policy_module(selinux, 1.6.0) ######################################## # # Declarations # attribute can_load_policy; attribute can_setenforce; attribute can_setsecparam; attribute selinux_unconfined_type; # # security_t is the target type when checking # the permissions in the security class. It is also # applied to selinuxfs inodes. # type security_t; fs_type(security_t) mls_trusted_object(security_t) sid security gen_context(system_u:object_r:security_t,mls_systemhigh) genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) genfscon securityfs / gen_context(system_u:object_r:security_t,s0) neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; ######################################## # # Unconfined access to this module # # use SELinuxfs allow selinux_unconfined_type security_t:dir { getattr search read }; allow selinux_unconfined_type security_t:file { getattr read write }; # Access the security API. allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setbool }; if(!secure_mode_policyload) { allow selinux_unconfined_type security_t:security { load_policy setenforce setbool }; ifdef(`distro_rhel4',` # needed for systems without audit support auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool }; ') }