From bd202fe157672c93961e9ce7f32bfa1c7bb6b451 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 4 May 2005 13:19:47 +0000 Subject: [PATCH] clean up interfaces for new binary module optional structure --- refpolicy/Makefile | 6 +- refpolicy/policy/modules/admin/consoletype.if | 4 +- refpolicy/policy/modules/kernel/bootloader.if | 52 +-- .../policy/modules/kernel/corenetwork.if | 428 +++++++----------- refpolicy/policy/modules/kernel/devices.if | 152 +++---- refpolicy/policy/modules/kernel/filesystem.if | 220 ++++----- refpolicy/policy/modules/kernel/kernel.if | 240 +++++----- refpolicy/policy/modules/kernel/storage.if | 64 +-- refpolicy/policy/modules/kernel/terminal.if | 52 +-- refpolicy/policy/modules/services/mta.if | 2 +- refpolicy/policy/modules/system/authlogin.if | 20 +- .../policy/modules/system/corecommands.if | 20 +- refpolicy/policy/modules/system/domain.if | 56 +-- refpolicy/policy/modules/system/files.if | 126 +++--- refpolicy/policy/modules/system/getty.if | 16 +- refpolicy/policy/modules/system/hotplug.if | 6 +- refpolicy/policy/modules/system/init.if | 74 ++- refpolicy/policy/modules/system/iptables.if | 4 +- refpolicy/policy/modules/system/libraries.if | 28 +- refpolicy/policy/modules/system/locallogin.if | 8 +- refpolicy/policy/modules/system/logging.if | 12 +- refpolicy/policy/modules/system/miscfiles.if | 4 +- refpolicy/policy/modules/system/modutils.if | 32 +- refpolicy/policy/modules/system/mount.if | 12 +- refpolicy/policy/modules/system/selinux.if | 46 +- .../policy/modules/system/selinuxutil.if | 46 +- refpolicy/policy/modules/system/sysnetwork.if | 24 +- refpolicy/policy/modules/system/udev.if | 8 +- 28 files changed, 864 insertions(+), 898 deletions(-) diff --git a/refpolicy/Makefile b/refpolicy/Makefile index 6e27e816..10fafa57 100644 --- a/refpolicy/Makefile +++ b/refpolicy/Makefile 
@@ -134,7 +134,9 @@ load: tmp/load
 # Construct a monolithic policy.conf
 #
 policy.conf: $(POLICY_SECTIONS)
- $(QUIET) m4 $(M4PARAM) $^ > tmp/$@.tmp
+ $(QUIET) # checkpolicy can use the #line directives provided by m4 -s
+ $(QUIET) # for error reporting:
+ $(QUIET) m4 $(M4PARAM) -s $^ > tmp/$@.tmp
  $(QUIET) sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d < tmp/$@.tmp > $@
  $(QUIET) # the ordering of these ocontexts matters:
  $(QUIET) grep ^portcon tmp/$@.tmp >> $@ || true
@@ -157,7 +159,7 @@ tmp/generated_definitions.conf: $(ALL_MODULES) $(ALL_TE_FILES) $(BASE_MODULE)/co
  echo "define(\`$$i')" >> $@ ;\
  done
  $(QUIET) m4 $(M4PARAM) -D interface_pass $(BASE_MODULE)/global.if $(BASE_MODULE)/corenetwork.if $(BASE_MODULE)/corenetwork.te \
- | sed -e 's/dollarsone/\$$1/g' -e 's/dollarstwo/\$$2/g' >> $@
+ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
 
 tmp/all_interfaces.conf: $(ALL_INTERFACES)
  @test -d tmp || mkdir -p tmp
diff --git a/refpolicy/policy/modules/admin/consoletype.if b/refpolicy/policy/modules/admin/consoletype.if
index 0cd5e083..7640b70d 100644
--- a/refpolicy/policy/modules/admin/consoletype.if
+++ b/refpolicy/policy/modules/admin/consoletype.if
@@ -5,7 +5,7 @@
 # consoletype_transition(domain)
 #
 define(`consoletype_transition',`
-requires_block_template(consoletype_transition_depend)
+requires_block_template(`$0'_depend)
 allow $1 consoletype_exec_t:file { getattr read execute };
 allow $1 consoletype_t:process transition;
 type_transition $1 consoletype_exec_t:file consoletype_t;
@@ -23,7 +23,7 @@ class process { transition noatsecure siginh rlimitinh };
 # consoletype_execute(domain)
 #
 define(`consoletype_execute',`
-requires_block_template(consoletype_execute_depend)
+requires_block_template(`$0'_depend)
 allow $1 consoletype_exec_t:file { getattr read execute execute_no_trans };
 ')
 
diff --git a/refpolicy/policy/modules/kernel/bootloader.if b/refpolicy/policy/modules/kernel/bootloader.if
index d0ee49cb..114bb57d 100644
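Review bot: The `#line` directives that `-s` now writes into tmp/$@.tmp stay accurate only until the next recipe line starts deleting: `sed -e /^portcon/d -e /^nodecon/d -e /^netifcon/d` removes body lines without adjusting the directives, so after each deleted ocontext the line numbers checkpolicy reports drift by the number of lines removed since the last `#line` (how often m4 re-emits a directive is not visible in this hunk). If the ocontexts are grouped in a few places the error is small, but the new comment does not mention the caveat; consider `# for error reporting (line numbers after a deleted portcon/nodecon/netifcon line may be off until the next #line directive):`. Also, a recipe line consisting only of `$(QUIET) # …` still spawns a shell to run a no-op; putting the explanation in a Make comment above the `policy.conf:` rule avoids that and keeps it out of `make -n` output.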
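Review bot: Dropping the `s/dollarstwo/\$$2/g` rule means any interface that still emits the `dollarstwo` placeholder through this interface pass reaches tmp/generated_definitions.conf unsubstituted; corenetwork.if, which is piped here, still forwards `$2` in `corenetwork_network_udp_on_general_node` and `corenetwork_network_udp_on_reserved_port` in this same commit (whether those calls produce the placeholder depends on global.if, which the diff does not show). Either keep the `dollarstwo` substitution next to the new `dollarszero` one until those calls are cleaned up, or add a comment on this line stating that interface bodies may only use `$0` and `$1` from here on.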
--- a/refpolicy/policy/modules/kernel/bootloader.if
+++ b/refpolicy/policy/modules/kernel/bootloader.if
@@ -2,10 +2,10 @@
 
 ########################################
 #
-# bootloader_install_kernel(domain,[`optional'])
+# bootloader_install_kernel(domain)
 #
 define(`bootloader_install_kernel',`
-requires_block_template(bootloader_install_kernel_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 boot_t:dir { getattr search read write add_name };
 allow $1 boot_t:file { getattr read write create };
 allow $1 boot_t:lnk_file { getattr read create unlink };
@@ -20,10 +20,10 @@ class lnk_file { getattr read create unlink };
 
 ########################################
 #
-# bootloader_install_initrd(domain,[`optional'])
+# bootloader_install_initrd(domain)
 #
 define(`bootloader_install_initrd',`
-requires_block_template(bootloader_install_initrd_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 boot_t:dir { getattr search read write add_name };
 allow $1 boot_t:file { getattr read write create };
 allow $1 boot_t:lnk_file { getattr read create unlink };
@@ -38,10 +38,10 @@ class lnk_file { getattr read create unlink };
 
 ########################################
 #
-# bootloader_install_kernel_symbol_table(domain,[`optional'])
+# bootloader_install_kernel_symbol_table(domain)
 #
 define(`bootloader_install_kernel_symbol_table',`
-requires_block_template(bootloader_install_kernel_symbol_table_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 boot_t:dir { getattr search read write add_name };
 allow $1 system_map_t:file { getattr read write create };
 ')
@@ -54,10 +54,10 @@ class file { getattr read write create }; ######################################## # -# bootloader_read_kernel_symbol_table(domain,[`optional']) +# bootloader_read_kernel_symbol_table(domain) # define(`bootloader_read_kernel_symbol_table',` -requires_block_template(bootloader_read_kernel_symbol_table_depend,$2) +requires_block_template(`$0'_depend) allow $1 boot_t:dir { getattr search read }; allow $1 system_map_t:file { getattr read }; ') @@ -70,10 +70,10 @@ class file { getattr read }; ######################################## # -# bootloader_remove_kernel(domain,[`optional']) +# bootloader_remove_kernel(domain) # define(`bootloader_remove_kernel',` -requires_block_template(bootloader_remove_kernel_depend,$2) +requires_block_template(`$0'_depend) allow $1 boot_t:dir { getattr search read write remove_name }; allow $1 boot_t:file { getattr unlink }; ') @@ -86,10 +86,10 @@ class file { getattr unlink }; ######################################## # -# bootloader_remove_kernel_symbol_table(domain,[`optional']) +# bootloader_remove_kernel_symbol_table(domain) # define(`bootloader_remove_kernel_symbol_table',` -requires_block_template(bootloader_remove_kernel_symbol_table_depend,$2) +requires_block_template(`$0'_depend) allow $1 boot_t:dir { getattr search read write remove_name }; allow $1 system_map_t:file { getattr unlink }; ') @@ -102,10 +102,10 @@ class file { getattr unlink }; ######################################## # -# bootloader_read_config(domain,[`optional']) +# bootloader_read_config(domain) # define(`bootloader_read_config',` -requires_block_template(bootloader_read_config_depend,$2) +requires_block_template(`$0'_depend) allow $1 bootloader_etc_t:file { getattr read }; ') 
@@ -116,10 +116,10 @@ class file { getattr read }; ######################################## # -# bootloader_modify_config(domain,[`optional']) +# bootloader_modify_config(domain) # define(`bootloader_modify_bootloader_config',` -requires_block_template(bootloader_modify_config_depend,$2) +requires_block_template(`$0'_depend) allow $1 bootloader_etc_t:file { getattr read write append }; ') @@ -130,10 +130,10 @@ class file { getattr read write append }; ######################################## # -# bootloader_create_runtime_data(domain,[`optional']) +# bootloader_create_runtime_data(domain) # define(`bootloader_create_runtime_data',` -requires_block_template(bootloader_create_runtime_data_depend,$2) +requires_block_template(`$0'_depend) allow $1 boot_t:dir { getattr search read write add_name remove_name }; allow $1 boot_runtime_t:file { getattr create read write append unlink }; type_transition $1 boot_t:file boot_runtime_t; @@ -147,10 +147,10 @@ class file { getattr create read write append unlink }; ######################################## # -# bootloader_list_kernel_modules(domain,[`optional']) +# bootloader_list_kernel_modules(domain) # define(`bootloader_list_kernel_modules',` -requires_block_template(bootloader_list_kernel_modules_depend,$2) +requires_block_template(`$0'_depend) allow $1 modules_object_t:dir { getattr search read }; ') @@ -161,10 +161,10 @@ class dir { getattr search read }; ######################################## # -# bootloader_read_kernel_modules(domain,[`optional']) +# bootloader_read_kernel_modules(domain) # define(`bootloader_read_kernel_modules',` -requires_block_template(bootloader_read_kernel_modules_depend,$2) +requires_block_template(`$0'_depend) allow $1 modules_object_t:dir { getattr search read }; allow $1 modules_object_t:{ lnk_file file } { getattr read }; ') 
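Review bot: Switching to `requires_block_template(`$0'_depend)` in the `bootloader_modify_bootloader_config` hunk changes which depend block is looked up: `$0` expands to the define's actual name, so the requirement now resolves to `bootloader_modify_bootloader_config_depend`, whereas the removed line referenced `bootloader_modify_config_depend` and the header comment still documents the interface as `bootloader_modify_config(domain)`. The depend block's own `define` is outside this hunk (only its `class file { getattr read write append }` line shows up as the next hunk's context), so if it is still named `bootloader_modify_config_depend` the new reference will not expand and the literal macro name will land in the generated requires block. Make the three names agree, most simply by renaming the interface to match its documentation: `define(`bootloader_modify_config',``.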
@@ -178,10 +178,10 @@ class file { getattr read }; ######################################## # -# bootloader_modify_kernel_modules(domain,[`optional']) +# bootloader_modify_kernel_modules(domain) # define(`bootloader_modify_kernel_modules',` -requires_block_template(bootloader_modify_kernel_modules_depend,$2) +requires_block_template(`$0'_depend) allow $1 modules_object_t:file { getattr create read write setattr unlink }; allow $1 modules_object_t:dir { getattr search read write add_name remove_name }; ') @@ -194,10 +194,10 @@ class dir { getattr search read write add_name remove_name }; ######################################## # -# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)],[`optional']) +# bootloader_create_private_module_dir_entry(domain,privatetype,[class(es)]) # define(`bootloader_create_private_module_dir_entry',` -requires_block_template(bootloader_create_private_module_dir_entry_depend,$2) +requires_block_template(`$0'_depend) allow $1 modules_object_t:dir { getattr search read write add_name remove_name }; ifelse(`$3',`',` type_transition $1 modules_object_t:file $2; diff --git a/refpolicy/policy/modules/kernel/corenetwork.if b/refpolicy/policy/modules/kernel/corenetwork.if index b8447ed9..f7c50f4e 100644 --- a/refpolicy/policy/modules/kernel/corenetwork.if +++ b/refpolicy/policy/modules/kernel/corenetwork.if @@ -2,10 +2,10 @@ ####################################### # -# corenetwork_network_tcp_on_general_interface(domain,[`optional']) +# corenetwork_network_tcp_on_general_interface(domain) # define(`corenetwork_network_tcp_on_general_interface',` -requires_block_template(`corenetwork_network_tcp_on_general_interface_depend',$2) +requires_block_template(`$0'_depend) allow $1 netif_t:netif { tcp_send tcp_recv }; ') 
@@ -16,40 +16,28 @@ class netif { tcp_send tcp_recv }; ####################################### # -# corenetwork_network_udp_on_general_interface(domain,[`optional']) +# corenetwork_network_udp_on_general_interface(domain) # define(`corenetwork_network_udp_on_general_interface',` -requires_block_template(`corenetwork_network_udp_on_general_interface_depend',$2) -corenetwork_send_udp_on_general_interface($1,$2) -corenetwork_receive_udp_on_general_interface($1,$2) -') - -define(`corenetwork_network_udp_on_general_interface_depend',` -corenetwork_send_udp_on_general_interface_depend -corenetwork_receive_udp_on_general_interface_depend +corenetwork_send_udp_on_general_interface($1) +corenetwork_receive_udp_on_general_interface($1) ') ####################################### # -# corenetwork_network_raw_on_general_interface(domain,[`optional']) +# corenetwork_network_raw_on_general_interface(domain) # define(`corenetwork_network_raw_on_general_interface',` -requires_block_template(`corenetwork_network_raw_on_general_interface_depend',$2) -corenetwork_send_raw_on_general_interface($1,$2) -corenetwork_receive_raw_on_general_interface($1,$2) -') - -define(`corenetwork_network_raw_on_general_interface_depend',` -corenetwork_send_raw_on_general_interface_depend -corenetwork_receive_raw_on_general_interface_depend +corenetwork_send_raw_on_general_interface($1) +corenetwork_receive_raw_on_general_interface($1) ') ####################################### # -# corenetwork_send_udp_on_general_interface(domain,[`optional']) +# corenetwork_send_udp_on_general_interface(domain) # define(`corenetwork_send_udp_on_general_interface',` -requires_block_template(`corenetwork_send_udp_on_general_interface_depend',$2) +requires_block_template(`$0'_depend) allow $1 netif_t:netif udp_send; ') 
@@ -60,10 +48,10 @@ class netif udp_send; ####################################### # -# corenetwork_receive_udp_on_general_interface(domain,[`optional']) +# corenetwork_receive_udp_on_general_interface(domain) # define(`corenetwork_receive_udp_on_general_interface',` -requires_block_template(`corenetwork_receive_udp_on_general_interface_depend',$2) +requires_block_template(`$0'_depend) allow $1 netif_t:netif udp_recv; ') @@ -74,10 +62,10 @@ class netif udp_recv; ####################################### # -# corenetwork_send_raw_on_general_interface(domain,[`optional']) +# corenetwork_send_raw_on_general_interface(domain) # define(`corenetwork_send_raw_on_general_interface',` -requires_block_template(`corenetwork_send_raw_on_general_interface_depend',$2) +requires_block_template(`$0'_depend) allow $1 netif_t:netif rawip_send; allow $1 self:capability net_raw; ') @@ -90,10 +78,10 @@ class capability net_raw; ####################################### # -# corenetwork_receive_raw_on_general_interface(domain,[`optional']) +# corenetwork_receive_raw_on_general_interface(domain) # define(`corenetwork_receive_raw_on_general_interface',` -requires_block_template(`corenetwork_receive_raw_on_general_interface_depend',$2) +requires_block_template(`$0'_depend) allow $1 netif_t:netif rawip_recv; ') @@ -104,10 +92,10 @@ class netif rawip_recv; ####################################### # -# corenetwork_network_tcp_on_all_interfaces(domain,[`optional']) +# corenetwork_network_tcp_on_all_interfaces(domain) # define(`corenetwork_network_tcp_on_all_interfaces',` -requires_block_template(`corenetwork_network_tcp_on_all_interfaces_depend',$2) +requires_block_template(`$0'_depend) allow $1 netif_type:netif { tcp_send tcp_recv }; ') 
@@ -118,40 +106,28 @@ class netif { tcp_send tcp_recv }; ####################################### # -# corenetwork_network_udp_on_all_interfaces(domain,[`optional']) +# corenetwork_network_udp_on_all_interfaces(domain) # define(`corenetwork_network_udp_on_all_interfaces',` -requires_block_template(`corenetwork_network_udp_on_all_interfaces_depend',$2) -corenetwork_send_udp_on_all_interfaces($1,$2) -corenetwork_receive_udp_on_all_interfaces($1,$2) -') - -define(`corenetwork_network_udp_on_all_interfaces_depend',` -corenetwork_send_udp_on_all_interfaces_depend -corenetwork_receive_udp_on_all_interfaces_depend +corenetwork_send_udp_on_all_interfaces($1) +corenetwork_receive_udp_on_all_interfaces($1) ') ####################################### # -# corenetwork_network_raw_on_all_interfaces(domain,[`optional']) +# corenetwork_network_raw_on_all_interfaces(domain) # define(`corenetwork_network_raw_on_all_interfaces',` -requires_block_template(`corenetwork_network_raw_on_all_interfaces_depend',$2) -corenetwork_send_raw_on_all_interfaces($1,$2) -corenetwork_receive_raw_on_all_interfaces($1,$2) -') - -define(`corenetwork_network_raw_on_all_interfaces_depend',` -corenetwork_send_raw_on_all_interfaces_depend -corenetwork_receive_raw_on_all_interfaces_depend +corenetwork_send_raw_on_all_interfaces($1) +corenetwork_receive_raw_on_all_interfaces($1) ') ####################################### # -# corenetwork_send_udp_on_all_interfaces(domain,[`optional']) +# corenetwork_send_udp_on_all_interfaces(domain) # define(`corenetwork_send_udp_on_all_interfaces',` -requires_block_template(`corenetwork_send_udp_on_all_interfaces_depend',$2) +requires_block_template(`$0'_depend) allow $1 netif_type:netif udp_send; ') 
@@ -162,10 +138,10 @@ class netif udp_send; ####################################### # -# corenetwork_send_raw_on_all_interfaces(domain,[`optional']) +# corenetwork_send_raw_on_all_interfaces(domain) # define(`corenetwork_send_raw_on_all_interfaces',` -requires_block_template(`corenetwork_send_raw_on_all_interfaces_depend',$2) +requires_block_template(`$0'_depend) allow $1 netif_type:netif rawip_send; allow $1 self:capability net_raw; ') @@ -178,10 +154,10 @@ class capability net_raw; ####################################### # -# corenetwork_receive_udp_on_all_interfaces(domain,[`optional']) +# corenetwork_receive_udp_on_all_interfaces(domain) # define(`corenetwork_receive_udp_on_all_interfaces',` -requires_block_template(`corenetwork_receive_udp_on_all_interfaces_depend',$2) +requires_block_template(`$0'_depend) allow $1 netif_type:netif udp_recv; ') @@ -192,10 +168,10 @@ class netif udp_recv; ####################################### # -# corenetwork_receive_raw_on_all_interfaces(domain,[`optional']) +# corenetwork_receive_raw_on_all_interfaces(domain) # define(`corenetwork_receive_raw_on_all_interfaces',` -requires_block_template(`corenetwork_receive_raw_on_all_interfaces_depend',$2) +requires_block_template(`$0'_depend) allow $1 netif_type:netif rawip_recv; ') @@ -206,10 +182,10 @@ class netif rawip_recv; ####################################### # -# corenetwork_network_tcp_on_general_node(domain,[`optional']) +# corenetwork_network_tcp_on_general_node(domain) # define(`corenetwork_network_tcp_on_general_node',` -requires_block_template(`corenetwork_network_tcp_on_general_node_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_t:node { tcp_send tcp_recv }; ') 
@@ -220,40 +196,28 @@ class node { tcp_send tcp_recv }; ####################################### # -# corenetwork_network_udp_on_general_node(domain,[`optional']) +# corenetwork_network_udp_on_general_node(domain) # define(`corenetwork_network_udp_on_general_node',` -requires_block_template(`corenetwork_network_udp_on_general_node_depend',$2) corenetwork_send_udp_on_general_node($1,$2) corenetwork_receive_udp_on_general_node($1,$2) ') -define(`corenetwork_network_udp_on_general_node_depend',` -corenetwork_send_udp_on_general_node_depend -corenetwork_receive_udp_on_general_node_depend -') - ####################################### # -# corenetwork_network_raw_on_general_node(domain,[`optional']) +# corenetwork_network_raw_on_general_node(domain) # define(`corenetwork_network_raw_on_general_node',` -requires_block_template(`corenetwork_network_raw_on_general_node_depend',$2) corenetwork_send_raw_on_general_node($1,$2) corenetwork_receive_raw_on_general_node($1,$2) ') -define(`corenetwork_network_raw_on_general_node_depend',` -corenetwork_send_raw_on_general_node_depend -corenetwork_receive_raw_on_general_node_depend -') - ####################################### # -# corenetwork_send_udp_on_general_node(domain,[`optional']) +# corenetwork_send_udp_on_general_node(domain) # define(`corenetwork_send_udp_on_general_node',` -requires_block_template(`corenetwork_send_udp_on_general_node_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_t:node udp_send; ') @@ -264,10 +228,10 @@ class node udp_send; ####################################### # -# corenetwork_receive_udp_on_general_node(domain,[`optional']) +# corenetwork_receive_udp_on_general_node(domain) # define(`corenetwork_receive_udp_on_general_node',` -requires_block_template(`corenetwork_receive_udp_on_general_node_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_t:node udp_recv; ') 
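Review bot: The rewritten `corenetwork_network_udp_on_general_node` and `corenetwork_network_raw_on_general_node` bodies still forward a second argument, `corenetwork_send_udp_on_general_node($1,$2)`, although the header comment above each now documents a single `domain` parameter and the equivalent wrappers earlier in this file were changed to `($1)`. The same leftover appears in `corenetwork_network_raw_on_all_nodes` and `corenetwork_network_udp_on_all_reserved_ports`, which pass a literal `optional`, and in `corenetwork_network_udp_on_reserved_port`. Because the callees now derive their requires block from `$0` and never read `$2`, the extra argument is dead, but the literal `optional` reads as though the old optional-block wrapping still happens. Change these calls to `corenetwork_send_udp_on_general_node($1)` and `corenetwork_receive_udp_on_general_node($1)`, and likewise in the other three wrappers.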
@@ -278,10 +242,10 @@ class node udp_recv; ####################################### # -# corenetwork_send_raw_on_general_node(domain,[`optional']) +# corenetwork_send_raw_on_general_node(domain) # define(`corenetwork_send_raw_on_general_node',` -requires_block_template(`corenetwork_send_raw_on_general_node_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_t:node rawip_send; allow $1 self:capability net_raw; ') @@ -294,10 +258,10 @@ class capability net_raw; ####################################### # -# corenetwork_receive_raw_on_general_node(domain,[`optional']) +# corenetwork_receive_raw_on_general_node(domain) # define(`corenetwork_receive_raw_on_general_node',` -requires_block_template(`corenetwork_receive_raw_on_general_node_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_t:node rawip_recv; ') @@ -308,10 +272,10 @@ class node rawip_recv; ####################################### # -# corenetwork_bind_tcp_on_general_node(domain,[`optional']) +# corenetwork_bind_tcp_on_general_node(domain) # define(`corenetwork_bind_tcp_on_general_node',` -requires_block_template(`corenetwork_bind_tcp_on_general_node_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_t:tcp_socket node_bind; ') @@ -322,10 +286,10 @@ class tcp_socket node_bind; ####################################### # -# corenetwork_bind_udp_on_general_node(domain,[`optional']) +# corenetwork_bind_udp_on_general_node(domain) # define(`corenetwork_bind_udp_on_general_node',` -requires_block_template(`corenetwork_bind_udp_on_general_node_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_t:udp_socket node_bind; ') 
@@ -336,10 +300,10 @@ class udp_socket node_bind; ####################################### # -# corenetwork_network_tcp_on_all_nodes(domain,[`optional']) +# corenetwork_network_tcp_on_all_nodes(domain) # define(`corenetwork_network_tcp_on_all_nodes',` -requires_block_template(`corenetwork_network_tcp_on_all_nodes_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_type:node { tcp_send tcp_recv }; ') @@ -350,40 +314,28 @@ class node { tcp_send tcp_recv }; ####################################### # -# corenetwork_network_udp_on_all_nodes(domain,[`optional']) +# corenetwork_network_udp_on_all_nodes(domain) # define(`corenetwork_network_udp_on_all_nodes',` -requires_block_template(`corenetwork_network_udp_on_all_nodes_depend',$2) -corenetwork_send_udp_on_all_nodes($1,optional) -corenetwork_receive_udp_on_all_nodes($1,optional) -') - -define(`corenetwork_network_udp_on_all_nodes_depend',` -corenetwork_send_udp_on_all_nodes_depend -corenetwork_receive_udp_on_all_nodes_depend +corenetwork_send_udp_on_all_nodes($1) +corenetwork_receive_udp_on_all_nodes($1) ') ####################################### # -# corenetwork_network_raw_on_all_nodes(domain,[`optional']) +# corenetwork_network_raw_on_all_nodes(domain) # define(`corenetwork_network_raw_on_all_nodes',` -requires_block_template(`corenetwork_network_raw_on_all_nodes_depend',$2) corenetwork_send_raw_on_all_nodes($1,optional) corenetwork_receive_raw_on_all_nodes($1,optional) ') -define(`corenetwork_network_raw_on_all_nodes_depend',` -corenetwork_send_raw_on_all_nodes_depend -corenetwork_receive_raw_on_all_nodes_depend -') - ####################################### # -# corenetwork_send_udp_on_all_nodes(domain,[`optional']) +# corenetwork_send_udp_on_all_nodes(domain) # define(`corenetwork_send_udp_on_all_nodes',` -requires_block_template(`corenetwork_send_udp_on_all_nodes_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_type:node udp_send; ') 
@@ -394,10 +346,10 @@ class node udp_send; ####################################### # -# corenetwork_receive_udp_on_all_nodes(domain,[`optional']) +# corenetwork_receive_udp_on_all_nodes(domain) # define(`corenetwork_receive_udp_on_all_nodes',` -requires_block_template(`corenetwork_receive_udp_on_all_nodes_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_type:node udp_recv; ') @@ -408,10 +360,10 @@ class node udp_recv; ####################################### # -# corenetwork_send_raw_on_all_nodes(domain,[`optional']) +# corenetwork_send_raw_on_all_nodes(domain) # define(`corenetwork_send_raw_on_all_nodes',` -requires_block_template(`corenetwork_send_raw_on_all_nodes_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_type:node rawip_send; allow $1 self:capability net_raw; ') @@ -424,10 +376,10 @@ class capability net_raw; ####################################### # -# corenetwork_receive_raw_on_all_nodes(domain,[`optional']) +# corenetwork_receive_raw_on_all_nodes(domain) # define(`corenetwork_receive_raw_on_all_nodes',` -requires_block_template(`corenetwork_receive_raw_on_all_nodes_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_type:node rawip_recv; ') 
@@ -438,24 +390,24 @@ class node rawip_recv; ####################################### # -# corenetwork_bind_tcp_on_all_nodes(domain,[`optional']) +# corenetwork_bind_tcp_on_all_nodes(domain) # define(`corenetwork_bind_tcp_on_all_nodes',` -requires_block_template(`corenetwork_bind_tcp_on_all_nodes_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_type:tcp_socket node_bind; ') -define(`corenetwork_bind_udp_on_all_nodes_depend',` +define(`corenetwork_bind_tcp_on_all_nodes_depend',` attribute node_type; class tcp_socket node_bind; ') ####################################### # -# corenetwork_bind_udp_on_all_nodes(domain,[`optional']) +# corenetwork_bind_udp_on_all_nodes(domain) # define(`corenetwork_bind_udp_on_all_nodes',` -requires_block_template(`corenetwork_bind_udp_on_all_nodes_depend',$2) +requires_block_template(`$0'_depend) allow $1 node_type:udp_socket node_bind; ') @@ -466,10 +418,10 @@ class udp_socket node_bind; ####################################### # -# corenetwork_network_tcp_on_general_port(domain,[`optional']) +# corenetwork_network_tcp_on_general_port(domain) # define(`corenetwork_network_tcp_on_general_port',` -requires_block_template(`corenetwork_network_tcp_on_general_port_depend',$2) +requires_block_template(`$0'_depend) allow $1 port_t:tcp_socket { send_msg recv_msg }; ') 
@@ -480,25 +432,19 @@ class tcp_socket { send_msg recv_msg }; ####################################### # -# corenetwork_network_udp_on_general_port(domain,[`optional']) +# corenetwork_network_udp_on_general_port(domain) # define(`corenetwork_network_udp_on_general_port',` -requires_block_template(`corenetwork_network_udp_on_general_port_depend',$2) -corenetwork_send_udp_on_general_port($1,$2) -corenetwork_receive_udp_on_general_port($1,$2) -') - -define(`corenetwork_network_udp_on_general_port_depend',` -corenetwork_send_udp_on_general_port_depend -corenetwork_receive_udp_on_general_port_depend +corenetwork_send_udp_on_general_port($1) +corenetwork_receive_udp_on_general_port($1) ') ####################################### # -# corenetwork_send_udp_on_general_port(domain,[`optional']) +# corenetwork_send_udp_on_general_port(domain) # define(`corenetwork_send_udp_on_general_port',` -requires_block_template(`corenetwork_send_udp_on_general_port_depend',$2) +requires_block_template(`$0'_depend) allow $1 port_t:udp_socket send_msg; ') @@ -509,10 +455,10 @@ class udp_socket send_msg; ####################################### # -# corenetwork_receive_udp_on_general_port(domain,[`optional']) +# corenetwork_receive_udp_on_general_port(domain) # define(`corenetwork_receive_udp_on_general_port',` -requires_block_template(`corenetwork_receive_udp_on_general_port_depend',$2) +requires_block_template(`$0'_depend) allow $1 port_t:udp_socket recv_msg; ') @@ -523,10 +469,10 @@ class udp_socket recv_msg; ####################################### # -# corenetwork_bind_tcp_on_general_port(domain,[`optional']) +# corenetwork_bind_tcp_on_general_port(domain) # define(`corenetwork_bind_tcp_on_general_port',` -requires_block_template(`corenetwork_bind_tcp_on_general_port_depend',$2) +requires_block_template(`$0'_depend) allow $1 port_t:tcp_socket name_bind; ') 
@@ -537,10 +483,10 @@ class tcp_socket name_bind; ####################################### # -# corenetwork_bind_udp_on_general_port(domain,[`optional']) +# corenetwork_bind_udp_on_general_port(domain) # define(`corenetwork_bind_udp_on_general_port',` -requires_block_template(`corenetwork_bind_udp_on_general_port_depend',$2) +requires_block_template(`$0'_depend) allow $1 port_t:udp_socket name_bind; ') @@ -551,10 +497,10 @@ class udp_socket name_bind; ####################################### # -# corenetwork_network_tcp_on_all_ports(domain,[`optional']) +# corenetwork_network_tcp_on_all_ports(domain) # define(`corenetwork_network_tcp_on_all_ports',` -requires_block_template(`corenetwork_network_tcp_on_all_ports_depend',$2) +requires_block_template(`$0'_depend) allow $1 port_type:tcp_socket { send_msg recv_msg }; ') @@ -565,25 +511,19 @@ class tcp_socket { send_msg recv_msg }; ####################################### # -# corenetwork_network_udp_on_all_ports(domain,[`optional']) +# corenetwork_network_udp_on_all_ports(domain) # define(`corenetwork_network_udp_on_all_ports',` -requires_block_template(`corenetwork_network_udp_on_all_ports_depend',$2) -corenetwork_send_udp_on_all_ports($1,optional) -corenetwork_receive_udp_on_all_ports($1,optional) -') - -define(`corenetwork_network_udp_on_all_ports_depend',` -corenetwork_send_udp_on_all_ports_depend -corenetwork_receive_udp_on_all_ports_depend +corenetwork_send_udp_on_all_ports($1) +corenetwork_receive_udp_on_all_ports($1) ') ####################################### # -# corenetwork_send_udp_on_all_ports(domain,[`optional']) +# corenetwork_send_udp_on_all_ports(domain) # define(`corenetwork_send_udp_on_all_ports',` -requires_block_template(`corenetwork_send_udp_on_all_ports_depend',$2) +requires_block_template(`$0'_depend) allow $1 port_type:udp_socket send_msg; ') 
@@ -594,10 +534,10 @@ class udp_socket send_msg; ####################################### # -# corenetwork_receive_udp_on_all_ports(domain,[`optional']) +# corenetwork_receive_udp_on_all_ports(domain) # define(`corenetwork_receive_udp_on_all_ports',` -requires_block_template(`corenetwork_receive_udp_on_all_ports_depend',$2) +requires_block_template(`$0'_depend) allow $1 port_type:udp_socket recv_msg; ') @@ -611,21 +551,21 @@ class udp_socket recv_msg; # corenetwork_bind_tcp_on_all_ports(domain,[`optional']) # define(`corenetwork_bind_tcp_on_all_ports',` -requires_block_template(`corenetwork_bind_tcp_on_all_ports_depend',$2) +requires_block_template(`$0'_depend) allow $1 port_type:tcp_socket name_bind; ') -define(`corenetwork_bind_udp_on_all_ports_depend',` +define(`corenetwork_bind_tcp_on_all_ports_depend',` type port_type; class tcp_socket name_bind; ') ####################################### # -# corenetwork_bind_udp_on_all_ports(domain,[`optional']) +# corenetwork_bind_udp_on_all_ports(domain) # define(`corenetwork_bind_udp_on_all_ports',` -requires_block_template(`corenetwork_bind_udp_on_all_ports_depend',$2) +requires_block_template(`$0'_depend) allow $1 port_type:udp_socket name_bind; ') @@ -636,10 +576,10 @@ class udp_socket name_bind; ####################################### # -# corenetwork_network_tcp_on_reserved_port(domain,[`optional']) +# corenetwork_network_tcp_on_reserved_port(domain) # define(`corenetwork_network_tcp_on_reserved_port',` -requires_block_template(`corenetwork_network_tcp_on_reserved_port_depend',$2) +requires_block_template(`$0'_depend) allow $1 reserved_port_t:tcp_socket { send_msg recv_msg }; ') 
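Review bot: The renamed `corenetwork_bind_tcp_on_all_ports_depend` block declares `type port_type;`, while the two parallel depend blocks renamed in this commit declare `attribute node_type;` and `attribute reserved_port_type;`; if `port_type` is an attribute like those (its naming matches, but its declaration is not on this page), the requires block should read `attribute port_type;` so the module's requirements describe the symbol correctly. Separately, the header comment `# corenetwork_bind_tcp_on_all_ports(domain,[`optional'])` at the top of this hunk is a context line and still advertises the optional argument that every other interface header in this file drops; change it to `# corenetwork_bind_tcp_on_all_ports(domain)`.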
@@ -650,25 +590,19 @@ class tcp_socket { send_msg recv_msg }; ####################################### # -# corenetwork_network_udp_on_reserved_port(domain,[`optional']) +# corenetwork_network_udp_on_reserved_port(domain) # define(`corenetwork_network_udp_on_reserved_port',` -requires_block_template(`corenetwork_network_udp_on_reserved_port_depend',$2) corenetwork_send_udp_on_reserved_port($1,$2) corenetwork_receive_udp_on_reserved_port($1,$2) ') -define(`corenetwork_network_udp_on_reserved_port_depend',` -corenetwork_send_udp_on_reserved_port_depend -corenetwork_receive_udp_on_reserved_port_depend -') - ####################################### # -# corenetwork_send_udp_on_reserved_port(domain,[`optional']) +# corenetwork_send_udp_on_reserved_port(domain) # define(`corenetwork_send_udp_on_reserved_port',` -requires_block_template(`corenetwork_send_udp_on_reserved_port_depend',$2) +requires_block_template(`$0'_depend) allow $1 reserved_port_t:udp_socket send_msg; ') @@ -679,10 +613,10 @@ class udp_socket send_msg; ####################################### # -# corenetwork_receive_udp_on_reserved_port(domain,[`optional']) +# corenetwork_receive_udp_on_reserved_port(domain) # define(`corenetwork_receive_udp_on_reserved_port',` -requires_block_template(`corenetwork_receive_udp_on_reserved_port_depend',$2) +requires_block_template(`$0'_depend) allow $1 reserved_port_t:udp_socket recv_msg; ') @@ -693,10 +627,10 @@ class udp_socket recv_msg; ####################################### # -# corenetwork_bind_tcp_on_reserved_port(domain,[`optional']) +# corenetwork_bind_tcp_on_reserved_port(domain) # define(`corenetwork_bind_tcp_on_reserved_port',` -requires_block_template(`corenetwork_bind_tcp_on_reserved_port_depend',$2) +requires_block_template(`$0'_depend) allow $1 reserved_port_t:tcp_socket name_bind; allow $1 self:capability net_bind_service; ') 
@@ -709,10 +643,10 @@ class capability net_bind_service;
 
 #######################################
 #
-# corenetwork_bind_udp_on_reserved_port(domain,[`optional'])
+# corenetwork_bind_udp_on_reserved_port(domain)
 #
 define(`corenetwork_bind_udp_on_reserved_port',`
-requires_block_template(`corenetwork_bind_udp_on_reserved_port_depend',$2)
+requires_block_template(`$0'_depend)
 allow $1 reserved_port_t:udp_socket name_bind;
 allow $1 self:capability net_bind_service;
 ')
@@ -725,10 +659,10 @@ class capability net_bind_service;
 
 #######################################
 #
-# corenetwork_network_tcp_on_all_reserved_ports(domain,[`optional'])
+# corenetwork_network_tcp_on_all_reserved_ports(domain)
 #
 define(`corenetwork_network_tcp_on_all_reserved_ports',`
-requires_block_template(`corenetwork_network_tcp_on_all_reserved_ports_depend',$2)
+requires_block_template(`$0'_depend)
 allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
 ')
 
@@ -739,25 +673,19 @@ class tcp_socket { send_msg recv_msg };
 
 #######################################
 #
-# corenetwork_network_udp_on_all_reserved_ports(domain,[`optional'])
+# corenetwork_network_udp_on_all_reserved_ports(domain)
 #
 define(`corenetwork_network_udp_on_all_reserved_ports',`
-requires_block_template(`corenetwork_network_udp_on_all_reserved_ports_depend',$2)
 corenetwork_send_udp_on_all_reserved_ports($1,optional)
 corenetwork_receive_udp_on_all_reserved_ports($1,optional)
 ')
 
-define(`corenetwork_network_udp_on_all_reserved_ports_depend',`
-corenetwork_send_udp_on_all_reserved_ports_depend
-corenetwork_receive_udp_on_all_reserved_ports_depend
-')
-
 #######################################
 #
-# corenetwork_send_udp_on_all_reserved_ports(domain,[`optional'])
+# corenetwork_send_udp_on_all_reserved_ports(domain)
 #
 define(`corenetwork_send_udp_on_all_reserved_ports',`
-requires_block_template(`corenetwork_send_udp_on_all_reserved_ports_depend',$2)
+requires_block_template(`$0'_depend)
 allow $1 reserved_port_type:udp_socket send_msg;
 ')
 
@@ -768,10 +696,10 @@ class udp_socket send_msg;
 
 #######################################
 #
-# corenetwork_receive_udp_on_all_reserved_ports(domain,[`optional'])
+# corenetwork_receive_udp_on_all_reserved_ports(domain)
 #
 define(`corenetwork_receive_udp_on_all_reserved_ports',`
-requires_block_template(`corenetwork_receive_udp_on_all_reserved_ports_depend',$2)
+requires_block_template(`$0'_depend)
 allow $1 reserved_port_type:udp_socket recv_msg;
 ')
 
@@ -782,15 +710,15 @@ class udp_socket recv_msg;
 
 #######################################
 #
-# corenetwork_bind_tcp_on_all_reserved_ports(domain,[`optional'])
+# corenetwork_bind_tcp_on_all_reserved_ports(domain)
 #
 define(`corenetwork_bind_tcp_on_all_reserved_ports',`
-requires_block_template(`corenetwork_bind_tcp_on_all_reserved_ports_depend',$2)
+requires_block_template(`$0'_depend)
 allow $1 reserved_port_type:tcp_socket name_bind;
 allow $1 self:capability net_bind_service;
 ')
 
-define(`corenetwork_bind_udp_on_all_reserved_ports_depend',`
+define(`corenetwork_bind_tcp_on_all_reserved_ports_depend',`
 attribute reserved_port_type;
 class tcp_socket name_bind;
 class capability net_bind_service;
@@ -798,10 +726,10 @@ class capability net_bind_service;
 
 #######################################
 #
-# corenetwork_bind_udp_on_all_reserved_ports(domain,[`optional'])
+# corenetwork_bind_udp_on_all_reserved_ports(domain)
 #
 define(`corenetwork_bind_udp_on_all_reserved_ports',`
-requires_block_template(`corenetwork_bind_udp_on_all_reserved_ports_depend',$2)
+requires_block_template(`$0'_depend)
 allow $1 reserved_port_type:udp_socket name_bind;
 allow $1 self:capability net_bind_service;
 ')
@@ -814,10 +742,10 @@ class self:capability net_bind_service;
 
 #######################################
 #
-# corenetwork_ignore_bind_tcp_on_all_reserved_ports(domain,[`optional'])
+# corenetwork_ignore_bind_tcp_on_all_reserved_ports(domain)
 #
 define(`corenetwork_ignore_bind_tcp_on_all_reserved_ports',`
-requires_block_template(`corenetwork_ignore_bind_tcp_on_all_reserved_ports_depend',$2)
+requires_block_template(`$0'_depend)
 dontaudit $1 reserved_port_type:tcp_socket name_bind;
 ')
 
@@ -828,10 +756,10 @@ class tcp_socket name_bind;
 
 #######################################
 #
-# corenetwork_ignore_bind_udp_on_all_reserved_ports(domain,[`optional'])
+# corenetwork_ignore_bind_udp_on_all_reserved_ports(domain)
 #
 define(`corenetwork_ignore_bind_udp_on_all_reserved_ports',`
-requires_block_template(`corenetwork_ignore_bind_udp_on_all_reserved_ports_depend',$2)
+requires_block_template(`$0'_depend)
 dontaudit $1 reserved_port_type:udp_socket name_bind;
 ')
 
@@ -864,10 +792,10 @@ define(`devices_make_device_node',`dnl')
 define(`create_netif_interfaces',``
 #######################################
 #
-# corenetwork_network_tcp_on_$1_interface(domain,[`optional'])
+# corenetwork_network_tcp_on_$1_interface(domain)
 #
 define(`corenetwork_network_tcp_on_$1_interface',`
-requires_block_template(`corenetwork_network_tcp_on_$1_interface_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_netif_t:netif { tcp_send tcp_recv };
 ')
 
@@ -878,40 +806,28 @@ class netif { tcp_send tcp_recv };
 
 #######################################
 #
-# corenetwork_network_udp_on_$1_interface(domain,[`optional'])
+# corenetwork_network_udp_on_$1_interface(domain)
 #
 define(`corenetwork_network_udp_on_$1_interface',`
-requires_block_template(`corenetwork_network_udp_on_$1_interface_depend',dollarstwo)
 corenetwork_send_udp_on_$1_interface(dollarsone,dollarstwo)
 corenetwork_receive_udp_on_$1_interface(dollarsone,dollarstwo)
 ')
 
-define(`corenetwork_network_udp_on_$1_interface_depend',`
-corenetwork_send_udp_on_$1_interface_depend
-corenetwork_receive_udp_on_$1_interface_depend
-')
-
 #######################################
 #
-# corenetwork_network_raw_on_$1_interface(domain,[`optional'])
+# corenetwork_network_raw_on_$1_interface(domain)
 #
 define(`corenetwork_network_raw_on_$1_interface',`
-requires_block_template(`corenetwork_network_raw_on_$1_interface_depend',dollarstwo)
 corenetwork_send_raw_on_$1_interface(dollarsone,dollarstwo)
 corenetwork_receive_raw_on_$1_interface(dollarsone,dollarstwo)
 ')
 
-define(`corenetwork_network_raw_on_$1_interface_depend',`
-corenetwork_send_raw_on_$1_interface_depend
-corenetwork_receive_raw_on_$1_interface_depend
-')
-
 #######################################
 #
-# corenetwork_send_udp_on_$1_interface(domain,[`optional'])
+# corenetwork_send_udp_on_$1_interface(domain)
 #
 define(`corenetwork_send_udp_on_$1_interface',`
-requires_block_template(`corenetwork_send_udp_on_$1_interface_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_netif_t:netif udp_send;
 ')
 
@@ -922,10 +838,10 @@ class netif udp_send;
 
 #######################################
 #
-# corenetwork_receive_udp_on_$1_interface(domain,[`optional'])
+# corenetwork_receive_udp_on_$1_interface(domain)
 #
 define(`corenetwork_receive_udp_on_$1_interface',`
-requires_block_template(`corenetwork_receive_udp_on_$1_interface_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_netif_t:netif udp_recv;
 ')
 
@@ -936,10 +852,10 @@ class netif udp_recv;
 
 #######################################
 #
-# corenetwork_send_raw_on_$1_interface(domain,[`optional'])
+# corenetwork_send_raw_on_$1_interface(domain)
 #
 define(`corenetwork_send_raw_on_$1_interface',`
-requires_block_template(`corenetwork_send_raw_on_$1_interface_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_netif_t:netif rawip_send;
 allow dollarsone self:capability net_raw;
 ')
@@ -952,10 +868,10 @@ class capability net_raw;
 
 #######################################
 #
-# corenetwork_receive_raw_on_$1_interface(domain,[`optional'])
+# corenetwork_receive_raw_on_$1_interface(domain)
 #
 define(`corenetwork_receive_raw_on_$1_interface',`
-requires_block_template(`corenetwork_receive_raw_on_$1_interface_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_netif_t:netif rawip_recv;
 ')
 
@@ -974,10 +890,10 @@ class netif rawip_recv;
 define(`create_node_interfaces',``
 #######################################
 #
-# corenetwork_network_tcp_on_$1_node(domain,[`optional'])
+# corenetwork_network_tcp_on_$1_node(domain)
 #
 define(`corenetwork_network_tcp_on_$1_node',`
-requires_block_template(`corenetwork_network_tcp_on_$1_node_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_node_t:node { tcp_send tcp_recv };
 ')
 
@@ -988,40 +904,28 @@ class node { tcp_send tcp_recv };
 
 #######################################
 #
-# corenetwork_network_udp_on_$1_node(domain,[`optional'])
+# corenetwork_network_udp_on_$1_node(domain)
 #
 define(`corenetwork_network_udp_on_$1_node',`
-requires_block_template(`corenetwork_network_udp_on_$1_node_depend',dollarstwo)
-corenetwork_send_udp_on_$1_node(dollarsone,dollarstwo)
-corenetwork_receive_udp_on_$1_node(dollarsone,dollarstwo)
-')
-
-define(`corenetwork_network_udp_on_$1_node_depend',`
-corenetwork_send_udp_on_$1_node_depend
-corenetwork_receive_udp_on_$1_node_depend
+corenetwork_send_udp_on_$1_node(dollarsone)
+corenetwork_receive_udp_on_$1_node(dollarsone)
 ')
 
 #######################################
 #
-# corenetwork_network_raw_on_$1_node(domain,[`optional'])
+# corenetwork_network_raw_on_$1_node(domain)
 #
 define(`corenetwork_network_raw_on_$1_node',`
-requires_block_template(`corenetwork_network_raw_on_$1_node_depend',dollarstwo)
-corenetwork_send_raw_on_$1_node(dollarsone,dollarstwo)
-corenetwork_receive_raw_on_$1_node(dollarsone,dollarstwo)
-')
-
-define(`corenetwork_network_raw_on_$1_node_depend',`
-corenetwork_send_raw_on_$1_node_depend
-corenetwork_receive_raw_on_$1_node_depend
+corenetwork_send_raw_on_$1_node(dollarsone)
+corenetwork_receive_raw_on_$1_node(dollarsone)
 ')
 
 #######################################
 #
-# corenetwork_send_udp_on_$1_node(domain,[`optional'])
+# corenetwork_send_udp_on_$1_node(domain)
 #
 define(`corenetwork_send_udp_on_$1_node',`
-requires_block_template(`corenetwork_send_udp_on_$1_node_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_node_t:node udp_send;
 ')
 
@@ -1032,10 +936,10 @@ class node udp_send;
 
 #######################################
 #
-# corenetwork_receive_udp_on_$1_node(domain,[`optional'])
+# corenetwork_receive_udp_on_$1_node(domain)
 #
 define(`corenetwork_receive_udp_on_$1_node',`
-requires_block_template(`corenetwork_receive_udp_on_$1_node_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_node_t:node udp_recv;
 ')
 
@@ -1046,10 +950,10 @@ class node udp_recv;
 
 #######################################
 #
-# corenetwork_send_raw_on_$1_node(domain,[`optional'])
+# corenetwork_send_raw_on_$1_node(domain)
 #
 define(`corenetwork_send_raw_on_$1_node',`
-requires_block_template(`corenetwork_send_raw_on_$1_node_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_node_t:node rawip_send;
 allow dollarsone self:capability net_raw;
 ')
@@ -1062,10 +966,10 @@ class capability net_raw;
 
 #######################################
 #
-# corenetwork_receive_raw_on_$1_node(domain,[`optional'])
+# corenetwork_receive_raw_on_$1_node(domain)
 #
 define(`corenetwork_receive_raw_on_$1_node',`
-requires_block_template(`corenetwork_receive_raw_on_$1_node_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_node_t:node rawip_recv;
 ')
 
@@ -1076,10 +980,10 @@ class node rawip_recv;
 
 #######################################
 #
-# corenetwork_bind_tcp_on_$1_node(domain,[`optional'])
+# corenetwork_bind_tcp_on_$1_node(domain)
 #
 define(`corenetwork_bind_tcp_on_$1_node',`
-requires_block_template(`corenetwork_bind_tcp_on_$1_node_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_node_t:tcp_socket node_bind;
 ')
 
@@ -1090,10 +994,10 @@ class tcp_socket node_bind;
 
 #######################################
 #
-# corenetwork_bind_udp_on_$1_node(domain,[`optional'])
+# corenetwork_bind_udp_on_$1_node(domain)
 #
 define(`corenetwork_bind_udp_on_$1_node',`
-requires_block_template(`corenetwork_bind_udp_on_$1_node_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_node_t:udp_socket node_bind;
 ')
 
@@ -1112,10 +1016,10 @@ class udp_socket node_bind;
 define(`create_port_interfaces',``
 #######################################
 #
-# corenetwork_network_tcp_on_$1_port(domain,[`optional'])
+# corenetwork_network_tcp_on_$1_port(domain)
 #
 define(`corenetwork_network_tcp_on_$1_port',`
-requires_block_template(`corenetwork_network_tcp_on_$1_port_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_port_t:tcp_socket { send_msg recv_msg };
 ')
 
@@ -1126,25 +1030,19 @@ class tcp_socket { send_msg recv_msg };
 
 #######################################
 #
-# corenetwork_network_udp_on_$1_port(domain,[`optional'])
+# corenetwork_network_udp_on_$1_port(domain)
 #
 define(`corenetwork_network_udp_on_$1_port',`
-requires_block_template(`corenetwork_network_udp_on_$1_port_depend',dollarstwo)
 corenetwork_send_udp_on_$1_port(dollarsone,dollarstwo)
 corenetwork_receive_udp_on_$1_port(dollarsone,dollarstwo)
 ')
 
-define(`corenetwork_network_udp_on_$1_port_depend',`
-corenetwork_send_udp_on_$1_port_depend
-corenetwork_receive_udp_on_$1_port_depend
-')
-
 #######################################
 #
-# corenetwork_send_udp_on_$1_port(domain,[`optional'])
+# corenetwork_send_udp_on_$1_port(domain)
 #
 define(`corenetwork_send_udp_on_$1_port',`
-requires_block_template(`corenetwork_send_udp_on_$1_port_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_port_t:udp_socket send_msg;
 ')
 
@@ -1155,10 +1053,10 @@ class udp_socket send_msg;
 
 #######################################
 #
-# corenetwork_receive_udp_on_$1_port(domain,[`optional'])
+# corenetwork_receive_udp_on_$1_port(domain)
 #
 define(`corenetwork_receive_udp_on_$1_port',`
-requires_block_template(`corenetwork_receive_udp_on_$1_port_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_port_t:udp recv_msg;
 ')
 
@@ -1169,10 +1067,10 @@ class udp_socket recv_msg;
 
 #######################################
 #
-# corenetwork_bind_tcp_on_$1_port(domain,[`optional'])
+# corenetwork_bind_tcp_on_$1_port(domain)
 #
 define(`corenetwork_bind_tcp_on_$1_port',`
-requires_block_template(`corenetwork_bind_tcp_on_$1_port_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_port_t:tcp_socket name_bind;
 $2
 ')
@@ -1185,10 +1083,10 @@ $3
 
 #######################################
 #
-# corenetwork_bind_udp_on_$1_port(domain,[`optional'])
+# corenetwork_bind_udp_on_$1_port(domain)
 #
 define(`corenetwork_bind_udp_on_$1_port',`
-requires_block_template(`corenetwork_bind_udp_on_$1_port_depend',dollarstwo)
+requires_block_template(`dollarszero'_depend)
 allow dollarsone $1_port_t:udp_socket name_bind;
 $2
 ')
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index a1db7452..b93c642f 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -2,10 +2,10 @@
 
 ########################################
 #
-# devices_make_device_node(type,[`optional'])
+# devices_make_device_node(type)
 #
 define(`devices_make_device_node',`
-requires_block_template(devices_make_device_node_depend,$2)
+requires_block_template(`$0'_depend)
 typeattribute $1 device_node;
 filesystem_associate($1,optional)
 filesystem_tmpfs_associate($1,optional)
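Review bot: The rule in corenetwork_receive_udp_on_$1_port names the object class `udp` — `allow dollarsone $1_port_t:udp recv_msg;` — while the depend block that follows (its `class udp_socket recv_msg;` line is visible as the next hunk's header context) and the sibling corenetwork_send_udp_on_$1_port use `udp_socket`. The line is untouched context, but since this template is expanded once per port every generated receive interface carries the mismatch, so it is worth fixing here as `allow dollarsone $1_port_t:udp_socket recv_msg;`.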
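Review bot: In devices_create_dev_entry the new `requires_block_template(`$0'_depend)` expands to `devices_create_dev_entry_depend`, whereas the removed line pointed at `devices_set_dev_entry_depend`, so the referenced macro name changes with this hunk. The depend block itself lies below the hunk (only its `class dir { getattr search read write add_name remove_name };` line is visible in the next hunk's header), so I cannot confirm which name it carries; if it is still defined as `devices_set_dev_entry_depend`, the requires block for this interface silently disappears. Either rename the depend block to match or keep the explicit name in the call.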
@@ -19,10 +19,10 @@ filesystem_tmpfs_associate_depend
 
 ########################################
 #
-# devices_manage_all_devices_labels(type,[`optional'])
+# devices_manage_all_devices_labels(domain)
 #
 define(`devices_manage_all_devices_labels',`
-requires_block_template(devices_manage_all_devices_labels_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_node:dir { getattr relabelfrom };
 allow $1 device_node:file { getattr relabelfrom };
 allow $1 device_node:lnk_file { getattr relabelfrom };
@@ -46,10 +46,10 @@ class chr_file { getattr relabelfrom relabelto };
 
 ########################################
 #
-# devices_list_device_nodes(type,[`optional'])
+# devices_list_device_nodes(domain)
 #
 define(`devices_list_device_nodes',`
-requires_block_template(devices_list_device_nodes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 device_t:lnk_file { getattr read };
 ')
@@ -62,10 +62,10 @@ class lnk_file { getattr read };
 
 ########################################
 #
-# devices_ignore_list_device_nodes(type,[`optional'])
+# devices_ignore_list_device_nodes(domain)
 #
 define(`devices_ignore_list_device_nodes',`
-requires_block_template(devices_ignore_list_device_nodes_depend,$2)
+requires_block_template(`$0'_depend)
 dontaudit $1 device_t:dir { getattr read search };
 ')
 
@@ -76,10 +76,10 @@ class dir { getattr read search };
 
 ########################################
 #
-# devices_manage_device_nodes(type,[`optional'])
+# devices_manage_device_nodes(domain)
 #
 define(`devices_manage_device_nodes',`
-requires_block_template(devices_manage_device_nodes_depend,$2)
+requires_block_template(`$0'_depend)
 allow udev_t device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
 allow udev_t device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
 allow udev_t device_t:lnk_file { create read getattr setattr link unlink rename };
@@ -107,10 +107,10 @@ class blk_file { create ioctl read getattr lock write setattr append link unlink
 
 ########################################
 #
-# devices_ignore_modify_generic_devices(type,[`optional'])
+# devices_ignore_modify_generic_devices(domain)
 #
 define(`devices_ignore_modify_generic_devices',`
-requires_block_template(devices_ignore_modify_generic_devices_depend,$2)
+requires_block_template(`$0'_depend)
 dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
 ')
 
@@ -122,10 +122,10 @@ class blk_file { getattr read write ioctl };
 
 ########################################
 #
-# devices_create_dev_entry(domain,file,objectclass(es),[`optional'])
+# devices_create_dev_entry(domain,file,objectclass(es))
 #
 define(`devices_create_dev_entry',`
-requires_block_template(devices_set_dev_entry_depend,$4)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr search read write add_name remove_name };
 type_transition $1 device_t:$3 $2;
 ')
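Review bot: devices_manage_device_nodes is now documented as taking a `domain`, yet its rules are written against the hard-coded `udev_t` — `allow udev_t device_t:dir { ... };` and the two lines after it — so `$1` is never used: a caller other than udev receives no permissions, and every caller grants them to udev_t instead. The three visible allow lines should use `$1` as the source type, and the rest of the body, which continues past the hunk, presumably needs the same. These are context lines, so the defect predates the commit, but the comment change makes the contract explicit and the body now contradicts it.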
@@ -137,10 +137,10 @@ class dir { getattr search read write add_name remove_name };
 
 ########################################
 #
-# devices_get_all_block_device_attributes(domain,[`optional'])
+# devices_get_all_block_device_attributes(domain)
 #
 define(`devices_get_all_block_device_attributes',`
-requires_block_template(devices_get_all_block_device_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_node:blk_file getattr;
 ')
 
@@ -151,10 +151,10 @@ class blk_file getattr;
 
 ########################################
 #
-# devices_get_all_character_device_attributes(domain,[`optional'])
+# devices_get_all_character_device_attributes(domain)
 #
 define(`devices_get_all_character_device_attributes',`
-requires_block_template(devices_get_all_character_device_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_node:chr_file getattr;
 ')
 
@@ -165,10 +165,10 @@ class chr_file getattr;
 
 ########################################
 #
-# devices_set_all_block_device_attributes(domain,[`optional'])
+# devices_set_all_block_device_attributes(domain)
 #
 define(`devices_set_all_block_device_attributes',`
-requires_block_template(devices_set_all_block_device_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_node:blk_file setattr;
 ')
 
@@ -179,10 +179,10 @@ class blk_file setattr;
 
 ########################################
 #
-# devices_set_all_character_device_attributes(domain,[`optional'])
+# devices_set_all_character_device_attributes(domain)
 #
 define(`devices_set_all_character_device_attributes',`
-requires_block_template(devices_set_all_character_device_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_node:chr_file setattr;
 ')
 
@@ -193,10 +193,10 @@ class chr_file setattr;
 
 ########################################
 #
-# devices_raw_read_memory(domain,[`optional'])
+# devices_raw_read_memory(domain)
 #
 define(`devices_raw_read_memory',`
-requires_block_template(devices_raw_read_memory_depend,$2)
+requires_block_template(`$0'_depend)
 typeattribute $1 memory_raw_read;
 allow $1 device_t:dir { getattr read search };
 allow $1 memory_device_t:chr_file { getattr read ioctl };
@@ -213,10 +213,10 @@ class capability sys_rawio;
 
 ########################################
 #
-# devices_raw_write_memory(domain,[`optional'])
+# devices_raw_write_memory(domain)
 #
 define(`devices_raw_write_memory',`
-requires_block_template(devices_raw_write_memory_depend,$2)
+requires_block_template(`$0'_depend)
 typeattribute $1 memory_raw_write
 allow $1 device_t:dir { getattr read search };
 allow $1 memory_device_t:chr_file write;
@@ -233,10 +233,10 @@ class capability sys_rawio;
 
 ########################################
 #
-# devices_get_random_data(domain,[`optional'])
+# devices_get_random_data(domain)
 #
 define(`devices_get_random_data',`
-requires_block_template(devices_get_random_data_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 random_device_t:chr_file { getattr read ioctl };
 ')
@@ -249,10 +249,10 @@ class chr_file { getattr read ioctl };
 
 ########################################
 #
-# devices_get_pseudorandom_data(domain,[`optional'])
+# devices_get_pseudorandom_data(domain)
 #
 define(`devices_get_pseudorandom_data',`
-requires_block_template(devices_get_pseudorandom_data_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 urandom_device_t:chr_file { getattr read ioctl };
 ')
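Review bot: In devices_raw_write_memory the statement `typeattribute $1 memory_raw_write` has no terminating semicolon, unlike its twin `typeattribute $1 memory_raw_read;` in the preceding hunk, so the policy parser will run it together with the `allow` on the next line. It is a context line, but it is one character away from the sibling and ends up in every policy built from this file: `typeattribute $1 memory_raw_write;`.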
@@ -265,10 +265,10 @@ class chr_file { getattr read ioctl };
 
 ########################################
 #
-# devices_add_entropy(domain,[`optional'])
+# devices_add_entropy(domain)
 #
 define(`devices_add_entropy',`
-requires_block_template(devices_add_entropy_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 random_device_t:chr_file { getattr write ioctl };
 ')
@@ -281,10 +281,10 @@ class chr_file { getattr write ioctl };
 
 ########################################
 #
-# devices_set_pseudorandom_seed(domain,[`optional'])
+# devices_set_pseudorandom_seed(domain)
 #
 define(`devices_set_pseudorandom_seed',`
-requires_block_template(devices_set_pseudorandom_seed_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 urandom_device_t:chr_file { getattr write ioctl };
 ')
@@ -297,10 +297,10 @@ class chr_file { getattr write ioctl };
 
 ########################################
 #
-# devices_discard_data_stream(domain,[`optional'])
+# devices_discard_data_stream(domain)
 #
 define(`devices_discard_data_stream',`
-requires_block_template(devices_discard_data_stream_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 null_device_t:chr_file { getattr append write };
 ')
@@ -313,10 +313,10 @@ class chr_file { getattr append write };
 
 ########################################
 #
-# devices_get_zeros(domain,[`optional'])
+# devices_get_zeros(domain)
 #
 define(`devices_get_zeros',`
-requires_block_template(devices_get_zeros_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 zero_device_t:chr_file { getattr read };
 ')
@@ -329,10 +329,10 @@ class chr_file { getattr read };
 
 ########################################
 #
-# devices_read_realtime_clock(domain,[`optional'])
+# devices_read_realtime_clock(domain)
 #
 define(`devices_read_realtime_clock',`
-requires_block_template(devices_read_realtime_clock_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 clock_device_t:chr_file { getattr read ioctl };
 ')
@@ -345,10 +345,10 @@ class chr_file { getattr read ioctl };
 
 ########################################
 #
-# devices_record_sound_input(domain,[`optional'])
+# devices_record_sound_input(domain)
 #
 define(`devices_record_sound_input',`
-requires_block_template(devices_record_sound_input_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 sound_device_t:chr_file { getattr read ioctl };
 ')
@@ -361,10 +361,10 @@ class chr_file { getattr read ioctl };
 
 ########################################
 #
-# devices_play_sound(domain,[`optional'])
+# devices_play_sound(domain)
 #
 define(`devices_play_sound',`
-requires_block_template(devices_play_sound_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 sound_device_t:chr_file { getattr write ioctl };
 ')
@@ -377,10 +377,10 @@ class chr_file { getattr write ioctl };
 
 ########################################
 #
-# devices_read_sound_mixer_levels(domain,[`optional'])
+# devices_read_sound_mixer_levels(domain)
 #
 define(`devices_read_sound_mixer_levels',`
-requires_block_template(devices_read_sound_mixer_levels_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 sound_device_t:chr_file { getattr read ioctl };
 ')
@@ -393,10 +393,10 @@ class chr_file { getattr read ioctl };
 
 ########################################
 #
-# devices_write_sound_mixer_levels(domain,[`optional'])
+# devices_write_sound_mixer_levels(domain)
 #
 define(`devices_write_sound_mixer_levels',`
-requires_block_template(devices_write_sound_mixer_levels_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 sound_device_t:chr_file { getattr write ioctl };
 ')
@@ -409,10 +409,10 @@ class chr_file { getattr write ioctl };
 
 ########################################
 #
-# devices_direct_agp_access(domain,[`optional'])
+# devices_direct_agp_access(domain)
 #
 define(`devices_direct_agp_access',`
-requires_block_template(devices_direct_agp_access_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 agp_device_t:chr_file { getattr read write ioctl };
 ')
@@ -425,10 +425,10 @@ class chr_file { getattr read write ioctl };
 
 ########################################
 #
-# devices_use_direct_rendering_interface(domain,[`optional'])
+# devices_use_direct_rendering_interface(domain)
 #
 define(`devices_use_direct_rendering_interface',`
-requires_block_template(devices_use_direct_rendering_interface_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 dri_device_t:chr_file { getattr read ioctl };
 ')
@@ -441,10 +441,10 @@ class chr_file { getattr read write ioctl };
 
 ########################################
 #
-# devices_read_mtrr(domain,[`optional'])
+# devices_read_mtrr(domain)
 #
 define(`devices_read_mtrr',`
-requires_block_template(devices_read_mtrr_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 mtrr_device_t:chr_file { getattr read ioctl };
 ')
@@ -457,10 +457,10 @@ class chr_file { getattr read ioctl };
 
 ########################################
 #
-# devices_write_mtrr(domain,[`optional'])
+# devices_write_mtrr(domain)
 #
 define(`devices_write_mtrr',`
-requires_block_template(devices_write_mtrr_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 mtrr_device_t:chr_file { getattr write ioctl };
 ')
@@ -472,10 +472,10 @@ class chr_file { getattr write ioctl };
 
 ########################################
 #
-# devices_read_framebuffer(domain,[`optional'])
+# devices_read_framebuffer(domain)
 #
 define(`devices_read_framebuffer',`
-requires_block_template(devices_read_framebuffer_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 framebuf_device_t:chr_file { getattr read ioctl };
 ')
@@ -488,10 +488,10 @@ class chr_file { getattr read ioctl };
 
 ########################################
 #
-# devices_write_framebuffer(domain,[`optional'])
+# devices_write_framebuffer(domain)
 #
 define(`devices_write_framebuffer',`
-requires_block_template(devices_write_framebuffer_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 framebuf_device_t:chr_file { getattr write ioctl };
 ')
@@ -504,10 +504,10 @@ class chr_file { getattr write ioctl };
 
 ########################################
 #
-# devices_read_misc(domain,[`optional'])
+# devices_read_misc(domain)
 #
 define(`devices_read_misc',`
-requires_block_template(devices_read_misc_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 misc_device_t:chr_file { getattr read ioctl };
 ')
@@ -520,10 +520,10 @@ class chr_file { getattr read ioctl };
 
 ########################################
 #
-# devices_write_misc(domain,[`optional'])
+# devices_write_misc(domain)
 #
 define(`devices_write_misc',`
-requires_block_template(devices_write_misc_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 misc_device_t:chr_file { getattr write ioctl };
 ')
@@ -536,10 +536,10 @@ class chr_file { getattr write ioctl };
 
 ########################################
 #
-# devices_get_mouse_input(domain,[`optional'])
+# devices_get_mouse_input(domain)
 #
 define(`devices_get_mouse_input',`
-requires_block_template(devices_get_mouse_input_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 mouse_device_t:chr_file { getattr read ioctl };
 ')
@@ -552,10 +552,10 @@ class chr_file { getattr read ioctl };
 
 ########################################
 #
-# devices_get_input_event(domain,[`optional'])
+# devices_get_input_event(domain)
 #
 define(`devices_get_input_event',`
-requires_block_template(devices_get_input_event_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 event_device_t:chr_file { getattr read ioctl };
 ')
@@ -568,10 +568,10 @@ class chr_file { getattr read ioctl };
 
 ########################################
 #
-# devices_get_cpuid(domain,[`optional'])
+# devices_get_cpuid(domain)
 #
 define(`devices_get_cpuid',`
-requires_block_template(devices_get_cpuid_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 cpu_device_t:chr_file { getattr read ioctl };
 ')
@@ -584,10 +584,10 @@ class chr_file { getattr read ioctl };
 
 ########################################
 #
-# devices_load_cpu_microcode(domain,[`optional'])
+# devices_load_cpu_microcode(domain)
 #
 define(`devices_load_cpu_microcode',`
-requires_block_template(devices_load_cpu_microcode_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 cpu_device_t:chr_file { getattr read write ioctl };
 ')
@@ -600,10 +600,10 @@ class chr_file { getattr read write ioctl };
 
 ########################################
 #
-# devices_use_scanner(domain,[`optional'])
+# devices_use_scanner(domain)
 #
 define(`devices_use_scanner',`
-requires_block_template(devices_use_scanner_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 scanner_device_t:chr_file { getattr read write ioctl };
 ')
@@ -616,10 +616,10 @@ class chr_file { getattr read write ioctl };
 
 ########################################
 #
-# devices_control_system_powermanagement(domain,[`optional'])
+# devices_control_system_powermanagement(domain)
 #
 define(`devices_control_system_powermanagement',`
-requires_block_template(devices_control_system_powermanagement_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 device_t:dir { getattr read search };
 allow $1 power_device_t:chr_file { getattr read write ioctl };
 ')
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index a259c594..d9ca4b18 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2,10 +2,10 @@
 
 ########################################
 #
-# filesystem_make_filesystem(type,[`optional'])
+# filesystem_make_filesystem(type)
 #
 define(`filesystem_make_filesystem',`
-requires_block_template(filesystem_make_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 typeattribute $1 fs_type;
 ')
 
@@ -15,10 +15,10 @@ attribute fs_type;
 
 ########################################
 #
-# filesystem_associate(type,[`optional'])
+# filesystem_associate(type)
 #
 define(`filesystem_associate',`
-requires_block_template(filesystem_associate_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 fs_t:filesystem associate;
 ')
 
@@ -29,10 +29,10 @@ class filesystem associate;
 
 ########################################
 #
-# filesystem_noxattr_associate(type,[`optional'])
+# filesystem_noxattr_associate(type)
 #
 define(`filesystem_noxattr_associate',`
-requires_block_template(filesystem_noxattr_associate_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 autofs_t:filesystem associate;
 allow $1 cifs_t:filesystem associate;
 allow $1 dosfs_t:filesystem associate;
@@ -49,10 +49,10 @@ class filesystem associate;
 
 ########################################
 #
-# filesystem_mount_persistent_filesystem(domain,[`optional'])
+# filesystem_mount_persistent_filesystem(domain)
 #
 define(`filesystem_mount_persistent_filesystem',`
-requires_block_template(filesystem_mount_persistent_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 fs_t:filesystem mount;
 ')
 
@@ -63,10 +63,10 @@ class filesystem mount;
 
 ########################################
 #
-# filesystem_remount_persistent_filesystem(domain,[`optional'])
+# filesystem_remount_persistent_filesystem(domain)
 #
 define(`filesystem_remount_persistent_filesystem',`
-requires_block_template(filesystem_remount_persistent_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 fs_t:filesystem remount;
 ')
 
@@ -77,10 +77,10 @@ class filesystem remount;
 
 ########################################
 #
-# filesystem_unmount_persistent_filesystem(domain,[`optional'])
+# filesystem_unmount_persistent_filesystem(domain)
 #
 define(`filesystem_unmount_persistent_filesystem',`
-requires_block_template(filesystem_unmount_persistent_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 fs_t:filesystem mount;
 ')
 
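Review bot: `filesystem_unmount_persistent_filesystem` grants `allow $1 fs_t:filesystem mount;` although the interface is named unmount and its depend block declares the unmount permission (the `class filesystem unmount;` context carried by the next hunk header), so a caller receives mount, which it did not ask for, and not unmount, which it needs; the line should read `allow $1 fs_t:filesystem unmount;`. The same copy-paste survives in the unmount interfaces for autofs_t, cifs_t, dosfs_t, iso9660_t, nfs_t, nfsd_fs_t, ramfs_t, romfs_t, rpc_pipefs_t and tmpfs_t in the later hunks of this file; only `filesystem_unmount_all_filesystems` uses unmount. The commit rewrites only the requires line of each macro, so the mismatch between the granted permission and the declared dependency is left in place.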
@@ -91,10 +91,10 @@ class filesystem unmount;
 
 ########################################
 #
-# filesystem_get_persistent_filesystem_attributes(domain,[`optional'])
+# filesystem_get_persistent_filesystem_attributes(domain)
 #
 define(`filesystem_get_persistent_filesystem_attributes',`
-requires_block_template(filesystem_get_persistent_filesystem_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 fs_t:filesystem getattr;
 ')
 
@@ -105,10 +105,10 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_ignore_get_persistent_filesystem_attributes(domain,[`optional'])
+# filesystem_ignore_get_persistent_filesystem_attributes(domain)
 #
 define(`filesystem_ignore_get_persistent_filesystem_attributes',`
-requires_block_template(filesystem_ignore_get_persistent_filesystem_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 dontaudit $1 fs_t:filesystem getattr;
 ')
 
@@ -119,10 +119,10 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_mount_automount_filesystem(domain,[`optional'])
+# filesystem_mount_automount_filesystem(domain)
 #
 define(`filesystem_mount_automount_filesystem',`
-requires_block_template(filesystem_mount_automount_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 autofs_t:filesystem mount;
 ')
 
@@ -133,10 +133,10 @@ class filesystem mount;
 
 ########################################
 #
-# filesystem_remount_automount_filesystem(domain,[`optional'])
+# filesystem_remount_automount_filesystem(domain)
 #
 define(`filesystem_remount_automount_filesystem',`
-requires_block_template(filesystem_remount_automount_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 autofs_t:filesystem remount;
 ')
 
@@ -147,10 +147,10 @@ class filesystem remount;
 
 ########################################
 #
-# filesystem_unmount_automount_filesystem(domain,[`optional'])
+# filesystem_unmount_automount_filesystem(domain)
 #
 define(`filesystem_unmount_automount_filesystem',`
-requires_block_template(filesystem_unmount_automount_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 autofs_t:filesystem mount;
 ')
 
@@ -161,10 +161,10 @@ class filesystem unmount;
 
 ########################################
 #
-# filesystem_get_automount_filesystem_attributes(domain,[`optional'])
+# filesystem_get_automount_filesystem_attributes(domain)
 #
 define(`filesystem_get_automount_filesystem_attributes',`
-requires_block_template(filesystem_get_automount_filesystem_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 autofs_t:filesystem getattr;
 ')
 
@@ -175,10 +175,10 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_register_binary_executable_type(domain,[`optional'])
+# filesystem_register_binary_executable_type(domain)
 #
 define(`filesystem_register_binary_executable_type',`
-requires_block_template(filesystem_register_binary_executable_type_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 binfmt_misc_fs_t:dir { getattr search };
 allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
 ')
@@ -191,10 +191,10 @@ class file { getattr ioctl write };
 
 ########################################
 #
-# filesystem_mount_windows_network_filesystem(domain,[`optional'])
+# filesystem_mount_windows_network_filesystem(domain)
 #
 define(`filesystem_mount_windows_network_filesystem',`
-requires_block_template(filesystem_mount_windows_network_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 cifs_t:filesystem mount;
 ')
 
@@ -205,10 +205,10 @@ class filesystem mount;
 
 ########################################
 #
-# filesystem_remount_windows_network_filesystem(domain,[`optional'])
+# filesystem_remount_windows_network_filesystem(domain)
 #
 define(`filesystem_remount_windows_network_filesystem',`
-requires_block_template(filesystem_remount_windows_network_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 cifs_t:filesystem remount;
 ')
 
@@ -219,10 +219,10 @@ class filesystem remount;
 
 ########################################
 #
-# filesystem_unmount_windows_network_filesystem(domain,[`optional'])
+# filesystem_unmount_windows_network_filesystem(domain)
 #
 define(`filesystem_unmount_windows_network_filesystem',`
-requires_block_template(filesystem_unmount_windows_network_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 cifs_t:filesystem mount;
 ')
 
@@ -233,10 +233,10 @@ class filesystem unmount;
 
 ########################################
 #
-# filesystem_get_windows_network_filesystem_attributes(domain,[`optional'])
+# filesystem_get_windows_network_filesystem_attributes(domain)
 #
 define(`filesystem_get_windows_network_filesystem_attributes',`
-requires_block_template(filesystem_get_windows_network_filesystem_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 cifs_t:filesystem getattr;
 ')
 
@@ -247,10 +247,10 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_mount_dos_filesystem(domain,[`optional'])
+# filesystem_mount_dos_filesystem(domain)
 #
 define(`filesystem_mount_dos_filesystem',`
-requires_block_template(filesystem_mount_dos_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 dosfs_t:filesystem mount;
 ')
 
@@ -261,10 +261,10 @@ class filesystem mount;
 
 ########################################
 #
-# filesystem_remount_dos_filesystem(domain,[`optional'])
+# filesystem_remount_dos_filesystem(domain)
 #
 define(`filesystem_remount_dos_filesystem',`
-requires_block_template(filesystem_remount_dos_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 dosfs_t:filesystem remount;
 ')
 
@@ -275,10 +275,10 @@ class filesystem remount;
 
 ########################################
 #
-# filesystem_unmount_dos_filesystem(domain,[`optional'])
+# filesystem_unmount_dos_filesystem(domain)
 #
 define(`filesystem_unmount_dos_filesystem',`
-requires_block_template(filesystem_unmount_dos_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 dosfs_t:filesystem mount;
 ')
 
@@ -289,10 +289,10 @@ class filesystem unmount;
 
 ########################################
 #
-# filesystem_get_dos_filesystem_attributes(domain,[`optional'])
+# filesystem_get_dos_filesystem_attributes(domain)
 #
 define(`filesystem_get_dos_filesystem_attributes',`
-requires_block_template(filesystem_get_dos_filesystem_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 dosfs_t:filesystem getattr;
 ')
 
@@ -303,10 +303,10 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_mount_cd_filesystem(domain,[`optional'])
+# filesystem_mount_cd_filesystem(domain)
 #
 define(`filesystem_mount_cd_filesystem',`
-requires_block_template(filesystem_mount_cd_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 iso9660_t:filesystem mount;
 ')
 
@@ -317,10 +317,10 @@ class filesystem mount;
 
 ########################################
 #
-# filesystem_remount_cd_filesystem(domain,[`optional'])
+# filesystem_remount_cd_filesystem(domain)
 #
 define(`filesystem_remount_cd_filesystem',`
-requires_block_template(filesystem_remount_cd_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 iso9660_t:filesystem remount;
 ')
 
@@ -331,10 +331,10 @@ class filesystem remount;
 
 ########################################
 #
-# filesystem_unmount_cd_filesystem(domain,[`optional'])
+# filesystem_unmount_cd_filesystem(domain)
 #
 define(`filesystem_unmount_cd_filesystem',`
-requires_block_template(filesystem_unmount_cd_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 iso9660_t:filesystem mount;
 ')
 
@@ -345,10 +345,10 @@ class filesystem unmount;
 
 ########################################
 #
-# filesystem_get_cd_filesystem_attributes(domain,[`optional'])
+# filesystem_get_cd_filesystem_attributes(domain)
 #
 define(`filesystem_get_cd_filesystem_attributes',`
-requires_block_template(filesystem_get_cd_filesystem_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 iso9660_t:filesystem getattr;
 ')
 
@@ -359,10 +359,10 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_mount_nfs_filesystem(domain,[`optional'])
+# filesystem_mount_nfs_filesystem(domain)
 #
 define(`filesystem_mount_nfs_filesystem',`
-requires_block_template(filesystem_mount_nfs_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 nfs_t:filesystem mount;
 ')
 
@@ -373,10 +373,10 @@ class filesystem mount;
 
 ########################################
 #
-# filesystem_remount_nfs_filesystem(domain,[`optional'])
+# filesystem_remount_nfs_filesystem(domain)
 #
 define(`filesystem_remount_nfs_filesystem',`
-requires_block_template(filesystem_remount_nfs_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 nfs_t:filesystem remount;
 ')
 
@@ -387,10 +387,10 @@ class filesystem remount;
 
 ########################################
 #
-# filesystem_unmount_nfs_filesystem(domain,[`optional'])
+# filesystem_unmount_nfs_filesystem(domain)
 #
 define(`filesystem_unmount_nfs_filesystem',`
-requires_block_template(filesystem_unmount_nfs_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 nfs_t:filesystem mount;
 ')
 
@@ -401,10 +401,10 @@ class filesystem unmount;
 
 ########################################
 #
-# filesystem_get_nfs_filesystem_attributes(domain,[`optional'])
+# filesystem_get_nfs_filesystem_attributes(domain)
 #
 define(`filesystem_get_nfs_filesystem_attributes',`
-requires_block_template(filesystem_get_nfs_filesystem_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 nfs_t:filesystem getattr;
 ')
 
@@ -415,10 +415,10 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_mount_nfsd_filesystem(domain,[`optional'])
+# filesystem_mount_nfsd_filesystem(domain)
 #
 define(`filesystem_mount_nfsd_filesystem',`
-requires_block_template(filesystem_mount_nfsd_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 nfsd_fs_t:filesystem mount;
 ')
 
@@ -429,10 +429,10 @@ class filesystem mount;
 
 ########################################
 #
-# filesystem_remount_nfsd_filesystem(domain,[`optional'])
+# filesystem_remount_nfsd_filesystem(domain)
 #
 define(`filesystem_remount_nfsd_filesystem',`
-requires_block_template(filesystem_remount_nfsd_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 nfsd_fs_t:filesystem remount;
 ')
 
@@ -443,10 +443,10 @@ class filesystem remount;
 
 ########################################
 #
-# filesystem_unmount_nfsd_filesystem(domain,[`optional'])
+# filesystem_unmount_nfsd_filesystem(domain)
 #
 define(`filesystem_unmount_nfsd_filesystem',`
-requires_block_template(filesystem_unmount_nfsd_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 nfsd_fs_t:filesystem mount;
 ')
 
@@ -457,10 +457,10 @@ class filesystem unmount;
 
 ########################################
 #
-# filesystem_get_nfsd_filesystem_attributes(domain,[`optional'])
+# filesystem_get_nfsd_filesystem_attributes(domain)
 #
 define(`filesystem_get_nfsd_filesystem_attributes',`
-requires_block_template(filesystem_get_nfsd_filesystem_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 nfsd_fs_t:filesystem getattr;
 ')
 
@@ -471,10 +471,10 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_mount_ram_filesystem(domain,[`optional'])
+# filesystem_mount_ram_filesystem(domain)
 #
 define(`filesystem_mount_ram_filesystem',`
-requires_block_template(filesystem_mount_ram_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 ramfs_t:filesystem mount;
 ')
 
@@ -485,10 +485,10 @@ class filesystem mount;
 
 ########################################
 #
-# filesystem_remount_ram_filesystem(domain,[`optional'])
+# filesystem_remount_ram_filesystem(domain)
 #
 define(`filesystem_remount_ram_filesystem',`
-requires_block_template(filesystem_remount_ram_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 ramfs_t:filesystem remount;
 ')
 
@@ -499,10 +499,10 @@ class filesystem remount;
 
 ########################################
 #
-# filesystem_unmount_ram_filesystem(domain,[`optional'])
+# filesystem_unmount_ram_filesystem(domain)
 #
 define(`filesystem_unmount_ram_filesystem',`
-requires_block_template(filesystem_unmount_ram_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 ramfs_t:filesystem mount;
 ')
 
@@ -513,10 +513,10 @@ class filesystem unmount;
 
 ########################################
 #
-# filesystem_get_ram_filesystem_attributes(domain,[`optional'])
+# filesystem_get_ram_filesystem_attributes(domain)
 #
 define(`filesystem_get_ram_filesystem_attributes',`
-requires_block_template(filesystem_get_ram_filesystem_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 ramfs_t:filesystem getattr;
 ')
 
@@ -527,10 +527,10 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_mount_rom_filesystem(domain,[`optional'])
+# filesystem_mount_rom_filesystem(domain)
 #
 define(`filesystem_mount_rom_filesystem',`
-requires_block_template(filesystem_mount_rom_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 romfs_t:filesystem mount;
 ')
 
@@ -541,10 +541,10 @@ class filesystem mount;
 
 ########################################
 #
-# filesystem_remount_rom_filesystem(domain,[`optional'])
+# filesystem_remount_rom_filesystem(domain)
 #
 define(`filesystem_remount_rom_filesystem',`
-requires_block_template(filesystem_remount_rom_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 romfs_t:filesystem remount;
 ')
 
@@ -555,10 +555,10 @@ class filesystem remount;
 
 ########################################
 #
-# filesystem_unmount_rom_filesystem(domain,[`optional'])
+# filesystem_unmount_rom_filesystem(domain)
 #
 define(`filesystem_unmount_rom_filesystem',`
-requires_block_template(filesystem_unmount_rom_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 romfs_t:filesystem mount;
 ')
 
@@ -569,10 +569,10 @@ class filesystem unmount;
 
 ########################################
 #
-# filesystem_get_rom_filesystem_attributes(domain,[`optional'])
+# filesystem_get_rom_filesystem_attributes(domain)
 #
 define(`filesystem_get_rom_filesystem_attributes',`
-requires_block_template(filesystem_get_rom_filesystem_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 romfs_t:filesystem getattr;
 ')
 
@@ -583,10 +583,10 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_mount_rpc_pipefs_filesystem(domain,[`optional'])
+# filesystem_mount_rpc_pipefs_filesystem(domain)
 #
 define(`filesystem_mount_rpc_pipefs_filesystem',`
-requires_block_template(filesystem_mount_rpc_pipefs_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 rpc_pipefs_t:filesystem mount;
 ')
 
@@ -597,10 +597,10 @@ class filesystem mount;
 
 ########################################
 #
-# filesystem_remount_rpc_pipefs_filesystem(domain,[`optional'])
+# filesystem_remount_rpc_pipefs_filesystem(domain)
 #
 define(`filesystem_remount_rpc_pipefs_filesystem',`
-requires_block_template(filesystem_remount_rpc_pipefs_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 rpc_pipefs_t:filesystem remount;
 ')
 
@@ -611,10 +611,10 @@ class filesystem remount;
 
 ########################################
 #
-# filesystem_unmount_rpc_pipefs_filesystem(domain,[`optional'])
+# filesystem_unmount_rpc_pipefs_filesystem(domain)
 #
 define(`filesystem_unmount_rpc_pipefs_filesystem',`
-requires_block_template(filesystem_unmount_rpc_pipefs_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 rpc_pipefs_t:filesystem mount;
 ')
 
@@ -625,10 +625,10 @@ class filesystem unmount;
 
 ########################################
 #
-# filesystem_get_rpc_pipefs_filesystem_attributes(domain,[`optional'])
+# filesystem_get_rpc_pipefs_filesystem_attributes(domain)
 #
 define(`filesystem_get_rpc_pipefs_filesystem_attributes',`
-requires_block_template(filesystem_get_rpc_pipefs_filesystem_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 rpc_pipefs_t:filesystem getattr;
 ')
 
@@ -639,10 +639,10 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_mount_tmpfs_filesystem(domain,[`optional'])
+# filesystem_mount_tmpfs_filesystem(domain)
 #
 define(`filesystem_mount_tmpfs_filesystem',`
-requires_block_template(filesystem_mount_tmpfs_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 tmpfs_t:filesystem mount;
 ')
 
@@ -653,10 +653,10 @@ class filesystem mount;
 
 ########################################
 #
-# filesystem_remount_tmpfs_filesystem(domain,[`optional'])
+# filesystem_remount_tmpfs_filesystem(domain)
 #
 define(`filesystem_remount_tmpfs_filesystem',`
-requires_block_template(filesystem_remount_tmpfs_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 tmpfs_t:filesystem remount;
 ')
 
@@ -667,10 +667,10 @@ class filesystem remount;
 
 ########################################
 #
-# filesystem_unmount_tmpfs_filesystem(domain,[`optional'])
+# filesystem_unmount_tmpfs_filesystem(domain)
 #
 define(`filesystem_unmount_tmpfs_filesystem',`
-requires_block_template(filesystem_unmount_tmpfs_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 tmpfs_t:filesystem mount;
 ')
 
@@ -681,10 +681,10 @@ class filesystem unmount;
 
 ########################################
 #
-# filesystem_get_tmpfs_filesystem_attributes(domain,[`optional'])
+# filesystem_get_tmpfs_filesystem_attributes(domain)
 #
 define(`filesystem_get_tmpfs_filesystem_attributes',`
-requires_block_template(filesystem_get_tmpfs_filesystem_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 tmpfs_t:filesystem getattr;
 ')
 
@@ -695,10 +695,10 @@ class filesystem getattr;
 
 ########################################
 #
-# filesystem_tmpfs_associate(type,[`optional'])
+# filesystem_tmpfs_associate(type)
 #
 define(`filesystem_tmpfs_associate',`
-requires_block_template(filesystem_tmpfs_associate_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 tmpfs_t:filesystem associate;
 ')
 
@@ -709,10 +709,10 @@ class filesystem associate;
 
 ########################################
 #
-# filesystem_create_private_tmpfs_data(domain,derivedtype,[class],[`optional'])
+# filesystem_create_private_tmpfs_data(domain,derivedtype,[class])
 #
 define(`filesystem_create_private_tmpfs_data',`
-requires_block_template(filesystem_create_private_tmpfs_data_depend,$4)
+requires_block_template(`$0'_depend)
 allow $1 tmpfs_t:dir { getattr search read write add_name };
 ifelse(`$3',`',`
 type_transition $1 tmpfs_t:file $2;
@@ -728,10 +728,10 @@ class dir { getattr search read write add_name };
 
 ########################################
 #
-# filesystem_mount_all_filesystems(type,[`optional'])
+# filesystem_mount_all_filesystems(type)
 #
 define(`filesystem_mount_all_filesystems',`
-requires_block_template(filesystem_mount_all_filesystems_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 fs_type:filesystem mount;
 ')
 
@@ -742,10 +742,10 @@ class filesystem mount;
 
 ########################################
 #
-# filesystem_remount_all_filesystems(type,[`optional'])
+# filesystem_remount_all_filesystems(type)
 #
 define(`filesystem_remount_all_filesystems',`
-requires_block_template(filesystem_remount_all_filesystems_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 fs_type:filesystem remount;
 ')
 
@@ -756,10 +756,10 @@ class filesystem remount;
 
 ########################################
 #
-# filesystem_unmount_all_filesystems(type,[`optional'])
+# filesystem_unmount_all_filesystems(type)
 #
 define(`filesystem_unmount_all_filesystems',`
-requires_block_template(filesystem_unmount_all_filesystems_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 fs_type:filesystem unmount;
 ')
 
@@ -770,10 +770,10 @@ class filesystem unmount;
 
 ########################################
 #
-# filesystem_get_all_filesystems_attributes(type,[`optional'])
+# filesystem_get_all_filesystems_attributes(type)
 #
 define(`filesystem_get_all_filesystems_attributes',`
-requires_block_template(filesystem_get_all_filesystems_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 fs_type:filesystem getattr;
 ')
 
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index baad0d90..5e7b5afe 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -2,10 +2,10 @@
 
 ########################################
 #
-# kernel_share_state(domain,[`optional'])
+# kernel_share_state(domain)
 #
 define(`kernel_share_state',`
-requires_block_template(kernel_share_state_depend,$2)
+requires_block_template(`$0'_depend)
 allow kernel_t $1:process share;
 ')
 
@@ -16,10 +16,10 @@ class process share;
 
 ########################################
 #
-# kernel_use_file_descriptors(domain,[`optional'])
+# kernel_use_file_descriptors(domain)
 #
 define(`kernel_use_file_descriptors',`
-requires_block_template(kernel_use_file_descriptors_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 kernel_t:fd use;
 ')
 
@@ -30,10 +30,10 @@ class fd use;
 
 ########################################
 #
-# kernel_ignore_use_file_descriptors(domain,[`optional'])
+# kernel_ignore_use_file_descriptors(domain)
 #
 define(`kernel_ignore_use_file_descriptors',`
-requires_block_template(kernel_ignore_use_file_descriptors_depend,$2)
+requires_block_template(`$0'_depend)
 dontaudit $1 kernel_t:fd use;
 ')
 
@@ -44,10 +44,10 @@ class fd use;
 
 ########################################
 #
-# kernel_make_root_filesystem_mountpoint(domain,[`optional'])
+# kernel_make_root_filesystem_mountpoint(domain)
 #
 define(`kernel_make_root_filesystem_mountpoint',`
-requires_block_template(kernel_make_root_filesystem_mountpoint_depend,$2)
+requires_block_template(`$0'_depend)
 allow kernel_t $1:dir mounton;
 ')
 
@@ -58,10 +58,10 @@ class dir mounton;
 
 ########################################
 #
-# kernel_load_module(domain,[`optional'])
+# kernel_load_module(domain)
 #
 define(`kernel_load_module',`
-requires_block_template(kernel_load_module_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 self:capability sys_module;
 typeattribute $1 can_load_kernmodule;
 ')
@@ -73,10 +73,10 @@ class capability sys_module;
 
 ########################################
 #
-# kernel_kill_unlabeled_process(domain,[`optional'])
+# kernel_kill_unlabeled_process(domain)
 #
 define(`kernel_kill_unlabeled_process',`
-requires_block_template(kernel_kill_unlabeled_process_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 unlabeled_t:process sigkill;
 ')
 
@@ -87,10 +87,10 @@ class process sigkill;
 
 ########################################
 #
-# kernel_relabel_unlabeled_object(domain,[`optional'])
+# kernel_relabel_unlabeled_object(domain)
 #
 define(`kernel_relabel_unlabeled_object',`
-requires_block_template(kernel_relabel_unlabeled_object_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 unlabeled_t:{ dir file lnk_file fifo_file sock_file chr_file blk_file } { getattr relabelfrom };
 ')
 
@@ -107,10 +107,10 @@ class blk_file { getattr relabelfrom };
 
 ########################################
 #
-# kernel_get_selinux_enforcement_mode(domain,[`optional'])
+# kernel_get_selinux_enforcement_mode(domain)
 #
 define(`kernel_get_selinux_enforcement_mode',`
-requires_block_template(kernel_get_selinux_enforcement_mode_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read };
 ')
@@ -123,10 +123,10 @@ class file { getattr read };
 
 ########################################
 #
-# kernel_set_selinux_enforcement_mode(domain,[`optional'])
+# kernel_set_selinux_enforcement_mode(domain)
 #
 define(`kernel_set_selinux_enforcement_mode',`
-requires_block_template(kernel_set_selinux_enforcement_mode_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security setenforce;
@@ -144,10 +144,10 @@ class security setenforce;
 
 ########################################
 #
-# kernel_load_selinux_policy(domain,[`optional'])
+# kernel_load_selinux_policy(domain)
 #
 define(`kernel_load_selinux_policy',`
-requires_block_template(kernel_load_selinux_policy_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security load_policy;
@@ -165,10 +165,10 @@ class security load_policy;
 
 ########################################
 #
-# kernel_set_selinux_boolean(domain,[booltype],[`optional'])
+# kernel_set_selinux_boolean(domain,[booltype])
 #
 define(`kernel_set_selinux_boolean',`
-requires_block_template(kernel_set_selinux_boolean_depend,$3)
+requires_block_template(`$0'_depend)
 ifelse(`$2',`',`
 allow $1 security_t:dir { getattr search read };
 allow $1 security_t:file { getattr read write };
@@ -190,10 +190,10 @@ class security setbool;
 
 ########################################
 #
-# kernel_setsecparam(domain,[`optional'])
+# kernel_setsecparam(domain)
 #
 define(`kernel_setsecparam',`
-requires_block_template(kernel_setsecparam_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security setsecparam;
@@ -211,10 +211,10 @@ class security setsecparam;
 
 ########################################
 #
-# kernel_validate_selinux_context(domain,[`optional'])
+# kernel_validate_selinux_context(domain)
 #
 define(`kernel_validate_selinux_context',`
-requires_block_template(kernel_validate_selinux_context_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security check_context;
@@ -229,10 +229,10 @@ class security check_context;
 
 ########################################
 #
-# kernel_compute_selinux_av(domain,[`optional'])
+# kernel_compute_selinux_av(domain)
 #
 define(`kernel_compute_selinux_av',`
-requires_block_template(kernel_compute_selinux_av_depend)
+requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_av;
@@ -247,10 +247,10 @@ class security compute_av;
 
 ########################################
 #
-# kernel_compute_selinux_create(domain,[`optional'])
+# kernel_compute_selinux_create(domain)
 #
 define(`kernel_compute_create',`
-requires_block_template(kernel_compute_create_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_create;
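Review bot: In the `-247` hunk the header comment documents `kernel_compute_selinux_create(domain)` while the macro defined two lines below is `kernel_compute_create`, and after this change its depend block is resolved from `$0`, i.e. as `kernel_compute_create_depend`, so a policy author who follows the comment calls a macro that does not exist. Since the commit rewrites that comment line anyway, the two names should be made to agree; `kernel_compute_selinux_av` just above suggests the comment carries the intended name, whereas `kernel_compute_relabel` in the following hunk uses the shorter form, so whichever is chosen should be applied to the whole compute_* group. The macro body continues past the end of the hunk.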
@@ -265,10 +265,10 @@ class security compute_create;
 
 ########################################
 #
-# kernel_compute_relabel(domain,[`optional'])
+# kernel_compute_relabel(domain)
 #
 define(`kernel_compute_relabel',`
-requires_block_template(kernel_compute_relabel_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_relabel;
@@ -283,10 +283,10 @@ class security compute_relabel;
 
 ########################################
 #
-# kernel_compute_reachable_user_contexts(domain,[`optional'])
+# kernel_compute_reachable_user_contexts(domain)
 #
 define(`kernel_compute_reachable_user_contexts',`
-requires_block_template(kernel_compute_reachable_user_contexts_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 security_t:dir { read search getattr };
 allow $1 security_t:file { getattr read write };
 allow $1 security_t:security compute_user;
@@ -301,10 +301,10 @@ class security compute_user;
 
 ########################################
 #
-# kernel_read_ring_buffer(domain,[`optional'])
+# kernel_read_ring_buffer(domain)
 #
 define(`kernel_read_ring_buffer',`
-requires_block_template(kernel_read_ring_buffer_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 kernel_t:system syslog_read;
 ')
 
@@ -315,10 +315,10 @@ class system syslog_read;
 
 ########################################
 #
-# kernel_change_ring_buffer_level(domain,[`optional'])
+# kernel_change_ring_buffer_level(domain)
 #
 define(`kernel_change_ring_buffer_level',`
-requires_block_template(kernel_change_ring_buffer_level_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 kernel_t:system syslog_console;
 ')
 
@@ -329,10 +329,10 @@ class system syslog_console;
 
 ########################################
 #
-# kernel_clear_ring_buffer(domain,[`optional'])
+# kernel_clear_ring_buffer(domain)
 #
 define(`kernel_clear_ring_buffer',`
-requires_block_template(kernel_clear_ring_buffer_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 kernel_t:system syslog_mod;
 ')
 
@@ -343,10 +343,10 @@ class system syslog_mod;
 
 ########################################
 #
-# kernel_get_sysvipc_info(domain,[`optional'])
+# kernel_get_sysvipc_info(domain)
 #
 define(`kernel_get_sysvipc_info',`
-requires_block_template(kernel_get_sysvipc_info_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 kernel_t:system ipc_info;
 ')
 
@@ -357,10 +357,10 @@ class system ipc_info;
 
 ########################################
 #
-# kernel_get_selinuxfs_mount_point(domain,[`optional'])
+# kernel_get_selinuxfs_mount_point(domain)
 #
 define(`kernel_get_selinuxfs_mount_point',`
-requires_block_template(kernel_get_selinuxfs_mount_point_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 proc_t:dir search;
 allow $1 proc_t:lnk_file read;
 allow $1 self:dir search;
@@ -376,10 +376,10 @@ class file { getattr read };
 
 ########################################
 #
-# kernel_read_system_state(domain,[`optional'])
+# kernel_read_system_state(domain)
 #
 define(`kernel_read_system_state',`
-requires_block_template(kernel_read_system_state_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 proc_t:dir { getattr search read };
 allow $1 proc_t:{ lnk_file file } { getattr read };
 ')
@@ -396,7 +396,7 @@ class file { getattr read };
 # kernel_ignore_read_system_state(domain)
 #
 define(`kernel_ignore_read_system_state',`
-requires_block_template(kernel_ignore_read_system_state_depend)
+requires_block_template(`$0'_depend)
 allow $1 proc_t:file read;
 ')
 
@@ -407,10 +407,10 @@ class file read; ####################################### # -# kernel_read_software_raid_state(domain,[`optional']) +# kernel_read_software_raid_state(domain) # define(`kernel_read_software_raid_state',` -requires_block_template(kernel_read_software_raid_state_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir { getattr search read }; allow $1 proc_mdstat_t:file { getattr read }; ') @@ -423,10 +423,10 @@ class file { getattr read }; ######################################## # -# kernel_get_core_interface_attributes(domain,[`optional']) +# kernel_get_core_interface_attributes(domain) # define(`kernel_get_core_interface_attributes',` -requires_block_template(kernel_get_core_interface_attributes_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir { getattr search read }; allow $1 proc_kcore_t:file getattr; ') @@ -439,10 +439,10 @@ class file getattr; ######################################## # -# kernel_read_messages(domain,[`optional']) +# kernel_read_messages(domain) # define(`kernel_read_messages',` -requires_block_template(kernel_read_messages_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 proc_kmsg_t:file { getattr read }; typeattribute $1 can_receive_kernel_messages; @@ -457,10 +457,10 @@ class file { getattr read }; ######################################## # -# kernel_get_message_interface_attributes(domain,[`optional']) +# kernel_get_message_interface_attributes(domain) # define(`kernel_get_message_interface_attributes',` -requires_block_template(kernel_get_message_interface_attributes_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 proc_kmsg_t:file getattr; ') 
@@ -476,7 +476,7 @@ class file getattr; # kernel_ignore_get_message_interface_attributes(domain) # define(`kernel_ignore_get_message_interface_attributes',` -requires_block_template(kernel_ignore_get_message_interface_attributes_depend) +requires_block_template(`$0'_depend) dontaudit $1 proc_kmsg_t:file getattr; ') @@ -487,10 +487,10 @@ class file getattr; ######################################## # -# kernel_read_network_state(domain,[`optional']) +# kernel_read_network_state(domain) # define(`kernel_read_network_state',` -requires_block_template(kernel_read_network_state_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 proc_net_t:dir { getattr search read }; allow $1 proc_net_t:file { getattr read }; @@ -504,10 +504,10 @@ class file { getattr read }; ######################################## # -# kernel_read_device_sysctl(domain,[`optional']) +# kernel_read_device_sysctl(domain) # define(`kernel_read_device_sysctl',` -requires_block_template(kernel_read_device_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_dev_t:dir { getattr search read }; @@ -522,10 +522,10 @@ class file { getattr read }; ######################################## # -# kernel_modify_device_sysctl(domain,[`optional']) +# kernel_modify_device_sysctl(domain) # define(`kernel_modify_device_sysctl',` -requires_block_template(kernel_modify_device_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_dev_t:file { getattr read write }; 
@@ -539,10 +539,10 @@ class file { getattr read write }; ######################################## # -# kernel_read_virtual_memory_sysctl(domain,[`optional']) +# kernel_read_virtual_memory_sysctl(domain) # define(`kernel_read_virtual_memory_sysctl',` -requires_block_template(kernel_read_virtual_memory_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_vm_t:file { getattr read }; @@ -556,10 +556,10 @@ class file { getattr read }; ######################################## # -# kernel_modify_virtual_memory_sysctl(domain,[`optional']) +# kernel_modify_virtual_memory_sysctl(domain) # define(`kernel_modify_virtual_memory_sysctl',` -requires_block_template(kernel_modify_virtual_memory_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_vm_t:file { getattr read write }; @@ -573,10 +573,10 @@ class file { getattr read write }; ######################################## # -# kernel_read_network_sysctl(domain,[`optional']) +# kernel_read_network_sysctl(domain) # define(`kernel_read_network_sysctl',` -requires_block_template(kernel_read_network_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_net_t:dir { getattr search read }; @@ -591,10 +591,10 @@ class file { getattr read }; ######################################## # -# kernel_modify_network_sysctl(domain,[`optional']) +# kernel_modify_network_sysctl(domain) # define(`kernel_modify_network_sysctl',` -requires_block_template(kernel_modify_network_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_net_t:dir { getattr search read }; 
@@ -609,10 +609,10 @@ class file { getattr read write }; ######################################## # -# kernel_read_unix_sysctl(domain,[`optional']) +# kernel_read_unix_sysctl(domain) # define(`kernel_read_unix_sysctl',` -requires_block_template(kernel_read_unix_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_net_t:dir { getattr search read }; @@ -627,10 +627,10 @@ class file { getattr read }; ######################################## # -# kernel_modify_unix_sysctl(domain,[`optional']) +# kernel_modify_unix_sysctl(domain) # define(`kernel_modify_unix_sysctl',` -requires_block_template(kernel_modify_unix_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_net_t:dir { getattr search read }; @@ -645,10 +645,10 @@ class file { getattr read write }; ######################################## # -# kernel_read_hotplug_sysctl(domain,[`optional']) +# kernel_read_hotplug_sysctl(domain) # define(`kernel_read_hotplug_sysctl',` -requires_block_template(kernel_read_hotplug_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_kernel_t:dir { getattr search read }; @@ -663,10 +663,10 @@ class file { getattr read }; ######################################## # -# kernel_modify_hotplug_sysctl(domain,[`optional']) +# kernel_modify_hotplug_sysctl(domain) # define(`kernel_modify_hotplug_sysctl',` -requires_block_template(kernel_modify_hotplug_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_kernel_t:dir { getattr search read }; 
@@ -681,10 +681,10 @@ class file { getattr read write }; ######################################## # -# kernel_read_modprobe_sysctl(domain,[`optional']) +# kernel_read_modprobe_sysctl(domain) # define(`kernel_read_modprobe_sysctl',` -requires_block_template(kernel_read_modprobe_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_kernel_t:dir { getattr search read }; @@ -699,10 +699,10 @@ class file { getattr read }; ######################################## # -# kernel_modify_modprobe_sysctl(domain,[`optional']) +# kernel_modify_modprobe_sysctl(domain) # define(`kernel_modify_modprobe_sysctl',` -requires_block_template(kernel_modify_modprobe_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_kernel_t:dir { getattr search read }; @@ -717,10 +717,10 @@ class file { getattr read write }; ######################################## # -# kernel_read_kernel_sysctl(domain,[`optional']) +# kernel_read_kernel_sysctl(domain) # define(`kernel_read_kernel_sysctl',` -requires_block_template(kernel_read_kernel_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_kernel_t:dir { getattr search read }; @@ -735,10 +735,10 @@ class file { getattr read }; ######################################## # -# kernel_modify_kernel_sysctl(domain,[`optional']) +# kernel_modify_kernel_sysctl(domain) # define(`kernel_modify_kernel_sysctl',` -requires_block_template(kernel_modify_kernel_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_kernel_t:dir { getattr search read }; 
@@ -753,10 +753,10 @@ class file { getattr read write }; ######################################## # -# kernel_read_filesystem_sysctl(domain,[`optional']) +# kernel_read_filesystem_sysctl(domain) # define(`kernel_read_filesystem_sysctl',` -requires_block_template(kernel_read_filesystem_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_fs_t:dir { getattr search read }; @@ -771,10 +771,10 @@ class file { getattr read }; ######################################## # -# kernel_modify_filesystem_sysctl(domain,[`optional']) +# kernel_modify_filesystem_sysctl(domain) # define(`kernel_modify_filesystem_sysctl',` -requires_block_template(kernel_modify_filesystem_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_t:dir { getattr search read }; allow $1 sysctl_fs_t:dir { getattr search read }; @@ -789,10 +789,10 @@ class file { getattr read write }; ######################################## # -# kernel_read_irq_sysctl(domain,[`optional']) +# kernel_read_irq_sysctl(domain) # define(`kernel_read_irq_sysctl',` -requires_block_template(kernel_read_irq_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_irq_t:dir { getattr search read }; allow $1 sysctl_irq_t:file { getattr read }; @@ -806,10 +806,10 @@ class file { getattr read }; ######################################## # -# kernel_modify_irq_sysctl(domain,[`optional']) +# kernel_modify_irq_sysctl(domain) # define(`kernel_modify_irq_sysctl',` -requires_block_template(kernel_modify_irq_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 sysctl_irq_t:dir { getattr search read }; allow $1 sysctl_irq_t:file { getattr read write }; 
@@ -823,10 +823,10 @@ class file { getattr read write }; ######################################## # -# kernel_read_rpc_sysctl(domain,[`optional']) +# kernel_read_rpc_sysctl(domain) # define(`kernel_read_rpc_sysctl',` -requires_block_template(kernel_read_rpc_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 proc_net_t:dir search; allow $1 sysctl_rpc_t:dir { getattr search read }; @@ -841,10 +841,10 @@ class file { getattr read }; ######################################## # -# kernel_modify_rpc_sysctl(domain,[`optional']) +# kernel_modify_rpc_sysctl(domain) # define(`kernel_modify_rpc_sysctl',` -requires_block_template(kernel_modify_rpc_sysctl_depend,$2) +requires_block_template(`$0'_depend) allow $1 proc_t:dir search; allow $1 proc_net_t:dir search; allow $1 sysctl_rpc_t:dir { getattr search read }; @@ -859,10 +859,10 @@ class file { getattr read write }; ######################################## # -# kernel_read_all_sysctl(domain,[`optional']) +# kernel_read_all_sysctl(domain) # define(`kernel_read_all_sysctl',` -requires_block_template(kernel_read_all_sysctl_depend,$2) +requires_block_template(`$0'_depend) kernel_read_device_sysctl($1,optional) kernel_read_virtual_memory_sysctl($1,optional) kernel_read_network_sysctl($1,optional) @@ -890,10 +890,10 @@ kernel_read_rpc_sysctl_depend ######################################## # -# kernel_modify_all_sysctl(domain,[`optional']) +# kernel_modify_all_sysctl(domain) # define(`kernel_modify_all_sysctl',` -requires_block_template(kernel_modify_all_sysctl_depend,$2) +requires_block_template(`$0'_depend) kernel_modify_device_sysctl($1,optional) kernel_modify_virtual_memory_sysctl($1,optional) kernel_modify_network_sysctl($1,optional) 
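Review bot: The calls inside kernel_read_all_sysctl still pass a second argument, `kernel_read_device_sysctl($1,optional)` and the lines that follow it, but the interfaces being called drop their optional second parameter in this same commit (kernel_read_device_sysctl in the hunk at -504, for example), so m4 now silently discards the extra argument and the call no longer does what its text suggests. Either strip the dead argument, `kernel_read_device_sysctl($1)`, or leave a one-line comment at the top of the define stating that surplus arguments are intentionally ignored, otherwise a reader will assume the optional wrapping still happens. The same leftover appears in kernel_modify_all_sysctl (hunk -890) and, if devices_list_device_nodes lost its optional parameter as part of this commit's devices.if change, in the `devices_list_device_nodes($1,optional)` calls throughout the storage.if and terminal.if hunks. Both kernel_*_all_sysctl defines continue past the end of their hunks.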
@@ -921,10 +921,10 @@ kernel_modify_rpc_sysctl_depend ######################################## # -# kernel_read_hardware_state(domain,[`optional']) +# kernel_read_hardware_state(domain) # define(`kernel_read_hardware_state',` -requires_block_template(kernel_read_hardware_state_depend,$2) +requires_block_template(`$0'_depend) allow $1 sysfs_t:dir { getattr search read }; allow $1 sysfs_t:{ file lnk_file } { getattr read }; ') @@ -938,10 +938,10 @@ class lnk_file { getattr read }; ######################################## # -# kernel_modify_hardware_config_option(domain,[`optional']) +# kernel_modify_hardware_config_option(domain) # define(`kernel_modify_hardware_config_option',` -requires_block_template(kernel_modify_hardware_config_option_depend,$2) +requires_block_template(`$0'_depend) allow $1 sysfs_t:dir { getattr search read }; allow $1 sysfs_t:lnk_file { getattr read }; allow $1 sysfs_t:file { getattr read write }; @@ -956,10 +956,10 @@ class lnk_file { getattr read }; ######################################## # -# kernel_list_usb_hardware(domain,[`optional']) +# kernel_list_usb_hardware(domain) # define(`kernel_list_usb_hardware',` -requires_block_template(kernel_list_usb_hardware_depend,$2) +requires_block_template(`$0'_depend) allow $1 usbfs_t:dir { getattr search read }; allow $1 usbfs_t:lnk_file { getattr read }; allow $1 usbfs_t:file getattr; @@ -974,10 +974,10 @@ class lnk_file { getattr read }; ######################################## # -# kernel_read_usb_hardware_state(domain,[`optional']) +# kernel_read_usb_hardware_state(domain) # define(`kernel_read_usb_hardware_state',` -requires_block_template(kernel_read_usb_hardware_state_depend,$2) +requires_block_template(`$0'_depend) allow $1 usbfs_t:dir { getattr search read }; allow $1 usbfs_t:{ file lnk_file } { getattr read }; ') 
@@ -991,10 +991,10 @@ class lnk_file { getattr read }; ######################################## # -# kernel_modify_usb_hardware_config_option(domain,[`optional']) +# kernel_modify_usb_hardware_config_option(domain) # define(`kernel_modify_usb_hardware_config_option',` -requires_block_template(kernel_modify_usb_hardware_config_option_depend,$2) +requires_block_template(`$0'_depend) allow $1 usbfs_t:dir { getattr search read }; allow $1 usbfs_t:lnk_file { getattr read }; allow $1 usbfs_t:file { getattr read write }; @@ -1018,10 +1018,10 @@ class lnk_file { getattr read }; ######################################## # -# kernel_transition_from(domain,entrypoint,[`optional']) +# kernel_transition_from(domain,entrypoint) # define(`kernel_transition_from',` -requires_block_template(kernel_transition_from_depend,$3) +requires_block_template(`$0'_depend) allow kernel_t $2:file { getattr read execute }; allow kernel_t $1:process transition; type_transition kernel_t $2:process $1; @@ -1036,10 +1036,10 @@ class process transition; ######################################## # -# kernel_sigchld_from(domain,[`optional']) +# kernel_sigchld_from(domain) # define(`kernel_sigchld_from',` -requires_block_template(kernel_sigchld_from_depend,$2) +requires_block_template(`$0'_depend) allow kernel_t $1:process sigchld; ') @@ -1050,10 +1050,10 @@ class process sigchld; ######################################## # -# kernel_unlabeled_sigchld_from(domain,[`optional']) +# kernel_unlabeled_sigchld_from(domain) # define(`kernel_unlabeled_sigchld_from',` -requires_block_template(kernel_unlabeled_sigchld_from_depend,$2) +requires_block_template(`$0'_depend) allow unlabeled_t $1:process sigchld; ') 
@@ -1064,10 +1064,10 @@ class process sigchld; ######################################## # -# kernel_read_directory_from(domain,[`optional']) +# kernel_read_directory_from(domain) # define(`kernel_read_directory_from',` -requires_block_template(kernel_read_directory_from_depend,$2) +requires_block_template(`$0'_depend) allow kernel_t $1:dir { getattr search read }; ') diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if index fdb0ec5c..ea971c4e 100644 --- a/refpolicy/policy/modules/kernel/storage.if +++ b/refpolicy/policy/modules/kernel/storage.if @@ -2,10 +2,10 @@ ######################################## # -# storage_raw_read_fixed_disk(domain,[`optional']) +# storage_raw_read_fixed_disk(domain) # define(`storage_raw_read_fixed_disk',` -requires_block_template(storage_raw_read_fixed_disk_depend,$2) +requires_block_template(`$0'_depend) typeattribute $1 fixed_disk_raw_read; devices_list_device_nodes($1,optional) allow $1 fixed_disk_device_t:blk_file { getattr read ioctl }; @@ -20,10 +20,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_raw_write_fixed_disk(domain,[`optional']) +# storage_raw_write_fixed_disk(domain) # define(`storage_raw_write_fixed_disk',` -requires_block_template(storage_raw_write_fixed_disk_depend,$2) +requires_block_template(`$0'_depend) typeattribute $1 fixed_disk_raw_write; devices_list_device_nodes($1,optional) allow $1 fixed_disk_device_t:blk_file { getattr write ioctl }; @@ -38,10 +38,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_get_fixed_disk_attributes(domain,[`optional']) +# storage_get_fixed_disk_attributes(domain) # define(`storage_get_fixed_disk_attributes',` -requires_block_template(storage_get_fixed_disk_attributes_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 fixed_disk_device_t:blk_file getattr; ') 
@@ -54,10 +54,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_set_fixed_disk_attributes(domain,[`optional']) +# storage_set_fixed_disk_attributes(domain) # define(`storage_set_fixed_disk_attributes',` -requires_block_template(storage_set_fixed_disk_attributes_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 fixed_disk_device_t:blk_file setattr; ') @@ -70,10 +70,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_read_scsi_generic(domain,[`optional']) +# storage_read_scsi_generic(domain) # define(`storage_read_scsi_generic',` -requires_block_template(storage_read_scsi_generic_depend,$2) +requires_block_template(`$0'_depend) typeattribute $1 scsi_generic_read; devices_list_device_nodes($1,optional) allow $1 scsi_generic_device_t:blk_file { getattr read ioctl }; @@ -88,10 +88,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_write_scsi_generic(domain,[`optional']) +# storage_write_scsi_generic(domain) # define(`storage_write_scsi_generic',` -requires_block_template(storage_write_scsi_generic_depend,$2) +requires_block_template(`$0'_depend) typeattribute $1 scsi_generic_write; devices_list_device_nodes($1,optional) allow $1 fixed_disk_device_t:blk_file { getattr write ioctl }; @@ -106,10 +106,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_get_scsi_generic_attributes(domain,[`optional']) +# storage_get_scsi_generic_attributes(domain) # define(`storage_get_scsi_generic_attributes',` -requires_block_template(storage_get_scsi_generic_attributes_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 scsi_generic_device_t:blk_file getattr; ') 
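Review bot: storage_write_scsi_generic, in the hunk at -88, grants `allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };` while its read counterpart storage_read_scsi_generic (hunk -70) and both scsi_generic attribute interfaces operate on scsi_generic_device_t, so a caller asking for SCSI-generic write access receives raw write to fixed disks instead. This looks like a copy-paste slip from storage_raw_write_fixed_disk; the line should presumably read `allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };`, and the matching `_depend` block, which lies outside the hunk, should be checked to declare scsi_generic_device_t rather than fixed_disk_device_t. SCSI generic nodes are normally character devices, so the blk_file class used by all four scsi_generic interfaces may also deserve a look. The define's closing `')` is past the end of the hunk.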
@@ -122,10 +122,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_set_scsi_generic_attributes(domain,[`optional']) +# storage_set_scsi_generic_attributes(domain) # define(`storage_set_scsi_generic_attributes',` -requires_block_template(storage_set_scsi_generic_attributes_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 scsi_generic_device_t:blk_file setattr; ') @@ -138,10 +138,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_raw_read_removable_device(domain,[`optional']) +# storage_raw_read_removable_device(domain) # define(`storage_raw_read_removable_device',` -requires_block_template(storage_raw_read_removable_device_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 removable_device_t:blk_file { getattr read ioctl }; ') @@ -154,10 +154,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_raw_write_removable_device(domain,[`optional']) +# storage_raw_write_removable_device(domain) # define(`storage_raw_write_removable_device',` -requires_block_template(storage_raw_write_removable_device_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 removable_device_t:blk_file { getattr write ioctl }; ') @@ -170,10 +170,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_get_removable_device_attributes(domain,[`optional']) +# storage_get_removable_device_attributes(domain) # define(`storage_get_removable_device_attributes',` -requires_block_template(storage_get_removable_device_attributes_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 removable_device_t:blk_file getattr; ') 
@@ -186,10 +186,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_set_removable_device_attributes(domain,[`optional']) +# storage_set_removable_device_attributes(domain) # define(`storage_set_removable_device_attributes',` -requires_block_template(storage_set_removable_device_attributes_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 removable_device_t:blk_file setattr; ') @@ -202,10 +202,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_read_tape_device(domain,[`optional']) +# storage_read_tape_device(domain) # define(`storage_read_tape_device',` -requires_block_template(storage_read_tape_device_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 tape_device_t:blk_file { getattr read ioctl }; ') @@ -218,10 +218,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_write_tape_device(domain,[`optional']) +# storage_write_tape_device(domain) # define(`storage_write_tape_device',` -requires_block_template(storage_write_tape_device_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 tape_device_t:blk_file { getattr write ioctl }; ') @@ -234,10 +234,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_get_tape_device_attributes(domain,[`optional']) +# storage_get_tape_device_attributes(domain) # define(`storage_get_tape_device_attributes',` -requires_block_template(storage_get_tape_device_attributes_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 tape_device_t:blk_file getattr; ') 
@@ -250,10 +250,10 @@ devices_list_device_nodes_depend ######################################## # -# storage_set_tape_device_attributes(domain,[`optional']) +# storage_set_tape_device_attributes(domain) # define(`storage_set_tape_device_attributes',` -requires_block_template(storage_set_tape_device_attributes_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 tape_device_t:blk_file setattr; ') diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if index 4432acc4..208e193d 100644 --- a/refpolicy/policy/modules/kernel/terminal.if +++ b/refpolicy/policy/modules/kernel/terminal.if @@ -2,10 +2,10 @@ ######################################## # -# terminal_make_pseudoterminal(domain,ptytype,[`optional']) +# terminal_make_pseudoterminal(domain,ptytype) # define(`terminal_make_pseudoterminal',` -requires_block_template(terminal_make_pseudoterminal_depend,$3) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 ptmx_t:chr_file { getattr read write }; allow $1 devpts_t:dir { getattr search read }; @@ -30,7 +30,7 @@ devices_list_device_nodes_depend # terminal_use_all_terminals(domain) # define(`terminal_use_all_terminals',` -requires_block_template(terminal_use_all_terminals_depend) +requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 devpts_t:dir { getattr search read }; allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { read write }; @@ -48,7 +48,7 @@ class chr_file { read write }; # terminal_get_all_users_physical_terminal_attributes(domain) # define(`terminal_get_all_users_physical_terminal_attributes',` -requires_block_template(terminal_get_all_users_physical_terminal_attributes_depend) +requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 ttynode:chr_file getattr; ') 
@@ -63,7 +63,7 @@ class chr_file getattr; # terminal_use_all_users_physical_terminals(domain) # define(`terminal_use_all_users_physical_terminals',` -requires_block_template(terminal_use_all_users_physical_terminals_depend) +requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 ttynode:chr_file { read write }; ') @@ -78,7 +78,7 @@ class chr_file { read write }; # terminal_ignore_use_all_users_physical_terminals(domain) # define(`terminal_ignore_use_all_users_physical_terminals',` -requires_block_template(terminal_ignore_use_all_users_physical_terminals_depend) +requires_block_template(`$0'_depend) dontaudit $1 ttynode:chr_file { read write }; ') @@ -92,7 +92,7 @@ class chr_file { read write }; # terminal_get_all_users_pseudoterminal_attributes(domain) # define(`terminal_get_all_users_pseudoterminal_attributes',` -requires_block_template(terminal_get_all_users_pseudoterminal_attributes_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 devpts_t:dir { getattr search read }; allow $1 ptynode:chr_file getattr; @@ -109,7 +109,7 @@ class chr_file getattr; # terminal_use_all_users_pseudoterminals(domain) # define(`terminal_use_all_users_pseudoterminals',` -requires_block_template(terminal_use_all_users_pseudoterminals_depend) +requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 devpts_t:dir { getattr read search }; allow $1 ptynode:chr_file { read write }; @@ -126,7 +126,7 @@ class chr_file { read write }; # terminal_ignore_use_all_users_pseudoterminals(domain) # define(`terminal_ignore_use_all_users_pseudoterminals',` -requires_block_template(terminal_ignore_use_all_users_pseudoterminals_depend) +requires_block_template(`$0'_depend) dontaudit $1 ptynode:chr_file { read write }; ') 
@@ -137,10 +137,10 @@ class chr_file { read write }; ######################################## # -# terminal_use_console(domain,[`optional']) +# terminal_use_console(domain) # define(`terminal_use_console',` -requires_block_template(terminal_use_console_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 console_device_t:chr_file { read write }; ') @@ -153,10 +153,10 @@ devices_list_device_nodes_depend ######################################## # -# terminal_ignore_use_console(domain,[`optional']) +# terminal_ignore_use_console(domain) # define(`terminal_ignore_use_console',` -requires_block_template(terminal_ignore_use_console_depend,$2) +requires_block_template(`$0'_depend) dontaudit $1 console_device_t:chr_file { read write }; ') @@ -167,10 +167,10 @@ class chr_file { read write }; ######################################## # -# terminal_set_console_attributes(domain,[`optional']) +# terminal_set_console_attributes(domain) # define(`terminal_set_console_attributes',` -requires_block_template(terminal_set_console_attributes_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 console_device_t:chr_file setattr; ') @@ -183,10 +183,10 @@ devices_list_device_nodes_depend ######################################## # -# terminal_use_controlling_terminal(domain,[`optional']) +# terminal_use_controlling_terminal(domain) # define(`terminal_use_controlling_terminal',` -requires_block_template(terminal_use_controlling_terminal_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 devtty_t:chr_file { read write }; ') 
@@ -202,7 +202,7 @@ devices_list_device_nodes_depend # terminal_reset_physical_terminal_labels(domain) # define(`terminal_reset_physical_terminal_labels',` -requires_block_template(terminal_reset_physical_terminal_labels_depend) +requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 ttynode:chr_file relabelfrom; allow $1 tty_device_t:chr_file relabelto; @@ -220,7 +220,7 @@ devices_list_device_nodes_depend # terminal_use_general_physical_terminal(domain) # define(`terminal_use_general_physical_terminal',` -requires_block_template(terminal_use_general_physical_terminal_depend) +requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 tty_device_t:chr_file { read write }; ') @@ -235,7 +235,7 @@ class chr_file { read write }; # terminal_ignore_use_general_physical_terminal(domain) # define(`terminal_ignore_use_general_physical_terminal',` -requires_block_template(terminal_ignore_use_general_physical_terminal_depend) +requires_block_template(`$0'_depend) dontaudit $1 tty_device_t:chr_file { read write }; ') @@ -246,10 +246,10 @@ class chr_file { read write }; ######################################## # -# terminal_list_pseudoterminals(domain,[`optional']) +# terminal_list_pseudoterminals(domain) # define(`terminal_list_pseudoterminals',` -requires_block_template(terminal_list_pseudoterminals_depend,$2) +requires_block_template(`$0'_depend) devices_list_device_nodes($1,optional) allow $1 devpts_t:dir { getattr search read }; ') @@ -262,10 +262,10 @@ devices_list_device_nodes_depend ######################################## # -# terminal_ignore_list_pseudoterminals(domain,[`optional']) +# terminal_ignore_list_pseudoterminals(domain) # define(`terminal_ignore_list_pseudoterminals',` -requires_block_template(terminal_ignore_list_pseudoterminals_depend,$2) +requires_block_template(`$0'_depend) dontaudit $1 devpts_t:dir { getattr search read }; ') 
@@ -279,7 +279,7 @@ class dir { getattr search read }; # terminal_use_general_pseudoterminal(domain) # define(`terminal_use_general_pseudoterminal',` -requires_block_template(terminal_use_general_pseudoterminal_depend) +requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 devpts_t:chr_file { read write }; ') @@ -294,7 +294,7 @@ class chr_file { read write }; # terminal_ignore_use_general_pseudoterminal(domain) # define(`terminal_ignore_use_general_pseudoterminal',` -requires_block_template(terminal_ignore_use_general_pseudoterminal_depend) +requires_block_template(`$0'_depend) dontaudit $1 devpts_t:chr_file { read write }; ') diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index c38ca942..6b41ebb1 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -7,7 +7,7 @@ # mta_per_userdomain_template(userdomain_prefix) # define(`mta_per_userdomain_template',` -requires_block_template(mta_per_userdomain_template_depend) +requires_block_template(`$0'_depend) type $1_mail_t; domain_make_domain($1_mail_t) diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index d7982c40..8b097877 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -7,7 +7,7 @@ # authlogin_per_userdomain_template(userdomain_prefix) # define(`authlogin_per_userdomain_template',` -requires_block_template(authlogin_per_userdomain_template_depend) +requires_block_template(`$0'_depend) type $1_chkpwd_t; # , nscd_client_domain; domain_make_domain($1_chkpwd_t) 
@@ -79,7 +79,7 @@ class unix_dgram_socket { create read getattr write setattr append bind connect
 # authlogin_make_login_program_entrypoint(domain)
 #
 define(`authlogin_make_login_program_entrypoint',`
-requires_block_template(authlogin_make_login_program_entrypoint_depend)
+requires_block_template(`$0'_depend)
 domain_make_entrypoint_file($1,login_exec_t)
 ')
@@ -93,7 +93,7 @@ domain_make_entrypoint_file_depend
 # authlogin_check_password_transition(domain)
 #
 define(`authlogin_check_password_transition',`
-requires_block_template(authlogin_check_password_transition_depend)
+requires_block_template(`$0'_depend)
 allow $1 chkpwd_exec_t:file { getattr read execute };
 allow $1 system_chkpwd_t:process transition;
 dontaudit $1 shadow_t:file { getattr read };
@@ -115,7 +115,7 @@ class process transition;
 # authlogin_modify_login_records(domain)
 #
 define(`authlogin_modify_login_records',`
-requires_block_template(authlogin_modify_login_records_depend)
+requires_block_template(`$0'_depend)
 files_search_system_state_data_directory($1)
 # FIXME: search var_log_t
 allow $1 wtmp_t:file { getattr read write setattr };
@@ -131,7 +131,7 @@ class file { getattr read write setattr };
 # authlogin_read_shadow_passwords(domain)
 #
 define(`authlogin_read_shadow_passwords',`
-requires_block_template(authlogin_read_shadow_passwords_depend)
+requires_block_template(`$0'_depend)
 # FIXME: read etc_t dir
 allow $1 shadow_t:file { getattr read };
 typeattribute $1 can_read_shadow_passwords;
@@ -148,7 +148,7 @@ class file { getattr read };
 # authlogin_ignore_read_shadow_passwords(domain)
 #
 define(`authlogin_ignore_read_shadow_passwords',`
-requires_block_template(authlogin_ignore_read_shadow_passwords_depend)
+requires_block_template(`$0'_depend)
 dontaudit $1 shadow_t:file { getattr read };
 ')
@@ -162,7 +162,7 @@ class file { getattr read };
 # authlogin_modify_shadow_passwords(domain)
 #
 define(`authlogin_modify_shadow_passwords',`
-requires_block_template(authlogin_modify_shadow_passwords_depend)
+requires_block_template(`$0'_depend)
 # FIXME: read etc_t dir
 allow $1 shadow_t:file { getattr read write };
 typeattribute $1 can_read_shadow_passwords;
@@ -181,7 +181,7 @@ class file { getattr read write };
 # authlogin_modify_last_login_log(domain)
 #
 define(`authlogin_modify_last_login_log',`
-requires_block_template(authlogin_modify_last_login_log_depend)
+requires_block_template(`$0'_depend)
 allow $1 lastlog_t:file { getattr read write setattr };
 ')
@@ -195,7 +195,7 @@ class file { getattr read write setattr };
 # authlogin_pam_read_runtime_data(domain)
 #
 define(`authlogin_pam_read_runtime_data',`
-requires_block_template(authlogin_pam_read_runtime_data_depend)
+requires_block_template(`$0'_depend)
 files_search_system_state_data_directory($1)
 files_search_runtime_data_directory($1)
 allow $1 pam_var_run_t:dir { getattr search read };
@@ -213,7 +213,7 @@ class file { getattr read };
 # authlogin_pam_remove_runtime_data(domain)
 #
 define(`authlogin_pam_remove_runtime_data',`
-requires_block_template(authlogin_pam_remove_runtime_data_depend)
+requires_block_template(`$0'_depend)
 files_search_system_state_data_directory($1)
 files_search_runtime_data_directory($1)
 allow $1 pam_var_run_t:dir { getattr search read write remove_name };
diff --git a/refpolicy/policy/modules/system/corecommands.if b/refpolicy/policy/modules/system/corecommands.if
index 478f7cb3..052c845b 100644
--- a/refpolicy/policy/modules/system/corecommands.if
+++ b/refpolicy/policy/modules/system/corecommands.if
@@ -2,10 +2,10 @@
 #######################################
 #
-# corecommands_make_shell_entrypoint(type,[`optional'])
+# corecommands_make_shell_entrypoint(type)
 #
 define(`corecommands_make_shell_entrypoint',`
-requires_block_template(corecommands_make_shell_entrypoint_depend,$2)
+requires_block_template(`$0'_depend)
 domain_make_entrypoint_file($1,shell_exec_t)
 ')
@@ -16,10 +16,10 @@ domain_make_entrypoint_file_depend
 ########################################
 #
-# corecommands_execute_general_programs(domain,[`optional']
+# corecommands_execute_general_programs(domain
 #
 define(`corecommands_execute_general_programs',`
-requires_block_template(corecommands_execute_general_programs_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 bin_t:dir { getattr search read };
 allow $1 bin_t:lnk_file { getattr read };
 allow $1 bin_t:file { getattr read execute execute_no_trans };
@@ -34,10 +34,10 @@ class file { getattr read execute execute_no_trans };
 ########################################
 #
-# corecommands_execute_system_programs(domain,[`optional']
+# corecommands_execute_system_programs(domain
 #
 define(`corecommands_execute_system_programs',`
-requires_block_template(corecommands_execute_system_programs_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 sbin_t:dir { getattr search read };
 allow $1 sbin_t:lnk_file { getattr read };
 allow $1 sbin_t:file { getattr read execute execute_no_trans };
@@ -52,10 +52,10 @@ class file { getattr read execute execute_no_trans };
 ########################################
 #
-# corecommands_execute_shell(domain,[`optional']
+# corecommands_execute_shell(domain
 #
 define(`corecommands_execute_shell',`
-requires_block_template(corecommands_execute_shell_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 bin_t:dir { getattr search read };
 allow $1 bin_t:lnk_file { getattr read };
 allow $1 shell_exec_t:file { getattr read execute execute_no_trans };
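Review bot: The rewritten interface headers for `corecommands_execute_general_programs`, `corecommands_execute_system_programs` and `corecommands_execute_shell` drop the `[`optional']` parameter but keep the pre-existing missing close paren, so the new comment reads `# corecommands_execute_general_programs(domain`. Since these lines are being rewritten anyway, they should become `# corecommands_execute_general_programs(domain)` and likewise for the other two, matching every other header in this diff. `corecommands_chroot` in the next hunk has the same truncated header.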
@@ -70,10 +70,10 @@ class file { getattr read execute execute_no_trans };
 ########################################
 #
-# corecommands_chroot(domain,[`optional']
+# corecommands_chroot(domain
 #
 define(`corecommands_chroot',`
-requires_block_template(corecommands_chroot_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
 # could go to a generic chroot priv:
 allow $1 self:capability sys_chroot;
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index c6c6c0c2..d3eec091 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -2,10 +2,10 @@
 ########################################
 #
-# domain_make_base_domain(domain,[`optional'])
+# domain_make_base_domain(domain)
 #
 define(`domain_make_base_domain',`
-requires_block_template(domain_make_base_domain_depend,$2)
+requires_block_template(`$0'_depend)
 # mark as a domain
 typeattribute $1 domain;
@@ -27,10 +27,10 @@ class lnk_file { getattr read };
 ########################################
 #
-# domain_make_domain(domain,[`optional'])
+# domain_make_domain(domain)
 #
 define(`domain_make_domain',`
-requires_block_template(domain_make_domain_depend,$2)
+requires_block_template(`$0'_depend)
 domain_make_base_domain($1,optional)
@@ -46,10 +46,10 @@ init_send_sigchld_depend
 ########################################
 #
-# domain_make_entrypoint_file(domain,entrypointfile,[`optional'])
+# domain_make_entrypoint_file(domain,entrypointfile)
 #
 define(`domain_make_entrypoint_file',`
-requires_block_template(domain_make_entrypoint_file_depend,$3)
+requires_block_template(`$0'_depend)
 allow $1 $2:file entrypoint;
 files_make_file($2,$3)
 typeattribute $1 entry_type;
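Review bot: `domain_make_entrypoint_file` now documents only `(domain,entrypointfile)` and no longer reads `$3` in `requires_block_template`, but the context line `files_make_file($2,$3)` still forwards `$3`; with the interface reduced to two parameters that expands to an empty trailing argument, and `files_make_file` itself is cut down to `(type)` in this same diff. Suggest `files_make_file($2)` so the call matches the callee's new signature.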
@@ -62,10 +62,10 @@ class file entrypoint;
 ########################################
 #
-# domain_make_init_domain(domain,entrypointfile,[`optional'])
+# domain_make_init_domain(domain,entrypointfile)
 #
 define(`domain_make_init_domain',`
-requires_block_template(domain_make_init_domain_depend,$3)
+requires_block_template(`$0'_depend)
 domain_make_domain($1,optional)
 domain_make_entrypoint_file($1,$2,optional)
 typeattribute $1 init_domain;
@@ -82,10 +82,10 @@ domain_make_entrypoint_file_depend
 ########################################
 #
-# domain_make_daemon_domain(domain,entrypointfile,[`optional'])
+# domain_make_daemon_domain(domain,entrypointfile)
 #
 define(`domain_make_daemon_domain',`
-requires_block_template(domain_make_daemon_domain_depend,$3)
+requires_block_template(`$0'_depend)
 domain_make_domain($1,optional)
 domain_make_entrypoint_file($1,$2,optional)
 typeattribute $1 daemon_domain;
@@ -102,10 +102,10 @@ domain_make_entrypoint_file_depend
 ########################################
 #
-# domain_make_file_descriptors_widely_inheritable(domain,[`optional'])
+# domain_make_file_descriptors_widely_inheritable(domain)
 #
 define(`domain_make_file_descriptors_widely_inheritable',`
-requires_block_template(domain_make_file_descriptors_widely_inheritable_depend,$2)
+requires_block_template(`$0'_depend)
 typeattribute $1 privfd;
 ')
@@ -115,10 +115,10 @@ attribute privfd;
 ########################################
 #
-# domain_use_widely_inheritable_file_descriptors(domain,[`optional'])
+# domain_use_widely_inheritable_file_descriptors(domain)
 #
 define(`domain_use_widely_inheritable_file_descriptors',`
-requires_block_template(domain_use_widely_inheritable_file_descriptors_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 privfd:fd use;
 ')
@@ -129,10 +129,10 @@ class fd use;
 ########################################
 #
-# domain_ignore_use_widely_inheritable_file_descriptors(domain,[`optional'])
+# domain_ignore_use_widely_inheritable_file_descriptors(domain)
 #
 define(`domain_ignore_use_widely_inheritable_file_descriptors',`
-requires_block_template(domain_ignore_use_widely_inheritable_file_descriptors_depend,$2)
+requires_block_template(`$0'_depend)
 dontaudit $1 privfd:fd use;
 ')
@@ -143,10 +143,10 @@ class fd use;
 ########################################
 #
-# domain_all_init_domains_transition(domain,[`optional'])
+# domain_all_init_domains_transition(domain)
 #
 define(`domain_all_init_domains_transition',`
-requires_block_template(domain_all_init_domains_transition_depend,$3)
+requires_block_template(`$0'_depend)
 allow $1 init_domain:process transition;
 allow $1 init_domain_entry:file { getattr read execute };
 dontaudit $1 daemon_domain:process { noatsecure siginh rlimitinh };
@@ -160,10 +160,10 @@ class file { getattr read execute };
 ########################################
 #
-# domain_all_daemon_domains_transition(domain,[`optional'])
+# domain_all_daemon_domains_transition(domain)
 #
 define(`domain_all_daemon_domains_transition',`
-requires_block_template(domain_all_daemon_domains_transition_depend,$3)
+requires_block_template(`$0'_depend)
 allow $1 daemon_domain:process transition;
 allow $1 daemon_domain_entry:file { getattr read execute };
 allow init_domain $1:fd use;
@@ -178,10 +178,10 @@ class file { getattr read execute };
 ########################################
 #
-# domain_signal_all_domains(domain,[`optional'])
+# domain_signal_all_domains(domain)
 #
 define(`domain_signal_all_domains',`
-requires_block_template(domain_signal_all_domains_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 domain:process signal;
 ')
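Review bot: In `domain_all_init_domains_transition` the context line `dontaudit $1 daemon_domain:process { noatsecure siginh rlimitinh };` names `daemon_domain`, while the two allow rules above it and the interface name are about `init_domain`; this looks like a carry-over from `domain_all_daemon_domains_transition` in the next hunk and is not touched by this commit. If the intent is to silence the inheritance-related denials for the init-domain transition, it should read `dontaudit $1 init_domain:process { noatsecure siginh rlimitinh };`, and the matching `_depend` block, which lies outside this hunk, would need to agree. The rest of the macro body is outside the hunk.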
@@ -192,10 +192,10 @@ class process signal;
 ########################################
 #
-# domain_kill_all_domains(domain,[`optional'])
+# domain_kill_all_domains(domain)
 #
 define(`domain_kill_all_domains',`
-requires_block_template(domain_kill_all_domains_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 domain:process sigkill;
 allow $1 self:capability kill;
 ')
@@ -208,10 +208,10 @@ class capability kill;
 ########################################
 #
-# domain_read_all_domains_process_state(domain,[`optional'])
+# domain_read_all_domains_process_state(domain)
 #
 define(`domain_read_all_domains_process_state',`
-requires_block_template(domain_read_all_domains_process_state_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 domain:dir { getattr search read };
 allow $1 domain:lnk_file { getattr read };
 allow $1 domain:file { getattr read };
@@ -228,10 +228,10 @@ class process { getattr getsession };
 ########################################
 #
-# domain_execute_all_entrypoint_programs(domain,[`optional'])
+# domain_execute_all_entrypoint_programs(domain)
 #
 define(`domain_execute_all_entrypoint_programs',`
-requires_block_template(domain_execute_all_entrypoint_programs_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 entry_type:file { getattr read execute execute_no_trans };
 ')
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 1df98c0b..1dbb58f6 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -2,10 +2,10 @@
 ########################################
 #
-# files_make_file(type,[`optional'])
+# files_make_file(type)
 #
 define(`files_make_file',`
-requires_block_template(files_make_file_depend,$2)
+requires_block_template(`$0'_depend)
 typeattribute $1 file_type;
 filesystem_associate($1,optional)
 filesystem_noxattr_associate($1,optional)
@@ -19,10 +19,10 @@ filesystem_noxattr_associate_depend
 ########################################
 #
-# files_make_mountpoint(type,[`optional'])
+# files_make_mountpoint(type)
 #
 define(`files_make_mountpoint',`
-requires_block_template(files_make_mountpoint_depend,$2)
+requires_block_template(`$0'_depend)
 typeattribute $1 mountpoint;
 ')
@@ -32,10 +32,10 @@ attribute mountpoint;
 ########################################
 #
-# files_get_all_file_attributes(type,[`optional'])
+# files_get_all_file_attributes(type)
 #
 define(`files_get_all_file_attributes',`
-requires_block_template(files_get_all_file_attributes_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 file_type:dir { search getattr };
 allow $1 file_type:file getattr;
 allow $1 file_type:lnk_file getattr;
@@ -54,10 +54,10 @@ class sock_file getattr;
 ########################################
 #
-# files_manage_all_files_labels(type,[`optional'])
+# files_manage_all_files_labels(type)
 #
 define(`files_manage_all_files_labels',`
-requires_block_template(files_manage_all_files_labels_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 file_type:dir { getattr relabelfrom relabelto };
 allow $1 file_type:file { getattr relabelfrom relabelto };
 allow $1 file_type:lnk_file { getattr relabelfrom relabelto };
@@ -83,7 +83,7 @@ class chr_file relabelfrom;
 # files_search_all_directories(domain)
 #
 define(`files_search_all_directories',`
-requires_block_template(files_search_all_directories_depend)
+requires_block_template(`$0'_depend)
 allow $1 file_type:dir search;
 ')
@@ -97,7 +97,7 @@ class dir search;
 # files_ignore_search_all_directories(domain)
 #
 define(`files_ignore_search_all_directories',`
-requires_block_template(files_ignore_search_all_directories_depend)
+requires_block_template(`$0'_depend)
 dontaudit $1 file_type:dir search;
 ')
@@ -108,10 +108,10 @@ class dir search;
 ########################################
 #
-# files_read_all_directories(type,[`optional'])
+# files_read_all_directories(type)
 #
 define(`files_read_all_directories',`
-requires_block_template(files_read_all_directories_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 file_type:dir { getattr search read };
 ')
@@ -122,10 +122,10 @@ class dir { getattr search read };
 ########################################
 #
-# files_mount_on_all_mountpoints(type,[`optional'])
+# files_mount_on_all_mountpoints(type)
 #
 define(`files_mount_on_all_mountpoints',`
-requires_block_template(files_mount_on_all_mountpoints_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 mountpoint:dir { getattr search mounton };
 ')
@@ -136,10 +136,10 @@ class dir { getattr search mounton };
 ########################################
 #
-# files_read_root_dir(domain,[`optional'])
+# files_read_root_dir(domain)
 #
 define(`files_read_root_dir',`
-requires_block_template(files_read_root_dir_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 root_t:dir { getattr search read };
 allow $1 root_t:lnk_file { getattr read };
 ')
@@ -152,10 +152,10 @@ class lnk_file { getattr read };
 ########################################
 #
-# files_create_root_dir_entry(domain,[`optional'])
+# files_create_root_dir_entry(domain)
 #
 define(`files_create_root_dir_entry',`
-requires_block_template(files_create_root_dir_entry_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 root_t:dir { getattr search read write add_name };
 ')
@@ -169,7 +169,7 @@ class dir { getattr search read write add_name };
 # files_ignore_read_rootfs_file(domain)
 #
 define(`files_ignore_read_rootfs_file',`
-requires_block_template(files_ignore_read_rootfs_file_depend)
+requires_block_template(`$0'_depend)
 dontaudit $1 root_t:file read;
 ')
@@ -180,10 +180,10 @@ class file read;
 ########################################
 #
-# files_ignore_modify_rootfs_file(domain,[`optional'])
+# files_ignore_modify_rootfs_file(domain)
 #
 define(`files_ignore_modify_rootfs_file',`
-requires_block_template(files_ignore_modify_rootfs_file_depend,$2)
+requires_block_template(`$0'_depend)
 dontaudit $1 root_t:file { read write };
 ')
@@ -194,10 +194,10 @@ class file { read write };
 ########################################
 #
-# files_ignore_modify_rootfs_device(domain,[`optional'])
+# files_ignore_modify_rootfs_device(domain)
 #
 define(`files_ignore_modify_rootfs_device',`
-requires_block_template(files_ignore_modify_rootfs_device_depend,$2)
+requires_block_template(`$0'_depend)
 dontaudit $1 root_t:chr_file { read write };
 ')
@@ -208,10 +208,10 @@ class chr_file { read write };
 ########################################
 #
-# files_create_private_root_dir_entry(domain,privatetype,[class(es)],[`optional'])
+# files_create_private_root_dir_entry(domain,privatetype,[class(es)])
 #
 define(`files_create_private_root_dir_entry',`
-requires_block_template(files_create_private_root_dir_entry_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 root_t:dir { getattr search read write add_name remove_name };
 ifelse(`$3',`',`
 type_transition $1 root_t:file $2;
@@ -227,10 +227,10 @@ class dir { getattr search read write add_name remove_name };
 ########################################
 #
-# files_remove_root_dir_entry(domain,[`optional'])
+# files_remove_root_dir_entry(domain)
 #
 define(`files_remove_root_dir_entry',`
-requires_block_template(files_remove_root_dir_entry_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 root_t:dir { getattr search read write remove_name };
 ')
@@ -241,10 +241,10 @@ class dir { getattr search read write remove_name };
 ########################################
 #
-# files_unmount_root_filesystem(domain,[`optional'])
+# files_unmount_root_filesystem(domain)
 #
 define(`files_unmount_root_filesystem',`
-requires_block_template(files_unmount_root_filesystem_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 root_t:filesystem unmount;
 ')
@@ -255,10 +255,10 @@ class filesystem unmount;
 ########################################
 #
-# files_read_general_system_config(type,[`optional'])
+# files_read_general_system_config(type)
 #
 define(`files_read_general_system_config',`
-requires_block_template(files_read_general_system_config_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 etc_t:dir { getattr search read };
 allow $1 etc_t:file { getattr read };
 allow $1 etc_t:lnk_file { getattr read };
@@ -273,10 +273,10 @@ class lnk_file { getattr read };
 ########################################
 #
-# files_execute_system_config_script(domain,[`optional'])
+# files_execute_system_config_script(domain)
 #
 define(`files_execute_system_config_script',`
-requires_block_template(files_execute_system_config_script_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 etc_t:dir { getattr search read };
 allow $1 etc_t:lnk_file { getattr read };
 allow $1 etc_t:file { getattr read execute execute_no_trans };
@@ -291,12 +291,12 @@ class file { getattr read execute execute_no_trans };
 ########################################
 #
-# files_create_boot_flag(type,[`optional'])
+# files_create_boot_flag(type)
 #
 # /halt, /.autofsck, etc
 #
 define(`files_create_boot_flag',`
-requires_block_template(files_create_boot_flag_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 root_t:dir { getattr search read write add_name remove_name };
 allow $1 etc_runtime_t:file { create read write setattr unlink };
 type_transition $1 root_t:file etc_runtime_t;
@@ -310,10 +310,10 @@ class file { create read write setattr };
 ########################################
 #
-# files_create_runtime_system_config(type,[`optional'])
+# files_create_runtime_system_config(type)
 #
 define(`files_create_runtime_system_config',`
-requires_block_template(files_create_runtime_system_config_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 etc_t:dir { getattr search read write add_name remove_name };
 allow $1 etc_runtime_t:file { create read write setattr unlink };
 type_transition $1 etc_t:file etc_runtime_t;
@@ -327,10 +327,10 @@ class file { create read write setattr };
 ########################################
 #
-# files_read_runtime_system_config(domain,[`optional'])
+# files_read_runtime_system_config(domain)
 #
 define(`files_read_runtime_system_config',`
-requires_block_template(files_read_runtime_system_config_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 etc_t:dir { getattr search read };
 allow $1 etc_runtime_t:file { getattr read };
 ')
@@ -343,10 +343,10 @@ class file { getattr read };
 ########################################
 #
-# files_create_private_config(domain,privatetype,[class(es)],[`optional'])
+# files_create_private_config(domain,privatetype,[class(es)])
 #
 define(`files_create_private_config',`
-requires_block_template(files_create_private_config_depend,$4)
+requires_block_template(`$0'_depend)
 allow $1 etc_t:dir { getattr search read write add_name remove_name };
 ifelse(`$3',`',`
 type_transition $1 etc_t:file $2;
@@ -362,10 +362,10 @@ class dir { getattr search read write add_name remove_name };
 ########################################
 #
-# files_list_home_directories(type,[`optional'])
+# files_list_home_directories(type)
 #
 define(`files_list_home_directories',`
-requires_block_template(files_list_home_directories_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 home_root_t:dir { getattr search read };
 ')
@@ -376,10 +376,10 @@ class dir { getattr search read };
 ########################################
 #
-# files_create_private_tmp_data(domain,private_type,[object class(es)],[`optional'])
+# files_create_private_tmp_data(domain,private_type,[object class(es)])
 #
 define(`files_create_private_tmp_data',`
-requires_block_template(files_create_private_tmp_data_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 tmp_t:dir { getattr search read write add_name remove_name };
 ifelse(`$3',`',`
 type_transition $1 tmp_t:file $2;
@@ -397,10 +397,10 @@ class dir { getattr search read write add_name };
 ########################################
 #
-# files_remove_all_tmp_data(domain,[`optional'])
+# files_remove_all_tmp_data(domain)
 #
 define(`files_remove_all_tmp_data',`
-requires_block_template(files_remove_all_tmp_data_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
 allow $1 tmpfile:file { getattr unlink };
 allow $1 tmpfile:lnk_file { getattr unlink };
@@ -419,10 +419,10 @@ class sock_file { getattr unlink };
 ########################################
 #
-# files_read_general_application_resources(domain,[`optional'])
+# files_read_general_application_resources(domain)
 #
 define(`files_read_general_application_resources',`
-requires_block_template(files_read_general_application_resources_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 usr_t:dir { getattr search read };
 allow $1 usr_t:{ file lnk_file } { getattr read };
 ')
@@ -439,7 +439,7 @@ class lnk_file { getattr read };
 # files_read_system_source_code(domain)
 #
 define(`files_read_system_source_code',`
-requires_block_template(files_read_system_source_code_depend)
+requires_block_template(`$0'_depend)
 allow $1 usr_t:dir search;
 allow $1 src_t:dir { getattr search read };
 allow $1 src_t:{ file lnk_file } { getattr read };
@@ -457,7 +457,7 @@ class lnk_file { getattr read };
 # files_search_system_state_data_directory(domain)
 #
 define(`files_search_system_state_data_directory',`
-requires_block_template(files_search_system_state_data_directory_depend)
+requires_block_template(`$0'_depend)
 allow $1 var_t:dir search;
 ')
@@ -471,7 +471,7 @@ class dir search;
 # files_manage_pseudorandom_saved_seed(domain)
 #
 define(`files_manage_pseudorandom_saved_seed',`
-requires_block_template(files_manage_pseudorandom_saved_seed_depend)
+requires_block_template(`$0'_depend)
 allow $1 var_t:dir search;
 allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
 allow $1 var_lib_t:file { getattr create read write setattr unlink };
@@ -485,10 +485,10 @@ class file { getattr create read write setattr unlink };
 ########################################
 #
-# files_manage_system_lock_files(domain,[`optional'])
+# files_manage_system_lock_files(domain)
 #
 define(`files_manage_system_lock_files',`
-requires_block_template(files_manage_system_lock_files_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
 allow $1 var_lock_t:file { getattr create read write setattr unlink };
 ')
@@ -501,10 +501,10 @@ class file { getattr create read write setattr unlink };
 ########################################
 #
-# files_remove_all_lock_files(domain,[`optional'])
+# files_remove_all_lock_files(domain)
 #
 define(`files_remove_all_lock_files',`
-requires_block_template(files_remove_all_lock_files_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 lockfile:dir { getattr search read write add_name remove_name };
 allow $1 lockfile:file { getattr unlink };
 ')
@@ -520,7 +520,7 @@ class file { getattr unlink };
 # files_search_runtime_data_directory(domain)
 #
 define(`files_search_runtime_data_directory',`
-requires_block_template(files_search_runtime_data_directory_depend)
+requires_block_template(`$0'_depend)
 allow $1 var_t:dir search;
 allow $1 var_run_t:dir search;
 ')
@@ -535,7 +535,7 @@ class dir search;
 # files_read_runtime_data_directory(domain)
 #
 define(`files_read_runtime_data_directory',`
-requires_block_template(files_read_runtime_data_directory_depend)
+requires_block_template(`$0'_depend)
 allow $1 var_t:dir search;
 allow $1 var_run_t:dir { getattr search read };
 ')
@@ -550,7 +550,7 @@ class dir { getattr search read };
 # files_create_daemon_runtime_data(domain,pidfile,[object class(es)])
 #
 define(`files_create_daemon_runtime_data',`
-requires_block_template(files_create_daemon_runtime_data_depend)
+requires_block_template(`$0'_depend)
 allow $1 var_t:dir search;
 allow $1 var_run_t:dir { getattr search read write add_name remove_name };
 ifelse(`$3',`',`
@@ -569,10 +569,10 @@ class dir { getattr search read write add_name remove_name };
 ########################################
 #
-# files_modify_system_runtime_data(domain,[`optional'])
+# files_modify_system_runtime_data(domain)
 #
 define(`files_modify_system_runtime_data',`
-requires_block_template(files_modify_system_runtime_data_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 var_t:dir search;
 allow $1 var_run_t:dir { getattr search read };
 allow $1 var_run_t:file { getattr read write };
@@ -586,10 +586,10 @@ class file { getattr read write };
 ########################################
 #
-# files_remove_all_daemon_runtime_data(domain,[`optional'])
+# files_remove_all_daemon_runtime_data(domain)
 #
 define(`files_remove_all_daemon_runtime_data',`
-requires_block_template(files_remove_all_daemon_runtime_data_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 var_t:dir search;
 allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
 allow $1 var_run_t:dir rmdir;
diff --git a/refpolicy/policy/modules/system/getty.if b/refpolicy/policy/modules/system/getty.if
index 33412db0..43bef69c 100644
--- a/refpolicy/policy/modules/system/getty.if
+++ b/refpolicy/policy/modules/system/getty.if
@@ -2,10 +2,10 @@
 #######################################
 #
-# getty_transition(domain,[`optional'])
+# getty_transition(domain)
 #
 define(`getty_transition',`
-requires_block_template(getty_transition_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 getty_exec_t:file { getattr read execute };
 allow $1 getty_t:process transition;
 type_transition $1 getty_exec_t:file getty_t;
@@ -20,10 +20,10 @@ class process { transition noatsecure siginh rlimitinh };
 #######################################
 #
-# getty_read_log_file(domain,[`optional'])
+# getty_read_log_file(domain)
 #
 define(`getty_read_log_file',`
-requires_block_template(getty_read_log_file_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 getty_log_t:file { getattr read };
 ')
@@ -34,10 +34,10 @@ class file { getattr read };
 #######################################
 #
-# getty_read_config_file(domain,[`optional'])
+# getty_read_config_file(domain)
 #
 define(`getty_read_config_file',`
-requires_block_template(getty_read_config_file_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 getty_etc_t:file { getattr read };
 ')
@@ -48,10 +48,10 @@ class file { getattr read };
 #######################################
 #
-# getty_modify_config_file(domain,[`optional'])
+# getty_modify_config_file(domain)
 #
 define(`getty_modify_config_file',`
-requires_block_template(getty_modify_config_file_depend,$2)
+requires_block_template(`$0'_depend)
 allow $1 getty_etc_t:file { getattr read write };
 ')
diff --git a/refpolicy/policy/modules/system/hotplug.if b/refpolicy/policy/modules/system/hotplug.if
index 6747c2bd..9299c20f 100644
--- a/refpolicy/policy/modules/system/hotplug.if
+++ b/refpolicy/policy/modules/system/hotplug.if
@@ -5,7 +5,7 @@
 # hotplug_transition(domain)
 #
 define(`hotplug_transition',`
-requires_block_template(hotplug_transition_depend)
+requires_block_template(`$0'_depend)
 allow $1 hotplug_exec_t:file { getattr read execute };
 allow $1 hotplug_t:process transition;
 type_transition $1 hotplug_exec_t:file hotplug_t;
@@ -23,7 +23,7 @@ class process { transition noatsecure siginh rlimitinh };
 # hotplug_execute(domain)
 #
 define(`hotplug_execute',`
-requires_block_template(hotplug_execute_depend)
+requires_block_template(`$0'_depend)
 allow $1 hotplug_exec_t:file { getattr read execute execute_no_trans };
 ')
@@ -37,7 +37,7 @@ class file { getattr read execute execute_no_trans };
 # hotplug_use_file_descriptors(domain)
 #
 define(`hotplug_use_file_descriptors',`
-requires_block_template(hotplug_use_file_descriptors_depend)
+requires_block_template(`$0'_depend)
 allow $1 hotplug_t:fd use;
 ')
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 47d4a836..319608d4 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -5,7 +5,7 @@
 # init_transition(domain)
 #
 define(`init_transition',`
-requires_block_template(init_transition_depend)
+requires_block_template(`$0'_depend)
 allow $1 init_exec_t:file { getattr read execute };
 allow $1 init_t:process transition;
 type_transition $1 init_exec_t:file init_t;
@@ -23,7 +23,7 @@ class process { transition noatsecure siginh rlimitinh };
 # init_get_control_channel_attributes(domain)
 #
 define(`init_get_control_channel_attributes',`
-requires_block_template(init_get_control_channel_attributes_depend)
+requires_block_template(`$0'_depend)
 allow $1 initctl_t:fifo_file getattr;
 ')
@@ -37,7 +37,7 @@ class fifo_file getattr;
 # init_use_control_channel(domain)
 #
 define(`init_use_control_channel',`
-requires_block_template(init_use_control_channel_depend)
+requires_block_template(`$0'_depend)
 allow $1 initctl_t:fifo_file { getattr read write };
 devices_list_device_nodes($1)
 ')
@@ -52,7 +52,7 @@ class fifo_file { getattr read write };
 # init_ignore_use_control_channel(domain)
 #
 define(`init_ignore_use_control_channel',`
-requires_block_template(init_ignore_use_control_channel_depend)
+requires_block_template(`$0'_depend)
 dontaudit $1 initctl_t:fifo_file { read write };
 ')
@@ -66,7 +66,7 @@ class fifo_file { read write };
 # init_sigchld(domain)
 #
 define(`init_sigchld',`
-requires_block_template(init_sigchld_depend)
+requires_block_template(`$0'_depend)
 allow $1 init_t:process sigchld;
 ')
@@ -80,7 +80,7 @@ class process sigchld;
 # init_use_file_descriptors(domain)
 #
 define(`init_use_file_descriptors',`
-requires_block_template(init_use_file_descriptors_depend)
+requires_block_template(`$0'_depend)
 allow $1 init_t:fd use;
 ')
@@ -94,7 +94,7 @@ class fd use;
 # init_ignore_use_file_descriptors(domain)
 #
 define(`init_ignore_use_file_descriptors',`
-requires_block_template(init_ignore_use_file_descriptors_depend)
+requires_block_template(`$0'_depend)
 dontaudit $1 init_t:fd use;
 ')
@@ -108,7 +108,7 @@ class fd use;
 # init_script_transition(domain)
 #
 define(`init_script_transition',`
-requires_block_template(init_script_transition_depend)
+requires_block_template(`$0'_depend)
 allow $1 initrc_exec_t:file { getattr read execute };
 allow $1 initrc_t:process transition;
 type_transition $1 initrc_exec_t:process init_t;
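Review bot: In `init_script_transition` the context line `type_transition $1 initrc_exec_t:process init_t;` names `init_t` as the destination domain while the allow rule directly above it grants `initrc_t:process transition`; unless init scripts are meant to run as `init_t`, the automatic transition targets a domain the allow rule does not cover and the `initrc_t` rule is never exercised. `init_script_direct_admin_transition` in the next hunk pairs `allow $2 initrc_t:process transition;` with the same `init_t` target. Neither line is changed by this commit, but since both hunks are being touched, suggest `type_transition $1 initrc_exec_t:process initrc_t;` here and the matching fix there. The macro body continues past the hunk.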
@@ -121,12 +121,26 @@ class file { getattr read execute }; class process { transition noatsecure siginh rlimitinh }; ') +######################################## +# +# init_script_execute(domain) +# +define(`init_script_execute',` +requires_block_template(`$0'_depend) +allow $1 initrc_exec_t:file { getattr read execute execute_no_trans }; +') + +define(`init_script_execute_depend',` +type initrc_exec_t; +class file { getattr read execute execute_no_trans }; +') + ######################################## # # init_script_direct_admin_transition(role,domain) # define(`init_script_direct_admin_transition',` -requires_block_template(init_script_direct_admin_transition_depend) +requires_block_template(`$0'_depend) allow $2 initrc_exec_t:file { getattr read execute }; allow $2 initrc_t:process transition; type_transition $2 initrc_exec_t:file init_t; @@ -146,7 +160,7 @@ kernel_system_role_transition_depend # init_script_use_file_descriptors(domain) # define(`init_script_use_file_descriptors',` -requires_block_template(init_script_use_file_descriptors_depend) +requires_block_template(`$0'_depend) allow $1 initrc_t:fd use; ') @@ -160,7 +174,7 @@ class fd use; # init_script_use_pseudoterminal(domain) # define(`init_script_use_pseudoterminal',` -requires_block_template(init_script_use_pseudoterminal_depend) +requires_block_template(`$0'_depend) allow $1 initrc_devpts_t:chr_file { read write }; ') @@ -174,7 +188,7 @@ class chr_file { read write }; # init_script_read_runtime_data(domain) # define(`init_script_read_runtime_data',` -requires_block_template(init_script_read_runtime_data_depend) +requires_block_template(`$0'_depend) files_read_runtime_data_directory($1) allow $1 initrc_var_run_t:file { getattr read }; ') 
@@ -189,7 +203,7 @@ class file { getattr read }; # init_script_modify_runtime_data(domain) # define(`init_script_modify_runtime_data',` -requires_block_template(init_script_modify_runtime_data_depend) +requires_block_template(`$0'_depend) files_read_runtime_data_directory($1) allow $1 initrc_var_run_t:file { getattr read write append }; ') @@ -204,7 +218,7 @@ class file { getattr read write append }; # init_script_ignore_modify_runtime_data(domain) # define(`init_script_ignore_modify_runtime_data',` -requires_block_template(init_script_ignore_modify_runtime_data_depend) +requires_block_template(`$0'_depend) dontaudit $1 initrc_var_run_t:file { getattr read write append }; ') @@ -212,3 +226,35 @@ define(`init_script_ignore_modify_runtime_data_depend',` type initrc_var_run_t; class file { getattr read write append }; ') + +######################################## +# +# init_run_init_transition(domain) +# +define(`init_run_init_transition',` +requires_block_template(`$0'_depend) +allow $1 run_init_exec_t:file { getattr read execute }; +allow $1 run_init_t:process transition; +type_transition $1 run_init_exec_t:file run_init_t; +dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh }; +') + +define(`init_run_init_transition_depend',` +type run_init_t, run_init_exec_t; +class file { getattr read execute }; +class process { transition noatsecure siginh rlimitinh }; +') + +######################################## +# +# init_run_init_use_file_descriptors(domain) +# +define(`init_run_init_use_file_descriptors',` +requires_block_template(`$0'_depend) +allow $1 run_init_t:fd use; +') + +define(`init_run_init_use_file_descriptors_depend',` +type run_init_t; +class fd use; +') diff --git a/refpolicy/policy/modules/system/iptables.if b/refpolicy/policy/modules/system/iptables.if index c389301c..5a3d6a86 100644 --- a/refpolicy/policy/modules/system/iptables.if +++ b/refpolicy/policy/modules/system/iptables.if 
@@ -5,7 +5,7 @@ # iptables_transition(domain) # define(`iptables_transition',` -requires_block_template(iptables_transition_depend) +requires_block_template(`$0'_depend) allow $1 iptables_exec_t:file { getattr read execute }; allow $1 iptables_t:process transition; type_transition $1 iptables_exec_t:file iptables_t; @@ -23,7 +23,7 @@ class process { transition noatsecure siginh rlimitinh }; # iptables_execute(domain) # define(`iptables_execute',` -requires_block_template(iptables_execute_depend) +requires_block_template(`$0'_depend) allow $1 iptables_exec_t:file { getattr read execute execute_no_trans }; ') diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if index 2832984c..7a8f4370 100644 --- a/refpolicy/policy/modules/system/libraries.if +++ b/refpolicy/policy/modules/system/libraries.if @@ -2,10 +2,10 @@ ######################################## # -# libraries_use_dynamic_loader(domain,[`optional'] +# libraries_use_dynamic_loader(domain # define(`libraries_use_dynamic_loader',` -requires_block_template(libraries_use_dynamic_loader_depend,$2) +requires_block_template(`$0'_depend) allow $1 lib_t:dir { getattr read search }; allow $1 lib_t:lnk_file { getattr read }; allow $1 ld_so_t:lnk_file { getattr read }; @@ -22,10 +22,10 @@ class file { getattr read execute }; ######################################## # -# libraries_legacy_use_dynamic_loader(domain,[`optional'] +# libraries_legacy_use_dynamic_loader(domain # define(`libraries_legacy_use_dynamic_loader',` -requires_block_template(libraries_legacy_use_dynamic_loader_depend,$2) +requires_block_template(`$0'_depend) libraries_use_dynamic_loader($1,optional) allow $1 ld_so_t:file execmod; allow $1 ld_so_cache_t:file execute; 
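Review bot: The rewritten header `+# libraries_use_dynamic_loader(domain` drops the closing parenthesis; it should be `# libraries_use_dynamic_loader(domain)`, consistent with every other module touched by this commit. The same truncated header is written for the other six interfaces in libraries.if (`libraries_legacy_use_dynamic_loader`, `libraries_modify_dynamic_loader_cache`, `libraries_read_shared_libraries`, `libraries_legacy_read_shared_libraries`, `libraries_read_static_libraries`, `libraries_execute_library_scripts`). The removed lines had the same defect, so the commit carries it forward rather than introducing it, but it is the natural moment to fix it.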
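Review bot: `libraries_use_dynamic_loader($1,optional)` in the `libraries_legacy_use_dynamic_loader` hunk still passes the `optional` second argument that this commit removes from `libraries_use_dynamic_loader`'s signature (now `(domain)`), so the argument is dead; m4 silently ignores surplus arguments to user macros, but the call now misdocuments the interface and should be `libraries_use_dynamic_loader($1)`. The same stale `,optional` survives in `libraries_legacy_read_shared_libraries` (`libraries_read_shared_libraries($1,optional)`) and in `modutils_read_kernel_module_dependencies` (`bootloader_list_kernel_modules($1,optional)`, whose callee presumably lost its second argument in the same commit). If the `optional` marker was meant to carry over into the new module-optional structure, that intent is lost here and should be re-expressed in the `_depend` blocks, which are outside these hunks.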
@@ -39,10 +39,10 @@ class file { execute execmod }; ######################################## # -# libraries_modify_dynamic_loader_cache(domain,[`optional'] +# libraries_modify_dynamic_loader_cache(domain # define(`libraries_modify_dynamic_loader_cache',` -requires_block_template(libraries_modify_dynamic_loader_cache_depend,$2) +requires_block_template(`$0'_depend) allow $1 ld_so_cache_t:file { getattr read write }; ') @@ -53,10 +53,10 @@ class file { getattr read write }; ######################################## # -# libraries_read_shared_libraries(domain,[`optional'] +# libraries_read_shared_libraries(domain # define(`libraries_read_shared_libraries',` -requires_block_template(libraries_read_shared_libraries_depend,$2) +requires_block_template(`$0'_depend) allow $1 lib_t:dir { getattr read search }; allow $1 lib_t:lnk_file { getattr read }; allow $1 { shlib_t texrel_shlib_t }:lnk_file { getattr read }; @@ -72,10 +72,10 @@ class file { getattr read execute }; ######################################## # -# libraries_legacy_read_shared_libraries(domain,[`optional'] +# libraries_legacy_read_shared_libraries(domain # define(`libraries_legacy_read_shared_libraries',` -requires_block_template(libraries_legacy_read_shared_libraries_depend,$2) +requires_block_template(`$0'_depend) libraries_read_shared_libraries($1,optional) allow $1 { shlib_t texrel_shlib_t }:file execmod; ') @@ -88,10 +88,10 @@ libraries_read_shared_libraries_depend ######################################## # -# libraries_read_static_libraries(domain,[`optional'] +# libraries_read_static_libraries(domain # define(`libraries_read_static_libraries',` -requires_block_template(libraries_read_static_libraries_depend,$2) +requires_block_template(`$0'_depend) allow $1 lib_t:dir { getattr read search }; allow $1 lib_t:{ file lnk_file } { getattr read }; ') 
@@ -105,10 +105,10 @@ class file { getattr read }; ######################################## # -# libraries_execute_library_scripts(domain,[`optional'] +# libraries_execute_library_scripts(domain # define(`libraries_execute_library_scripts',` -requires_block_template(libraries_execute_library_scripts_depend,$2) +requires_block_template(`$0'_depend) allow $1 lib_t:dir { getattr read search }; allow $1 lib_t:lnk_file { getattr read }; allow $1 lib_t:file { getattr read execute execute_no_trans }; diff --git a/refpolicy/policy/modules/system/locallogin.if b/refpolicy/policy/modules/system/locallogin.if index e283ec26..70172a05 100644 --- a/refpolicy/policy/modules/system/locallogin.if +++ b/refpolicy/policy/modules/system/locallogin.if @@ -2,10 +2,10 @@ ####################################### # -# locallogin_transition(domain,[`optional']) +# locallogin_transition(domain) # define(`locallogin_transition',` -requires_block_template(locallogin_transition_depend,$2) +requires_block_template(`$0'_depend) allow $1 login_exec_t:file { getattr read execute }; allow $1 local_login_t:process transition; type_transition $1 login_exec_t:file local_login_t; @@ -20,10 +20,10 @@ class process { transition noatsecure siginh rlimitinh }; ######################################## # -# locallogin_use_file_descriptors(domain,[`optional']) +# locallogin_use_file_descriptors(domain) # define(`locallogin_use_file_descriptors',` -requires_block_template(locallogin_use_file_descriptors_depend,$2) +requires_block_template(`$0'_depend) allow $1 local_login_t:fd use; ') diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if index 2ed2cd6d..6717f9fa 100644 --- a/refpolicy/policy/modules/system/logging.if +++ b/refpolicy/policy/modules/system/logging.if 
@@ -5,7 +5,7 @@ # logging_make_log_file(domain) # define(`logging_make_log_file',` -requires_block_template(logging_make_log_file_depend) +requires_block_template(`$0'_depend) files_make_file($1) typeattribute $1 logfile; ') @@ -19,7 +19,7 @@ attribute logfile; # logging_send_system_log_message(domain) # define(`logging_send_system_log_message',` -requires_block_template(logging_send_system_log_message_depend) +requires_block_template(`$0'_depend) allow $1 devlog_t:lnk_file read; allow $1 devlog_t:sock_file { ioctl read getattr lock write append }; # the type of socket depends on the syslog daemon @@ -41,7 +41,7 @@ class unix_stream_socket { create read getattr write setattr append bind connect # logging_search_system_log_directory(domain) # define(`logging_search_system_log_directory',` -requires_block_template(logging_search_system_log_directory_depend) +requires_block_template(`$0'_depend) files_search_system_state_data_directory($1) allow $1 var_log_t:dir search; ') @@ -56,7 +56,7 @@ class dir search; # logging_append_all_logs(domain) # define(`logging_append_all_logs',` -requires_block_template(logging_append_all_logs_depend) +requires_block_template(`$0'_depend) files_search_system_state_data_directory($1) allow $1 var_log_t:dir { getattr search read }; allow $1 logfile:file { getattr append }; @@ -74,7 +74,7 @@ class file { getattr append }; # logging_read_all_logs(domain) # define(`logging_read_all_logs',` -requires_block_template(logging_read_all_logs_depend) +requires_block_template(`$0'_depend) files_search_system_state_data_directory($1) allow $1 var_log_t:dir { getattr search read }; allow $1 logfile:file { getattr read }; 
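Review bot: The header `# logging_make_log_file(domain)` names the parameter `domain`, but the body applies `typeattribute $1 logfile;` and `files_make_file($1)`, so `$1` is a file type being declared a log file rather than a process domain. The header should read `# logging_make_log_file(type)` (or similar) so callers do not pass a domain type and end up tagging a process type with the `logfile` attribute. The `_depend` block for this interface lies outside the hunk.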
@@ -92,7 +92,7 @@ class file { getattr read }; # logging_modify_system_logs(domain) # define(`logging_modify_system_logs',` -requires_block_template(logging_modify_system_logs_depend) +requires_block_template(`$0'_depend) files_search_system_state_data_directory($1) allow $1 var_log_t:dir { getattr search read }; allow $1 var_log_t:file { getattr read write append }; diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if index 3570d5b3..7f078b49 100644 --- a/refpolicy/policy/modules/system/miscfiles.if +++ b/refpolicy/policy/modules/system/miscfiles.if @@ -2,10 +2,10 @@ ######################################## # -# miscfiles_read_localization(domain,[`optional']) +# miscfiles_read_localization(domain) # define(`miscfiles_read_localization',` -requires_block_template(miscfiles_read_localization_depend,$2) +requires_block_template(`$0'_depend) # FIXME: $1 read etc_t:lnk_file here # FIXME: $1 search usr_t:dir here # FIXME: $1 read lib_t:file(?) diff --git a/refpolicy/policy/modules/system/modutils.if b/refpolicy/policy/modules/system/modutils.if index 05b95018..b4cc3ecb 100644 --- a/refpolicy/policy/modules/system/modutils.if +++ b/refpolicy/policy/modules/system/modutils.if @@ -2,10 +2,10 @@ ######################################## # -# modutils_read_kernel_module_dependencies(domain,[`optional']) +# modutils_read_kernel_module_dependencies(domain) # define(`modutils_read_kernel_module_dependencies',` -requires_block_template(modutils_read_kernel_module_dependencies_depend,$2) +requires_block_template(`$0'_depend) bootloader_list_kernel_modules($1,optional) allow $1 modules_dep_t:file { getattr read }; ') 
@@ -19,10 +19,10 @@ bootloader_list_kernel_modules_depend ######################################## # -# modutils_read_kernel_module_loading_config(domain,[`optional']) +# modutils_read_kernel_module_loading_config(domain) # define(`modutils_read_kernel_module_loading_config',` -requires_block_template(modutils_read_kernel_module_loading_config_depend,$2) +requires_block_template(`$0'_depend) allow $1 modules_conf_t:file { getattr read }; ') @@ -33,10 +33,10 @@ class file { getattr create read write setattr unlink }; ######################################## # -# modutils_insmod_transition(domain,[`optional']) +# modutils_insmod_transition(domain) # define(`modutils_insmod_transition',` -requires_block_template(modutils_insmod_transition_depend,$2) +requires_block_template(`$0'_depend) allow $1 insmod_exec_t:file { getattr read execute }; allow $1 insmod_t:process transition; type_transition $1 insmod_exec_t:file insmod_t; @@ -51,10 +51,10 @@ class process { transition noatsecure siginh rlimitinh }; ######################################## # -# modutils_insmod_execute(domain,[`optional']) +# modutils_insmod_execute(domain) # define(`modutils_insmod_execute',` -requires_block_template(modutils_insmod_execute_depend,$2) +requires_block_template(`$0'_depend) allow $1 insmod_exec_t:file { getattr read execute execute_no_trans }; ') @@ -65,10 +65,10 @@ class file { getattr read execute execute_no_trans }; ######################################## # -# modutils_depmod_transition(domain,[`optional']) +# modutils_depmod_transition(domain) # define(`modutils_depmod_transition',` -requires_block_template(modutils_depmod_transition_depend,$2) +requires_block_template(`$0'_depend) allow $1 depmod_exec_t:file { getattr read execute }; allow $1 depmod_t:process transition; type_transition $1 depmod_exec_t:file depmod_t; 
@@ -83,10 +83,10 @@ class process { transition noatsecure siginh rlimitinh }; ######################################## # -# modutils_depmod_execute(domain,[`optional']) +# modutils_depmod_execute(domain) # define(`modutils_depmod_execute',` -requires_block_template(modutils_depmod_execute_depend,$2) +requires_block_template(`$0'_depend) allow $1 depmod_exec_t:file { getattr read execute execute_no_trans }; ') @@ -97,10 +97,10 @@ class file { getattr read execute execute_no_trans }; ######################################## # -# modutils_update_modules_transition(domain,[`optional']) +# modutils_update_modules_transition(domain) # define(`modutils_update_modules_transition',` -requires_block_template(modutils_update_modules_transition_depend,$2) +requires_block_template(`$0'_depend) allow $1 update_modules_exec_t:file { getattr read execute }; allow $1 update_modules_t:process transition; type_transition $1 update_modules_exec_t:file update_modules_t; @@ -115,10 +115,10 @@ class process { transition noatsecure siginh rlimitinh }; ######################################## # -# modutils_update_modules_execute(domain,[`optional']) +# modutils_update_modules_execute(domain) # define(`modutils_update_modules_execute',` -requires_block_template(modutils_update_modules_execute_depend,$2) +requires_block_template(`$0'_depend) allow $1 update_modules_exec_t:file { getattr read execute execute_no_trans }; ') diff --git a/refpolicy/policy/modules/system/mount.if b/refpolicy/policy/modules/system/mount.if index 201f9137..96606bde 100644 --- a/refpolicy/policy/modules/system/mount.if +++ b/refpolicy/policy/modules/system/mount.if 
@@ -2,10 +2,10 @@ ####################################### # -# mount_transition(domain,[`optional']) +# mount_transition(domain) # define(`mount_transition',` -requires_block_template(mount_transition_depend,$2) +requires_block_template(`$0'_depend) allow $1 mount_exec_t:file { getattr read execute }; allow $1 mount_t:process transition; type_transition $1 mount_exec_t:file mount_t; @@ -20,10 +20,10 @@ class process { transition noatsecure siginh rlimitinh }; ####################################### # -# mount_use_file_descriptors(domain,[`optional']) +# mount_use_file_descriptors(domain) # define(`mount_use_file_descriptors',` -requires_block_template(mount_use_file_descriptors_depend,$2) +requires_block_template(`$0'_depend) allow $1 mount_t:fd use; ') @@ -34,10 +34,10 @@ class fd use; ####################################### # -# mount_send_nfs_client_request(domain,[`optional']) +# mount_send_nfs_client_request(domain) # define(`mount_send_nfs_client_request',` -requires_block_template(mount_send_nfs_client_request_depend,$2) +requires_block_template(`$0'_depend) allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown; ') diff --git a/refpolicy/policy/modules/system/selinux.if b/refpolicy/policy/modules/system/selinux.if index 04a72740..99bf89da 100644 --- a/refpolicy/policy/modules/system/selinux.if +++ b/refpolicy/policy/modules/system/selinux.if @@ -5,7 +5,7 @@ # selinux_checkpolicy_transition(domain) # define(`selinux_checkpolicy_transition',` -requires_block_template(selinux_checkpolicy_transition_depend) +requires_block_template(`$0'_depend) allow $1 checkpolicy_exec_t:file { getattr read execute }; allow $1 checkpolicy_t:process transition; type_transition $1 checkpolicy_exec_t:file checkpolicy_t; 
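Review bot: In the `mount_send_nfs_client_request` hunk, `allow $1 mount_t:udp_socket ioctl read getattr write setattr append bind connect getopt setopt shutdown;` lists several permissions without braces, which checkpolicy rejects because a permission set must be a single name or a `{ ... }` list; it should be `allow $1 mount_t:udp_socket { ioctl read getattr write setattr append bind connect getopt setopt shutdown };`. This is a pre-existing context line the commit leaves untouched, but any module that calls this interface fails to build until it is fixed. The matching `_depend` block is outside the hunk and should declare the same permission set.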
@@ -23,7 +23,7 @@ class process { transition noatsecure siginh rlimitinh }; # selinux_checkpolicy_execute(domain) # define(`selinux_checkpolicy_execute',` -requires_block_template(selinux_checkpolicy_execute_depend) +requires_block_template(`$0'_depend) allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans }; ') @@ -37,7 +37,7 @@ class file { getattr read execute execute_no_trans }; # selinux_load_policy_transition(domain) # define(`selinux_load_policy_transition',` -requires_block_template(selinux_load_policy_transition_depend) +requires_block_template(`$0'_depend) allow $1 load_policy_exec_t:file { getattr read execute }; allow $1 load_policy_t:process transition; type_transition $1 load_policy_exec_t:file load_policy_t; @@ -55,7 +55,7 @@ class process { transition noatsecure siginh rlimitinh }; # selinux_load_policy_execute(domain) # define(`selinux_load_policy_execute',` -requires_block_template(selinux_load_policy_execute_depend) +requires_block_template(`$0'_depend) allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans }; ') @@ -69,7 +69,7 @@ class file { getattr read execute execute_no_trans }; # selinux_read_load_policy_binary(domain) # define(`selinux_read_load_policy_binary',` -requires_block_template(selinux_read_load_policy_binary_depend) +requires_block_template(`$0'_depend) allow $1 load_policy_exec_t:file { getattr read }; ') @@ -83,7 +83,7 @@ class file { getattr read }; # newrole_transition(domain) # define(`selinux_newrole_transition',` -requires_block_template(selinux_newrole_transition_depend) +requires_block_template(`$0'_depend) allow $1 newrole_exec_t:file { getattr read execute }; allow $1 newrole_t:process transition; type_transition $1 newrole_exec_t:file newrole_t; 
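Review bot: The header comment `# newrole_transition(domain)` does not match the macro it documents, `define(`selinux_newrole_transition',``; it should be `# selinux_newrole_transition(domain)` like the neighbouring interfaces so the documented name is the one callers actually use. The identical mismatch is present in the selinuxutil.if copy of this hunk further down.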
@@ -101,7 +101,7 @@ class process { transition noatsecure siginh rlimitinh }; # selinux_newrole_execute(domain) # define(`selinux_newrole_execute',` -requires_block_template(selinux_newrole_execute_depend) +requires_block_template(`$0'_depend) allow $1 newrole_exec_t:file { getattr read execute execute_no_trans }; ') @@ -115,7 +115,7 @@ class file { getattr read execute execute_no_trans }; # selinux_newrole_sigchld(domain) # define(`selinux_newrole_sigchld',` -requires_block_template(selinux_newrole_sigchld_depend) +requires_block_template(`$0'_depend) allow $1 newrole_t:process sigchld; ') @@ -129,7 +129,7 @@ class process sigchld; # selinux_newrole_use_file_descriptors(domain) # define(`selinux_newrole_use_file_descriptors',` -requires_block_template(selinux_newrole_use_file_descriptors_depend) +requires_block_template(`$0'_depend) allow $1 newrole_t:fd use; ') @@ -143,7 +143,7 @@ class fd use; # selinux_restorecon_transition(domain) # define(`selinux_restorecon_transition',` -requires_block_template(selinux_restorecon_transition_depend) +requires_block_template(`$0'_depend) allow $1 restorecon_exec_t:file { getattr read execute }; allow $1 restorecon_t:process transition; type_transition $1 restorecon_exec_t:file restorecon_t; @@ -161,7 +161,7 @@ class process { transition noatsecure siginh rlimitinh }; # selinux_restorecon_execute(domain) # define(`selinux_restorecon_execute',` -requires_block_template(selinux_restorecon_execute_depend) +requires_block_template(`$0'_depend) allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans }; ') @@ -175,7 +175,7 @@ class file { getattr read execute execute_no_trans }; # selinux_setfiles_transition(domain) # define(`selinux_setfiles_transition',` -requires_block_template(selinux_setfiles_transition_depend) +requires_block_template(`$0'_depend) allow $1 setfiles_exec_t:file { getattr read execute }; allow $1 setfiles_t:process transition; type_transition $1 setfiles_exec_t:file setfiles_t; 
@@ -193,7 +193,7 @@ class process { transition noatsecure siginh rlimitinh }; # selinux_setfiles_execute(domain) # define(`selinux_setfiles_execute',` -requires_block_template(selinux_setfiles_execute_depend) +requires_block_template(`$0'_depend) allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans }; ') @@ -204,10 +204,10 @@ class file { getattr read execute execute_no_trans }; ######################################## # -# selinux_read_config(domain,[`optional']) +# selinux_read_config(domain) # define(`selinux_read_config',` -requires_block_template(selinux_read_config_depend,$2) +requires_block_template(`$0'_depend) allow $1 selinux_config_t:dir { getattr search read }; allow $1 selinux_config_t:file { getattr read }; ') @@ -220,10 +220,10 @@ class file { getattr read }; ######################################## # -# selinux_read_default_contexts(domain,[`optional']) +# selinux_read_default_contexts(domain) # define(`selinux_read_default_contexts',` -requires_block_template(selinux_read_default_contexts_depend,$2) +requires_block_template(`$0'_depend) allow $1 selinux_config_t:dir search; allow $1 default_context_t:dir { getattr search read }; allow $1 default_context_t:file { getattr read }; @@ -237,10 +237,10 @@ class file { getattr read }; ######################################## # -# selinux_read_file_contexts(domain,[`optional']) +# selinux_read_file_contexts(domain) # define(`selinux_read_file_contexts',` -requires_block_template(selinux_read_file_contexts_depend,$2) +requires_block_template(`$0'_depend) allow $1 selinux_config_t:dir search; allow $1 file_context_t:dir { getattr search read }; allow $1 file_context_t:file { getattr read }; 
@@ -254,10 +254,10 @@ class file { getattr read }; ######################################## # -# selinux_read_binary_policy(domain,[`optional']) +# selinux_read_binary_policy(domain) # define(`selinux_read_binary_policy',` -requires_block_template(selinux_read_binary_policy_depend,$2) +requires_block_template(`$0'_depend) allow $1 policy_config_t:dir { getattr search read }; allow $1 policy_config_t:file { getattr read }; ') @@ -270,10 +270,10 @@ class file { getattr read }; ######################################## # -# selinux_write_binary_policy(domain,[`optional']) +# selinux_write_binary_policy(domain) # define(`selinux_write_binary_policy',` -requires_block_template(selinux_write_binary_policy_depend,$2) +requires_block_template(`$0'_depend) allow $1 policy_config_t:dir { getattr search read write add_name remove_name }; allow $1 policy_config_t:file { getattr create write unlink }; typeattribute $1 can_write_binary_policy; diff --git a/refpolicy/policy/modules/system/selinuxutil.if b/refpolicy/policy/modules/system/selinuxutil.if index 04a72740..99bf89da 100644 --- a/refpolicy/policy/modules/system/selinuxutil.if +++ b/refpolicy/policy/modules/system/selinuxutil.if @@ -5,7 +5,7 @@ # selinux_checkpolicy_transition(domain) # define(`selinux_checkpolicy_transition',` -requires_block_template(selinux_checkpolicy_transition_depend) +requires_block_template(`$0'_depend) allow $1 checkpolicy_exec_t:file { getattr read execute }; allow $1 checkpolicy_t:process transition; type_transition $1 checkpolicy_exec_t:file checkpolicy_t; @@ -23,7 +23,7 @@ class process { transition noatsecure siginh rlimitinh }; # selinux_checkpolicy_execute(domain) # define(`selinux_checkpolicy_execute',` -requires_block_template(selinux_checkpolicy_execute_depend) +requires_block_template(`$0'_depend) allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans }; ') 
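Review bot: selinuxutil.if in this diff is the same file as selinux.if (identical `index 04a72740..99bf89da` lines and identical hunks), so every macro from `selinux_checkpolicy_transition` through `selinux_write_binary_policy` is defined twice under the same names. If both files are fed to the same m4 pass, the later `define` of each name silently replaces the earlier one, and any future divergence between the two copies becomes an invisible source of policy drift. One of the two files should be dropped, or the duplicated interfaces renamed, before the two copies are edited independently.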
@@ -37,7 +37,7 @@ class file { getattr read execute execute_no_trans }; # selinux_load_policy_transition(domain) # define(`selinux_load_policy_transition',` -requires_block_template(selinux_load_policy_transition_depend) +requires_block_template(`$0'_depend) allow $1 load_policy_exec_t:file { getattr read execute }; allow $1 load_policy_t:process transition; type_transition $1 load_policy_exec_t:file load_policy_t; @@ -55,7 +55,7 @@ class process { transition noatsecure siginh rlimitinh }; # selinux_load_policy_execute(domain) # define(`selinux_load_policy_execute',` -requires_block_template(selinux_load_policy_execute_depend) +requires_block_template(`$0'_depend) allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans }; ') @@ -69,7 +69,7 @@ class file { getattr read execute execute_no_trans }; # selinux_read_load_policy_binary(domain) # define(`selinux_read_load_policy_binary',` -requires_block_template(selinux_read_load_policy_binary_depend) +requires_block_template(`$0'_depend) allow $1 load_policy_exec_t:file { getattr read }; ') @@ -83,7 +83,7 @@ class file { getattr read }; # newrole_transition(domain) # define(`selinux_newrole_transition',` -requires_block_template(selinux_newrole_transition_depend) +requires_block_template(`$0'_depend) allow $1 newrole_exec_t:file { getattr read execute }; allow $1 newrole_t:process transition; type_transition $1 newrole_exec_t:file newrole_t; @@ -101,7 +101,7 @@ class process { transition noatsecure siginh rlimitinh }; # selinux_newrole_execute(domain) # define(`selinux_newrole_execute',` -requires_block_template(selinux_newrole_execute_depend) +requires_block_template(`$0'_depend) allow $1 newrole_exec_t:file { getattr read execute execute_no_trans }; ') 
@@ -115,7 +115,7 @@ class file { getattr read execute execute_no_trans }; # selinux_newrole_sigchld(domain) # define(`selinux_newrole_sigchld',` -requires_block_template(selinux_newrole_sigchld_depend) +requires_block_template(`$0'_depend) allow $1 newrole_t:process sigchld; ') @@ -129,7 +129,7 @@ class process sigchld; # selinux_newrole_use_file_descriptors(domain) # define(`selinux_newrole_use_file_descriptors',` -requires_block_template(selinux_newrole_use_file_descriptors_depend) +requires_block_template(`$0'_depend) allow $1 newrole_t:fd use; ') @@ -143,7 +143,7 @@ class fd use; # selinux_restorecon_transition(domain) # define(`selinux_restorecon_transition',` -requires_block_template(selinux_restorecon_transition_depend) +requires_block_template(`$0'_depend) allow $1 restorecon_exec_t:file { getattr read execute }; allow $1 restorecon_t:process transition; type_transition $1 restorecon_exec_t:file restorecon_t; @@ -161,7 +161,7 @@ class process { transition noatsecure siginh rlimitinh }; # selinux_restorecon_execute(domain) # define(`selinux_restorecon_execute',` -requires_block_template(selinux_restorecon_execute_depend) +requires_block_template(`$0'_depend) allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans }; ') @@ -175,7 +175,7 @@ class file { getattr read execute execute_no_trans }; # selinux_setfiles_transition(domain) # define(`selinux_setfiles_transition',` -requires_block_template(selinux_setfiles_transition_depend) +requires_block_template(`$0'_depend) allow $1 setfiles_exec_t:file { getattr read execute }; allow $1 setfiles_t:process transition; type_transition $1 setfiles_exec_t:file setfiles_t; @@ -193,7 +193,7 @@ class process { transition noatsecure siginh rlimitinh }; # selinux_setfiles_execute(domain) # define(`selinux_setfiles_execute',` -requires_block_template(selinux_setfiles_execute_depend) +requires_block_template(`$0'_depend) allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans }; ') 
@@ -204,10 +204,10 @@ class file { getattr read execute execute_no_trans }; ######################################## # -# selinux_read_config(domain,[`optional']) +# selinux_read_config(domain) # define(`selinux_read_config',` -requires_block_template(selinux_read_config_depend,$2) +requires_block_template(`$0'_depend) allow $1 selinux_config_t:dir { getattr search read }; allow $1 selinux_config_t:file { getattr read }; ') @@ -220,10 +220,10 @@ class file { getattr read }; ######################################## # -# selinux_read_default_contexts(domain,[`optional']) +# selinux_read_default_contexts(domain) # define(`selinux_read_default_contexts',` -requires_block_template(selinux_read_default_contexts_depend,$2) +requires_block_template(`$0'_depend) allow $1 selinux_config_t:dir search; allow $1 default_context_t:dir { getattr search read }; allow $1 default_context_t:file { getattr read }; @@ -237,10 +237,10 @@ class file { getattr read }; ######################################## # -# selinux_read_file_contexts(domain,[`optional']) +# selinux_read_file_contexts(domain) # define(`selinux_read_file_contexts',` -requires_block_template(selinux_read_file_contexts_depend,$2) +requires_block_template(`$0'_depend) allow $1 selinux_config_t:dir search; allow $1 file_context_t:dir { getattr search read }; allow $1 file_context_t:file { getattr read }; @@ -254,10 +254,10 @@ class file { getattr read }; ######################################## # -# selinux_read_binary_policy(domain,[`optional']) +# selinux_read_binary_policy(domain) # define(`selinux_read_binary_policy',` -requires_block_template(selinux_read_binary_policy_depend,$2) +requires_block_template(`$0'_depend) allow $1 policy_config_t:dir { getattr search read }; allow $1 policy_config_t:file { getattr read }; ') 
@@ -270,10 +270,10 @@ class file { getattr read }; ######################################## # -# selinux_write_binary_policy(domain,[`optional']) +# selinux_write_binary_policy(domain) # define(`selinux_write_binary_policy',` -requires_block_template(selinux_write_binary_policy_depend,$2) +requires_block_template(`$0'_depend) allow $1 policy_config_t:dir { getattr search read write add_name remove_name }; allow $1 policy_config_t:file { getattr create write unlink }; typeattribute $1 can_write_binary_policy; diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if index 82f4d3d3..8f04d2a8 100644 --- a/refpolicy/policy/modules/system/sysnetwork.if +++ b/refpolicy/policy/modules/system/sysnetwork.if @@ -1,9 +1,29 @@ +# Copyright (C) 2005 Tresys Technology, LLC + ######################################## # -# sysnetwork_read_network_config(domain,[`optional']) +# sysnetwork_ifconfig_transition(domain) +# +define(`sysnetwork_ifconfig_transition',` +requires_block_template(`$0'_depend) +allow $1 ifconfig_exec_t:file { getattr read execute }; +allow $1 ifconfig_t:process transition; +type_transition $1 ifconfig_exec_t:file ifconfig_t; +dontaudit $1 ifconfig_t:process { noatsecure siginh rlimitinh }; +') + +define(`sysnetwork_ifconfig_transition_depend',` +type ifconfig_t, ifconfig_exec_t; +class file { getattr read execute }; +class process { transition noatsecure siginh rlimitinh }; +') + +######################################## +# +# sysnetwork_read_network_config(domain) # define(`sysnetwork_read_network_config',` -requires_block_template(sysnetwork_read_network_config_depend,$2) +requires_block_template(`$0'_depend) # FIXME: allow $1 etc_t:dir search; allow $1 net_conf_t:file { getattr read }; ') diff --git a/refpolicy/policy/modules/system/udev.if b/refpolicy/policy/modules/system/udev.if index 812134c5..11ceecb7 100644 --- a/refpolicy/policy/modules/system/udev.if +++ b/refpolicy/policy/modules/system/udev.if 
@@ -2,10 +2,10 @@ ####################################### # -# udev_transition(domain,[`optional']) +# udev_transition(domain) # define(`udev_transition',` -requires_block_template(udev_transition_depend,$2) +requires_block_template(`$0'_depend) allow $1 udev_exec_t:file { getattr read execute }; allow $1 udev_t:process transition; type_transition $1 udev_exec_t:file udev_t; @@ -20,10 +20,10 @@ class process { transition noatsecure siginh rlimitinh }; ######################################## # -# udev_read_database(domain,[`optional']) +# udev_read_database(domain) # define(`udev_read_database',` -requires_block_template(udev_read_database_depend,$2) +requires_block_template(`$0'_depend) allow $1 udev_tdb_t:file { getattr read }; ')