renaming insanity

This commit is contained in:
Chris PeBenito 2005-06-13 17:35:46 +00:00
parent b2bf0b5c98
commit c9428d33dc
72 changed files with 2317 additions and 2296 deletions


@ -434,9 +434,6 @@ clean:
rm -f $(FC) rm -f $(FC)
bare: clean bare: clean
find . -name *~ -exec rm -f {} \;
find . -name "*#*" -exec rm -f {} \;
find . -name ".*#*" -exec rm -f {} \;
rm -f $(POLXML) rm -f $(POLXML)
rm -f $(SUPPORT)/*.pyc rm -f $(SUPPORT)/*.pyc
rm -f $(FCSORT) rm -f $(FCSORT)


@ -1,9 +1,9 @@
####################################### #######################################
# #
# consoletype_transition(domain) # consoletype_domtrans(domain)
# #
define(`consoletype_transition',` define(`consoletype_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1,consoletype_exec_t,consoletype_t) domain_auto_trans($1,consoletype_exec_t,consoletype_t)
@ -14,7 +14,7 @@ define(`consoletype_transition',`
allow consoletype_t $1:process sigchld; allow consoletype_t $1:process sigchld;
') ')
define(`consoletype_transition_depend',` define(`consoletype_domtrans_depend',`
type consoletype_t, consoletype_exec_t; type consoletype_t, consoletype_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -25,16 +25,16 @@ define(`consoletype_transition_depend',`
####################################### #######################################
# #
# consoletype_execute(domain) # consoletype_exec(domain)
# #
define(`consoletype_execute',` define(`consoletype_exec',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,consoletype_exec_t) can_exec($1,consoletype_exec_t)
') ')
define(`consoletype_execute_depend',` define(`consoletype_exec_depend',`
type consoletype_exec_t; type consoletype_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };


@ -8,8 +8,8 @@ policy_module(consoletype, 1.0)
type consoletype_t; type consoletype_t;
type consoletype_exec_t; type consoletype_exec_t;
init_make_init_domain(consoletype_t,consoletype_exec_t) init_domain(consoletype_t,consoletype_exec_t)
init_make_system_domain(consoletype_t,consoletype_exec_t) init_system_domain(consoletype_t,consoletype_exec_t)
role system_r types consoletype_t; role system_r types consoletype_t;
######################################## ########################################
@ -39,27 +39,27 @@ fs_getattr_all_fs(consoletype_t)
term_use_console(consoletype_t) term_use_console(consoletype_t)
term_use_unallocated_tty(consoletype_t) term_use_unallocated_tty(consoletype_t)
init_use_file_descriptors(consoletype_t) init_use_fd(consoletype_t)
init_script_use_pseudoterminal(consoletype_t) init_use_script_pty(consoletype_t)
init_script_use_file_descriptors(consoletype_t) init_use_script_fd(consoletype_t)
domain_use_widely_inheritable_file_descriptors(consoletype_t) domain_use_wide_inherit_fd(consoletype_t)
files_ignore_read_rootfs_file(consoletype_t) files_dontaudit_read_root_file(consoletype_t)
libraries_use_dynamic_loader(consoletype_t) libs_use_ld_so(consoletype_t)
libraries_use_shared_libraries(consoletype_t) libs_use_shared_libs(consoletype_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
fs_use_tmpfs_character_devices(consoletype_t) fs_use_tmpfs_character_devices(consoletype_t)
') ')
optional_policy(`authlogin.te', ` optional_policy(`authlogin.te', `
authlogin_pam_read_runtime_data(consoletype_t) auth_read_pam_pid(consoletype_t)
') ')
optional_policy(`userdomain.te',` optional_policy(`userdomain.te',`
userdomain_use_all_unprivileged_users_file_descriptors(consoletype_t) userdom_use_unpriv_users_fd(consoletype_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`


@ -2,7 +2,7 @@
## <summary>Policy for dmesg.</summary> ## <summary>Policy for dmesg.</summary>
######################################## ########################################
## <interface name="dmesg_transition"> ## <interface name="dmesg_domtrans">
## <description> ## <description>
## Execute dmesg in the dmesg domain. ## Execute dmesg in the dmesg domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`dmesg_transition',` define(`dmesg_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 dmesg_exec_t:file rx_file_perms; allow $1 dmesg_exec_t:file rx_file_perms;
@ -25,7 +25,7 @@ define(`dmesg_transition',`
allow dmesg_t $1:process sigchld; allow dmesg_t $1:process sigchld;
') ')
define(`dmesg_transition_depend',` define(`dmesg_domtrans_depend',`
type dmesg_t, dmesg_exec_t; type dmesg_t, dmesg_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -35,7 +35,7 @@ define(`dmesg_transition_depend',`
') ')
######################################## ########################################
## <interface name="dmesg_execute"> ## <interface name="dmesg_exec">
## <description> ## <description>
## Execute dmesg in the caller domain. ## Execute dmesg in the caller domain.
## </description> ## </description>
@ -44,14 +44,14 @@ define(`dmesg_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`dmesg_execute',` define(`dmesg_exec',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,dmesg_exec_t) can_exec($1,dmesg_exec_t)
') ')
define(`dmesg_execute_depend',` define(`dmesg_exec_depend',`
type dmesg_exec_t; type dmesg_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };


@ -8,7 +8,7 @@ policy_module(dmesg, 1.0)
type dmesg_t; type dmesg_t;
type dmesg_exec_t; type dmesg_exec_t;
init_make_system_domain(dmesg_t,dmesg_exec_t) init_system_domain(dmesg_t,dmesg_exec_t)
role system_r types dmesg_t; role system_r types dmesg_t;
######################################## ########################################
@ -29,30 +29,30 @@ kernel_change_ring_buffer_level(dmesg_t)
term_dontaudit_use_console(dmesg_t) term_dontaudit_use_console(dmesg_t)
domain_use_widely_inheritable_file_descriptors(dmesg_t) domain_use_wide_inherit_fd(dmesg_t)
files_read_general_system_config_directory(dmesg_t) files_read_generic_etc_files_directory(dmesg_t)
# for when /usr is not mounted: # for when /usr is not mounted:
files_ignore_search_isid_type_dir(dmesg_t) files_dontaudit_search_isid_type_dir(dmesg_t)
init_use_file_descriptors(dmesg_t) init_use_fd(dmesg_t)
init_script_use_pseudoterminal(dmesg_t) init_use_script_pty(dmesg_t)
libraries_use_dynamic_loader(dmesg_t) libs_use_ld_so(dmesg_t)
libraries_use_shared_libraries(dmesg_t) libs_use_shared_libs(dmesg_t)
logging_send_system_log_message(dmesg_t) logging_send_syslog_msg(dmesg_t)
logging_write_system_logs(dmesg_t) logging_write_generic_logs(dmesg_t)
miscfiles_read_localization(dmesg_t) miscfiles_read_localization(dmesg_t)
userdomain_use_admin_terminals(dmesg_t) userdom_use_sysadm_terms(dmesg_t)
userdomain_ignore_use_all_unprivileged_users_file_descriptors(dmesg_t) userdom_dontaudit_use_unpriv_user_fd(dmesg_t)
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(dmesg_t) term_dontaudit_use_unallocated_tty(dmesg_t)
terminal_ignore_use_general_pseudoterminal(dmesg_t) terminal_ignore_use_general_pseudoterminal(dmesg_t)
files_ignore_read_rootfs_file(dmesg_t) files_dontaudit_read_root_file(dmesg_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
@ -60,7 +60,7 @@ optional_policy(`selinux.te',`
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_read_database(dmesg_t) udev_read_db(dmesg_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
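Review bot: One call inside the `targeted_policy` block escaped the rename: `terminal_ignore_use_general_pseudoterminal(dmesg_t)` keeps the old `terminal_`/`ignore` naming while every neighbour in the hunk now follows the `term_`/`dontaudit` scheme (`term_dontaudit_use_unallocated_tty`, `files_dontaudit_read_root_file`). If terminal.if was renamed in the same commit (not visible here) this macro no longer expands and the line is either emitted verbatim or fails the build; if it was not, it is still an inconsistency to fix. It should be changed to the `term_dontaudit_use_*` interface that now provides this access, and it is worth building the targeted variant since this block only expands under `ifdef(`targeted_policy')` and would not be caught by a strict-policy build.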


@ -1,9 +1,9 @@
####################################### #######################################
# #
# netutils_transition(domain) # netutils_domtrans(domain)
# #
define(`netutils_transition',` define(`netutils_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 netutils_exec_t:file rx_file_perms; allow $1 netutils_exec_t:file rx_file_perms;
@ -17,7 +17,7 @@ define(`netutils_transition',`
allow netutils_t $1:process sigchld; allow netutils_t $1:process sigchld;
') ')
define(`netutils_transition_depend',` define(`netutils_domtrans_depend',`
type netutils_t, netutils_exec_t; type netutils_t, netutils_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -28,16 +28,16 @@ define(`netutils_transition_depend',`
####################################### #######################################
# #
# netutils_execute(domain) # netutils_exec(domain)
# #
define(`netutils_execute',` define(`netutils_exec',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,netutils_exec_t) can_exec($1,netutils_exec_t)
') ')
define(`netutils_execute_depend',` define(`netutils_exec_depend',`
type netutils_exec_t; type netutils_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };


@ -8,20 +8,20 @@ policy_module(devices,1.0)
type netutils_t; type netutils_t;
type netutils_exec_t; type netutils_exec_t;
init_make_system_domain(netutils_t,netutils_exec_t) init_system_domain(netutils_t,netutils_exec_t)
role system_r types netutils_t; role system_r types netutils_t;
type netutils_tmp_t; type netutils_tmp_t;
files_make_temporary_file(netutils_tmp_t) files_tmp_file(netutils_tmp_t)
type ping_t; #, nscd_client_domain; type ping_t; #, nscd_client_domain;
type ping_exec_t; type ping_exec_t;
init_make_system_domain(ping_t,ping_exec_t) init_system_domain(ping_t,ping_exec_t)
role system_r types ping_t; role system_r types ping_t;
type traceroute_t; #, nscd_client_domain; type traceroute_t; #, nscd_client_domain;
type traceroute_exec_t; type traceroute_exec_t;
init_make_system_domain(traceroute_t,traceroute_exec_t) init_system_domain(traceroute_t,traceroute_exec_t)
role system_r types traceroute_t; role system_r types traceroute_t;
# #
@ -44,7 +44,7 @@ allow netutils_t self:tcp_socket create_socket_perms;
allow netutils_t netutils_tmp_t:dir create_dir_perms; allow netutils_t netutils_tmp_t:dir create_dir_perms;
allow netutils_t netutils_tmp_t:file create_file_perms; allow netutils_t netutils_tmp_t:file create_file_perms;
files_create_private_tmp_data(netutils_t, netutils_tmp_t, { file dir }) files_create_tmp_files(netutils_t, netutils_tmp_t, { file dir })
corenet_tcp_sendrecv_all_if(netutils_t) corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t) corenet_raw_sendrecv_all_if(netutils_t)
@ -59,19 +59,19 @@ corenet_udp_bind_all_nodes(netutils_t)
fs_getattr_xattr_fs(netutils_t) fs_getattr_xattr_fs(netutils_t)
init_use_file_descriptors(netutils_t) init_use_fd(netutils_t)
init_script_use_pseudoterminal(netutils_t) init_use_script_pty(netutils_t)
domain_use_widely_inheritable_file_descriptors(netutils_t) domain_use_wide_inherit_fd(netutils_t)
files_read_general_system_config(netutils_t) files_read_generic_etc_files(netutils_t)
# for nscd # for nscd
files_ignore_search_system_state_data_directory(netutils_t) files_dontaudit_search_var(netutils_t)
libraries_use_dynamic_loader(netutils_t) libs_use_ld_so(netutils_t)
libraries_use_shared_libraries(netutils_t) libs_use_shared_libs(netutils_t)
logging_send_system_log_message(netutils_t) logging_send_syslog_msg(netutils_t)
miscfiles_read_localization(netutils_t) miscfiles_read_localization(netutils_t)
@ -117,17 +117,17 @@ corenet_tcp_bind_all_nodes(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t) fs_dontaudit_getattr_xattr_fs(ping_t)
domain_use_widely_inheritable_file_descriptors(ping_t) domain_use_wide_inherit_fd(ping_t)
files_read_general_system_config(ping_t) files_read_generic_etc_files(ping_t)
files_ignore_search_system_state_data_directory(ping_t) files_dontaudit_search_var(ping_t)
libraries_use_dynamic_loader(ping_t) libs_use_ld_so(ping_t)
libraries_use_shared_libraries(ping_t) libs_use_shared_libs(ping_t)
sysnetwork_read_network_config(ping_t) sysnet_read_config(ping_t)
logging_send_system_log_message(ping_t) logging_send_syslog_msg(ping_t)
if (user_ping) { if (user_ping) {
term_use_all_user_ttys(ping_t) term_use_all_user_ttys(ping_t)
@ -175,22 +175,22 @@ corenet_tcp_bind_all_nodes(traceroute_t)
fs_dontaudit_getattr_xattr_fs(traceroute_t) fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_widely_inheritable_file_descriptors(traceroute_t) domain_use_wide_inherit_fd(traceroute_t)
files_read_general_system_config(traceroute_t) files_read_generic_etc_files(traceroute_t)
files_ignore_search_system_state_data_directory(traceroute_t) files_dontaudit_search_var(traceroute_t)
libraries_use_dynamic_loader(traceroute_t) libs_use_ld_so(traceroute_t)
libraries_use_shared_libraries(traceroute_t) libs_use_shared_libs(traceroute_t)
logging_send_system_log_message(traceroute_t) logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t) miscfiles_read_localization(traceroute_t)
#rules needed for nmap #rules needed for nmap
dev_read_rand(traceroute_t) dev_read_rand(traceroute_t)
dev_read_urand(traceroute_t) dev_read_urand(traceroute_t)
files_read_general_application_resources(traceroute_t) files_read_usr_files(traceroute_t)
if (user_ping) { if (user_ping) {
term_use_all_user_ttys(traceroute_t) term_use_all_user_ttys(traceroute_t)
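Review bot: The hunk header shows this file opening with `policy_module(devices,1.0)`, so the netutils module is declared under the name of an unrelated module; the declaration itself is outside the hunk and untouched by the rename. If the first argument of `policy_module` is what names the resulting module, building this file would yield a second "devices" module that collides with the real one rather than a netutils module. It should read `policy_module(netutils,1.0)`, matching `policy_module(consoletype, 1.0)` and `policy_module(dmesg, 1.0)` in the other files of this commit.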


@ -2,7 +2,7 @@
## <summary>Policy for the RPM package manager.</summary> ## <summary>Policy for the RPM package manager.</summary>
######################################## ########################################
## <interface name="rpm_transition"> ## <interface name="rpm_domtrans">
## <description> ## <description>
## Execute rpm programs in the rpm domain. ## Execute rpm programs in the rpm domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`rpm_transition',` define(`rpm_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 rpm_exec_t:file rx_file_perms; allow $1 rpm_exec_t:file rx_file_perms;
@ -25,7 +25,7 @@ define(`rpm_transition',`
allow rpm_t $1:process sigchld; allow rpm_t $1:process sigchld;
') ')
define(`rpm_transition_depend',` define(`rpm_domtrans_depend',`
type rpm_t, rpm_exec_t; type rpm_t, rpm_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -35,7 +35,7 @@ define(`rpm_transition_depend',`
') ')
######################################## ########################################
## <interface name="rpm_transition_add_role_use_terminal"> ## <interface name="rpm_run">
## <description> ## <description>
## Execute RPM programs in the RPM domain. ## Execute RPM programs in the RPM domain.
## </description> ## </description>
@ -50,23 +50,23 @@ define(`rpm_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`rpm_transition_add_role_use_terminal',` define(`rpm_run',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
rpm_transition($1) rpm_domtrans($1)
role $2 types rpm_t; role $2 types rpm_t;
role $2 types rpm_script_t; role $2 types rpm_script_t;
allow rpm_t $3:chr_file { getattr read write ioctl }; allow rpm_t $3:chr_file { getattr read write ioctl };
') ')
define(`rpm_transition_add_role_use_terminal_depend',` define(`rpm_run_depend',`
type rpm_t, rpm_script_t; type rpm_t, rpm_script_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
') ')
######################################## ########################################
## <interface name="rpm_use_file_descriptors"> ## <interface name="rpm_use_fd">
## <description> ## <description>
## Inherit and use file descriptors from RPM. ## Inherit and use file descriptors from RPM.
## </description> ## </description>
@ -75,13 +75,13 @@ define(`rpm_transition_add_role_use_terminal_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`rpm_use_file_descriptors',` define(`rpm_use_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 rpm_t:fd use; allow $1 rpm_t:fd use;
') ')
define(`rpm_use_file_descriptors_depend',` define(`rpm_use_fd_depend',`
type rpm_t; type rpm_t;
class fd use; class fd use;
@ -110,7 +110,7 @@ define(`rpm_read_pipe_depend',`
') ')
######################################## ########################################
## <interface name="rpm_read_package_database"> ## <interface name="rpm_read_db">
## <description> ## <description>
## Read RPM package database. ## Read RPM package database.
## </description> ## </description>
@ -119,7 +119,7 @@ define(`rpm_read_pipe_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`rpm_read_package_database',` define(`rpm_read_db',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 rpm_var_lib_t:dir r_dir_perms; allow $1 rpm_var_lib_t:dir r_dir_perms;
@ -127,7 +127,7 @@ define(`rpm_read_package_database',`
allow $1 rpm_var_lib_t:lnk_file r_file_perms; allow $1 rpm_var_lib_t:lnk_file r_file_perms;
') ')
define(`rpm_read_package_database_depend',` define(`rpm_read_db_depend',`
type rpm_var_lib_t_t; type rpm_var_lib_t_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -137,9 +137,9 @@ define(`rpm_read_package_database_depend',`
######################################## ########################################
# #
# rpm_manage_package_database(domain) # rpm_manage_db(domain)
# #
define(`rpm_manage_package_database',` define(`rpm_manage_db',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 rpm_var_lib_t:dir rw_dir_perms; allow $1 rpm_var_lib_t:dir rw_dir_perms;
@ -147,7 +147,7 @@ define(`rpm_manage_package_database',`
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink }; allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
') ')
define(`rpm_manage_package_database_depend',` define(`rpm_manage_db_depend',`
type rpm_var_lib_t_t; type rpm_var_lib_t_t;
class dir rw_dir_perms; class dir rw_dir_perms;
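Review bot: Both renamed depend blocks still declare a type that does not exist: `rpm_read_db_depend` and `rpm_manage_db_depend` say `type rpm_var_lib_t_t;` while the interface bodies above them grant access to `rpm_var_lib_t`, which is also the name rpm.te declares. Presumably the depend block is what a consuming module pulls in as its requirement, so any module calling `rpm_read_db` or `rpm_manage_db` would require a type nobody defines; change both lines to `type rpm_var_lib_t;`. The description of `rpm_run` also still reads only "Execute RPM programs in the RPM domain." although the body additionally grants `$2` the rpm_t and rpm_script_t domains and `$3` terminal access; the usermanage `*_run` interfaces document that, so `## Execute RPM programs in the RPM domain, and allow the specified role the RPM domains.` would match them.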


@ -8,47 +8,47 @@ policy_module(rpm,1.0)
type rpm_t; #, admin, privmem, priv_system_role; type rpm_t; #, admin, privmem, priv_system_role;
type rpm_exec_t; type rpm_exec_t;
init_make_system_domain(rpm_t,rpm_exec_t) init_system_domain(rpm_t,rpm_exec_t)
kernel_make_object_identity_change_constraint_exception(rpm_t) kernel_obj_id_change_exempt(rpm_t)
domain_make_file_descriptors_widely_inheritable(rpm_t) domain_wide_inherit_fd(rpm_t)
role system_r types rpm_t; role system_r types rpm_t;
type rpm_file_t; type rpm_file_t;
files_make_file(rpm_file_t) files_file_type(rpm_file_t)
type rpm_tmp_t; type rpm_tmp_t;
files_make_temporary_file(rpm_tmp_t) files_tmp_file(rpm_tmp_t)
type rpm_tmpfs_t; type rpm_tmpfs_t;
files_make_tmpfs_file(rpm_tmpfs_t) files_tmpfs_file(rpm_tmpfs_t)
type rpm_log_t; type rpm_log_t;
logging_make_log_file(rpm_log_t) logging_log_file(rpm_log_t)
type rpm_var_lib_t; type rpm_var_lib_t;
files_make_file(rpm_var_lib_t) files_file_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t; typealias rpm_var_lib_t alias var_lib_rpm_t;
type rpm_script_t; #, admin, privmem, priv_system_role; type rpm_script_t; #, admin, privmem, priv_system_role;
type rpm_script_exec_t; type rpm_script_exec_t;
kernel_make_object_identity_change_constraint_exception(rpm_script_t) kernel_obj_id_change_exempt(rpm_script_t)
corecommands_make_shell_entrypoint(rpm_script_t) corecmd_shell_entry_type(rpm_script_t)
domain_make_domain(rpm_script_t) domain_type(rpm_script_t)
domain_make_entrypoint_file(rpm_t,rpm_script_t) domain_entry_file(rpm_t,rpm_script_t)
domain_make_file_descriptors_widely_inheritable(rpm_script_t) domain_wide_inherit_fd(rpm_script_t)
role system_r types rpm_script_t; role system_r types rpm_script_t;
type rpm_script_tmp_t; type rpm_script_tmp_t;
files_make_temporary_file(rpm_script_tmp_t) files_tmp_file(rpm_script_tmp_t)
type rpm_script_tmpfs_t; type rpm_script_tmpfs_t;
files_make_tmpfs_file(rpm_script_tmpfs_t) files_tmpfs_file(rpm_script_tmpfs_t)
type rpmbuild_t; type rpmbuild_t;
domain_make_domain(rpmbuild_t) domain_type(rpmbuild_t)
type rpmbuild_exec_t; type rpmbuild_exec_t;
domain_make_entrypoint_file(rpmbuild_t,rpmbuild_exec_t) domain_entry_file(rpmbuild_t,rpmbuild_exec_t)
######################################## ########################################
# #
@ -75,11 +75,11 @@ allow rpm_t self:dir search;
allow rpm_t self:file rw_file_perms;; allow rpm_t self:file rw_file_perms;;
allow rpm_t rpm_log_t:file create_file_perms; allow rpm_t rpm_log_t:file create_file_perms;
logging_create_private_log(rpm_t,rpm_log_t) logging_create_log(rpm_t,rpm_log_t)
allow rpm_t rpm_tmp_t:dir create_dir_perms; allow rpm_t rpm_tmp_t:dir create_dir_perms;
allow rpm_t rpm_tmp_t:file create_file_perms; allow rpm_t rpm_tmp_t:file create_file_perms;
files_create_private_tmp_data(rpm_t, rpm_tmp_t, { file dir }) files_create_tmp_files(rpm_t, rpm_tmp_t, { file dir })
allow rpm_t rpm_tmpfs_t:dir create_dir_perms; allow rpm_t rpm_tmpfs_t:dir create_dir_perms;
allow rpm_t rpm_tmpfs_t:file create_file_perms; allow rpm_t rpm_tmpfs_t:file create_file_perms;
@ -126,35 +126,35 @@ storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t) term_list_ptys(rpm_t)
authlogin_ignore_read_shadow_passwords(rpm_t) auth_dontaudit_read_shadow(rpm_t)
corecommands_execute_general_programs(rpm_t) corecmd_exec_bin(rpm_t)
corecommands_execute_system_programs(rpm_t) corecmd_exec_sbin(rpm_t)
corecommands_shell_transition(rpm_t,rpm_script_t) corecmd_domtrans_shell(rpm_t,rpm_script_t)
domain_execute_all_entrypoint_programs(rpm_t) domain_exec_all_entry_files(rpm_t)
domain_read_all_domains_process_state(rpm_t) domain_read_all_domains_state(rpm_t)
domain_use_widely_inheritable_file_descriptors(rpm_t) domain_use_wide_inherit_fd(rpm_t)
files_execute_system_config_script(rpm_t) files_exec_generic_etc_files(rpm_t)
init_script_transition(rpm_t) init_domtrans_script(rpm_t)
libraries_use_dynamic_loader(rpm_t) libs_use_ld_so(rpm_t)
libraries_use_shared_libraries(rpm_t) libs_use_shared_libs(rpm_t)
libraries_execute_dynamic_loader(rpm_t) libs_exec_ld_so(rpm_t)
libraries_execute_library_scripts(rpm_t) libs_exec_lib_files(rpm_t)
libraries_ldconfig_transition(rpm_t) libs_domtrans_ldconfig(rpm_t)
logging_send_system_log_message(rpm_t) logging_send_syslog_msg(rpm_t)
# allow compiling and loading new policy # allow compiling and loading new policy
selinux_manage_source_policy(rpm_t) selinux_manage_src_pol(rpm_t)
selinux_manage_binary_policy(rpm_t) selinux_manage_binary_pol(rpm_t)
sysnetwork_read_network_config(rpm_t) sysnet_read_config(rpm_t)
userdomain_use_all_unprivileged_users_file_descriptors(rpm_t) userdom_use_unpriv_users_fd(rpm_t)
#cron_transition_from(rpm,rpm_exec_t) #cron_transition_from(rpm,rpm_exec_t)
@ -235,11 +235,11 @@ allow rpm_script_t rpm_tmp_t:file r_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton; allow rpm_script_t rpm_script_tmp_t:dir mounton;
allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms; allow rpm_script_t rpm_script_tmp_t:dir create_dir_perms;
allow rpm_script_t rpm_script_tmp_t:file create_file_perms; allow rpm_script_t rpm_script_tmp_t:file create_file_perms;
files_create_private_tmp_data(rpm_script_t, rpm_script_tmp_t, { file dir }) files_create_tmp_files(rpm_script_t, rpm_script_tmp_t, { file dir })
allow rpm_script_t rpm_script_tmpfs_t:dir rw_dir_perms; allow rpm_script_t rpm_script_tmpfs_t:dir create_dir_perms;
allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms; allow rpm_script_t rpm_script_tmpfs_t:file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_file_perms; allow rpm_script_t rpm_script_tmpfs_t:lnk_file create_lnk_perms;
allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms; allow rpm_script_t rpm_script_tmpfs_t:sock_file create_file_perms;
allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms; allow rpm_script_t rpm_script_tmpfs_t:fifo_file create_file_perms;
fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) fs_create_tmpfs_data(rpm_script_t,rpm_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@ -272,41 +272,41 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t) term_list_ptys(rpm_script_t)
authlogin_ignore_get_shadow_passwords_attributes(rpm_script_t) auth_dontaudit_getattr_shadow(rpm_script_t)
# ideally we would not need this # ideally we would not need this
authlogin_manage_all_files_except_shadow(rpm_script_t) auth_manage_all_files_except_shadow(rpm_script_t)
corecommands_execute_general_programs(rpm_script_t) corecmd_exec_bin(rpm_script_t)
corecommands_execute_system_programs(rpm_script_t) corecmd_exec_sbin(rpm_script_t)
domain_read_all_domains_process_state(rpm_script_t) domain_read_all_domains_state(rpm_script_t)
domain_use_widely_inheritable_file_descriptors(rpm_script_t) domain_use_wide_inherit_fd(rpm_script_t)
domain_execute_all_entrypoint_programs(rpm_script_t) domain_exec_all_entry_files(rpm_script_t)
domain_signal_all_domains(rpm_script_t) domain_signal_all_domains(rpm_script_t)
domain_signull_all_domains(rpm_script_t) domain_signull_all_domains(rpm_script_t)
files_execute_system_config_script(rpm_script_t) files_exec_generic_etc_files(rpm_script_t)
files_read_runtime_system_config(rpm_script_t) files_read_etc_runtime_files(rpm_script_t)
init_script_transition(rpm_script_t) init_domtrans_script(rpm_script_t)
libraries_use_dynamic_loader(rpm_script_t) libs_use_ld_so(rpm_script_t)
libraries_use_shared_libraries(rpm_script_t) libs_use_shared_libs(rpm_script_t)
libraries_execute_dynamic_loader(rpm_script_t) libs_exec_ld_so(rpm_script_t)
libraries_execute_library_scripts(rpm_script_t) libs_exec_lib_files(rpm_script_t)
libraries_ldconfig_transition(rpm_script_t) libs_domtrans_ldconfig(rpm_script_t)
logging_send_system_log_message(rpm_script_t) logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t) miscfiles_read_localization(rpm_script_t)
modutils_depmod_transition(rpm_script_t) modutils_domtrans_depmod(rpm_script_t)
modutils_insmod_transition(rpm_script_t) modutils_domtrans_insmod(rpm_script_t)
selinux_load_policy_transition(rpm_script_t) selinux_domtrans_loadpol(rpm_script_t)
selinux_restorecon_transition(rpm_script_t) selinux_domtrans_restorecon(rpm_script_t)
userdomain_use_all_users_file_descriptors(rpm_script_t) userdom_use_all_user_fd(rpm_script_t)
optional_policy(`bootloader.te', ` optional_policy(`bootloader.te', `
bootloader_domtrans(rpm_script_t) bootloader_domtrans(rpm_script_t)
@ -354,7 +354,7 @@ kernel_compute_create_context(rpmbuild_t)
kernel_compute_relabel_context(rpmbuild_t) kernel_compute_relabel_context(rpmbuild_t)
kernel_compute_reachable_user_contexts(rpmbuild_t) kernel_compute_reachable_user_contexts(rpmbuild_t)
selinux_read_source_policy(rpmbuild_t) selinux_read_src_pol(rpmbuild_t)
ifdef(`TODO',` ifdef(`TODO',`
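Review bot: The rpm_script_t tmpfs rules near the middle of this section change permissions, not just names: `allow rpm_script_t rpm_script_tmpfs_t:dir rw_dir_perms;` becomes `create_dir_perms`, and the lnk_file rule moves from `create_file_perms` to `create_lnk_perms`. The first widens what rpm_script_t may do to its tmpfs directories; it looks intended, since the sibling file, sock_file and fifo_file rules already use `create_*`, but an access-vector change inside a commit described only as a rename should be called out in the description so it is auditable later. Separately, the untouched line `allow rpm_t self:file rw_file_perms;;` carries a stray second semicolon; `allow rpm_t self:file rw_file_perms;` is enough.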


@ -2,7 +2,7 @@
## <summary>Policy for managing user accounts.</summary> ## <summary>Policy for managing user accounts.</summary>
######################################## ########################################
## <interface name="usermanage_chfn_transition"> ## <interface name="usermanage_domtrans_chfn">
## <description> ## <description>
## Execute chfn in the chfn domain. ## Execute chfn in the chfn domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`usermanage_chfn_transition',` define(`usermanage_domtrans_chfn',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 chfn_exec_t:file rx_file_perms; allow $1 chfn_exec_t:file rx_file_perms;
@ -25,7 +25,7 @@ define(`usermanage_chfn_transition',`
allow chfn_t $1:process sigchld; allow chfn_t $1:process sigchld;
') ')
define(`usermanage_chfn_transition_depend',` define(`usermanage_domtrans_chfn_depend',`
type chfn_t, chfn_exec_t; type chfn_t, chfn_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -35,7 +35,7 @@ define(`usermanage_chfn_transition_depend',`
') ')
######################################## ########################################
## <interface name="usermanage_chfn_transition_add_role_use_terminal"> ## <interface name="usermanage_run_chfn">
## <description> ## <description>
## Execute chfn in the chfn domain, and ## Execute chfn in the chfn domain, and
## allow the specified role the chfn domain. ## allow the specified role the chfn domain.
@ -51,22 +51,22 @@ define(`usermanage_chfn_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`usermanage_chfn_transition_add_role_use_terminal',` define(`usermanage_run_chfn',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
usermanage_chfn_transition($1) usermanage_domtrans_chfn($1)
role $2 types chfn_t; role $2 types chfn_t;
allow chfn_t $3:chr_file { getattr read write ioctl }; allow chfn_t $3:chr_file { getattr read write ioctl };
') ')
define(`usermanage_chfn_transition_add_role_use_terminal_depend',` define(`usermanage_run_chfn_depend',`
type chfn_t; type chfn_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
') ')
######################################## ########################################
## <interface name="usermanage_groupadd_transition"> ## <interface name="usermanage_domtrans_groupadd">
## <description> ## <description>
## Execute groupadd in the groupadd domain. ## Execute groupadd in the groupadd domain.
## </description> ## </description>
@ -75,7 +75,7 @@ define(`usermanage_chfn_transition_add_role_use_terminal_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`usermanage_groupadd_transition',` define(`usermanage_domtrans_groupadd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1,groupadd_exec_t,groupadd_t) domain_auto_trans($1,groupadd_exec_t,groupadd_t)
@ -86,7 +86,7 @@ define(`usermanage_groupadd_transition',`
allow groupadd_t $1:process sigchld; allow groupadd_t $1:process sigchld;
') ')
define(`usermanage_groupadd_transition_depend',` define(`usermanage_domtrans_groupadd_depend',`
type groupadd_t, groupadd_exec_t; type groupadd_t, groupadd_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -96,7 +96,7 @@ define(`usermanage_groupadd_transition_depend',`
') ')
######################################## ########################################
## <interface name="usermanage_groupadd_transition_add_role_use_terminal"> ## <interface name="usermanage_run_groupadd">
## <description> ## <description>
## Execute groupadd in the groupadd domain, and ## Execute groupadd in the groupadd domain, and
## allow the specified role the groupadd domain. ## allow the specified role the groupadd domain.
@ -112,22 +112,22 @@ define(`usermanage_groupadd_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`usermanage_groupadd_transition_add_role_use_terminal',` define(`usermanage_run_groupadd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
usermanage_groupadd_transition($1) usermanage_domtrans_groupadd($1)
role $2 types groupadd_t; role $2 types groupadd_t;
allow groupadd_t $3:chr_file { getattr read write ioctl }; allow groupadd_t $3:chr_file { getattr read write ioctl };
') ')
define(`usermanage_groupadd_transition_add_role_use_terminal_depend',` define(`usermanage_run_groupadd_depend',`
type groupadd_t; type groupadd_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
') ')
######################################## ########################################
## <interface name="usermanage_passwd_transition"> ## <interface name="usermanage_domtrans_passwd">
## <description> ## <description>
## Execute passwd in the passwd domain. ## Execute passwd in the passwd domain.
## </description> ## </description>
@ -136,7 +136,7 @@ define(`usermanage_groupadd_transition_add_role_use_terminal_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`usermanage_passwd_transition',` define(`usermanage_domtrans_passwd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 passwd_exec_t:file rx_file_perms; allow $1 passwd_exec_t:file rx_file_perms;
@ -150,7 +150,7 @@ define(`usermanage_passwd_transition',`
allow passwd_t $1:process sigchld; allow passwd_t $1:process sigchld;
') ')
define(`usermanage_passwd_transition_depend',` define(`usermanage_domtrans_passwd_depend',`
type passwd_t, passwd_exec_t; type passwd_t, passwd_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -160,7 +160,7 @@ define(`usermanage_passwd_transition_depend',`
') ')
######################################## ########################################
## <interface name="usermanage_passwd_transition_add_role_use_terminal"> ## <interface name="usermanage_run_passwd">
## <description> ## <description>
## Execute passwd in the passwd domain, and ## Execute passwd in the passwd domain, and
## allow the specified role the passwd domain. ## allow the specified role the passwd domain.
@ -176,22 +176,22 @@ define(`usermanage_passwd_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`usermanage_passwd_transition_add_role_use_terminal',` define(`usermanage_run_passwd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
usermanage_passwd_transition($1) usermanage_domtrans_passwd($1)
role $2 types passwd_t; role $2 types passwd_t;
allow passwd_t $3:chr_file { getattr read write ioctl }; allow passwd_t $3:chr_file { getattr read write ioctl };
') ')
define(`usermanage_passwd_transition_add_role_use_terminal_depend',` define(`usermanage_run_passwd_depend',`
type passwd_t; type passwd_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
') ')
######################################## ########################################
## <interface name="usermanage_useradd_transition"> ## <interface name="usermanage_domtrans_useradd">
## <description> ## <description>
## Execute useradd in the useradd domain. ## Execute useradd in the useradd domain.
## </description> ## </description>
@ -200,7 +200,7 @@ define(`usermanage_passwd_transition_add_role_use_terminal_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`usermanage_useradd_transition',` define(`usermanage_domtrans_useradd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 useradd_exec_t:file rx_file_perms; allow $1 useradd_exec_t:file rx_file_perms;
@ -214,7 +214,7 @@ define(`usermanage_useradd_transition',`
allow useradd_t $1:process sigchld; allow useradd_t $1:process sigchld;
') ')
define(`usermanage_useradd_transition_depend',` define(`usermanage_domtrans_useradd_depend',`
type useradd_t, useradd_exec_t; type useradd_t, useradd_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -224,7 +224,7 @@ define(`usermanage_useradd_transition_depend',`
') ')
######################################## ########################################
## <interface name="usermanage_useradd_transition_add_role_use_terminal"> ## <interface name="usermanage_run_useradd">
## <description> ## <description>
## Execute useradd in the useradd domain, and ## Execute useradd in the useradd domain, and
## allow the specified role the useradd domain. ## allow the specified role the useradd domain.
@ -240,15 +240,15 @@ define(`usermanage_useradd_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`usermanage_useradd_transition_add_role_use_terminal',` define(`usermanage_run_useradd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
usermanage_useradd_transition($1) usermanage_domtrans_useradd($1)
role $2 types useradd_t; role $2 types useradd_t;
allow useradd_t $3:chr_file { getattr read write ioctl }; allow useradd_t $3:chr_file { getattr read write ioctl };
') ')
define(`usermanage_useradd_transition_add_role_use_terminal_depend',` define(`usermanage_run_useradd_depend',`
type useradd_t; type useradd_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };


@ -7,54 +7,54 @@ policy_module(usermanage,1.0)
# #
type admin_passwd_exec_t; type admin_passwd_exec_t;
files_make_file(admin_passwd_exec_t) files_file_type(admin_passwd_exec_t)
type chfn_t; type chfn_t;
kernel_make_object_identity_change_constraint_exception(chfn_t) kernel_obj_id_change_exempt(chfn_t)
domain_make_domain(chfn_t) domain_type(chfn_t)
role system_r types chfn_t; role system_r types chfn_t;
type chfn_exec_t; type chfn_exec_t;
domain_make_entrypoint_file(chfn_t,chfn_exec_t) domain_entry_file(chfn_t,chfn_exec_t)
type crack_t; type crack_t;
role system_r types crack_t; role system_r types crack_t;
type crack_exec_t; type crack_exec_t;
domain_make_entrypoint_file(crack_t,crack_exec_t) domain_entry_file(crack_t,crack_exec_t)
type crack_db_t; #, usercanread; type crack_db_t; #, usercanread;
files_make_file(crack_db_t) files_file_type(crack_db_t)
type crack_tmp_t; type crack_tmp_t;
files_make_temporary_file(crack_tmp_t) files_tmp_file(crack_tmp_t)
type groupadd_t; #, nscd_client_domain; type groupadd_t; #, nscd_client_domain;
type groupadd_exec_t; type groupadd_exec_t;
kernel_make_object_identity_change_constraint_exception(groupadd_t) kernel_obj_id_change_exempt(groupadd_t)
init_make_system_domain(groupadd_t,groupadd_exec_t) init_system_domain(groupadd_t,groupadd_exec_t)
role system_r types groupadd_t; role system_r types groupadd_t;
type passwd_t; type passwd_t;
kernel_make_object_identity_change_constraint_exception(passwd_t) kernel_obj_id_change_exempt(passwd_t)
domain_make_domain(passwd_t) domain_type(passwd_t)
role system_r types passwd_t; role system_r types passwd_t;
type passwd_exec_t; type passwd_exec_t;
domain_make_entrypoint_file(passwd_t,passwd_exec_t) domain_entry_file(passwd_t,passwd_exec_t)
type sysadm_passwd_t; type sysadm_passwd_t;
kernel_make_object_identity_change_constraint_exception(sysadm_passwd_t) kernel_obj_id_change_exempt(sysadm_passwd_t)
domain_make_domain(sysadm_passwd_t) domain_type(sysadm_passwd_t)
domain_make_entrypoint_file(sysadm_passwd_t,admin_passwd_exec_t) domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
type sysadm_passwd_tmp_t; type sysadm_passwd_tmp_t;
files_make_file(sysadm_passwd_tmp_t) files_file_type(sysadm_passwd_tmp_t)
type useradd_t; # nscd_client_domain; type useradd_t; # nscd_client_domain;
type useradd_exec_t; type useradd_exec_t;
kernel_make_object_identity_change_constraint_exception(useradd_t) kernel_obj_id_change_exempt(useradd_t)
init_make_system_domain(useradd_t,useradd_exec_t) init_system_domain(useradd_t,useradd_exec_t)
role system_r types useradd_t; role system_r types useradd_t;
######################################## ########################################
@ -94,22 +94,22 @@ dev_read_urand(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate # /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp. # correctly without it. Do not audit write denials to utmp.
init_script_ignore_modify_runtime_data(chfn_t) init_dontaudit_rw_script_pid(chfn_t)
domain_use_widely_inheritable_file_descriptors(chfn_t) domain_use_wide_inherit_fd(chfn_t)
files_manage_general_system_config(chfn_t) files_manage_generic_etc_files(chfn_t)
files_read_runtime_system_config(chfn_t) files_read_etc_runtime_files(chfn_t)
libraries_use_dynamic_loader(chfn_t) libs_use_ld_so(chfn_t)
libraries_use_shared_libraries(chfn_t) libs_use_shared_libs(chfn_t)
miscfiles_read_localization(chfn_t) miscfiles_read_localization(chfn_t)
logging_send_system_log_message(chfn_t) logging_send_syslog_msg(chfn_t)
authlogin_check_password_transition(chfn_t) auth_domtrans_chk_passwd(chfn_t)
authlogin_ignore_read_shadow_passwords(chfn_t) auth_dontaudit_read_shadow(chfn_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types chfn_t; role sysadm_r types chfn_t;
@ -152,11 +152,11 @@ allow crack_t self:fifo_file rw_file_perms;
allow crack_t crack_db_t:dir rw_dir_perms; allow crack_t crack_db_t:dir rw_dir_perms;
allow crack_t crack_db_t:file create_file_perms; allow crack_t crack_db_t:file create_file_perms;
allow crack_t crack_db_t:lnk_file create_file_perms; allow crack_t crack_db_t:lnk_file create_file_perms;
files_search_system_state_data_directory(crack_t) files_search_var(crack_t)
allow crack_t crack_tmp_t:dir create_dir_perms; allow crack_t crack_tmp_t:dir create_dir_perms;
allow crack_t crack_tmp_t:file create_file_perms; allow crack_t crack_tmp_t:file create_file_perms;
files_create_private_tmp_data(crack_t, crack_tmp_t, { file dir }) files_create_tmp_files(crack_t, crack_tmp_t, { file dir })
kernel_read_system_state(crack_t) kernel_read_system_state(crack_t)
@ -165,17 +165,17 @@ dev_read_urand(crack_t)
fs_getattr_xattr_fs(crack_t) fs_getattr_xattr_fs(crack_t)
files_read_general_system_config(crack_t) files_read_generic_etc_files(crack_t)
files_read_runtime_system_config(crack_t) files_read_etc_runtime_files(crack_t)
# for dictionaries # for dictionaries
files_read_general_application_resources(crack_t) files_read_usr_files(crack_t)
corecommands_execute_general_programs(crack_t) corecmd_exec_bin(crack_t)
libraries_use_dynamic_loader(crack_t) libs_use_ld_so(crack_t)
libraries_use_shared_libraries(crack_t) libs_use_shared_libs(crack_t)
logging_send_system_log_message(crack_t) logging_send_syslog_msg(crack_t)
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`crond.te', ` ifdef(`crond.te', `
@ -222,26 +222,26 @@ fs_getattr_xattr_fs(groupadd_t)
term_use_all_user_ttys(groupadd_t) term_use_all_user_ttys(groupadd_t)
term_use_all_user_ptys(groupadd_t) term_use_all_user_ptys(groupadd_t)
init_use_file_descriptors(groupadd_t) init_use_fd(groupadd_t)
init_script_read_runtime_data(groupadd_t) init_read_script_pid(groupadd_t)
domain_use_widely_inheritable_file_descriptors(groupadd_t) domain_use_wide_inherit_fd(groupadd_t)
files_manage_general_system_config(groupadd_t) files_manage_generic_etc_files(groupadd_t)
libraries_use_dynamic_loader(groupadd_t) libs_use_ld_so(groupadd_t)
libraries_use_shared_libraries(groupadd_t) libs_use_shared_libs(groupadd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecommands_execute_general_programs(groupadd_t) corecmd_exec_bin(groupadd_t)
corecommands_execute_system_programs(groupadd_t) corecmd_exec_sbin(groupadd_t)
logging_send_system_log_message(groupadd_t) logging_send_syslog_msg(groupadd_t)
miscfiles_read_localization(groupadd_t) miscfiles_read_localization(groupadd_t)
authlogin_manage_shadow_passwords(groupadd_t) auth_manage_shadow(groupadd_t)
authlogin_modify_last_login_log(groupadd_t) auth_rw_lastlog(groupadd_t)
selinux_read_config(groupadd_t) selinux_read_config(groupadd_t)
@ -299,21 +299,21 @@ fs_getattr_xattr_fs(passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate # /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp. # correctly without it. Do not audit write denials to utmp.
init_script_ignore_modify_runtime_data(passwd_t) init_dontaudit_rw_script_pid(passwd_t)
domain_use_widely_inheritable_file_descriptors(passwd_t) domain_use_wide_inherit_fd(passwd_t)
files_read_runtime_system_config(passwd_t) files_read_etc_runtime_files(passwd_t)
files_manage_general_system_config(passwd_t) files_manage_generic_etc_files(passwd_t)
libraries_use_dynamic_loader(passwd_t) libs_use_ld_so(passwd_t)
libraries_use_shared_libraries(passwd_t) libs_use_shared_libs(passwd_t)
logging_send_system_log_message(passwd_t) logging_send_syslog_msg(passwd_t)
miscfiles_read_localization(passwd_t) miscfiles_read_localization(passwd_t)
authlogin_manage_shadow_passwords(passwd_t) auth_manage_shadow(passwd_t)
ifdef(`TODO',` ifdef(`TODO',`
@ -379,8 +379,8 @@ allow sysadm_passwd_t self:msg { send receive };
# allow vipw to create temporary files under /var/tmp/vi.recover # allow vipw to create temporary files under /var/tmp/vi.recover
allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms; allow sysadm_passwd_t sysadm_passwd_tmp_t:dir create_dir_perms;
allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms; allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
files_create_private_tmp_data(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir }) files_create_tmp_files(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
files_search_system_state_data_directory(sysadm_passwd_t) files_search_var(sysadm_passwd_t)
kernel_get_selinuxfs_mount_point(sysadm_passwd_t) kernel_get_selinuxfs_mount_point(sysadm_passwd_t)
kernel_validate_context(sysadm_passwd_t) kernel_validate_context(sysadm_passwd_t)
@ -401,26 +401,26 @@ term_use_all_user_ptys(sysadm_passwd_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate # /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp. # correctly without it. Do not audit write denials to utmp.
init_script_ignore_modify_runtime_data(sysadm_passwd_t) init_dontaudit_rw_script_pid(sysadm_passwd_t)
domain_use_widely_inheritable_file_descriptors(sysadm_passwd_t) domain_use_wide_inherit_fd(sysadm_passwd_t)
files_manage_general_system_config(sysadm_passwd_t) files_manage_generic_etc_files(sysadm_passwd_t)
files_read_runtime_system_config(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t)
# allow vipw to exec the editor # allow vipw to exec the editor
corecommands_execute_general_programs(sysadm_passwd_t) corecmd_exec_bin(sysadm_passwd_t)
corecommands_execute_shell(sysadm_passwd_t) corecmd_exec_shell(sysadm_passwd_t)
files_read_general_application_resources(sysadm_passwd_t) files_read_usr_files(sysadm_passwd_t)
libraries_use_dynamic_loader(sysadm_passwd_t) libs_use_ld_so(sysadm_passwd_t)
libraries_use_shared_libraries(sysadm_passwd_t) libs_use_shared_libs(sysadm_passwd_t)
miscfiles_read_localization(sysadm_passwd_t) miscfiles_read_localization(sysadm_passwd_t)
logging_send_system_log_message(sysadm_passwd_t) logging_send_syslog_msg(sysadm_passwd_t)
authlogin_manage_shadow_passwords(sysadm_passwd_t) auth_manage_shadow(sysadm_passwd_t)
ifdef(`TODO',` ifdef(`TODO',`
role sysadm_r types sysadm_passwd_t; role sysadm_r types sysadm_passwd_t;
@ -488,29 +488,29 @@ fs_getattr_xattr_fs(useradd_t)
term_use_all_user_ttys(useradd_t) term_use_all_user_ttys(useradd_t)
term_use_all_user_ptys(useradd_t) term_use_all_user_ptys(useradd_t)
init_use_file_descriptors(useradd_t) init_use_fd(useradd_t)
init_script_modify_runtime_data(useradd_t) init_rw_script_pid(useradd_t)
domain_use_widely_inheritable_file_descriptors(useradd_t) domain_use_wide_inherit_fd(useradd_t)
files_manage_general_system_config(useradd_t) files_manage_generic_etc_files(useradd_t)
libraries_use_dynamic_loader(useradd_t) libs_use_ld_so(useradd_t)
libraries_use_shared_libraries(useradd_t) libs_use_shared_libs(useradd_t)
corecommands_execute_shell(useradd_t) corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecommands_execute_general_programs(useradd_t) corecmd_exec_bin(useradd_t)
corecommands_execute_system_programs(useradd_t) corecmd_exec_sbin(useradd_t)
miscfiles_read_localization(useradd_t) miscfiles_read_localization(useradd_t)
selinux_read_config(useradd_t) selinux_read_config(useradd_t)
logging_send_system_log_message(useradd_t) logging_send_syslog_msg(useradd_t)
authlogin_manage_shadow_passwords(useradd_t) auth_manage_shadow(useradd_t)
authlogin_modify_last_login_log(useradd_t) auth_rw_lastlog(useradd_t)
ifdef(`TODO',` ifdef(`TODO',`


@ -14,27 +14,27 @@ define(`gpg_per_userdomain_template',`
# #
type $1_gpg_t; type $1_gpg_t;
domain_make_domain($1_gpg_t) domain_type($1_gpg_t)
domain_make_entrypoint_file($1_gpg_t,gpg_exec_t) domain_entry_file($1_gpg_t,gpg_exec_t)
role $1_r types $1_gpg_t; role $1_r types $1_gpg_t;
type $1_gpg_agent_t; type $1_gpg_agent_t;
domain_make_domain($1_gpg_agent_t) domain_type($1_gpg_agent_t)
domain_make_entrypoint_file($1_gpg_agent_t,gpg_agent_exec_t) domain_entry_file($1_gpg_agent_t,gpg_agent_exec_t)
role $1_r types $1_gpg_agent_t; role $1_r types $1_gpg_agent_t;
type $1_gpg_agent_tmp_t; type $1_gpg_agent_tmp_t;
files_make_temporary_file($1_gpg_agent_tmp_t) files_tmp_file($1_gpg_agent_tmp_t)
type $1_gpg_secret_t; #, $1_file_type; type $1_gpg_secret_t; #, $1_file_type;
files_make_file($1_gpg_secret_t) files_file_type($1_gpg_secret_t)
type $1_gpg_helper_t; type $1_gpg_helper_t;
domain_make_domain($1_gpg_helper_t) domain_type($1_gpg_helper_t)
role $1_r types $1_gpg_helper_t; role $1_r types $1_gpg_helper_t;
type $1_gpg_pinentry_t; type $1_gpg_pinentry_t;
domain_make_domain($1_gpg_pinentry_t) domain_type($1_gpg_pinentry_t)
role $1_r types $1_gpg_pinentry_t; role $1_r types $1_gpg_pinentry_t;
######################################## ########################################
@ -81,23 +81,23 @@ define(`gpg_per_userdomain_template',`
fs_getattr_xattr_fs($1_gpg_t) fs_getattr_xattr_fs($1_gpg_t)
files_read_general_system_config($1_gpg_t) files_read_generic_etc_files($1_gpg_t)
files_read_general_application_resources($1_gpg_t) files_read_usr_files($1_gpg_t)
libraries_use_shared_libraries($1_gpg_t) libs_use_shared_libs($1_gpg_t)
libraries_use_dynamic_loader($1_gpg_t) libs_use_ld_so($1_gpg_t)
miscfiles_read_localization($1_gpg_t) miscfiles_read_localization($1_gpg_t)
logging_send_system_log_message($1_gpg_t) logging_send_syslog_msg($1_gpg_t)
sysnetwork_read_network_config($1_gpg_t) sysnet_read_config($1_gpg_t)
# Legacy # Legacy
if (allow_gpg_execstack) { if (allow_gpg_execstack) {
allow $1_gpg_t self:process execmem; allow $1_gpg_t self:process execmem;
libraries_legacy_use_shared_libraries($1_gpg_t) libs_legacy_use_shared_libs($1_gpg_t)
libraries_legacy_use_dynamic_loader($1_gpg_t) libs_legacy_use_ld_so($1_gpg_t)
miscfiles_legacy_read_localization($1_gpg_t) miscfiles_legacy_read_localization($1_gpg_t)
# Not quite sure why this is needed... # Not quite sure why this is needed...
allow $1_gpg_t gpg_exec_t:file execmod; allow $1_gpg_t gpg_exec_t:file execmod;
@ -188,14 +188,14 @@ define(`gpg_per_userdomain_template',`
dev_read_urand($1_gpg_helper_t) dev_read_urand($1_gpg_helper_t)
files_read_general_system_config($1_gpg_helper_t) files_read_generic_etc_files($1_gpg_helper_t)
# for nscd # for nscd
files_ignore_search_system_state_data_directory($1_gpg_helper_t) files_dontaudit_search_var($1_gpg_helper_t)
libraries_use_dynamic_loader($1_gpg_helper_t) libs_use_ld_so($1_gpg_helper_t)
libraries_use_shared_libraries($1_gpg_helper_t) libs_use_shared_libs($1_gpg_helper_t)
sysnetwork_read_network_config($1_gpg_helper_t) sysnet_read_config($1_gpg_helper_t)
ifdef(`TODO',` ifdef(`TODO',`
@ -230,12 +230,12 @@ define(`gpg_per_userdomain_template',`
allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms; allow $1_t $1_gpg_agent_tmp_t:dir create_dir_perms;
allow $1_t $1_gpg_agent_tmp_t:file create_file_perms; allow $1_t $1_gpg_agent_tmp_t:file create_file_perms;
allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms; allow $1_t $1_gpg_agent_tmp_t:sock_file create_file_perms;
files_create_private_tmp_data($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir }) files_create_tmp_files($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
domain_use_widely_inheritable_file_descriptors($1_gpg_agent_t) domain_use_wide_inherit_fd($1_gpg_agent_t)
libraries_use_dynamic_loader($1_gpg_agent_t) libs_use_ld_so($1_gpg_agent_t)
libraries_use_shared_libraries($1_gpg_agent_t) libs_use_shared_libs($1_gpg_agent_t)
miscfiles_read_localization($1_gpg_agent_t) miscfiles_read_localization($1_gpg_agent_t)
@ -297,12 +297,12 @@ define(`gpg_per_userdomain_template',`
# read /proc/meminfo # read /proc/meminfo
kernel_read_system_state($1_gpg_pinentry_t) kernel_read_system_state($1_gpg_pinentry_t)
files_read_general_application_resources($1_gpg_pinentry_t) files_read_usr_files($1_gpg_pinentry_t)
# read /etc/X11/qtrc # read /etc/X11/qtrc
files_read_general_system_config($1_gpg_pinentry_t) files_read_generic_etc_files($1_gpg_pinentry_t)
libraries_use_dynamic_loader($1_gpg_pinentry_t) libs_use_ld_so($1_gpg_pinentry_t)
libraries_use_shared_libraries($1_gpg_pinentry_t) libs_use_shared_libs($1_gpg_pinentry_t)
miscfiles_read_fonts($1_gpg_pinentry_t) miscfiles_read_fonts($1_gpg_pinentry_t)
miscfiles_read_localization($1_gpg_pinentry_t) miscfiles_read_localization($1_gpg_pinentry_t)


@ -12,16 +12,16 @@ bool allow_gpg_execstack false;
# Type for gpg or pgp executables. # Type for gpg or pgp executables.
type gpg_exec_t; type gpg_exec_t;
type gpg_helper_exec_t; type gpg_helper_exec_t;
files_make_file(gpg_exec_t) files_file_type(gpg_exec_t)
files_make_file(gpg_helper_exec_t) files_file_type(gpg_helper_exec_t)
# Type for the gpg-agent executable. # Type for the gpg-agent executable.
type gpg_agent_exec_t; type gpg_agent_exec_t;
files_make_file(gpg_agent_exec_t) files_file_type(gpg_agent_exec_t)
# type for the pinentry executable # type for the pinentry executable
type pinentry_exec_t; type pinentry_exec_t;
files_make_file(pinentry_exec_t) files_file_type(pinentry_exec_t)
#allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search; #allow sysadm_gpg_t { home_root_t user_home_dir_t }:dir search;
#allow sysadm_gpg_t ptyfile:chr_file rw_file_perms; #allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;


@ -412,11 +412,11 @@ define(`bootloader_write_kernel_modules',`
allow $1 modules_object_t:dir r_dir_perms; allow $1 modules_object_t:dir r_dir_perms;
allow $1 modules_object_t:file { write append }; allow $1 modules_object_t:file { write append };
typeattribute $1 can_modify_kernel_modules; typeattribute $1 rw_kern_modules;
') ')
define(`bootloader_write_kernel_modules_depend',` define(`bootloader_write_kernel_modules_depend',`
attribute can_modify_kernel_modules; attribute rw_kern_modules;
type modules_object_t; type modules_object_t;
@ -441,11 +441,11 @@ define(`bootloader_manage_kernel_modules',`
allow $1 modules_object_t:file { rw_file_perms create setattr unlink }; allow $1 modules_object_t:file { rw_file_perms create setattr unlink };
allow $1 modules_object_t:dir rw_dir_perms; allow $1 modules_object_t:dir rw_dir_perms;
typeattribute $1 can_modify_kernel_modules; typeattribute $1 rw_kern_modules;
') ')
define(`bootloader_manage_kernel_modules_depend',` define(`bootloader_manage_kernel_modules_depend',`
attribute can_modify_kernel_modules; attribute rw_kern_modules;
type modules_object_t; type modules_object_t;


@ -6,14 +6,14 @@ policy_module(bootloader,1.0)
# Declarations # Declarations
# #
attribute can_modify_kernel_modules; attribute rw_kern_modules;
# #
# boot_t is the type for files in /boot # boot_t is the type for files in /boot
# #
type boot_t; type boot_t;
files_make_file(boot_t) files_file_type(boot_t)
files_make_mountpoint(boot_t) files_mountpoint(boot_t)
# #
# boot_runtime_t is the type for /boot/kernel.h, # boot_runtime_t is the type for /boot/kernel.h,
@ -21,41 +21,41 @@ files_make_mountpoint(boot_t)
# only for Red Hat # only for Red Hat
# #
type boot_runtime_t; type boot_runtime_t;
files_make_file(boot_runtime_t) files_file_type(boot_runtime_t)
type bootloader_t; type bootloader_t;
domain_make_domain(bootloader_t) domain_type(bootloader_t)
role system_r types bootloader_t; role system_r types bootloader_t;
type bootloader_exec_t; type bootloader_exec_t;
domain_make_entrypoint_file(bootloader_t,bootloader_exec_t) domain_entry_file(bootloader_t,bootloader_exec_t)
# #
# bootloader_etc_t is the configuration file, # bootloader_etc_t is the configuration file,
# grub.conf, lilo.conf, etc. # grub.conf, lilo.conf, etc.
# #
type bootloader_etc_t alias etc_bootloader_t; type bootloader_etc_t alias etc_bootloader_t;
files_make_file(bootloader_etc_t) files_file_type(bootloader_etc_t)
# #
# The temp file is used for initrd creation; # The temp file is used for initrd creation;
# it consists of files and device nodes # it consists of files and device nodes
# #
type bootloader_tmp_t; type bootloader_tmp_t;
files_make_temporary_file(bootloader_tmp_t) files_tmp_file(bootloader_tmp_t)
dev_node(bootloader_tmp_t) dev_node(bootloader_tmp_t)
# kernel modules # kernel modules
type modules_object_t; type modules_object_t;
files_make_file(modules_object_t) files_file_type(modules_object_t)
neverallow ~can_modify_kernel_modules modules_object_t:file { create append write }; neverallow ~rw_kern_modules modules_object_t:file { create append write };
# #
# system_map_t is for the system.map files in /boot # system_map_t is for the system.map files in /boot
# #
type system_map_t; type system_map_t;
files_make_file(system_map_t) files_file_type(system_map_t)
######################################## ########################################
# #
@ -73,16 +73,16 @@ allow bootloader_t boot_t:lnk_file { r_file_perms create unlink };
allow bootloader_t bootloader_etc_t:file r_file_perms; allow bootloader_t bootloader_etc_t:file r_file_perms;
# uncomment the following lines if you use "lilo -p" # uncomment the following lines if you use "lilo -p"
#allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename }; #allow bootloader_t bootloader_etc_t:file { create ioctl read getattr lock write setattr append link unlink rename };
#files_create_private_config(bootloader_t,bootloader_etc_t) #files_create_etc_config(bootloader_t,bootloader_etc_t)
allow bootloader_t bootloader_tmp_t:dir create_dir_perms; allow bootloader_t bootloader_tmp_t:dir create_dir_perms;
allow bootloader_t bootloader_tmp_t:file create_file_perms; allow bootloader_t bootloader_tmp_t:file create_file_perms;
allow bootloader_t bootloader_tmp_t:chr_file create_file_perms; allow bootloader_t bootloader_tmp_t:chr_file create_file_perms;
allow bootloader_t bootloader_tmp_t:blk_file create_file_perms; allow bootloader_t bootloader_tmp_t:blk_file create_file_perms;
allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms; allow bootloader_t bootloader_tmp_t:lnk_file create_lnk_perms;
files_create_private_tmp_data(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file }) files_create_tmp_files(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file blk_file })
# for tune2fs (cjp: ?) # for tune2fs (cjp: ?)
files_create_private_root_dir_entry(bootloader_t,bootloader_tmp_t) files_create_root(bootloader_t,bootloader_tmp_t)
allow bootloader_t modules_object_t:dir r_dir_perms; allow bootloader_t modules_object_t:dir r_dir_perms;
allow bootloader_t modules_object_t:file r_file_perms; allow bootloader_t modules_object_t:file r_file_perms;
@ -110,34 +110,34 @@ fs_getattr_xattr_fs(bootloader_t)
term_getattr_all_user_ttys(bootloader_t) term_getattr_all_user_ttys(bootloader_t)
init_get_control_channel_attributes(bootloader_t) init_getattr_initctl(bootloader_t)
init_script_use_pseudoterminal(bootloader_t) init_use_script_pty(bootloader_t)
init_script_use_file_descriptors(bootloader_t) init_use_script_fd(bootloader_t)
domain_use_widely_inheritable_file_descriptors(bootloader_t) domain_use_wide_inherit_fd(bootloader_t)
libraries_use_dynamic_loader(bootloader_t) libs_use_ld_so(bootloader_t)
libraries_use_shared_libraries(bootloader_t) libs_use_shared_libs(bootloader_t)
libraries_read_library_resources(bootloader_t) libs_read_lib(bootloader_t)
files_read_general_system_config(bootloader_t) files_read_generic_etc_files(bootloader_t)
files_read_runtime_system_config(bootloader_t) files_read_etc_runtime_files(bootloader_t)
files_read_system_source_code(bootloader_t) files_read_usr_src(bootloader_t)
files_read_general_application_resources(bootloader_t) files_read_usr_files(bootloader_t)
# for nscd # for nscd
files_ignore_search_runtime_data_directory(bootloader_t) files_dontaudit_search_pids(bootloader_t)
corecommands_execute_general_programs(bootloader_t) corecmd_exec_bin(bootloader_t)
corecommands_execute_system_programs(bootloader_t) corecmd_exec_sbin(bootloader_t)
corecommands_execute_shell(bootloader_t) corecmd_exec_shell(bootloader_t)
logging_send_system_log_message(bootloader_t) logging_send_syslog_msg(bootloader_t)
logging_modify_system_logs(bootloader_t) logging_rw_generic_logs(bootloader_t)
miscfiles_read_localization(bootloader_t) miscfiles_read_localization(bootloader_t)
selinux_read_binary_policy(bootloader_t) selinux_read_binary_pol(bootloader_t)
selinux_read_load_policy_binary(bootloader_t) selinux_read_loadpol(bootloader_t)
ifdef(`distro_debian', ` ifdef(`distro_debian', `
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto }; allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
@ -153,10 +153,10 @@ ifdef(`distro_redhat', `
allow bootloader_t boot_runtime_t:file { r_file_perms unlink }; allow bootloader_t boot_runtime_t:file { r_file_perms unlink };
# mkinitrd mount initrd on bootloader temp dir # mkinitrd mount initrd on bootloader temp dir
files_make_mountpoint(bootloader_tmp_t) files_mountpoint(bootloader_tmp_t)
# for mke2fs # for mke2fs
mount_transition(bootloader_t) mount_domtrans(bootloader_t)
') ')
optional_policy(`filesystemtools.te', ` optional_policy(`filesystemtools.te', `
@ -168,17 +168,17 @@ optional_policy(`filesystemtools.te', `
optional_policy(`lvm.te', ` optional_policy(`lvm.te', `
dev_rw_lvm_control(bootloader_t) dev_rw_lvm_control(bootloader_t)
lvm_transition(bootloader_t) lvm_domtrans(bootloader_t)
lvm_read_config(bootloader_t) lvm_read_config(bootloader_t)
') ')
optional_policy(`modutils.te',` optional_policy(`modutils.te',`
modutils_insmod_execute(insmod_t) modutils_exec_insmod(insmod_t)
modutils_read_kernel_module_dependencies(bootloader_t) modutils_read_kernel_module_dependencies(bootloader_t)
modutils_read_kernel_module_loading_config(bootloader_t) modutils_read_module_conf(bootloader_t)
modutils_insmod_execute(bootloader_t) modutils_exec_insmod(bootloader_t)
modutils_depmod_execute(bootloader_t) modutils_exec_depmod(bootloader_t)
modutils_update_modules_execute(bootloader_t) modutils_exec_update_mods(bootloader_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`


@ -7,13 +7,13 @@ attribute port_type;
attribute reserved_port_type; attribute reserved_port_type;
type ppp_device_t; type ppp_device_t;
devices_make_device_node(ppp_device_t) dev_node(ppp_device_t)
# #
# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/* # tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
# #
type tun_tap_device_t; type tun_tap_device_t;
devices_make_device_node(tun_tap_device_t) dev_node(tun_tap_device_t)
######################################## ########################################
# #


@ -153,6 +153,28 @@ define(`dev_create_dir_depend',`
class dir { ra_dir_perms create }; class dir { ra_dir_perms create };
') ')
########################################
## <interface name="dev_relabel_dev_dirs">
## <description>
## Allow full relabeling (to and from) of directories in /dev.
## </description>
## <parameter name="domain">
## Domain allowed to relabel.
## </parameter>
## </interface>
#
define(`dev_relabel_dev_dirs',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
')
define(`dev_relabel_dev_dirs_depend',`
type device_t;
class dir { r_dir_perms relabelfrom relabelto };
')
######################################## ########################################
## <interface name="dev_dontaudit_getattr_generic_pipe"> ## <interface name="dev_dontaudit_getattr_generic_pipe">
## <description> ## <description>
@ -209,13 +231,13 @@ define(`ddev_getattr_generic_blk_file_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`ddev_dontaudit_getattr_generic_blk_files',` define(`dev_dontaudit_getattr_generic_blk_file',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 device_t:blk_file getattr; dontaudit $1 device_t:blk_file getattr;
') ')
define(`dev_dontaudit_getattr_generic_blk_files_depend',` define(`dev_dontaudit_getattr_generic_blk_file_depend',`
type device_t; type device_t;
class blk_file getattr; class blk_file getattr;
@ -258,7 +280,7 @@ define(`dev_manage_generic_blk_file_depend',`
define(`dev_create_generic_chr_file',` define(`dev_create_generic_chr_file',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr search read write add_name }; allow $1 device_t:dir ra_dir_perms;
allow $1 device_t:chr_file create; allow $1 device_t:chr_file create;
allow $1 self:capability mknod; allow $1 self:capability mknod;
@ -267,7 +289,7 @@ define(`dev_create_generic_chr_file',`
define(`dev_create_generic_chr_file_depend',` define(`dev_create_generic_chr_file_depend',`
type device_t; type device_t;
class dir { getattr search read write add_name }; class dir ra_dir_perms;
class chr_file create; class chr_file create;
class capability mknod; class capability mknod;
') ')
@ -312,7 +334,7 @@ define(`dev_dontaudit_getattr_generic_chr_file',`
dontaudit $1 device_t:chr_file getattr; dontaudit $1 device_t:chr_file getattr;
') ')
define(`dev_dontaudit_getattr_generic_chr_file',` define(`dev_dontaudit_getattr_generic_chr_file_depend',`
type device_t; type device_t;
class chr_file getattr; class chr_file getattr;
@ -369,7 +391,7 @@ define(`dev_manage_generic_symlinks_depend',`
') ')
######################################## ########################################
## <interface name="dev_manage_all_dev_nodes"> ## <interface name="dev_manage_dev_nodes">
## <description> ## <description>
## Create, delete, read, and write device nodes in device directories. ## Create, delete, read, and write device nodes in device directories.
## </description> ## </description>
@ -378,7 +400,7 @@ define(`dev_manage_generic_symlinks_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`dev_manage_all_dev_nodes',` define(`dev_manage_dev_nodes',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto }; allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
@ -398,7 +420,7 @@ define(`dev_manage_all_dev_nodes',`
typeattribute $1 memory_raw_write; typeattribute $1 memory_raw_write;
') ')
define(`dev_manage_all_dev_nodes_depend',` define(`dev_manage_dev_nodes_depend',`
attribute device_node, memory_raw_read, memory_raw_write; attribute device_node, memory_raw_read, memory_raw_write;
type device_t; type device_t;
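Review bot: The description of `dev_manage_dev_nodes` (hunk `@ -369,7 +391,7`) still says only "Create, delete, read, and write device nodes in device directories", yet the body shown in hunk `@ -398,7 +420,7` does `typeattribute $1 memory_raw_write;` and the depend block requires `memory_raw_read` as well, so callers are presumably also being granted raw memory device access; the part of the body between those two hunks is outside this view. I would extend the description with `## Also assigns the caller the memory_raw_read and memory_raw_write attributes, which is far broader than device-node management.` Separately, the hunk header at `@ -209,13 +231,13` shows `ddev_getattr_generic_blk_file_depend`, which looks like the same `ddev_` typo this commit fixes for the dontaudit variant; if the main define is `dev_getattr_generic_blk_file`, its `$0_depend` lookup in requires_block_template will not find that block.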


@ -9,8 +9,8 @@ attribute memory_raw_write;
# device_t is the type of /dev. # device_t is the type of /dev.
# #
type device_t; type device_t;
files_make_file(device_t) files_file_type(device_t)
files_make_mountpoint(device_t) files_mountpoint(device_t)
fs_associate_tmpfs(device_t) fs_associate_tmpfs(device_t)
# Only directories and symlinks should be labeled device_t. # Only directories and symlinks should be labeled device_t.


@ -62,7 +62,7 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
# tmpfs_t is the type for tmpfs filesystems # tmpfs_t is the type for tmpfs filesystems
# #
type tmpfs_t, fs_type; type tmpfs_t, fs_type;
files_make_file(tmpfs_t) files_file_type(tmpfs_t)
# Use a transition SID based on the allocating task SID and the # Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types, # filesystem SID to label inodes in the following filesystem types,
@ -124,7 +124,7 @@ allow removable_t noxattrfs:filesystem associate;
# and their files. # and their files.
# #
type nfs_t, fs_type, noxattrfs; type nfs_t, fs_type, noxattrfs;
files_make_mountpoint(nfs_t) files_mountpoint(nfs_t)
allow nfs_t self:filesystem associate; allow nfs_t self:filesystem associate;
genfscon nfs / context_template(system_u:object_r:nfs_t,s0) genfscon nfs / context_template(system_u:object_r:nfs_t,s0)
genfscon nfs4 / context_template(system_u:object_r:nfs_t,s0) genfscon nfs4 / context_template(system_u:object_r:nfs_t,s0)


@ -130,7 +130,7 @@ define(`kernel_dontaudit_use_fd_depend',`
') ')
######################################## ########################################
## <interface name="kernel_make_process_identity_change_constraint_exception"> ## <interface name="kernel_subj_id_change_exempt">
## <description> ## <description>
## Makes caller an exception to the constraint preventing ## Makes caller an exception to the constraint preventing
## changing of user identity. ## changing of user identity.
@ -140,18 +140,18 @@ define(`kernel_dontaudit_use_fd_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`kernel_make_process_identity_change_constraint_exception',` define(`kernel_subj_id_change_exempt',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
typeattribute $1 can_change_process_identity; typeattribute $1 can_change_process_identity;
') ')
define(`kernel_make_process_identity_change_constraint_exception_depend',` define(`kernel_subj_id_change_exempt_depend',`
attribute can_change_process_identity; attribute can_change_process_identity;
') ')
######################################## ########################################
## <interface name="kernel_make_role_change_constraint_exception"> ## <interface name="kernel_role_change_exempt">
## <description> ## <description>
## Makes caller an exception to the constraint preventing ## Makes caller an exception to the constraint preventing
## changing of role. ## changing of role.
@ -161,18 +161,18 @@ define(`kernel_make_process_identity_change_constraint_exception_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`kernel_make_role_change_constraint_exception',` define(`kernel_role_change_exempt',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
typeattribute $1 can_change_process_role; typeattribute $1 can_change_process_role;
') ')
define(`kernel_make_role_change_constraint_exception_depend',` define(`kernel_role_change_exempt_depend',`
attribute can_change_process_role; attribute can_change_process_role;
') ')
######################################## ########################################
## <interface name="kernel_make_object_identity_change_constraint_exception"> ## <interface name="kernel_obj_id_change_exempt">
## <description> ## <description>
## Makes caller an exception to the constraint preventing ## Makes caller an exception to the constraint preventing
## changing the user identity in object contexts. ## changing the user identity in object contexts.
@ -182,13 +182,13 @@ define(`kernel_make_role_change_constraint_exception_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`kernel_make_object_identity_change_constraint_exception',` define(`kernel_obj_id_change_exempt',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
typeattribute $1 can_change_object_identity; typeattribute $1 can_change_object_identity;
') ')
define(`kernel_make_object_identity_change_constraint_exception_depend',` define(`kernel_obj_id_change_exempt_depend',`
attribute can_change_object_identity; attribute can_change_object_identity;
') ')


@ -19,7 +19,7 @@ attribute can_change_object_identity;
# #
type kernel_t, can_load_kernmodule, can_load_policy; type kernel_t, can_load_kernmodule, can_load_policy;
role system_r types kernel_t; role system_r types kernel_t;
domain_make_domain(kernel_t) domain_type(kernel_t)
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127) sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
# #
@ -63,7 +63,7 @@ genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
# sysfs_t is the type for /sys # sysfs_t is the type for /sys
# #
type sysfs_t; type sysfs_t;
files_make_mountpoint(sysfs_t) files_mountpoint(sysfs_t)
fs_make_fs(sysfs_t) fs_make_fs(sysfs_t)
genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0) genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
@ -72,7 +72,7 @@ genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
# #
type proc_t; type proc_t;
files_make_mountpoint(proc_t) files_mountpoint(proc_t)
fs_make_fs(proc_t) fs_make_fs(proc_t)
genfscon proc / context_template(system_u:object_r:proc_t,s0) genfscon proc / context_template(system_u:object_r:proc_t,s0)
genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0) genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0)
@ -107,13 +107,13 @@ genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0)
# /proc/sys directory, base directory of sysctls # /proc/sys directory, base directory of sysctls
type sysctl_t; type sysctl_t;
files_make_mountpoint(sysctl_t) files_mountpoint(sysctl_t)
sid sysctl context_template(system_u:object_r:sysctl_t,s0) sid sysctl context_template(system_u:object_r:sysctl_t,s0)
genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0) genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
# /proc/sys/fs directory and files # /proc/sys/fs directory and files
type sysctl_fs_t; type sysctl_fs_t;
files_make_mountpoint(sysctl_fs_t) files_mountpoint(sysctl_fs_t)
genfscon proc /sys/fs context_template(system_u:object_r:sysctl_fs_t,s0) genfscon proc /sys/fs context_template(system_u:object_r:sysctl_fs_t,s0)
# /proc/sys/kernel directory and files # /proc/sys/kernel directory and files
@ -148,7 +148,7 @@ genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0)
# usbfs_t is the type for /proc/bus/usb # usbfs_t is the type for /proc/bus/usb
# #
type usbfs_t alias usbdevfs_t; type usbfs_t alias usbdevfs_t;
files_make_mountpoint(usbfs_t) files_mountpoint(usbfs_t)
fs_make_noxattr_fs(usbfs_t) fs_make_noxattr_fs(usbfs_t)
genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0) genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0) genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
@ -206,26 +206,26 @@ term_use_console(kernel_t)
# from initrd, then mounting the root filesystem # from initrd, then mounting the root filesystem
fs_mount_all_fs(kernel_t) fs_mount_all_fs(kernel_t)
corecommands_execute_shell(kernel_t) corecmd_exec_shell(kernel_t)
corecommands_read_system_programs_directory(kernel_t) corecmd_list_sbin(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules. # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
corecommands_execute_general_programs(kernel_t) corecmd_exec_bin(kernel_t)
domain_signal_all_domains(kernel_t) domain_signal_all_domains(kernel_t)
files_read_root_dir(kernel_t) files_list_root(kernel_t)
files_list_home_directories(kernel_t) files_list_home(kernel_t)
files_read_general_application_resources(kernel_t) files_read_usr_files(kernel_t)
init_sigchld(kernel_t) init_sigchld(kernel_t)
libraries_use_dynamic_loader(kernel_t) libs_use_ld_so(kernel_t)
libraries_use_shared_libraries(kernel_t) libs_use_shared_libs(kernel_t)
logging_send_system_log_message(kernel_t) logging_send_syslog_msg(kernel_t)
selinux_read_config(kernel_t) selinux_read_config(kernel_t)
selinux_read_binary_policy(kernel_t) selinux_read_binary_pol(kernel_t)
neverallow ~can_load_policy security_t:security load_policy; neverallow ~can_load_policy security_t:security load_policy;
neverallow ~can_setenforce security_t:security setenforce; neverallow ~can_setenforce security_t:security setenforce;


@ -33,6 +33,9 @@ define(`term_pty_depend',`
## pty type. This allows it to be relabeled via ## pty type. This allows it to be relabeled via
## type change by login programs such as ssh. ## type change by login programs such as ssh.
## </description> ## </description>
## <parameter name="userdomaing">
## The type of the user domain associated with
## this pty.
## <parameter name="object_type"> ## <parameter name="object_type">
## An object type that will applied to a pty. ## An object type that will applied to a pty.
## </parameter> ## </parameter>
@ -42,7 +45,7 @@ define(`term_user_pty',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
term_pty($1) term_pty($1)
typeattribute $1 server_ptynode; type_change $1 server_ptynode:chr_file $2;
') ')
define(`term_user_pty_depend',` define(`term_user_pty_depend',`
@ -683,7 +686,7 @@ define(`term_dontaudit_getattr_all_user_ttys_depend',`
define(`term_setattr_all_user_ttys',` define(`term_setattr_all_user_ttys',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
devices_list_device_nodes($1) dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file setattr; allow $1 ttynode:chr_file setattr;
') ')
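Review bot: In `term_user_pty`, the added `type_change $1 server_ptynode:chr_file $2;` makes $1 a source domain and $2 the new pty type (the added parameter doc says the same), but the unchanged `term_pty($1)` two lines above still attaches the pty attribute to $1, i.e. to the user domain; it should read `term_pty($2)`. The added parameter documentation is also malformed: `userdomaing` is misspelled and the block has no closing `## </parameter>` line before `<parameter name="object_type">`, which matters because these `##` comments are XML. `term_user_pty_depend` begins at the end of that hunk and continues outside the diff; it presumably needs `class chr_file type_change;` now, worth confirming.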


@ -21,7 +21,7 @@ dev_node(console_device_t)
# the type of the root directory of the file system. # the type of the root directory of the file system.
# #
type devpts_t; type devpts_t;
files_make_mountpoint(devpts_t) files_mountpoint(devpts_t)
fs_make_fs(devpts_t) fs_make_fs(devpts_t)
fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0); fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);


@ -8,16 +8,16 @@ define(`cron_per_userdomain_template',`
# Type of user crontabs once moved to cron spool. # Type of user crontabs once moved to cron spool.
type $1_cron_spool_t; type $1_cron_spool_t;
files_make_file($1_cron_spool_t) files_file_type($1_cron_spool_t)
type $1_crond_t; # user_crond_domain; type $1_crond_t; # user_crond_domain;
domain_make_domain($1_crond_t); domain_type($1_crond_t);
corecommands_make_shell_entrypoint($1_crond_t) corecmd_shell_entry_type($1_crond_t)
role $1_r types $1_crond_t; role $1_r types $1_crond_t;
type $1_crontab_t; type $1_crontab_t;
domain_make_domain($1_crontab_t) domain_type($1_crontab_t)
domain_make_entrypoint_file($1_crontab_t,crontab_exec_t) domain_entry_file($1_crontab_t,crontab_exec_t)
role $1_r types $1_crontab_t; role $1_r types $1_crontab_t;
############################## ##############################
@ -72,24 +72,24 @@ define(`cron_per_userdomain_template',`
fs_getattr_all_fs($1_crond_t) fs_getattr_all_fs($1_crond_t)
domain_execute_all_entrypoint_programs($1_crond_t) domain_exec_all_entry_files($1_crond_t)
files_read_general_application_resources($1_crond_t) files_read_usr_files($1_crond_t)
files_execute_system_config_script($1_crond_t) files_exec_generic_etc_files($1_crond_t)
# for nscd: # for nscd:
files_ignore_search_runtime_data_directory($1_crond_t) files_dontaudit_search_pids($1_crond_t)
corecommands_execute_general_programs($1_crond_t) corecmd_exec_bin($1_crond_t)
corecommands_execute_system_programs($1_crond_t) corecmd_exec_sbin($1_crond_t)
libraries_use_dynamic_loader($1_crond_t) libs_use_ld_so($1_crond_t)
libraries_use_shared_libraries($1_crond_t) libs_use_shared_libs($1_crond_t)
libraries_execute_library_scripts($1_crond_t) libs_exec_lib_files($1_crond_t)
libraries_execute_dynamic_loader($1_crond_t) libs_exec_ld_so($1_crond_t)
files_read_runtime_system_config($1_crond_t) files_read_etc_runtime_files($1_crond_t)
logging_search_system_log_directory($1_crond_t) logging_search_logs($1_crond_t)
selinux_read_config($1_crond_t) selinux_read_config($1_crond_t)
@ -155,14 +155,14 @@ define(`cron_per_userdomain_template',`
fs_getattr_xattr_fs($1_crontab_t) fs_getattr_xattr_fs($1_crontab_t)
domain_use_widely_inheritable_file_descriptors($1_crontab_t) domain_use_wide_inherit_fd($1_crontab_t)
files_read_general_system_config($1_crontab_t) files_read_generic_etc_files($1_crontab_t)
libraries_use_dynamic_loader($1_crontab_t) libs_use_ld_so($1_crontab_t)
libraries_use_shared_libraries($1_crontab_t) libs_use_shared_libs($1_crontab_t)
logging_send_system_log_message($1_crontab_t) logging_send_syslog_msg($1_crontab_t)
miscfiles_read_localization($1_crontab_t) miscfiles_read_localization($1_crontab_t)
@ -218,7 +218,7 @@ define(`cron_per_userdomain_template',`
# #
define(`cron_admin_template',` define(`cron_admin_template',`
logging_read_system_logs($1_crond_t) logging_read_generic_logs($1_crond_t)
# Allow our crontab domain to unlink a user cron spool file. # Allow our crontab domain to unlink a user cron spool file.
#allow $1_crontab_t user_cron_spool_t:file unlink; #allow $1_crontab_t user_cron_spool_t:file unlink;
@ -241,15 +241,15 @@ define(`cron_admin_template',`
######################################## ########################################
# #
# cron_modify_log(domain) # cron_rw_log(domain)
# #
define(`cron_modify_log',` define(`cron_rw_log',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 crond_log_t:file rw_file_perms; allow $1 crond_log_t:file rw_file_perms;
') ')
define(`cron_modify_log_depend',` define(`cron_rw_log_depend',`
type crond_log_t; type crond_log_t;
class file rw_file_perms; class file rw_file_perms;


@ -10,39 +10,39 @@ policy_module(cron, 1.0)
bool cron_can_relabel false; bool cron_can_relabel false;
type anacron_exec_t; type anacron_exec_t;
files_make_file(anacron_exec_t) files_file_type(anacron_exec_t)
type cron_spool_t; type cron_spool_t;
files_make_file(cron_spool_t) files_file_type(cron_spool_t)
type crond_t; #, privmail, nscd_client_domain type crond_t; #, privmail, nscd_client_domain
type crond_exec_t; type crond_exec_t;
init_make_daemon_domain(crond_t,crond_exec_t) init_daemon_domain(crond_t,crond_exec_t)
domain_make_file_descriptors_widely_inheritable(crond_t) domain_wide_inherit_fd(crond_t)
type crond_log_t; type crond_log_t;
logging_make_log_file(crond_log_t) logging_log_file(crond_log_t)
type crond_tmp_t; type crond_tmp_t;
files_make_temporary_file(crond_tmp_t) files_tmp_file(crond_tmp_t)
type crond_var_run_t; type crond_var_run_t;
files_make_daemon_runtime_file(crond_var_run_t) files_pid_file(crond_var_run_t)
type crontab_exec_t; type crontab_exec_t;
files_make_file(crontab_exec_t) files_file_type(crontab_exec_t)
type system_cron_spool_t; type system_cron_spool_t;
type system_crond_t; #, privmail, nscd_client_domain; type system_crond_t; #, privmail, nscd_client_domain;
init_make_daemon_domain(system_crond_t,anacron_exec_t) init_daemon_domain(system_crond_t,anacron_exec_t)
corecommands_make_shell_entrypoint(system_crond_t) corecmd_shell_entry_type(system_crond_t)
role system_r types system_crond_t; role system_r types system_crond_t;
type system_crond_lock_t; type system_crond_lock_t;
files_make_lock_file(system_crond_lock_t) files_lock_file(system_crond_lock_t)
type system_crond_tmp_t; type system_crond_tmp_t;
files_make_temporary_file(system_crond_tmp_t) files_tmp_file(system_crond_tmp_t)
######################################## ########################################
# #
@ -67,11 +67,11 @@ allow crond_t self:msg { send receive };
allow crond_t crond_log_t:file create_file_perms; allow crond_t crond_log_t:file create_file_perms;
allow crond_t crond_var_run_t:file create_file_perms; allow crond_t crond_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(crond_t,crond_var_run_t) files_create_pid(crond_t,crond_var_run_t)
allow crond_t crond_tmp_t:dir create_dir_perms; allow crond_t crond_tmp_t:dir create_dir_perms;
allow crond_t crond_tmp_t:file create_file_perms; allow crond_t crond_tmp_t:file create_file_perms;
files_create_private_tmp_data(crond_t, crond_tmp_t, { file dir }) files_create_tmp_files(crond_t, crond_tmp_t, { file dir })
allow crond_t cron_spool_t:dir r_dir_perms; allow crond_t cron_spool_t:dir r_dir_perms;
allow crond_t cron_spool_t:file r_file_perms; allow crond_t cron_spool_t:file r_file_perms;
@ -94,23 +94,23 @@ fs_getattr_all_fs(crond_t)
term_dontaudit_use_console(crond_t) term_dontaudit_use_console(crond_t)
# need auth_chkpwd to check for locked accounts. # need auth_chkpwd to check for locked accounts.
authlogin_check_password_transition(crond_t) auth_domtrans_chk_passwd(crond_t)
corecommands_execute_shell(crond_t) corecmd_exec_shell(crond_t)
corecommands_read_system_programs_directory(crond_t) corecmd_list_sbin(crond_t)
domain_use_widely_inheritable_file_descriptors(crond_t) domain_use_wide_inherit_fd(crond_t)
files_read_general_system_config(crond_t) files_read_generic_etc_files(crond_t)
files_read_system_spools(crond_t) files_read_spools(crond_t)
init_use_file_descriptors(crond_t) init_use_fd(crond_t)
init_script_use_pseudoterminal(crond_t) init_use_script_pty(crond_t)
libraries_use_dynamic_loader(crond_t) libs_use_ld_so(crond_t)
libraries_use_shared_libraries(crond_t) libs_use_shared_libs(crond_t)
logging_send_system_log_message(crond_t) logging_send_syslog_msg(crond_t)
selinux_read_config(crond_t) selinux_read_config(crond_t)
selinux_read_default_contexts(crond_t) selinux_read_default_contexts(crond_t)
@ -118,7 +118,7 @@ selinux_newrole_sigchld(crond_t)
miscfiles_read_localization(crond_t) miscfiles_read_localization(crond_t)
userdomain_use_all_unprivileged_users_file_descriptors(crond_t) userdom_use_unpriv_users_fd(crond_t)
tunable_policy(`fcron_crond', ` tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file create_file_perms; allow crond_t system_cron_spool_t:file create_file_perms;
@ -127,11 +127,11 @@ tunable_policy(`fcron_crond', `
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(crond_t) term_dontaudit_use_unallocated_tty(crond_t)
terminal_ignore_use_general_pseudoterminal(crond_t) terminal_ignore_use_general_pseudoterminal(crond_t)
files_ignore_read_rootfs_file(crond_t) files_dontaudit_read_root_file(crond_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_read_database(crond_t) udev_read_db(crond_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
@ -212,11 +212,11 @@ allow system_crond_t crond_t:process sigchld;
# Write /var/lock/makewhatis.lock. # Write /var/lock/makewhatis.lock.
allow system_crond_t system_crond_lock_t:file create_file_perms; allow system_crond_t system_crond_lock_t:file create_file_perms;
files_create_private_lock_file(system_crond_t,system_crond_lock_t) files_create_lock_file(system_crond_t,system_crond_lock_t)
# write temporary files # write temporary files
allow system_crond_t system_crond_tmp_t:file create_file_perms; allow system_crond_t system_crond_tmp_t:file create_file_perms;
files_create_private_tmp_data(system_crond_t,system_crond_tmp_t) files_create_tmp_files(system_crond_t,system_crond_tmp_t)
# write temporary files in crond tmp dir: # write temporary files in crond tmp dir:
allow system_crond_t crond_tmp_t:dir rw_dir_perms; allow system_crond_t crond_tmp_t:dir rw_dir_perms;
@ -228,7 +228,7 @@ allow system_crond_t cron_spool_t:file r_file_perms;
# Access crond log files # Access crond log files
allow system_crond_t crond_log_t:file create_file_perms; allow system_crond_t crond_log_t:file create_file_perms;
logging_create_private_log(system_crond_t,crond_log_t) logging_create_log(system_crond_t,crond_log_t)
kernel_read_kernel_sysctl(system_crond_t) kernel_read_kernel_sysctl(system_crond_t)
kernel_read_system_state(system_crond_t) kernel_read_system_state(system_crond_t)
@ -255,45 +255,45 @@ dev_read_urand(system_crond_t)
fs_getattr_all_fs(system_crond_t) fs_getattr_all_fs(system_crond_t)
fs_getattr_all_files(system_crond_t) fs_getattr_all_files(system_crond_t)
init_use_file_descriptors(system_crond_t) init_use_fd(system_crond_t)
init_script_use_file_descriptors(system_crond_t) init_use_script_fd(system_crond_t)
init_script_use_pseudoterminal(system_crond_t) init_use_script_pty(system_crond_t)
init_script_read_runtime_data(system_crond_t) init_read_script_pid(system_crond_t)
init_script_ignore_modify_runtime_data(system_crond_t) init_dontaudit_rw_script_pid(system_crond_t)
domain_execute_all_entrypoint_programs(system_crond_t) domain_exec_all_entry_files(system_crond_t)
files_execute_system_config_script(system_crond_t) files_exec_generic_etc_files(system_crond_t)
files_read_general_system_config(system_crond_t) files_read_generic_etc_files(system_crond_t)
files_read_runtime_system_config(system_crond_t) files_read_etc_runtime_files(system_crond_t)
files_read_all_directories(system_crond_t) files_list_all_dirs(system_crond_t)
files_get_all_file_attributes(system_crond_t) files_getattr_all_files(system_crond_t)
files_read_general_application_resources(system_crond_t) files_read_usr_files(system_crond_t)
# for nscd: # for nscd:
files_ignore_search_runtime_data_directory(system_crond_t) files_dontaudit_search_pids(system_crond_t)
# Access other spool directories like # Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull. # /var/spool/anacron and /var/spool/slrnpull.
files_manage_system_spools(system_crond_t) files_manage_spools(system_crond_t)
corecommands_execute_general_programs(system_crond_t) corecmd_exec_bin(system_crond_t)
corecommands_execute_system_programs(system_crond_t) corecmd_exec_sbin(system_crond_t)
libraries_use_dynamic_loader(system_crond_t) libs_use_ld_so(system_crond_t)
libraries_use_shared_libraries(system_crond_t) libs_use_shared_libs(system_crond_t)
libraries_execute_library_scripts(system_crond_t) libs_exec_lib_files(system_crond_t)
libraries_execute_dynamic_loader(system_crond_t) libs_exec_ld_so(system_crond_t)
logging_read_system_logs(system_crond_t) logging_read_generic_logs(system_crond_t)
logging_send_system_log_message(system_crond_t) logging_send_syslog_msg(system_crond_t)
miscfiles_read_localization(system_crond_t) miscfiles_read_localization(system_crond_t)
miscfiles_read_man_pages(system_crond_t) miscfiles_read_man_pages(system_crond_t)
miscfiles_manage_man_page_cache(system_crond_t) miscfiles_rw_man_cache(system_crond_t)
selinux_read_config(system_crond_t) selinux_read_config(system_crond_t)
if (cron_can_relabel) { if (cron_can_relabel) {
selinux_setfiles_transition(system_crond_t) selinux_domtrans_setfiles(system_crond_t)
} else { } else {
kernel_get_selinuxfs_mount_point(system_crond_t) kernel_get_selinuxfs_mount_point(system_crond_t)
kernel_validate_context(system_crond_t) kernel_validate_context(system_crond_t)
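Review bot: `terminal_ignore_use_general_pseudoterminal(crond_t)` in hunk `@ -127,11 +127,11` is left under the old naming scheme while the lines around it move to `term_dontaudit_use_unallocated_tty` and `files_dontaudit_read_root_file`, so it looks like a rename this commit missed. It sits inside the `ifdef(`targeted_policy', ...)` block, so the default build would not exercise it; in a targeted build an undefined m4 macro is passed through verbatim into the policy source. Unless an interface of that exact name still exists, it should be changed to the terminal module's new `term_dontaudit_*` equivalent for generic ptys (the new name is not visible in this diff).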


@ -11,11 +11,11 @@ define(`mta_per_userdomain_template',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
type $1_mail_t; # , user_mail_domain, nscd_client_domain; type $1_mail_t; # , user_mail_domain, nscd_client_domain;
domain_make_domain($1_mail_t) domain_type($1_mail_t)
role $1_r types $1_mail_t; role $1_r types $1_mail_t;
type $1_mail_tmp_t; type $1_mail_tmp_t;
files_make_temporary_file($1_mail_tmp_t) files_tmp_file($1_mail_tmp_t)
############################## ##############################
# #
@ -50,20 +50,20 @@ define(`mta_per_userdomain_template',`
corenet_tcp_sendrecv_all_ports($1_mail_t) corenet_tcp_sendrecv_all_ports($1_mail_t)
corenet_tcp_bind_all_nodes($1_mail_t) corenet_tcp_bind_all_nodes($1_mail_t)
domain_use_widely_inheritable_file_descriptors($1_mail_t) domain_use_wide_inherit_fd($1_mail_t)
libraries_use_dynamic_loader($1_mail_t) libs_use_ld_so($1_mail_t)
libraries_use_shared_libraries($1_mail_t) libs_use_shared_libs($1_mail_t)
corecommands_execute_general_programs($1_mail_t) corecmd_exec_bin($1_mail_t)
files_read_general_system_config($1_mail_t) files_read_generic_etc_files($1_mail_t)
logging_send_system_log_message($1_mail_t) logging_send_syslog_msg($1_mail_t)
miscfiles_read_localization($1_mail_t) miscfiles_read_localization($1_mail_t)
sysnetwork_read_network_config($1_mail_t) sysnet_read_config($1_mail_t)
tunable_policy(`use_dns',` tunable_policy(`use_dns',`
allow $1_mail_t self:udp_socket create_socket_perms; allow $1_mail_t self:udp_socket create_socket_perms;
@ -142,30 +142,30 @@ define(`mta_per_userdomain_template_depend',`
####################################### #######################################
# #
# mta_make_mailserver_domain(domain,entrypointtype) # mta_mailserver(domain,entrypointtype)
# #
define(`mta_make_mailserver_domain',` define(`mta_mailserver',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
init_make_daemon_domain($1,$2) init_daemon_domain($1,$2)
typeattribute $1 mailserver_domain; typeattribute $1 mailserver_domain;
') ')
define(`mta_make_mailserver_domain_depend',` define(`mta_mailserver_depend',`
attribute mailserver_domain; attribute mailserver_domain;
') ')
####################################### #######################################
# #
# mta_make_sendmail_mailserver_domain(domain,entrypointtype) # mta_sendmail_mailserver(domain,entrypointtype)
# #
define(`mta_make_sendmail_mailserver_domain',` define(`mta_sendmail_mailserver',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
mta_make_mailserver_domain($1,sendmail_exec_t) mta_mailserver($1,sendmail_exec_t)
') ')
define(`mta_make_sendmail_mailserver_domain_depend',` define(`mta_sendmail_mailserver_depend',`
type sendmail_exec_t; type sendmail_exec_t;
') ')
@ -197,22 +197,22 @@ define(`mta_send_mail_depend',`
####################################### #######################################
# #
# mta_execute(domain) # mta_exec(domain)
# #
define(`mta_execute',` define(`mta_exec',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1, sendmail_exec_t) can_exec($1, sendmail_exec_t)
') ')
define(`mta_execute_depend',` define(`mta_exec_depend',`
type sendmail_exec_t; type sendmail_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
') ')
######################################## ########################################
## <interface name="mta_read_mail_aliases"> ## <interface name="mta_read_aliases">
## <description> ## <description>
## Read mail address aliases. ## Read mail address aliases.
## </description> ## </description>
@ -221,13 +221,13 @@ define(`mta_execute_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`mta_read_mail_aliases',` define(`mta_read_aliases',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 etc_aliases_t:file r_file_perms; allow $1 etc_aliases_t:file r_file_perms;
') ')
define(`mta_read_mail_aliases_depend',` define(`mta_read_aliases_depend',`
type etc_aliases_t; type etc_aliases_t;
class file r_file_perms; class file r_file_perms;
@ -235,15 +235,15 @@ define(`mta_read_mail_aliases_depend',`
####################################### #######################################
# #
# mta_modify_mail_aliases(domain) # mta_rw_aliases(domain)
# #
define(`mta_modify_mail_aliases',` define(`mta_rw_aliases',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow sendmail_t etc_aliases_t:file { rw_file_perms setattr }; allow sendmail_t etc_aliases_t:file { rw_file_perms setattr };
') ')
define(`mta_modify_mail_aliases_depend',` define(`mta_rw_aliases_depend',`
type etc_aliases_t; type etc_aliases_t;
class file { rw_file_perms setattr }; class file { rw_file_perms setattr };
@ -251,18 +251,18 @@ define(`mta_modify_mail_aliases_depend',`
####################################### #######################################
# #
# mta_get_mail_spool_attributes(domain) # mta_getattr_spool(domain)
# #
define(`mta_get_mail_spool_attributes',` define(`mta_getattr_spool',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_spool_directory($1) files_search_spool($1)
allow $1 mail_spool_t:dir r_dir_perms; allow $1 mail_spool_t:dir r_dir_perms;
allow $1 mail_spool_t:lnk_file read; allow $1 mail_spool_t:lnk_file read;
allow $1 mail_spool_t:file getattr; allow $1 mail_spool_t:file getattr;
') ')
define(`mta_get_mail_spool_attributes_depend',` define(`mta_getattr_spool_depend',`
type mail_spool_t; type mail_spool_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -272,17 +272,17 @@ define(`mta_get_mail_spool_attributes_depend',`
####################################### #######################################
# #
# mta_modify_mail_spool(domain) # mta_rw_spool(domain)
# #
define(`mta_modify_mail_spool',` define(`mta_rw_spool',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_spool_directory($1) files_search_spool($1)
allow $1 mail_spool_t:dir rw_dir_perms; allow $1 mail_spool_t:dir rw_dir_perms;
allow $1 mail_spool_t:file { rw_file_perms setattr }; allow $1 mail_spool_t:file { rw_file_perms setattr };
') ')
define(`mta_modify_mail_spool_depend',` define(`mta_rw_spool_depend',`
type mail_spool_t; type mail_spool_t;
class dir rw_dir_perms; class dir rw_dir_perms;
@ -291,17 +291,17 @@ define(`mta_modify_mail_spool_depend',`
####################################### #######################################
# #
# mta_manage_mail_spool(domain) # mta_manage_spool(domain)
# #
define(`mta_manage_mail_spool',` define(`mta_manage_spool',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_spool_directory($1) files_search_spool($1)
allow $1 mail_spool_t:dir rw_dir_perms; allow $1 mail_spool_t:dir rw_dir_perms;
allow $1 mail_spool_t:file create_file_perms; allow $1 mail_spool_t:file create_file_perms;
') ')
define(`mta_manage_mail_spool_depend',` define(`mta_manage_spool_depend',`
type mail_spool_t; type mail_spool_t;
class dir rw_dir_perms; class dir rw_dir_perms;
@ -310,16 +310,16 @@ define(`mta_manage_mail_spool_depend',`
####################################### #######################################
# #
# mta_manage_mail_queue(domain) # mta_manage_queue(domain)
# #
define(`mta_manage_mail_queue',` define(`mta_manage_queue',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 mqueue_spool_t:dir rw_dir_perms; allow $1 mqueue_spool_t:dir rw_dir_perms;
allow $1 mqueue_spool_t:file create_file_perms; allow $1 mqueue_spool_t:file create_file_perms;
') ')
define(`mta_manage_mail_queue_depend',` define(`mta_manage_queue_depend',`
type mqueue_spool_t; type mqueue_spool_t;
class dir rw_dir_perms; class dir rw_dir_perms;


@ -7,31 +7,31 @@ policy_module(mta,1.0)
# #
type etc_aliases_t; type etc_aliases_t;
files_make_file(etc_aliases_t) files_file_type(etc_aliases_t)
type etc_mail_t; type etc_mail_t;
files_make_file(etc_mail_t) files_file_type(etc_mail_t)
attribute mailserver_domain; attribute mailserver_domain;
type mqueue_spool_t; type mqueue_spool_t;
files_make_file(mqueue_spool_t) files_file_type(mqueue_spool_t)
type mail_spool_t; type mail_spool_t;
files_make_file(mail_spool_t) files_file_type(mail_spool_t)
type sendmail_exec_t; type sendmail_exec_t;
files_make_file(sendmail_exec_t) files_file_type(sendmail_exec_t)
type system_mail_t; #, user_mail_domain, nscd_client_domain; type system_mail_t; #, user_mail_domain, nscd_client_domain;
domain_make_domain(system_mail_t) domain_type(system_mail_t)
role system_r types system_mail_t; role system_r types system_mail_t;
ifdef(`targeted_policy',`',` ifdef(`targeted_policy',`',`
optional_policy(`sendmail.te', ` optional_policy(`sendmail.te', `
domain_make_entrypoint_file(system_mail_t,sendmail_exec_t) domain_entry_file(system_mail_t,sendmail_exec_t)
', ` ', `
init_make_system_domain(system_mail_t,sendmail_exec_t) init_system_domain(system_mail_t,sendmail_exec_t)
') dnl end if sendmail ') dnl end if sendmail
') dnl end targeted_policy ') dnl end targeted_policy
@ -64,23 +64,23 @@ dev_read_urand(system_mail_t)
fs_getattr_xattr_fs(system_mail_t) fs_getattr_xattr_fs(system_mail_t)
init_script_use_pseudoterminal(system_mail_t) init_use_script_pty(system_mail_t)
files_read_runtime_system_config(system_mail_t) files_read_etc_runtime_files(system_mail_t)
files_read_general_system_config(system_mail_t) files_read_generic_etc_files(system_mail_t)
# It wants to check for nscd # It wants to check for nscd
files_ignore_search_runtime_data_directory(system_mail_t) files_dontaudit_search_pids(system_mail_t)
corecommands_execute_general_programs(system_mail_t) corecmd_exec_bin(system_mail_t)
libraries_use_dynamic_loader(system_mail_t) libs_use_ld_so(system_mail_t)
libraries_use_shared_libraries(system_mail_t) libs_use_shared_libs(system_mail_t)
logging_send_system_log_message(system_mail_t) logging_send_syslog_msg(system_mail_t)
miscfiles_read_localization(system_mail_t) miscfiles_read_localization(system_mail_t)
sysnetwork_read_network_config(system_mail_t) sysnet_read_config(system_mail_t)
tunable_policy(`use_dns',` tunable_policy(`use_dns',`
allow system_mail_t self:udp_socket create_socket_perms; allow system_mail_t self:udp_socket create_socket_perms;
@ -144,14 +144,14 @@ ifdef(`targeted_policy', `
# targeted policy. We could move these rules permanantly here. # targeted policy. We could move these rules permanantly here.
ifdef(`postfix.te', `', ` ifdef(`postfix.te', `', `
domain_execute_all_entrypoint_programs(system_mail_t) domain_exec_all_entry_files(system_mail_t)
files_execute_system_config_script(system_mail_t) files_exec_generic_etc_files(system_mail_t)
corecommands_execute_general_programs(system_mail_t) corecmd_exec_bin(system_mail_t)
corecommands_execute_system_programs(system_mail_t) corecmd_exec_sbin(system_mail_t)
libraries_use_dynamic_loader(system_mail_t) libs_use_ld_so(system_mail_t)
libraries_use_shared_libraries(system_mail_t) libs_use_shared_libs(system_mail_t)
libraries_execute_dynamic_loader(system_mail_t) libs_exec_ld_so(system_mail_t)
libraries_execute_library_scripts(system_mail_t) libs_exec_lib_files(system_mail_t)
') ')
allow system_mail_t { var_t var_spool_t }:dir getattr; allow system_mail_t { var_t var_spool_t }:dir getattr;


@ -14,7 +14,7 @@
define(`remotelogin_domtrans',` define(`remotelogin_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
authlogin_login_program_transition($1,remote_login_t) auth_domtrans_login_program($1,remote_login_t)
') ')
define(`remotelogin_domtrans_depend',` define(`remotelogin_domtrans_depend',`


@ -7,16 +7,16 @@ policy_module(authlogin,1.0)
# #
type remote_login_t; #, nscd_client_domain; type remote_login_t; #, nscd_client_domain;
kernel_make_object_identity_change_constraint_exception(remote_login_t) kernel_obj_id_change_exempt(remote_login_t)
kernel_make_process_identity_change_constraint_exception(remote_login_t) kernel_subj_id_change_exempt(remote_login_t)
kernel_make_role_change_constraint_exception(remote_login_t) kernel_role_change_exempt(remote_login_t)
domain_make_domain(remote_login_t) domain_type(remote_login_t)
domain_make_file_descriptors_widely_inheritable(remote_login_t) domain_wide_inherit_fd(remote_login_t)
authlogin_make_login_program_entrypoint(remote_login_t) auth_login_entry_type(remote_login_t)
role system_r types remote_login_t; role system_r types remote_login_t;
type remote_login_tmp_t; type remote_login_tmp_t;
files_make_temporary_file(remote_login_tmp_t) files_tmp_file(remote_login_tmp_t)
######################################## ########################################
# #
@ -39,7 +39,7 @@ allow remote_login_t self:msg { send receive };
allow remote_login_t remote_login_tmp_t:dir create_dir_perms; allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
allow remote_login_t remote_login_tmp_t:file create_file_perms; allow remote_login_t remote_login_tmp_t:file create_file_perms;
files_create_private_tmp_data(remote_login_t, remote_login_tmp_t, { file dir }) files_create_tmp_files(remote_login_t, remote_login_tmp_t, { file dir })
kernel_read_system_state(remote_login_t) kernel_read_system_state(remote_login_t)
kernel_read_kernel_sysctl(remote_login_t) kernel_read_kernel_sysctl(remote_login_t)
@ -55,29 +55,29 @@ dev_read_urand(remote_login_t)
fs_getattr_xattr_fs(remote_login_t) fs_getattr_xattr_fs(remote_login_t)
init_script_modify_runtime_data(remote_login_t) init_rw_script_pid(remote_login_t)
domain_read_all_entrypoint_programs(remote_login_t) domain_read_all_entry_files(remote_login_t)
files_read_general_system_config(remote_login_t) files_read_generic_etc_files(remote_login_t)
files_read_runtime_system_config(remote_login_t) files_read_etc_runtime_files(remote_login_t)
files_list_home_directories(remote_login_t) files_list_home(remote_login_t)
files_read_general_application_resources(remote_login_t) files_read_usr_files(remote_login_t)
libraries_use_dynamic_loader(remote_login_t) libs_use_ld_so(remote_login_t)
libraries_use_shared_libraries(remote_login_t) libs_use_shared_libs(remote_login_t)
logging_send_system_log_message(remote_login_t) logging_send_syslog_msg(remote_login_t)
selinux_read_config(remote_login_t) selinux_read_config(remote_login_t)
selinux_read_default_contexts(remote_login_t) selinux_read_default_contexts(remote_login_t)
authlogin_check_password_transition(remote_login_t) auth_domtrans_chk_passwd(remote_login_t)
authlogin_ignore_read_shadow_passwords(remote_login_t) auth_dontaudit_read_shadow(remote_login_t)
authlogin_modify_login_records(remote_login_t) auth_rw_login_records(remote_login_t)
authlogin_modify_last_login_log(remote_login_t) auth_rw_lastlog(remote_login_t)
authlogin_pam_execute(remote_login_t) auth_exec_pam(remote_login_t)
authlogin_pam_console_manage_runtime_data(remote_login_t) auth_manage_pam_console_data(remote_login_t)
miscfiles_read_localization(remote_login_t) miscfiles_read_localization(remote_login_t)


@ -7,16 +7,16 @@ policy_module(sendmail,1.0)
# #
type sendmail_t; # , nscd_client_domain, mta_delivery_agent, mail_server_sender', nosysadm) type sendmail_t; # , nscd_client_domain, mta_delivery_agent, mail_server_sender', nosysadm)
mta_make_sendmail_mailserver_domain(sendmail_t) mta_sendmail_mailserver(sendmail_t)
type sendmail_log_t; type sendmail_log_t;
logging_make_log_file(sendmail_log_t) logging_log_file(sendmail_log_t)
type sendmail_tmp_t; type sendmail_tmp_t;
files_make_temporary_file(sendmail_tmp_t) files_tmp_file(sendmail_tmp_t)
type sendmail_var_run_t; type sendmail_var_run_t;
files_make_daemon_runtime_file(sendmail_var_run_t) files_pid_file(sendmail_var_run_t)
######################################## ########################################
# #
@ -30,14 +30,14 @@ allow sendmail_t self:unix_dgram_socket create_socket_perms;
allow sendmail_t sendmail_log_t:file create_file_perms; allow sendmail_t sendmail_log_t:file create_file_perms;
allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr }; allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
logging_create_private_log(sendmail_t,sendmail_log_t,{ file dir }) logging_create_log(sendmail_t,sendmail_log_t,{ file dir })
allow sendmail_t sendmail_tmp_t:dir create_dir_perms; allow sendmail_t sendmail_tmp_t:dir create_dir_perms;
allow sendmail_t sendmail_tmp_t:file create_file_perms; allow sendmail_t sendmail_tmp_t:file create_file_perms;
files_create_private_tmp_data(sendmail_t, sendmail_tmp_t, { file dir }) files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink }; allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
files_create_daemon_runtime_data(sendmail_t,sendmail_var_run_t) files_create_pid(sendmail_t,sendmail_var_run_t)
kernel_read_kernel_sysctl(sendmail_t) kernel_read_kernel_sysctl(sendmail_t)
kernel_read_hardware_state(sendmail_t) kernel_read_hardware_state(sendmail_t)
@ -60,38 +60,38 @@ fs_getattr_all_fs(sendmail_t)
term_dontaudit_use_console(sendmail_t) term_dontaudit_use_console(sendmail_t)
init_use_file_descriptors(sendmail_t) init_use_fd(sendmail_t)
init_script_use_pseudoterminal(sendmail_t) init_use_script_pty(sendmail_t)
# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
init_script_read_runtime_data(sendmail_t) init_read_script_pid(sendmail_t)
init_script_ignore_write_runtime_data(sendmail_t) init_dontaudit_write_script_pid(sendmail_t)
domain_use_widely_inheritable_file_descriptors(sendmail_t) domain_use_wide_inherit_fd(sendmail_t)
files_read_general_system_config(sendmail_t) files_read_generic_etc_files(sendmail_t)
files_search_system_spool_directory(sendmail_t) files_search_spool(sendmail_t)
logging_send_system_log_message(sendmail_t) logging_send_syslog_msg(sendmail_t)
libraries_use_dynamic_loader(sendmail_t) libs_use_ld_so(sendmail_t)
libraries_use_shared_libraries(sendmail_t) libs_use_shared_libs(sendmail_t)
# Read /usr/lib/sasl2/.* # Read /usr/lib/sasl2/.*
libraries_read_library_resources(sendmail_t) libs_read_lib(sendmail_t)
miscfiles_read_localization(sendmail_t) miscfiles_read_localization(sendmail_t)
# Write to /etc/aliases and /etc/mail. # Write to /etc/aliases and /etc/mail.
mta_modify_mail_aliases(sendmail_t) mta_rw_aliases(sendmail_t)
# Write to /var/spool/mail and /var/spool/mqueue. # Write to /var/spool/mail and /var/spool/mqueue.
mta_manage_mail_queue(sendmail_t) mta_manage_queue(sendmail_t)
mta_manage_mail_spool(sendmail_t) mta_manage_spool(sendmail_t)
sysnetwork_read_network_config(sendmail_t) sysnet_read_config(sendmail_t)
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(sendmail_t) term_dontaudit_use_unallocated_tty(sendmail_t)
terminal_ignore_use_general_pseudoterminal(sendmail_t) terminal_ignore_use_general_pseudoterminal(sendmail_t)
files_ignore_read_rootfs_file(sendmail_t) files_dontaudit_read_root_file(sendmail_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
@ -99,7 +99,7 @@ optional_policy(`selinux.te',`
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_read_database(sendmail_t) udev_read_db(sendmail_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
@ -143,7 +143,7 @@ dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr sear
# Run procmail in its own domain, if defined. # Run procmail in its own domain, if defined.
ifdef(`procmail.te',` ifdef(`procmail.te',`
corecommands_search_general_programs_directory(sendmail_t) corecmd_search_bin(sendmail_t)
procmail_transition(sendmail_t) procmail_transition(sendmail_t)
domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t) domain_auto_trans(system_mail_t, procmail_exec_t, procmail_t)
') ')
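Review bot: `terminal_ignore_use_general_pseudoterminal(sendmail_t)` inside the `ifdef(`targeted_policy'` block is the one terminal-module call in this file left untouched by the rename, while `term_dontaudit_use_console` and the adjacent `term_dontaudit_use_unallocated_tty` already carry the `term_` prefix; if no interface of that name exists any more, m4 passes the call through unexpanded and the targeted build fails at policy compile time, so it should be pointed at the current terminal.if interface for dontauditing generic pty use. Separately, `mta_rw_aliases(sendmail_t)` works here only by coincidence: the interface body in the mta.if hunk of this same commit grants `sendmail_t` rather than `$1`, so any other caller would silently widen sendmail_t's access instead of its own domain's. That body should read `allow $1 etc_aliases_t:file { rw_file_perms setattr };` so the interface honours its parameter.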


@ -26,15 +26,15 @@ define(`authlogin_per_userdomain_template',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain; type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
domain_make_domain($1_chkpwd_t) domain_type($1_chkpwd_t)
domain_make_entrypoint_file($1_chkpwd_t,chkpwd_exec_t) domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
role $1_r types $1_chkpwd_t; role $1_r types $1_chkpwd_t;
role $1_r types system_chkpwd_t; role $1_r types system_chkpwd_t;
allow $1_chkpwd_t self:capability setuid; allow $1_chkpwd_t self:capability setuid;
allow $1_chkpwd_t self:process getattr; allow $1_chkpwd_t self:process getattr;
files_read_general_system_config_directory($1_chkpwd_t) files_read_generic_etc_files_directory($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read }; allow $1_chkpwd_t shadow_t:file { getattr read };
# is_selinux_enabled # is_selinux_enabled
@ -42,16 +42,16 @@ define(`authlogin_per_userdomain_template',`
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t) fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
domain_use_widely_inheritable_file_descriptors($1_chkpwd_t) domain_use_wide_inherit_fd($1_chkpwd_t)
libraries_use_dynamic_loader($1_chkpwd_t) libs_use_ld_so($1_chkpwd_t)
libraries_use_shared_libraries($1_chkpwd_t) libs_use_shared_libs($1_chkpwd_t)
files_read_general_system_config($1_chkpwd_t) files_read_generic_etc_files($1_chkpwd_t)
# for nscd # for nscd
files_ignore_search_system_state_data_directory($1_chkpwd_t) files_dontaudit_search_var($1_chkpwd_t)
logging_send_system_log_message($1_chkpwd_t) logging_send_syslog_msg($1_chkpwd_t)
miscfiles_read_localization($1_chkpwd_t) miscfiles_read_localization($1_chkpwd_t)
@ -84,11 +84,11 @@ define(`authlogin_per_userdomain_template',`
corenet_raw_sendrecv_all_nodes($1_chkpwd_t) corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
corenet_udp_bind_all_nodes($1_chkpwd_t) corenet_udp_bind_all_nodes($1_chkpwd_t)
corenet_udp_sendrecv_dns_port($1_chkpwd_t) corenet_udp_sendrecv_dns_port($1_chkpwd_t)
sysnetwork_read_network_config($1_chkpwd_t) sysnet_read_config($1_chkpwd_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_newrole_use_file_descriptors($1_chkpwd_t) selinux_use_newrole_fd($1_chkpwd_t)
') ')
') dnl end authlogin_per_userdomain_template ') dnl end authlogin_per_userdomain_template
@ -108,7 +108,7 @@ define(`authlogin_per_userdomain_template_depend',`
') ')
######################################## ########################################
## <interface name="authlogin_make_login_program_entrypoint"> ## <interface name="auth_login_entry_type">
## <description> ## <description>
## ##
## </description> ## </description>
@ -123,20 +123,20 @@ define(`authlogin_per_userdomain_template_depend',`
####################################### #######################################
# #
# authlogin_make_login_program_entrypoint(domain) # auth_login_entry_type(domain)
# #
define(`authlogin_make_login_program_entrypoint',` define(`auth_login_entry_type',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_make_entrypoint_file($1,login_exec_t) domain_entry_file($1,login_exec_t)
') ')
define(`authlogin_make_login_program_entrypoint_depend',` define(`auth_login_entry_type_depend',`
type login_exec_t; type login_exec_t;
') ')
######################################## ########################################
## <interface name="authlogin_login_program_transition"> ## <interface name="auth_domtrans_login_program">
## <description> ## <description>
## Execute a login_program in the target domain. ## Execute a login_program in the target domain.
## </description> ## </description>
@ -148,7 +148,7 @@ define(`authlogin_make_login_program_entrypoint_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`authlogin_login_program_transition',` define(`auth_domtrans_login_program',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
# FIXME: search bin_t # FIXME: search bin_t
@ -163,7 +163,7 @@ define(`authlogin_login_program_transition',`
allow $2 $1:process sigchld; allow $2 $1:process sigchld;
') ')
define(`authlogin_login_program_transition_depend',` define(`auth_domtrans_login_program_depend',`
type login_exec_t; type login_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -173,7 +173,7 @@ define(`authlogin_login_program_transition_depend',`
') ')
######################################## ########################################
## <interface name="authlogin_check_password_transition"> ## <interface name="auth_domtrans_chk_passwd">
## <description> ## <description>
## ##
## </description> ## </description>
@ -187,9 +187,9 @@ define(`authlogin_login_program_transition_depend',`
# #
####################################### #######################################
# #
# authlogin_check_password_transition(domain) # auth_domtrans_chk_passwd(domain)
# #
define(`authlogin_check_password_transition',` define(`auth_domtrans_chk_passwd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t) domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
@ -213,11 +213,11 @@ define(`authlogin_check_password_transition',`
corenet_raw_sendrecv_all_nodes($1) corenet_raw_sendrecv_all_nodes($1)
corenet_udp_bind_all_nodes($1) corenet_udp_bind_all_nodes($1)
corenet_udp_sendrecv_dns_port($1) corenet_udp_sendrecv_dns_port($1)
sysnetwork_read_network_config($1) sysnet_read_config($1)
') ')
') ')
define(`authlogin_check_password_transition_depend',` define(`auth_domtrans_chk_passwd_depend',`
type system_chkpwd_t, chkpwd_exec_t, shadow_t; type system_chkpwd_t, chkpwd_exec_t, shadow_t;
class file rx_file_perms; class file rx_file_perms;
@ -228,7 +228,7 @@ define(`authlogin_check_password_transition_depend',`
') ')
######################################## ########################################
## <interface name="authlogin_ignore_get_shadow_passwords_attributes"> ## <interface name="auth_dontaudit_getattr_shadow">
## <description> ## <description>
## ##
## </description> ## </description>
@ -242,22 +242,22 @@ define(`authlogin_check_password_transition_depend',`
# #
####################################### #######################################
# #
# authlogin_ignore_get_shadow_passwords_attributes(domain) # auth_dontaudit_getattr_shadow(domain)
# #
define(`authlogin_ignore_get_shadow_passwords_attributes',` define(`auth_dontaudit_getattr_shadow',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 shadow_t:file getattr; dontaudit $1 shadow_t:file getattr;
') ')
define(`authlogin_ignore_get_shadow_passwords_attributes_depend',` define(`auth_dontaudit_getattr_shadow_depend',`
type shadow_t; type shadow_t;
class file stat_file_perms; class file stat_file_perms;
') ')
######################################## ########################################
## <interface name="authlogin_read_shadow_passwords"> ## <interface name="auth_read_shadow">
## <description> ## <description>
## ##
## </description> ## </description>
@ -271,17 +271,17 @@ define(`authlogin_ignore_get_shadow_passwords_attributes_depend',`
# #
####################################### #######################################
# #
# authlogin_read_shadow_passwords(domain) # auth_read_shadow(domain)
# #
define(`authlogin_read_shadow_passwords',` define(`auth_read_shadow',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_read_general_system_config_directory($1) files_read_generic_etc_files_directory($1)
allow $1 shadow_t:file r_file_perms; allow $1 shadow_t:file r_file_perms;
typeattribute $1 can_read_shadow_passwords; typeattribute $1 can_read_shadow_passwords;
') ')
define(`authlogin_read_shadow_passwords_depend',` define(`auth_read_shadow_depend',`
attribute can_read_shadow_passwords; attribute can_read_shadow_passwords;
type shadow_t; type shadow_t;
@ -290,7 +290,7 @@ define(`authlogin_read_shadow_passwords_depend',`
') ')
######################################## ########################################
## <interface name="authlogin_ignore_read_shadow_passwords"> ## <interface name="auth_dontaudit_read_shadow">
## <description> ## <description>
## ##
## </description> ## </description>
@ -304,22 +304,22 @@ define(`authlogin_read_shadow_passwords_depend',`
# #
####################################### #######################################
# #
# authlogin_ignore_read_shadow_passwords(domain) # auth_dontaudit_read_shadow(domain)
# #
define(`authlogin_ignore_read_shadow_passwords',` define(`auth_dontaudit_read_shadow',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 shadow_t:file { getattr read }; dontaudit $1 shadow_t:file { getattr read };
') ')
define(`authlogin_ignore_read_shadow_passwords_depend',` define(`auth_dontaudit_read_shadow_depend',`
type shadow_t; type shadow_t;
class file r_file_perms; class file r_file_perms;
') ')
######################################## ########################################
## <interface name="authlogin_modify_shadow_passwords"> ## <interface name="auth_rw_shadow">
## <description> ## <description>
## ##
## </description> ## </description>
@ -333,17 +333,17 @@ define(`authlogin_ignore_read_shadow_passwords_depend',`
# #
####################################### #######################################
# #
# authlogin_modify_shadow_passwords(domain) # auth_rw_shadow(domain)
# #
define(`authlogin_modify_shadow_passwords',` define(`auth_rw_shadow',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_read_general_system_config_directory($1) files_read_generic_etc_files_directory($1)
allow $1 shadow_t:file rw_file_perms; allow $1 shadow_t:file rw_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
') ')
define(`authlogin_modify_shadow_passwords_depend',` define(`auth_rw_shadow_depend',`
attribute can_read_shadow_passwords, can_write_shadow_passwords; attribute can_read_shadow_passwords, can_write_shadow_passwords;
type shadow_t; type shadow_t;
@ -352,18 +352,18 @@ define(`authlogin_modify_shadow_passwords_depend',`
####################################### #######################################
# #
# authlogin_manage_shadow_passwords(domain) # auth_manage_shadow(domain)
# #
define(`authlogin_manage_shadow_passwords',` define(`auth_manage_shadow',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 shadow_t:file create_file_perms; allow $1 shadow_t:file create_file_perms;
files_create_private_config($1,shadow_t,file) files_create_etc_config($1,shadow_t,file)
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
') ')
define(`authlogin_manage_shadow_passwords_depend',` define(`auth_manage_shadow_depend',`
attribute can_read_shadow_passwords, can_write_shadow_passwords; attribute can_read_shadow_passwords, can_write_shadow_passwords;
type shadow_t; type shadow_t;
@ -373,17 +373,17 @@ define(`authlogin_manage_shadow_passwords_depend',`
####################################### #######################################
# #
# authlogin_relabel_to_shadow_passwords(domain) # auth_relabelto_shadow(domain)
# #
define(`authlogin_relabel_to_shadow_passwords',` define(`auth_relabelto_shadow',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_general_system_config_directory($1) files_search_etc($1)
allow $1 shadow_t:file relabelto; allow $1 shadow_t:file relabelto;
typeattribute $1 can_relabelto_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords;
') ')
define(`authlogin_relabel_to_shadow_passwords_depend',` define(`auth_relabelto_shadow_depend',`
attribute can_relabelto_shadow_passwords; attribute can_relabelto_shadow_passwords;
type shadow_t; type shadow_t;
@ -393,16 +393,16 @@ define(`authlogin_relabel_to_shadow_passwords_depend',`
####################################### #######################################
# #
# authlogin_modify_login_failure_records(domain) # auth_rw_faillog(domain)
# #
define(`authlogin_modify_login_failure_records',` define(`auth_rw_faillog',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 faillog_t:file rw_file_perms; allow $1 faillog_t:file rw_file_perms;
logging_search_system_log_directory($1) logging_search_logs($1)
') ')
define(`authlogin_modify_login_failure_records_depend',` define(`auth_rw_faillog_depend',`
type faillog_t; type faillog_t;
class file rw_file_perms; class file rw_file_perms;
@ -410,23 +410,23 @@ define(`authlogin_modify_login_failure_records_depend',`
####################################### #######################################
# #
# authlogin_modify_last_login_log(domain) # auth_rw_lastlog(domain)
# #
define(`authlogin_modify_last_login_log',` define(`auth_rw_lastlog',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
logging_search_system_log_directory($1) logging_search_logs($1)
allow $1 lastlog_t:file { getattr read write setattr }; allow $1 lastlog_t:file { getattr read write setattr };
') ')
define(`authlogin_modify_last_login_log_depend',` define(`auth_rw_lastlog_depend',`
type lastlog_t; type lastlog_t;
class file { getattr read write setattr }; class file { getattr read write setattr };
') ')
######################################## ########################################
## <interface name="authlogin_pam_transition"> ## <interface name="auth_domtrans_pam">
## <description> ## <description>
## Execute pam programs in the pam domain. ## Execute pam programs in the pam domain.
## </description> ## </description>
@ -435,7 +435,7 @@ define(`authlogin_modify_last_login_log_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`authlogin_pam_transition',` define(`auth_domtrans_pam',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1,pam_exec_t,pam_t) domain_auto_trans($1,pam_exec_t,pam_t)
@ -446,7 +446,7 @@ define(`authlogin_pam_transition',`
allow pam_t $1:process sigchld; allow pam_t $1:process sigchld;
') ')
define(`authlogin_pam_transition_depend',` define(`auth_domtrans_pam_depend',`
type pam_t, pam_exec_t; type pam_t, pam_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -456,7 +456,7 @@ define(`authlogin_pam_transition_depend',`
') ')
######################################## ########################################
## <interface name="authlogin_pam_transition_add_role_use_terminal"> ## <interface name="auth_run_pam">
## <description> ## <description>
## Execute pam programs in the PAM domain. ## Execute pam programs in the PAM domain.
## </description> ## </description>
@ -471,22 +471,22 @@ define(`authlogin_pam_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`authlogin_pam_transition_add_role_use_terminal',` define(`auth_run_pam',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
authlogin_pam_transition($1) auth_domtrans_pam($1)
role $2 types pam_t; role $2 types pam_t;
allow pam_t $3:chr_file rw_file_perms; allow pam_t $3:chr_file rw_file_perms;
') ')
define(`authlogin_pam_transition_add_role_use_terminal_depend',` define(`auth_run_pam_depend',`
type pam_t; type pam_t;
class chr_file rw_file_perms; class chr_file rw_file_perms;
') ')
######################################## ########################################
## <interface name="authlogin_pam_execute"> ## <interface name="auth_exec_pam">
## <description> ## <description>
## ##
## </description> ## </description>
@ -500,15 +500,15 @@ define(`authlogin_pam_transition_add_role_use_terminal_depend',`
# #
####################################### #######################################
# #
# authlogin_pam_execute(domain) # auth_exec_pam(domain)
# #
define(`authlogin_pam_execute',` define(`auth_exec_pam',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,pam_exec_t) can_exec($1,pam_exec_t)
') ')
define(`authlogin_pam_execute_depend',` define(`auth_exec_pam_depend',`
type pam_exec_t; type pam_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
@ -516,18 +516,18 @@ define(`authlogin_pam_execute_depend',`
####################################### #######################################
# #
# authlogin_pam_read_runtime_data(domain) # auth_read_pam_pid(domain)
# #
define(`authlogin_pam_read_runtime_data',` define(`auth_read_pam_pid',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1) files_search_var($1)
files_search_runtime_data_directory($1) files_search_pids($1)
allow $1 pam_var_run_t:dir r_dir_perms; allow $1 pam_var_run_t:dir r_dir_perms;
allow $1 pam_var_run_t:file r_file_perms; allow $1 pam_var_run_t:file r_file_perms;
') ')
define(`authlogin_pam_read_runtime_data_depend',` define(`auth_read_pam_pid_depend',`
type pam_var_run_t; type pam_var_run_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -535,7 +535,7 @@ define(`authlogin_pam_read_runtime_data_depend',`
') ')
######################################## ########################################
## <interface name="authlogin_pam_remove_runtime_data"> ## <interface name="auth_delete_pam_pid">
## <description> ## <description>
## ##
## </description> ## </description>
@ -549,18 +549,18 @@ define(`authlogin_pam_read_runtime_data_depend',`
# #
####################################### #######################################
# #
# authlogin_pam_remove_runtime_data(domain) # auth_delete_pam_pid(domain)
# #
define(`authlogin_pam_remove_runtime_data',` define(`auth_delete_pam_pid',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1) files_search_var($1)
files_search_runtime_data_directory($1) files_search_pids($1)
allow $1 pam_var_run_t:dir { getattr search read write remove_name }; allow $1 pam_var_run_t:dir { getattr search read write remove_name };
allow $1 pam_var_run_t:file { getattr unlink }; allow $1 pam_var_run_t:file { getattr unlink };
') ')
define(`authlogin_pam_remove_runtime_data_depend',` define(`auth_delete_pam_pid_depend',`
type pam_var_run_t; type pam_var_run_t;
class dir { getattr search read write remove_name }; class dir { getattr search read write remove_name };
@ -569,9 +569,9 @@ define(`authlogin_pam_remove_runtime_data_depend',`
####################################### #######################################
# #
# authlogin_pam_console_transition(domain) # auth_domtrans_pam_console(domain)
# #
define(`authlogin_pam_console_transition',` define(`auth_domtrans_pam_console',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1,pam_console_exec_t,pam_console_t) domain_auto_trans($1,pam_console_exec_t,pam_console_t)
@ -582,7 +582,7 @@ define(`authlogin_pam_console_transition',`
allow pam_console_t $1:process sigchld; allow pam_console_t $1:process sigchld;
') ')
define(`authlogin_pam_console_transition_depend',` define(`auth_domtrans_pam_console_depend',`
type pam_console_t, pam_console_exec_t; type pam_console_t, pam_console_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -592,7 +592,7 @@ define(`authlogin_pam_console_transition_depend',`
') ')
######################################## ########################################
## <interface name="authlogin_pam_console_read_runtime_data_dir"> ## <interface name="auth_list_pam_console_data">
## <description> ## <description>
## ##
## </description> ## </description>
@ -606,17 +606,17 @@ define(`authlogin_pam_console_transition_depend',`
# #
####################################### #######################################
# #
# authlogin_pam_console_read_runtime_data_dir(domain) # auth_list_pam_console_data(domain)
# #
define(`authlogin_pam_console_read_runtime_data_dir',` define(`auth_list_pam_console_data',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1) files_search_var($1)
files_search_runtime_data_directory($1) files_search_pids($1)
allow $1 pam_var_console_t:dir r_dir_perms; allow $1 pam_var_console_t:dir r_dir_perms;
') ')
define(`authlogin_pam_console_read_runtime_data_dir_depend',` define(`auth_list_pam_console_data_depend',`
type pam_var_console_t; type pam_var_console_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -624,18 +624,18 @@ define(`authlogin_pam_console_read_runtime_data_dir_depend',`
####################################### #######################################
# #
# authlogin_pam_console_read_runtime_data(domain) # auth_read_pam_console_data(domain)
# #
define(`authlogin_pam_console_read_runtime_data',` define(`auth_read_pam_console_data',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1) files_search_var($1)
files_search_runtime_data_directory($1) files_search_pids($1)
allow $1 pam_var_console_t:dir r_dir_perms; allow $1 pam_var_console_t:dir r_dir_perms;
allow $1 pam_var_console_t:file r_file_perms; allow $1 pam_var_console_t:file r_file_perms;
') ')
define(`authlogin_pam_console_read_runtime_data_depend',` define(`auth_read_pam_console_data_depend',`
type pam_var_console_t; type pam_var_console_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -644,19 +644,19 @@ define(`authlogin_pam_console_read_runtime_data_depend',`
####################################### #######################################
# #
# authlogin_pam_console_manage_runtime_data(domain) # auth_manage_pam_console_data(domain)
# #
define(`authlogin_pam_console_manage_runtime_data',` define(`auth_manage_pam_console_data',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1) files_search_var($1)
files_search_runtime_data_directory($1) files_search_pids($1)
allow $1 pam_var_console_t:dir rw_dir_perms; allow $1 pam_var_console_t:dir rw_dir_perms;
allow $1 pam_var_console_t:file create_file_perms; allow $1 pam_var_console_t:file create_file_perms;
allow $1 pam_var_console_t:lnk_file create_lnk_perms; allow $1 pam_var_console_t:lnk_file create_lnk_perms;
') ')
define(`authlogin_pam_console_manage_runtime_data_depend',` define(`auth_manage_pam_console_data_depend',`
type pam_var_console_t; type pam_var_console_t;
class dir rw_dir_perms; class dir rw_dir_perms;
@ -665,7 +665,7 @@ define(`authlogin_pam_console_manage_runtime_data_depend',`
') ')
######################################## ########################################
## <interface name="authlogin_relabel_all_files_except_shadow"> ## <interface name="auth_relabel_all_files_except_shadow">
## <description> ## <description>
## Relabel all files on the filesystem, except ## Relabel all files on the filesystem, except
## the shadow passwords and listed exceptions. ## the shadow passwords and listed exceptions.
@ -680,18 +680,18 @@ define(`authlogin_pam_console_manage_runtime_data_depend',`
## </interface> ## </interface>
# #
define(`authlogin_relabel_all_files_except_shadow',` define(`auth_relabel_all_files_except_shadow',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_relabel_all_files($1,$2 -shadow_t) files_relabel_all_files($1,$2 -shadow_t)
') ')
define(`authlogin_relabel_all_files_except_shadow_depend',` define(`auth_relabel_all_files_except_shadow_depend',`
type shadow_t; type shadow_t;
') ')
######################################## ########################################
## <interface name="authlogin_manage_all_files_except_shadow"> ## <interface name="auth_manage_all_files_except_shadow">
## <description> ## <description>
## Manage all files on the filesystem, except ## Manage all files on the filesystem, except
## the shadow passwords and listed exceptions. ## the shadow passwords and listed exceptions.
@ -706,18 +706,18 @@ define(`authlogin_relabel_all_files_except_shadow_depend',`
## </interface> ## </interface>
# #
define(`authlogin_manage_all_files_except_shadow',` define(`auth_manage_all_files_except_shadow',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_manage_all_files($1,$2 -shadow_t) files_manage_all_files($1,$2 -shadow_t)
') ')
define(`authlogin_manage_all_files_except_shadow_depend',` define(`auth_manage_all_files_except_shadow_depend',`
type shadow_t; type shadow_t;
') ')
######################################## ########################################
## <interface name="authlogin_utempter_transition"> ## <interface name="auth_domtrans_utempter">
## <description> ## <description>
## Execute utempter programs in the utempter domain. ## Execute utempter programs in the utempter domain.
## </description> ## </description>
@ -726,7 +726,7 @@ define(`authlogin_manage_all_files_except_shadow_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`authlogin_utempter_transition',` define(`auth_domtrans_utempter',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1,utempter_exec_t,utempter_t) domain_auto_trans($1,utempter_exec_t,utempter_t)
@ -737,7 +737,7 @@ define(`authlogin_utempter_transition',`
allow utempter_t $1:process sigchld; allow utempter_t $1:process sigchld;
') ')
define(`authlogin_utempter_transition_depend',` define(`auth_domtrans_utempter_depend',`
type utempter_t, utempter_exec_t; type utempter_t, utempter_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -747,7 +747,7 @@ define(`authlogin_utempter_transition_depend',`
') ')
######################################## ########################################
## <interface name="authlogin_utempter_transition_add_role_use_terminal"> ## <interface name="auth_run_utempter">
## <description> ## <description>
## Execute utempter programs in the utempter domain. ## Execute utempter programs in the utempter domain.
## </description> ## </description>
@ -762,22 +762,22 @@ define(`authlogin_utempter_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`authlogin_utempter_transition_add_role_use_terminal',` define(`auth_run_utempter',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
authlogin_utempter_transition($1) auth_domtrans_utempter($1)
role $2 types utempter_t; role $2 types utempter_t;
allow utempter_t $3:chr_file rw_file_perms; allow utempter_t $3:chr_file rw_file_perms;
') ')
define(`authlogin_utempter_transition_add_role_use_terminal_depend',` define(`auth_run_utempter_depend',`
type utempter_t; type utempter_t;
class chr_file rw_file_perms; class chr_file rw_file_perms;
') ')
######################################## ########################################
## <interface name="authlogin_read_login_records"> ## <interface name="auth_read_login_records">
## <description> ## <description>
## ##
## </description> ## </description>
@ -791,23 +791,23 @@ define(`authlogin_utempter_transition_add_role_use_terminal_depend',`
# #
####################################### #######################################
# #
# authlogin_read_login_records(domain) # auth_read_login_records(domain)
# #
define(`authlogin_read_login_records',` define(`auth_read_login_records',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
logging_search_system_log_directory($1) logging_search_logs($1)
allow $1 wtmp_t:file r_file_perms; allow $1 wtmp_t:file r_file_perms;
') ')
define(`authlogin_read_login_records_depend',` define(`auth_read_login_records_depend',`
type wtmp_t; type wtmp_t;
class file r_file_perms; class file r_file_perms;
') ')
######################################## ########################################
## <interface name="authlogin_ignore_write_login_records"> ## <interface name="auth_dontaudit_write_login_records">
## <description> ## <description>
## ##
## </description> ## </description>
@ -818,15 +818,15 @@ define(`authlogin_read_login_records_depend',`
# #
####################################### #######################################
# #
# authlogin_ignore_write_login_records(domain) # auth_dontaudit_write_login_records(domain)
# #
define(`authlogin_ignore_write_login_records',` define(`auth_dontaudit_write_login_records',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 wtmp_t:file write; dontaudit $1 wtmp_t:file write;
') ')
define(`authlogin_read_login_records_depend',` define(`auth_read_login_records_depend',`
type wtmp_t; type wtmp_t;
class file write; class file write;
@ -834,16 +834,16 @@ define(`authlogin_read_login_records_depend',`
####################################### #######################################
# #
# authlogin_modify_login_records(domain) # auth_rw_login_records(domain)
# #
define(`authlogin_modify_login_records',` define(`auth_rw_login_records',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 wtmp_t:file rw_file_perms; allow $1 wtmp_t:file rw_file_perms;
logging_search_system_log_directory($1) logging_search_logs($1)
') ')
define(`authlogin_modify_login_records_depend',` define(`auth_rw_login_records_depend',`
type wtmp_t; type wtmp_t;
class file rw_file_perms; class file rw_file_perms;
') ')


@ -11,59 +11,59 @@ attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords; attribute can_relabelto_shadow_passwords;
type chkpwd_exec_t; type chkpwd_exec_t;
files_make_file(chkpwd_exec_t) files_file_type(chkpwd_exec_t)
type faillog_t; type faillog_t;
logging_make_log_file(faillog_t) logging_log_file(faillog_t)
type lastlog_t; type lastlog_t;
logging_make_log_file(lastlog_t) logging_log_file(lastlog_t)
type login_exec_t; type login_exec_t;
files_make_file(login_exec_t) files_file_type(login_exec_t)
type pam_console_t; type pam_console_t;
type pam_console_exec_t; type pam_console_exec_t;
init_make_system_domain(pam_console_t,pam_console_exec_t) init_system_domain(pam_console_t,pam_console_exec_t)
role system_r types pam_console_t; role system_r types pam_console_t;
domain_make_entrypoint_file(pam_console_t,pam_console_exec_t) domain_entry_file(pam_console_t,pam_console_exec_t)
type pam_t; #, nscd_client_domain; type pam_t; #, nscd_client_domain;
domain_make_domain(pam_t) domain_type(pam_t)
role system_r types pam_t; role system_r types pam_t;
type pam_exec_t; type pam_exec_t;
domain_make_entrypoint_file(pam_t,pam_exec_t) domain_entry_file(pam_t,pam_exec_t)
type pam_tmp_t; type pam_tmp_t;
files_make_temporary_file(pam_tmp_t) files_tmp_file(pam_tmp_t)
type pam_var_console_t; #, nscd_client_domain type pam_var_console_t; #, nscd_client_domain
files_make_file(pam_var_console_t) files_file_type(pam_var_console_t)
type pam_var_run_t; type pam_var_run_t;
files_make_daemon_runtime_file(pam_var_run_t) files_pid_file(pam_var_run_t)
type shadow_t; type shadow_t;
files_make_file(shadow_t) files_file_type(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain; type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
domain_make_domain(system_chkpwd_t) domain_type(system_chkpwd_t)
domain_make_entrypoint_file(system_chkpwd_t,chkpwd_exec_t) domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
role system_r types system_chkpwd_t; role system_r types system_chkpwd_t;
type utempter_t; #, nscd_client_domain; type utempter_t; #, nscd_client_domain;
domain_make_domain(utempter_t) domain_type(utempter_t)
type utempter_exec_t; type utempter_exec_t;
domain_make_entrypoint_file(utempter_t,utempter_exec_t) domain_entry_file(utempter_t,utempter_exec_t)
type wtmp_t; type wtmp_t;
logging_make_log_file(wtmp_t) logging_log_file(wtmp_t)
######################################## ########################################
# #
@ -89,27 +89,27 @@ allow pam_t pam_var_run_t:file { getattr read unlink };
allow pam_t pam_tmp_t:dir create_dir_perms; allow pam_t pam_tmp_t:dir create_dir_perms;
allow pam_t pam_tmp_t:file create_file_perms; allow pam_t pam_tmp_t:file create_file_perms;
files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir }) files_create_tmp_files(pam_t, pam_tmp_t, { file dir })
kernel_read_system_state(pam_t) kernel_read_system_state(pam_t)
term_use_all_user_ttys(pam_t) term_use_all_user_ttys(pam_t)
term_use_all_user_ptys(pam_t) term_use_all_user_ptys(pam_t)
init_script_ignore_modify_runtime_data(pam_t) init_dontaudit_rw_script_pid(pam_t)
files_read_general_system_config(pam_t) files_read_generic_etc_files(pam_t)
files_read_runtime_data_directory(pam_t) files_list_pids(pam_t)
libraries_use_dynamic_loader(pam_t) libs_use_ld_so(pam_t)
libraries_use_shared_libraries(pam_t) libs_use_shared_libs(pam_t)
logging_send_system_log_message(pam_t) logging_send_syslog_msg(pam_t)
userdomain_use_all_unprivileged_users_file_descriptors(pam_t) userdom_use_unpriv_users_fd(pam_t)
optional_policy(`locallogin.te',` optional_policy(`locallogin.te',`
locallogin_use_file_descriptors(pam_t) locallogin_use_fd(pam_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
@ -151,38 +151,38 @@ term_use_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t) term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t) term_setattr_unallocated_ttys(pam_console_t)
init_use_file_descriptors(pam_console_t) init_use_fd(pam_console_t)
init_use_file_descriptors(pam_console_t) init_use_fd(pam_console_t)
init_script_use_pseudoterminal(pam_console_t) init_use_script_pty(pam_console_t)
domain_use_widely_inheritable_file_descriptors(pam_console_t) domain_use_wide_inherit_fd(pam_console_t)
files_read_general_system_config(pam_console_t) files_read_generic_etc_files(pam_console_t)
files_search_runtime_data_directory(pam_console_t) files_search_pids(pam_console_t)
files_read_mnt_dir(pam_console_t) files_list_mnt(pam_console_t)
libraries_use_dynamic_loader(pam_console_t) libs_use_ld_so(pam_console_t)
libraries_use_shared_libraries(pam_console_t) libs_use_shared_libs(pam_console_t)
logging_send_system_log_message(pam_console_t) logging_send_syslog_msg(pam_console_t)
selinux_read_file_contexts(pam_console_t) selinux_read_file_contexts(pam_console_t)
userdomain_ignore_use_all_unprivileged_users_file_descriptors(pam_console_t) userdom_dontaudit_use_unpriv_user_fd(pam_console_t)
ifdef(`direct_sysadm_daemon', ` ifdef(`direct_sysadm_daemon', `
userdomain_dontaudit_use_admin_terminals(pam_console_t) userdom_dontaudit_use_sysadm_terms(pam_console_t)
') ')
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(pam_console_t) term_dontaudit_use_unallocated_tty(pam_console_t)
terminal_ignore_use_general_pseudoterminal(pam_console_t) terminal_ignore_use_general_pseudoterminal(pam_console_t)
files_ignore_read_rootfs_file(pam_console_t) files_dontaudit_read_root_file(pam_console_t)
') ')
optional_policy(`hotplug.te', ` optional_policy(`hotplug.te', `
hotplug_use_file_descriptors(pam_console_t) hotplug_use_fd(pam_console_t)
hotplug_ignore_search_config_directory(pam_console_t) hotplug_dontaudit_search_config(pam_console_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
@ -190,7 +190,7 @@ selinux_newrole_sigchld(pam_console_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_read_database(pam_console_t) udev_read_db(pam_console_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
@ -240,14 +240,14 @@ fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
term_use_unallocated_tty(system_chkpwd_t) term_use_unallocated_tty(system_chkpwd_t)
files_read_general_system_config(system_chkpwd_t) files_read_generic_etc_files(system_chkpwd_t)
# for nscd # for nscd
files_ignore_search_system_state_data_directory(system_chkpwd_t) files_dontaudit_search_var(system_chkpwd_t)
libraries_use_dynamic_loader(system_chkpwd_t) libs_use_ld_so(system_chkpwd_t)
libraries_use_shared_libraries(system_chkpwd_t) libs_use_shared_libs(system_chkpwd_t)
logging_send_system_log_message(system_chkpwd_t) logging_send_syslog_msg(system_chkpwd_t)
miscfiles_read_localization(system_chkpwd_t) miscfiles_read_localization(system_chkpwd_t)
@ -261,7 +261,7 @@ tunable_policy(`use_dns',`
corenet_raw_sendrecv_all_nodes(system_chkpwd_t) corenet_raw_sendrecv_all_nodes(system_chkpwd_t)
corenet_udp_bind_all_nodes(system_chkpwd_t) corenet_udp_bind_all_nodes(system_chkpwd_t)
corenet_udp_sendrecv_dns_port(system_chkpwd_t) corenet_udp_sendrecv_dns_port(system_chkpwd_t)
sysnetwork_read_network_config(system_chkpwd_t) sysnet_read_config(system_chkpwd_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
@ -288,16 +288,16 @@ term_dontaudit_use_all_user_ttys(utempter_t)
term_dontaudit_use_all_user_ptys(utempter_t) term_dontaudit_use_all_user_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t) term_dontaudit_use_ptmx(utempter_t)
init_script_modify_runtime_data(utempter_t) init_rw_script_pid(utempter_t)
files_read_general_system_config(utempter_t) files_read_generic_etc_files(utempter_t)
domain_use_widely_inheritable_file_descriptors(utempter_t) domain_use_wide_inherit_fd(utempter_t)
libraries_use_dynamic_loader(utempter_t) libs_use_ld_so(utempter_t)
libraries_use_shared_libraries(utempter_t) libs_use_shared_libs(utempter_t)
logging_search_system_log_directory(utempter_t) logging_search_logs(utempter_t)
ifdef(`TODO',` ifdef(`TODO',`
# Allow utemper to write to /tmp/.xses-* # Allow utemper to write to /tmp/.xses-*
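Review bot: `terminal_ignore_use_general_pseudoterminal(pam_console_t)` inside the `ifdef(`targeted_policy', ...)` block is still in the pre-rename naming scheme, while its neighbours in the same block were moved to `term_dontaudit_*` and `files_dontaudit_*`; the same leftover appears as `terminal_ignore_use_general_pseudoterminal(hwclock_t)` in the clock.te section below. If the terminal module's interfaces were renamed in this commit as well, this call is now an undefined m4 macro that m4 passes through verbatim into the generated policy, and since it sits under `targeted_policy` the resulting checkpolicy failure would only surface in a targeted build rather than the default one. The terminal interface file is not visible from here, so this should be checked against the renamed interface list and replaced with the new name, e.g. `term_dontaudit_<NEW_NAME>(pam_console_t)` (placeholder). Separately, `init_use_fd(pam_console_t)` is emitted twice on consecutive lines earlier in this section; the second occurrence is redundant and can be dropped.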


@ -2,7 +2,7 @@
## <summary>Policy for reading and setting the hardware clock.</summary> ## <summary>Policy for reading and setting the hardware clock.</summary>
######################################## ########################################
## <interface name="clock_transition"> ## <interface name="clock_domtrans">
## <description> ## <description>
## Execute hwclock in the clock domain. ## Execute hwclock in the clock domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`clock_transition',` define(`clock_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1,hwclock_exec_t,hwclock_t) domain_auto_trans($1,hwclock_exec_t,hwclock_t)
@ -22,7 +22,7 @@ define(`clock_transition',`
allow hwclock_t $1:process sigchld; allow hwclock_t $1:process sigchld;
') ')
define(`clock_transition_depend',` define(`clock_domtrans_depend',`
type hwclock_t, hwclock_exec_t; type hwclock_t, hwclock_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -32,7 +32,7 @@ define(`clock_transition_depend',`
') ')
######################################## ########################################
## <interface name="clock_transition_add_role_use_terminal"> ## <interface name="clock_run">
## <description> ## <description>
## Execute hwclock in the clock domain, and ## Execute hwclock in the clock domain, and
## allow the specified role the hwclock domain. ## allow the specified role the hwclock domain.
@ -48,22 +48,22 @@ define(`clock_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`clock_transition_add_role_use_terminal',` define(`clock_run',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
clock_transition($1) clock_domtrans($1)
role $2 types hwclock_t; role $2 types hwclock_t;
allow hwclock_t $3:chr_file { getattr read write ioctl }; allow hwclock_t $3:chr_file { getattr read write ioctl };
') ')
define(`clock_transition_add_role_use_terminal_depend',` define(`clock_run_depend',`
type hwclock_t; type hwclock_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
') ')
######################################## ########################################
## <interface name="clock_execute"> ## <interface name="clock_exec">
## <description> ## <description>
## Execute hwclock ## Execute hwclock
## </description> ## </description>
@ -72,20 +72,20 @@ define(`clock_transition_add_role_use_terminal_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`clock_execute',` define(`clock_exec',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,hwclock_exec_t) can_exec($1,hwclock_exec_t)
') ')
define(`clock_execute_depend',` define(`clock_exec_depend',`
type hwclock_exec_t; type hwclock_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
') ')
######################################## ########################################
## <interface name="clock_modify_drift_records"> ## <interface name="clock_rw_adjtime">
## <description> ## <description>
## Allow executing domain to modify clock drift ## Allow executing domain to modify clock drift
## </description> ## </description>
@ -94,14 +94,14 @@ define(`clock_execute_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`clock_modify_drift_records',` define(`clock_rw_adjtime',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 adjtime_t:file rw_file_perms; allow $1 adjtime_t:file rw_file_perms;
files_read_general_system_config_directory($1) files_read_generic_etc_files_directory($1)
') ')
define(`clock_modify_drift_records_depend',` define(`clock_rw_adjtime_depend',`
type adjtime_t; type adjtime_t;
class file rw_file_perms; class file rw_file_perms;


@ -7,11 +7,11 @@ policy_module(clock,1.0)
# #
type adjtime_t; type adjtime_t;
files_make_file(adjtime_t) files_file_type(adjtime_t)
type hwclock_t; type hwclock_t;
type hwclock_exec_t; type hwclock_exec_t;
init_make_system_domain(hwclock_t,hwclock_exec_t) init_system_domain(hwclock_t,hwclock_exec_t)
role system_r types hwclock_t; role system_r types hwclock_t;
######################################## ########################################
@ -41,26 +41,26 @@ term_use_unallocated_tty(hwclock_t)
term_use_all_user_ttys(hwclock_t) term_use_all_user_ttys(hwclock_t)
term_use_all_user_ptys(hwclock_t) term_use_all_user_ptys(hwclock_t)
init_use_file_descriptors(hwclock_t) init_use_fd(hwclock_t)
init_script_use_pseudoterminal(hwclock_t) init_use_script_pty(hwclock_t)
domain_use_widely_inheritable_file_descriptors(hwclock_t) domain_use_wide_inherit_fd(hwclock_t)
files_read_general_system_config_directory(hwclock_t) files_read_generic_etc_files_directory(hwclock_t)
# for when /usr is not mounted: # for when /usr is not mounted:
files_ignore_search_isid_type_dir(hwclock_t) files_dontaudit_search_isid_type_dir(hwclock_t)
libraries_use_dynamic_loader(hwclock_t) libs_use_ld_so(hwclock_t)
libraries_use_shared_libraries(hwclock_t) libs_use_shared_libs(hwclock_t)
logging_send_system_log_message(hwclock_t) logging_send_syslog_msg(hwclock_t)
miscfiles_read_localization(hwclock_t) miscfiles_read_localization(hwclock_t)
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(hwclock_t) term_dontaudit_use_unallocated_tty(hwclock_t)
terminal_ignore_use_general_pseudoterminal(hwclock_t) terminal_ignore_use_general_pseudoterminal(hwclock_t)
files_ignore_read_rootfs_file(hwclock_t) files_dontaudit_read_root_file(hwclock_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
@ -68,11 +68,11 @@ optional_policy(`selinux.te',`
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_read_database(hwclock_t) udev_read_db(hwclock_t)
') ')
optional_policy(`userdomain.te',` optional_policy(`userdomain.te',`
userdomain_ignore_use_all_unprivileged_users_file_descriptors(hwclock_t) userdom_dontaudit_use_unpriv_user_fd(hwclock_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`


@ -6,29 +6,29 @@
####################################### #######################################
# #
# corecommands_make_shell_entrypoint(domain) # corecmd_shell_entry_type(domain)
# #
define(`corecommands_make_shell_entrypoint',` define(`corecmd_shell_entry_type',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_make_entrypoint_file($1,shell_exec_t) domain_entry_file($1,shell_exec_t)
') ')
define(`corecommands_make_shell_entrypoint_depend',` define(`corecmd_shell_entry_type_depend',`
type shell_exec_t; type shell_exec_t;
') ')
######################################## ########################################
# #
# corecommands_search_general_programs_directory(domain) # corecmd_search_bin(domain)
# #
define(`corecommands_search_general_programs_directory',` define(`corecmd_search_bin',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 bin_t:dir search; allow $1 bin_t:dir search;
') ')
define(`corecommands_search_general_programs_directory_depend',` define(`corecmd_search_bin_depend',`
type bin_t; type bin_t;
class dir search; class dir search;
@ -36,15 +36,15 @@ define(`corecommands_search_general_programs_directory_depend',`
######################################## ########################################
# #
# corecommands_read_general_programs_directory(domain) # corecmd_list_bin(domain)
# #
define(`corecommands_read_general_programs_directory',` define(`corecmd_list_bin',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:dir r_dir_perms;
') ')
define(`corecommands_read_general_programs_directory_depend',` define(`corecmd_list_bin_depend',`
type bin_t; type bin_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -52,9 +52,9 @@ define(`corecommands_read_general_programs_directory_depend',`
######################################## ########################################
# #
# corecommands_execute_general_programs(domain) # corecmd_exec_bin(domain)
# #
define(`corecommands_execute_general_programs',` define(`corecmd_exec_bin',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:dir r_dir_perms;
@ -63,7 +63,7 @@ define(`corecommands_execute_general_programs',`
') ')
define(`corecommands_execute_general_programs_depend',` define(`corecmd_exec_bin_depend',`
type bin_t; type bin_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -73,15 +73,15 @@ define(`corecommands_execute_general_programs_depend',`
######################################## ########################################
# #
# corecommands_search_system_programs_directory(domain) # corecmd_search_sbin(domain)
# #
define(`corecommands_search_system_programs_directory',` define(`corecmd_search_sbin',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 sbin_t:dir search; allow $1 sbin_t:dir search;
') ')
define(`corecommands_search_system_programs_directory_depend',` define(`corecmd_search_sbin_depend',`
type sbin_t; type sbin_t;
class dir search; class dir search;
@ -89,15 +89,15 @@ define(`corecommands_search_system_programs_directory_depend',`
######################################## ########################################
# #
# corecommands_read_system_programs_directory(domain) # corecmd_list_sbin(domain)
# #
define(`corecommands_read_system_programs_directory',` define(`corecmd_list_sbin',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 sbin_t:dir r_dir_perms; allow $1 sbin_t:dir r_dir_perms;
') ')
define(`corecommands_read_system_programs_directory_depend',` define(`corecmd_list_sbin_depend',`
type sbin_t; type sbin_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -105,15 +105,15 @@ define(`corecommands_read_system_programs_directory_depend',`
######################################## ########################################
# #
# corecommands_ignore_get_system_programs_attributes(domain) # corecmd_dontaudit_getattr_sbin_file(domain)
# #
define(`corecommands_ignore_get_system_programs_attributes',` define(`corecmd_dontaudit_getattr_sbin_file',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 sbin_t:file getattr; allow $1 sbin_t:file getattr;
') ')
define(`corecommands_ignore_get_system_programs_attributes_depend',` define(`corecmd_dontaudit_getattr_sbin_file_depend',`
type sbin_t; type sbin_t;
class file getattr; class file getattr;
@ -121,9 +121,9 @@ define(`corecommands_ignore_get_system_programs_attributes_depend',`
######################################## ########################################
# #
# corecommands_execute_system_programs(domain) # corecmd_exec_sbin(domain)
# #
define(`corecommands_execute_system_programs',` define(`corecmd_exec_sbin',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 sbin_t:dir r_dir_perms; allow $1 sbin_t:dir r_dir_perms;
@ -132,7 +132,7 @@ define(`corecommands_execute_system_programs',`
') ')
define(`corecommands_execute_system_programs_depend',` define(`corecmd_exec_sbin_depend',`
type sbin_t; type sbin_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -142,9 +142,9 @@ define(`corecommands_execute_system_programs_depend',`
######################################## ########################################
# #
# corecommands_execute_shell(domain) # corecmd_exec_shell(domain)
# #
define(`corecommands_execute_shell',` define(`corecmd_exec_shell',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:dir r_dir_perms;
@ -152,7 +152,7 @@ define(`corecommands_execute_shell',`
can_exec($1,shell_exec_t) can_exec($1,shell_exec_t)
') ')
define(`corecommands_execute_shell_depend',` define(`corecmd_exec_shell_depend',`
type bin_t, shell_exec_t; type bin_t, shell_exec_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -162,9 +162,9 @@ define(`corecommands_execute_shell_depend',`
######################################## ########################################
# #
# corecommands_execute_ls(domain) # corecmd_exec_ls(domain)
# #
define(`corecommands_execute_ls',` define(`corecmd_exec_ls',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:dir r_dir_perms;
@ -172,7 +172,7 @@ define(`corecommands_execute_ls',`
can_exec($1,ls_exec_t) can_exec($1,ls_exec_t)
') ')
define(`corecommands_execute_shell_depend',` define(`corecmd_exec_shell_depend',`
type bin_t, ls_exec_t; type bin_t, ls_exec_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -181,7 +181,7 @@ define(`corecommands_execute_shell_depend',`
') ')
######################################## ########################################
## <interface name="corecommands_shell_explicit_transition"> ## <interface name="corecmd_shell_spec_domtrans">
## <description> ## <description>
## Execute a shell in the target domain. This ## Execute a shell in the target domain. This
## is an explicit transition, requiring the ## is an explicit transition, requiring the
@ -195,7 +195,7 @@ define(`corecommands_execute_shell_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`corecommands_shell_explicit_transition',` define(`corecmd_shell_spec_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 bin_t:dir r_dir_perms; allow $1 bin_t:dir r_dir_perms;
@ -209,7 +209,7 @@ define(`corecommands_shell_explicit_transition',`
allow $2 $1:process sigchld; allow $2 $1:process sigchld;
') ')
define(`corecommands_shell_explicit_transition_depend',` define(`corecmd_shell_spec_domtrans_depend',`
type bin_t, shell_exec_t; type bin_t, shell_exec_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -221,7 +221,7 @@ define(`corecommands_shell_explicit_transition_depend',`
') ')
######################################## ########################################
## <interface name="corecommands_shell_transition"> ## <interface name="corecmd_domtrans_shell">
## <description> ## <description>
## Execute a shell in the target domain. ## Execute a shell in the target domain.
## </description> ## </description>
@ -233,29 +233,29 @@ define(`corecommands_shell_explicit_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`corecommands_shell_transition',` define(`corecmd_domtrans_shell',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
corecommands_shell_explicit_transition($1,$2) corecmd_shell_spec_domtrans($1,$2)
type_transition $1 shell_exec_t:process $2; type_transition $1 shell_exec_t:process $2;
') ')
define(`corecommands_shell_transition_depend',` define(`corecmd_domtrans_shell_depend',`
type shell_exec_t; type shell_exec_t;
') ')
######################################## ########################################
# #
# corecommands_chroot(domain) # corecmd_chroot_exec_chroot(domain)
# #
define(`corecommands_chroot',` define(`corecmd_chroot_exec_chroot',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 chroot_exec_t:file { getattr read execute execute_no_trans }; allow $1 chroot_exec_t:file { getattr read execute execute_no_trans };
allow $1 self:capability sys_chroot; allow $1 self:capability sys_chroot;
') ')
define(`corecommands_chroot_depend',` define(`corecmd_chroot_exec_chroot_depend',`
type chroot_exec_t; type chroot_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };


@ -5,25 +5,25 @@ policy_module(corecommands,1.0)
# bin_t is the type of files in the system bin directories. # bin_t is the type of files in the system bin directories.
# #
type bin_t; type bin_t;
files_make_file(bin_t) files_file_type(bin_t)
# #
# sbin_t is the type of files in the system sbin directories. # sbin_t is the type of files in the system sbin directories.
# #
type sbin_t; type sbin_t;
files_make_file(sbin_t) files_file_type(sbin_t)
# #
# ls_exec_t is the type of the ls program. # ls_exec_t is the type of the ls program.
# #
type ls_exec_t; type ls_exec_t;
files_make_file(ls_exec_t) files_file_type(ls_exec_t)
# #
# shell_exec_t is the type of user shells such as /bin/bash. # shell_exec_t is the type of user shells such as /bin/bash.
# #
type shell_exec_t; type shell_exec_t;
files_make_file(shell_exec_t) files_file_type(shell_exec_t)
type chroot_exec_t; type chroot_exec_t;
files_make_file(chroot_exec_t) files_file_type(chroot_exec_t)


@ -3,9 +3,9 @@
######################################## ########################################
# #
# domain_make_base_domain(domain) # domain_base_domain_type(domain)
# #
define(`domain_make_base_domain',` define(`domain_base_domain_type',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
# mark as a domain # mark as a domain
@ -19,7 +19,7 @@ define(`domain_make_base_domain',`
allow $1 self:process { fork sigchld }; allow $1 self:process { fork sigchld };
') ')
define(`domain_make_base_domain_depend',` define(`domain_base_domain_type_depend',`
attribute domain; attribute domain;
class dir r_dir_perms; class dir r_dir_perms;
@ -29,11 +29,11 @@ define(`domain_make_base_domain_depend',`
######################################## ########################################
# #
# domain_make_domain(domain) # domain_type(domain)
# #
define(`domain_make_domain',` define(`domain_type',`
# start with basic domain # start with basic domain
domain_make_base_domain($1) domain_base_domain_type($1)
# Use trusted objects in /dev # Use trusted objects in /dev
dev_rw_null_dev($1) dev_rw_null_dev($1)
@ -41,31 +41,31 @@ define(`domain_make_domain',`
term_use_controlling_term($1) term_use_controlling_term($1)
# read the root directory # read the root directory
files_read_root_dir($1) files_list_root($1)
# send init a sigchld # send init a sigchld
init_sigchld($1) init_sigchld($1)
# this seems highly questionable: # this seems highly questionable:
optional_policy(`rpm.te',` optional_policy(`rpm.te',`
rpm_use_file_descriptors($1) rpm_use_fd($1)
rpm_read_pipe($1) rpm_read_pipe($1)
') ')
') ')
######################################## ########################################
# #
# domain_make_entrypoint_file(domain,entrypointfile) # domain_entry_file(domain,entrypointfile)
# #
define(`domain_make_entrypoint_file',` define(`domain_entry_file',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_make_file($2) files_file_type($2)
allow $1 $2:file entrypoint; allow $1 $2:file entrypoint;
typeattribute $2 entry_type; typeattribute $2 entry_type;
') ')
define(`domain_make_entrypoint_file_depend',` define(`domain_entry_file_depend',`
attribute entry_type; attribute entry_type;
class file entrypoint; class file entrypoint;
@ -73,29 +73,29 @@ define(`domain_make_entrypoint_file_depend',`
######################################## ########################################
# #
# domain_make_file_descriptors_widely_inheritable(domain) # domain_wide_inherit_fd(domain)
# #
define(`domain_make_file_descriptors_widely_inheritable',` define(`domain_wide_inherit_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
typeattribute $1 privfd; typeattribute $1 privfd;
') ')
define(`domain_make_file_descriptors_widely_inheritable_depend',` define(`domain_wide_inherit_fd_depend',`
attribute privfd; attribute privfd;
') ')
######################################## ########################################
# #
# domain_use_widely_inheritable_file_descriptors(domain) # domain_use_wide_inherit_fd(domain)
# #
define(`domain_use_widely_inheritable_file_descriptors',` define(`domain_use_wide_inherit_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 privfd:fd use; allow $1 privfd:fd use;
') ')
define(`domain_use_widely_inheritable_file_descriptors_depend',` define(`domain_use_wide_inherit_fd_depend',`
attribute privfd; attribute privfd;
class fd use; class fd use;
@ -103,15 +103,15 @@ define(`domain_use_widely_inheritable_file_descriptors_depend',`
######################################## ########################################
# #
# domain_ignore_use_widely_inheritable_file_descriptors(domain) # domain_dontaudit_use_wide_inherit_fd(domain)
# #
define(`domain_ignore_use_widely_inheritable_file_descriptors',` define(`domain_dontaudit_use_wide_inherit_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 privfd:fd use; dontaudit $1 privfd:fd use;
') ')
define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',` define(`domain_dontaudit_use_wide_inherit_fd_depend',`
attribute privfd; attribute privfd;
class fd use; class fd use;
@ -119,15 +119,15 @@ define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
######################################## ########################################
# #
# domain_set_all_domains_priorities(domain) # domain_setpriority_all_domains(domain)
# #
define(`domain_set_all_domains_priorities',` define(`domain_setpriority_all_domains',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 domain:process setsched; allow $1 domain:process setsched;
') ')
define(`domain_set_all_domains_priorities_depend',` define(`domain_setpriority_all_domains_depend',`
attribute domain; attribute domain;
class process setsched; class process setsched;
@ -246,7 +246,7 @@ define(`domain_kill_all_domains_depend',`
') ')
######################################## ########################################
## <interface name="domain_read_all_domains_process_state"> ## <interface name="domain_read_all_domains_state">
## <description> ## <description>
## Read the process state (/proc/pid) of all domains. ## Read the process state (/proc/pid) of all domains.
## </description> ## </description>
@ -255,7 +255,7 @@ define(`domain_kill_all_domains_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`domain_read_all_domains_process_state',` define(`domain_read_all_domains_state',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 domain:dir r_dir_perms; allow $1 domain:dir r_dir_perms;
@ -270,7 +270,7 @@ define(`domain_read_all_domains_process_state',`
dontaudit $1 domain:process ptrace; dontaudit $1 domain:process ptrace;
') ')
define(`domain_read_all_domains_process_state_depend',` define(`domain_read_all_domains_state_depend',`
attribute domain; attribute domain;
class dir r_dir_perms; class dir r_dir_perms;
@ -280,7 +280,7 @@ define(`domain_read_all_domains_process_state_depend',`
') ')
######################################## ########################################
## <interface name="domain_ignore_read_all_domains_process_dirs"> ## <interface name="domain_dontaudit_list_all_domains_proc">
## <description> ## <description>
## Do not audit attempts to read the process state ## Do not audit attempts to read the process state
## directories of all domains. ## directories of all domains.
@ -290,13 +290,13 @@ define(`domain_read_all_domains_process_state_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`domain_ignore_read_all_domains_process_dirs',` define(`domain_dontaudit_list_all_domains_proc',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 domain:dir r_dir_perms; dontaudit $1 domain:dir r_dir_perms;
') ')
define(`domain_ignore_read_all_domains_process_dirs_depend',` define(`domain_dontaudit_list_all_domains_proc_depend',`
attribute domain; attribute domain;
class dir r_dir_perms; class dir r_dir_perms;
@ -304,7 +304,7 @@ define(`domain_ignore_read_all_domains_process_dirs_depend',`
######################################## ########################################
## <interface name="domain_get_all_domains_session_id"> ## <interface name="domain_getsession_all_domains">
## <description> ## <description>
## Get the session ID of all domains. ## Get the session ID of all domains.
## </description> ## </description>
@ -313,20 +313,20 @@ define(`domain_ignore_read_all_domains_process_dirs_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`domain_get_all_domains_session_id',` define(`domain_getsession_all_domains',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 domain:process getsession; allow $1 domain:process getsession;
') ')
define(`domain_get_all_domains_session_id_depend',` define(`domain_getsession_all_domains_depend',`
attribute domain; attribute domain;
class process getsession; class process getsession;
') ')
######################################## ########################################
## <interface name="domain_ignore_get_all_domains_udp_socket_attributes"> ## <interface name="domain_dontaudit_getattr_all_udp_sockets">
## <description> ## <description>
## Do not audit attempts to get the attributes ## Do not audit attempts to get the attributes
## of all domains UDP sockets. ## of all domains UDP sockets.
@ -336,20 +336,20 @@ define(`domain_get_all_domains_session_id_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`domain_ignore_get_all_domains_udp_socket_attributes',` define(`domain_dontaudit_getattr_all_udp_sockets',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 domain:udp_socket getattr; dontaudit $1 domain:udp_socket getattr;
') ')
define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',` define(`domain_dontaudit_getattr_all_udp_sockets_depend',`
attribute domain; attribute domain;
class udp_socket getattr; class udp_socket getattr;
') ')
######################################## ########################################
## <interface name="domain_ignore_get_all_domains_tcp_socket_attributes"> ## <interface name="domain_dontaudit_getattr_all_tcp_sockets">
## <description> ## <description>
## Do not audit attempts to get the attributes ## Do not audit attempts to get the attributes
## of all domains TCP sockets. ## of all domains TCP sockets.
@ -359,20 +359,20 @@ define(`domain_ignore_get_all_domains_udp_socket_attributes_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`domain_ignore_get_all_domains_tcp_socket_attributes',` define(`domain_dontaudit_getattr_all_tcp_sockets',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 domain:tcp_socket getattr; dontaudit $1 domain:tcp_socket getattr;
') ')
define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',` define(`domain_dontaudit_getattr_all_tcp_sockets_depend',`
attribute domain; attribute domain;
class tcp_socket getattr; class tcp_socket getattr;
') ')
######################################## ########################################
## <interface name="domain_ignore_get_all_domains_unix_dgram_socket_attributes"> ## <interface name="domain_dontaudit_getattr_all_unix_dgram_sockets">
## <description> ## <description>
## Do not audit attempts to get the attributes ## Do not audit attempts to get the attributes
## of all domains unix datagram sockets. ## of all domains unix datagram sockets.
@ -382,20 +382,20 @@ define(`domain_ignore_get_all_domains_tcp_socket_attributes_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes',` define(`domain_dontaudit_getattr_all_unix_dgram_sockets',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 domain:unix_dgram_socket getattr; dontaudit $1 domain:unix_dgram_socket getattr;
') ')
define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',` define(`domain_dontaudit_getattr_all_unix_dgram_sockets_depend',`
attribute domain; attribute domain;
class unix_dgram_socket getattr; class unix_dgram_socket getattr;
') ')
######################################## ########################################
## <interface name="domain_ignore_get_all_domains_pipe_attributes"> ## <interface name="domain_dontaudit_getattr_all_unnamed_pipes">
## <description> ## <description>
## Do not audit attempts to get the attributes ## Do not audit attempts to get the attributes
## of all domains unnamed pipes. ## of all domains unnamed pipes.
@ -405,13 +405,13 @@ define(`domain_ignore_get_all_domains_unix_dgram_socket_attributes_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`domain_ignore_get_all_domains_pipe_attributes',` define(`domain_dontaudit_getattr_all_unnamed_pipes',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 domain:fifo_file getattr; dontaudit $1 domain:fifo_file getattr;
') ')
define(`domain_ignore_get_all_domains_pipe_attributes_depend',` define(`domain_dontaudit_getattr_all_unnamed_pipes_depend',`
attribute domain; attribute domain;
class fifo_file getattr; class fifo_file getattr;
@ -419,16 +419,16 @@ define(`domain_ignore_get_all_domains_pipe_attributes_depend',`
######################################## ########################################
# #
# domain_execute_all_entrypoint_programs(domain) # domain_exec_all_entry_files(domain)
# #
define(`domain_execute_all_entrypoint_programs',` define(`domain_exec_all_entry_files',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,entry_type) can_exec($1,entry_type)
') ')
define(`domain_execute_all_entrypoint_programs_depend',` define(`domain_exec_all_entry_files_depend',`
attribute entry_type; attribute entry_type;
class file { getattr read ioctl lock execute execute_no_trans }; class file { getattr read ioctl lock execute execute_no_trans };
@ -436,16 +436,16 @@ define(`domain_execute_all_entrypoint_programs_depend',`
######################################## ########################################
# #
# domain_read_all_entrypoint_programs(domain) # domain_read_all_entry_files(domain)
# #
define(`domain_read_all_entrypoint_programs',` define(`domain_read_all_entry_files',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 entry_type:lnk_file r_file_perms; allow $1 entry_type:lnk_file r_file_perms;
allow $1 entry_type:file r_file_perms; allow $1 entry_type:file r_file_perms;
') ')
define(`domain_read_all_entrypoint_programs_depend',` define(`domain_read_all_entry_files_depend',`
attribute entry_type; attribute entry_type;
class file r_file_perms; class file r_file_perms;


@ -2,7 +2,7 @@
## <summary>Policy for getty.</summary> ## <summary>Policy for getty.</summary>
######################################## ########################################
## <interface name="getty_transition"> ## <interface name="getty_domtrans">
## <description> ## <description>
## Execute gettys in the getty domain. ## Execute gettys in the getty domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`getty_transition',` define(`getty_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 getty_exec_t:file { getattr read execute }; allow $1 getty_exec_t:file { getattr read execute };
@ -25,7 +25,7 @@ define(`getty_transition',`
allow getty_t $1:process sigchld; allow getty_t $1:process sigchld;
') ')
define(`getty_transition_depend',` define(`getty_domtrans_depend',`
type getty_t, getty_exec_t; type getty_t, getty_exec_t;
class file { getattr read execute }; class file { getattr read execute };
@ -35,7 +35,7 @@ define(`getty_transition_depend',`
') ')
######################################## ########################################
## <interface name="getty_read_log_file"> ## <interface name="getty_read_log">
## <description> ## <description>
## Allow process to read getty log file. ## Allow process to read getty log file.
## </description> ## </description>
@ -44,20 +44,20 @@ define(`getty_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`getty_read_log_file',` define(`getty_read_log',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 getty_log_t:file { getattr read }; allow $1 getty_log_t:file { getattr read };
') ')
define(`getty_read_log_file_depend',` define(`getty_read_log_depend',`
type getty_log_t; type getty_log_t;
class file { getattr read }; class file { getattr read };
') ')
######################################## ########################################
## <interface name="getty_read_config_file"> ## <interface name="getty_read_config">
## <description> ## <description>
## Allow process to read getty config file. ## Allow process to read getty config file.
## </description> ## </description>
@ -66,20 +66,20 @@ define(`getty_read_log_file_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`getty_read_config_file',` define(`getty_read_config',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 getty_etc_t:file { getattr read }; allow $1 getty_etc_t:file { getattr read };
') ')
define(`getty_read_config_file_depend',` define(`getty_read_config_depend',`
type getty_etc_t; type getty_etc_t;
class file { getattr read }; class file { getattr read };
') ')
######################################## ########################################
## <interface name="getty_modify_config_file"> ## <interface name="getty_modify_config">
## <description> ## <description>
## Allow process to edit getty config file. ## Allow process to edit getty config file.
## </description> ## </description>
@ -88,13 +88,13 @@ define(`getty_read_config_file_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`getty_modify_config_file',` define(`getty_modify_config',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 getty_etc_t:file { getattr read write }; allow $1 getty_etc_t:file { getattr read write };
') ')
define(`getty_modify_config_file_depend',` define(`getty_modify_config_depend',`
type getty_etc_t; type getty_etc_t;
class file { getattr read write }; class file { getattr read write };


@ -8,17 +8,17 @@ policy_module(getty,1.0)
type getty_t; type getty_t;
type getty_exec_t; type getty_exec_t;
init_make_init_domain(getty_t,getty_exec_t) init_domain(getty_t,getty_exec_t)
domain_make_file_descriptors_widely_inheritable(getty_t) domain_wide_inherit_fd(getty_t)
type getty_etc_t; type getty_etc_t;
typealias getty_etc_t alias etc_getty_t; typealias getty_etc_t alias etc_getty_t;
type getty_log_t; type getty_log_t;
logging_make_log_file(getty_log_t) logging_log_file(getty_log_t)
type getty_tmp_t; type getty_tmp_t;
files_make_temporary_file(getty_tmp_t) files_tmp_file(getty_tmp_t)
######################################## ########################################
# #
@ -34,11 +34,11 @@ allow getty_t self:process { getpgid getsession };
allow getty_t getty_etc_t:dir r_dir_perms; allow getty_t getty_etc_t:dir r_dir_perms;
allow getty_t getty_etc_t:file r_file_perms; allow getty_t getty_etc_t:file r_file_perms;
files_create_private_config(getty_t,getty_etc_t,{ file dir }) files_create_etc_config(getty_t,getty_etc_t,{ file dir })
allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink }; allow getty_t getty_tmp_t:file { getattr create read setattr write setattr unlink };
allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir }; allow getty_t getty_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
files_create_private_tmp_data(getty_t,getty_tmp_t,{ file dir }) files_create_tmp_files(getty_t,getty_tmp_t,{ file dir })
allow getty_t getty_log_t:file { getattr append setattr }; allow getty_t getty_log_t:file { getattr append setattr };
@ -54,23 +54,23 @@ term_setattr_all_user_ttys(getty_t)
term_setattr_unallocated_ttys(getty_t) term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t) term_setattr_console(getty_t)
authlogin_modify_login_records(getty_t) auth_rw_login_records(getty_t)
corecommands_search_general_programs_directory(getty_t) corecmd_search_bin(getty_t)
files_modify_system_runtime_data(getty_t) files_rw_generic_pids(getty_t)
files_manage_system_lock_files(getty_t) files_manage_generic_lock_files(getty_t)
files_read_runtime_system_config(getty_t) files_read_etc_runtime_files(getty_t)
files_read_general_system_config(getty_t) files_read_generic_etc_files(getty_t)
init_script_modify_runtime_data(getty_t) init_rw_script_pid(getty_t)
init_script_use_pseudoterminal(getty_t) init_use_script_pty(getty_t)
libraries_use_dynamic_loader(getty_t) libs_use_ld_so(getty_t)
libraries_use_shared_libraries(getty_t) libs_use_shared_libs(getty_t)
locallogin_transition(getty_t) locallogin_domtrans(getty_t)
logging_send_system_log_message(getty_t) logging_send_syslog_msg(getty_t)
miscfiles_read_localization(getty_t) miscfiles_read_localization(getty_t)


@ -2,7 +2,7 @@
## <summary>Policy for changing the system host name.</summary> ## <summary>Policy for changing the system host name.</summary>
######################################## ########################################
## <interface name="hostname_transition"> ## <interface name="hostname_domtrans">
## <description> ## <description>
## Execute hostname in the hostname domain. ## Execute hostname in the hostname domain.
## </description> ## </description>
@ -12,7 +12,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`hostname_transition',` define(`hostname_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 hostname_exec_t:file rx_file_perms; allow $1 hostname_exec_t:file rx_file_perms;
@ -26,7 +26,7 @@ define(`hostname_transition',`
allow hostname_t $1:process sigchld; allow hostname_t $1:process sigchld;
') ')
define(`hostname_transition_depend',` define(`hostname_domtrans_depend',`
type hostname_t, hostname_exec_t; type hostname_t, hostname_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -36,7 +36,7 @@ define(`hostname_transition_depend',`
') ')
######################################## ########################################
## <interface name="hostname_transition_add_role_use_terminal"> ## <interface name="hostname_run">
## <description> ## <description>
## Execute hostname in the hostname domain, and ## Execute hostname in the hostname domain, and
## allow the specified role the hostname domain. ## allow the specified role the hostname domain.
@ -53,22 +53,22 @@ define(`hostname_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`hostname_transition_add_role_use_terminal',` define(`hostname_run',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
hostname_transition($1) hostname_domtrans($1)
role $2 types hostname_t; role $2 types hostname_t;
allow hostname_t $3:chr_file { getattr read write ioctl }; allow hostname_t $3:chr_file { getattr read write ioctl };
') ')
define(`hostname_transition_add_role_use_terminal_depend',` define(`hostname_run_depend',`
type hostname_t; type hostname_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
') ')
######################################## ########################################
## <interface name="hostname_execute"> ## <interface name="hostname_exec">
## <description> ## <description>
## Execute hostname in the hostname domain, and ## Execute hostname in the hostname domain, and
## Has a sigchld signal backchannel. ## Has a sigchld signal backchannel.
@ -80,16 +80,16 @@ define(`hostname_transition_add_role_use_terminal_depend',`
# #
####################################### #######################################
# #
# hostname_execute(domain) # hostname_exec(domain)
# #
define(`hostname_execute',` define(`hostname_exec',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,hostname_exec_t) can_exec($1,hostname_exec_t)
') ')
define(`hostname_execute_depend',` define(`hostname_exec_depend',`
type hostname_exec_t; type hostname_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };


@ -8,7 +8,7 @@ policy_module(hostname,1.0)
type hostname_t; type hostname_t;
type hostname_exec_t; type hostname_exec_t;
init_make_system_domain(hostname_t,hostname_exec_t) init_system_domain(hostname_t,hostname_exec_t)
role system_r types hostname_t; role system_r types hostname_t;
@ -23,36 +23,36 @@ allow hostname_t self:process { sigchld sigkill sigstop signull signal };
allow hostname_t self:capability sys_admin; allow hostname_t self:capability sys_admin;
dontaudit hostname_t self:capability sys_tty_config; dontaudit hostname_t self:capability sys_tty_config;
sysnetwork_read_network_config(hostname_t) sysnet_read_config(hostname_t)
kernel_read_kernel_sysctl(hostname_t) kernel_read_kernel_sysctl(hostname_t)
kernel_read_hardware_state(hostname_t) kernel_read_hardware_state(hostname_t)
kernel_dontaudit_use_fd(hostname_t) kernel_dontaudit_use_fd(hostname_t)
files_read_general_system_config(hostname_t) files_read_generic_etc_files(hostname_t)
files_ignore_search_system_state_data_directory(hostname_t) files_dontaudit_search_var(hostname_t)
fs_getattr_xattr_fs(hostname_t) fs_getattr_xattr_fs(hostname_t)
term_dontaudit_use_console(hostname_t) term_dontaudit_use_console(hostname_t)
term_use_all_user_ttys(hostname_t) term_use_all_user_ttys(hostname_t)
term_use_all_user_ptys(hostname_t) term_use_all_user_ptys(hostname_t)
init_use_file_descriptors(hostname_t) init_use_fd(hostname_t)
init_script_use_pseudoterminal(hostname_t) init_use_script_pty(hostname_t)
domain_use_widely_inheritable_file_descriptors(hostname_t) domain_use_wide_inherit_fd(hostname_t)
# for when /usr is not mounted: # for when /usr is not mounted:
files_ignore_search_isid_type_dir(hostname_t) files_dontaudit_search_isid_type_dir(hostname_t)
libraries_use_dynamic_loader(hostname_t) libs_use_ld_so(hostname_t)
libraries_use_shared_libraries(hostname_t) libs_use_shared_libs(hostname_t)
logging_send_system_log_message(hostname_t) logging_send_syslog_msg(hostname_t)
miscfiles_read_localization(hostname_t) miscfiles_read_localization(hostname_t)
userdomain_use_all_users_file_descriptors(hostname_t) userdom_use_all_user_fd(hostname_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
fs_use_tmpfs_character_devices(hostname_t) fs_use_tmpfs_character_devices(hostname_t)
@ -61,7 +61,7 @@ ifdef(`distro_redhat', `
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(hostname_t) term_dontaudit_use_unallocated_tty(hostname_t)
terminal_ignore_use_general_pseudoterminal(hostname_t) terminal_ignore_use_general_pseudoterminal(hostname_t)
files_ignore_read_rootfs_file(hostname_t) files_dontaudit_read_root_file(hostname_t)
') ')
tunable_policy(`use_dns',` tunable_policy(`use_dns',`
@ -72,11 +72,11 @@ tunable_policy(`use_dns',`
corenet_raw_sendrecv_all_nodes(hostname_t) corenet_raw_sendrecv_all_nodes(hostname_t)
corenet_udp_bind_all_nodes(hostname_t) corenet_udp_bind_all_nodes(hostname_t)
corenet_udp_sendrecv_dns_port(hostname_t) corenet_udp_sendrecv_dns_port(hostname_t)
sysnetwork_read_network_config(hostname_t) sysnet_read_config(hostname_t)
') ')
optional_policy(`hotplug.te',` optional_policy(`hotplug.te',`
hotplug_ignore_use_file_descriptors(hostname_t) hotplug_dontaudit_use_fd(hostname_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
@ -84,7 +84,7 @@ optional_policy(`selinux.te',`
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_read_database(hostname_t) udev_read_db(hostname_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`


@ -6,9 +6,9 @@
####################################### #######################################
# #
# hotplug_transition(domain) # hotplug_domtrans(domain)
# #
define(`hotplug_transition',` define(`hotplug_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 hotplug_exec_t:file rx_file_perms; allow $1 hotplug_exec_t:file rx_file_perms;
@ -22,7 +22,7 @@ define(`hotplug_transition',`
allow hotplug_t $1:process sigchld; allow hotplug_t $1:process sigchld;
') ')
define(`hotplug_transition_depend',` define(`hotplug_domtrans_depend',`
type hotplug_t, hotplug_exec_t; type hotplug_t, hotplug_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -33,16 +33,16 @@ define(`hotplug_transition_depend',`
####################################### #######################################
# #
# hotplug_execute(domain) # hotplug_exec(domain)
# #
define(`hotplug_execute',` define(`hotplug_exec',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,hotplug_exec_t) can_exec($1,hotplug_exec_t)
') ')
define(`hotplug_execute_depend',` define(`hotplug_exec_depend',`
type hotplug_t; type hotplug_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
@ -50,15 +50,15 @@ define(`hotplug_execute_depend',`
####################################### #######################################
# #
# hotplug_use_file_descriptors(domain) # hotplug_use_fd(domain)
# #
define(`hotplug_use_file_descriptors',` define(`hotplug_use_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 hotplug_t:fd use; allow $1 hotplug_t:fd use;
') ')
define(`hotplug_use_file_descriptors_depend',` define(`hotplug_use_fd_depend',`
type hotplug_t; type hotplug_t;
class fd use; class fd use;
@ -66,15 +66,15 @@ define(`hotplug_use_file_descriptors_depend',`
####################################### #######################################
# #
# hotplug_ignore_use_file_descriptors(domain) # hotplug_dontaudit_use_fd(domain)
# #
define(`hotplug_ignore_use_file_descriptors',` define(`hotplug_dontaudit_use_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 hotplug_t:fd use; dontaudit $1 hotplug_t:fd use;
') ')
define(`hotplug_ignore_use_file_descriptors_depend',` define(`hotplug_dontaudit_use_fd_depend',`
type hotplug_t; type hotplug_t;
class fd use; class fd use;
@ -82,15 +82,15 @@ define(`hotplug_ignore_use_file_descriptors_depend',`
######################################## ########################################
# #
# hotplug_ignore_search_config_directory(domain) # hotplug_dontaudit_search_config(domain)
# #
define(`hotplug_ignore_search_config_directory',` define(`hotplug_dontaudit_search_config',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 hotplug_etc_t:dir search; dontaudit $1 hotplug_etc_t:dir search;
') ')
define(`hotplug_ignore_search_config_directory_depend',` define(`hotplug_dontaudit_search_config_depend',`
type hotplug_etc_t; type hotplug_etc_t;
class dir search; class dir search;
@ -109,7 +109,7 @@ define(`hotplug_ignore_search_config_directory_depend',`
define(`hotplug_read_config',` define(`hotplug_read_config',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_general_system_config_directory($1) files_search_etc($1)
allow $1 hotplug_etc_t:file r_file_perms; allow $1 hotplug_etc_t:file r_file_perms;
allow $1 hotplug_etc_t:dir r_dir_perms; allow $1 hotplug_etc_t:dir r_dir_perms;
allow $1 hotplug_etc_t:lnk_file r_file_perms; allow $1 hotplug_etc_t:lnk_file r_file_perms;
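Review bot: `hotplug_exec_depend` still declares `type hotplug_t;` although the interface it backs, `hotplug_exec`, only references `hotplug_exec_t` via `can_exec($1,hotplug_exec_t)`, so the require block that `requires_block_template` emits for callers names the wrong type; the rename carried this over unchanged from `hotplug_execute_depend`. The sibling `hotplug_domtrans_depend` in the hunk above declares `type hotplug_t, hotplug_exec_t;`, which is the pattern this one should follow: `type hotplug_exec_t;`. Whether a caller currently links only because it requires `hotplug_exec_t` through some other interface is not visible here.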


@ -9,13 +9,13 @@ policy_module(hotplug, 1.0)
type hotplug_t; type hotplug_t;
type hotplug_exec_t; type hotplug_exec_t;
kernel_userland_entry(hotplug_t,hotplug_exec_t) kernel_userland_entry(hotplug_t,hotplug_exec_t)
init_make_system_domain(hotplug_t,hotplug_exec_t) init_system_domain(hotplug_t,hotplug_exec_t)
type hotplug_etc_t; #, usercanread; type hotplug_etc_t; #, usercanread;
files_make_file(hotplug_etc_t) files_file_type(hotplug_etc_t)
type hotplug_var_run_t; type hotplug_var_run_t;
files_make_daemon_runtime_file(hotplug_var_run_t) files_pid_file(hotplug_var_run_t)
######################################## ########################################
# #
@ -41,7 +41,7 @@ allow hotplug_t hotplug_exec_t:file { getattr read ioctl execute execute_no_tran
allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans }; allow hotplug_t hotplug_etc_t:file { getattr read execute execute_no_trans };
allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink }; allow hotplug_t hotplug_var_run_t:file { getattr create read write append setattr unlink };
files_create_daemon_runtime_data(hotplug_t,hotplug_var_run_t) files_create_pid(hotplug_t,hotplug_var_run_t)
kernel_read_system_state(hotplug_t) kernel_read_system_state(hotplug_t)
kernel_read_kernel_sysctl(hotplug_t) kernel_read_kernel_sysctl(hotplug_t)
@ -68,71 +68,71 @@ storage_set_removable_device_attributes(hotplug_t)
term_dontaudit_use_console(hotplug_t) term_dontaudit_use_console(hotplug_t)
corecommands_execute_general_programs(hotplug_t) corecmd_exec_bin(hotplug_t)
corecommands_execute_shell(hotplug_t) corecmd_exec_shell(hotplug_t)
corecommands_execute_system_programs(hotplug_t) corecmd_exec_sbin(hotplug_t)
domain_use_widely_inheritable_file_descriptors(hotplug_t) domain_use_wide_inherit_fd(hotplug_t)
files_read_general_system_config(hotplug_t) files_read_generic_etc_files(hotplug_t)
files_manage_runtime_system_config(hotplug_t) files_manage_etc_runtime_files(hotplug_t)
files_execute_system_config_script(hotplug_t) files_exec_generic_etc_files(hotplug_t)
# for when filesystems are not mounted early in the boot: # for when filesystems are not mounted early in the boot:
files_ignore_search_isid_type_dir(hotplug_t) files_dontaudit_search_isid_type_dir(hotplug_t)
init_use_file_descriptors(hotplug_t) init_use_fd(hotplug_t)
init_script_use_pseudoterminal(hotplug_t) init_use_script_pty(hotplug_t)
init_script_read_process_state(hotplug_t) init_read_script_process_state(hotplug_t)
# Allow hotplug (including /sbin/ifup-local) to start/stop services and # Allow hotplug (including /sbin/ifup-local) to start/stop services and
# run sendmail -q # run sendmail -q
init_script_transition(hotplug_t) init_domtrans_script(hotplug_t)
# kernel threads inherit from shared descriptor table used by init # kernel threads inherit from shared descriptor table used by init
init_ignore_use_control_channel(hotplug_t) init_dontaudit_use_initctl(hotplug_t)
logging_send_system_log_message(hotplug_t) logging_send_syslog_msg(hotplug_t)
logging_search_system_log_directory(hotplug_t) logging_search_logs(hotplug_t)
libraries_use_dynamic_loader(hotplug_t) libs_use_ld_so(hotplug_t)
libraries_use_shared_libraries(hotplug_t) libs_use_shared_libs(hotplug_t)
# Read /usr/lib/gconv/.* # Read /usr/lib/gconv/.*
libraries_read_library_resources(hotplug_t) libs_read_lib(hotplug_t)
modutils_insmod_transition(hotplug_t) modutils_domtrans_insmod(hotplug_t)
modutils_read_kernel_module_dependencies(hotplug_t) modutils_read_kernel_module_dependencies(hotplug_t)
miscfiles_read_localization(hotplug_t) miscfiles_read_localization(hotplug_t)
mount_transition(hotplug_t) mount_domtrans(hotplug_t)
sysnetwork_read_network_config(hotplug_t) sysnet_read_config(hotplug_t)
userdomain_ignore_use_all_unprivileged_users_file_descriptors(hotplug_t) userdom_dontaudit_use_unpriv_user_fd(hotplug_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
optional_policy(`netutils.te', ` optional_policy(`netutils.te', `
# for arping used for static IP addresses on PCMCIA ethernet # for arping used for static IP addresses on PCMCIA ethernet
netutils_transition(hotplug_t) netutils_domtrans(hotplug_t)
fs_use_tmpfs_character_devices(hotplug_t) fs_use_tmpfs_character_devices(hotplug_t)
') ')
files_get_system_lock_file_attributes(hotplug_t) files_getattr_generic_lock_files(hotplug_t)
') ')
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(hotplug_t) term_dontaudit_use_unallocated_tty(hotplug_t)
terminal_ignore_use_general_pseudoterminal(hotplug_t) terminal_ignore_use_general_pseudoterminal(hotplug_t)
files_ignore_read_rootfs_file(hotplug_t) files_dontaudit_read_root_file(hotplug_t)
') ')
optional_policy(`consoletype.te',` optional_policy(`consoletype.te',`
consoletype_transition(hotplug_t) consoletype_domtrans(hotplug_t)
') ')
optional_policy(`hostname.te',` optional_policy(`hostname.te',`
hostname_execute(hotplug_t) hostname_exec(hotplug_t)
') ')
optional_policy(`iptables.te',` optional_policy(`iptables.te',`
iptables_transition(hotplug_t) iptables_domtrans(hotplug_t)
') ')
optional_policy(`mta.te', ` optional_policy(`mta.te', `
@ -144,12 +144,12 @@ optional_policy(`selinux.te',`
') ')
optional_policy(`sysnetwork.te',` optional_policy(`sysnetwork.te',`
sysnetwork_ifconfig_transition(hotplug_t) sysnet_domtrans_ifconfig(hotplug_t)
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_transition(hotplug_t) udev_domtrans(hotplug_t)
udev_read_database(hotplug_t) udev_read_db(hotplug_t)
') ')
optional_policy(`updfstab.te', ` optional_policy(`updfstab.te', `
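Review bot: `terminal_ignore_use_general_pseudoterminal(hotplug_t)` in the `targeted_policy` block (hunk at -68) is left untouched while every other call in this file moves to the new scheme, including `term_dontaudit_use_unallocated_tty` on the line directly above it, so the file now mixes the old `terminal_…_ignore_…` spelling with the new `term_…_dontaudit_…` one. If the terminal module's interfaces were renamed in the same sweep this call now names an interface that no longer exists, which would only surface when the `targeted_policy` branch is built; that cannot be confirmed from this section. The same untouched line appears in the hostname section earlier in this commit.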


@ -3,13 +3,13 @@
######################################## ########################################
# #
# init_make_init_domain(domain,entrypointfile) # init_domain(domain,entrypointfile)
# #
define(`init_make_init_domain',` define(`init_domain',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_make_domain($1) domain_type($1)
domain_make_entrypoint_file($1,$2) domain_entry_file($1,$2)
role system_r types $1; role system_r types $1;
@ -27,11 +27,11 @@ define(`init_make_init_domain',`
# fd open from the initrd # fd open from the initrd
optional_policy(`distro_redhat',` optional_policy(`distro_redhat',`
kernel_dontaudit_use_fd($1) kernel_dontaudit_use_fd($1)
files_ignore_read_rootfs_file($1) files_dontaudit_read_root_file($1)
') ')
') ')
define(`init_make_init_domain_depend',` define(`init_domain_depend',`
type init_t; type init_t;
class file rx_file_perms; class file rx_file_perms;
class fd use; class fd use;
@ -42,13 +42,13 @@ define(`init_make_init_domain_depend',`
######################################## ########################################
# #
# init_make_daemon_domain(domain,entrypointfile) # init_daemon_domain(domain,entrypointfile)
# #
define(`init_make_daemon_domain',` define(`init_daemon_domain',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_make_domain($1) domain_type($1)
domain_make_entrypoint_file($1,$2) domain_entry_file($1,$2)
role system_r types $1; role system_r types $1;
@ -66,11 +66,11 @@ define(`init_make_daemon_domain',`
# fd open from the initrd # fd open from the initrd
optional_policy(`distro_redhat',` optional_policy(`distro_redhat',`
kernel_dontaudit_use_fd($1) kernel_dontaudit_use_fd($1)
files_ignore_read_rootfs_file($1) files_dontaudit_read_root_file($1)
') ')
') ')
define(`init_make_daemon_domain_depend',` define(`init_daemon_domain_depend',`
type initrc_t; type initrc_t;
role system_r; role system_r;
@ -83,13 +83,13 @@ define(`init_make_daemon_domain_depend',`
######################################## ########################################
# #
# init_make_system_domain(domain,entrypointfile) # init_system_domain(domain,entrypointfile)
# #
define(`init_make_system_domain',` define(`init_system_domain',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_make_domain($1) domain_type($1)
domain_make_entrypoint_file($1,$2) domain_entry_file($1,$2)
role system_r types $1; role system_r types $1;
@ -107,11 +107,11 @@ define(`init_make_system_domain',`
# fd open from the initrd # fd open from the initrd
optional_policy(`distro_redhat',` optional_policy(`distro_redhat',`
kernel_dontaudit_use_fd($1) kernel_dontaudit_use_fd($1)
files_ignore_read_rootfs_file($1) files_dontaudit_read_root_file($1)
') ')
') ')
define(`init_make_system_domain_depend',` define(`init_system_domain_depend',`
type initrc_t; type initrc_t;
role system_r; role system_r;
@ -123,9 +123,9 @@ define(`init_make_system_domain_depend',`
######################################## ########################################
# #
# init_transition(domain) # init_domtrans(domain)
# #
define(`init_transition',` define(`init_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 init_exec_t:file rx_file_perms; allow $1 init_exec_t:file rx_file_perms;
@ -139,7 +139,7 @@ define(`init_transition',`
allow init_t $1:process sigchld; allow init_t $1:process sigchld;
') ')
define(`init_transition_depend',` define(`init_domtrans_depend',`
type init_t, init_exec_t; type init_t, init_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -166,15 +166,15 @@ define(`init_get_process_group_depend',`
######################################## ########################################
# #
# init_get_control_channel_attributes(domain) # init_getattr_initctl(domain)
# #
define(`init_get_control_channel_attributes',` define(`init_getattr_initctl',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 initctl_t:fifo_file getattr; allow $1 initctl_t:fifo_file getattr;
') ')
define(`init_get_control_channel_attributes_depend',` define(`init_getattr_initctl_depend',`
type initctl_t; type initctl_t;
class fifo_file getattr; class fifo_file getattr;
@ -182,15 +182,15 @@ define(`init_get_control_channel_attributes_depend',`
######################################## ########################################
# #
# init_ignore_get_control_channel_attributes(domain) # init_dontaudit_getattr_initctl(domain)
# #
define(`init_ignore_get_control_channel_attributes',` define(`init_dontaudit_getattr_initctl',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 initctl_t:fifo_file getattr; dontaudit $1 initctl_t:fifo_file getattr;
') ')
define(`init_get_control_channel_attributes_depend',` define(`init_getattr_initctl_depend',`
type initctl_t; type initctl_t;
class fifo_file getattr; class fifo_file getattr;
@ -198,16 +198,16 @@ define(`init_get_control_channel_attributes_depend',`
######################################## ########################################
# #
# init_use_control_channel(domain) # init_use_initctl(domain)
# #
define(`init_use_control_channel',` define(`init_use_initctl',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dev_list_all_dev_nodes($1) dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_file_perms; allow $1 initctl_t:fifo_file rw_file_perms;
') ')
define(`init_use_control_channel_depend',` define(`init_use_initctl_depend',`
type initctl_t; type initctl_t;
class fifo_file rw_file_perms; class fifo_file rw_file_perms;
@ -215,15 +215,15 @@ define(`init_use_control_channel_depend',`
######################################## ########################################
# #
# init_ignore_use_control_channel(domain) # init_dontaudit_use_initctl(domain)
# #
define(`init_ignore_use_control_channel',` define(`init_dontaudit_use_initctl',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 initctl_t:fifo_file { read write }; dontaudit $1 initctl_t:fifo_file { read write };
') ')
define(`init_ignore_use_control_channel_depend',` define(`init_dontaudit_use_initctl_depend',`
type initctl_t; type initctl_t;
class fifo_file { read write }; class fifo_file { read write };
@ -247,15 +247,15 @@ define(`init_sigchld_depend',`
######################################## ########################################
# #
# init_use_file_descriptors(domain) # init_use_fd(domain)
# #
define(`init_use_file_descriptors',` define(`init_use_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 init_t:fd use; allow $1 init_t:fd use;
') ')
define(`init_use_file_descriptors_depend',` define(`init_use_fd_depend',`
type init_t; type init_t;
class fd use; class fd use;
@ -263,15 +263,15 @@ define(`init_use_file_descriptors_depend',`
######################################## ########################################
# #
# init_ignore_use_file_descriptors(domain) # init_dontaudit_use_fd(domain)
# #
define(`init_ignore_use_file_descriptors',` define(`init_dontaudit_use_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 init_t:fd use; dontaudit $1 init_t:fd use;
') ')
define(`init_ignore_use_file_descriptors_depend',` define(`init_dontaudit_use_fd_depend',`
type init_t; type init_t;
class fd use; class fd use;
@ -279,9 +279,9 @@ define(`init_ignore_use_file_descriptors_depend',`
######################################## ########################################
# #
# init_script_transition(domain) # init_domtrans_script(domain)
# #
define(`init_script_transition',` define(`init_domtrans_script',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 initrc_exec_t:file rx_file_perms; allow $1 initrc_exec_t:file rx_file_perms;
@ -295,7 +295,7 @@ define(`init_script_transition',`
allow initrc_t $1:process sigchld; allow initrc_t $1:process sigchld;
') ')
define(`init_script_transition_depend',` define(`init_domtrans_script_depend',`
type initrc_t, initrc_exec_t; type initrc_t, initrc_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -306,23 +306,23 @@ define(`init_script_transition_depend',`
######################################## ########################################
# #
# init_script_execute(domain) # init_exec_script(domain)
# #
define(`init_script_execute',` define(`init_exec_script',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,initrc_exec_t) can_exec($1,initrc_exec_t)
') ')
define(`init_script_execute_depend',` define(`init_exec_script_depend',`
type initrc_exec_t; type initrc_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
') ')
######################################## ########################################
## <interface name="init_script_read_process_state"> ## <interface name="init_read_script_process_state">
## <description> ## <description>
## Read the process state (/proc/pid) of the init scripts. ## Read the process state (/proc/pid) of the init scripts.
## </description> ## </description>
@ -331,7 +331,7 @@ define(`init_script_execute_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`init_script_read_process_state',` define(`init_read_script_process_state',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 initrc_t:dir r_dir_perms; allow $1 initrc_t:dir r_dir_perms;
@ -345,7 +345,7 @@ define(`init_script_read_process_state',`
dontaudit $1 initrc_t:process ptrace; dontaudit $1 initrc_t:process ptrace;
') ')
define(`init_script_read_process_state_depend',` define(`init_read_script_process_state_depend',`
type initrc_t; type initrc_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -356,15 +356,15 @@ define(`init_script_read_process_state_depend',`
######################################## ########################################
# #
# init_script_use_file_descriptors(domain) # init_use_script_fd(domain)
# #
define(`init_script_use_file_descriptors',` define(`init_use_script_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 initrc_t:fd use; allow $1 initrc_t:fd use;
') ')
define(`init_script_use_file_descriptors_depend',` define(`init_use_script_fd_depend',`
type initrc_t; type initrc_t;
class fd use; class fd use;
@ -372,15 +372,15 @@ define(`init_script_use_file_descriptors_depend',`
######################################## ########################################
# #
# init_script_ignore_use_file_descriptors(domain) # init_dontaudit_use_script_fd(domain)
# #
define(`init_script_ignore_use_file_descriptors',` define(`init_dontaudit_use_script_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 initrc_t:fd use; dontaudit $1 initrc_t:fd use;
') ')
define(`init_script_ignore_use_file_descriptors_depend',` define(`init_dontaudit_use_script_fd_depend',`
type initrc_t; type initrc_t;
class fd use; class fd use;
@ -388,15 +388,15 @@ define(`init_script_ignore_use_file_descriptors_depend',`
######################################## ########################################
# #
# init_script_get_process_group(domain) # init_get_script_process_group(domain)
# #
define(`init_script_get_process_group',` define(`init_get_script_process_group',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 initrc_t:process getpgid; allow $1 initrc_t:process getpgid;
') ')
define(`init_script_get_process_group_depend',` define(`init_get_script_process_group_depend',`
type initrc_t; type initrc_t;
class process getpgid; class process getpgid;
@ -404,16 +404,16 @@ define(`init_script_get_process_group_depend',`
######################################## ########################################
# #
# init_script_use_pseudoterminal(domain) # init_use_script_pty(domain)
# #
define(`init_script_use_pseudoterminal',` define(`init_use_script_pty',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
term_list_ptys($1) term_list_ptys($1)
allow $1 initrc_devpts_t:chr_file { getattr read write ioctl }; allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
') ')
define(`init_script_use_pseudoterminal_depend',` define(`init_use_script_pty_depend',`
type initrc_devpts_t; type initrc_devpts_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -421,22 +421,22 @@ define(`init_script_use_pseudoterminal_depend',`
######################################## ########################################
# #
# init_script_ignore_use_pseudoterminal(domain) # init_dontaudit_use_script_pty(domain)
# #
define(`init_script_ignore_use_pseudoterminal',` define(`init_dontaudit_use_script_pty',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 initrc_devpts_t:chr_file { read write ioctl }; dontaudit $1 initrc_devpts_t:chr_file { read write ioctl };
') ')
define(`init_script_ignore_use_pseudoterminal_depend',` define(`init_dontaudit_use_script_pty_depend',`
type initrc_devpts_t; type initrc_devpts_t;
class chr_file { read write ioctl }; class chr_file { read write ioctl };
') ')
######################################## ########################################
## <interface name="init_script_modify_temporary_data"> ## <interface name="init_rw_script_tmp_files">
## <description> ## <description>
## Read and write init script temporary data. ## Read and write init script temporary data.
## </description> ## </description>
@ -445,14 +445,14 @@ define(`init_script_ignore_use_pseudoterminal_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`init_script_modify_temporary_data',` define(`init_rw_script_tmp_files',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
# FIXME: read tmp_t # FIXME: read tmp_t
allow $1 initrc_tmp_t:file rw_file_perms; allow $1 initrc_tmp_t:file rw_file_perms;
') ')
define(`init_script_modify_temporary_data_depend',` define(`init_rw_script_tmp_files_depend',`
type initrc_var_run_t; type initrc_var_run_t;
class file rw_file_perms; class file rw_file_perms;
@ -460,16 +460,16 @@ define(`init_script_modify_temporary_data_depend',`
######################################## ########################################
# #
# init_script_read_runtime_data(domain) # init_read_script_pid(domain)
# #
define(`init_script_read_runtime_data',` define(`init_read_script_pid',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_read_runtime_data_directory($1) files_list_pids($1)
allow $1 initrc_var_run_t:file r_file_perms; allow $1 initrc_var_run_t:file r_file_perms;
') ')
define(`init_script_read_runtime_data_depend',` define(`init_read_script_pid_depend',`
type initrc_var_run_t; type initrc_var_run_t;
class file r_file_perms; class file r_file_perms;
@ -477,15 +477,15 @@ define(`init_script_read_runtime_data_depend',`
######################################## ########################################
# #
# init_script_ignore_write_runtime_data(domain) # init_dontaudit_write_script_pid(domain)
# #
define(`init_script_ignore_write_runtime_data',` define(`init_dontaudit_write_script_pid',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 initrc_var_run_t:file { write lock }; dontaudit $1 initrc_var_run_t:file { write lock };
') ')
define(`init_script_ignore_write_runtime_data_depend',` define(`init_dontaudit_write_script_pid_depend',`
type initrc_var_run_t; type initrc_var_run_t;
class file { write lock }; class file { write lock };
@ -493,16 +493,16 @@ define(`init_script_ignore_write_runtime_data_depend',`
######################################## ########################################
# #
# init_script_modify_runtime_data(domain) # init_rw_script_pid(domain)
# #
define(`init_script_modify_runtime_data',` define(`init_rw_script_pid',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_read_runtime_data_directory($1) files_list_pids($1)
allow $1 initrc_var_run_t:file rw_file_perms; allow $1 initrc_var_run_t:file rw_file_perms;
') ')
define(`init_script_modify_runtime_data_depend',` define(`init_rw_script_pid_depend',`
type initrc_var_run_t; type initrc_var_run_t;
class file rw_file_perms; class file rw_file_perms;
@ -510,15 +510,15 @@ define(`init_script_modify_runtime_data_depend',`
######################################## ########################################
# #
# init_script_ignore_modify_runtime_data(domain) # init_dontaudit_rw_script_pid(domain)
# #
define(`init_script_ignore_modify_runtime_data',` define(`init_dontaudit_rw_script_pid',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 initrc_var_run_t:file { getattr read write append }; dontaudit $1 initrc_var_run_t:file { getattr read write append };
') ')
define(`init_script_ignore_modify_runtime_data_depend',` define(`init_dontaudit_rw_script_pid_depend',`
type initrc_var_run_t; type initrc_var_run_t;
class file rw_file_perms; class file rw_file_perms;
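Review bot: In the hunk at -182 the depend macro that follows `init_dontaudit_getattr_initctl` is named `init_getattr_initctl_depend`, so the interface's `requires_block_template(`$0'_depend)` expands to `init_dontaudit_getattr_initctl_depend`, which is never defined, and the second definition redefines (with an identical body) the one belonging to `init_getattr_initctl` in the previous hunk; the rename preserved this mismatch from `init_get_control_channel_attributes_depend`. It should read `define(`init_dontaudit_getattr_initctl_depend',`. A related mismatch sits in the hunk at -445: `init_rw_script_tmp_files_depend` declares `type initrc_var_run_t;` while the interface body only touches `initrc_tmp_t`, so the require block callers get omits the type they actually use, and the `# FIXME: read tmp_t` comment above the allow rule suggests the block was never finished. The closing lines of both depend macros fall outside their hunks.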


@ -10,7 +10,7 @@ policy_module(init,1.0)
# init_t is the domain of the init process. # init_t is the domain of the init process.
# #
type init_t; type init_t;
domain_make_domain(init_t) domain_type(init_t)
role system_r types init_t; role system_r types init_t;
# #
@ -18,13 +18,13 @@ role system_r types init_t;
# #
type init_exec_t; type init_exec_t;
kernel_userland_entry(init_t,init_exec_t) kernel_userland_entry(init_t,init_exec_t)
domain_make_entrypoint_file(init_t,init_exec_t) domain_entry_file(init_t,init_exec_t)
# #
# init_var_run_t is the type for /var/run/shutdown.pid. # init_var_run_t is the type for /var/run/shutdown.pid.
# #
type init_var_run_t; type init_var_run_t;
files_make_daemon_runtime_file(init_var_run_t) files_pid_file(init_var_run_t)
# #
# initctl_t is the type of the named pipe created # initctl_t is the type of the named pipe created
@ -32,14 +32,14 @@ files_make_daemon_runtime_file(init_var_run_t)
# to communicate with init. # to communicate with init.
# #
type initctl_t; type initctl_t;
files_make_file(initctl_t) files_file_type(initctl_t)
type initrc_t; type initrc_t;
domain_make_domain(initrc_t) domain_type(initrc_t)
role system_r types initrc_t; role system_r types initrc_t;
type initrc_exec_t; type initrc_exec_t;
domain_make_entrypoint_file(initrc_t,initrc_exec_t) domain_entry_file(initrc_t,initrc_exec_t)
type initrc_devpts_t; type initrc_devpts_t;
fs_associate(initrc_devpts_t) fs_associate(initrc_devpts_t)
@ -47,13 +47,13 @@ fs_associate_noxattr(initrc_devpts_t)
term_pty(initrc_devpts_t) term_pty(initrc_devpts_t)
type initrc_var_run_t; type initrc_var_run_t;
files_make_daemon_runtime_file(initrc_var_run_t) files_pid_file(initrc_var_run_t)
type initrc_state_t; type initrc_state_t;
files_make_file(initrc_state_t) files_file_type(initrc_state_t)
type initrc_tmp_t; type initrc_tmp_t;
files_make_temporary_file(initrc_tmp_t) files_tmp_file(initrc_tmp_t)
######################################## ########################################
# #
@ -67,7 +67,7 @@ allow init_t self:capability ~sys_module;
# sys_tty_config # sys_tty_config
# kill: now provided by domain_kill_all_domains() # kill: now provided by domain_kill_all_domains()
# setuid (from /sbin/shutdown) # setuid (from /sbin/shutdown)
# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot() # sys_chroot (from /usr/bin/chroot): now provided by corecmd_chroot_exec_chroot()
allow init_t self:fifo_file rw_file_perms; allow init_t self:fifo_file rw_file_perms;
@ -76,7 +76,7 @@ allow init_t init_exec_t:file { getattr read ioctl execute execute_no_trans };
# For /var/run/shutdown.pid. # For /var/run/shutdown.pid.
allow init_t init_var_run_t:file { create getattr read append write setattr unlink }; allow init_t init_var_run_t:file { create getattr read append write setattr unlink };
files_create_daemon_runtime_data(init_t,init_var_run_t) files_create_pid(init_t,init_var_run_t)
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink }; allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
fs_associate_tmpfs(initctl_t) fs_associate_tmpfs(initctl_t)
@ -95,9 +95,9 @@ kernel_share_state(init_t)
term_use_all_terms(init_t) term_use_all_terms(init_t)
corecommands_chroot(init_t) corecmd_chroot_exec_chroot(init_t)
corecommands_execute_general_programs(init_t) corecmd_exec_bin(init_t)
corecommands_execute_system_programs(init_t) corecmd_exec_sbin(init_t)
domain_kill_all_domains(init_t) domain_kill_all_domains(init_t)
domain_signal_all_domains(init_t) domain_signal_all_domains(init_t)
@ -106,22 +106,22 @@ domain_sigstop_all_domains(init_t)
domain_sigstop_all_domains(init_t) domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t) domain_sigchld_all_domains(init_t)
files_read_general_system_config(init_t) files_read_generic_etc_files(init_t)
files_modify_system_runtime_data(init_t) files_rw_generic_pids(init_t)
files_ignore_search_isid_type_dir(init_t) files_dontaudit_search_isid_type_dir(init_t)
files_manage_runtime_system_config(init_t) files_manage_etc_runtime_files(init_t)
# Run /etc/X11/prefdm: # Run /etc/X11/prefdm:
files_execute_system_config_script(init_t) files_exec_generic_etc_files(init_t)
# file descriptors inherited from the rootfs: # file descriptors inherited from the rootfs:
files_ignore_modify_rootfs_file(init_t) files_dontaudit_rw_root_file(init_t)
files_ignore_modify_rootfs_device(init_t) files_dontaudit_rw_root_chr_dev(init_t)
libraries_use_dynamic_loader(init_t) libs_use_ld_so(init_t)
libraries_use_shared_libraries(init_t) libs_use_shared_libs(init_t)
libraries_modify_dynamic_loader_cache(init_t) libs_rw_ld_so_cache(init_t)
logging_send_system_log_message(init_t) logging_send_syslog_msg(init_t)
logging_modify_system_logs(init_t) logging_rw_generic_logs(init_t)
selinux_read_config(init_t) selinux_read_config(init_t)
@ -133,12 +133,12 @@ ifdef(`distro_redhat',`
') ')
optional_policy(`authlogin.te',` optional_policy(`authlogin.te',`
authlogin_modify_login_records(init_t) auth_rw_login_records(init_t)
') ')
# Run the shell in the sysadm_t domain for single-user mode. # Run the shell in the sysadm_t domain for single-user mode.
optional_policy(`userdomain.te',` optional_policy(`userdomain.te',`
userdomain_sysadm_shell_transition(init_t) userdom_shell_domtrans_sysadm(init_t)
') ')
######################################## ########################################
@ -167,11 +167,11 @@ allow initrc_t initrc_state_t:file create_file_perms;
allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename }; allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rename };
allow initrc_t initrc_var_run_t:file create_file_perms; allow initrc_t initrc_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(initrc_t,initrc_var_run_t) files_create_pid(initrc_t,initrc_var_run_t)
allow initrc_t initrc_tmp_t:file create_file_perms; allow initrc_t initrc_tmp_t:file create_file_perms;
allow initrc_t initrc_tmp_t:dir create_dir_perms; allow initrc_t initrc_tmp_t:dir create_dir_perms;
files_create_private_tmp_data(initrc_t,initrc_tmp_t, { file dir }) files_create_tmp_files(initrc_t,initrc_tmp_t, { file dir })
kernel_read_system_state(initrc_t) kernel_read_system_state(initrc_t)
kernel_read_software_raid_state(initrc_t) kernel_read_software_raid_state(initrc_t)
@ -230,16 +230,16 @@ storage_set_removable_device_attributes(initrc_t)
term_use_all_terms(initrc_t) term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t) term_reset_tty_labels(initrc_t)
authlogin_modify_login_records(initrc_t) auth_rw_login_records(initrc_t)
authlogin_modify_last_login_log(initrc_t) auth_rw_lastlog(initrc_t)
authlogin_pam_read_runtime_data(initrc_t) auth_read_pam_pid(initrc_t)
authlogin_pam_remove_runtime_data(initrc_t) auth_delete_pam_pid(initrc_t)
authlogin_pam_console_read_runtime_data_dir(initrc_t) auth_list_pam_console_data(initrc_t)
corecommands_execute_general_programs(initrc_t) corecmd_exec_bin(initrc_t)
corecommands_execute_system_programs(initrc_t) corecmd_exec_sbin(initrc_t)
corecommands_execute_shell(initrc_t) corecmd_exec_shell(initrc_t)
corecommands_execute_ls(initrc_t) corecmd_exec_ls(initrc_t)
domain_kill_all_domains(initrc_t) domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t) domain_signal_all_domains(initrc_t)
@ -247,53 +247,53 @@ domain_signull_all_domains(initrc_t)
domain_sigstop_all_domains(initrc_t) domain_sigstop_all_domains(initrc_t)
domain_sigstop_all_domains(initrc_t) domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_process_state(initrc_t) domain_read_all_domains_state(initrc_t)
domain_get_all_domains_session_id(initrc_t) domain_getsession_all_domains(initrc_t)
domain_use_widely_inheritable_file_descriptors(initrc_t) domain_use_wide_inherit_fd(initrc_t)
# for lsof which is used by alsa shutdown: # for lsof which is used by alsa shutdown:
domain_ignore_get_all_domains_udp_socket_attributes(initrc_t) domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_ignore_get_all_domains_tcp_socket_attributes(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_ignore_get_all_domains_unix_dgram_socket_attributes(initrc_t) domain_dontaudit_getattr_all_unix_dgram_sockets(initrc_t)
domain_ignore_get_all_domains_pipe_attributes(initrc_t) domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)
files_get_all_file_attributes(initrc_t) files_getattr_all_files(initrc_t)
files_remove_all_tmp_data(initrc_t) files_delete_all_tmp_files(initrc_t)
files_remove_all_lock_files(initrc_t) files_delete_all_lock_files(initrc_t)
files_read_all_daemon_runtime_data(initrc_t) files_read_all_pids(initrc_t)
files_remove_all_daemon_runtime_data(initrc_t) files_delete_all_pids(initrc_t)
files_read_general_system_config(initrc_t) files_read_generic_etc_files(initrc_t)
files_manage_runtime_system_config(initrc_t) files_manage_etc_runtime_files(initrc_t)
files_manage_system_lock_files(initrc_t) files_manage_generic_lock_files(initrc_t)
files_execute_system_config_script(initrc_t) files_exec_generic_etc_files(initrc_t)
files_read_general_application_resources(initrc_t) files_read_usr_files(initrc_t)
files_manage_pseudorandom_saved_seed(initrc_t) files_manage_urandom_seed(initrc_t)
files_manage_system_spools(initrc_t) files_manage_spools(initrc_t)
libraries_modify_dynamic_loader_cache(initrc_t) libs_rw_ld_so_cache(initrc_t)
libraries_use_dynamic_loader(initrc_t) libs_use_ld_so(initrc_t)
libraries_use_shared_libraries(initrc_t) libs_use_shared_libs(initrc_t)
libraries_execute_library_scripts(initrc_t) libs_exec_lib_files(initrc_t)
logging_send_system_log_message(initrc_t) logging_send_syslog_msg(initrc_t)
logging_modify_system_logs(initrc_t) logging_rw_generic_logs(initrc_t)
logging_read_all_logs(initrc_t) logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t) logging_append_all_logs(initrc_t)
miscfiles_read_localization(initrc_t) miscfiles_read_localization(initrc_t)
modutils_read_kernel_module_loading_config(initrc_t) modutils_read_module_conf(initrc_t)
selinux_read_config(initrc_t) selinux_read_config(initrc_t)
sysnetwork_read_network_config(initrc_t) sysnet_read_config(initrc_t)
udev_modify_database(initrc_t) udev_rw_db(initrc_t)
userdomain_read_all_users_data(initrc_t) userdom_read_all_user_data(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the # Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such # TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain. # started from init should be placed in their own domain.
userdomain_use_admin_terminals(initrc_t) userdom_use_sysadm_terms(initrc_t)
ifdef(`distro_debian', ` ifdef(`distro_debian', `
fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir) fs_create_tmpfs_data(initrc_t,initrc_var_run_t,dir)
@ -306,7 +306,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray # Red Hat systems seem to have a stray
# fd open from the initrd # fd open from the initrd
kernel_dontaudit_use_fd(initrc_t) kernel_dontaudit_use_fd(initrc_t)
files_ignore_read_rootfs_file(initrc_t) files_dontaudit_read_root_file(initrc_t)
kernel_set_enforcement_mode(initrc_t) kernel_set_enforcement_mode(initrc_t)
@ -329,7 +329,7 @@ ifdef(`distro_redhat',`
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
# readahead asks for these # readahead asks for these
mta_read_mail_aliases(initrc_t) mta_read_aliases(initrc_t)
') ')
optional_policy(`hotplug.te',` optional_policy(`hotplug.te',`
@ -349,7 +349,7 @@ optional_policy(`lvm.te',`
') ')
optional_policy(`rhgb.te',` optional_policy(`rhgb.te',`
corecommands_make_shell_entrypoint(initrc_t) corecmd_shell_entry_type(initrc_t)
') ')
optional_policy(`rpm.te',` optional_policy(`rpm.te',`
@ -357,13 +357,13 @@ optional_policy(`rpm.te',`
kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t) kernel_dontaudit_getattr_unlabeled_blk_dev(initrc_t)
# for a bug in rm # for a bug in rm
files_ignore_write_all_daemon_runtime_data(initrc_t) files_dontaudit_write_all_pids(initrc_t)
# bash tries ioctl for some reason # bash tries ioctl for some reason
files_ignore_ioctl_all_daemon_runtime_data(initrc_t) files_dontaudit_ioctl_all_pids(initrc_t)
# why is this needed: # why is this needed:
rpm_manage_package_database(initrc_t) rpm_manage_db(initrc_t)
') dnl end rpm.te ') dnl end rpm.te
ifdef(`TODO',` ifdef(`TODO',`


@ -2,7 +2,7 @@
## <summary>Policy for iptables.</summary> ## <summary>Policy for iptables.</summary>
######################################## ########################################
## <interface name="iptables_transition"> ## <interface name="iptables_domtrans">
## <description> ## <description>
## Execute iptables in the iptables domain. ## Execute iptables in the iptables domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`iptables_transition',` define(`iptables_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 iptables_exec_t:file rx_file_perms; allow $1 iptables_exec_t:file rx_file_perms;
@ -25,7 +25,7 @@ define(`iptables_transition',`
allow iptables_t $1:process sigchld; allow iptables_t $1:process sigchld;
') ')
define(`iptables_transition_depend',` define(`iptables_domtrans_depend',`
type iptables_t, iptables_exec_t; type iptables_t, iptables_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -35,7 +35,7 @@ define(`iptables_transition_depend',`
') ')
######################################## ########################################
## <interface name="iptables_transition_add_role_use_terminal"> ## <interface name="iptables_run">
## <description> ## <description>
## Execute iptables in the iptables domain, and ## Execute iptables in the iptables domain, and
## allow the specified role the iptables domain. ## allow the specified role the iptables domain.
@ -51,22 +51,22 @@ define(`iptables_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`iptables_transition_add_role_use_terminal',` define(`iptables_run',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
iptables_transition($1) iptables_domtrans($1)
role $2 types iptables_t; role $2 types iptables_t;
allow iptables_t $3:chr_file { getattr read write ioctl }; allow iptables_t $3:chr_file { getattr read write ioctl };
') ')
define(`iptables_transition_add_role_use_terminal_depend',` define(`iptables_run_depend',`
type iptables_t; type iptables_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
') ')
######################################## ########################################
## <interface name="iptables_execute"> ## <interface name="iptables_exec">
## <description> ## <description>
## Execute iptables in the caller domain. ## Execute iptables in the caller domain.
## </description> ## </description>
@ -75,14 +75,14 @@ define(`iptables_transition_add_role_use_terminal_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`iptables_execute',` define(`iptables_exec',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,iptables_exec_t) can_exec($1,iptables_exec_t)
') ')
define(`iptables_execute_depend',` define(`iptables_exec_depend',`
type iptables_t, iptables_exec_t; type iptables_t, iptables_exec_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
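Review bot: `iptables_exec_depend` at the foot of the hunk declares `type iptables_t, iptables_exec_t;`, but the `iptables_exec` body it backs only references `iptables_exec_t` via `can_exec($1,iptables_exec_t)`, so the require block is broader than the interface needs. It should read `type iptables_exec_t;`, matching the single-type shape of the `_exec` interfaces elsewhere in this commit. The depend block continues past the end of the hunk, so confirm nothing further down uses `iptables_t` before trimming it.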


@ -8,14 +8,14 @@ policy_module(iptables, 1.0)
type iptables_t; type iptables_t;
type iptables_exec_t; type iptables_exec_t;
init_make_system_domain(iptables_t,iptables_exec_t) init_system_domain(iptables_t,iptables_exec_t)
role system_r types iptables_t; role system_r types iptables_t;
type iptables_tmp_t; type iptables_tmp_t;
files_make_temporary_file(iptables_tmp_t) files_tmp_file(iptables_tmp_t)
type iptables_var_run_t; type iptables_var_run_t;
files_make_daemon_runtime_file(iptables_var_run_t) files_pid_file(iptables_var_run_t)
######################################## ########################################
# #
@ -27,13 +27,13 @@ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t iptables_var_run_t:dir rw_dir_perms; allow iptables_t iptables_var_run_t:dir rw_dir_perms;
files_create_daemon_runtime_data(iptables_t,iptables_var_run_t) files_create_pid(iptables_t,iptables_var_run_t)
can_exec(iptables_t,iptables_exec_t) can_exec(iptables_t,iptables_exec_t)
allow iptables_t iptables_tmp_t:dir create_dir_perms; allow iptables_t iptables_tmp_t:dir create_dir_perms;
allow iptables_t iptables_tmp_t:file create_file_perms; allow iptables_t iptables_tmp_t:file create_file_perms;
files_create_private_tmp_data(iptables_t, iptables_tmp_t, { file dir }) files_create_tmp_files(iptables_t, iptables_tmp_t, { file dir })
allow iptables_t self:rawip_socket create_socket_perms; allow iptables_t self:rawip_socket create_socket_perms;
@ -48,27 +48,27 @@ fs_getattr_xattr_fs(iptables_t)
term_dontaudit_use_console(iptables_t) term_dontaudit_use_console(iptables_t)
domain_use_widely_inheritable_file_descriptors(iptables_t) domain_use_wide_inherit_fd(iptables_t)
files_read_general_system_config(iptables_t) files_read_generic_etc_files(iptables_t)
init_use_file_descriptors(iptables_t) init_use_fd(iptables_t)
init_script_use_pseudoterminal(iptables_t) init_use_script_pty(iptables_t)
# to allow rules to be saved on reboot: # to allow rules to be saved on reboot:
init_script_modify_temporary_data(iptables_t) init_rw_script_tmp_files(iptables_t)
libraries_use_dynamic_loader(iptables_t) libs_use_ld_so(iptables_t)
libraries_use_shared_libraries(iptables_t) libs_use_shared_libs(iptables_t)
logging_send_system_log_message(iptables_t) logging_send_syslog_msg(iptables_t)
# system-config-network appends to /var/log # system-config-network appends to /var/log
#logging_append_system_logs(iptables_t) #logging_append_system_logs(iptables_t)
miscfiles_read_localization(iptables_t) miscfiles_read_localization(iptables_t)
sysnetwork_ifconfig_transition(iptables_t) sysnet_domtrans_ifconfig(iptables_t)
userdomain_use_all_users_file_descriptors(iptables_t) userdom_use_all_user_fd(iptables_t)
tunable_policy(`use_dns',` tunable_policy(`use_dns',`
allow iptables_t self:udp_socket create_socket_perms; allow iptables_t self:udp_socket create_socket_perms;
@ -80,12 +80,12 @@ tunable_policy(`use_dns',`
corenet_udp_bind_all_nodes(iptables_t) corenet_udp_bind_all_nodes(iptables_t)
corenet_udp_sendrecv_dns_port(iptables_t) corenet_udp_sendrecv_dns_port(iptables_t)
sysnetwork_read_network_config(iptables_t) sysnet_read_config(iptables_t)
') ')
optional_policy(`modutils.te', ` optional_policy(`modutils.te', `
corecommands_search_system_programs_directory(iptables_t) corecmd_search_sbin(iptables_t)
modutils_insmod_transition(iptables_t) modutils_domtrans_insmod(iptables_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
@ -93,14 +93,14 @@ optional_policy(`selinux.te',`
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_read_database(iptables_t) udev_read_db(iptables_t)
') ')
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(iptables_t) term_dontaudit_use_unallocated_tty(iptables_t)
terminal_ignore_use_general_pseudoterminal(iptables_t) terminal_ignore_use_general_pseudoterminal(iptables_t)
files_ignore_read_rootfs_file(iptables_t) files_dontaudit_read_root_file(iptables_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
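Review bot: `terminal_ignore_use_general_pseudoterminal(iptables_t)` on the `targeted_policy` branch is the one interface call in this file left in the old naming scheme; the other terminal calls here now use the `term_dontaudit_*` form (`term_dontaudit_use_console`, `term_dontaudit_use_unallocated_tty`), so this looks like a missed rename. If the old name no longer exists after this commit, m4 passes the call through unexpanded and the policy build fails on that line, so it should be changed to the renamed terminal interface. The commented-out `#logging_append_system_logs(iptables_t)` a few lines up also still carries the old `logging_*_system_logs` spelling; either update it to the new name or drop the dead comment.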


@ -2,7 +2,7 @@
## <summary>Policy for system libraries.</summary> ## <summary>Policy for system libraries.</summary>
######################################## ########################################
## <interface name="libraries_ldconfig_transition"> ## <interface name="libs_domtrans_ldconfig">
## <description> ## <description>
## Execute ldconfig in the ldconfig domain. ## Execute ldconfig in the ldconfig domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`libraries_ldconfig_transition',` define(`libs_domtrans_ldconfig',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1,ldconfig_exec_t,ldconfig_t) domain_auto_trans($1,ldconfig_exec_t,ldconfig_t)
@ -22,7 +22,7 @@ define(`libraries_ldconfig_transition',`
allow ldconfig_t $1:process sigchld; allow ldconfig_t $1:process sigchld;
') ')
define(`libraries_ldconfig_transition_depend',` define(`libs_domtrans_ldconfig_depend',`
type ldconfig_t, ldconfig_exec_t; type ldconfig_t, ldconfig_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -32,7 +32,7 @@ define(`libraries_ldconfig_transition_depend',`
') ')
######################################## ########################################
## <interface name="libraries_ldconfig_transition_add_role_use_terminal"> ## <interface name="libs_run_ldconfig">
## <description> ## <description>
## Execute ldconfig in the ldconfig domain. ## Execute ldconfig in the ldconfig domain.
## </description> ## </description>
@ -47,22 +47,22 @@ define(`libraries_ldconfig_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`libraries_ldconfig_transition_add_role_use_terminal',` define(`libs_run_ldconfig',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
libraries_ldconfig_transition($1) libs_domtrans_ldconfig($1)
role $2 types ldconfig_t; role $2 types ldconfig_t;
allow ldconfig_t $3:chr_file { getattr read write ioctl }; allow ldconfig_t $3:chr_file { getattr read write ioctl };
') ')
define(`libraries_ldconfig_transition_add_role_use_terminal_depend',` define(`libs_run_ldconfig_depend',`
type ldconfig_t; type ldconfig_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
') ')
######################################## ########################################
## <interface name="libraries_use_dynamic_loader"> ## <interface name="libs_use_ld_so">
## <description> ## <description>
## Use the dynamic link/loader for automatic loading ## Use the dynamic link/loader for automatic loading
## of shared libraries. ## of shared libraries.
@ -72,10 +72,10 @@ define(`libraries_ldconfig_transition_add_role_use_terminal_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`libraries_use_dynamic_loader',` define(`libs_use_ld_so',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_read_general_system_config_directory($1) files_read_generic_etc_files_directory($1)
allow $1 lib_t:dir r_dir_perms; allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms; allow $1 lib_t:lnk_file r_file_perms;
allow $1 ld_so_t:lnk_file r_file_perms; allow $1 ld_so_t:lnk_file r_file_perms;
@ -83,7 +83,7 @@ define(`libraries_use_dynamic_loader',`
allow $1 ld_so_cache_t:file r_file_perms; allow $1 ld_so_cache_t:file r_file_perms;
') ')
define(`libraries_use_dynamic_loader_depend',` define(`libs_use_ld_so_depend',`
type lib_t, ld_so_t, ld_so_cache_t; type lib_t, ld_so_t, ld_so_cache_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -92,7 +92,7 @@ define(`libraries_use_dynamic_loader_depend',`
') ')
######################################## ########################################
## <interface name="libraries_legacy_use_dynamic_loader"> ## <interface name="libs_legacy_use_ld_so">
## <description> ## <description>
## Use the dynamic link/loader for automatic loading ## Use the dynamic link/loader for automatic loading
## of shared libraries with legacy support. ## of shared libraries with legacy support.
@ -102,22 +102,22 @@ define(`libraries_use_dynamic_loader_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`libraries_legacy_use_dynamic_loader',` define(`libs_legacy_use_ld_so',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
libraries_use_dynamic_loader($1) libs_use_ld_so($1)
allow $1 ld_so_t:file execmod; allow $1 ld_so_t:file execmod;
allow $1 ld_so_cache_t:file execute; allow $1 ld_so_cache_t:file execute;
') ')
define(`libraries_legacy_use_dynamic_loader_depend',` define(`libs_legacy_use_ld_so_depend',`
type ld_so_t, ld_so_cache_t; type ld_so_t, ld_so_cache_t;
class file { execute execmod }; class file { execute execmod };
') ')
######################################## ########################################
## <interface name="libraries_execute_dynamic_loader"> ## <interface name="libs_exec_ld_so">
## <description> ## <description>
## Execute the dynamic link/loader in the caller's ## Execute the dynamic link/loader in the caller's
## domain. This is commonly needed for the ## domain. This is commonly needed for the
@ -131,7 +131,7 @@ define(`libraries_legacy_use_dynamic_loader_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`libraries_execute_dynamic_loader',` define(`libs_exec_ld_so',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 lib_t:dir r_dir_perms; allow $1 lib_t:dir r_dir_perms;
@ -140,7 +140,7 @@ define(`libraries_execute_dynamic_loader',`
allow $1 ld_so_t:file { r_file_perms execute execute_no_trans }; allow $1 ld_so_t:file { r_file_perms execute execute_no_trans };
') ')
define(`libraries_execute_dynamic_loader_depend',` define(`libs_exec_ld_so_depend',`
type lib_t, ld_so_t; type lib_t, ld_so_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -149,7 +149,7 @@ define(`libraries_execute_dynamic_loader_depend',`
') ')
######################################## ########################################
## <interface name="libraries_modify_dynamic_loader_cache"> ## <interface name="libs_rw_ld_so_cache">
## <description> ## <description>
## Modify the dynamic link/loader's cached listing ## Modify the dynamic link/loader's cached listing
## of shared libraries. ## of shared libraries.
@ -159,21 +159,21 @@ define(`libraries_execute_dynamic_loader_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`libraries_modify_dynamic_loader_cache',` define(`libs_rw_ld_so_cache',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_read_general_system_config_directory($1) files_read_generic_etc_files_directory($1)
allow $1 ld_so_cache_t:file rw_file_perms; allow $1 ld_so_cache_t:file rw_file_perms;
') ')
define(`libraries_modify_dynamic_loader_cache_depend',` define(`libs_rw_ld_so_cache_depend',`
type ld_so_cache_t; type ld_so_cache_t;
class file rw_file_perms; class file rw_file_perms;
') ')
######################################## ########################################
## <interface name="libraries_read_library_resources"> ## <interface name="libs_read_lib">
## <description> ## <description>
## Read files in the library directories, such ## Read files in the library directories, such
## as static libraries. ## as static libraries.
@ -183,14 +183,14 @@ define(`libraries_modify_dynamic_loader_cache_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`libraries_read_library_resources',` define(`libs_read_lib',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 lib_t:dir r_dir_perms; allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:{ file lnk_file } r_file_perms; allow $1 lib_t:{ file lnk_file } r_file_perms;
') ')
define(`libraries_read_library_resources_depend',` define(`libs_read_lib_depend',`
type lib_t; type lib_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -199,7 +199,7 @@ define(`libraries_read_library_resources_depend',`
') ')
######################################## ########################################
## <interface name="libraries_execute_library_scripts"> ## <interface name="libs_exec_lib_files">
## <description> ## <description>
## Execute library scripts in the caller domain. ## Execute library scripts in the caller domain.
## </description> ## </description>
@ -208,7 +208,7 @@ define(`libraries_read_library_resources_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`libraries_execute_library_scripts',` define(`libs_exec_lib_files',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 lib_t:dir r_dir_perms; allow $1 lib_t:dir r_dir_perms;
@ -216,7 +216,7 @@ define(`libraries_execute_library_scripts',`
allow $1 lib_t:file { getattr read execute execute_no_trans }; allow $1 lib_t:file { getattr read execute execute_no_trans };
') ')
define(`libraries_execute_library_scripts_depend',` define(`libs_exec_lib_files_depend',`
type lib_t; type lib_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -225,7 +225,7 @@ define(`libraries_execute_library_scripts_depend',`
') ')
######################################## ########################################
## <interface name="libraries_use_shared_libraries"> ## <interface name="libs_use_shared_libs">
## <description> ## <description>
## Load and execute functions from shared libraries. ## Load and execute functions from shared libraries.
## </description> ## </description>
@ -234,17 +234,17 @@ define(`libraries_execute_library_scripts_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`libraries_use_shared_libraries',` define(`libs_use_shared_libs',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_general_application_resources_dir($1) files_search_usr($1)
allow $1 lib_t:dir r_dir_perms; allow $1 lib_t:dir r_dir_perms;
allow $1 lib_t:lnk_file r_file_perms; allow $1 lib_t:lnk_file r_file_perms;
allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms; allow $1 { shlib_t texrel_shlib_t }:lnk_file r_file_perms;
allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms; allow $1 { shlib_t texrel_shlib_t }:file rx_file_perms;
') ')
define(`libraries_use_shared_libraries_depend',` define(`libs_use_shared_libs_depend',`
type lib_t, shlib_t, texrel_shlib_t; type lib_t, shlib_t, texrel_shlib_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -253,7 +253,7 @@ define(`libraries_use_shared_libraries_depend',`
') ')
######################################## ########################################
## <interface name="libraries_legacy_use_shared_libraries"> ## <interface name="libs_legacy_use_shared_libs">
## <description> ## <description>
## Load and execute functions from shared libraries, ## Load and execute functions from shared libraries,
## with legacy support. ## with legacy support.
@ -263,14 +263,14 @@ define(`libraries_use_shared_libraries_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`libraries_legacy_use_shared_libraries',` define(`libs_legacy_use_shared_libs',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
libraries_use_shared_libraries($1) libs_use_shared_libs($1)
allow $1 { shlib_t texrel_shlib_t }:file execmod; allow $1 { shlib_t texrel_shlib_t }:file execmod;
') ')
define(`libraries_legacy_use_shared_libraries_depend',` define(`libs_legacy_use_shared_libs_depend',`
type shlib_t, texrel_shlib_t; type shlib_t, texrel_shlib_t;
class file execmod; class file execmod;
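Review bot: `files_read_generic_etc_files_directory($1)` in `libs_use_ld_so` and again in `libs_rw_ld_so_cache` reads like the product of substituting the prefix `files_read_general_system_config` with `files_read_generic_etc_files` while leaving the `_directory` suffix attached; it does not follow the `files_<action>_<object>` shape of the other renamed calls in this hunk (e.g. `files_search_usr($1)`). Confirm the files module actually exports an interface with this exact name, since m4 leaves an undefined name unexpanded and the mistake only surfaces as a checkpolicy syntax error. If the intended permission is to search the etc directory, the call should use whatever the files module names that operation.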


@ -10,33 +10,33 @@ policy_module(libraries,1.0)
# ld_so_cache_t is the type of /etc/ld.so.cache. # ld_so_cache_t is the type of /etc/ld.so.cache.
# #
type ld_so_cache_t; type ld_so_cache_t;
files_make_file(ld_so_cache_t) files_file_type(ld_so_cache_t)
# #
# ld_so_t is the type of the system dynamic loaders. # ld_so_t is the type of the system dynamic loaders.
# #
type ld_so_t; type ld_so_t;
files_make_file(ld_so_t) files_file_type(ld_so_t)
# #
# lib_t is the type of files in the system lib directories. # lib_t is the type of files in the system lib directories.
# #
type lib_t; type lib_t;
files_make_file(lib_t) files_file_type(lib_t)
# #
# shlib_t is the type of shared objects in the system lib # shlib_t is the type of shared objects in the system lib
# directories. # directories.
# #
type shlib_t; type shlib_t;
files_make_file(shlib_t) files_file_type(shlib_t)
# #
# texrel_shlib_t is the type of shared objects in the system lib # texrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation. # directories, which require text relocation.
# #
type texrel_shlib_t; type texrel_shlib_t;
files_make_file(texrel_shlib_t) files_file_type(texrel_shlib_t)
######################################## ########################################
# #
@ -44,11 +44,11 @@ files_make_file(texrel_shlib_t)
# #
type ldconfig_t; type ldconfig_t;
type ldconfig_exec_t; type ldconfig_exec_t;
init_make_system_domain(ldconfig_t,ldconfig_exec_t) init_system_domain(ldconfig_t,ldconfig_exec_t)
role system_r types ldconfig_t; role system_r types ldconfig_t;
allow ldconfig_t ld_so_cache_t:file create_file_perms; allow ldconfig_t ld_so_cache_t:file create_file_perms;
files_create_private_config(ldconfig_t,ld_so_cache_t,file) files_create_etc_config(ldconfig_t,ld_so_cache_t,file)
allow ldconfig_t lib_t:dir rw_dir_perms; allow ldconfig_t lib_t:dir rw_dir_perms;
allow ldconfig_t lib_t:lnk_file { getattr create read unlink }; allow ldconfig_t lib_t:lnk_file { getattr create read unlink };
@ -62,17 +62,17 @@ kernel_read_system_state(ldconfig_t)
fs_getattr_xattr_fs(ldconfig_t) fs_getattr_xattr_fs(ldconfig_t)
domain_use_widely_inheritable_file_descriptors(ldconfig_t) domain_use_wide_inherit_fd(ldconfig_t)
files_read_general_system_config(ldconfig_t) files_read_generic_etc_files(ldconfig_t)
# for when /etc/ld.so.cache is mislabeled: # for when /etc/ld.so.cache is mislabeled:
files_remove_general_system_config(ldconfig_t) files_delete_generic_etc_files(ldconfig_t)
init_script_use_pseudoterminal(ldconfig_t) init_use_script_pty(ldconfig_t)
logging_send_system_log_message(ldconfig_t) logging_send_syslog_msg(ldconfig_t)
userdomain_use_all_users_file_descriptors(ldconfig_t) userdom_use_all_user_fd(ldconfig_t)
ifdef(`TODO',` ifdef(`TODO',`


@ -2,7 +2,7 @@
## <summary>Policy for local logins.</summary> ## <summary>Policy for local logins.</summary>
######################################## ########################################
## <interface name="locallogin_transition"> ## <interface name="locallogin_domtrans">
## <description> ## <description>
## Execute local logins in the locallogin domain. ## Execute local logins in the locallogin domain.
## </description> ## </description>
@ -11,18 +11,18 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`locallogin_transition',` define(`locallogin_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
authlogin_login_program_transition($1,local_login_t) auth_domtrans_login_program($1,local_login_t)
') ')
define(`locallogin_transition_depend',` define(`locallogin_domtrans_depend',`
type local_login_t; type local_login_t;
') ')
######################################## ########################################
## <interface name="locallogin_use_file_descriptors"> ## <interface name="locallogin_use_fd">
## <description> ## <description>
## Allow processes to inherit local login file descriptors ## Allow processes to inherit local login file descriptors
## </description> ## </description>
@ -33,15 +33,15 @@ define(`locallogin_transition_depend',`
# #
######################################## ########################################
# #
# locallogin_use_file_descriptors(domain) # locallogin_use_fd(domain)
# #
define(`locallogin_use_file_descriptors',` define(`locallogin_use_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 local_login_t:fd use; allow $1 local_login_t:fd use;
') ')
define(`locallogin_use_file_descriptors_depend',` define(`locallogin_use_fd_depend',`
type local_login_t; type local_login_t;
class fd use; class fd use;
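Review bot: The documentation for `locallogin_use_fd` is duplicated: the XML `## <interface name="locallogin_use_fd">` block is immediately followed by a second legacy banner `# locallogin_use_fd(domain)` framed by `#` rules, so the same interface is described twice in two styles. The legacy banner (the five lines from the second `########################################` through the closing `#`) should be dropped so only the XML block remains, consistent with `locallogin_domtrans` above it. The middle of the XML block falls outside the hunk, so check the parameter documentation there survives the cleanup.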


@ -7,25 +7,25 @@ policy_module(locallogin,1.0)
# #
type local_login_t; #, nscd_client_domain; type local_login_t; #, nscd_client_domain;
kernel_make_object_identity_change_constraint_exception(local_login_t) kernel_obj_id_change_exempt(local_login_t)
kernel_make_process_identity_change_constraint_exception(local_login_t) kernel_subj_id_change_exempt(local_login_t)
kernel_make_role_change_constraint_exception(local_login_t) kernel_role_change_exempt(local_login_t)
authlogin_make_login_program_entrypoint(local_login_t) auth_login_entry_type(local_login_t)
domain_make_domain(local_login_t) domain_type(local_login_t)
domain_make_file_descriptors_widely_inheritable(local_login_t) domain_wide_inherit_fd(local_login_t)
role system_r types local_login_t; role system_r types local_login_t;
type local_login_tmp_t; type local_login_tmp_t;
files_make_file(local_login_tmp_t) files_file_type(local_login_tmp_t)
type sulogin_t; type sulogin_t;
type sulogin_exec_t; type sulogin_exec_t;
kernel_make_object_identity_change_constraint_exception(sulogin_t) kernel_obj_id_change_exempt(sulogin_t)
kernel_make_process_identity_change_constraint_exception(sulogin_t) kernel_subj_id_change_exempt(sulogin_t)
kernel_make_role_change_constraint_exception(sulogin_t) kernel_role_change_exempt(sulogin_t)
domain_make_file_descriptors_widely_inheritable(sulogin_t) domain_wide_inherit_fd(sulogin_t)
init_make_init_domain(sulogin_t,sulogin_exec_t) init_domain(sulogin_t,sulogin_exec_t)
init_make_system_domain(sulogin_t,sulogin_exec_t) init_system_domain(sulogin_t,sulogin_exec_t)
role system_r types sulogin_t; role system_r types sulogin_t;
######################################## ########################################
@ -49,7 +49,7 @@ allow local_login_t self:msg { send receive };
allow local_login_t local_login_tmp_t:dir create_dir_perms; allow local_login_t local_login_tmp_t:dir create_dir_perms;
allow local_login_t local_login_tmp_t:file create_file_perms; allow local_login_t local_login_tmp_t:file create_file_perms;
files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir }) files_create_tmp_files(local_login_t, local_login_tmp_t, { file dir })
kernel_read_system_state(local_login_t) kernel_read_system_state(local_login_t)
kernel_read_kernel_sysctl(local_login_t) kernel_read_kernel_sysctl(local_login_t)
@ -70,47 +70,47 @@ term_relabel_all_user_ttys(local_login_t)
term_setattr_all_user_ttys(local_login_t) term_setattr_all_user_ttys(local_login_t)
term_setattr_unallocated_ttys(local_login_t) term_setattr_unallocated_ttys(local_login_t)
authlogin_check_password_transition(local_login_t) auth_domtrans_chk_passwd(local_login_t)
authlogin_ignore_read_shadow_passwords(local_login_t) auth_dontaudit_read_shadow(local_login_t)
authlogin_modify_login_records(local_login_t) auth_rw_login_records(local_login_t)
authlogin_modify_last_login_log(local_login_t) auth_rw_lastlog(local_login_t)
authlogin_modify_login_failure_records(local_login_t) auth_rw_faillog(local_login_t)
authlogin_pam_execute(local_login_t) auth_exec_pam(local_login_t)
authlogin_pam_console_manage_runtime_data(local_login_t) auth_manage_pam_console_data(local_login_t)
domain_read_all_entrypoint_programs(local_login_t) domain_read_all_entry_files(local_login_t)
files_read_general_system_config(local_login_t) files_read_generic_etc_files(local_login_t)
files_read_runtime_system_config(local_login_t) files_read_etc_runtime_files(local_login_t)
files_read_general_application_resources(local_login_t) files_read_usr_files(local_login_t)
files_manage_system_lock_files(var_lock_t) files_manage_generic_lock_files(var_lock_t)
init_script_modify_runtime_data(local_login_t) init_rw_script_pid(local_login_t)
init_ignore_use_file_descriptors(local_login_t) init_dontaudit_use_fd(local_login_t)
libraries_use_dynamic_loader(local_login_t) libs_use_ld_so(local_login_t)
libraries_use_shared_libraries(local_login_t) libs_use_shared_libs(local_login_t)
logging_send_system_log_message(local_login_t) logging_send_syslog_msg(local_login_t)
miscfiles_read_localization(local_login_t) miscfiles_read_localization(local_login_t)
selinux_read_config(local_login_t) selinux_read_config(local_login_t)
selinux_read_default_contexts(local_login_t) selinux_read_default_contexts(local_login_t)
userdomain_all_users_explicit_transition(local_login_t) userdom_spec_domtrans_all_users(local_login_t)
userdomain_signal_all_userdomains(local_login_t) userdom_signal_all_users(local_login_t)
userdomain_search_all_users_home_dirs(local_login_t) userdom_search_all_users_home(local_login_t)
userdomain_use_all_unprivileged_users_file_descriptors(local_login_t) userdom_use_unpriv_users_fd(local_login_t)
# Search for mail spool file. # Search for mail spool file.
mta_get_mail_spool_attributes(local_login_t) mta_getattr_spool(local_login_t)
# Red Hat systems seem to have a stray # Red Hat systems seem to have a stray
# fd open from the initrd # fd open from the initrd
optional_policy(`distro_redhat',` optional_policy(`distro_redhat',`
kernel_dontaudit_use_fd(local_login_t) kernel_dontaudit_use_fd(local_login_t)
files_ignore_read_rootfs_file(local_login_t) files_dontaudit_read_root_file(local_login_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
@ -210,24 +210,24 @@ allow sulogin_t self:msg { send receive };
kernel_read_system_state(sulogin_t) kernel_read_system_state(sulogin_t)
init_script_get_process_group(sulogin_t) init_get_script_process_group(sulogin_t)
files_read_general_system_config(sulogin_t) files_read_generic_etc_files(sulogin_t)
# because file systems are not mounted: # because file systems are not mounted:
files_ignore_search_isid_type_dir(sulogin_t) files_dontaudit_search_isid_type_dir(sulogin_t)
libraries_use_dynamic_loader(sulogin_t) libs_use_ld_so(sulogin_t)
libraries_use_shared_libraries(sulogin_t) libs_use_shared_libs(sulogin_t)
logging_send_system_log_message(sulogin_t) logging_send_syslog_msg(sulogin_t)
selinux_read_config(sulogin_t) selinux_read_config(sulogin_t)
selinux_read_default_contexts(sulogin_t) selinux_read_default_contexts(sulogin_t)
authlogin_read_shadow_passwords(sulogin_t) auth_read_shadow(sulogin_t)
userdomain_sysadm_shell_transition(sulogin_t) userdom_shell_domtrans_sysadm(sulogin_t)
userdomain_use_all_unprivileged_users_file_descriptors(sulogin_t) userdom_use_unpriv_users_fd(sulogin_t)
# suse and debian do not use pam with sulogin... # suse and debian do not use pam with sulogin...
ifdef(`monolithic_policy',` ifdef(`monolithic_policy',`
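Review bot: `files_manage_generic_lock_files(var_lock_t)` in the third hunk passes a file type where every neighbouring call in that block passes the subject domain, so as written it appears to grant local_login_t nothing; presumably it should read `files_manage_generic_lock_files(local_login_t)`. The rename keeps the argument unchanged, so this is inherited rather than introduced, but the line is being touched anyway and is worth fixing in the same pass. The interface definition is not visible from here, so confirm what its first parameter expects before changing it.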


@ -3,24 +3,24 @@
####################################### #######################################
# #
# logging_make_log_file(domain) # logging_log_file(domain)
# #
define(`logging_make_log_file',` define(`logging_log_file',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_make_file($1) files_file_type($1)
typeattribute $1 logfile; typeattribute $1 logfile;
') ')
define(`logging_make_log_file_depend',` define(`logging_log_file_depend',`
attribute logfile; attribute logfile;
') ')
######################################## ########################################
# #
# logging_create_private_log(domain,privatetype,[class(es)]) # logging_create_log(domain,privatetype,[class(es)])
# #
define(`logging_create_private_log',` define(`logging_create_log',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 var_log_t:dir rw_dir_perms; allow $1 var_log_t:dir rw_dir_perms;
@ -32,7 +32,7 @@ define(`logging_create_private_log',`
') ')
') ')
define(`logging_create_private_log_depend',` define(`logging_create_log_depend',`
type var_log_t; type var_log_t;
class dir rw_dir_perms; class dir rw_dir_perms;
@ -40,9 +40,9 @@ define(`logging_create_private_log_depend',`
####################################### #######################################
# #
# logging_send_system_log_message(domain) # logging_send_syslog_msg(domain)
# #
define(`logging_send_system_log_message',` define(`logging_send_syslog_msg',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 devlog_t:lnk_file read; allow $1 devlog_t:lnk_file read;
@ -58,7 +58,7 @@ define(`logging_send_system_log_message',`
term_use_console($1) term_use_console($1)
') ')
define(`logging_send_system_log_message_depend',` define(`logging_send_syslog_msg_depend',`
type syslogd_t, devlog_t; type syslogd_t, devlog_t;
class sock_file rw_file_perms; class sock_file rw_file_perms;
@ -67,7 +67,7 @@ define(`logging_send_system_log_message_depend',`
') ')
######################################## ########################################
## <interface name="logging_search_system_log_directory"> ## <interface name="logging_search_logs">
## <description> ## <description>
## Allows the domain to open a file in the ## Allows the domain to open a file in the
## log directory, but does not allow the listing ## log directory, but does not allow the listing
@ -78,14 +78,14 @@ define(`logging_send_system_log_message_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`logging_search_system_log_directory',` define(`logging_search_logs',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1) files_search_var($1)
allow $1 var_log_t:dir search; allow $1 var_log_t:dir search;
') ')
define(`logging_search_system_log_directory_depend',` define(`logging_search_logs_depend',`
type var_log_t; type var_log_t;
class dir search; class dir search;
@ -93,15 +93,15 @@ define(`logging_search_system_log_directory_depend',`
####################################### #######################################
# #
# logging_ignore_get_all_logs_attributes(domain) # logging_dontaudit_getattr_all_logs(domain)
# #
define(`logging_ignore_get_all_logs_attributes',` define(`logging_dontaudit_getattr_all_logs',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 logfile:file getattr; dontaudit $1 logfile:file getattr;
') ')
define(`logging_ignore_get_all_logs_attributes_depend',` define(`logging_dontaudit_getattr_all_logs_depend',`
attribute logfile; attribute logfile;
class file getattr; class file getattr;
@ -114,7 +114,7 @@ define(`logging_ignore_get_all_logs_attributes_depend',`
define(`logging_append_all_logs',` define(`logging_append_all_logs',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1) files_search_var($1)
allow $1 var_log_t:dir r_dir_perms; allow $1 var_log_t:dir r_dir_perms;
allow $1 logfile:file { getattr append }; allow $1 logfile:file { getattr append };
') ')
@ -135,7 +135,7 @@ define(`logging_append_all_logs_depend',`
define(`logging_read_all_logs',` define(`logging_read_all_logs',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1) files_search_var($1)
allow $1 var_log_t:dir r_dir_perms; allow $1 var_log_t:dir r_dir_perms;
allow $1 logfile:file r_file_perms; allow $1 logfile:file r_file_perms;
') ')
@ -151,17 +151,17 @@ define(`logging_read_all_logs_depend',`
####################################### #######################################
# #
# logging_read_system_logs(domain) # logging_read_generic_logs(domain)
# #
define(`logging_read_system_logs',` define(`logging_read_generic_logs',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1) files_search_var($1)
allow $1 var_log_t:dir r_dir_perms; allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file r_file_perms; allow $1 var_log_t:file r_file_perms;
') ')
define(`logging_read_system_logs_depend',` define(`logging_read_generic_logs_depend',`
type var_log_t; type var_log_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -170,17 +170,17 @@ define(`logging_read_system_logs_depend',`
####################################### #######################################
# #
# logging_write_system_logs(domain) # logging_write_generic_logs(domain)
# #
define(`logging_write_system_logs',` define(`logging_write_generic_logs',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1) files_search_var($1)
allow $1 var_log_t:dir r_dir_perms; allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file { getattr write }; allow $1 var_log_t:file { getattr write };
') ')
define(`logging_write_system_logs_depend',` define(`logging_write_generic_logs_depend',`
type var_log_t; type var_log_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -189,17 +189,17 @@ define(`logging_write_system_logs_depend',`
####################################### #######################################
# #
# logging_modify_system_logs(domain) # logging_rw_generic_logs(domain)
# #
define(`logging_modify_system_logs',` define(`logging_rw_generic_logs',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_system_state_data_directory($1) files_search_var($1)
allow $1 var_log_t:dir r_dir_perms; allow $1 var_log_t:dir r_dir_perms;
allow $1 var_log_t:file rw_file_perms; allow $1 var_log_t:file rw_file_perms;
') ')
define(`logging_modify_system_logs_depend',` define(`logging_rw_generic_logs_depend',`
type var_log_t; type var_log_t;
class dir r_dir_perms; class dir r_dir_perms;
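Review bot: The header comment `# logging_log_file(domain)` in the first hunk mislabels the parameter: the body applies `files_file_type($1)` and `typeattribute $1 logfile` to it, so $1 is a log file type, not a domain. Suggest `# logging_log_file(type)` so callers do not pass a subject domain by mistake. The other interfaces in this file that really take a domain keep their `(domain)` headers, so this is the only one that reads wrong.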


@ -9,40 +9,40 @@ policy_module(logging,1.0)
attribute logfile; attribute logfile;
type auditd_log_t; type auditd_log_t;
logging_make_log_file(auditd_t,auditd_log_t) logging_log_file(auditd_t,auditd_log_t)
type auditd_t; type auditd_t;
type auditd_exec_t; type auditd_exec_t;
init_make_daemon_domain(auditd_t,auditd_exec_t) init_daemon_domain(auditd_t,auditd_exec_t)
type auditd_var_run_t; type auditd_var_run_t;
files_make_daemon_runtime_file(auditd_var_run_t) files_pid_file(auditd_var_run_t)
type devlog_t; type devlog_t;
files_make_file(devlog_t) files_file_type(devlog_t)
type klogd_t; type klogd_t;
type klogd_exec_t; type klogd_exec_t;
init_make_daemon_domain(klogd_t,klogd_exec_t) init_daemon_domain(klogd_t,klogd_exec_t)
type klogd_tmp_t; type klogd_tmp_t;
files_make_temporary_file(klogd_tmp_t) files_tmp_file(klogd_tmp_t)
type klogd_var_run_t; type klogd_var_run_t;
files_make_daemon_runtime_file(klogd_var_run_t) files_pid_file(klogd_var_run_t)
type syslogd_t; type syslogd_t;
type syslogd_exec_t; type syslogd_exec_t;
init_make_daemon_domain(syslogd_t,syslogd_exec_t) init_daemon_domain(syslogd_t,syslogd_exec_t)
type syslogd_tmp_t; type syslogd_tmp_t;
files_make_temporary_file(syslogd_tmp_t) files_tmp_file(syslogd_tmp_t)
type syslogd_var_run_t; type syslogd_var_run_t;
files_make_daemon_runtime_file(syslogd_var_run_t) files_pid_file(syslogd_var_run_t)
type var_log_t, logfile; type var_log_t, logfile;
files_make_file(var_log_t) files_file_type(var_log_t)
######################################## ########################################
# #
@ -56,7 +56,7 @@ allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_
allow auditd_t auditd_log_t:file create_file_perms; allow auditd_t auditd_log_t:file create_file_perms;
allow auditd_t auditd_var_run_t:file create_file_perms; allow auditd_t auditd_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(auditd_t,auditd_var_run_t) files_create_pid(auditd_t,auditd_var_run_t)
kernel_read_kernel_sysctl(auditd_t) kernel_read_kernel_sysctl(auditd_t)
kernel_read_hardware_state(auditd_t) kernel_read_hardware_state(auditd_t)
@ -65,24 +65,24 @@ fs_getattr_all_fs(auditd_t)
term_dontaudit_use_console(auditd_t) term_dontaudit_use_console(auditd_t)
init_use_file_descriptors(auditd_t) init_use_fd(auditd_t)
init_script_use_pseudoterminal(auditd_t) init_use_script_pty(auditd_t)
domain_use_widely_inheritable_file_descriptors(auditd_t) domain_use_wide_inherit_fd(auditd_t)
files_read_general_system_config(auditd_t) files_read_generic_etc_files(auditd_t)
logging_send_system_log_message(auditd_t) logging_send_syslog_msg(auditd_t)
libraries_use_dynamic_loader(auditd_t) libs_use_ld_so(auditd_t)
libraries_use_shared_libraries(auditd_t) libs_use_shared_libs(auditd_t)
miscfiles_read_localization(auditd_t) miscfiles_read_localization(auditd_t)
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(auditd_t) term_dontaudit_use_unallocated_tty(auditd_t)
terminal_ignore_use_general_pseudoterminal(auditd_t) terminal_ignore_use_general_pseudoterminal(auditd_t)
files_ignore_read_rootfs_file(auditd_t) files_dontaudit_read_root_file(auditd_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
@ -90,7 +90,7 @@ optional_policy(`selinux.te',`
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_read_database(auditd_t) udev_read_db(auditd_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
@ -115,7 +115,7 @@ allow auditd_t sysadm_tty_device_t:chr_file rw_file_perms;
# #
allow klogd_t klogd_tmp_t:file create_file_perms; allow klogd_t klogd_tmp_t:file create_file_perms;
files_create_private_tmp_data(klogd_t,klogd_tmp_t) files_create_tmp_files(klogd_t,klogd_tmp_t)
allow klogd_t klogd_var_run_t:file create_file_perms; allow klogd_t klogd_var_run_t:file create_file_perms;
@ -134,17 +134,17 @@ dev_read_raw_memory(klogd_t)
fs_getattr_all_fs(klogd_t) fs_getattr_all_fs(klogd_t)
files_create_daemon_runtime_data(klogd_t,klogd_var_run_t) files_create_pid(klogd_t,klogd_var_run_t)
files_read_runtime_system_config(klogd_t) files_read_etc_runtime_files(klogd_t)
# read /etc/nsswitch.conf # read /etc/nsswitch.conf
files_read_general_system_config(klogd_t) files_read_generic_etc_files(klogd_t)
init_use_file_descriptors(klogd_t) init_use_fd(klogd_t)
libraries_use_dynamic_loader(klogd_t) libs_use_ld_so(klogd_t)
libraries_use_shared_libraries(klogd_t) libs_use_shared_libs(klogd_t)
logging_send_system_log_message(klogd_t) logging_send_syslog_msg(klogd_t)
miscfiles_read_localization(klogd_t) miscfiles_read_localization(klogd_t)
@ -170,21 +170,21 @@ allow syslogd_t var_log_t:file create_file_perms;
# manage temporary files # manage temporary files
allow syslogd_t syslogd_tmp_t:file create_file_perms; allow syslogd_t syslogd_tmp_t:file create_file_perms;
files_create_private_tmp_data(syslogd_t,syslogd_tmp_t) files_create_tmp_files(syslogd_t,syslogd_tmp_t)
allow syslogd_t syslogd_var_run_t:file create_file_perms; allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file) files_create_pid(syslogd_t,syslogd_var_run_t,file)
# Create and bind to /dev/log or /var/run/log. # Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file create_file_perms; allow syslogd_t devlog_t:sock_file create_file_perms;
files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file) files_create_pid(syslogd_t,devlog_t,sock_file)
# I belive these are not needed: # I belive these are not needed:
allow syslogd_t devlog_t:unix_stream_socket name_bind; allow syslogd_t devlog_t:unix_stream_socket name_bind;
allow syslogd_t devlog_t:unix_dgram_socket name_bind; allow syslogd_t devlog_t:unix_dgram_socket name_bind;
# manage pid file # manage pid file
allow syslogd_t syslogd_var_run_t:file create_file_perms; allow syslogd_t syslogd_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t) files_create_pid(syslogd_t,syslogd_var_run_t)
kernel_read_hardware_state(syslogd_t) kernel_read_hardware_state(syslogd_t)
kernel_read_kernel_sysctl(syslogd_t) kernel_read_kernel_sysctl(syslogd_t)
@ -196,8 +196,8 @@ term_dontaudit_use_console(syslogd_t)
term_write_unallocated_ttys(syslogd_t) term_write_unallocated_ttys(syslogd_t)
# for sending messages to logged in users # for sending messages to logged in users
init_script_read_runtime_data(syslogd_t) init_read_script_pid(syslogd_t)
init_script_ignore_write_runtime_data(syslogd_t) init_dontaudit_write_script_pid(syslogd_t)
term_write_all_user_ttys(syslogd_t) term_write_all_user_ttys(syslogd_t)
corenet_raw_sendrecv_all_if(syslogd_t) corenet_raw_sendrecv_all_if(syslogd_t)
@ -210,26 +210,26 @@ corenet_udp_bind_syslogd_port(syslogd_t)
fs_getattr_all_fs(syslogd_t) fs_getattr_all_fs(syslogd_t)
init_use_file_descriptors(syslogd_t) init_use_fd(syslogd_t)
init_script_use_pseudoterminal(syslogd_t) init_use_script_pty(syslogd_t)
domain_use_widely_inheritable_file_descriptors(syslogd_t) domain_use_wide_inherit_fd(syslogd_t)
files_read_general_system_config(syslogd_t) files_read_generic_etc_files(syslogd_t)
libraries_use_dynamic_loader(syslogd_t) libs_use_ld_so(syslogd_t)
libraries_use_shared_libraries(syslogd_t) libs_use_shared_libs(syslogd_t)
sysnetwork_read_network_config(syslogd_t) sysnet_read_config(syslogd_t)
miscfiles_read_localization(syslogd_t) miscfiles_read_localization(syslogd_t)
userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t) userdom_dontaudit_use_unpriv_user_fd(syslogd_t)
# #
# /initrd is not umounted before minilog starts # /initrd is not umounted before minilog starts
# #
files_ignore_search_isid_type_dir(syslogd_t) files_dontaudit_search_isid_type_dir(syslogd_t)
#allow syslogd_t tmpfs_t:dir search; #allow syslogd_t tmpfs_t:dir search;
#dontaudit syslogd_t unlabeled_t:file read; #dontaudit syslogd_t unlabeled_t:file read;
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr; #dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
@ -246,7 +246,7 @@ ifdef(`klogd.te', `', `
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(syslogd_t) term_dontaudit_use_unallocated_tty(syslogd_t)
terminal_ignore_use_general_pseudoterminal(syslogd_t) terminal_ignore_use_general_pseudoterminal(syslogd_t)
files_ignore_read_rootfs_file(syslogd_t) files_dontaudit_read_root_file(syslogd_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
@ -254,11 +254,11 @@ optional_policy(`selinux.te',`
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_read_database(syslogd_t) udev_read_db(syslogd_t)
') ')
optional_policy(`cron.te',` optional_policy(`cron.te',`
cron_modify_log(syslogd_t) cron_rw_log(syslogd_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
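Review bot: `logging_log_file(auditd_t,auditd_log_t)` at the top of the first hunk passes two arguments, but the interface as defined in logging.if in this same commit takes one and applies `files_file_type($1)` / `typeattribute $1 logfile` to it, so the domain auditd_t would be attributed as a logfile while auditd_log_t receives nothing, and the call also precedes the `type auditd_t;` declaration. The other file-type callers below (`files_file_type(devlog_t)`, `files_pid_file(auditd_var_run_t)`) pass the type alone, so this should read `logging_log_file(auditd_log_t)`. Separately, `terminal_ignore_use_general_pseudoterminal(...)` in the targeted_policy blocks for auditd_t and syslogd_t still carries the old terminal_/ignore naming while every neighbouring call was renamed to term_*/dontaudit_*; the same leftover appears in lvm.te for lvm_t. If the terminal interface was renamed elsewhere in this commit these calls will no longer expand, so confirm against terminal.if.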


@ -2,7 +2,7 @@
## <summary>Policy for logical volume management programs.</summary> ## <summary>Policy for logical volume management programs.</summary>
######################################## ########################################
## <interface name="lvm_transition"> ## <interface name="lvm_domtrans">
## <description> ## <description>
## Execute lvm programs in the lvm domain. ## Execute lvm programs in the lvm domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`lvm_transition',` define(`lvm_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1, lvm_exec_t, lvm_t) domain_auto_trans($1, lvm_exec_t, lvm_t)
@ -22,7 +22,7 @@ define(`lvm_transition',`
allow lvm_t $1:process sigchld; allow lvm_t $1:process sigchld;
') ')
define(`lvm_transition_depend',` define(`lvm_domtrans_depend',`
type lvm_t, lvm_exec_t; type lvm_t, lvm_exec_t;
class file { getattr read execute }; class file { getattr read execute };
@ -32,7 +32,7 @@ define(`lvm_transition_depend',`
') ')
######################################## ########################################
## <interface name="lvm_transition_add_role_use_terminal"> ## <interface name="lvm_run">
## <description> ## <description>
## Execute lvm programs in the lvm domain. ## Execute lvm programs in the lvm domain.
## </description> ## </description>
@ -47,15 +47,15 @@ define(`lvm_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`lvm_transition_add_role_use_terminal',` define(`lvm_run',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
lvm_transition($1) lvm_domtrans($1)
role $2 types lvm_t; role $2 types lvm_t;
allow lvm_t $3:chr_file { getattr read write ioctl }; allow lvm_t $3:chr_file { getattr read write ioctl };
') ')
define(`lvm_transition_add_role_use_terminal_depend',` define(`lvm_run_depend',`
type lvm_t; type lvm_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };


@ -8,23 +8,23 @@ policy_module(lvm,1.0)
type lvm_t; type lvm_t;
type lvm_exec_t; type lvm_exec_t;
init_make_system_domain(lvm_t,lvm_exec_t) init_system_domain(lvm_t,lvm_exec_t)
# needs privowner because it assigns the identity system_u to device nodes # needs privowner because it assigns the identity system_u to device nodes
# but runs as the identity of the sysadmin # but runs as the identity of the sysadmin
kernel_make_object_identity_change_constraint_exception(lvm_t) kernel_obj_id_change_exempt(lvm_t)
role system_r types lvm_t; role system_r types lvm_t;
type lvm_etc_t; type lvm_etc_t;
files_make_file(lvm_etc_t) files_file_type(lvm_etc_t)
type lvm_lock_t; type lvm_lock_t;
files_make_lock_file(lvm_lock_t) files_lock_file(lvm_lock_t)
type lvm_metadata_t; type lvm_metadata_t;
files_make_file(lvm_metadata_t) files_file_type(lvm_metadata_t)
type lvm_tmp_t; type lvm_tmp_t;
files_make_temporary_file(lvm_tmp_t) files_tmp_file(lvm_tmp_t)
######################################## ########################################
# #
@ -45,7 +45,7 @@ allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t lvm_tmp_t:dir create_dir_perms; allow lvm_t lvm_tmp_t:dir create_dir_perms;
allow lvm_t lvm_tmp_t:file create_file_perms; allow lvm_t lvm_tmp_t:file create_file_perms;
files_create_private_tmp_data(lvm_t, lvm_tmp_t, { file dir }) files_create_tmp_files(lvm_t, lvm_tmp_t, { file dir })
# /lib/lvm-<version> holds the actual LVM binaries (and symlinks) # /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
allow lvm_t lvm_exec_t:dir search; allow lvm_t lvm_exec_t:dir search;
@ -57,7 +57,7 @@ can_exec(lvm_t, lvm_exec_t)
# Creating lock files # Creating lock files
allow lvm_t lvm_lock_t:dir rw_dir_perms; allow lvm_t lvm_lock_t:dir rw_dir_perms;
allow lvm_t lvm_lock_t:file create_file_perms; allow lvm_t lvm_lock_t:file create_file_perms;
files_create_private_lock_file(lvm_t,lvm_lock_t) files_create_lock_file(lvm_t,lvm_lock_t)
allow lvm_t lvm_etc_t:file r_file_perms; allow lvm_t lvm_etc_t:file r_file_perms;
allow lvm_t lvm_etc_t:lnk_file r_file_perms; allow lvm_t lvm_etc_t:lnk_file r_file_perms;
@ -66,7 +66,7 @@ allow lvm_t lvm_etc_t:dir rw_dir_perms;
allow lvm_t lvm_metadata_t:file create_file_perms; allow lvm_t lvm_metadata_t:file create_file_perms;
allow lvm_t lvm_metadata_t:dir rw_dir_perms; allow lvm_t lvm_metadata_t:dir rw_dir_perms;
type_transition lvm_t lvm_etc_t:file lvm_metadata_t; type_transition lvm_t lvm_etc_t:file lvm_metadata_t;
files_create_private_config(lvm_t,lvm_metadata_t,file) files_create_etc_config(lvm_t,lvm_metadata_t,file)
kernel_read_system_state(lvm_t) kernel_read_system_state(lvm_t)
kernel_get_selinuxfs_mount_point(lvm_t) kernel_get_selinuxfs_mount_point(lvm_t)
@ -89,8 +89,8 @@ dev_read_rand(lvm_t)
dev_read_urand(lvm_t) dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t) dev_rw_lvm_control(lvm_t)
dev_manage_generic_symlinks(lvm_t) dev_manage_generic_symlinks(lvm_t)
devices_relabel_dev_dirs(lvm_t) dev_relabel_dev_dirs(lvm_t)
devices_manage_generic_block_device(lvm_t) dev_manage_generic_blk_file(lvm_t)
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex... # LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
dev_dontaudit_getattr_all_chr_files(lvm_t) dev_dontaudit_getattr_all_chr_files(lvm_t)
@ -110,25 +110,25 @@ storage_create_fixed_disk_dev_entry(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed? # Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t) storage_manage_fixed_disk(lvm_t)
corecommands_search_system_programs_directory(lvm_t) corecmd_search_sbin(lvm_t)
corecommands_ignore_get_system_programs_attributes(lvm_t) corecmd_dontaudit_getattr_sbin_file(lvm_t)
domain_use_widely_inheritable_file_descriptors(lvm_t) domain_use_wide_inherit_fd(lvm_t)
files_search_system_state_data_directory(lvm_t) files_search_var(lvm_t)
files_read_general_system_config(lvm_t) files_read_generic_etc_files(lvm_t)
files_read_runtime_system_config(lvm_t) files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted: # for when /usr is not mounted:
files_ignore_search_isid_type_dir(lvm_t) files_dontaudit_search_isid_type_dir(lvm_t)
init_use_file_descriptors(lvm_t) init_use_fd(lvm_t)
init_ignore_get_control_channel_attributes(lvm_t) init_dontaudit_getattr_initctl(lvm_t)
init_script_use_pseudoterminal(lvm_t) init_use_script_pty(lvm_t)
libraries_use_dynamic_loader(lvm_t) libs_use_ld_so(lvm_t)
libraries_use_shared_libraries(lvm_t) libs_use_shared_libs(lvm_t)
logging_send_system_log_message(lvm_t) logging_send_syslog_msg(lvm_t)
miscfiles_read_localization(lvm_t) miscfiles_read_localization(lvm_t)
@ -138,14 +138,14 @@ selinux_newrole_sigchld(lvm_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
# this is from the initrd: # this is from the initrd:
files_modify_isid_type_dir(lvm_t) files_rw_isid_type_dir(lvm_t)
') ')
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(lvm_t) term_dontaudit_use_unallocated_tty(lvm_t)
terminal_ignore_use_general_pseudoterminal(lvm_t) terminal_ignore_use_general_pseudoterminal(lvm_t)
files_ignore_read_rootfs_file(lvm_t) files_dontaudit_read_root_file(lvm_t)
') ')
optional_policy(`bootloader.te',` optional_policy(`bootloader.te',`
@ -153,7 +153,7 @@ optional_policy(`bootloader.te',`
') ')
optional_policy(`udev.te', ` optional_policy(`udev.te', `
udev_read_database(lvm_t) udev_read_db(lvm_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`


@ -2,7 +2,7 @@
## <summary>Miscelaneous files.</summary> ## <summary>Miscelaneous files.</summary>
######################################## ########################################
## <interface name="miscfiles_manage_man_page_cache"> ## <interface name="miscfiles_rw_man_cache">
## <description> ## <description>
## Allow process to create files and dirs in /var/cache/man ## Allow process to create files and dirs in /var/cache/man
## and /var/catman/ ## and /var/catman/
@ -15,7 +15,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`miscfiles_manage_man_page_cache',` define(`miscfiles_rw_man_cache',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
# FIXME: search var_t dir # FIXME: search var_t dir
@ -23,7 +23,7 @@ define(`miscfiles_manage_man_page_cache',`
allow $1 catman_t:file create_file_perms; allow $1 catman_t:file create_file_perms;
') ')
define(`miscfiles_manage_man_page_cache_depend',` define(`miscfiles_rw_man_cache_depend',`
type catman_t; type catman_t;
class dir create_dir_perms; class dir create_dir_perms;
@ -83,7 +83,7 @@ define(`miscfiles_read_localization',`
allow $1 locale_t:file r_file_perms; allow $1 locale_t:file r_file_perms;
# why? # why?
libraries_read_library_resources($1) libs_read_lib($1)
') ')
define(`miscfiles_read_localization_depend',` define(`miscfiles_read_localization_depend',`


@ -5,41 +5,41 @@ policy_module(miscfiles,1.0)
# catman_t is the type for /var/catman. # catman_t is the type for /var/catman.
# #
type catman_t; # , tmpfile; type catman_t; # , tmpfile;
files_make_file(catman_t) files_file_type(catman_t)
# #
# cert_t is the type of files in the system certs directories. # cert_t is the type of files in the system certs directories.
# #
type cert_t; type cert_t;
files_make_file(cert_t) files_file_type(cert_t)
# #
# fonts_t is the type of various font # fonts_t is the type of various font
# files in /usr # files in /usr
# #
type fonts_t; type fonts_t;
files_make_file(fonts_t) files_file_type(fonts_t)
# #
# locale_t is the type for system localization # locale_t is the type for system localization
# #
type locale_t; type locale_t;
files_make_file(locale_t) files_file_type(locale_t)
# #
# man_t is the type for the man directories. # man_t is the type for the man directories.
# #
type man_t; type man_t;
files_make_file(man_t) files_file_type(man_t)
# #
# Base type for the tests directory. # Base type for the tests directory.
# #
type test_file_t; type test_file_t;
files_make_file(test_file_t) files_file_type(test_file_t)
# #
# for /var/{spool,lib}/texmf index files # for /var/{spool,lib}/texmf index files
# #
type tetex_data_t; # , tmpfile; type tetex_data_t; # , tmpfile;
files_make_file(tetex_data_t) files_file_type(tetex_data_t)


@ -26,7 +26,7 @@ define(`modutils_read_kernel_module_dependencies_depend',`
') ')
######################################## ########################################
## <interface name="modutils_read_kernel_module_loading_config"> ## <interface name="modutils_read_module_conf">
## <description> ## <description>
## Read the configuration options used when ## Read the configuration options used when
## loading modules. ## loading modules.
@ -36,20 +36,20 @@ define(`modutils_read_kernel_module_dependencies_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`modutils_read_kernel_module_loading_config',` define(`modutils_read_module_conf',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 modules_conf_t:file r_file_perms; allow $1 modules_conf_t:file r_file_perms;
') ')
define(`modutils_read_kernel_module_loading_config_depend',` define(`modutils_read_module_conf_depend',`
type modules_conf_t; type modules_conf_t;
class file r_file_perms; class file r_file_perms;
') ')
######################################## ########################################
## <interface name="modutils_insmod_transition"> ## <interface name="modutils_domtrans_insmod">
## <description> ## <description>
## Execute insmod in the insmod domain. Has a ## Execute insmod in the insmod domain. Has a
## sigchld backchannel. ## sigchld backchannel.
@ -59,7 +59,7 @@ define(`modutils_read_kernel_module_loading_config_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`modutils_insmod_transition',` define(`modutils_domtrans_insmod',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1, insmod_exec_t, insmod_t) domain_auto_trans($1, insmod_exec_t, insmod_t)
@ -70,7 +70,7 @@ define(`modutils_insmod_transition',`
allow insmod_t $1:process sigchld; allow insmod_t $1:process sigchld;
') ')
define(`modutils_insmod_transition_depend',` define(`modutils_domtrans_insmod_depend',`
type insmod_t; type insmod_t;
class file { getattr read execute }; class file { getattr read execute };
@ -80,7 +80,7 @@ define(`modutils_insmod_transition_depend',`
') ')
######################################## ########################################
## <interface name="modutils_insmod_transition_add_role_use_terminal"> ## <interface name="modutils_run_insmod">
## <description> ## <description>
## Execute insmod in the insmod domain, and ## Execute insmod in the insmod domain, and
## allow the specified role the insmod domain, ## allow the specified role the insmod domain,
@ -98,15 +98,15 @@ define(`modutils_insmod_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`modutils_insmod_transition_add_role_use_terminal',` define(`modutils_run_insmod',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
modutils_insmod_transition($1) modutils_domtrans_insmod($1)
role $2 types insmod_t; role $2 types insmod_t;
allow insmod_t $3:chr_file { getattr read write ioctl }; allow insmod_t $3:chr_file { getattr read write ioctl };
') ')
define(`modutils_insmod_transition_add_role_use_terminal_depend',` define(`modutils_run_insmod_depend',`
type insmod_t; type insmod_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -114,22 +114,22 @@ define(`modutils_insmod_transition_add_role_use_terminal_depend',`
######################################## ########################################
# #
# modutils_insmod_execute(domain) # modutils_exec_insmod(domain)
# #
define(`modutils_insmod_execute',` define(`modutils_exec_insmod',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1, insmod_exec_t) can_exec($1, insmod_exec_t)
') ')
define(`modutils_insmod_execute_depend',` define(`modutils_exec_insmod_depend',`
type insmod_t; type insmod_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
') ')
######################################## ########################################
## <interface name="modutils_depmod_transition"> ## <interface name="modutils_domtrans_depmod">
## <description> ## <description>
## Execute depmod in the depmod domain. ## Execute depmod in the depmod domain.
## </description> ## </description>
@ -138,7 +138,7 @@ define(`modutils_insmod_execute_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`modutils_depmod_transition',` define(`modutils_domtrans_depmod',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1, depmod_exec_t, depmod_t) domain_auto_trans($1, depmod_exec_t, depmod_t)
@ -149,7 +149,7 @@ define(`modutils_depmod_transition',`
allow depmod_t $1:process sigchld; allow depmod_t $1:process sigchld;
') ')
define(`modutils_depmod_transition_depend',` define(`modutils_domtrans_depmod_depend',`
type depmod_t; type depmod_t;
class file { getattr read execute }; class file { getattr read execute };
@ -159,7 +159,7 @@ define(`modutils_depmod_transition_depend',`
') ')
######################################## ########################################
## <interface name="modutils_depmod_transition_add_role_use_terminal"> ## <interface name="modutils_run_depmod">
## <description> ## <description>
## Execute depmod in the depmod domain. ## Execute depmod in the depmod domain.
## </description> ## </description>
@ -174,15 +174,15 @@ define(`modutils_depmod_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`modutils_depmod_transition_add_role_use_terminal',` define(`modutils_run_depmod',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
modutils_depmod_transition($1) modutils_domtrans_depmod($1)
role $2 types insmod_t; role $2 types insmod_t;
allow insmod_t $3:chr_file { getattr read write ioctl }; allow insmod_t $3:chr_file { getattr read write ioctl };
') ')
define(`modutils_depmod_transition_add_role_use_terminal_depend',` define(`modutils_run_depmod_depend',`
type depmod_t; type depmod_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -190,22 +190,22 @@ define(`modutils_depmod_transition_add_role_use_terminal_depend',`
######################################## ########################################
# #
# modutils_depmod_execute(domain) # modutils_exec_depmod(domain)
# #
define(`modutils_depmod_execute',` define(`modutils_exec_depmod',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1, depmod_exec_t) can_exec($1, depmod_exec_t)
') ')
define(`modutils_depmod_execute_depend',` define(`modutils_exec_depmod_depend',`
type depmod_t; type depmod_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
') ')
######################################## ########################################
## <interface name="modutils_update_modules_transition"> ## <interface name="modutils_domtrans_update_mods">
## <description> ## <description>
## Execute depmod in the depmod domain. ## Execute depmod in the depmod domain.
## </description> ## </description>
@ -214,7 +214,7 @@ define(`modutils_depmod_execute_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`modutils_update_modules_transition',` define(`modutils_domtrans_update_mods',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1, update_modules_exec_t, update_modules_t) domain_auto_trans($1, update_modules_exec_t, update_modules_t)
@ -225,7 +225,7 @@ define(`modutils_update_modules_transition',`
allow update_modules_t $1:process sigchld; allow update_modules_t $1:process sigchld;
') ')
define(`modutils_update_modules_transition_depend',` define(`modutils_domtrans_update_mods_depend',`
type update_modules_t; type update_modules_t;
class file { getattr read execute }; class file { getattr read execute };
@ -235,7 +235,7 @@ define(`modutils_update_modules_transition_depend',`
') ')
######################################## ########################################
## <interface name="modutils_update_modules_transition_add_role_use_terminal"> ## <interface name="modutils_run_update_mods">
## <description> ## <description>
## Execute update_modules in the update_modules domain. ## Execute update_modules in the update_modules domain.
## </description> ## </description>
@ -250,15 +250,15 @@ define(`modutils_update_modules_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`modutils_update_modules_transition_add_role_use_terminal',` define(`modutils_run_update_mods',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
modutils_update_modules_transition($1) modutils_domtrans_update_mods($1)
role $2 types update_modules_t; role $2 types update_modules_t;
allow update_modules_t $3:chr_file rw_file_perms; allow update_modules_t $3:chr_file rw_file_perms;
') ')
define(`modutils_update_modules_transition_add_role_use_terminal_depend',` define(`modutils_run_update_mods_depend',`
type update_modules_t; type update_modules_t;
class chr_file rw_file_perms; class chr_file rw_file_perms;
@ -266,15 +266,15 @@ define(`modutils_update_modules_transition_add_role_use_terminal_depend',`
######################################## ########################################
# #
# modutils_update_modules_execute(domain) # modutils_exec_update_mods(domain)
# #
define(`modutils_update_modules_execute',` define(`modutils_exec_update_mods',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1, update_modules_exec_t) can_exec($1, update_modules_exec_t)
') ')
define(`modutils_update_modules_execute_depend',` define(`modutils_exec_update_mods_depend',`
type update_modules_t; type update_modules_t;
class file { getattr read execute execute_no_trans }; class file { getattr read execute execute_no_trans };
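Review bot: modutils_run_depmod grants the role and the terminal to insmod_t rather than depmod_t on the two lines after `modutils_domtrans_depmod($1)`, while its _depend block declares depmod_t, so the requires block does not match the body and the caller's role is never given depmod_t; the rename carries this over unchanged, and the lines should read `role $2 types depmod_t;` and `allow depmod_t $3:chr_file { getattr read write ioctl };`. The three exec interfaces have the same kind of mismatch: modutils_exec_insmod_depend, modutils_exec_depmod_depend and modutils_exec_update_mods_depend each declare the process type (`type insmod_t;` etc.) but their bodies only reference the `*_exec_t` type passed to can_exec, so each should declare the exec type instead, e.g. `type insmod_exec_t;`. The description of modutils_domtrans_update_mods still reads "Execute depmod in the depmod domain." and should say "Execute update_modules in the update_modules domain."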


@ -8,30 +8,30 @@ policy_module(modutils,1.0)
# module loading config # module loading config
type modules_conf_t; type modules_conf_t;
files_make_file(modules_conf_t) files_file_type(modules_conf_t)
# module dependencies # module dependencies
type modules_dep_t; type modules_dep_t;
files_make_file(modules_dep_t) files_file_type(modules_dep_t)
type insmod_t; type insmod_t;
type insmod_exec_t; type insmod_exec_t;
kernel_userland_entry(insmod_t,insmod_exec_t) kernel_userland_entry(insmod_t,insmod_exec_t)
init_make_system_domain(insmod_t,insmod_exec_t) init_system_domain(insmod_t,insmod_exec_t)
role system_r types insmod_t; role system_r types insmod_t;
type depmod_t; type depmod_t;
type depmod_exec_t; type depmod_exec_t;
init_make_system_domain(depmod_t,depmod_exec_t) init_system_domain(depmod_t,depmod_exec_t)
role system_r types depmod_t; role system_r types depmod_t;
type update_modules_t; type update_modules_t;
type update_modules_exec_t; type update_modules_exec_t;
init_make_system_domain(update_modules_t,update_modules_exec_t) init_system_domain(update_modules_t,update_modules_exec_t)
role system_r types update_modules_t; role system_r types update_modules_t;
type update_modules_tmp_t; type update_modules_tmp_t;
files_make_temporary_file(update_modules_tmp_t) files_tmp_file(update_modules_tmp_t)
######################################## ########################################
# #
@ -68,37 +68,37 @@ dev_rw_agp_dev(insmod_t)
fs_getattr_xattr_fs(insmod_t) fs_getattr_xattr_fs(insmod_t)
corecommands_execute_general_programs(insmod_t) corecmd_exec_bin(insmod_t)
corecommands_execute_system_programs(insmod_t) corecmd_exec_sbin(insmod_t)
corecommands_execute_shell(insmod_t) corecmd_exec_shell(insmod_t)
domain_signal_all_domains(insmod_t) domain_signal_all_domains(insmod_t)
domain_use_widely_inheritable_file_descriptors(insmod_t) domain_use_wide_inherit_fd(insmod_t)
files_read_runtime_system_config(insmod_t) files_read_etc_runtime_files(insmod_t)
files_read_general_system_config(insmod_t) files_read_generic_etc_files(insmod_t)
files_read_general_application_resources(insmod_t) files_read_usr_files(insmod_t)
files_execute_system_config_script(insmod_t) files_exec_generic_etc_files(insmod_t)
# for nscd: # for nscd:
files_ignore_search_runtime_data_directory(insmod_t) files_dontaudit_search_pids(insmod_t)
# for when /var is not mounted early in the boot: # for when /var is not mounted early in the boot:
files_ignore_search_isid_type_dir(insmod_t) files_dontaudit_search_isid_type_dir(insmod_t)
init_use_control_channel(insmod_t) init_use_initctl(insmod_t)
init_use_file_descriptors(insmod_t) init_use_fd(insmod_t)
init_script_use_file_descriptors(insmod_t) init_use_script_fd(insmod_t)
init_script_use_pseudoterminal(insmod_t) init_use_script_pty(insmod_t)
libraries_use_dynamic_loader(insmod_t) libs_use_ld_so(insmod_t)
libraries_use_shared_libraries(insmod_t) libs_use_shared_libs(insmod_t)
logging_send_system_log_message(insmod_t) logging_send_syslog_msg(insmod_t)
logging_search_system_log_directory(insmod_t) logging_search_logs(insmod_t)
miscfiles_read_localization(insmod_t) miscfiles_read_localization(insmod_t)
optional_policy(`mount.te',` optional_policy(`mount.te',`
mount_transition(insmod_t) mount_domtrans(insmod_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`
@ -138,18 +138,18 @@ term_use_console(depmod_t)
bootloader_read_kernel_symbol_table(depmod_t) bootloader_read_kernel_symbol_table(depmod_t)
bootloader_read_kernel_modules(depmod_t) bootloader_read_kernel_modules(depmod_t)
init_use_file_descriptors(depmod_t) init_use_fd(depmod_t)
init_script_use_file_descriptors(depmod_t) init_use_script_fd(depmod_t)
init_script_use_pseudoterminal(depmod_t) init_use_script_pty(depmod_t)
domain_use_widely_inheritable_file_descriptors(depmod_t) domain_use_wide_inherit_fd(depmod_t)
files_read_runtime_system_config(depmod_t) files_read_etc_runtime_files(depmod_t)
files_read_general_system_config(depmod_t) files_read_generic_etc_files(depmod_t)
files_read_system_source_code(depmod_t) files_read_usr_src(depmod_t)
libraries_use_dynamic_loader(depmod_t) libs_use_ld_so(depmod_t)
libraries_use_shared_libraries(depmod_t) libs_use_shared_libs(depmod_t)
ifdef(`TODO',` ifdef(`TODO',`
@ -177,14 +177,14 @@ can_exec(update_modules_t, update_modules_exec_t)
# manage module loading configuration # manage module loading configuration
allow update_modules_t modules_conf_t:file create_file_perms; allow update_modules_t modules_conf_t:file create_file_perms;
bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t) bootloader_create_private_module_dir_entry(update_modules_t,modules_conf_t)
files_create_private_config(update_modules_t,modules_conf_t) files_create_etc_config(update_modules_t,modules_conf_t)
# transition to depmod # transition to depmod
domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t) domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
allow update_modules_t update_modules_tmp_t:dir create_dir_perms; allow update_modules_t update_modules_tmp_t:dir create_dir_perms;
allow update_modules_t update_modules_tmp_t:file create_file_perms; allow update_modules_t update_modules_tmp_t:file create_file_perms;
files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir }) files_create_tmp_files(update_modules_t, update_modules_tmp_t, { file dir })
kernel_read_kernel_sysctl(update_modules_t) kernel_read_kernel_sysctl(update_modules_t)
kernel_read_system_state(update_modules_t) kernel_read_system_state(update_modules_t)
@ -195,24 +195,24 @@ fs_getattr_xattr_fs(update_modules_t)
term_use_console(update_modules_t) term_use_console(update_modules_t)
init_use_file_descriptors(depmod_t) init_use_fd(depmod_t)
init_script_use_file_descriptors(depmod_t) init_use_script_fd(depmod_t)
init_script_use_pseudoterminal(depmod_t) init_use_script_pty(depmod_t)
domain_use_widely_inheritable_file_descriptors(depmod_t) domain_use_wide_inherit_fd(depmod_t)
files_read_runtime_system_config(update_modules_t) files_read_etc_runtime_files(update_modules_t)
files_read_general_system_config(update_modules_t) files_read_generic_etc_files(update_modules_t)
files_execute_system_config_script(update_modules_t) files_exec_generic_etc_files(update_modules_t)
corecommands_execute_general_programs(update_modules_t) corecmd_exec_bin(update_modules_t)
corecommands_execute_system_programs(update_modules_t) corecmd_exec_sbin(update_modules_t)
corecommands_execute_shell(update_modules_t) corecmd_exec_shell(update_modules_t)
libraries_use_dynamic_loader(update_modules_t) libs_use_ld_so(update_modules_t)
libraries_use_shared_libraries(update_modules_t) libs_use_shared_libs(update_modules_t)
logging_send_system_log_message(update_modules_t) logging_send_syslog_msg(update_modules_t)
miscfiles_read_localization(update_modules_t) miscfiles_read_localization(update_modules_t)
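Review bot: In the last hunk (the update_modules_t section that follows `term_use_console(update_modules_t)`), the four calls `init_use_fd(depmod_t)`, `init_use_script_fd(depmod_t)`, `init_use_script_pty(depmod_t)` and `domain_use_wide_inherit_fd(depmod_t)` are applied to depmod_t although every surrounding rule in that section is for update_modules_t, and the identical four calls already appear in the depmod_t section earlier in the file. This looks like a copy-paste slip carried through the rename; if so, update_modules_t is left without init fd/pty access and the subject on those four lines should be update_modules_t, e.g. `init_use_fd(update_modules_t)` and `domain_use_wide_inherit_fd(update_modules_t)`. The enclosing section continues past the hunk, so I cannot tell from here whether update_modules_t gets these permissions elsewhere.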


@ -2,7 +2,7 @@
## <summary>Policy for mount.</summary> ## <summary>Policy for mount.</summary>
######################################## ########################################
## <interface name="mount_transition"> ## <interface name="mount_domtrans">
## <description> ## <description>
## Execute mount in the mount domain. ## Execute mount in the mount domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`mount_transition',` define(`mount_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 mount_exec_t:file rx_file_perms; allow $1 mount_exec_t:file rx_file_perms;
@ -25,7 +25,7 @@ define(`mount_transition',`
allow mount_t $1:process sigchld; allow mount_t $1:process sigchld;
') ')
define(`mount_transition_depend',` define(`mount_domtrans_depend',`
type mount_t, mount_exec_t; type mount_t, mount_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -35,7 +35,7 @@ define(`mount_transition_depend',`
') ')
######################################## ########################################
## <interface name="mount_transition_add_role_use_terminal"> ## <interface name="mount_run">
## <description> ## <description>
## Execute mount in the mount domain, and ## Execute mount in the mount domain, and
## allow the specified role the mount domain, ## allow the specified role the mount domain,
@ -52,22 +52,22 @@ define(`mount_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`mount_transition_add_role_use_terminal',` define(`mount_run',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
mount_transition($1) mount_domtrans($1)
role $2 types mount_t; role $2 types mount_t;
allow mount_t $3:chr_file rw_file_perms; allow mount_t $3:chr_file rw_file_perms;
') ')
define(`mount_transition_add_role_use_terminal_depend',` define(`mount_run_depend',`
type mount_t; type mount_t;
class chr_file rw_file_perms; class chr_file rw_file_perms;
') ')
######################################## ########################################
## <interface name="mount_use_file_descriptors"> ## <interface name="mount_use_fd">
## <description> ## <description>
## Use file descriptors for mount. ## Use file descriptors for mount.
## </description> ## </description>
@ -76,13 +76,13 @@ define(`mount_transition_add_role_use_terminal_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`mount_use_file_descriptors',` define(`mount_use_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 mount_t:fd use; allow $1 mount_t:fd use;
') ')
define(`mount_use_file_descriptors_depend',` define(`mount_use_fd_depend',`
type mount_t; type mount_t;
class fd use; class fd use;


@ -1,11 +1,11 @@
type mount_t; type mount_t;
type mount_exec_t; type mount_exec_t;
init_make_system_domain(mount_t,mount_exec_t) init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t; role system_r types mount_t;
type mount_tmp_t; type mount_tmp_t;
files_make_temporary_file(mount_tmp_t) files_tmp_file(mount_tmp_t)
######################################## ########################################
# #
@ -16,7 +16,7 @@ allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown
allow mount_t mount_tmp_t:file create_file_perms; allow mount_t mount_tmp_t:file create_file_perms;
allow mount_t mount_tmp_t:dir create_dir_perms; allow mount_t mount_tmp_t:dir create_dir_perms;
files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir }) files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
kernel_read_system_state(mount_t) kernel_read_system_state(mount_t)
kernel_dontaudit_use_fd(mount_t) kernel_dontaudit_use_fd(mount_t)
@ -41,39 +41,39 @@ fs_relabelfrom_xattr_fs(mount_t)
term_use_console(mount_t) term_use_console(mount_t)
# required for mount.smbfs # required for mount.smbfs
corecommands_execute_system_programs(mount_t) corecmd_exec_sbin(mount_t)
corecommands_execute_general_programs(mount_t) corecmd_exec_bin(mount_t)
domain_use_widely_inheritable_file_descriptors(mount_t) domain_use_wide_inherit_fd(mount_t)
files_search_all_directories(mount_t) files_search_all_dirs(mount_t)
files_read_general_system_config(mount_t) files_read_generic_etc_files(mount_t)
files_manage_runtime_system_config(mount_t) files_manage_etc_runtime_files(mount_t)
files_mount_on_all_mountpoints(mount_t) files_mounton_all_mountpoints(mount_t)
files_unmount_root_fs(mount_t) files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it: # These rules need to be generalized. Only admin, initrc should have it:
files_relabelto_all_file_type_fs(mount_t) files_relabelto_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t) files_mount_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t) files_mount_all_file_type_fs(mount_t)
init_use_file_descriptors(mount_t) init_use_fd(mount_t)
init_script_use_pseudoterminal(mount_t) init_use_script_pty(mount_t)
libraries_use_dynamic_loader(mount_t) libs_use_ld_so(mount_t)
libraries_use_shared_libraries(mount_t) libs_use_shared_libs(mount_t)
logging_send_system_log_message(mount_t) logging_send_syslog_msg(mount_t)
miscfiles_read_localization(mount_t) miscfiles_read_localization(mount_t)
userdomain_use_all_users_file_descriptors(mount_t) userdom_use_all_user_fd(mount_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
fs_use_tmpfs_character_devices(mount_t) fs_use_tmpfs_character_devices(mount_t)
allow mount_t tmpfs_t:dir mounton; allow mount_t tmpfs_t:dir mounton;
optional_policy(`authlogin.te',` optional_policy(`authlogin.te',`
authlogin_pam_console_read_runtime_data(mount_t) auth_read_pam_console_data(mount_t)
# mount config by default sets fscontext=removable_t # mount config by default sets fscontext=removable_t
fs_relabelfrom_dos_fs(mount_t) fs_relabelfrom_dos_fs(mount_t)
') ')
@ -103,7 +103,7 @@ optional_policy(`portmap.te', `
ifdef(`TODO',` ifdef(`TODO',`
# this goes to the nfs/rpc module # this goes to the nfs/rpc module
files_make_mountpoint(var_lib_nfs_t) files_mountpoint(var_lib_nfs_t)
# TODO: Need to examine this further. Not sure how to handle this # TODO: Need to examine this further. Not sure how to handle this
#type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type; #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
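Review bot: `files_mount_all_file_type_fs(mount_t)` appears twice in a row under the "These rules need to be generalized" comment in the hunk starting at `fs_relabelfrom_xattr_fs(mount_t)`; one of the two lines should be dropped. The comment above them notes that only admin and initrc should hold the relabelto/mount-on-all-file-types permissions, so it would help a reader to keep that remark next to the remaining single call rather than a duplicate pair.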


@ -2,7 +2,7 @@
## <summary>Policy for SELinux policy and userland applications.</summary> ## <summary>Policy for SELinux policy and userland applications.</summary>
####################################### #######################################
## <interface name="selinux_checkpolicy_transition"> ## <interface name="selinux_domtrans_checkpol">
## <description> ## <description>
## Execute checkpolicy in the checkpolicy domain. ## Execute checkpolicy in the checkpolicy domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_checkpolicy_transition',` define(`selinux_domtrans_checkpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 checkpolicy_exec_t:file rx_file_perms; allow $1 checkpolicy_exec_t:file rx_file_perms;
@ -25,7 +25,7 @@ define(`selinux_checkpolicy_transition',`
allow checkpolicy_t $1:process sigchld; allow checkpolicy_t $1:process sigchld;
') ')
define(`selinux_checkpolicy_transition_depend',` define(`selinux_domtrans_checkpol_depend',`
type checkpolicy_t, checkpolicy_exec_t; type checkpolicy_t, checkpolicy_exec_t;
class file rx_file_perms class file rx_file_perms
@ -35,7 +35,7 @@ define(`selinux_checkpolicy_transition_depend',`
') ')
######################################## ########################################
## <interface name="selinux_checkpolicy_transition_add_role_use_terminal"> ## <interface name="selinux_run_checkpol">
## <description> ## <description>
## Execute checkpolicy in the checkpolicy domain, and ## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain, ## allow the specified role the checkpolicy domain,
@ -53,15 +53,15 @@ define(`selinux_checkpolicy_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_checkpolicy_transition_add_role_use_terminal',` define(`selinux_run_checkpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
selinux_checkpolicy_transition($1) selinux_domtrans_checkpol($1)
role $2 types checkpolicy_t; role $2 types checkpolicy_t;
allow checkpolicy_t $3:chr_file { getattr read write ioctl }; allow checkpolicy_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',` define(`selinux_run_checkpol_depend',`
type checkpolicy_t; type checkpolicy_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -69,22 +69,22 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
####################################### #######################################
# #
# selinux_checkpolicy_execute(domain) # selinux_exec_checkpol(domain)
# #
define(`selinux_checkpolicy_execute',` define(`selinux_exec_checkpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,checkpolicy_exec_t) can_exec($1,checkpolicy_exec_t)
') ')
define(`selinux_checkpolicy_execute_depend',` define(`selinux_exec_checkpol_depend',`
type checkpolicy_exec_t; type checkpolicy_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
') ')
####################################### #######################################
## <interface name="selinux_load_policy_transition"> ## <interface name="selinux_domtrans_loadpol">
## <description> ## <description>
## Execute load_policy in the load_policy domain. ## Execute load_policy in the load_policy domain.
## </description> ## </description>
@ -93,7 +93,7 @@ define(`selinux_checkpolicy_execute_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_load_policy_transition',` define(`selinux_domtrans_loadpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file rx_file_perms; allow $1 load_policy_exec_t:file rx_file_perms;
@ -107,7 +107,7 @@ define(`selinux_load_policy_transition',`
allow load_policy_t $1:process sigchld; allow load_policy_t $1:process sigchld;
') ')
define(`selinux_load_policy_transition_depend',` define(`selinux_domtrans_loadpol_depend',`
type load_policy_t, load_policy_exec_t; type load_policy_t, load_policy_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -117,7 +117,7 @@ define(`selinux_load_policy_transition_depend',`
') ')
######################################## ########################################
## <interface name="selinux_load_policy_transition_add_role_use_terminal"> ## <interface name="selinux_run_loadpol">
## <description> ## <description>
## Execute load_policy in the load_policy domain, and ## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain, ## allow the specified role the load_policy domain,
@ -135,15 +135,15 @@ define(`selinux_load_policy_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_load_policy_transition_add_role_use_terminal',` define(`selinux_run_loadpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
selinux_load_policy_transition($1) selinux_domtrans_loadpol($1)
role $2 types load_policy_t; role $2 types load_policy_t;
allow load_policy_t $3:chr_file { getattr read write ioctl }; allow load_policy_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_load_policy_transition_add_role_use_terminal_depend',` define(`selinux_run_loadpol_depend',`
type load_policy_t; type load_policy_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -151,15 +151,15 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
####################################### #######################################
# #
# selinux_load_policy_execute(domain) # selinux_exec_loadpol(domain)
# #
define(`selinux_load_policy_execute',` define(`selinux_exec_loadpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,load_policy_exec_t) can_exec($1,load_policy_exec_t)
') ')
define(`selinux_load_policy_execute_depend',` define(`selinux_exec_loadpol_depend',`
type load_policy_exec_t; type load_policy_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
@ -167,22 +167,22 @@ define(`selinux_load_policy_execute_depend',`
####################################### #######################################
# #
# selinux_read_load_policy_binary(domain) # selinux_read_loadpol(domain)
# #
define(`selinux_read_load_policy_binary',` define(`selinux_read_loadpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file r_file_perms; allow $1 load_policy_exec_t:file r_file_perms;
') ')
define(`selinux_read_load_policy_binary_depend',` define(`selinux_read_loadpol_depend',`
type load_policy_exec_t; type load_policy_exec_t;
class file r_file_perms class file r_file_perms
') ')
####################################### #######################################
## <interface name="selinux_newrole_transition"> ## <interface name="selinux_domtrans_newrole">
## <description> ## <description>
## Execute newrole in the load_policy domain. ## Execute newrole in the load_policy domain.
## </description> ## </description>
@ -191,7 +191,7 @@ define(`selinux_read_load_policy_binary_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_newrole_transition',` define(`selinux_domtrans_newrole',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 newrole_exec_t:file rx_file_perms; allow $1 newrole_exec_t:file rx_file_perms;
@ -205,7 +205,7 @@ define(`selinux_newrole_transition',`
allow newrole_t $1:process sigchld; allow newrole_t $1:process sigchld;
') ')
define(`selinux_newrole_transition_depend',` define(`selinux_domtrans_newrole_depend',`
type newrole_t, newrole_exec_t; type newrole_t, newrole_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -215,7 +215,7 @@ define(`selinux_newrole_transition_depend',`
') ')
######################################## ########################################
## <interface name="selinux_newrole_transition_add_role_use_terminal"> ## <interface name="selinux_run_newrole">
## <description> ## <description>
## Execute newrole in the newrole domain, and ## Execute newrole in the newrole domain, and
## allow the specified role the newrole domain, ## allow the specified role the newrole domain,
@ -232,15 +232,15 @@ define(`selinux_newrole_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_newrole_transition_add_role_use_terminal',` define(`selinux_run_newrole',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
selinux_newrole_transition($1) selinux_domtrans_newrole($1)
role $2 types newrole_t; role $2 types newrole_t;
allow newrole_t $3:chr_file { getattr read write ioctl }; allow newrole_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_newrole_transition_add_role_use_terminal_depend',` define(`selinux_run_newrole_depend',`
type newrole_t; type newrole_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -248,22 +248,22 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
####################################### #######################################
# #
# selinux_newrole_execute(domain) # selinux_exec_newrole(domain)
# #
define(`selinux_newrole_execute',` define(`selinux_exec_newrole',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,newrole_exec_t) can_exec($1,newrole_exec_t)
') ')
define(`selinux_newrole_execute_depend',` define(`selinux_exec_newrole_depend',`
type newrole_t, newrole_exec_t; type newrole_t, newrole_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
') ')
######################################## ########################################
## <interface name="selinux_newrole_ignore_signal"> ## <interface name="selinux_dontaudit_newrole_signal">
## <description> ## <description>
## Do not audit the caller attempts to send ## Do not audit the caller attempts to send
## a signal to newrole. ## a signal to newrole.
@ -273,13 +273,13 @@ define(`selinux_newrole_execute_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_newrole_ignore_signal',` define(`selinux_dontaudit_newrole_signal',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 newrole_t:process signal; dontaudit $1 newrole_t:process signal;
') ')
define(`selinux_newrole_ignore_signal_depend',` define(`selinux_dontaudit_newrole_signal_depend',`
type newrole_t; type newrole_t;
class process signal; class process signal;
@ -303,22 +303,22 @@ define(`selinux_newrole_sigchld_depend',`
####################################### #######################################
# #
# selinux_newrole_use_file_descriptors(domain) # selinux_use_newrole_fd(domain)
# #
define(`selinux_newrole_use_file_descriptors',` define(`selinux_use_newrole_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 newrole_t:fd use; allow $1 newrole_t:fd use;
') ')
define(`selinux_newrole_use_file_descriptors_depend',` define(`selinux_use_newrole_fd_depend',`
type newrole_t; type newrole_t;
class fd use; class fd use;
') ')
####################################### #######################################
## <interface name="selinux_restorecon_transition"> ## <interface name="selinux_domtrans_restorecon">
## <description> ## <description>
## Execute restorecon in the restorecon domain. ## Execute restorecon in the restorecon domain.
## </description> ## </description>
@ -327,7 +327,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_restorecon_transition',` define(`selinux_domtrans_restorecon',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 restorecon_exec_t:file rx_file_perms; allow $1 restorecon_exec_t:file rx_file_perms;
@ -341,7 +341,7 @@ define(`selinux_restorecon_transition',`
allow restorecon_t $1:process sigchld; allow restorecon_t $1:process sigchld;
') ')
define(`selinux_restorecon_transition_depend',` define(`selinux_domtrans_restorecon_depend',`
type restorecon_t, restorecon_exec_t; type restorecon_t, restorecon_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -351,7 +351,7 @@ define(`selinux_restorecon_transition_depend',`
') ')
######################################## ########################################
## <interface name="selinux_restorecon_transition_add_role_use_terminal"> ## <interface name="selinux_run_restorecon">
## <description> ## <description>
## Execute restorecon in the restorecon domain, and ## Execute restorecon in the restorecon domain, and
## allow the specified role the restorecon domain, ## allow the specified role the restorecon domain,
@ -368,15 +368,15 @@ define(`selinux_restorecon_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_restorecon_transition_add_role_use_terminal',` define(`selinux_run_restorecon',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
selinux_restorecon_transition($1) selinux_domtrans_restorecon($1)
role $2 types restorecon_t; role $2 types restorecon_t;
allow restorecon_t $3:chr_file { getattr read write ioctl }; allow restorecon_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_restorecon_transition_add_role_use_terminal_depend',` define(`selinux_run_restorecon_depend',`
type restorecon_t; type restorecon_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -384,21 +384,21 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
####################################### #######################################
# #
# selinux_restorecon_execute(domain) # selinux_exec_restorecon(domain)
# #
define(`selinux_restorecon_execute',` define(`selinux_exec_restorecon',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,restorecon_exec_t) can_exec($1,restorecon_exec_t)
') ')
define(`selinux_restorecon_execute_depend',` define(`selinux_exec_restorecon_depend',`
type restorecon_t, restorecon_exec_t; type restorecon_t, restorecon_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
') ')
######################################## ########################################
## <interface name="selinux_run_init_transition"> ## <interface name="selinux_domtrans_runinit">
## <description> ## <description>
## Execute run_init in the run_init domain. ## Execute run_init in the run_init domain.
## </description> ## </description>
@ -407,7 +407,7 @@ define(`selinux_restorecon_execute_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_run_init_transition',` define(`selinux_domtrans_runinit',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 run_init_exec_t:file rx_file_perms; allow $1 run_init_exec_t:file rx_file_perms;
@ -421,7 +421,7 @@ define(`selinux_run_init_transition',`
allow run_init_t $1:process sigchld; allow run_init_t $1:process sigchld;
') ')
define(`selinux_run_init_transition_depend',` define(`selinux_domtrans_runinit_depend',`
type run_init_t, run_init_exec_t; type run_init_t, run_init_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -431,7 +431,7 @@ define(`selinux_run_init_transition_depend',`
') ')
######################################## ########################################
## <interface name="selinux_run_init_transition_add_role_use_terminal"> ## <interface name="selinux_run_runinit">
## <description> ## <description>
## Execute run_init in the run_init domain, and ## Execute run_init in the run_init domain, and
## allow the specified role the run_init domain, ## allow the specified role the run_init domain,
@ -448,15 +448,15 @@ define(`selinux_run_init_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_run_init_transition_add_role_use_terminal',` define(`selinux_run_runinit',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
selinux_run_init_transition($1) selinux_domtrans_runinit($1)
role $2 types run_init_t; role $2 types run_init_t;
allow run_init_t $3:chr_file { getattr read write ioctl }; allow run_init_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_run_init_transition_add_role_use_terminal_depend',` define(`selinux_run_runinit_depend',`
type run_init_t; type run_init_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -464,22 +464,22 @@ define(`selinux_run_init_transition_add_role_use_terminal_depend',`
######################################## ########################################
# #
# selinux_run_init_use_file_descriptors(domain) # selinux_use_runinit_fd(domain)
# #
define(`selinux_run_init_use_file_descriptors',` define(`selinux_use_runinit_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 run_init_t:fd use; allow $1 run_init_t:fd use;
') ')
define(`selinux_run_init_use_file_descriptors_depend',` define(`selinux_use_runinit_fd_depend',`
type run_init_t; type run_init_t;
class fd use; class fd use;
') ')
######################################## ########################################
## <interface name="selinux_setfiles_transition"> ## <interface name="selinux_domtrans_setfiles">
## <description> ## <description>
## Execute setfiles in the setfiles domain. ## Execute setfiles in the setfiles domain.
## </description> ## </description>
@ -488,7 +488,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_setfiles_transition',` define(`selinux_domtrans_setfiles',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 setfiles_exec_t:file rx_file_perms; allow $1 setfiles_exec_t:file rx_file_perms;
@ -502,7 +502,7 @@ define(`selinux_setfiles_transition',`
allow setfiles_t $1:process sigchld; allow setfiles_t $1:process sigchld;
') ')
define(`selinux_setfiles_transition_depend',` define(`selinux_domtrans_setfiles_depend',`
type setfiles_t, setfiles_exec_t; type setfiles_t, setfiles_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -512,7 +512,7 @@ define(`selinux_setfiles_transition_depend',`
') ')
######################################## ########################################
## <interface name="selinux_setfiles_transition_add_role_use_terminal"> ## <interface name="selinux_run_setfiles">
## <description> ## <description>
## Execute setfiles in the setfiles domain, and ## Execute setfiles in the setfiles domain, and
## allow the specified role the setfiles domain, ## allow the specified role the setfiles domain,
@ -529,15 +529,15 @@ define(`selinux_setfiles_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_setfiles_transition_add_role_use_terminal',` define(`selinux_run_setfiles',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
selinux_setfiles_transition($1) selinux_domtrans_setfiles($1)
role $2 types setfiles_t; role $2 types setfiles_t;
allow setfiles_t $3:chr_file { getattr read write ioctl }; allow setfiles_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_setfiles_transition_add_role_use_terminal_depend',` define(`selinux_run_setfiles_depend',`
type setfiles_t; type setfiles_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -545,15 +545,15 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
####################################### #######################################
# #
# selinux_setfiles_execute(domain) # selinux_exec_setfiles(domain)
# #
define(`selinux_setfiles_execute',` define(`selinux_exec_setfiles',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,setfiles_exec_t) can_exec($1,setfiles_exec_t)
') ')
define(`selinux_setfiles_execute_depend',` define(`selinux_exec_setfiles_depend',`
type setfiles_exec_t; type setfiles_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
@ -617,16 +617,16 @@ define(`selinux_read_file_contexts_depend',`
######################################## ########################################
# #
# selinux_read_binary_policy(domain) # selinux_read_binary_pol(domain)
# #
define(`selinux_read_binary_policy',` define(`selinux_read_binary_pol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 policy_config_t:dir r_dir_perms; allow $1 policy_config_t:dir r_dir_perms;
allow $1 policy_config_t:file r_file_perms; allow $1 policy_config_t:file r_file_perms;
') ')
define(`selinux_read_binary_policy_depend',` define(`selinux_read_binary_pol_depend',`
type policy_config_t; type policy_config_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -635,9 +635,9 @@ define(`selinux_read_binary_policy_depend',`
######################################## ########################################
# #
# selinux_write_binary_policy(domain) # selinux_write_binary_pol(domain)
# #
define(`selinux_write_binary_policy',` define(`selinux_write_binary_pol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 policy_config_t:dir rw_dir_perms; allow $1 policy_config_t:dir rw_dir_perms;
@ -645,7 +645,7 @@ define(`selinux_write_binary_policy',`
typeattribute $1 can_write_binary_policy; typeattribute $1 can_write_binary_policy;
') ')
define(`selinux_write_binary_policy_depend',` define(`selinux_write_binary_pol_depend',`
attribute can_write_binary_policy; attribute can_write_binary_policy;
type policy_config_t; type policy_config_t;
@ -655,7 +655,7 @@ define(`selinux_write_binary_policy_depend',`
') ')
######################################## ########################################
## <interface name="selinux_relabelto_binary_policy"> ## <interface name="selinux_relabelto_binary_pol">
## <description> ## <description>
## Allow the caller to relabel a file to the binary policy type. ## Allow the caller to relabel a file to the binary policy type.
## </description> ## </description>
@ -664,14 +664,14 @@ define(`selinux_write_binary_policy_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_relabelto_binary_policy',` define(`selinux_relabelto_binary_pol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 policy_config_t:file relabelto; allow $1 policy_config_t:file relabelto;
typeattribute $1 can_relabelto_binary_policy; typeattribute $1 can_relabelto_binary_policy;
') ')
define(`selinux_relabelto_binary_policy_depend',` define(`selinux_relabelto_binary_pol_depend',`
attribute can_relabelto_binary_policy; attribute can_relabelto_binary_policy;
type policy_config_t; type policy_config_t;
@ -681,9 +681,9 @@ define(`selinux_relabelto_binary_policy_depend',`
######################################## ########################################
# #
# selinux_manage_binary_policy(domain) # selinux_manage_binary_pol(domain)
# #
define(`selinux_manage_binary_policy',` define(`selinux_manage_binary_pol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
# FIXME: search etc_t:dir # FIXME: search etc_t:dir
@ -693,7 +693,7 @@ define(`selinux_manage_binary_policy',`
typeattribute $1 can_write_binary_policy; typeattribute $1 can_write_binary_policy;
') ')
define(`selinux_manage_binary_policy_depend',` define(`selinux_manage_binary_pol_depend',`
attribute can_write_binary_policy; attribute can_write_binary_policy;
type selinux_config_t, policy_config_t; type selinux_config_t, policy_config_t;
@ -703,9 +703,9 @@ define(`selinux_manage_binary_policy_depend',`
######################################## ########################################
# #
# selinux_read_source_policy(domain) # selinux_read_src_pol(domain)
# #
define(`selinux_read_source_policy',` define(`selinux_read_src_pol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
# FIXME: search etc_t:dir # FIXME: search etc_t:dir
@ -714,7 +714,7 @@ define(`selinux_read_source_policy',`
allow $1 policy_src_t:file r_file_perms; allow $1 policy_src_t:file r_file_perms;
') ')
define(`selinux_read_source_policy_depend',` define(`selinux_read_src_pol_depend',`
type selinux_config_t, policy_src_t; type selinux_config_t, policy_src_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -723,9 +723,9 @@ define(`selinux_read_source_policy_depend',`
######################################## ########################################
# #
# selinux_manage_source_policy(domain) # selinux_manage_src_pol(domain)
# #
define(`selinux_manage_source_policy',` define(`selinux_manage_src_pol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
# FIXME: search etc_t:dir # FIXME: search etc_t:dir
@ -734,7 +734,7 @@ define(`selinux_manage_source_policy',`
allow $1 policy_src_t:file create_file_perms; allow $1 policy_src_t:file create_file_perms;
') ')
define(`selinux_manage_source_policy_depend',` define(`selinux_manage_src_pol_depend',`
type selinux_config_t, policy_src_t; type selinux_config_t, policy_src_t;
class dir create_dir_perms; class dir create_dir_perms;


@ -10,48 +10,48 @@ attribute can_write_binary_policy;
attribute can_relabelto_binary_policy; attribute can_relabelto_binary_policy;
type checkpolicy_t, can_write_binary_policy; type checkpolicy_t, can_write_binary_policy;
domain_make_domain(checkpolicy_t) domain_type(checkpolicy_t)
role system_r types checkpolicy_t; role system_r types checkpolicy_t;
type checkpolicy_exec_t; type checkpolicy_exec_t;
domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t) domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
# #
# default_context_t is the type applied to # default_context_t is the type applied to
# /etc/selinux/*/contexts/* # /etc/selinux/*/contexts/*
# #
type default_context_t; type default_context_t;
files_make_file(default_context_t) files_file_type(default_context_t)
# #
# file_context_t is the type applied to # file_context_t is the type applied to
# /etc/selinux/*/contexts/files # /etc/selinux/*/contexts/files
# #
type file_context_t; type file_context_t;
files_make_file(file_context_t) files_file_type(file_context_t)
type load_policy_t; type load_policy_t;
domain_make_domain(load_policy_t) domain_type(load_policy_t)
role system_r types load_policy_t; role system_r types load_policy_t;
type load_policy_exec_t; type load_policy_exec_t;
domain_make_entrypoint_file(load_policy_t,load_policy_exec_t) domain_entry_file(load_policy_t,load_policy_exec_t)
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
kernel_make_role_change_constraint_exception(newrole_t) kernel_role_change_exempt(newrole_t)
kernel_make_object_identity_change_constraint_exception(newrole_t) kernel_obj_id_change_exempt(newrole_t)
domain_make_domain(newrole_t) domain_type(newrole_t)
domain_make_file_descriptors_widely_inheritable(newrole_t) domain_wide_inherit_fd(newrole_t)
type newrole_exec_t; type newrole_exec_t;
domain_make_entrypoint_file(newrole_t,newrole_exec_t) domain_entry_file(newrole_t,newrole_exec_t)
# #
# policy_config_t is the type of /etc/security/selinux/* # policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration. # the security server policy configuration.
# #
type policy_config_t; type policy_config_t;
files_make_file(policy_config_t) files_file_type(policy_config_t)
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
neverallow ~can_write_binary_policy policy_config_t:file { write append }; neverallow ~can_write_binary_policy policy_config_t:file { write append };
@ -61,34 +61,34 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
# files. # files.
# #
type policy_src_t; type policy_src_t;
files_make_file(policy_src_t) files_file_type(policy_src_t)
type restorecon_t, can_relabelto_binary_policy; type restorecon_t, can_relabelto_binary_policy;
type restorecon_exec_t; type restorecon_exec_t;
kernel_make_object_identity_change_constraint_exception(restorecon_t) kernel_obj_id_change_exempt(restorecon_t)
init_make_system_domain(restorecon_t,restorecon_exec_t) init_system_domain(restorecon_t,restorecon_exec_t)
role system_r types restorecon_t; role system_r types restorecon_t;
type run_init_t; type run_init_t;
domain_make_domain(run_init_t) domain_type(run_init_t)
type run_init_exec_t; type run_init_exec_t;
domain_make_entrypoint_file(run_init_t,run_init_exec_t) domain_entry_file(run_init_t,run_init_exec_t)
# #
# selinux_config_t is the type applied to # selinux_config_t is the type applied to
# /etc/selinux/config # /etc/selinux/config
# #
type selinux_config_t; type selinux_config_t;
files_make_file(selinux_config_t) files_file_type(selinux_config_t)
type setfiles_t, can_relabelto_binary_policy; type setfiles_t, can_relabelto_binary_policy;
kernel_make_object_identity_change_constraint_exception(setfiles_t) kernel_obj_id_change_exempt(setfiles_t)
domain_make_domain(setfiles_t) domain_type(setfiles_t)
role system_r types setfiles_t; role system_r types setfiles_t;
type setfiles_exec_t; type setfiles_exec_t;
domain_make_entrypoint_file(setfiles_t,setfiles_exec_t) domain_entry_file(setfiles_t,setfiles_exec_t)
######################################## ########################################
# #
@ -115,18 +115,18 @@ fs_getattr_xattr_fs(checkpolicy_t)
term_use_console(checkpolicy_t) term_use_console(checkpolicy_t)
domain_use_widely_inheritable_file_descriptors(checkpolicy_t) domain_use_wide_inherit_fd(checkpolicy_t)
# directory search permissions for path to source and binary policy files # directory search permissions for path to source and binary policy files
files_search_general_system_config_directory(checkpolicy_t) files_search_etc(checkpolicy_t)
init_use_file_descriptors(checkpolicy_t) init_use_fd(checkpolicy_t)
init_script_use_pseudoterminal(checkpolicy_t) init_use_script_pty(checkpolicy_t)
libraries_use_dynamic_loader(checkpolicy_t) libs_use_ld_so(checkpolicy_t)
libraries_use_shared_libraries(checkpolicy_t) libs_use_shared_libs(checkpolicy_t)
userdomain_use_all_users_file_descriptors(checkpolicy_t) userdom_use_all_user_fd(checkpolicy_t)
ifdef(`TODO',` ifdef(`TODO',`
# Read the devpts root directory. # Read the devpts root directory.
@ -158,19 +158,19 @@ fs_getattr_xattr_fs(load_policy_t)
term_use_console(load_policy_t) term_use_console(load_policy_t)
term_list_ptys(load_policy_t) term_list_ptys(load_policy_t)
init_script_use_file_descriptors(load_policy_t) init_use_script_fd(load_policy_t)
init_script_use_pseudoterminal(load_policy_t) init_use_script_pty(load_policy_t)
domain_use_widely_inheritable_file_descriptors(load_policy_t) domain_use_wide_inherit_fd(load_policy_t)
files_search_general_system_config_directory(load_policy_t) files_search_etc(load_policy_t)
libraries_use_dynamic_loader(load_policy_t) libs_use_ld_so(load_policy_t)
libraries_use_shared_libraries(load_policy_t) libs_use_shared_libs(load_policy_t)
miscfiles_read_localization(load_policy_t) miscfiles_read_localization(load_policy_t)
userdomain_use_all_users_file_descriptors(load_policy_t) userdom_use_all_user_fd(load_policy_t)
######################################## ########################################
# #
@ -210,23 +210,23 @@ fs_getattr_xattr_fs(newrole_t)
term_use_all_user_ttys(newrole_t) term_use_all_user_ttys(newrole_t)
term_use_all_user_ptys(newrole_t) term_use_all_user_ptys(newrole_t)
authlogin_check_password_transition(newrole_t) auth_domtrans_chk_passwd(newrole_t)
domain_use_widely_inheritable_file_descriptors(newrole_t) domain_use_wide_inherit_fd(newrole_t)
# Write to utmp. # Write to utmp.
init_script_modify_runtime_data(newrole_t) init_rw_script_pid(newrole_t)
files_read_general_system_config(newrole_t) files_read_generic_etc_files(newrole_t)
libraries_use_dynamic_loader(newrole_t) libs_use_ld_so(newrole_t)
libraries_use_shared_libraries(newrole_t) libs_use_shared_libs(newrole_t)
logging_send_system_log_message(newrole_t) logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t) miscfiles_read_localization(newrole_t)
userdomain_use_all_unprivileged_users_file_descriptors(newrole_t) userdom_use_unpriv_users_fd(newrole_t)
ifdef(`TODO',` ifdef(`TODO',`
@ -291,23 +291,23 @@ fs_getattr_xattr_fs(restorecon_t)
term_use_unallocated_tty(restorecon_t) term_use_unallocated_tty(restorecon_t)
init_use_file_descriptors(restorecon_t) init_use_fd(restorecon_t)
init_script_use_pseudoterminal(restorecon_t) init_use_script_pty(restorecon_t)
domain_use_widely_inheritable_file_descriptors(restorecon_t) domain_use_wide_inherit_fd(restorecon_t)
files_read_runtime_system_config(restorecon_t) files_read_etc_runtime_files(restorecon_t)
files_read_general_system_config(restorecon_t) files_read_generic_etc_files(restorecon_t)
libraries_use_dynamic_loader(restorecon_t) libs_use_ld_so(restorecon_t)
libraries_use_shared_libraries(restorecon_t) libs_use_shared_libs(restorecon_t)
logging_send_system_log_message(restorecon_t) logging_send_syslog_msg(restorecon_t)
userdomain_use_all_users_file_descriptors(restorecon_t) userdom_use_all_user_fd(restorecon_t)
optional_policy(`hotplug.te',` optional_policy(`hotplug.te',`
hotplug_use_file_descriptors(restorecon_t) hotplug_use_fd(restorecon_t)
') ')
# relabeling rules # relabeling rules
@ -315,9 +315,9 @@ kernel_relabel_unlabeled(restorecon_t)
dev_relabel_all_dev_nodes(restorecon_t) dev_relabel_all_dev_nodes(restorecon_t)
files_relabel_all_files(restorecon_t) files_relabel_all_files(restorecon_t)
files_read_all_directories(restorecon_t) files_list_all_dirs(restorecon_t)
# this is to satisfy the assertion: # this is to satisfy the assertion:
authlogin_relabel_to_shadow_passwords(restorecon_t) auth_relabelto_shadow(restorecon_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
fs_use_tmpfs_character_devices(restorecon_t) fs_use_tmpfs_character_devices(restorecon_t)
@ -363,34 +363,34 @@ ifdef(`targeted_policy',`',`
fs_getattr_xattr_fs(run_init_t) fs_getattr_xattr_fs(run_init_t)
dev_dontaudit_list_all_nodes(run_init_t) dev_dontaudit_list_all_dev_nodes(run_init_t)
term_dontaudit_list_ptys(run_init_t) term_dontaudit_list_ptys(run_init_t)
authlogin_check_password_transition(run_init_t) auth_domtrans_chk_passwd(run_init_t)
authlogin_ignore_read_shadow_passwords(run_init_t) auth_dontaudit_read_shadow(run_init_t)
corecommands_execute_general_programs(run_init_t) corecmd_exec_bin(run_init_t)
corecommands_execute_shell(run_init_t) corecmd_exec_shell(run_init_t)
domain_use_widely_inheritable_file_descriptors(run_init_t) domain_use_wide_inherit_fd(run_init_t)
files_read_general_system_config(run_init_t) files_read_generic_etc_files(run_init_t)
files_ignore_search_all_directories(run_init_t) files_dontaudit_search_all_dirs(run_init_t)
init_script_transition(run_init_t) init_domtrans_script(run_init_t)
# for utmp # for utmp
init_script_modify_runtime_data(run_init_t) init_rw_script_pid(run_init_t)
libraries_use_dynamic_loader(run_init_t) libs_use_ld_so(run_init_t)
libraries_use_shared_libraries(run_init_t) libs_use_shared_libs(run_init_t)
selinux_read_config(run_init_t) selinux_read_config(run_init_t)
selinux_read_default_contexts(run_init_t) selinux_read_default_contexts(run_init_t)
miscfiles_read_localization(run_init_t) miscfiles_read_localization(run_init_t)
logging_send_system_log_message(run_init_t) logging_send_syslog_msg(run_init_t)
') dnl end ifdef targeted policy ') dnl end ifdef targeted policy
ifdef(`TODO',` ifdef(`TODO',`
@ -398,7 +398,7 @@ ifdef(`TODO',`
ifdef(`distro_gentoo', ` ifdef(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript: # Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
domain_make_entrypoint_file(run_init_t,initrc_exec_t) domain_entry_file(run_init_t,initrc_exec_t)
') ')
') dnl end TODO ') dnl end TODO
@ -427,34 +427,33 @@ term_use_all_user_ttys(setfiles_t)
term_use_all_user_ptys(setfiles_t) term_use_all_user_ptys(setfiles_t)
term_use_unallocated_tty(setfiles_t) term_use_unallocated_tty(setfiles_t)
init_use_file_descriptors(setfiles_t) init_use_fd(setfiles_t)
init_script_use_file_descriptors(setfiles_t) init_use_script_fd(setfiles_t)
init_script_use_pseudoterminal(setfiles_t) init_use_script_pty(setfiles_t)
domain_use_widely_inheritable_file_descriptors(setfiles_t) domain_use_wide_inherit_fd(setfiles_t)
libraries_use_dynamic_loader(setfiles_t) libs_use_ld_so(setfiles_t)
libraries_use_shared_libraries(setfiles_t) libs_use_shared_libs(setfiles_t)
files_read_runtime_system_config(setfiles_t) files_read_etc_runtime_files(setfiles_t)
files_read_general_system_config(setfiles_t) files_read_generic_etc_files(setfiles_t)
logging_send_system_log_message(setfiles_t) logging_send_syslog_msg(setfiles_t)
miscfiles_read_localization(setfiles_t) miscfiles_read_localization(setfiles_t)
userdomain_use_all_users_file_descriptors(setfiles_t) userdom_use_all_user_fd(setfiles_t)
# for config files in a home directory # for config files in a home directory
userdomain_read_all_users_data(setfiles_t) userdom_read_all_user_data(setfiles_t)
# relabeling rules # relabeling rules
kernel_relabel_unlabeled(setfiles_t) kernel_relabel_unlabeled(setfiles_t)
dev_relabel_all_dev_nodes(setfiles_t) dev_relabel_all_dev_nodes(setfiles_t)
files_list_all_dirs(setfiles_t)
files_read_all_directories(setfiles_t)
files_relabel_all_files(setfiles_t) files_relabel_all_files(setfiles_t)
# this is to satisfy the assertion: # this is to satisfy the assertion:
authlogin_relabel_to_shadow_passwords(setfiles_t) auth_relabelto_shadow(setfiles_t)
ifdef(`TODO',` ifdef(`TODO',`
# for upgrading glibc and other shared objects - without this the upgrade # for upgrading glibc and other shared objects - without this the upgrade


@ -2,7 +2,7 @@
## <summary>Policy for SELinux policy and userland applications.</summary> ## <summary>Policy for SELinux policy and userland applications.</summary>
####################################### #######################################
## <interface name="selinux_checkpolicy_transition"> ## <interface name="selinux_domtrans_checkpol">
## <description> ## <description>
## Execute checkpolicy in the checkpolicy domain. ## Execute checkpolicy in the checkpolicy domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_checkpolicy_transition',` define(`selinux_domtrans_checkpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 checkpolicy_exec_t:file rx_file_perms; allow $1 checkpolicy_exec_t:file rx_file_perms;
@ -25,7 +25,7 @@ define(`selinux_checkpolicy_transition',`
allow checkpolicy_t $1:process sigchld; allow checkpolicy_t $1:process sigchld;
') ')
define(`selinux_checkpolicy_transition_depend',` define(`selinux_domtrans_checkpol_depend',`
type checkpolicy_t, checkpolicy_exec_t; type checkpolicy_t, checkpolicy_exec_t;
class file rx_file_perms class file rx_file_perms
@ -35,7 +35,7 @@ define(`selinux_checkpolicy_transition_depend',`
') ')
######################################## ########################################
## <interface name="selinux_checkpolicy_transition_add_role_use_terminal"> ## <interface name="selinux_run_checkpol">
## <description> ## <description>
## Execute checkpolicy in the checkpolicy domain, and ## Execute checkpolicy in the checkpolicy domain, and
## allow the specified role the checkpolicy domain, ## allow the specified role the checkpolicy domain,
@ -53,15 +53,15 @@ define(`selinux_checkpolicy_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_checkpolicy_transition_add_role_use_terminal',` define(`selinux_run_checkpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
selinux_checkpolicy_transition($1) selinux_domtrans_checkpol($1)
role $2 types checkpolicy_t; role $2 types checkpolicy_t;
allow checkpolicy_t $3:chr_file { getattr read write ioctl }; allow checkpolicy_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',` define(`selinux_run_checkpol_depend',`
type checkpolicy_t; type checkpolicy_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -69,22 +69,22 @@ define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
####################################### #######################################
# #
# selinux_checkpolicy_execute(domain) # selinux_exec_checkpol(domain)
# #
define(`selinux_checkpolicy_execute',` define(`selinux_exec_checkpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,checkpolicy_exec_t) can_exec($1,checkpolicy_exec_t)
') ')
define(`selinux_checkpolicy_execute_depend',` define(`selinux_exec_checkpol_depend',`
type checkpolicy_exec_t; type checkpolicy_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
') ')
####################################### #######################################
## <interface name="selinux_load_policy_transition"> ## <interface name="selinux_domtrans_loadpol">
## <description> ## <description>
## Execute load_policy in the load_policy domain. ## Execute load_policy in the load_policy domain.
## </description> ## </description>
@ -93,7 +93,7 @@ define(`selinux_checkpolicy_execute_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_load_policy_transition',` define(`selinux_domtrans_loadpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file rx_file_perms; allow $1 load_policy_exec_t:file rx_file_perms;
@ -107,7 +107,7 @@ define(`selinux_load_policy_transition',`
allow load_policy_t $1:process sigchld; allow load_policy_t $1:process sigchld;
') ')
define(`selinux_load_policy_transition_depend',` define(`selinux_domtrans_loadpol_depend',`
type load_policy_t, load_policy_exec_t; type load_policy_t, load_policy_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -117,7 +117,7 @@ define(`selinux_load_policy_transition_depend',`
') ')
######################################## ########################################
## <interface name="selinux_load_policy_transition_add_role_use_terminal"> ## <interface name="selinux_run_loadpol">
## <description> ## <description>
## Execute load_policy in the load_policy domain, and ## Execute load_policy in the load_policy domain, and
## allow the specified role the load_policy domain, ## allow the specified role the load_policy domain,
@ -135,15 +135,15 @@ define(`selinux_load_policy_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_load_policy_transition_add_role_use_terminal',` define(`selinux_run_loadpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
selinux_load_policy_transition($1) selinux_domtrans_loadpol($1)
role $2 types load_policy_t; role $2 types load_policy_t;
allow load_policy_t $3:chr_file { getattr read write ioctl }; allow load_policy_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_load_policy_transition_add_role_use_terminal_depend',` define(`selinux_run_loadpol_depend',`
type load_policy_t; type load_policy_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -151,15 +151,15 @@ define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
####################################### #######################################
# #
# selinux_load_policy_execute(domain) # selinux_exec_loadpol(domain)
# #
define(`selinux_load_policy_execute',` define(`selinux_exec_loadpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,load_policy_exec_t) can_exec($1,load_policy_exec_t)
') ')
define(`selinux_load_policy_execute_depend',` define(`selinux_exec_loadpol_depend',`
type load_policy_exec_t; type load_policy_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
@ -167,22 +167,22 @@ define(`selinux_load_policy_execute_depend',`
####################################### #######################################
# #
# selinux_read_load_policy_binary(domain) # selinux_read_loadpol(domain)
# #
define(`selinux_read_load_policy_binary',` define(`selinux_read_loadpol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 load_policy_exec_t:file r_file_perms; allow $1 load_policy_exec_t:file r_file_perms;
') ')
define(`selinux_read_load_policy_binary_depend',` define(`selinux_read_loadpol_depend',`
type load_policy_exec_t; type load_policy_exec_t;
class file r_file_perms class file r_file_perms
') ')
####################################### #######################################
## <interface name="selinux_newrole_transition"> ## <interface name="selinux_domtrans_newrole">
## <description> ## <description>
## Execute newrole in the load_policy domain. ## Execute newrole in the load_policy domain.
## </description> ## </description>
@ -191,7 +191,7 @@ define(`selinux_read_load_policy_binary_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_newrole_transition',` define(`selinux_domtrans_newrole',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 newrole_exec_t:file rx_file_perms; allow $1 newrole_exec_t:file rx_file_perms;
@ -205,7 +205,7 @@ define(`selinux_newrole_transition',`
allow newrole_t $1:process sigchld; allow newrole_t $1:process sigchld;
') ')
define(`selinux_newrole_transition_depend',` define(`selinux_domtrans_newrole_depend',`
type newrole_t, newrole_exec_t; type newrole_t, newrole_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -215,7 +215,7 @@ define(`selinux_newrole_transition_depend',`
') ')
######################################## ########################################
## <interface name="selinux_newrole_transition_add_role_use_terminal"> ## <interface name="selinux_run_newrole">
## <description> ## <description>
## Execute newrole in the newrole domain, and ## Execute newrole in the newrole domain, and
## allow the specified role the newrole domain, ## allow the specified role the newrole domain,
@ -232,15 +232,15 @@ define(`selinux_newrole_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_newrole_transition_add_role_use_terminal',` define(`selinux_run_newrole',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
selinux_newrole_transition($1) selinux_domtrans_newrole($1)
role $2 types newrole_t; role $2 types newrole_t;
allow newrole_t $3:chr_file { getattr read write ioctl }; allow newrole_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_newrole_transition_add_role_use_terminal_depend',` define(`selinux_run_newrole_depend',`
type newrole_t; type newrole_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -248,22 +248,22 @@ define(`selinux_newrole_transition_add_role_use_terminal_depend',`
####################################### #######################################
# #
# selinux_newrole_execute(domain) # selinux_exec_newrole(domain)
# #
define(`selinux_newrole_execute',` define(`selinux_exec_newrole',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,newrole_exec_t) can_exec($1,newrole_exec_t)
') ')
define(`selinux_newrole_execute_depend',` define(`selinux_exec_newrole_depend',`
type newrole_t, newrole_exec_t; type newrole_t, newrole_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
') ')
######################################## ########################################
## <interface name="selinux_newrole_ignore_signal"> ## <interface name="selinux_dontaudit_newrole_signal">
## <description> ## <description>
## Do not audit the caller attempts to send ## Do not audit the caller attempts to send
## a signal to newrole. ## a signal to newrole.
@ -273,13 +273,13 @@ define(`selinux_newrole_execute_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_newrole_ignore_signal',` define(`selinux_dontaudit_newrole_signal',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 newrole_t:process signal; dontaudit $1 newrole_t:process signal;
') ')
define(`selinux_newrole_ignore_signal_depend',` define(`selinux_dontaudit_newrole_signal_depend',`
type newrole_t; type newrole_t;
class process signal; class process signal;
@ -303,22 +303,22 @@ define(`selinux_newrole_sigchld_depend',`
####################################### #######################################
# #
# selinux_newrole_use_file_descriptors(domain) # selinux_use_newrole_fd(domain)
# #
define(`selinux_newrole_use_file_descriptors',` define(`selinux_use_newrole_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 newrole_t:fd use; allow $1 newrole_t:fd use;
') ')
define(`selinux_newrole_use_file_descriptors_depend',` define(`selinux_use_newrole_fd_depend',`
type newrole_t; type newrole_t;
class fd use; class fd use;
') ')
####################################### #######################################
## <interface name="selinux_restorecon_transition"> ## <interface name="selinux_domtrans_restorecon">
## <description> ## <description>
## Execute restorecon in the restorecon domain. ## Execute restorecon in the restorecon domain.
## </description> ## </description>
@ -327,7 +327,7 @@ define(`selinux_newrole_use_file_descriptors_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_restorecon_transition',` define(`selinux_domtrans_restorecon',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 restorecon_exec_t:file rx_file_perms; allow $1 restorecon_exec_t:file rx_file_perms;
@ -341,7 +341,7 @@ define(`selinux_restorecon_transition',`
allow restorecon_t $1:process sigchld; allow restorecon_t $1:process sigchld;
') ')
define(`selinux_restorecon_transition_depend',` define(`selinux_domtrans_restorecon_depend',`
type restorecon_t, restorecon_exec_t; type restorecon_t, restorecon_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -351,7 +351,7 @@ define(`selinux_restorecon_transition_depend',`
') ')
######################################## ########################################
## <interface name="selinux_restorecon_transition_add_role_use_terminal"> ## <interface name="selinux_run_restorecon">
## <description> ## <description>
## Execute restorecon in the restorecon domain, and ## Execute restorecon in the restorecon domain, and
## allow the specified role the restorecon domain, ## allow the specified role the restorecon domain,
@ -368,15 +368,15 @@ define(`selinux_restorecon_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_restorecon_transition_add_role_use_terminal',` define(`selinux_run_restorecon',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
selinux_restorecon_transition($1) selinux_domtrans_restorecon($1)
role $2 types restorecon_t; role $2 types restorecon_t;
allow restorecon_t $3:chr_file { getattr read write ioctl }; allow restorecon_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_restorecon_transition_add_role_use_terminal_depend',` define(`selinux_run_restorecon_depend',`
type restorecon_t; type restorecon_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -384,21 +384,21 @@ define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
####################################### #######################################
# #
# selinux_restorecon_execute(domain) # selinux_exec_restorecon(domain)
# #
define(`selinux_restorecon_execute',` define(`selinux_exec_restorecon',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,restorecon_exec_t) can_exec($1,restorecon_exec_t)
') ')
define(`selinux_restorecon_execute_depend',` define(`selinux_exec_restorecon_depend',`
type restorecon_t, restorecon_exec_t; type restorecon_t, restorecon_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
') ')
######################################## ########################################
## <interface name="selinux_run_init_transition"> ## <interface name="selinux_domtrans_runinit">
## <description> ## <description>
## Execute run_init in the run_init domain. ## Execute run_init in the run_init domain.
## </description> ## </description>
@ -407,7 +407,7 @@ define(`selinux_restorecon_execute_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_run_init_transition',` define(`selinux_domtrans_runinit',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 run_init_exec_t:file rx_file_perms; allow $1 run_init_exec_t:file rx_file_perms;
@ -421,7 +421,7 @@ define(`selinux_run_init_transition',`
allow run_init_t $1:process sigchld; allow run_init_t $1:process sigchld;
') ')
define(`selinux_run_init_transition_depend',` define(`selinux_domtrans_runinit_depend',`
type run_init_t, run_init_exec_t; type run_init_t, run_init_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -431,7 +431,7 @@ define(`selinux_run_init_transition_depend',`
') ')
######################################## ########################################
## <interface name="selinux_run_init_transition_add_role_use_terminal"> ## <interface name="selinux_run_runinit">
## <description> ## <description>
## Execute run_init in the run_init domain, and ## Execute run_init in the run_init domain, and
## allow the specified role the run_init domain, ## allow the specified role the run_init domain,
@ -448,15 +448,15 @@ define(`selinux_run_init_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_run_init_transition_add_role_use_terminal',` define(`selinux_run_runinit',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
selinux_run_init_transition($1) selinux_domtrans_runinit($1)
role $2 types run_init_t; role $2 types run_init_t;
allow run_init_t $3:chr_file { getattr read write ioctl }; allow run_init_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_run_init_transition_add_role_use_terminal_depend',` define(`selinux_run_runinit_depend',`
type run_init_t; type run_init_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -464,22 +464,22 @@ define(`selinux_run_init_transition_add_role_use_terminal_depend',`
######################################## ########################################
# #
# selinux_run_init_use_file_descriptors(domain) # selinux_use_runinit_fd(domain)
# #
define(`selinux_run_init_use_file_descriptors',` define(`selinux_use_runinit_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 run_init_t:fd use; allow $1 run_init_t:fd use;
') ')
define(`selinux_run_init_use_file_descriptors_depend',` define(`selinux_use_runinit_fd_depend',`
type run_init_t; type run_init_t;
class fd use; class fd use;
') ')
######################################## ########################################
## <interface name="selinux_setfiles_transition"> ## <interface name="selinux_domtrans_setfiles">
## <description> ## <description>
## Execute setfiles in the setfiles domain. ## Execute setfiles in the setfiles domain.
## </description> ## </description>
@ -488,7 +488,7 @@ define(`selinux_run_init_use_file_descriptors_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_setfiles_transition',` define(`selinux_domtrans_setfiles',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 setfiles_exec_t:file rx_file_perms; allow $1 setfiles_exec_t:file rx_file_perms;
@ -502,7 +502,7 @@ define(`selinux_setfiles_transition',`
allow setfiles_t $1:process sigchld; allow setfiles_t $1:process sigchld;
') ')
define(`selinux_setfiles_transition_depend',` define(`selinux_domtrans_setfiles_depend',`
type setfiles_t, setfiles_exec_t; type setfiles_t, setfiles_exec_t;
class file rx_file_perms; class file rx_file_perms;
@ -512,7 +512,7 @@ define(`selinux_setfiles_transition_depend',`
') ')
######################################## ########################################
## <interface name="selinux_setfiles_transition_add_role_use_terminal"> ## <interface name="selinux_run_setfiles">
## <description> ## <description>
## Execute setfiles in the setfiles domain, and ## Execute setfiles in the setfiles domain, and
## allow the specified role the setfiles domain, ## allow the specified role the setfiles domain,
@ -529,15 +529,15 @@ define(`selinux_setfiles_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_setfiles_transition_add_role_use_terminal',` define(`selinux_run_setfiles',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
selinux_setfiles_transition($1) selinux_domtrans_setfiles($1)
role $2 types setfiles_t; role $2 types setfiles_t;
allow setfiles_t $3:chr_file { getattr read write ioctl }; allow setfiles_t $3:chr_file { getattr read write ioctl };
') ')
define(`selinux_setfiles_transition_add_role_use_terminal_depend',` define(`selinux_run_setfiles_depend',`
type setfiles_t; type setfiles_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
@ -545,15 +545,15 @@ define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
####################################### #######################################
# #
# selinux_setfiles_execute(domain) # selinux_exec_setfiles(domain)
# #
define(`selinux_setfiles_execute',` define(`selinux_exec_setfiles',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
can_exec($1,setfiles_exec_t) can_exec($1,setfiles_exec_t)
') ')
define(`selinux_setfiles_execute_depend',` define(`selinux_exec_setfiles_depend',`
type setfiles_exec_t; type setfiles_exec_t;
class file { rx_file_perms execute_no_trans }; class file { rx_file_perms execute_no_trans };
@ -617,16 +617,16 @@ define(`selinux_read_file_contexts_depend',`
######################################## ########################################
# #
# selinux_read_binary_policy(domain) # selinux_read_binary_pol(domain)
# #
define(`selinux_read_binary_policy',` define(`selinux_read_binary_pol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 policy_config_t:dir r_dir_perms; allow $1 policy_config_t:dir r_dir_perms;
allow $1 policy_config_t:file r_file_perms; allow $1 policy_config_t:file r_file_perms;
') ')
define(`selinux_read_binary_policy_depend',` define(`selinux_read_binary_pol_depend',`
type policy_config_t; type policy_config_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -635,9 +635,9 @@ define(`selinux_read_binary_policy_depend',`
######################################## ########################################
# #
# selinux_write_binary_policy(domain) # selinux_write_binary_pol(domain)
# #
define(`selinux_write_binary_policy',` define(`selinux_write_binary_pol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 policy_config_t:dir rw_dir_perms; allow $1 policy_config_t:dir rw_dir_perms;
@ -645,7 +645,7 @@ define(`selinux_write_binary_policy',`
typeattribute $1 can_write_binary_policy; typeattribute $1 can_write_binary_policy;
') ')
define(`selinux_write_binary_policy_depend',` define(`selinux_write_binary_pol_depend',`
attribute can_write_binary_policy; attribute can_write_binary_policy;
type policy_config_t; type policy_config_t;
@ -655,7 +655,7 @@ define(`selinux_write_binary_policy_depend',`
') ')
######################################## ########################################
## <interface name="selinux_relabelto_binary_policy"> ## <interface name="selinux_relabelto_binary_pol">
## <description> ## <description>
## Allow the caller to relabel a file to the binary policy type. ## Allow the caller to relabel a file to the binary policy type.
## </description> ## </description>
@ -664,14 +664,14 @@ define(`selinux_write_binary_policy_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`selinux_relabelto_binary_policy',` define(`selinux_relabelto_binary_pol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 policy_config_t:file relabelto; allow $1 policy_config_t:file relabelto;
typeattribute $1 can_relabelto_binary_policy; typeattribute $1 can_relabelto_binary_policy;
') ')
define(`selinux_relabelto_binary_policy_depend',` define(`selinux_relabelto_binary_pol_depend',`
attribute can_relabelto_binary_policy; attribute can_relabelto_binary_policy;
type policy_config_t; type policy_config_t;
@ -681,9 +681,9 @@ define(`selinux_relabelto_binary_policy_depend',`
######################################## ########################################
# #
# selinux_manage_binary_policy(domain) # selinux_manage_binary_pol(domain)
# #
define(`selinux_manage_binary_policy',` define(`selinux_manage_binary_pol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
# FIXME: search etc_t:dir # FIXME: search etc_t:dir
@ -693,7 +693,7 @@ define(`selinux_manage_binary_policy',`
typeattribute $1 can_write_binary_policy; typeattribute $1 can_write_binary_policy;
') ')
define(`selinux_manage_binary_policy_depend',` define(`selinux_manage_binary_pol_depend',`
attribute can_write_binary_policy; attribute can_write_binary_policy;
type selinux_config_t, policy_config_t; type selinux_config_t, policy_config_t;
@ -703,9 +703,9 @@ define(`selinux_manage_binary_policy_depend',`
######################################## ########################################
# #
# selinux_read_source_policy(domain) # selinux_read_src_pol(domain)
# #
define(`selinux_read_source_policy',` define(`selinux_read_src_pol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
# FIXME: search etc_t:dir # FIXME: search etc_t:dir
@ -714,7 +714,7 @@ define(`selinux_read_source_policy',`
allow $1 policy_src_t:file r_file_perms; allow $1 policy_src_t:file r_file_perms;
') ')
define(`selinux_read_source_policy_depend',` define(`selinux_read_src_pol_depend',`
type selinux_config_t, policy_src_t; type selinux_config_t, policy_src_t;
class dir r_dir_perms; class dir r_dir_perms;
@ -723,9 +723,9 @@ define(`selinux_read_source_policy_depend',`
######################################## ########################################
# #
# selinux_manage_source_policy(domain) # selinux_manage_src_pol(domain)
# #
define(`selinux_manage_source_policy',` define(`selinux_manage_src_pol',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
# FIXME: search etc_t:dir # FIXME: search etc_t:dir
@ -734,7 +734,7 @@ define(`selinux_manage_source_policy',`
allow $1 policy_src_t:file create_file_perms; allow $1 policy_src_t:file create_file_perms;
') ')
define(`selinux_manage_source_policy_depend',` define(`selinux_manage_src_pol_depend',`
type selinux_config_t, policy_src_t; type selinux_config_t, policy_src_t;
class dir create_dir_perms; class dir create_dir_perms;


@ -10,48 +10,48 @@ attribute can_write_binary_policy;
attribute can_relabelto_binary_policy; attribute can_relabelto_binary_policy;
type checkpolicy_t, can_write_binary_policy; type checkpolicy_t, can_write_binary_policy;
domain_make_domain(checkpolicy_t) domain_type(checkpolicy_t)
role system_r types checkpolicy_t; role system_r types checkpolicy_t;
type checkpolicy_exec_t; type checkpolicy_exec_t;
domain_make_entrypoint_file(checkpolicy_t,checkpolicy_exec_t) domain_entry_file(checkpolicy_t,checkpolicy_exec_t)
# #
# default_context_t is the type applied to # default_context_t is the type applied to
# /etc/selinux/*/contexts/* # /etc/selinux/*/contexts/*
# #
type default_context_t; type default_context_t;
files_make_file(default_context_t) files_file_type(default_context_t)
# #
# file_context_t is the type applied to # file_context_t is the type applied to
# /etc/selinux/*/contexts/files # /etc/selinux/*/contexts/files
# #
type file_context_t; type file_context_t;
files_make_file(file_context_t) files_file_type(file_context_t)
type load_policy_t; type load_policy_t;
domain_make_domain(load_policy_t) domain_type(load_policy_t)
role system_r types load_policy_t; role system_r types load_policy_t;
type load_policy_exec_t; type load_policy_exec_t;
domain_make_entrypoint_file(load_policy_t,load_policy_exec_t) domain_entry_file(load_policy_t,load_policy_exec_t)
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
kernel_make_role_change_constraint_exception(newrole_t) kernel_role_change_exempt(newrole_t)
kernel_make_object_identity_change_constraint_exception(newrole_t) kernel_obj_id_change_exempt(newrole_t)
domain_make_domain(newrole_t) domain_type(newrole_t)
domain_make_file_descriptors_widely_inheritable(newrole_t) domain_wide_inherit_fd(newrole_t)
type newrole_exec_t; type newrole_exec_t;
domain_make_entrypoint_file(newrole_t,newrole_exec_t) domain_entry_file(newrole_t,newrole_exec_t)
# #
# policy_config_t is the type of /etc/security/selinux/* # policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration. # the security server policy configuration.
# #
type policy_config_t; type policy_config_t;
files_make_file(policy_config_t) files_file_type(policy_config_t)
neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto; neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
neverallow ~can_write_binary_policy policy_config_t:file { write append }; neverallow ~can_write_binary_policy policy_config_t:file { write append };
@ -61,34 +61,34 @@ neverallow ~can_write_binary_policy policy_config_t:file { write append };
# files. # files.
# #
type policy_src_t; type policy_src_t;
files_make_file(policy_src_t) files_file_type(policy_src_t)
type restorecon_t, can_relabelto_binary_policy; type restorecon_t, can_relabelto_binary_policy;
type restorecon_exec_t; type restorecon_exec_t;
kernel_make_object_identity_change_constraint_exception(restorecon_t) kernel_obj_id_change_exempt(restorecon_t)
init_make_system_domain(restorecon_t,restorecon_exec_t) init_system_domain(restorecon_t,restorecon_exec_t)
role system_r types restorecon_t; role system_r types restorecon_t;
type run_init_t; type run_init_t;
domain_make_domain(run_init_t) domain_type(run_init_t)
type run_init_exec_t; type run_init_exec_t;
domain_make_entrypoint_file(run_init_t,run_init_exec_t) domain_entry_file(run_init_t,run_init_exec_t)
# #
# selinux_config_t is the type applied to # selinux_config_t is the type applied to
# /etc/selinux/config # /etc/selinux/config
# #
type selinux_config_t; type selinux_config_t;
files_make_file(selinux_config_t) files_file_type(selinux_config_t)
type setfiles_t, can_relabelto_binary_policy; type setfiles_t, can_relabelto_binary_policy;
kernel_make_object_identity_change_constraint_exception(setfiles_t) kernel_obj_id_change_exempt(setfiles_t)
domain_make_domain(setfiles_t) domain_type(setfiles_t)
role system_r types setfiles_t; role system_r types setfiles_t;
type setfiles_exec_t; type setfiles_exec_t;
domain_make_entrypoint_file(setfiles_t,setfiles_exec_t) domain_entry_file(setfiles_t,setfiles_exec_t)
######################################## ########################################
# #
@ -115,18 +115,18 @@ fs_getattr_xattr_fs(checkpolicy_t)
term_use_console(checkpolicy_t) term_use_console(checkpolicy_t)
domain_use_widely_inheritable_file_descriptors(checkpolicy_t) domain_use_wide_inherit_fd(checkpolicy_t)
# directory search permissions for path to source and binary policy files # directory search permissions for path to source and binary policy files
files_search_general_system_config_directory(checkpolicy_t) files_search_etc(checkpolicy_t)
init_use_file_descriptors(checkpolicy_t) init_use_fd(checkpolicy_t)
init_script_use_pseudoterminal(checkpolicy_t) init_use_script_pty(checkpolicy_t)
libraries_use_dynamic_loader(checkpolicy_t) libs_use_ld_so(checkpolicy_t)
libraries_use_shared_libraries(checkpolicy_t) libs_use_shared_libs(checkpolicy_t)
userdomain_use_all_users_file_descriptors(checkpolicy_t) userdom_use_all_user_fd(checkpolicy_t)
ifdef(`TODO',` ifdef(`TODO',`
# Read the devpts root directory. # Read the devpts root directory.
@ -158,19 +158,19 @@ fs_getattr_xattr_fs(load_policy_t)
term_use_console(load_policy_t) term_use_console(load_policy_t)
term_list_ptys(load_policy_t) term_list_ptys(load_policy_t)
init_script_use_file_descriptors(load_policy_t) init_use_script_fd(load_policy_t)
init_script_use_pseudoterminal(load_policy_t) init_use_script_pty(load_policy_t)
domain_use_widely_inheritable_file_descriptors(load_policy_t) domain_use_wide_inherit_fd(load_policy_t)
files_search_general_system_config_directory(load_policy_t) files_search_etc(load_policy_t)
libraries_use_dynamic_loader(load_policy_t) libs_use_ld_so(load_policy_t)
libraries_use_shared_libraries(load_policy_t) libs_use_shared_libs(load_policy_t)
miscfiles_read_localization(load_policy_t) miscfiles_read_localization(load_policy_t)
userdomain_use_all_users_file_descriptors(load_policy_t) userdom_use_all_user_fd(load_policy_t)
######################################## ########################################
# #
@ -210,23 +210,23 @@ fs_getattr_xattr_fs(newrole_t)
term_use_all_user_ttys(newrole_t) term_use_all_user_ttys(newrole_t)
term_use_all_user_ptys(newrole_t) term_use_all_user_ptys(newrole_t)
authlogin_check_password_transition(newrole_t) auth_domtrans_chk_passwd(newrole_t)
domain_use_widely_inheritable_file_descriptors(newrole_t) domain_use_wide_inherit_fd(newrole_t)
# Write to utmp. # Write to utmp.
init_script_modify_runtime_data(newrole_t) init_rw_script_pid(newrole_t)
files_read_general_system_config(newrole_t) files_read_generic_etc_files(newrole_t)
libraries_use_dynamic_loader(newrole_t) libs_use_ld_so(newrole_t)
libraries_use_shared_libraries(newrole_t) libs_use_shared_libs(newrole_t)
logging_send_system_log_message(newrole_t) logging_send_syslog_msg(newrole_t)
miscfiles_read_localization(newrole_t) miscfiles_read_localization(newrole_t)
userdomain_use_all_unprivileged_users_file_descriptors(newrole_t) userdom_use_unpriv_users_fd(newrole_t)
ifdef(`TODO',` ifdef(`TODO',`
@ -291,23 +291,23 @@ fs_getattr_xattr_fs(restorecon_t)
term_use_unallocated_tty(restorecon_t) term_use_unallocated_tty(restorecon_t)
init_use_file_descriptors(restorecon_t) init_use_fd(restorecon_t)
init_script_use_pseudoterminal(restorecon_t) init_use_script_pty(restorecon_t)
domain_use_widely_inheritable_file_descriptors(restorecon_t) domain_use_wide_inherit_fd(restorecon_t)
files_read_runtime_system_config(restorecon_t) files_read_etc_runtime_files(restorecon_t)
files_read_general_system_config(restorecon_t) files_read_generic_etc_files(restorecon_t)
libraries_use_dynamic_loader(restorecon_t) libs_use_ld_so(restorecon_t)
libraries_use_shared_libraries(restorecon_t) libs_use_shared_libs(restorecon_t)
logging_send_system_log_message(restorecon_t) logging_send_syslog_msg(restorecon_t)
userdomain_use_all_users_file_descriptors(restorecon_t) userdom_use_all_user_fd(restorecon_t)
optional_policy(`hotplug.te',` optional_policy(`hotplug.te',`
hotplug_use_file_descriptors(restorecon_t) hotplug_use_fd(restorecon_t)
') ')
# relabeling rules # relabeling rules
@ -315,9 +315,9 @@ kernel_relabel_unlabeled(restorecon_t)
dev_relabel_all_dev_nodes(restorecon_t) dev_relabel_all_dev_nodes(restorecon_t)
files_relabel_all_files(restorecon_t) files_relabel_all_files(restorecon_t)
files_read_all_directories(restorecon_t) files_list_all_dirs(restorecon_t)
# this is to satisfy the assertion: # this is to satisfy the assertion:
authlogin_relabel_to_shadow_passwords(restorecon_t) auth_relabelto_shadow(restorecon_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
fs_use_tmpfs_character_devices(restorecon_t) fs_use_tmpfs_character_devices(restorecon_t)
@ -363,34 +363,34 @@ ifdef(`targeted_policy',`',`
fs_getattr_xattr_fs(run_init_t) fs_getattr_xattr_fs(run_init_t)
dev_dontaudit_list_all_nodes(run_init_t) dev_dontaudit_list_all_dev_nodes(run_init_t)
term_dontaudit_list_ptys(run_init_t) term_dontaudit_list_ptys(run_init_t)
authlogin_check_password_transition(run_init_t) auth_domtrans_chk_passwd(run_init_t)
authlogin_ignore_read_shadow_passwords(run_init_t) auth_dontaudit_read_shadow(run_init_t)
corecommands_execute_general_programs(run_init_t) corecmd_exec_bin(run_init_t)
corecommands_execute_shell(run_init_t) corecmd_exec_shell(run_init_t)
domain_use_widely_inheritable_file_descriptors(run_init_t) domain_use_wide_inherit_fd(run_init_t)
files_read_general_system_config(run_init_t) files_read_generic_etc_files(run_init_t)
files_ignore_search_all_directories(run_init_t) files_dontaudit_search_all_dirs(run_init_t)
init_script_transition(run_init_t) init_domtrans_script(run_init_t)
# for utmp # for utmp
init_script_modify_runtime_data(run_init_t) init_rw_script_pid(run_init_t)
libraries_use_dynamic_loader(run_init_t) libs_use_ld_so(run_init_t)
libraries_use_shared_libraries(run_init_t) libs_use_shared_libs(run_init_t)
selinux_read_config(run_init_t) selinux_read_config(run_init_t)
selinux_read_default_contexts(run_init_t) selinux_read_default_contexts(run_init_t)
miscfiles_read_localization(run_init_t) miscfiles_read_localization(run_init_t)
logging_send_system_log_message(run_init_t) logging_send_syslog_msg(run_init_t)
') dnl end ifdef targeted policy ') dnl end ifdef targeted policy
ifdef(`TODO',` ifdef(`TODO',`
@ -398,7 +398,7 @@ ifdef(`TODO',`
ifdef(`distro_gentoo', ` ifdef(`distro_gentoo', `
# Gentoo integrated run_init+open_init_pty-runscript: # Gentoo integrated run_init+open_init_pty-runscript:
domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t) domain_auto_trans(sysadm_t,initrc_exec_t,run_init_t)
domain_make_entrypoint_file(run_init_t,initrc_exec_t) domain_entry_file(run_init_t,initrc_exec_t)
') ')
') dnl end TODO ') dnl end TODO
@ -427,34 +427,33 @@ term_use_all_user_ttys(setfiles_t)
term_use_all_user_ptys(setfiles_t) term_use_all_user_ptys(setfiles_t)
term_use_unallocated_tty(setfiles_t) term_use_unallocated_tty(setfiles_t)
init_use_file_descriptors(setfiles_t) init_use_fd(setfiles_t)
init_script_use_file_descriptors(setfiles_t) init_use_script_fd(setfiles_t)
init_script_use_pseudoterminal(setfiles_t) init_use_script_pty(setfiles_t)
domain_use_widely_inheritable_file_descriptors(setfiles_t) domain_use_wide_inherit_fd(setfiles_t)
libraries_use_dynamic_loader(setfiles_t) libs_use_ld_so(setfiles_t)
libraries_use_shared_libraries(setfiles_t) libs_use_shared_libs(setfiles_t)
files_read_runtime_system_config(setfiles_t) files_read_etc_runtime_files(setfiles_t)
files_read_general_system_config(setfiles_t) files_read_generic_etc_files(setfiles_t)
logging_send_system_log_message(setfiles_t) logging_send_syslog_msg(setfiles_t)
miscfiles_read_localization(setfiles_t) miscfiles_read_localization(setfiles_t)
userdomain_use_all_users_file_descriptors(setfiles_t) userdom_use_all_user_fd(setfiles_t)
# for config files in a home directory # for config files in a home directory
userdomain_read_all_users_data(setfiles_t) userdom_read_all_user_data(setfiles_t)
# relabeling rules # relabeling rules
kernel_relabel_unlabeled(setfiles_t) kernel_relabel_unlabeled(setfiles_t)
dev_relabel_all_dev_nodes(setfiles_t) dev_relabel_all_dev_nodes(setfiles_t)
files_list_all_dirs(setfiles_t)
files_read_all_directories(setfiles_t)
files_relabel_all_files(setfiles_t) files_relabel_all_files(setfiles_t)
# this is to satisfy the assertion: # this is to satisfy the assertion:
authlogin_relabel_to_shadow_passwords(setfiles_t) auth_relabelto_shadow(setfiles_t)
ifdef(`TODO',` ifdef(`TODO',`
# for upgrading glibc and other shared objects - without this the upgrade # for upgrading glibc and other shared objects - without this the upgrade


@ -2,7 +2,7 @@
## <summary>Policy for network configuration: ifconfig and dhcp client.</summary> ## <summary>Policy for network configuration: ifconfig and dhcp client.</summary>
####################################### #######################################
## <interface name="sysnetwork_dhcpc_transition"> ## <interface name="sysnet_domtrans_dhcpc">
## <description> ## <description>
## Execute dhcp client in dhcpc domain. ## Execute dhcp client in dhcpc domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`sysnetwork_dhcpc_transition',` define(`sysnet_domtrans_dhcpc',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1, dhcpc_exec_t, dhcpc_t) domain_auto_trans($1, dhcpc_exec_t, dhcpc_t)
@ -22,7 +22,7 @@ define(`sysnetwork_dhcpc_transition',`
allow dhcpc_t $1:process sigchld; allow dhcpc_t $1:process sigchld;
') ')
define(`sysnetwork_dhcpc_transition_depend',` define(`sysnet_domtrans_dhcpc_depend',`
type dhcpc_t, dhcpc_exec_t; type dhcpc_t, dhcpc_exec_t;
class file { getattr read execute }; class file { getattr read execute };
@ -32,7 +32,7 @@ define(`sysnetwork_dhcpc_transition_depend',`
') ')
####################################### #######################################
## <interface name="sysnetwork_ifconfig_transition"> ## <interface name="sysnet_domtrans_ifconfig">
## <description> ## <description>
## Execute ifconfig in the ifconfig domain. ## Execute ifconfig in the ifconfig domain.
## </description> ## </description>
@ -41,7 +41,7 @@ define(`sysnetwork_dhcpc_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`sysnetwork_ifconfig_transition',` define(`sysnet_domtrans_ifconfig',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1, ifconfig_exec_t, ifconfig_t) domain_auto_trans($1, ifconfig_exec_t, ifconfig_t)
@ -52,7 +52,7 @@ define(`sysnetwork_ifconfig_transition',`
allow ifconfig_t $1:process sigchld; allow ifconfig_t $1:process sigchld;
') ')
define(`sysnetwork_ifconfig_transition_depend',` define(`sysnet_domtrans_ifconfig_depend',`
type ifconfig_t, ifconfig_exec_t; type ifconfig_t, ifconfig_exec_t;
class file { getattr read execute }; class file { getattr read execute };
@ -62,7 +62,7 @@ define(`sysnetwork_ifconfig_transition_depend',`
') ')
######################################## ########################################
## <interface name="sysnetwork_ifconfig_transition_add_role_use_terminal"> ## <interface name="sysnet_run_ifconfig">
## <description> ## <description>
## Execute ifconfig in the ifconfig domain, and ## Execute ifconfig in the ifconfig domain, and
## allow the specified role the ifconfig domain, ## allow the specified role the ifconfig domain,
@ -79,22 +79,22 @@ define(`sysnetwork_ifconfig_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`sysnetwork_ifconfig_transition_add_role_use_terminal',` define(`sysnet_run_ifconfig',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
sysnetwork_ifconfig_transition($1) sysnet_domtrans_ifconfig($1)
role $2 types ifconfig_t; role $2 types ifconfig_t;
allow ifconfig_t $3:chr_file { getattr read write ioctl }; allow ifconfig_t $3:chr_file { getattr read write ioctl };
') ')
define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',` define(`sysnet_run_ifconfig_depend',`
type ifconfig_t; type ifconfig_t;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
') ')
####################################### #######################################
## <interface name="sysnetwork_read_network_config"> ## <interface name="sysnet_read_config">
## <description> ## <description>
## Allow network init to read network config files. ## Allow network init to read network config files.
## </description> ## </description>
@ -103,14 +103,14 @@ define(`sysnetwork_ifconfig_transition_add_role_use_terminal_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`sysnetwork_read_network_config',` define(`sysnet_read_config',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_search_general_system_config_directory($1) files_search_etc($1)
allow $1 net_conf_t:file r_file_perms; allow $1 net_conf_t:file r_file_perms;
') ')
define(`sysnetwork_read_network_config_depend',` define(`sysnet_read_config_depend',`
type net_conf_t; type net_conf_t;
class file r_file_perms; class file r_file_perms;


@ -9,33 +9,33 @@ policy_module(sysnetwork,1.0)
# this is shared between dhcpc and dhcpd: # this is shared between dhcpc and dhcpd:
type dhcp_etc_t; #, usercanread; type dhcp_etc_t; #, usercanread;
typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t }; typealias dhcp_etc_t alias { etc_dhcp_t etc_dhcpc_t etc_dhcpd_t };
files_make_file(dhcp_etc_t) files_file_type(dhcp_etc_t)
# this is shared between dhcpc and dhcpd: # this is shared between dhcpc and dhcpd:
type dhcp_state_t; type dhcp_state_t;
files_make_file(dhcp_state_t) files_file_type(dhcp_state_t)
type dhcpc_t; type dhcpc_t;
type dhcpc_exec_t; type dhcpc_exec_t;
init_make_daemon_domain(dhcpc_t,dhcpc_exec_t) init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t; role system_r types dhcpc_t;
type dhcpc_state_t; type dhcpc_state_t;
files_make_file(dhcpc_state_t) files_file_type(dhcpc_state_t)
type dhcpc_tmp_t; type dhcpc_tmp_t;
files_make_temporary_file(dhcpc_tmp_t) files_tmp_file(dhcpc_tmp_t)
type dhcpc_var_run_t; type dhcpc_var_run_t;
files_make_daemon_runtime_file(dhcpc_var_run_t) files_pid_file(dhcpc_var_run_t)
type ifconfig_t; type ifconfig_t;
type ifconfig_exec_t; type ifconfig_exec_t;
init_make_system_domain(ifconfig_t, ifconfig_exec_t) init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t; role system_r types ifconfig_t;
type net_conf_t alias resolv_conf_t; type net_conf_t alias resolv_conf_t;
files_make_file(net_conf_t) files_file_type(net_conf_t)
######################################## ########################################
# #
@ -62,17 +62,17 @@ type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
# create pid file # create pid file
allow dhcpc_t dhcpc_var_run_t:file create_file_perms; allow dhcpc_t dhcpc_var_run_t:file create_file_perms;
files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t) files_create_pid(dhcpc_t,dhcpc_var_run_t)
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t. # in /etc created by dhcpcd will be labelled net_conf_t.
allow dhcpc_t net_conf_t:file create_file_perms; allow dhcpc_t net_conf_t:file create_file_perms;
files_create_private_config(dhcpc_t,net_conf_t,file) files_create_etc_config(dhcpc_t,net_conf_t,file)
# create temp files # create temp files
allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms; allow dhcpc_t dhcpc_tmp_t:dir create_dir_perms;
allow dhcpc_t dhcpc_tmp_t:file create_file_perms; allow dhcpc_t dhcpc_tmp_t:file create_file_perms;
files_create_private_tmp_data(dhcpc_t, dhcpc_tmp_t, { file dir }) files_create_tmp_files(dhcpc_t, dhcpc_tmp_t, { file dir })
can_exec(dhcpc_t, dhcpc_exec_t) can_exec(dhcpc_t, dhcpc_exec_t)
@ -111,45 +111,45 @@ term_dontaudit_use_all_user_ttys(dhcpc_t)
term_dontaudit_use_all_user_ptys(dhcpc_t) term_dontaudit_use_all_user_ptys(dhcpc_t)
term_dontaudit_use_unallocated_tty(dhcpc_t) term_dontaudit_use_unallocated_tty(dhcpc_t)
corecommands_execute_general_programs(dhcpc_t) corecmd_exec_bin(dhcpc_t)
corecommands_execute_system_programs(dhcpc_t) corecmd_exec_sbin(dhcpc_t)
corecommands_execute_shell(dhcpc_t) corecmd_exec_shell(dhcpc_t)
domain_use_widely_inheritable_file_descriptors(dhcpc_t) domain_use_wide_inherit_fd(dhcpc_t)
files_read_general_system_config(dhcpc_t) files_read_generic_etc_files(dhcpc_t)
files_read_runtime_system_config(dhcpc_t) files_read_etc_runtime_files(dhcpc_t)
init_use_file_descriptors(dhcpc_t) init_use_fd(dhcpc_t)
init_script_use_pseudoterminal(dhcpc_t) init_use_script_pty(dhcpc_t)
init_script_modify_runtime_data(dhcpc_t) init_rw_script_pid(dhcpc_t)
logging_send_system_log_message(dhcpc_t) logging_send_syslog_msg(dhcpc_t)
libraries_use_dynamic_loader(dhcpc_t) libs_use_ld_so(dhcpc_t)
libraries_use_shared_libraries(dhcpc_t) libs_use_shared_libs(dhcpc_t)
miscfiles_read_localization(dhcpc_t) miscfiles_read_localization(dhcpc_t)
modutils_insmod_transition(dhcpc_t) modutils_domtrans_insmod(dhcpc_t)
ifdef(`distro_redhat', ` ifdef(`distro_redhat', `
files_execute_system_config_script(dhcpc_t) files_exec_generic_etc_files(dhcpc_t)
') ')
ifdef(`targeted_policy', ` ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(dhcpc_t) term_dontaudit_use_unallocated_tty(dhcpc_t)
terminal_ignore_use_general_pseudoterminal(dhcpc_t) terminal_ignore_use_general_pseudoterminal(dhcpc_t)
files_ignore_read_rootfs_file(dhcpc_t) files_dontaudit_read_root_file(dhcpc_t)
') ')
optional_policy(`consoletype.te',` optional_policy(`consoletype.te',`
consoletype_transition(dhcpc_t) consoletype_domtrans(dhcpc_t)
') ')
optional_policy(`hostname.te',` optional_policy(`hostname.te',`
hostname_transition(dhcpc_t) hostname_domtrans(dhcpc_t)
') ')
optional_policy(`nscd.te',` optional_policy(`nscd.te',`
@ -161,17 +161,17 @@ optional_policy(`selinux.te',`
') ')
optional_policy(`udev.te',` optional_policy(`udev.te',`
udev_read_database(dhcpc_t) udev_read_db(dhcpc_t)
') ')
optional_policy(`userdomain.te',` optional_policy(`userdomain.te',`
userdomain_use_all_users_file_descriptors(dhcpc_t) userdom_use_all_user_fd(dhcpc_t)
') ')
# #
# dhclient sometimes starts ypbind and ntpd # dhclient sometimes starts ypbind and ntpd
# #
init_script_execute(dhcpc_t) init_exec_script(dhcpc_t)
optional_policy(`ypbind.te',` optional_policy(`ypbind.te',`
ypbind_transition(dhcpc_t) ypbind_transition(dhcpc_t)
') ')
@ -257,7 +257,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip # for /sbin/ip
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl }; allow ifconfig_t self:tcp_socket { create ioctl };
files_read_general_system_config(ifconfig_t); files_read_generic_etc_files(ifconfig_t);
kernel_use_fd(ifconfig_t) kernel_use_fd(ifconfig_t)
kernel_read_system_state(ifconfig_t) kernel_read_system_state(ifconfig_t)
@ -270,24 +270,24 @@ fs_getattr_xattr_fs(ifconfig_t)
term_dontaudit_use_all_user_ttys(ifconfig_t) term_dontaudit_use_all_user_ttys(ifconfig_t)
term_dontaudit_use_all_user_ptys(ifconfig_t) term_dontaudit_use_all_user_ptys(ifconfig_t)
domain_use_widely_inheritable_file_descriptors(ifconfig_t) domain_use_wide_inherit_fd(ifconfig_t)
files_ignore_read_rootfs_file(ifconfig_t) files_dontaudit_read_root_file(ifconfig_t)
init_use_file_descriptors(ifconfig_t) init_use_fd(ifconfig_t)
init_script_use_pseudoterminal(ifconfig_t) init_use_script_pty(ifconfig_t)
libraries_use_dynamic_loader(ifconfig_t) libs_use_ld_so(ifconfig_t)
libraries_use_shared_libraries(ifconfig_t) libs_use_shared_libs(ifconfig_t)
libraries_read_library_resources(ifconfig_t) libs_read_lib(ifconfig_t)
logging_send_system_log_message(ifconfig_t) logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t) miscfiles_read_localization(ifconfig_t)
selinux_run_init_use_file_descriptors(ifconfig_t) selinux_use_runinit_fd(ifconfig_t)
userdomain_use_all_users_file_descriptors(ifconfig_t) userdom_use_all_user_fd(ifconfig_t)
ifdef(`TODO',` ifdef(`TODO',`
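Review bot: `terminal_ignore_use_general_pseudoterminal(dhcpc_t)` inside the `ifdef(`targeted_policy'` block of the dhcpc hunk is the one interface call in this file left on the pre-rename naming scheme; if the terminal interfaces were renamed to `term_*` in this commit (as the sibling `term_dontaudit_use_unallocated_tty` on the line above suggests), this call will not expand in targeted builds and should be switched to the matching `term_*` interface, and that sibling line itself duplicates the unconditional `term_dontaudit_use_unallocated_tty(dhcpc_t)` a few lines earlier in the same hunk. `ypbind_transition(dhcpc_t)` near the end of the dhcpc block likewise keeps the old `_transition` suffix while every other transition here became `_domtrans`; confirm that ypbind.if was deliberately left out of the rename. In the ifconfig hunk, `files_read_generic_etc_files(ifconfig_t);` carries a trailing `;` that no other interface call in the file has; m4 passes it through into the expanded policy, where it is at best inconsistent and likely a stray token for checkpolicy, so drop it.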


@ -2,7 +2,7 @@
## <summary>Policy for udev.</summary> ## <summary>Policy for udev.</summary>
######################################## ########################################
## <interface name="udev_transition"> ## <interface name="udev_domtrans">
## <description> ## <description>
## Execute udev in the udev domain. ## Execute udev in the udev domain.
## </description> ## </description>
@ -11,7 +11,7 @@
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`udev_transition',` define(`udev_domtrans',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
domain_auto_trans($1, udev_exec_t, udev_t) domain_auto_trans($1, udev_exec_t, udev_t)
@ -22,7 +22,7 @@ define(`udev_transition',`
allow udev_t $1:process sigchld; allow udev_t $1:process sigchld;
') ')
define(`udev_transition_depend',` define(`udev_domtrans_depend',`
type udev_t, udev_exec_t; type udev_t, udev_exec_t;
class file { getattr read execute }; class file { getattr read execute };
@ -32,7 +32,7 @@ define(`udev_transition_depend',`
') ')
######################################## ########################################
## <interface name="udev_read_database"> ## <interface name="udev_read_db">
## <description> ## <description>
## Allow process to read list of devices. ## Allow process to read list of devices.
## </description> ## </description>
@ -41,20 +41,20 @@ define(`udev_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`udev_read_database',` define(`udev_read_db',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 udev_tdb_t:file r_file_perms; allow $1 udev_tdb_t:file r_file_perms;
') ')
define(`udev_read_database_depend',` define(`udev_read_db_depend',`
type udev_tdb_t; type udev_tdb_t;
class file r_file_perms; class file r_file_perms;
') ')
######################################## ########################################
## <interface name="udev_modify_database"> ## <interface name="udev_rw_db">
## <description> ## <description>
## Allow process to modify list of devices. ## Allow process to modify list of devices.
## </description> ## </description>
@ -63,13 +63,13 @@ define(`udev_read_database_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`udev_modify_database',` define(`udev_rw_db',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 udev_tdb_t:file rw_file_perms; allow $1 udev_tdb_t:file rw_file_perms;
') ')
define(`udev_modify_database_depend',` define(`udev_rw_db_depend',`
type udev_tdb_t; type udev_tdb_t;
class file rw_file_perms; class file rw_file_perms;


@ -10,24 +10,24 @@ type udev_t; # nscd_client_domain
type udev_exec_t; type udev_exec_t;
type udev_helper_exec_t; type udev_helper_exec_t;
kernel_userland_entry(udev_t,udev_exec_t) kernel_userland_entry(udev_t,udev_exec_t)
kernel_make_object_identity_change_constraint_exception(udev_t) kernel_obj_id_change_exempt(udev_t)
domain_make_entrypoint_file(udev_t,udev_helper_exec_t) domain_entry_file(udev_t,udev_helper_exec_t)
domain_make_file_descriptors_widely_inheritable(udev_t) domain_wide_inherit_fd(udev_t)
init_make_daemon_domain(udev_t,udev_exec_t) init_daemon_domain(udev_t,udev_exec_t)
type udev_etc_t alias etc_udev_t; type udev_etc_t alias etc_udev_t;
files_make_file(udev_etc_t) files_file_type(udev_etc_t)
# udev_runtime_t is the type of the udev table file # udev_runtime_t is the type of the udev table file
# cjp: this is probably a copy of udev_tbl_t and can be removed # cjp: this is probably a copy of udev_tbl_t and can be removed
type udev_runtime_t; type udev_runtime_t;
files_make_file(udev_runtime_t) files_file_type(udev_runtime_t)
type udev_tbl_t alias udev_tdb_t; type udev_tbl_t alias udev_tdb_t;
files_make_file(udev_tbl_t) files_file_type(udev_tbl_t)
type udev_var_run_t; type udev_var_run_t;
files_make_daemon_runtime_file(udev_var_run_t) files_pid_file(udev_var_run_t)
######################################## ########################################
# #
@ -82,53 +82,53 @@ dev_manage_dev_nodes(udev_t)
fs_getattr_all_fs(udev_t) fs_getattr_all_fs(udev_t)
corecommands_execute_general_programs(udev_t) corecmd_exec_bin(udev_t)
corecommands_execute_system_programs(udev_t) corecmd_exec_sbin(udev_t)
corecommands_execute_shell(udev_t) corecmd_exec_shell(udev_t)
domain_execute_all_entrypoint_programs(udev_t) domain_exec_all_entry_files(udev_t)
domain_ignore_read_all_domains_process_dirs(udev_t) domain_dontaudit_list_all_domains_proc(udev_t)
files_read_runtime_system_config(udev_t) files_read_etc_runtime_files(udev_t)
files_read_general_system_config(udev_t) files_read_generic_etc_files(udev_t)
files_execute_system_config_script(udev_t) files_exec_generic_etc_files(udev_t)
files_ignore_search_isid_type_dir(udev_t) files_dontaudit_search_isid_type_dir(udev_t)
init_use_file_descriptors(udev_t) init_use_fd(udev_t)
init_script_read_runtime_data(udev_t) init_read_script_pid(udev_t)
init_script_ignore_write_runtime_data(udev_t) init_dontaudit_write_script_pid(udev_t)
libraries_use_dynamic_loader(udev_t) libs_use_ld_so(udev_t)
libraries_use_shared_libraries(udev_t) libs_use_shared_libs(udev_t)
logging_send_system_log_message(udev_t) logging_send_syslog_msg(udev_t)
miscfiles_read_localization(udev_t) miscfiles_read_localization(udev_t)
modutils_insmod_transition(udev_t) modutils_domtrans_insmod(udev_t)
selinux_read_config(udev_t) selinux_read_config(udev_t)
selinux_read_default_contexts(udev_t) selinux_read_default_contexts(udev_t)
selinux_read_file_contexts(udev_t) selinux_read_file_contexts(udev_t)
selinux_restorecon_transition(udev_t) selinux_domtrans_restorecon(udev_t)
sysnetwork_ifconfig_transition(udev_t) sysnet_domtrans_ifconfig(udev_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
fs_manage_tmpfs_block_devices(udev_t) fs_manage_tmpfs_block_devices(udev_t)
fs_manage_tmpfs_character_devices(udev_t) fs_manage_tmpfs_character_devices(udev_t)
# for arping used for static IP addresses on PCMCIA ethernet # for arping used for static IP addresses on PCMCIA ethernet
netutils_transition(udev_t) netutils_domtrans(udev_t)
') ')
optional_policy(`authlogin.te',` optional_policy(`authlogin.te',`
authlogin_pam_console_read_runtime_data(udev_t) auth_read_pam_console_data(udev_t)
authlogin_pam_console_transition(udev_t) auth_domtrans_pam_console(udev_t)
') ')
optional_policy(`consoletype.te',` optional_policy(`consoletype.te',`
consoletype_execute(udev_t) consoletype_exec(udev_t)
') ')
optional_policy(`hotplug.te',` optional_policy(`hotplug.te',`
@ -136,7 +136,7 @@ optional_policy(`hotplug.te',`
') ')
optional_policy(`sysnetwork.te',` optional_policy(`sysnetwork.te',`
sysnetwork_dhcpc_transition(udev_t) sysnet_domtrans_dhcpc(udev_t)
') ')
ifdef(`TODO',` ifdef(`TODO',`


@ -12,8 +12,8 @@ define(`base_user_domain',`
attribute $1_file_type; attribute $1_file_type;
type $1_t, userdomain; type $1_t, userdomain;
domain_make_domain($1_t) domain_type($1_t)
corecommands_make_shell_entrypoint($1_t) corecmd_shell_entry_type($1_t)
role $1_r types $1_t; role $1_r types $1_t;
allow system_r $1_r; allow system_r $1_r;
@ -23,17 +23,17 @@ define(`base_user_domain',`
# type for contents of home directory # type for contents of home directory
type $1_home_t, $1_file_type, home_type; type $1_home_t, $1_file_type, home_type;
files_make_file($1_home_t) files_file_type($1_home_t)
# type of home directory # type of home directory
type $1_home_dir_t, home_dir_type, home_type; type $1_home_dir_t, home_dir_type, home_type;
files_make_file($1_home_t) files_file_type($1_home_t)
type $1_tmp_t, $1_file_type; type $1_tmp_t, $1_file_type;
files_make_temporary_file($1_tmp_t) files_tmp_file($1_tmp_t)
type $1_tmpfs_t; type $1_tmpfs_t;
files_make_tmpfs_file($1_tmpfs_t) files_tmpfs_file($1_tmpfs_t)
type $1_tty_device_t; type $1_tty_device_t;
term_tty($1_t,$1_tty_device_t) term_tty($1_t,$1_tty_device_t)
@ -142,37 +142,37 @@ define(`base_user_domain',`
# for eject # for eject
storage_getattr_fixed_disk($1_t) storage_getattr_fixed_disk($1_t)
authlogin_read_login_records($1_t) auth_read_login_records($1_t)
authlogin_ignore_write_login_records($1_t) auth_dontaudit_write_login_records($1_t)
authlogin_pam_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
authlogin_utempter_transition_add_role_use_terminal($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
corecommands_execute_general_programs($1_t) corecmd_exec_bin($1_t)
corecommands_execute_system_programs($1_t) corecmd_exec_sbin($1_t)
corecommands_execute_ls($1_t) corecmd_exec_ls($1_t)
domain_execute_all_entrypoint_programs($1_t) domain_exec_all_entry_files($1_t)
domain_use_widely_inheritable_file_descriptors($1_t) domain_use_wide_inherit_fd($1_t)
files_execute_system_config_script($1_t) files_exec_generic_etc_files($1_t)
files_read_system_source_code($1_t) files_read_usr_src($1_t)
# Caused by su - init scripts # Caused by su - init scripts
init_script_ignore_use_pseudoterminal($1_t) init_dontaudit_use_script_pty($1_t)
libraries_use_dynamic_loader($1_t) libs_use_ld_so($1_t)
libraries_use_shared_libraries($1_t) libs_use_shared_libs($1_t)
libraries_execute_dynamic_loader($1_t) libs_exec_ld_so($1_t)
libraries_execute_library_scripts($1_t) libs_exec_lib_files($1_t)
logging_ignore_get_all_logs_attributes($1_t) logging_dontaudit_getattr_all_logs($1_t)
miscfiles_read_localization($1_t) miscfiles_read_localization($1_t)
miscfiles_manage_man_page_cache($1_t) miscfiles_rw_man_cache($1_t)
selinux_newrole_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) selinux_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
mta_modify_mail_spool($1_t) mta_rw_spool($1_t)
if (allow_execmem) { if (allow_execmem) {
# Allow loading DSOs that require executable stack. # Allow loading DSOs that require executable stack.
@ -206,8 +206,8 @@ define(`base_user_domain',`
} }
optional_policy(`usermanage.te',` optional_policy(`usermanage.te',`
usermanage_chfn_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) usermanage_run_chfn($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
usermanage_passwd_transition_add_role_use_terminal($1_t,$1_r,{ $1_devpts_t $1_tty_device_t }) usermanage_run_passwd($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
') ')
ifdef(`TODO',` ifdef(`TODO',`
@ -411,7 +411,7 @@ define(`user_domain_template', `
base_user_domain($1) base_user_domain($1)
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain; typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
domain_make_file_descriptors_widely_inheritable($1_t) domain_wide_inherit_fd($1_t)
#typeattribute $1_devpts_t userpty_type, user_tty_type; #typeattribute $1_devpts_t userpty_type, user_tty_type;
#typeattribute $1_home_dir_t user_home_dir_type; #typeattribute $1_home_dir_t user_home_dir_type;
@ -439,7 +439,7 @@ define(`user_domain_template', `
allow $1_t $1_tmp_t:dir create_dir_perms; allow $1_t $1_tmp_t:dir create_dir_perms;
allow $1_t $1_tmp_t:sock_file create_file_perms; allow $1_t $1_tmp_t:sock_file create_file_perms;
allow $1_t $1_tmp_t:fifo_file create_file_perms; allow $1_t $1_tmp_t:fifo_file create_file_perms;
files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set }) files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
# privileged home directory writers # privileged home directory writers
allow privhome $1_home_t:file create_file_perms; allow privhome $1_home_t:file create_file_perms;
@ -459,24 +459,24 @@ define(`user_domain_template', `
# port access is audited even if dac would not have allowed it, so dontaudit it here # port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t) corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
files_read_general_system_config($1_t) files_read_generic_etc_files($1_t)
files_list_home_directories($1_t) files_list_home($1_t)
files_read_general_application_resources($1_t) files_read_usr_files($1_t)
init_script_read_runtime_data($1_t) init_read_script_pid($1_t)
# The library functions always try to open read-write first, # The library functions always try to open read-write first,
# then fall back to read-only if it fails. # then fall back to read-only if it fails.
init_script_ignore_write_runtime_data($1_t) init_dontaudit_write_script_pid($1_t)
# Stop warnings about access to /dev/console # Stop warnings about access to /dev/console
init_ignore_use_file_descriptors($1_t) init_dontaudit_use_fd($1_t)
init_script_ignore_use_file_descriptors($1_t) init_dontaudit_use_script_fd($1_t)
miscfiles_read_man_pages($1_t) miscfiles_read_man_pages($1_t)
selinux_read_config($1_t) selinux_read_config($1_t)
# Allow users to execute checkpolicy without a domain transition # Allow users to execute checkpolicy without a domain transition
# so it can be used without privilege to write real binary policy file # so it can be used without privilege to write real binary policy file
selinux_checkpolicy_execute($1_t) selinux_exec_checkpol($1_t)
if (user_dmesg) { if (user_dmesg) {
kernel_read_ring_buffer($1_t) kernel_read_ring_buffer($1_t)
@ -493,12 +493,12 @@ define(`user_domain_template', `
# for running depmod as part of the kernel packaging process # for running depmod as part of the kernel packaging process
optional_policy(`modutils.te',` optional_policy(`modutils.te',`
modutils_read_kernel_module_loading_config($1_t) modutils_read_module_conf($1_t)
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
# for when the network connection is killed # for when the network connection is killed
selinux_newrole_ignore_signal($1_t) selinux_dontaudit_newrole_signal($1_t)
') ')
# Need the following rule to allow users to run vpnc # Need the following rule to allow users to run vpnc
@ -612,7 +612,7 @@ define(`admin_domain_template',`
base_user_domain($1) base_user_domain($1)
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain; typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
kernel_make_object_identity_change_constraint_exception($1_t) kernel_obj_id_change_exempt($1_t)
role system_r types $1_t; role system_r types $1_t;
#ifdef(`direct_sysadm_daemon', `, priv_system_role') #ifdef(`direct_sysadm_daemon', `, priv_system_role')
@ -650,7 +650,7 @@ define(`admin_domain_template',`
allow $1_t $1_tmp_t:lnk_file create_file_perms; allow $1_t $1_tmp_t:lnk_file create_file_perms;
allow $1_t $1_tmp_t:fifo_file create_file_perms; allow $1_t $1_tmp_t:fifo_file create_file_perms;
allow $1_t $1_tmp_t:sock_file create_file_perms; allow $1_t $1_tmp_t:sock_file create_file_perms;
files_create_private_tmp_data($1_t, $1_tmp_t, { dir notdevfile_class_set }) files_create_tmp_files($1_t, $1_tmp_t, { dir notdevfile_class_set })
kernel_read_system_state($1_t) kernel_read_system_state($1_t)
kernel_read_network_state($1_t) kernel_read_network_state($1_t)
@ -698,12 +698,12 @@ define(`admin_domain_template',`
term_use_all_user_ttys($1_t) term_use_all_user_ttys($1_t)
# Manage almost all files # Manage almost all files
authlogin_manage_all_files_except_shadow($1_t) auth_manage_all_files_except_shadow($1_t)
# Relabel almost all files # Relabel almost all files
authlogin_relabel_all_files_except_shadow($1_t) auth_relabel_all_files_except_shadow($1_t)
domain_set_all_domains_priorities($1_t) domain_setpriority_all_domains($1_t)
domain_read_all_domains_process_state($1_t) domain_read_all_domains_state($1_t)
# signal all domains: # signal all domains:
domain_kill_all_domains($1_t) domain_kill_all_domains($1_t)
domain_signal_all_domains($1_t) domain_signal_all_domains($1_t)
@ -712,22 +712,22 @@ define(`admin_domain_template',`
domain_sigstop_all_domains($1_t) domain_sigstop_all_domains($1_t)
domain_sigchld_all_domains($1_t) domain_sigchld_all_domains($1_t)
files_execute_system_source_code_scripts($1_t) files_exec_usr_files($1_t)
init_use_control_channel($1_t) init_use_initctl($1_t)
logging_send_system_log_message($1_t) logging_send_syslog_msg($1_t)
modutils_insmod_transition($1_t) modutils_domtrans_insmod($1_t)
selinux_read_config($1_t) selinux_read_config($1_t)
# The following rule is temporary until such time that a complete # The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator # policy management infrastructure is in place so that an administrator
# cannot directly manipulate policy files with arbitrary programs. # cannot directly manipulate policy files with arbitrary programs.
selinux_manage_source_policy($1_t) selinux_manage_src_pol($1_t)
# Violates the goal of limiting write access to checkpolicy. # Violates the goal of limiting write access to checkpolicy.
# But presently necessary for installing the file_contexts file. # But presently necessary for installing the file_contexts file.
selinux_manage_binary_policy($1_t) selinux_manage_binary_pol($1_t)
optional_policy(`cron.te',` optional_policy(`cron.te',`
cron_admin_template($1) cron_admin_template($1)
@ -807,7 +807,7 @@ define(`admin_domain_template',`
') ')
######################################## ########################################
## <interface name="userdomain_all_users_explicit_transition"> ## <interface name="userdom_spec_domtrans_all_users">
## <description> ## <description>
## Execute a shell in all user domains. This ## Execute a shell in all user domains. This
## is an explicit transition, requiring the ## is an explicit transition, requiring the
@ -818,17 +818,17 @@ define(`admin_domain_template',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`userdomain_all_users_explicit_transition',` define(`userdom_spec_domtrans_all_users',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
corecommands_shell_explicit_transition($1,userdomain) corecmd_shell_spec_domtrans($1,userdomain)
') ')
define(`userdomain_all_users_explicit_transition_depend',` define(`userdom_spec_domtrans_all_users_depend',`
type sysadm_t; type sysadm_t;
') ')
######################################## ########################################
## <interface name="userdomain_sysadm_shell_transition"> ## <interface name="userdom_shell_domtrans_sysadm">
## <description> ## <description>
## Execute a shell in the sysadm domain. ## Execute a shell in the sysadm domain.
## </description> ## </description>
@ -837,18 +837,18 @@ define(`userdomain_all_users_explicit_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`userdomain_sysadm_shell_transition',` define(`userdom_shell_domtrans_sysadm',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
corecommands_shell_transition($1,sysadm_t) corecmd_domtrans_shell($1,sysadm_t)
') ')
define(`userdomain_sysadm_shell_transition_depend',` define(`userdom_shell_domtrans_sysadm_depend',`
type sysadm_t; type sysadm_t;
') ')
######################################## ########################################
## <interface name="userdomain_use_admin_terminals"> ## <interface name="userdom_use_sysadm_terms">
## <description> ## <description>
## Read and write administrative users ## Read and write administrative users
## physical and pseudo terminals. ## physical and pseudo terminals.
@ -858,7 +858,7 @@ define(`userdomain_sysadm_shell_transition_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`userdomain_use_admin_terminals',` define(`userdom_use_sysadm_terms',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dev_list_all_dev_nodes($1) dev_list_all_dev_nodes($1)
@ -866,14 +866,14 @@ define(`userdomain_use_admin_terminals',`
allow $1 admin_terminal:chr_file { getattr read write ioctl }; allow $1 admin_terminal:chr_file { getattr read write ioctl };
') ')
define(`userdomain_use_admin_terminals_depend',` define(`userdom_use_sysadm_terms_depend',`
attribute admin_terminal; attribute admin_terminal;
class chr_file { getattr read write ioctl }; class chr_file { getattr read write ioctl };
') ')
######################################## ########################################
## <interface name="userdomain_dontaudit_use_admin_terminals"> ## <interface name="userdom_dontaudit_use_sysadm_terms">
## <description> ## <description>
## Do not audit attempts to use admin ttys and ptys. ## Do not audit attempts to use admin ttys and ptys.
## </description> ## </description>
@ -882,20 +882,20 @@ define(`userdomain_use_admin_terminals_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`userdomain_dontaudit_use_admin_terminals',` define(`userdom_dontaudit_use_sysadm_terms',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 admin_terminal:chr_file { read write }; dontaudit $1 admin_terminal:chr_file { read write };
') ')
define(`userdomain_dontaudit_use_admin_terminals_depend',` define(`userdom_dontaudit_use_sysadm_terms_depend',`
attribute admin_terminal; attribute admin_terminal;
class chr_file { read write }; class chr_file { read write };
') ')
######################################## ########################################
## <interface name="userdomain_search_all_users_home_dirs"> ## <interface name="userdom_search_all_users_home">
## <description> ## <description>
## Search all users home directories. ## Search all users home directories.
## </description> ## </description>
@ -904,21 +904,21 @@ define(`userdomain_dontaudit_use_admin_terminals_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`userdomain_search_all_users_home_dirs',` define(`userdom_search_all_users_home',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_list_home_directories($1) files_list_home($1)
allow $1 { home_dir_type home_type }:dir search; allow $1 { home_dir_type home_type }:dir search;
') ')
define(`userdomain_search_all_users_home_dirs_depend',` define(`userdom_search_all_users_home_depend',`
attribute home_dir_type, home_type; attribute home_dir_type, home_type;
class dir search; class dir search;
') ')
######################################## ########################################
## <interface name="userdomain_read_all_users_data"> ## <interface name="userdom_read_all_user_data">
## <description> ## <description>
## Read all files in all users home directories. ## Read all files in all users home directories.
## </description> ## </description>
@ -927,15 +927,15 @@ define(`userdomain_search_all_users_home_dirs_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`userdomain_read_all_users_data',` define(`userdom_read_all_user_data',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
files_list_home_directories($1) files_list_home($1)
allow $1 home_type:dir r_dir_perms; allow $1 home_type:dir r_dir_perms;
allow $1 home_type:file r_file_perms; allow $1 home_type:file r_file_perms;
') ')
define(`userdomain_read_all_users_data_depend',` define(`userdom_read_all_user_data_depend',`
attribute home_type; attribute home_type;
class dir r_dir_perms; class dir r_dir_perms;
@ -943,7 +943,7 @@ define(`userdomain_read_all_users_data_depend',`
') ')
######################################## ########################################
## <interface name="userdomain_use_all_users_file_descriptors"> ## <interface name="userdom_use_all_user_fd">
## <description> ## <description>
## Inherit the file descriptors from all user domains ## Inherit the file descriptors from all user domains
## </description> ## </description>
@ -952,20 +952,20 @@ define(`userdomain_read_all_users_data_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`userdomain_use_all_users_file_descriptors',` define(`userdom_use_all_user_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 userdomain:fd use; allow $1 userdomain:fd use;
') ')
define(`userdomain_use_all_users_file_descriptors_depend',` define(`userdom_use_all_user_fd_depend',`
attribute userdomain; attribute userdomain;
class fd use; class fd use;
') ')
######################################## ########################################
## <interface name="userdomain_signal_all_userdomains"> ## <interface name="userdom_signal_all_users">
## <description> ## <description>
## Send general signals to all user domains. ## Send general signals to all user domains.
## </description> ## </description>
@ -974,20 +974,20 @@ define(`userdomain_use_all_users_file_descriptors_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`userdomain_signal_all_userdomains',` define(`userdom_signal_all_users',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 userdomain:process signal; allow $1 userdomain:process signal;
') ')
define(`userdomain_signal_all_userdomains_depend',` define(`userdom_signal_all_users_depend',`
attribute userdomain; attribute userdomain;
class process signal; class process signal;
') ')
######################################## ########################################
## <interface name="userdomain_use_all_unprivileged_users_file_descriptors"> ## <interface name="userdom_use_unpriv_users_fd">
## <description> ## <description>
## Inherit the file descriptors from all user domains. ## Inherit the file descriptors from all user domains.
## </description> ## </description>
@ -996,20 +996,20 @@ define(`userdomain_signal_all_userdomains_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`userdomain_use_all_unprivileged_users_file_descriptors',` define(`userdom_use_unpriv_users_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
allow $1 unpriv_userdomain:fd use; allow $1 unpriv_userdomain:fd use;
') ')
define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',` define(`userdom_use_unpriv_users_fd_depend',`
attribute unpriv_userdomain; attribute unpriv_userdomain;
class fd use; class fd use;
') ')
######################################## ########################################
## <interface name="userdomain_ignore_use_all_unprivileged_users_file_descriptors"> ## <interface name="userdom_dontaudit_use_unpriv_user_fd">
## <description> ## <description>
## Do not audit attempts to inherit the ## Do not audit attempts to inherit the
## file descriptors from all user domains. ## file descriptors from all user domains.
@ -1019,13 +1019,13 @@ define(`userdomain_use_all_unprivileged_users_file_descriptors_depend',`
## </parameter> ## </parameter>
## </interface> ## </interface>
# #
define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors',` define(`userdom_dontaudit_use_unpriv_user_fd',`
requires_block_template(`$0'_depend) requires_block_template(`$0'_depend)
dontaudit $1 unpriv_userdomain:fd use; dontaudit $1 unpriv_userdomain:fd use;
') ')
define(`userdomain_ignore_use_all_unprivileged_users_file_descriptors_depend',` define(`userdom_dontaudit_use_unpriv_user_fd_depend',`
attribute unpriv_userdomain; attribute unpriv_userdomain;
class fd use; class fd use;


@ -126,54 +126,54 @@ optional_policy(`bootloader.te',`
') ')
optional_policy(`clock.te',` optional_policy(`clock.te',`
clock_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) clock_run(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`hostname.te',` optional_policy(`hostname.te',`
hostname_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) hostname_run(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`iptables.te',` optional_policy(`iptables.te',`
iptables_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) iptables_run(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`libraries.te',` optional_policy(`libraries.te',`
libraries_ldconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) libs_run_ldconfig(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`lvm.te',` optional_policy(`lvm.te',`
lvm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) lvm_run(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`modutils.te',` optional_policy(`modutils.te',`
modutils_depmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) modutils_run_depmod(sysadm_t,sysadm_r,admin_terminal)
modutils_insmod_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) modutils_run_insmod(sysadm_t,sysadm_r,admin_terminal)
modutils_update_modules_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`mount.te',` optional_policy(`mount.te',`
mount_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) mount_run(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`rpm.te',` optional_policy(`rpm.te',`
rpm_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) rpm_run(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`selinux.te',` optional_policy(`selinux.te',`
selinux_checkpolicy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) selinux_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
selinux_load_policy_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) selinux_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
selinux_restorecon_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) selinux_run_restorecon(sysadm_t,sysadm_r,admin_terminal)
selinux_setfiles_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) selinux_run_setfiles(sysadm_t,sysadm_r,admin_terminal)
optional_policy(`targeted_policy',`',` optional_policy(`targeted_policy',`',`
selinux_run_init_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) selinux_run_runinit(sysadm_t,sysadm_r,admin_terminal)
') ')
') ')
optional_policy(`sysnetwork.te',` optional_policy(`sysnetwork.te',`
sysnetwork_ifconfig_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) sysnet_run_ifconfig(sysadm_t,sysadm_r,admin_terminal)
') ')
optional_policy(`usermanage.te',` optional_policy(`usermanage.te',`
usermanage_groupadd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
usermanage_useradd_transition_add_role_use_terminal(sysadm_t,sysadm_r,admin_terminal) usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
') ')