## ##

Policy for SELinux policy and userland applications.

####################################### ## ## ## Execute checkpolicy in the checkpolicy domain. ## ## ## The type of the process performing this action. ## ## # define(`selinux_domtrans_checkpol',` gen_require(`$0'_depend) allow $1 checkpolicy_exec_t:file rx_file_perms; allow $1 checkpolicy_t:process transition; type_transition $1 checkpolicy_exec_t:process checkpolicy_t; dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh }; allow $1 checkpolicy_t:fd use; allow checkpolicy_t $1:fd use; allow checkpolicy_t $1:fifo_file rw_file_perms; allow checkpolicy_t $1:process sigchld; ') define(`selinux_domtrans_checkpol_depend',` type checkpolicy_t, checkpolicy_exec_t; class file rx_file_perms class process { transition noatsecure siginh rlimitinh sigchld sigchld }; class fd use; class fifo_file rw_file_perms; ') ######################################## ## ## ## Execute checkpolicy in the checkpolicy domain, and ## allow the specified role the checkpolicy domain, ## and use the caller's terminal. ## Has a SIGCHLD signal backchannel. ## ## ## The type of the process performing this action. ## ## ## The role to be allowed the checkpolicy domain. ## ## ## The type of the terminal allow the checkpolicy domain to use. ## ## # define(`selinux_run_checkpol',` gen_require(`$0'_depend) selinux_domtrans_checkpol($1) role $2 types checkpolicy_t; allow checkpolicy_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_run_checkpol_depend',` type checkpolicy_t; class chr_file { getattr read write ioctl }; ') ####################################### # # selinux_exec_checkpol(domain) # define(`selinux_exec_checkpol',` gen_require(`$0'_depend) can_exec($1,checkpolicy_exec_t) ') define(`selinux_exec_checkpol_depend',` type checkpolicy_exec_t; class file { rx_file_perms execute_no_trans }; ') ####################################### ## ## ## Execute load_policy in the load_policy domain. ## ## ## The type of the process performing this action. ## ## # define(`selinux_domtrans_loadpol',` gen_require(`$0'_depend) allow $1 load_policy_exec_t:file rx_file_perms; allow $1 load_policy_t:process transition; type_transition $1 load_policy_exec_t:process load_policy_t; dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh }; allow $1 load_policy_t:fd use; allow load_policy_t $1:fd use; allow load_policy_t $1:fifo_file rw_file_perms; allow load_policy_t $1:process sigchld; ') define(`selinux_domtrans_loadpol_depend',` type load_policy_t, load_policy_exec_t; class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; ') ######################################## ## ## ## Execute load_policy in the load_policy domain, and ## allow the specified role the load_policy domain, ## and use the caller's terminal. ## Has a SIGCHLD signal backchannel. ## ## ## The type of the process performing this action. ## ## ## The role to be allowed the load_policy domain. ## ## ## The type of the terminal allow the load_policy domain to use. ## ## # define(`selinux_run_loadpol',` gen_require(`$0'_depend) selinux_domtrans_loadpol($1) role $2 types load_policy_t; allow load_policy_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_run_loadpol_depend',` type load_policy_t; class chr_file { getattr read write ioctl }; ') ####################################### # # selinux_exec_loadpol(domain) # define(`selinux_exec_loadpol',` gen_require(`$0'_depend) can_exec($1,load_policy_exec_t) ') define(`selinux_exec_loadpol_depend',` type load_policy_exec_t; class file { rx_file_perms execute_no_trans }; ') ####################################### # # selinux_read_loadpol(domain) # define(`selinux_read_loadpol',` gen_require(`$0'_depend) allow $1 load_policy_exec_t:file r_file_perms; ') define(`selinux_read_loadpol_depend',` type load_policy_exec_t; class file r_file_perms ') ####################################### ## ## ## Execute newrole in the load_policy domain. ## ## ## The type of the process performing this action. ## ## # define(`selinux_domtrans_newrole',` gen_require(`$0'_depend) allow $1 newrole_exec_t:file rx_file_perms; allow $1 newrole_t:process transition; type_transition $1 newrole_exec_t:process newrole_t; dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh }; allow $1 newrole_t:fd use; allow newrole_t $1:fd use; allow newrole_t $1:fifo_file rw_file_perms; allow newrole_t $1:process sigchld; ') define(`selinux_domtrans_newrole_depend',` type newrole_t, newrole_exec_t; class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; ') ######################################## ## ## ## Execute newrole in the newrole domain, and ## allow the specified role the newrole domain, ## and use the caller's terminal. ## ## ## The type of the process performing this action. ## ## ## The role to be allowed the newrole domain. ## ## ## The type of the terminal allow the newrole domain to use. ## ## # define(`selinux_run_newrole',` gen_require(`$0'_depend) selinux_domtrans_newrole($1) role $2 types newrole_t; allow newrole_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_run_newrole_depend',` type newrole_t; class chr_file { getattr read write ioctl }; ') ####################################### # # selinux_exec_newrole(domain) # define(`selinux_exec_newrole',` gen_require(`$0'_depend) can_exec($1,newrole_exec_t) ') define(`selinux_exec_newrole_depend',` type newrole_t, newrole_exec_t; class file { rx_file_perms execute_no_trans }; ') ######################################## ## ## ## Do not audit the caller attempts to send ## a signal to newrole. ## ## ## The type of the process performing this action. ## ## # define(`selinux_dontaudit_newrole_signal',` gen_require(`$0'_depend) dontaudit $1 newrole_t:process signal; ') define(`selinux_dontaudit_newrole_signal_depend',` type newrole_t; class process signal; ') ####################################### # # selinux_newrole_sigchld(domain) # define(`selinux_newrole_sigchld',` gen_require(`$0'_depend) allow $1 newrole_t:process sigchld; ') define(`selinux_newrole_sigchld_depend',` type newrole_t; class process sigchld; ') ####################################### # # selinux_use_newrole_fd(domain) # define(`selinux_use_newrole_fd',` gen_require(`$0'_depend) allow $1 newrole_t:fd use; ') define(`selinux_use_newrole_fd_depend',` type newrole_t; class fd use; ') ####################################### ## ## ## Execute restorecon in the restorecon domain. ## ## ## The type of the process performing this action. ## ## # define(`selinux_domtrans_restorecon',` gen_require(`$0'_depend) allow $1 restorecon_exec_t:file rx_file_perms; allow $1 restorecon_t:process transition; type_transition $1 restorecon_exec_t:process restorecon_t; dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh }; allow $1 restorecon_t:fd use; allow restorecon_t $1:fd use; allow restorecon_t $1:fifo_file rw_file_perms; allow restorecon_t $1:process sigchld; ') define(`selinux_domtrans_restorecon_depend',` type restorecon_t, restorecon_exec_t; class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; ') ######################################## ## ## ## Execute restorecon in the restorecon domain, and ## allow the specified role the restorecon domain, ## and use the caller's terminal. ## ## ## The type of the process performing this action. ## ## ## The role to be allowed the restorecon domain. ## ## ## The type of the terminal allow the restorecon domain to use. ## ## # define(`selinux_run_restorecon',` gen_require(`$0'_depend) selinux_domtrans_restorecon($1) role $2 types restorecon_t; allow restorecon_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_run_restorecon_depend',` type restorecon_t; class chr_file { getattr read write ioctl }; ') ####################################### # # selinux_exec_restorecon(domain) # define(`selinux_exec_restorecon',` gen_require(`$0'_depend) can_exec($1,restorecon_exec_t) ') define(`selinux_exec_restorecon_depend',` type restorecon_t, restorecon_exec_t; class file { rx_file_perms execute_no_trans }; ') ######################################## ## ## ## Execute run_init in the run_init domain. ## ## ## The type of the process performing this action. ## ## # define(`selinux_domtrans_runinit',` gen_require(`$0'_depend) allow $1 run_init_exec_t:file rx_file_perms; allow $1 run_init_t:process transition; type_transition $1 run_init_exec_t:process run_init_t; dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh }; allow $1 run_init_t:fd use; allow run_init_t $1:fd use; allow run_init_t $1:fifo_file rw_file_perms; allow run_init_t $1:process sigchld; ') define(`selinux_domtrans_runinit_depend',` type run_init_t, run_init_exec_t; class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; ') ######################################## ## ## ## Execute run_init in the run_init domain, and ## allow the specified role the run_init domain, ## and use the caller's terminal. ## ## ## The type of the process performing this action. ## ## ## The role to be allowed the run_init domain. ## ## ## The type of the terminal allow the run_init domain to use. ## ## # define(`selinux_run_runinit',` gen_require(`$0'_depend) selinux_domtrans_runinit($1) role $2 types run_init_t; allow run_init_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_run_runinit_depend',` type run_init_t; class chr_file { getattr read write ioctl }; ') ######################################## # # selinux_use_runinit_fd(domain) # define(`selinux_use_runinit_fd',` gen_require(`$0'_depend) allow $1 run_init_t:fd use; ') define(`selinux_use_runinit_fd_depend',` type run_init_t; class fd use; ') ######################################## ## ## ## Execute setfiles in the setfiles domain. ## ## ## The type of the process performing this action. ## ## # define(`selinux_domtrans_setfiles',` gen_require(`$0'_depend) allow $1 setfiles_exec_t:file rx_file_perms; allow $1 setfiles_t:process transition; type_transition $1 setfiles_exec_t:process setfiles_t; dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh }; allow $1 setfiles_t:fd use; allow setfiles_t $1:fd use; allow setfiles_t $1:fifo_file rw_file_perms; allow setfiles_t $1:process sigchld; ') define(`selinux_domtrans_setfiles_depend',` type setfiles_t, setfiles_exec_t; class file rx_file_perms; class process { transition noatsecure siginh rlimitinh sigchld }; class fd use; class fifo_file rw_file_perms; ') ######################################## ## ## ## Execute setfiles in the setfiles domain, and ## allow the specified role the setfiles domain, ## and use the caller's terminal. ## ## ## The type of the process performing this action. ## ## ## The role to be allowed the setfiles domain. ## ## ## The type of the terminal allow the setfiles domain to use. ## ## # define(`selinux_run_setfiles',` gen_require(`$0'_depend) selinux_domtrans_setfiles($1) role $2 types setfiles_t; allow setfiles_t $3:chr_file { getattr read write ioctl }; ') define(`selinux_run_setfiles_depend',` type setfiles_t; class chr_file { getattr read write ioctl }; ') ####################################### # # selinux_exec_setfiles(domain) # define(`selinux_exec_setfiles',` gen_require(`$0'_depend) can_exec($1,setfiles_exec_t) ') define(`selinux_exec_setfiles_depend',` type setfiles_exec_t; class file { rx_file_perms execute_no_trans }; ') ######################################## # # selinux_read_config(domain) # define(`selinux_read_config',` gen_require(`$0'_depend) allow $1 selinux_config_t:dir r_dir_perms; allow $1 selinux_config_t:file r_file_perms; ') define(`selinux_read_config_depend',` type selinux_config_t; class dir r_dir_perms; class file r_file_perms; ') ######################################## # # selinux_read_default_contexts(domain) # define(`selinux_read_default_contexts',` gen_require(`$0'_depend) allow $1 selinux_config_t:dir search; allow $1 default_context_t:dir r_dir_perms; allow $1 default_context_t:file r_file_perms; ') define(`selinux_read_default_contexts_depend',` type selinux_config_t, default_context_t; class dir r_dir_perms; class file r_file_perms; ') ######################################## # # selinux_read_file_contexts(domain) # define(`selinux_read_file_contexts',` gen_require(`$0'_depend) allow $1 selinux_config_t:dir search; allow $1 file_context_t:dir r_dir_perms; allow $1 file_context_t:file r_file_perms; ') define(`selinux_read_file_contexts_depend',` type selinux_config_t, file_context_t; class dir r_dir_perms; class file r_file_perms; ') ######################################## # # selinux_read_binary_pol(domain) # define(`selinux_read_binary_pol',` gen_require(`$0'_depend) allow $1 policy_config_t:dir r_dir_perms; allow $1 policy_config_t:file r_file_perms; ') define(`selinux_read_binary_pol_depend',` type policy_config_t; class dir r_dir_perms; class file r_file_perms; ') ######################################## # # selinux_write_binary_pol(domain) # define(`selinux_write_binary_pol',` gen_require(`$0'_depend) allow $1 policy_config_t:dir rw_dir_perms; allow $1 policy_config_t:file { getattr create write unlink }; typeattribute $1 can_write_binary_policy; ') define(`selinux_write_binary_pol_depend',` attribute can_write_binary_policy; type policy_config_t; class dir rw_dir_perms; class file { getattr create write unlink }; ') ######################################## ## ## ## Allow the caller to relabel a file to the binary policy type. ## ## ## The type of the process performing this action. ## ## # define(`selinux_relabelto_binary_pol',` gen_require(`$0'_depend) allow $1 policy_config_t:file relabelto; typeattribute $1 can_relabelto_binary_policy; ') define(`selinux_relabelto_binary_pol_depend',` attribute can_relabelto_binary_policy; type policy_config_t; class file relabelto; ') ######################################## # # selinux_manage_binary_pol(domain) # define(`selinux_manage_binary_pol',` gen_require(`$0'_depend) # FIXME: search etc_t:dir allow $1 selinux_config_t:dir search; allow $1 policy_config_t:dir r_dir_perms; allow $1 policy_config_t:file create_file_perms; typeattribute $1 can_write_binary_policy; ') define(`selinux_manage_binary_pol_depend',` attribute can_write_binary_policy; type selinux_config_t, policy_config_t; class dir create_dir_perms; class file create_file_perms; ') ######################################## # # selinux_read_src_pol(domain) # define(`selinux_read_src_pol',` gen_require(`$0'_depend) # FIXME: search etc_t:dir allow $1 selinux_config_t:dir search; allow $1 policy_src_t:dir r_dir_perms; allow $1 policy_src_t:file r_file_perms; ') define(`selinux_read_src_pol_depend',` type selinux_config_t, policy_src_t; class dir r_dir_perms; class file r_file_perms; ') ######################################## # # selinux_manage_src_pol(domain) # define(`selinux_manage_src_pol',` gen_require(`$0'_depend) # FIXME: search etc_t:dir allow $1 selinux_config_t:dir search; allow $1 policy_src_t:dir create_dir_perms; allow $1 policy_src_t:file create_file_perms; ') define(`selinux_manage_src_pol_depend',` type selinux_config_t, policy_src_t; class dir create_dir_perms; class file create_file_perms; ') ##