## ## ## Policy for kernel security interface, in particular, selinuxfs. ## ######################################## ## ## ## Gets the caller the mountpoint of the selinuxfs filesystem. ## ## ## The process type requesting the selinuxfs mountpoint. ## ## # define(`selinux_get_fs_mount',` # read /proc/filesystems to see if selinuxfs is supported # then read /proc/self/mount to see where selinuxfs is mounted kernel_read_system_state($1) ') ######################################## ## ## ## Allows the caller to get the mode of policy enforcement ## (enforcing or permissive mode). ## ## ## The process type to allow to get the enforcing mode. ## ## # define(`selinux_get_enforce_mode',` gen_require(` type security_t; class dir { read search getattr }; class file { getattr read }; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read }; ') ######################################## ## ## ## Allow caller to set the mode of policy enforcement ## (enforcing or permissive mode). ## ## ## The process type to allow to set the enforcement mode. ## ## # define(`selinux_set_enforce_mode',` gen_require(` type security_t; attribute can_setenforce; class dir { read search getattr }; class file { getattr read write }; class security setenforce; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security setenforce; auditallow $1 security_t:security setenforce; typeattribute $1 can_setenforce; ') ######################################## ## ## ## Allow caller to load the policy into the kernel. ## ## ## The process type that will load the policy. ## ## # define(`selinux_load_policy',` gen_require(` type security_t; attribute can_load_policy; class dir { read search getattr }; class file { getattr read write }; class security load_policy; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security load_policy; auditallow $1 security_t:security load_policy; typeattribute $1 can_load_policy; ') ######################################## ## ## ## Allow caller to set the state of Booleans to ## enable or disable conditional portions of the policy. ## ## ## The process type allowed to set the Boolean. ## ## ## The type of Booleans the caller is allowed to set. ## ## # define(`selinux_set_boolean',` gen_require(` type security_t; class dir { read search getattr }; class file { getattr read write }; class security setbool; ') ifelse(`$2',`',` allow $1 security_t:dir { getattr search read }; allow $1 security_t:file { getattr read write }; ',` allow $1 $2:dir { getattr search read }; allow $1 $2:file { getattr read write }; ') allow $1 security_t:dir search; allow $1 security_t:security setbool; auditallow $1 security_t:security setbool; ') ######################################## ## ## ## Allow caller to set selinux security parameters. ## ## ## The process type to allow to set security parameters. ## ## # define(`selinux_set_parameters',` gen_require(` type security_t; attribute can_setsecparam; class dir { read search getattr }; class file { getattr read write }; class security setsecparam; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security setsecparam; auditallow $1 security_t:security setsecparam; typeattribute $1 can_setsecparam; ') ######################################## ## ## ## Allows caller to validate security contexts. ## ## ## The process type permitted to validate contexts. ## ## # define(`selinux_validate_context',` gen_require(` type security_t; class dir { read search getattr }; class file { getattr read write }; class security check_context; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security check_context; ') ######################################## ## ## ## Allows caller to compute an access vector. ## ## ## The process type allowed to compute an access vector. ## ## # define(`selinux_compute_access_vector',` gen_require(` type security_t; class dir { read search getattr }; class file { getattr read write }; class security compute_av; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security compute_av; ') ######################################## ## ## ## ## ## ## ## ## # define(`selinux_compute_create_context',` gen_require(` type security_t; class dir { read search getattr }; class file { getattr read write }; class security compute_create; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security compute_create; ') ######################################## ## ## ## ## ## ## The process type to ## ## # define(`selinux_compute_relabel_context',` gen_require(` type security_t; class dir { read search getattr }; class file { getattr read write }; class security compute_relabel; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security compute_relabel; ') ######################################## ## ## ## Allows caller to compute possible contexts for a user. ## ## ## The process type allowed to compute user contexts. ## ## # define(`selinux_compute_user_contexts',` gen_require(` type security_t; class dir { read search getattr }; class file { getattr read write }; class security compute_user; ') allow $1 security_t:dir { read search getattr }; allow $1 security_t:file { getattr read write }; allow $1 security_t:security compute_user; ') ##