## <summary>Policy for user executable applications.</summary> ######################################## ## <summary> ## Make the specified type usable as an application domain. ## </summary> ## <param name="type"> ## <summary> ## Type to be used as a domain type. ## </summary> ## </param> # interface(`application_type',` gen_require(` attribute application_domain_type; ') typeattribute $1 application_domain_type; # start with basic domain domain_type($1) ') ######################################## ## <summary> ## Make the specified type usable for files ## that are exectuables, such as binary programs. ## This does not include shared libraries. ## </summary> ## <param name="type"> ## <summary> ## Type to be used for files. ## </summary> ## </param> # interface(`application_executable_file',` gen_require(` attribute application_exec_type; ') typeattribute $1 application_exec_type; corecmd_executable_file($1) ') ######################################## ## <summary> ## Execute application executables in the caller domain. ## </summary> ## <param name="type"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`application_exec',` gen_require(` attribute application_exec_type; ') can_exec($1, application_exec_type) ') ######################################## ## <summary> ## Execute all executable files. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> ## <rolecap/> # interface(`application_exec_all',` corecmd_dontaudit_exec_all_executables($1) corecmd_exec_bin($1) corecmd_exec_shell($1) corecmd_exec_chroot($1) application_exec($1) ') ######################################## ## <summary> ## Create a domain for applications. ## </summary> ## <desc> ## <p> ## Create a domain for applications. Typically these are ## programs that are run interactively. ## </p> ## <p> ## The types will be made usable as a domain and file, making ## calls to domain_type() and files_type() redundant. ## </p> ## </desc> ## <param name="domain"> ## <summary> ## Type to be used as an application domain. ## </summary> ## </param> ## <param name="entry_point"> ## <summary> ## Type of the program to be used as an entry point to this domain. ## </summary> ## </param> ## <infoflow type="none"/> # interface(`application_domain',` application_type($1) application_executable_file($2) domain_entry_file($1, $2) ') ######################################## ## <summary> ## Send signull to all application domains. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`application_signull',` gen_require(` attribute application_domain_type; ') allow $1 application_domain_type:process signull; ')