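## <module name="selinux" layer="system">
## <summary>Policy for SELinux policy and userland applications.</summary>

########################################
## <interface name="selinux_checkpolicy_transition">
## <description>
##	Execute checkpolicy in the checkpolicy domain.
##	The caller and checkpolicy may share file descriptors
##	and pipes, and checkpolicy may send SIGCHLD to the caller.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_checkpolicy_transition',`
	requires_block_template(`$0'_depend)
	# the caller may run the checkpolicy binary and enter checkpolicy_t,
	# which is also the default domain on exec of that binary
	allow $1 checkpolicy_exec_t:file rx_file_perms;
	allow $1 checkpolicy_t:process transition;
	type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
	# do not audit the inheritance checks made on every domain transition
	dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
	# backchannel: inherited descriptors, pipes and the exit signal
	allow $1 checkpolicy_t:fd use;
	allow checkpolicy_t $1:fd use;
	allow checkpolicy_t $1:fifo_file rw_file_perms;
	allow checkpolicy_t $1:process sigchld;
')

define(`selinux_checkpolicy_transition_depend',`
	type checkpolicy_t, checkpolicy_exec_t;
	class file rx_file_perms;
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
## <interface name="selinux_checkpolicy_transition_add_role_use_terminal">
## <description>
##	Execute checkpolicy in the checkpolicy domain, and
##	allow the specified role the checkpolicy domain,
##	and use the caller's terminal.
##	Has a SIGCHLD signal backchannel.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## <parameter name="role">
##	The role to be allowed the checkpolicy domain.
## </parameter>
## <parameter name="terminal">
##	The type of the terminal to allow the checkpolicy domain to use.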
## </parameter>
## </interface>
#
define(`selinux_checkpolicy_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)
	# the role must be authorized for checkpolicy_t or the transition is refused
	role $2 types checkpolicy_t;
	selinux_checkpolicy_transition($1)
	# checkpolicy talks to the user on the terminal of the caller
	allow checkpolicy_t $3:chr_file { getattr read write ioctl };
')

define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
	class chr_file { getattr read write ioctl };
	type checkpolicy_t;
')

########################################
## <interface name="selinux_checkpolicy_execute">
## <description>
##	Execute checkpolicy in the caller domain
##	(execute_no_trans, no domain transition).
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_checkpolicy_execute',`
	requires_block_template(`$0'_depend)
	can_exec($1,checkpolicy_exec_t)
')

define(`selinux_checkpolicy_execute_depend',`
	class file { rx_file_perms execute_no_trans };
	type checkpolicy_exec_t;
')

########################################
## <interface name="selinux_load_policy_transition">
## <description>
##	Execute load_policy in the load_policy domain.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_load_policy_transition',`
	requires_block_template(`$0'_depend)
	# default domain on exec of the load_policy binary
	type_transition $1 load_policy_exec_t:process load_policy_t;
	allow $1 load_policy_exec_t:file rx_file_perms;
	allow $1 load_policy_t:process transition;
	dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
	# descriptors and pipes shared across the transition
	allow $1 load_policy_t:fd use;
	allow load_policy_t $1:fd use;
	allow load_policy_t $1:fifo_file rw_file_perms;
	# child exit notification back to the caller
	allow load_policy_t $1:process sigchld;
')

define(`selinux_load_policy_transition_depend',`
	type load_policy_t, load_policy_exec_t;
	class process { transition noatsecure siginh rlimitinh sigchld };
	class file rx_file_perms;
	class fifo_file rw_file_perms;
	class fd use;
')

########################################
## <interface name="selinux_load_policy_transition_add_role_use_terminal">
## <description>
##	Execute load_policy in the load_policy domain, and
##	allow the specified role the load_policy domain,
##	and use the caller's terminal.
##	Has a SIGCHLD signal backchannel.
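## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## <parameter name="role">
##	The role to be allowed the load_policy domain.
## </parameter>
## <parameter name="terminal">
##	The type of the terminal to allow the load_policy domain to use.
## </parameter>
## </interface>
#
define(`selinux_load_policy_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)
	selinux_load_policy_transition($1)
	# without this role authorization the transition is denied
	role $2 types load_policy_t;
	# load_policy may read from and write to the terminal of the caller
	allow load_policy_t $3:chr_file { getattr read write ioctl };
')

define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
	type load_policy_t;
	class chr_file { getattr read write ioctl };
')

########################################
## <interface name="selinux_load_policy_execute">
## <description>
##	Execute load_policy in the caller domain
##	(execute_no_trans, no domain transition).
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_load_policy_execute',`
	requires_block_template(`$0'_depend)
	can_exec($1,load_policy_exec_t)
')

define(`selinux_load_policy_execute_depend',`
	type load_policy_exec_t;
	class file { rx_file_perms execute_no_trans };
')

########################################
## <interface name="selinux_read_load_policy_binary">
## <description>
##	Read the load_policy binary (no execute permission).
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_read_load_policy_binary',`
	requires_block_template(`$0'_depend)
	allow $1 load_policy_exec_t:file r_file_perms;
')

define(`selinux_read_load_policy_binary_depend',`
	type load_policy_exec_t;
	class file r_file_perms;
')

########################################
## <interface name="selinux_newrole_transition">
## <description>
##	Execute newrole in the newrole domain.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.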
## </parameter>
## </interface>
#
define(`selinux_newrole_transition',`
	requires_block_template(`$0'_depend)
	# default domain on exec of the newrole binary
	type_transition $1 newrole_exec_t:process newrole_t;
	allow $1 newrole_exec_t:file rx_file_perms;
	allow $1 newrole_t:process transition;
	dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
	# two-way descriptor and pipe sharing between caller and newrole
	allow $1 newrole_t:fd use;
	allow newrole_t $1:fd use;
	allow newrole_t $1:fifo_file rw_file_perms;
	# newrole reports its exit to the caller
	allow newrole_t $1:process sigchld;
')

define(`selinux_newrole_transition_depend',`
	type newrole_t, newrole_exec_t;
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
	class file rx_file_perms;
')

########################################
## <interface name="selinux_newrole_transition_add_role_use_terminal">
## <description>
##	Execute newrole in the newrole domain, and
##	allow the specified role the newrole domain,
##	and use the caller's terminal.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## <parameter name="role">
##	The role to be allowed the newrole domain.
## </parameter>
## <parameter name="terminal">
##	The type of the terminal to allow the newrole domain to use.
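## </parameter>
## </interface>
#
define(`selinux_newrole_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)
	selinux_newrole_transition($1)
	# the role needs authorization for newrole_t or the transition fails
	role $2 types newrole_t;
	# newrole interacts with the user on the terminal of the caller
	allow newrole_t $3:chr_file { getattr read write ioctl };
')

define(`selinux_newrole_transition_add_role_use_terminal_depend',`
	type newrole_t;
	class chr_file { getattr read write ioctl };
')

########################################
## <interface name="selinux_newrole_execute">
## <description>
##	Execute newrole in the caller domain
##	(execute_no_trans, no domain transition).
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_newrole_execute',`
	requires_block_template(`$0'_depend)
	can_exec($1,newrole_exec_t)
')

define(`selinux_newrole_execute_depend',`
	# only the binary type is referenced by can_exec; the newrole_t
	# domain is not used here and so is not a requirement
	type newrole_exec_t;
	class file { rx_file_perms execute_no_trans };
')

########################################
## <interface name="selinux_newrole_ignore_signal">
## <description>
##	Do not audit attempts by the caller to send
##	a signal to newrole.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_newrole_ignore_signal',`
	requires_block_template(`$0'_depend)
	dontaudit $1 newrole_t:process signal;
')

define(`selinux_newrole_ignore_signal_depend',`
	type newrole_t;
	class process signal;
')

########################################
## <interface name="selinux_newrole_sigchld">
## <description>
##	Send a SIGCHLD signal to newrole.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_newrole_sigchld',`
	requires_block_template(`$0'_depend)
	allow $1 newrole_t:process sigchld;
')

define(`selinux_newrole_sigchld_depend',`
	type newrole_t;
	class process sigchld;
')

########################################
## <interface name="selinux_newrole_use_file_descriptors">
## <description>
##	Use file descriptors owned by newrole.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_newrole_use_file_descriptors',`
	requires_block_template(`$0'_depend)
	allow $1 newrole_t:fd use;
')

define(`selinux_newrole_use_file_descriptors_depend',`
	type newrole_t;
	class fd use;
')

########################################
## <interface name="selinux_restorecon_transition">
## <description>
##	Execute restorecon in the restorecon domain.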
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_restorecon_transition',`
	requires_block_template(`$0'_depend)
	# default domain on exec of the restorecon binary
	type_transition $1 restorecon_exec_t:process restorecon_t;
	allow $1 restorecon_exec_t:file rx_file_perms;
	allow $1 restorecon_t:process transition;
	dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
	# descriptors and pipes shared in both directions
	allow $1 restorecon_t:fd use;
	allow restorecon_t $1:fd use;
	allow restorecon_t $1:fifo_file rw_file_perms;
	# restorecon reports its exit to the caller
	allow restorecon_t $1:process sigchld;
')

define(`selinux_restorecon_transition_depend',`
	type restorecon_t, restorecon_exec_t;
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
	class file rx_file_perms;
')

########################################
## <interface name="selinux_restorecon_transition_add_role_use_terminal">
## <description>
##	Execute restorecon in the restorecon domain, and
##	allow the specified role the restorecon domain,
##	and use the caller's terminal.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## <parameter name="role">
##	The role to be allowed the restorecon domain.
## </parameter>
## <parameter name="terminal">
##	The type of the terminal to allow the restorecon domain to use.
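## </parameter>
## </interface>
#
define(`selinux_restorecon_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)
	selinux_restorecon_transition($1)
	# the role needs authorization for restorecon_t or the transition fails
	role $2 types restorecon_t;
	# restorecon writes its output to the terminal of the caller
	allow restorecon_t $3:chr_file { getattr read write ioctl };
')

define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
	type restorecon_t;
	class chr_file { getattr read write ioctl };
')

########################################
## <interface name="selinux_restorecon_execute">
## <description>
##	Execute restorecon in the caller domain
##	(execute_no_trans, no domain transition).
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_restorecon_execute',`
	requires_block_template(`$0'_depend)
	can_exec($1,restorecon_exec_t)
')

define(`selinux_restorecon_execute_depend',`
	# only the binary type is referenced by can_exec; the restorecon_t
	# domain is not used here and so is not a requirement
	type restorecon_exec_t;
	class file { rx_file_perms execute_no_trans };
')

########################################
## <interface name="selinux_run_init_transition">
## <description>
##	Execute run_init in the run_init domain.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_run_init_transition',`
	requires_block_template(`$0'_depend)
	# the caller may run the run_init binary and enter run_init_t,
	# which is also the default domain on exec of that binary
	allow $1 run_init_exec_t:file rx_file_perms;
	allow $1 run_init_t:process transition;
	type_transition $1 run_init_exec_t:process run_init_t;
	# do not audit the inheritance checks made on every domain transition
	dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
	# backchannel: inherited descriptors, pipes and the exit signal
	allow $1 run_init_t:fd use;
	allow run_init_t $1:fd use;
	allow run_init_t $1:fifo_file rw_file_perms;
	allow run_init_t $1:process sigchld;
')

define(`selinux_run_init_transition_depend',`
	type run_init_t, run_init_exec_t;
	class file rx_file_perms;
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
## <interface name="selinux_run_init_transition_add_role_use_terminal">
## <description>
##	Execute run_init in the run_init domain, and
##	allow the specified role the run_init domain,
##	and use the caller's terminal.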
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## <parameter name="role">
##	The role to be allowed the run_init domain.
## </parameter>
## <parameter name="terminal">
##	The type of the terminal to allow the run_init domain to use.
## </parameter>
## </interface>
#
define(`selinux_run_init_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)
	# the role must be authorized for run_init_t or the transition is refused
	role $2 types run_init_t;
	selinux_run_init_transition($1)
	# run_init talks to the user on the terminal of the caller
	allow run_init_t $3:chr_file { getattr read write ioctl };
')

define(`selinux_run_init_transition_add_role_use_terminal_depend',`
	class chr_file { getattr read write ioctl };
	type run_init_t;
')

########################################
## <interface name="selinux_run_init_use_file_descriptors">
## <description>
##	Use file descriptors owned by run_init.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_run_init_use_file_descriptors',`
	requires_block_template(`$0'_depend)
	allow $1 run_init_t:fd use;
')

define(`selinux_run_init_use_file_descriptors_depend',`
	class fd use;
	type run_init_t;
')

########################################
## <interface name="selinux_setfiles_transition">
## <description>
##	Execute setfiles in the setfiles domain.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_setfiles_transition',`
	requires_block_template(`$0'_depend)
	# default domain on exec of the setfiles binary
	type_transition $1 setfiles_exec_t:process setfiles_t;
	allow $1 setfiles_exec_t:file rx_file_perms;
	allow $1 setfiles_t:process transition;
	dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
	# descriptors and pipes shared in both directions
	allow $1 setfiles_t:fd use;
	allow setfiles_t $1:fd use;
	allow setfiles_t $1:fifo_file rw_file_perms;
	# setfiles reports its exit to the caller
	allow setfiles_t $1:process sigchld;
')

define(`selinux_setfiles_transition_depend',`
	type setfiles_t, setfiles_exec_t;
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
	class file rx_file_perms;
')

########################################
## <interface name="selinux_setfiles_transition_add_role_use_terminal">
## <description>
##	Execute setfiles in the setfiles domain, and
##	allow the specified role the setfiles domain,
##	and use the caller's terminal.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## <parameter name="role">
##	The role to be allowed the setfiles domain.
## </parameter>
## <parameter name="terminal">
##	The type of the terminal to allow the setfiles domain to use.
## </parameter>
## </interface>
#
define(`selinux_setfiles_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)
	# the role must be authorized for setfiles_t or the transition is refused
	role $2 types setfiles_t;
	selinux_setfiles_transition($1)
	# setfiles writes its output to the terminal of the caller
	allow setfiles_t $3:chr_file { getattr read write ioctl };
')

define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
	class chr_file { getattr read write ioctl };
	type setfiles_t;
')

########################################
## <interface name="selinux_setfiles_execute">
## <description>
##	Execute setfiles in the caller domain
##	(execute_no_trans, no domain transition).
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_setfiles_execute',`
	requires_block_template(`$0'_depend)
	can_exec($1,setfiles_exec_t)
')

define(`selinux_setfiles_execute_depend',`
	class file { rx_file_perms execute_no_trans };
	type setfiles_exec_t;
')

########################################
## <interface name="selinux_read_config">
## <description>
##	Read the general SELinux configuration directory and files.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_read_config',`
	requires_block_template(`$0'_depend)
	allow $1 selinux_config_t:file r_file_perms;
	allow $1 selinux_config_t:dir r_dir_perms;
')

define(`selinux_read_config_depend',`
	class file r_file_perms;
	class dir r_dir_perms;
	type selinux_config_t;
')

########################################
## <interface name="selinux_read_default_contexts">
## <description>
##	Read the default contexts files.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_read_default_contexts',`
	requires_block_template(`$0'_depend)
	# search through the config directory (presumably the parent
	# of the default contexts directory) to reach the files
	allow $1 selinux_config_t:dir search;
	allow $1 default_context_t:file r_file_perms;
	allow $1 default_context_t:dir r_dir_perms;
')

define(`selinux_read_default_contexts_depend',`
	class file r_file_perms;
	class dir r_dir_perms;
	type selinux_config_t, default_context_t;
')

########################################
## <interface name="selinux_read_file_contexts">
## <description>
##	Read the file contexts files.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_read_file_contexts',`
	requires_block_template(`$0'_depend)
	# search through the config directory (presumably the parent
	# of the file contexts directory) to reach the files
	allow $1 selinux_config_t:dir search;
	allow $1 file_context_t:file r_file_perms;
	allow $1 file_context_t:dir r_dir_perms;
')

define(`selinux_read_file_contexts_depend',`
	class file r_file_perms;
	class dir r_dir_perms;
	type selinux_config_t, file_context_t;
')

########################################
## <interface name="selinux_read_binary_policy">
## <description>
##	Read the binary policy directory and files.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_read_binary_policy',`
	requires_block_template(`$0'_depend)
	allow $1 policy_config_t:file r_file_perms;
	allow $1 policy_config_t:dir r_dir_perms;
')

define(`selinux_read_binary_policy_depend',`
	class file r_file_perms;
	class dir r_dir_perms;
	type policy_config_t;
')

########################################
## <interface name="selinux_write_binary_policy">
## <description>
##	Create, write and delete files in the binary policy
##	directory, and mark the domain with the
##	can_write_binary_policy attribute.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_write_binary_policy',`
	requires_block_template(`$0'_depend)
	# the attribute lets policy elsewhere (presumably constraints or
	# neverallow rules, not visible here) account for policy writers
	typeattribute $1 can_write_binary_policy;
	allow $1 policy_config_t:file { getattr create write unlink };
	allow $1 policy_config_t:dir rw_dir_perms;
')

define(`selinux_write_binary_policy_depend',`
	class file { getattr create write unlink };
	class dir rw_dir_perms;
	type policy_config_t;
	attribute can_write_binary_policy;
')

########################################
## <interface name="selinux_relabelto_binary_policy">
## <description>
##	Allow the caller to relabel a file to the binary policy type.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
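## </parameter>
## </interface>
#
define(`selinux_relabelto_binary_policy',`
	requires_block_template(`$0'_depend)
	allow $1 policy_config_t:file relabelto;
	# the attribute lets policy elsewhere (presumably constraints or
	# neverallow rules, not visible here) account for relabelers
	typeattribute $1 can_relabelto_binary_policy;
')

define(`selinux_relabelto_binary_policy_depend',`
	attribute can_relabelto_binary_policy;
	type policy_config_t;
	class file relabelto;
')

########################################
## <interface name="selinux_manage_binary_policy">
## <description>
##	Manage (create, read, write, delete) the binary policy
##	directory and files, and mark the domain with the
##	can_write_binary_policy attribute.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_manage_binary_policy',`
	requires_block_template(`$0'_depend)
	# FIXME: search etc_t:dir
	allow $1 selinux_config_t:dir search;
	# creating and unlinking files needs add_name, remove_name and write
	# on the directory, which r_dir_perms does not grant; the rule now
	# matches the create_dir_perms this interface already requires and
	# the sibling selinux_manage_source_policy
	allow $1 policy_config_t:dir create_dir_perms;
	allow $1 policy_config_t:file create_file_perms;
	typeattribute $1 can_write_binary_policy;
')

define(`selinux_manage_binary_policy_depend',`
	attribute can_write_binary_policy;
	type selinux_config_t, policy_config_t;
	class dir create_dir_perms;
	class file create_file_perms;
')

########################################
## <interface name="selinux_read_source_policy">
## <description>
##	Read the policy source directory and files.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_read_source_policy',`
	requires_block_template(`$0'_depend)
	# FIXME: search etc_t:dir
	allow $1 selinux_config_t:dir search;
	allow $1 policy_src_t:dir r_dir_perms;
	allow $1 policy_src_t:file r_file_perms;
')

define(`selinux_read_source_policy_depend',`
	type selinux_config_t, policy_src_t;
	class dir r_dir_perms;
	class file r_file_perms;
')

########################################
## <interface name="selinux_manage_source_policy">
## <description>
##	Manage (create, read, write, delete) the policy source
##	directory and files.
## </description>
## <parameter name="domain">
##	The type of the process performing this action.
## </parameter>
## </interface>
#
define(`selinux_manage_source_policy',`
	requires_block_template(`$0'_depend)
	# FIXME: search etc_t:dir
	allow $1 selinux_config_t:dir search;
	allow $1 policy_src_t:dir create_dir_perms;
	allow $1 policy_src_t:file create_file_perms;
')

define(`selinux_manage_source_policy_depend',`
	type selinux_config_t, policy_src_t;
	class dir create_dir_perms;
	class file create_file_perms;
')

## </module>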