_execute_shell_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 bin_t:dir { getattr search read };
|
||||
allow $1 bin_t:lnk_file { getattr read };
|
||||
allow $1 shell_exec_t:file { getattr read execute execute_no_trans };
|
||||
|
|
@ -70,10 +70,10 @@ class file { getattr read execute execute_no_trans };
|
|||
|
||||
########################################
|
||||
#
|
||||
# corecommands_chroot(domain,[`optional']
|
||||
# corecommands_chroot(domain
|
||||
#
|
||||
define(`corecommands_chroot',`
|
||||
requires_block_template(corecommands_chroot_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
|
||||
# could go to a generic chroot priv:
|
||||
allow $1 self:capability sys_chroot;
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_make_base_domain(domain,[`optional'])
|
||||
# domain_make_base_domain(domain)
|
||||
#
|
||||
define(`domain_make_base_domain',`
|
||||
requires_block_template(domain_make_base_domain_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
# mark as a domain
|
||||
typeattribute $1 domain;
|
||||
|
|
@ -27,10 +27,10 @@ class lnk_file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_make_domain(domain,[`optional'])
|
||||
# domain_make_domain(domain)
|
||||
#
|
||||
define(`domain_make_domain',`
|
||||
requires_block_template(domain_make_domain_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
domain_make_base_domain($1,optional)
|
||||
|
||||
|
|
@ -46,10 +46,10 @@ init_send_sigchld_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_make_entrypoint_file(domain,entrypointfile,[`optional'])
|
||||
# domain_make_entrypoint_file(domain,entrypointfile)
|
||||
#
|
||||
define(`domain_make_entrypoint_file',`
|
||||
requires_block_template(domain_make_entrypoint_file_depend,$3)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 $2:file entrypoint;
|
||||
files_make_file($2,$3)
|
||||
typeattribute $1 entry_type;
|
||||
|
|
@ -62,10 +62,10 @@ class file entrypoint;
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_make_init_domain(domain,entrypointfile,[`optional'])
|
||||
# domain_make_init_domain(domain,entrypointfile)
|
||||
#
|
||||
define(`domain_make_init_domain',`
|
||||
requires_block_template(domain_make_init_domain_depend,$3)
|
||||
requires_block_template(`$0'_depend)
|
||||
domain_make_domain($1,optional)
|
||||
domain_make_entrypoint_file($1,$2,optional)
|
||||
typeattribute $1 init_domain;
|
||||
|
|
@ -82,10 +82,10 @@ domain_make_entrypoint_file_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_make_daemon_domain(domain,entrypointfile,[`optional'])
|
||||
# domain_make_daemon_domain(domain,entrypointfile)
|
||||
#
|
||||
define(`domain_make_daemon_domain',`
|
||||
requires_block_template(domain_make_daemon_domain_depend,$3)
|
||||
requires_block_template(`$0'_depend)
|
||||
domain_make_domain($1,optional)
|
||||
domain_make_entrypoint_file($1,$2,optional)
|
||||
typeattribute $1 daemon_domain;
|
||||
|
|
@ -102,10 +102,10 @@ domain_make_entrypoint_file_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_make_file_descriptors_widely_inheritable(domain,[`optional'])
|
||||
# domain_make_file_descriptors_widely_inheritable(domain)
|
||||
#
|
||||
define(`domain_make_file_descriptors_widely_inheritable',`
|
||||
requires_block_template(domain_make_file_descriptors_widely_inheritable_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 privfd;
|
||||
')
|
||||
|
||||
|
|
@ -115,10 +115,10 @@ attribute privfd;
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_use_widely_inheritable_file_descriptors(domain,[`optional'])
|
||||
# domain_use_widely_inheritable_file_descriptors(domain)
|
||||
#
|
||||
define(`domain_use_widely_inheritable_file_descriptors',`
|
||||
requires_block_template(domain_use_widely_inheritable_file_descriptors_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 privfd:fd use;
|
||||
')
|
||||
|
||||
|
|
@ -129,10 +129,10 @@ class fd use;
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_ignore_use_widely_inheritable_file_descriptors(domain,[`optional'])
|
||||
# domain_ignore_use_widely_inheritable_file_descriptors(domain)
|
||||
#
|
||||
define(`domain_ignore_use_widely_inheritable_file_descriptors',`
|
||||
requires_block_template(domain_ignore_use_widely_inheritable_file_descriptors_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 privfd:fd use;
|
||||
')
|
||||
|
||||
|
|
@ -143,10 +143,10 @@ class fd use;
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_all_init_domains_transition(domain,[`optional'])
|
||||
# domain_all_init_domains_transition(domain)
|
||||
#
|
||||
define(`domain_all_init_domains_transition',`
|
||||
requires_block_template(domain_all_init_domains_transition_depend,$3)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 init_domain:process transition;
|
||||
allow $1 init_domain_entry:file { getattr read execute };
|
||||
dontaudit $1 daemon_domain:process { noatsecure siginh rlimitinh };
|
||||
|
|
@ -160,10 +160,10 @@ class file { getattr read execute };
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_all_daemon_domains_transition(domain,[`optional'])
|
||||
# domain_all_daemon_domains_transition(domain)
|
||||
#
|
||||
define(`domain_all_daemon_domains_transition',`
|
||||
requires_block_template(domain_all_daemon_domains_transition_depend,$3)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 daemon_domain:process transition;
|
||||
allow $1 daemon_domain_entry:file { getattr read execute };
|
||||
allow init_domain $1:fd use;
|
||||
|
|
@ -178,10 +178,10 @@ class file { getattr read execute };
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_signal_all_domains(domain,[`optional'])
|
||||
# domain_signal_all_domains(domain)
|
||||
#
|
||||
define(`domain_signal_all_domains',`
|
||||
requires_block_template(domain_signal_all_domains_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 domain:process signal;
|
||||
')
|
||||
|
||||
|
|
@ -192,10 +192,10 @@ class process signal;
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_kill_all_domains(domain,[`optional'])
|
||||
# domain_kill_all_domains(domain)
|
||||
#
|
||||
define(`domain_kill_all_domains',`
|
||||
requires_block_template(domain_kill_all_domains_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 domain:process sigkill;
|
||||
allow $1 self:capability kill;
|
||||
')
|
||||
|
|
@ -208,10 +208,10 @@ class capability kill;
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_read_all_domains_process_state(domain,[`optional'])
|
||||
# domain_read_all_domains_process_state(domain)
|
||||
#
|
||||
define(`domain_read_all_domains_process_state',`
|
||||
requires_block_template(domain_read_all_domains_process_state_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 domain:dir { getattr search read };
|
||||
allow $1 domain:lnk_file { getattr read };
|
||||
allow $1 domain:file { getattr read };
|
||||
|
|
@ -228,10 +228,10 @@ class process { getattr getsession };
|
|||
|
||||
########################################
|
||||
#
|
||||
# domain_execute_all_entrypoint_programs(domain,[`optional'])
|
||||
# domain_execute_all_entrypoint_programs(domain)
|
||||
#
|
||||
define(`domain_execute_all_entrypoint_programs',`
|
||||
requires_block_template(domain_execute_all_entrypoint_programs_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 entry_type:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_make_file(type,[`optional'])
|
||||
# files_make_file(type)
|
||||
#
|
||||
define(`files_make_file',`
|
||||
requires_block_template(files_make_file_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 file_type;
|
||||
filesystem_associate($1,optional)
|
||||
filesystem_noxattr_associate($1,optional)
|
||||
|
|
@ -19,10 +19,10 @@ filesystem_noxattr_associate_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_make_mountpoint(type,[`optional'])
|
||||
# files_make_mountpoint(type)
|
||||
#
|
||||
define(`files_make_mountpoint',`
|
||||
requires_block_template(files_make_mountpoint_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 mountpoint;
|
||||
')
|
||||
|
||||
|
|
@ -32,10 +32,10 @@ attribute mountpoint;
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_get_all_file_attributes(type,[`optional'])
|
||||
# files_get_all_file_attributes(type)
|
||||
#
|
||||
define(`files_get_all_file_attributes',`
|
||||
requires_block_template(files_get_all_file_attributes_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 file_type:dir { search getattr };
|
||||
allow $1 file_type:file getattr;
|
||||
allow $1 file_type:lnk_file getattr;
|
||||
|
|
@ -54,10 +54,10 @@ class sock_file getattr;
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_manage_all_files_labels(type,[`optional'])
|
||||
# files_manage_all_files_labels(type)
|
||||
#
|
||||
define(`files_manage_all_files_labels',`
|
||||
requires_block_template(files_manage_all_files_labels_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 file_type:dir { getattr relabelfrom relabelto };
|
||||
allow $1 file_type:file { getattr relabelfrom relabelto };
|
||||
allow $1 file_type:lnk_file { getattr relabelfrom relabelto };
|
||||
|
|
@ -83,7 +83,7 @@ class chr_file relabelfrom;
|
|||
# files_search_all_directories(domain)
|
||||
#
|
||||
define(`files_search_all_directories',`
|
||||
requires_block_template(files_search_all_directories_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 file_type:dir search;
|
||||
')
|
||||
|
||||
|
|
@ -97,7 +97,7 @@ class dir search;
|
|||
# files_ignore_search_all_directories(domain)
|
||||
#
|
||||
define(`files_ignore_search_all_directories',`
|
||||
requires_block_template(files_ignore_search_all_directories_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 file_type:dir search;
|
||||
')
|
||||
|
||||
|
|
@ -108,10 +108,10 @@ class dir search;
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_read_all_directories(type,[`optional'])
|
||||
# files_read_all_directories(type)
|
||||
#
|
||||
define(`files_read_all_directories',`
|
||||
requires_block_template(files_read_all_directories_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 file_type:dir { getattr search read };
|
||||
')
|
||||
|
||||
|
|
@ -122,10 +122,10 @@ class dir { getattr search read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_mount_on_all_mountpoints(type,[`optional'])
|
||||
# files_mount_on_all_mountpoints(type)
|
||||
#
|
||||
define(`files_mount_on_all_mountpoints',`
|
||||
requires_block_template(files_mount_on_all_mountpoints_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 mountpoint:dir { getattr search mounton };
|
||||
')
|
||||
|
||||
|
|
@ -136,10 +136,10 @@ class dir { getattr search mounton };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_read_root_dir(domain,[`optional'])
|
||||
# files_read_root_dir(domain)
|
||||
#
|
||||
define(`files_read_root_dir',`
|
||||
requires_block_template(files_read_root_dir_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 root_t:dir { getattr search read };
|
||||
allow $1 root_t:lnk_file { getattr read };
|
||||
')
|
||||
|
|
@ -152,10 +152,10 @@ class lnk_file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_create_root_dir_entry(domain,[`optional'])
|
||||
# files_create_root_dir_entry(domain)
|
||||
#
|
||||
define(`files_create_root_dir_entry',`
|
||||
requires_block_template(files_create_root_dir_entry_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 root_t:dir { getattr search read write add_name };
|
||||
')
|
||||
|
||||
|
|
@ -169,7 +169,7 @@ class dir { getattr search read write add_name };
|
|||
# files_ignore_read_rootfs_file(domain)
|
||||
#
|
||||
define(`files_ignore_read_rootfs_file',`
|
||||
requires_block_template(files_ignore_read_rootfs_file_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 root_t:file read;
|
||||
')
|
||||
|
||||
|
|
@ -180,10 +180,10 @@ class file read;
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_ignore_modify_rootfs_file(domain,[`optional'])
|
||||
# files_ignore_modify_rootfs_file(domain)
|
||||
#
|
||||
define(`files_ignore_modify_rootfs_file',`
|
||||
requires_block_template(files_ignore_modify_rootfs_file_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 root_t:file { read write };
|
||||
')
|
||||
|
||||
|
|
@ -194,10 +194,10 @@ class file { read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_ignore_modify_rootfs_device(domain,[`optional'])
|
||||
# files_ignore_modify_rootfs_device(domain)
|
||||
#
|
||||
define(`files_ignore_modify_rootfs_device',`
|
||||
requires_block_template(files_ignore_modify_rootfs_device_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 root_t:chr_file { read write };
|
||||
')
|
||||
|
||||
|
|
@ -208,10 +208,10 @@ class chr_file { read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_create_private_root_dir_entry(domain,privatetype,[class(es)],[`optional'])
|
||||
# files_create_private_root_dir_entry(domain,privatetype,[class(es)])
|
||||
#
|
||||
define(`files_create_private_root_dir_entry',`
|
||||
requires_block_template(files_create_private_root_dir_entry_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 root_t:dir { getattr search read write add_name remove_name };
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 root_t:file $2;
|
||||
|
|
@ -227,10 +227,10 @@ class dir { getattr search read write add_name remove_name };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_remove_root_dir_entry(domain,[`optional'])
|
||||
# files_remove_root_dir_entry(domain)
|
||||
#
|
||||
define(`files_remove_root_dir_entry',`
|
||||
requires_block_template(files_remove_root_dir_entry_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 root_t:dir { getattr search read write remove_name };
|
||||
')
|
||||
|
||||
|
|
@ -241,10 +241,10 @@ class dir { getattr search read write remove_name };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_unmount_root_filesystem(domain,[`optional'])
|
||||
# files_unmount_root_filesystem(domain)
|
||||
#
|
||||
define(`files_unmount_root_filesystem',`
|
||||
requires_block_template(files_unmount_root_filesystem_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 root_t:filesystem unmount;
|
||||
')
|
||||
|
||||
|
|
@ -255,10 +255,10 @@ class filesystem unmount;
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_read_general_system_config(type,[`optional'])
|
||||
# files_read_general_system_config(type)
|
||||
#
|
||||
define(`files_read_general_system_config',`
|
||||
requires_block_template(files_read_general_system_config_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 etc_t:dir { getattr search read };
|
||||
allow $1 etc_t:file { getattr read };
|
||||
allow $1 etc_t:lnk_file { getattr read };
|
||||
|
|
@ -273,10 +273,10 @@ class lnk_file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_execute_system_config_script(domain,[`optional'])
|
||||
# files_execute_system_config_script(domain)
|
||||
#
|
||||
define(`files_execute_system_config_script',`
|
||||
requires_block_template(files_execute_system_config_script_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 etc_t:dir { getattr search read };
|
||||
allow $1 etc_t:lnk_file { getattr read };
|
||||
allow $1 etc_t:file { getattr read execute execute_no_trans };
|
||||
|
|
@ -291,12 +291,12 @@ class file { getattr read execute execute_no_trans };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_create_boot_flag(type,[`optional'])
|
||||
# files_create_boot_flag(type)
|
||||
#
|
||||
# /halt, /.autofsck, etc
|
||||
#
|
||||
define(`files_create_boot_flag',`
|
||||
requires_block_template(files_create_boot_flag_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 root_t:dir { getattr search read write add_name remove_name };
|
||||
allow $1 etc_runtime_t:file { create read write setattr unlink };
|
||||
type_transition $1 root_t:file etc_runtime_t;
|
||||
|
|
@ -310,10 +310,10 @@ class file { create read write setattr };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_create_runtime_system_config(type,[`optional'])
|
||||
# files_create_runtime_system_config(type)
|
||||
#
|
||||
define(`files_create_runtime_system_config',`
|
||||
requires_block_template(files_create_runtime_system_config_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 etc_t:dir { getattr search read write add_name remove_name };
|
||||
allow $1 etc_runtime_t:file { create read write setattr unlink };
|
||||
type_transition $1 etc_t:file etc_runtime_t;
|
||||
|
|
@ -327,10 +327,10 @@ class file { create read write setattr };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_read_runtime_system_config(domain,[`optional'])
|
||||
# files_read_runtime_system_config(domain)
|
||||
#
|
||||
define(`files_read_runtime_system_config',`
|
||||
requires_block_template(files_read_runtime_system_config_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 etc_t:dir { getattr search read };
|
||||
allow $1 etc_runtime_t:file { getattr read };
|
||||
')
|
||||
|
|
@ -343,10 +343,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_create_private_config(domain,privatetype,[class(es)],[`optional'])
|
||||
# files_create_private_config(domain,privatetype,[class(es)])
|
||||
#
|
||||
define(`files_create_private_config',`
|
||||
requires_block_template(files_create_private_config_depend,$4)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 etc_t:dir { getattr search read write add_name remove_name };
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 etc_t:file $2;
|
||||
|
|
@ -362,10 +362,10 @@ class dir { getattr search read write add_name remove_name };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_list_home_directories(type,[`optional'])
|
||||
# files_list_home_directories(type)
|
||||
#
|
||||
define(`files_list_home_directories',`
|
||||
requires_block_template(files_list_home_directories_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 home_root_t:dir { getattr search read };
|
||||
')
|
||||
|
||||
|
|
@ -376,10 +376,10 @@ class dir { getattr search read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_create_private_tmp_data(domain,private_type,[object class(es)],[`optional'])
|
||||
# files_create_private_tmp_data(domain,private_type,[object class(es)])
|
||||
#
|
||||
define(`files_create_private_tmp_data',`
|
||||
requires_block_template(files_create_private_tmp_data_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 tmp_t:dir { getattr search read write add_name remove_name };
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 tmp_t:file $2;
|
||||
|
|
@ -397,10 +397,10 @@ class dir { getattr search read write add_name };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_remove_all_tmp_data(domain,[`optional'])
|
||||
# files_remove_all_tmp_data(domain)
|
||||
#
|
||||
define(`files_remove_all_tmp_data',`
|
||||
requires_block_template(files_remove_all_tmp_data_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
|
||||
allow $1 tmpfile:file { getattr unlink };
|
||||
allow $1 tmpfile:lnk_file { getattr unlink };
|
||||
|
|
@ -419,10 +419,10 @@ class sock_file { getattr unlink };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_read_general_application_resources(domain,[`optional'])
|
||||
# files_read_general_application_resources(domain)
|
||||
#
|
||||
define(`files_read_general_application_resources',`
|
||||
requires_block_template(files_read_general_application_resources_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 usr_t:dir { getattr search read };
|
||||
allow $1 usr_t:{ file lnk_file } { getattr read };
|
||||
')
|
||||
|
|
@ -439,7 +439,7 @@ class lnk_file { getattr read };
|
|||
# files_read_system_source_code(domain)
|
||||
#
|
||||
define(`files_read_system_source_code',`
|
||||
requires_block_template(files_read_system_source_code_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 usr_t:dir search;
|
||||
allow $1 src_t:dir { getattr search read };
|
||||
allow $1 src_t:{ file lnk_file } { getattr read };
|
||||
|
|
@ -457,7 +457,7 @@ class lnk_file { getattr read };
|
|||
# files_search_system_state_data_directory(domain)
|
||||
#
|
||||
define(`files_search_system_state_data_directory',`
|
||||
requires_block_template(files_search_system_state_data_directory_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 var_t:dir search;
|
||||
')
|
||||
|
||||
|
|
@ -471,7 +471,7 @@ class dir search;
|
|||
# files_manage_pseudorandom_saved_seed(domain)
|
||||
#
|
||||
define(`files_manage_pseudorandom_saved_seed',`
|
||||
requires_block_template(files_manage_pseudorandom_saved_seed_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
|
||||
allow $1 var_lib_t:file { getattr create read write setattr unlink };
|
||||
|
|
@ -485,10 +485,10 @@ class file { getattr create read write setattr unlink };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_manage_system_lock_files(domain,[`optional'])
|
||||
# files_manage_system_lock_files(domain)
|
||||
#
|
||||
define(`files_manage_system_lock_files',`
|
||||
requires_block_template(files_manage_system_lock_files_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
|
||||
allow $1 var_lock_t:file { getattr create read write setattr unlink };
|
||||
')
|
||||
|
|
@ -501,10 +501,10 @@ class file { getattr create read write setattr unlink };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_remove_all_lock_files(domain,[`optional'])
|
||||
# files_remove_all_lock_files(domain)
|
||||
#
|
||||
define(`files_remove_all_lock_files',`
|
||||
requires_block_template(files_remove_all_lock_files_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 lockfile:dir { getattr search read write add_name remove_name };
|
||||
allow $1 lockfile:file { getattr unlink };
|
||||
')
|
||||
|
|
@ -520,7 +520,7 @@ class file { getattr unlink };
|
|||
# files_search_runtime_data_directory(domain)
|
||||
#
|
||||
define(`files_search_runtime_data_directory',`
|
||||
requires_block_template(files_search_runtime_data_directory_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_run_t:dir search;
|
||||
')
|
||||
|
|
@ -535,7 +535,7 @@ class dir search;
|
|||
# files_read_runtime_data_directory(domain)
|
||||
#
|
||||
define(`files_read_runtime_data_directory',`
|
||||
requires_block_template(files_read_runtime_data_directory_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_run_t:dir { getattr search read };
|
||||
')
|
||||
|
|
@ -550,7 +550,7 @@ class dir { getattr search read };
|
|||
# files_create_daemon_runtime_data(domain,pidfile,[object class(es)])
|
||||
#
|
||||
define(`files_create_daemon_runtime_data',`
|
||||
requires_block_template(files_create_daemon_runtime_data_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_run_t:dir { getattr search read write add_name remove_name };
|
||||
ifelse(`$3',`',`
|
||||
|
|
@ -569,10 +569,10 @@ class dir { getattr search read write add_name remove_name };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_modify_system_runtime_data(domain,[`optional'])
|
||||
# files_modify_system_runtime_data(domain)
|
||||
#
|
||||
define(`files_modify_system_runtime_data',`
|
||||
requires_block_template(files_modify_system_runtime_data_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_run_t:dir { getattr search read };
|
||||
allow $1 var_run_t:file { getattr read write };
|
||||
|
|
@ -586,10 +586,10 @@ class file { getattr read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_remove_all_daemon_runtime_data(domain,[`optional'])
|
||||
# files_remove_all_daemon_runtime_data(domain)
|
||||
#
|
||||
define(`files_remove_all_daemon_runtime_data',`
|
||||
requires_block_template(files_remove_all_daemon_runtime_data_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
|
||||
allow $1 var_run_t:dir rmdir;
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
#######################################
|
||||
#
|
||||
# getty_transition(domain,[`optional'])
|
||||
# getty_transition(domain)
|
||||
#
|
||||
define(`getty_transition',`
|
||||
requires_block_template(getty_transition_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 getty_exec_t:file { getattr read execute };
|
||||
allow $1 getty_t:process transition;
|
||||
type_transition $1 getty_exec_t:file getty_t;
|
||||
|
|
@ -20,10 +20,10 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
|
||||
#######################################
|
||||
#
|
||||
# getty_read_log_file(domain,[`optional'])
|
||||
# getty_read_log_file(domain)
|
||||
#
|
||||
define(`getty_read_log_file',`
|
||||
requires_block_template(getty_read_log_file_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 getty_log_t:file { getattr read };
|
||||
')
|
||||
|
||||
|
|
@ -34,10 +34,10 @@ class file { getattr read };
|
|||
|
||||
#######################################
|
||||
#
|
||||
# getty_read_config_file(domain,[`optional'])
|
||||
# getty_read_config_file(domain)
|
||||
#
|
||||
define(`getty_read_config_file',`
|
||||
requires_block_template(getty_read_config_file_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 getty_etc_t:file { getattr read };
|
||||
')
|
||||
|
||||
|
|
@ -48,10 +48,10 @@ class file { getattr read };
|
|||
|
||||
#######################################
|
||||
#
|
||||
# getty_modify_config_file(domain,[`optional'])
|
||||
# getty_modify_config_file(domain)
|
||||
#
|
||||
define(`getty_modify_config_file',`
|
||||
requires_block_template(getty_modify_config_file_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 getty_etc_t:file { getattr read write };
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
# hotplug_transition(domain)
|
||||
#
|
||||
define(`hotplug_transition',`
|
||||
requires_block_template(hotplug_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 hotplug_exec_t:file { getattr read execute };
|
||||
allow $1 hotplug_t:process transition;
|
||||
type_transition $1 hotplug_exec_t:file hotplug_t;
|
||||
|
|
@ -23,7 +23,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# hotplug_execute(domain)
|
||||
#
|
||||
define(`hotplug_execute',`
|
||||
requires_block_template(hotplug_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -37,7 +37,7 @@ class file { getattr read execute execute_no_trans };
|
|||
# hotplug_use_file_descriptors(domain)
|
||||
#
|
||||
define(`hotplug_use_file_descriptors',`
|
||||
requires_block_template(hotplug_use_file_descriptors_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 hotplug_t:fd use;
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
# init_transition(domain)
|
||||
#
|
||||
define(`init_transition',`
|
||||
requires_block_template(init_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 init_exec_t:file { getattr read execute };
|
||||
allow $1 init_t:process transition;
|
||||
type_transition $1 init_exec_t:file init_t;
|
||||
|
|
@ -23,7 +23,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# init_get_control_channel_attributes(domain)
|
||||
#
|
||||
define(`init_get_control_channel_attributes',`
|
||||
requires_block_template(init_get_control_channel_attributes_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 initctl_t:fifo_file getattr;
|
||||
')
|
||||
|
||||
|
|
@ -37,7 +37,7 @@ class fifo_file getattr;
|
|||
# init_use_control_channel(domain)
|
||||
#
|
||||
define(`init_use_control_channel',`
|
||||
requires_block_template(init_use_control_channel_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 initctl_t:fifo_file { getattr read write };
|
||||
devices_list_device_nodes($1)
|
||||
')
|
||||
|
|
@ -52,7 +52,7 @@ class fifo_file { getattr read write };
|
|||
# init_ignore_use_control_channel(domain)
|
||||
#
|
||||
define(`init_ignore_use_control_channel',`
|
||||
requires_block_template(init_ignore_use_control_channel_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 initctl_t:fifo_file { read write };
|
||||
')
|
||||
|
||||
|
|
@ -66,7 +66,7 @@ class fifo_file { read write };
|
|||
# init_sigchld(domain)
|
||||
#
|
||||
define(`init_sigchld',`
|
||||
requires_block_template(init_sigchld_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 init_t:process sigchld;
|
||||
')
|
||||
|
||||
|
|
@ -80,7 +80,7 @@ class process sigchld;
|
|||
# init_use_file_descriptors(domain)
|
||||
#
|
||||
define(`init_use_file_descriptors',`
|
||||
requires_block_template(init_use_file_descriptors_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 init_t:fd use;
|
||||
')
|
||||
|
||||
|
|
@ -94,7 +94,7 @@ class fd use;
|
|||
# init_ignore_use_file_descriptors(domain)
|
||||
#
|
||||
define(`init_ignore_use_file_descriptors',`
|
||||
requires_block_template(init_ignore_use_file_descriptors_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 init_t:fd use;
|
||||
')
|
||||
|
||||
|
|
@ -108,7 +108,7 @@ class fd use;
|
|||
# init_script_transition(domain)
|
||||
#
|
||||
define(`init_script_transition',`
|
||||
requires_block_template(init_script_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 initrc_exec_t:file { getattr read execute };
|
||||
allow $1 initrc_t:process transition;
|
||||
type_transition $1 initrc_exec_t:process init_t;
|
||||
|
|
@ -121,12 +121,26 @@ class file { getattr read execute };
|
|||
class process { transition noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_script_execute(domain)
|
||||
#
|
||||
define(`init_script_execute',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 initrc_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
define(`init_script_execute_depend',`
|
||||
type initrc_exec_t;
|
||||
class file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_script_direct_admin_transition(role,domain)
|
||||
#
|
||||
define(`init_script_direct_admin_transition',`
|
||||
requires_block_template(init_script_direct_admin_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $2 initrc_exec_t:file { getattr read execute };
|
||||
allow $2 initrc_t:process transition;
|
||||
type_transition $2 initrc_exec_t:file init_t;
|
||||
|
|
@ -146,7 +160,7 @@ kernel_system_role_transition_depend
|
|||
# init_script_use_file_descriptors(domain)
|
||||
#
|
||||
define(`init_script_use_file_descriptors',`
|
||||
requires_block_template(init_script_use_file_descriptors_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 initrc_t:fd use;
|
||||
')
|
||||
|
||||
|
|
@ -160,7 +174,7 @@ class fd use;
|
|||
# init_script_use_pseudoterminal(domain)
|
||||
#
|
||||
define(`init_script_use_pseudoterminal',`
|
||||
requires_block_template(init_script_use_pseudoterminal_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 initrc_devpts_t:chr_file { read write };
|
||||
')
|
||||
|
||||
|
|
@ -174,7 +188,7 @@ class chr_file { read write };
|
|||
# init_script_read_runtime_data(domain)
|
||||
#
|
||||
define(`init_script_read_runtime_data',`
|
||||
requires_block_template(init_script_read_runtime_data_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
files_read_runtime_data_directory($1)
|
||||
allow $1 initrc_var_run_t:file { getattr read };
|
||||
')
|
||||
|
|
@ -189,7 +203,7 @@ class file { getattr read };
|
|||
# init_script_modify_runtime_data(domain)
|
||||
#
|
||||
define(`init_script_modify_runtime_data',`
|
||||
requires_block_template(init_script_modify_runtime_data_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
files_read_runtime_data_directory($1)
|
||||
allow $1 initrc_var_run_t:file { getattr read write append };
|
||||
')
|
||||
|
|
@ -204,7 +218,7 @@ class file { getattr read write append };
|
|||
# init_script_ignore_modify_runtime_data(domain)
|
||||
#
|
||||
define(`init_script_ignore_modify_runtime_data',`
|
||||
requires_block_template(init_script_ignore_modify_runtime_data_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 initrc_var_run_t:file { getattr read write append };
|
||||
')
|
||||
|
||||
|
|
@ -212,3 +226,35 @@ define(`init_script_ignore_modify_runtime_data_depend',`
|
|||
type initrc_var_run_t;
|
||||
class file { getattr read write append };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_run_init_transition(domain)
|
||||
#
|
||||
define(`init_run_init_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 run_init_exec_t:file { getattr read execute };
|
||||
allow $1 run_init_t:process transition;
|
||||
type_transition $1 run_init_exec_t:file run_init_t;
|
||||
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
define(`init_run_init_transition_depend',`
|
||||
type run_init_t, run_init_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_run_init_use_file_descriptors(domain)
|
||||
#
|
||||
define(`init_run_init_use_file_descriptors',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 run_init_t:fd use;
|
||||
')
|
||||
|
||||
define(`init_run_init_use_file_descriptors_depend',`
|
||||
type run_init_t;
|
||||
class fd use;
|
||||
')
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
# iptables_transition(domain)
|
||||
#
|
||||
define(`iptables_transition',`
|
||||
requires_block_template(iptables_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 iptables_exec_t:file { getattr read execute };
|
||||
allow $1 iptables_t:process transition;
|
||||
type_transition $1 iptables_exec_t:file iptables_t;
|
||||
|
|
@ -23,7 +23,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# iptables_execute(domain)
|
||||
#
|
||||
define(`iptables_execute',`
|
||||
requires_block_template(iptables_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 iptables_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
########################################
|
||||
#
|
||||
# libraries_use_dynamic_loader(domain,[`optional']
|
||||
# libraries_use_dynamic_loader(domain
|
||||
#
|
||||
define(`libraries_use_dynamic_loader',`
|
||||
requires_block_template(libraries_use_dynamic_loader_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 lib_t:dir { getattr read search };
|
||||
allow $1 lib_t:lnk_file { getattr read };
|
||||
allow $1 ld_so_t:lnk_file { getattr read };
|
||||
|
|
@ -22,10 +22,10 @@ class file { getattr read execute };
|
|||
|
||||
########################################
|
||||
#
|
||||
# libraries_legacy_use_dynamic_loader(domain,[`optional']
|
||||
# libraries_legacy_use_dynamic_loader(domain
|
||||
#
|
||||
define(`libraries_legacy_use_dynamic_loader',`
|
||||
requires_block_template(libraries_legacy_use_dynamic_loader_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
libraries_use_dynamic_loader($1,optional)
|
||||
allow $1 ld_so_t:file execmod;
|
||||
allow $1 ld_so_cache_t:file execute;
|
||||
|
|
@ -39,10 +39,10 @@ class file { execute execmod };
|
|||
|
||||
########################################
|
||||
#
|
||||
# libraries_modify_dynamic_loader_cache(domain,[`optional']
|
||||
# libraries_modify_dynamic_loader_cache(domain
|
||||
#
|
||||
define(`libraries_modify_dynamic_loader_cache',`
|
||||
requires_block_template(libraries_modify_dynamic_loader_cache_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 ld_so_cache_t:file { getattr read write };
|
||||
')
|
||||
|
||||
|
|
@ -53,10 +53,10 @@ class file { getattr read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# libraries_read_shared_libraries(domain,[`optional']
|
||||
# libraries_read_shared_libraries(domain
|
||||
#
|
||||
define(`libraries_read_shared_libraries',`
|
||||
requires_block_template(libraries_read_shared_libraries_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 lib_t:dir { getattr read search };
|
||||
allow $1 lib_t:lnk_file { getattr read };
|
||||
allow $1 { shlib_t texrel_shlib_t }:lnk_file { getattr read };
|
||||
|
|
@ -72,10 +72,10 @@ class file { getattr read execute };
|
|||
|
||||
########################################
|
||||
#
|
||||
# libraries_legacy_read_shared_libraries(domain,[`optional']
|
||||
# libraries_legacy_read_shared_libraries(domain
|
||||
#
|
||||
define(`libraries_legacy_read_shared_libraries',`
|
||||
requires_block_template(libraries_legacy_read_shared_libraries_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
libraries_read_shared_libraries($1,optional)
|
||||
allow $1 { shlib_t texrel_shlib_t }:file execmod;
|
||||
')
|
||||
|
|
@ -88,10 +88,10 @@ libraries_read_shared_libraries_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# libraries_read_static_libraries(domain,[`optional']
|
||||
# libraries_read_static_libraries(domain
|
||||
#
|
||||
define(`libraries_read_static_libraries',`
|
||||
requires_block_template(libraries_read_static_libraries_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 lib_t:dir { getattr read search };
|
||||
allow $1 lib_t:{ file lnk_file } { getattr read };
|
||||
')
|
||||
|
|
@ -105,10 +105,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# libraries_execute_library_scripts(domain,[`optional']
|
||||
# libraries_execute_library_scripts(domain
|
||||
#
|
||||
define(`libraries_execute_library_scripts',`
|
||||
requires_block_template(libraries_execute_library_scripts_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 lib_t:dir { getattr read search };
|
||||
allow $1 lib_t:lnk_file { getattr read };
|
||||
allow $1 lib_t:file { getattr read execute execute_no_trans };
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
#######################################
|
||||
#
|
||||
# locallogin_transition(domain,[`optional'])
|
||||
# locallogin_transition(domain)
|
||||
#
|
||||
define(`locallogin_transition',`
|
||||
requires_block_template(locallogin_transition_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 login_exec_t:file { getattr read execute };
|
||||
allow $1 local_login_t:process transition;
|
||||
type_transition $1 login_exec_t:file local_login_t;
|
||||
|
|
@ -20,10 +20,10 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
|
||||
########################################
|
||||
#
|
||||
# locallogin_use_file_descriptors(domain,[`optional'])
|
||||
# locallogin_use_file_descriptors(domain)
|
||||
#
|
||||
define(`locallogin_use_file_descriptors',`
|
||||
requires_block_template(locallogin_use_file_descriptors_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 local_login_t:fd use;
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
# logging_make_log_file(domain)
|
||||
#
|
||||
define(`logging_make_log_file',`
|
||||
requires_block_template(logging_make_log_file_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
files_make_file($1)
|
||||
typeattribute $1 logfile;
|
||||
')
|
||||
|
|
@ -19,7 +19,7 @@ attribute logfile;
|
|||
# logging_send_system_log_message(domain)
|
||||
#
|
||||
define(`logging_send_system_log_message',`
|
||||
requires_block_template(logging_send_system_log_message_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 devlog_t:lnk_file read;
|
||||
allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
|
||||
# the type of socket depends on the syslog daemon
|
||||
|
|
@ -41,7 +41,7 @@ class unix_stream_socket { create read getattr write setattr append bind connect
|
|||
# logging_search_system_log_directory(domain)
|
||||
#
|
||||
define(`logging_search_system_log_directory',`
|
||||
requires_block_template(logging_search_system_log_directory_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
allow $1 var_log_t:dir search;
|
||||
')
|
||||
|
|
@ -56,7 +56,7 @@ class dir search;
|
|||
# logging_append_all_logs(domain)
|
||||
#
|
||||
define(`logging_append_all_logs',`
|
||||
requires_block_template(logging_append_all_logs_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
allow $1 var_log_t:dir { getattr search read };
|
||||
allow $1 logfile:file { getattr append };
|
||||
|
|
@ -74,7 +74,7 @@ class file { getattr append };
|
|||
# logging_read_all_logs(domain)
|
||||
#
|
||||
define(`logging_read_all_logs',`
|
||||
requires_block_template(logging_read_all_logs_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
allow $1 var_log_t:dir { getattr search read };
|
||||
allow $1 logfile:file { getattr read };
|
||||
|
|
@ -92,7 +92,7 @@ class file { getattr read };
|
|||
# logging_modify_system_logs(domain)
|
||||
#
|
||||
define(`logging_modify_system_logs',`
|
||||
requires_block_template(logging_modify_system_logs_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
allow $1 var_log_t:dir { getattr search read };
|
||||
allow $1 var_log_t:file { getattr read write append };
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
########################################
|
||||
#
|
||||
# miscfiles_read_localization(domain,[`optional'])
|
||||
# miscfiles_read_localization(domain)
|
||||
#
|
||||
define(`miscfiles_read_localization',`
|
||||
requires_block_template(miscfiles_read_localization_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
# FIXME: $1 read etc_t:lnk_file here
|
||||
# FIXME: $1 search usr_t:dir here
|
||||
# FIXME: $1 read lib_t:file(?)
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
########################################
|
||||
#
|
||||
# modutils_read_kernel_module_dependencies(domain,[`optional'])
|
||||
# modutils_read_kernel_module_dependencies(domain)
|
||||
#
|
||||
define(`modutils_read_kernel_module_dependencies',`
|
||||
requires_block_template(modutils_read_kernel_module_dependencies_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
bootloader_list_kernel_modules($1,optional)
|
||||
allow $1 modules_dep_t:file { getattr read };
|
||||
')
|
||||
|
|
@ -19,10 +19,10 @@ bootloader_list_kernel_modules_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# modutils_read_kernel_module_loading_config(domain,[`optional'])
|
||||
# modutils_read_kernel_module_loading_config(domain)
|
||||
#
|
||||
define(`modutils_read_kernel_module_loading_config',`
|
||||
requires_block_template(modutils_read_kernel_module_loading_config_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 modules_conf_t:file { getattr read };
|
||||
')
|
||||
|
||||
|
|
@ -33,10 +33,10 @@ class file { getattr create read write setattr unlink };
|
|||
|
||||
########################################
|
||||
#
|
||||
# modutils_insmod_transition(domain,[`optional'])
|
||||
# modutils_insmod_transition(domain)
|
||||
#
|
||||
define(`modutils_insmod_transition',`
|
||||
requires_block_template(modutils_insmod_transition_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 insmod_exec_t:file { getattr read execute };
|
||||
allow $1 insmod_t:process transition;
|
||||
type_transition $1 insmod_exec_t:file insmod_t;
|
||||
|
|
@ -51,10 +51,10 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
|
||||
########################################
|
||||
#
|
||||
# modutils_insmod_execute(domain,[`optional'])
|
||||
# modutils_insmod_execute(domain)
|
||||
#
|
||||
define(`modutils_insmod_execute',`
|
||||
requires_block_template(modutils_insmod_execute_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 insmod_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -65,10 +65,10 @@ class file { getattr read execute execute_no_trans };
|
|||
|
||||
########################################
|
||||
#
|
||||
# modutils_depmod_transition(domain,[`optional'])
|
||||
# modutils_depmod_transition(domain)
|
||||
#
|
||||
define(`modutils_depmod_transition',`
|
||||
requires_block_template(modutils_depmod_transition_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 depmod_exec_t:file { getattr read execute };
|
||||
allow $1 depmod_t:process transition;
|
||||
type_transition $1 depmod_exec_t:file depmod_t;
|
||||
|
|
@ -83,10 +83,10 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
|
||||
########################################
|
||||
#
|
||||
# modutils_depmod_execute(domain,[`optional'])
|
||||
# modutils_depmod_execute(domain)
|
||||
#
|
||||
define(`modutils_depmod_execute',`
|
||||
requires_block_template(modutils_depmod_execute_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 depmod_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -97,10 +97,10 @@ class file { getattr read execute execute_no_trans };
|
|||
|
||||
########################################
|
||||
#
|
||||
# modutils_update_modules_transition(domain,[`optional'])
|
||||
# modutils_update_modules_transition(domain)
|
||||
#
|
||||
define(`modutils_update_modules_transition',`
|
||||
requires_block_template(modutils_update_modules_transition_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 update_modules_exec_t:file { getattr read execute };
|
||||
allow $1 update_modules_t:process transition;
|
||||
type_transition $1 update_modules_exec_t:file update_modules_t;
|
||||
|
|
@ -115,10 +115,10 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
|
||||
########################################
|
||||
#
|
||||
# modutils_update_modules_execute(domain,[`optional'])
|
||||
# modutils_update_modules_execute(domain)
|
||||
#
|
||||
define(`modutils_update_modules_execute',`
|
||||
requires_block_template(modutils_update_modules_execute_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
#######################################
|
||||
#
|
||||
# mount_transition(domain,[`optional'])
|
||||
# mount_transition(domain)
|
||||
#
|
||||
define(`mount_transition',`
|
||||
requires_block_template(mount_transition_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 mount_exec_t:file { getattr read execute };
|
||||
allow $1 mount_t:process transition;
|
||||
type_transition $1 mount_exec_t:file mount_t;
|
||||
|
|
@ -20,10 +20,10 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
|
||||
#######################################
|
||||
#
|
||||
# mount_use_file_descriptors(domain,[`optional'])
|
||||
# mount_use_file_descriptors(domain)
|
||||
#
|
||||
define(`mount_use_file_descriptors',`
|
||||
requires_block_template(mount_use_file_descriptors_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 mount_t:fd use;
|
||||
')
|
||||
|
||||
|
|
@ -34,10 +34,10 @@ class fd use;
|
|||
|
||||
#######################################
|
||||
#
|
||||
# mount_send_nfs_client_request(domain,[`optional'])
|
||||
# mount_send_nfs_client_request(domain)
|
||||
#
|
||||
define(`mount_send_nfs_client_request',`
|
||||
requires_block_template(mount_send_nfs_client_request_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;
|
||||
')
|
||||
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
# selinux_checkpolicy_transition(domain)
|
||||
#
|
||||
define(`selinux_checkpolicy_transition',`
|
||||
requires_block_template(selinux_checkpolicy_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 checkpolicy_exec_t:file { getattr read execute };
|
||||
allow $1 checkpolicy_t:process transition;
|
||||
type_transition $1 checkpolicy_exec_t:file checkpolicy_t;
|
||||
|
|
@ -23,7 +23,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# selinux_checkpolicy_execute(domain)
|
||||
#
|
||||
define(`selinux_checkpolicy_execute',`
|
||||
requires_block_template(selinux_checkpolicy_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -37,7 +37,7 @@ class file { getattr read execute execute_no_trans };
|
|||
# selinux_load_policy_transition(domain)
|
||||
#
|
||||
define(`selinux_load_policy_transition',`
|
||||
requires_block_template(selinux_load_policy_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 load_policy_exec_t:file { getattr read execute };
|
||||
allow $1 load_policy_t:process transition;
|
||||
type_transition $1 load_policy_exec_t:file load_policy_t;
|
||||
|
|
@ -55,7 +55,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# selinux_load_policy_execute(domain)
|
||||
#
|
||||
define(`selinux_load_policy_execute',`
|
||||
requires_block_template(selinux_load_policy_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -69,7 +69,7 @@ class file { getattr read execute execute_no_trans };
|
|||
# selinux_read_load_policy_binary(domain)
|
||||
#
|
||||
define(`selinux_read_load_policy_binary',`
|
||||
requires_block_template(selinux_read_load_policy_binary_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 load_policy_exec_t:file { getattr read };
|
||||
')
|
||||
|
||||
|
|
@ -83,7 +83,7 @@ class file { getattr read };
|
|||
# newrole_transition(domain)
|
||||
#
|
||||
define(`selinux_newrole_transition',`
|
||||
requires_block_template(selinux_newrole_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 newrole_exec_t:file { getattr read execute };
|
||||
allow $1 newrole_t:process transition;
|
||||
type_transition $1 newrole_exec_t:file newrole_t;
|
||||
|
|
@ -101,7 +101,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# selinux_newrole_execute(domain)
|
||||
#
|
||||
define(`selinux_newrole_execute',`
|
||||
requires_block_template(selinux_newrole_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -115,7 +115,7 @@ class file { getattr read execute execute_no_trans };
|
|||
# selinux_newrole_sigchld(domain)
|
||||
#
|
||||
define(`selinux_newrole_sigchld',`
|
||||
requires_block_template(selinux_newrole_sigchld_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 newrole_t:process sigchld;
|
||||
')
|
||||
|
||||
|
|
@ -129,7 +129,7 @@ class process sigchld;
|
|||
# selinux_newrole_use_file_descriptors(domain)
|
||||
#
|
||||
define(`selinux_newrole_use_file_descriptors',`
|
||||
requires_block_template(selinux_newrole_use_file_descriptors_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 newrole_t:fd use;
|
||||
')
|
||||
|
||||
|
|
@ -143,7 +143,7 @@ class fd use;
|
|||
# selinux_restorecon_transition(domain)
|
||||
#
|
||||
define(`selinux_restorecon_transition',`
|
||||
requires_block_template(selinux_restorecon_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 restorecon_exec_t:file { getattr read execute };
|
||||
allow $1 restorecon_t:process transition;
|
||||
type_transition $1 restorecon_exec_t:file restorecon_t;
|
||||
|
|
@ -161,7 +161,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# selinux_restorecon_execute(domain)
|
||||
#
|
||||
define(`selinux_restorecon_execute',`
|
||||
requires_block_template(selinux_restorecon_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -175,7 +175,7 @@ class file { getattr read execute execute_no_trans };
|
|||
# selinux_setfiles_transition(domain)
|
||||
#
|
||||
define(`selinux_setfiles_transition',`
|
||||
requires_block_template(selinux_setfiles_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 setfiles_exec_t:file { getattr read execute };
|
||||
allow $1 setfiles_t:process transition;
|
||||
type_transition $1 setfiles_exec_t:file setfiles_t;
|
||||
|
|
@ -193,7 +193,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# selinux_setfiles_execute(domain)
|
||||
#
|
||||
define(`selinux_setfiles_execute',`
|
||||
requires_block_template(selinux_setfiles_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -204,10 +204,10 @@ class file { getattr read execute execute_no_trans };
|
|||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_config(domain,[`optional'])
|
||||
# selinux_read_config(domain)
|
||||
#
|
||||
define(`selinux_read_config',`
|
||||
requires_block_template(selinux_read_config_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 selinux_config_t:dir { getattr search read };
|
||||
allow $1 selinux_config_t:file { getattr read };
|
||||
')
|
||||
|
|
@ -220,10 +220,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_default_contexts(domain,[`optional'])
|
||||
# selinux_read_default_contexts(domain)
|
||||
#
|
||||
define(`selinux_read_default_contexts',`
|
||||
requires_block_template(selinux_read_default_contexts_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 selinux_config_t:dir search;
|
||||
allow $1 default_context_t:dir { getattr search read };
|
||||
allow $1 default_context_t:file { getattr read };
|
||||
|
|
@ -237,10 +237,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_file_contexts(domain,[`optional'])
|
||||
# selinux_read_file_contexts(domain)
|
||||
#
|
||||
define(`selinux_read_file_contexts',`
|
||||
requires_block_template(selinux_read_file_contexts_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 selinux_config_t:dir search;
|
||||
allow $1 file_context_t:dir { getattr search read };
|
||||
allow $1 file_context_t:file { getattr read };
|
||||
|
|
@ -254,10 +254,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_binary_policy(domain,[`optional'])
|
||||
# selinux_read_binary_policy(domain)
|
||||
#
|
||||
define(`selinux_read_binary_policy',`
|
||||
requires_block_template(selinux_read_binary_policy_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 policy_config_t:dir { getattr search read };
|
||||
allow $1 policy_config_t:file { getattr read };
|
||||
')
|
||||
|
|
@ -270,10 +270,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# selinux_write_binary_policy(domain,[`optional'])
|
||||
# selinux_write_binary_policy(domain)
|
||||
#
|
||||
define(`selinux_write_binary_policy',`
|
||||
requires_block_template(selinux_write_binary_policy_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
|
||||
allow $1 policy_config_t:file { getattr create write unlink };
|
||||
typeattribute $1 can_write_binary_policy;
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
# selinux_checkpolicy_transition(domain)
|
||||
#
|
||||
define(`selinux_checkpolicy_transition',`
|
||||
requires_block_template(selinux_checkpolicy_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 checkpolicy_exec_t:file { getattr read execute };
|
||||
allow $1 checkpolicy_t:process transition;
|
||||
type_transition $1 checkpolicy_exec_t:file checkpolicy_t;
|
||||
|
|
@ -23,7 +23,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# selinux_checkpolicy_execute(domain)
|
||||
#
|
||||
define(`selinux_checkpolicy_execute',`
|
||||
requires_block_template(selinux_checkpolicy_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -37,7 +37,7 @@ class file { getattr read execute execute_no_trans };
|
|||
# selinux_load_policy_transition(domain)
|
||||
#
|
||||
define(`selinux_load_policy_transition',`
|
||||
requires_block_template(selinux_load_policy_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 load_policy_exec_t:file { getattr read execute };
|
||||
allow $1 load_policy_t:process transition;
|
||||
type_transition $1 load_policy_exec_t:file load_policy_t;
|
||||
|
|
@ -55,7 +55,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# selinux_load_policy_execute(domain)
|
||||
#
|
||||
define(`selinux_load_policy_execute',`
|
||||
requires_block_template(selinux_load_policy_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -69,7 +69,7 @@ class file { getattr read execute execute_no_trans };
|
|||
# selinux_read_load_policy_binary(domain)
|
||||
#
|
||||
define(`selinux_read_load_policy_binary',`
|
||||
requires_block_template(selinux_read_load_policy_binary_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 load_policy_exec_t:file { getattr read };
|
||||
')
|
||||
|
||||
|
|
@ -83,7 +83,7 @@ class file { getattr read };
|
|||
# newrole_transition(domain)
|
||||
#
|
||||
define(`selinux_newrole_transition',`
|
||||
requires_block_template(selinux_newrole_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 newrole_exec_t:file { getattr read execute };
|
||||
allow $1 newrole_t:process transition;
|
||||
type_transition $1 newrole_exec_t:file newrole_t;
|
||||
|
|
@ -101,7 +101,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# selinux_newrole_execute(domain)
|
||||
#
|
||||
define(`selinux_newrole_execute',`
|
||||
requires_block_template(selinux_newrole_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -115,7 +115,7 @@ class file { getattr read execute execute_no_trans };
|
|||
# selinux_newrole_sigchld(domain)
|
||||
#
|
||||
define(`selinux_newrole_sigchld',`
|
||||
requires_block_template(selinux_newrole_sigchld_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 newrole_t:process sigchld;
|
||||
')
|
||||
|
||||
|
|
@ -129,7 +129,7 @@ class process sigchld;
|
|||
# selinux_newrole_use_file_descriptors(domain)
|
||||
#
|
||||
define(`selinux_newrole_use_file_descriptors',`
|
||||
requires_block_template(selinux_newrole_use_file_descriptors_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 newrole_t:fd use;
|
||||
')
|
||||
|
||||
|
|
@ -143,7 +143,7 @@ class fd use;
|
|||
# selinux_restorecon_transition(domain)
|
||||
#
|
||||
define(`selinux_restorecon_transition',`
|
||||
requires_block_template(selinux_restorecon_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 restorecon_exec_t:file { getattr read execute };
|
||||
allow $1 restorecon_t:process transition;
|
||||
type_transition $1 restorecon_exec_t:file restorecon_t;
|
||||
|
|
@ -161,7 +161,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# selinux_restorecon_execute(domain)
|
||||
#
|
||||
define(`selinux_restorecon_execute',`
|
||||
requires_block_template(selinux_restorecon_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -175,7 +175,7 @@ class file { getattr read execute execute_no_trans };
|
|||
# selinux_setfiles_transition(domain)
|
||||
#
|
||||
define(`selinux_setfiles_transition',`
|
||||
requires_block_template(selinux_setfiles_transition_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 setfiles_exec_t:file { getattr read execute };
|
||||
allow $1 setfiles_t:process transition;
|
||||
type_transition $1 setfiles_exec_t:file setfiles_t;
|
||||
|
|
@ -193,7 +193,7 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
# selinux_setfiles_execute(domain)
|
||||
#
|
||||
define(`selinux_setfiles_execute',`
|
||||
requires_block_template(selinux_setfiles_execute_depend)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
|
|
@ -204,10 +204,10 @@ class file { getattr read execute execute_no_trans };
|
|||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_config(domain,[`optional'])
|
||||
# selinux_read_config(domain)
|
||||
#
|
||||
define(`selinux_read_config',`
|
||||
requires_block_template(selinux_read_config_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 selinux_config_t:dir { getattr search read };
|
||||
allow $1 selinux_config_t:file { getattr read };
|
||||
')
|
||||
|
|
@ -220,10 +220,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_default_contexts(domain,[`optional'])
|
||||
# selinux_read_default_contexts(domain)
|
||||
#
|
||||
define(`selinux_read_default_contexts',`
|
||||
requires_block_template(selinux_read_default_contexts_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 selinux_config_t:dir search;
|
||||
allow $1 default_context_t:dir { getattr search read };
|
||||
allow $1 default_context_t:file { getattr read };
|
||||
|
|
@ -237,10 +237,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_file_contexts(domain,[`optional'])
|
||||
# selinux_read_file_contexts(domain)
|
||||
#
|
||||
define(`selinux_read_file_contexts',`
|
||||
requires_block_template(selinux_read_file_contexts_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 selinux_config_t:dir search;
|
||||
allow $1 file_context_t:dir { getattr search read };
|
||||
allow $1 file_context_t:file { getattr read };
|
||||
|
|
@ -254,10 +254,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# selinux_read_binary_policy(domain,[`optional'])
|
||||
# selinux_read_binary_policy(domain)
|
||||
#
|
||||
define(`selinux_read_binary_policy',`
|
||||
requires_block_template(selinux_read_binary_policy_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 policy_config_t:dir { getattr search read };
|
||||
allow $1 policy_config_t:file { getattr read };
|
||||
')
|
||||
|
|
@ -270,10 +270,10 @@ class file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# selinux_write_binary_policy(domain,[`optional'])
|
||||
# selinux_write_binary_policy(domain)
|
||||
#
|
||||
define(`selinux_write_binary_policy',`
|
||||
requires_block_template(selinux_write_binary_policy_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
|
||||
allow $1 policy_config_t:file { getattr create write unlink };
|
||||
typeattribute $1 can_write_binary_policy;
|
||||
|
|
|
|||
|
|
@ -1,9 +1,29 @@
|
|||
# Copyright (C) 2005 Tresys Technology, LLC
|
||||
|
||||
########################################
|
||||
#
|
||||
# sysnetwork_read_network_config(domain,[`optional'])
|
||||
# sysnetwork_ifconfig_transition(domain)
|
||||
#
|
||||
define(`sysnetwork_ifconfig_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 ifconfig_exec_t:file { getattr read execute };
|
||||
allow $1 ifconfig_t:process transition;
|
||||
type_transition $1 ifconfig_exec_t:file ifconfig_t;
|
||||
dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
define(`sysnetwork_ifconfig_transition_depend',`
|
||||
type ifconfig_t, ifconfig_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# sysnetwork_read_network_config(domain)
|
||||
#
|
||||
define(`sysnetwork_read_network_config',`
|
||||
requires_block_template(sysnetwork_read_network_config_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
# FIXME: allow $1 etc_t:dir search;
|
||||
allow $1 net_conf_t:file { getattr read };
|
||||
')
|
||||
|
|
|
|||
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
#######################################
|
||||
#
|
||||
# udev_transition(domain,[`optional'])
|
||||
# udev_transition(domain)
|
||||
#
|
||||
define(`udev_transition',`
|
||||
requires_block_template(udev_transition_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 udev_exec_t:file { getattr read execute };
|
||||
allow $1 udev_t:process transition;
|
||||
type_transition $1 udev_exec_t:file udev_t;
|
||||
|
|
@ -20,10 +20,10 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
|
||||
########################################
|
||||
#
|
||||
# udev_read_database(domain,[`optional'])
|
||||
# udev_read_database(domain)
|
||||
#
|
||||
define(`udev_read_database',`
|
||||
requires_block_template(udev_read_database_depend,$2)
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 udev_tdb_t:file { getattr read };
|
||||
')
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue