## Policy for SELinux policy and userland applications. ####################################### ## ## Execute checkpolicy in the checkpolicy domain. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_domtrans_checkpolicy',` gen_require(` type checkpolicy_t, checkpolicy_exec_t; ') files_search_usr($1) corecmd_search_bin($1) domain_auto_trans($1,checkpolicy_exec_t,checkpolicy_t) allow $1 checkpolicy_t:fd use; allow checkpolicy_t $1:fd use; allow checkpolicy_t $1:fifo_file rw_file_perms; allow checkpolicy_t $1:process sigchld; ') ######################################## ## ## Execute checkpolicy in the checkpolicy domain, and ## allow the specified role the checkpolicy domain, ## and use the caller's terminal. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the checkpolicy domain. ## ## ## ## ## The type of the terminal allow the checkpolicy domain to use. ## ## ## # interface(`seutil_run_checkpolicy',` gen_require(` type checkpolicy_t; ') seutil_domtrans_checkpolicy($1) role $2 types checkpolicy_t; allow checkpolicy_t $3:chr_file rw_term_perms; ') ######################################## ## ## Execute checkpolicy in the caller domain. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_exec_checkpolicy',` gen_require(` type checkpolicy_exec_t; ') files_search_usr($1) corecmd_search_bin($1) can_exec($1,checkpolicy_exec_t) ') ####################################### ## ## Execute load_policy in the load_policy domain. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_domtrans_loadpolicy',` gen_require(` type load_policy_t, load_policy_exec_t; ') corecmd_search_sbin($1) domain_auto_trans($1,load_policy_exec_t,load_policy_t) allow $1 load_policy_t:fd use; allow load_policy_t $1:fd use; allow load_policy_t $1:fifo_file rw_file_perms; allow load_policy_t $1:process sigchld; ') ######################################## ## ## Execute load_policy in the load_policy domain, and ## allow the specified role the load_policy domain, ## and use the caller's terminal. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the load_policy domain. ## ## ## ## ## The type of the terminal allow the load_policy domain to use. ## ## ## # interface(`seutil_run_loadpolicy',` gen_require(` type load_policy_t; ') seutil_domtrans_loadpolicy($1) role $2 types load_policy_t; allow load_policy_t $3:chr_file rw_term_perms; ') ######################################## ## ## Execute load_policy in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_exec_loadpolicy',` gen_require(` type load_policy_exec_t; ') corecmd_search_sbin($1) can_exec($1,load_policy_exec_t) ') ######################################## ## ## Read the load_policy program file. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_read_loadpolicy',` gen_require(` type load_policy_exec_t; ') corecmd_search_sbin($1) allow $1 load_policy_exec_t:file r_file_perms; ') ####################################### ## ## Execute newrole in the load_policy domain. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_domtrans_newrole',` gen_require(` type newrole_t, newrole_exec_t; ') files_search_usr($1) corecmd_search_bin($1) domain_auto_trans($1,newrole_exec_t,newrole_t) allow $1 newrole_t:fd use; allow newrole_t $1:fd use; allow newrole_t $1:fifo_file rw_file_perms; allow newrole_t $1:process sigchld; ') ######################################## ## ## Execute newrole in the newrole domain, and ## allow the specified role the newrole domain, ## and use the caller's terminal. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the newrole domain. ## ## ## ## ## The type of the terminal allow the newrole domain to use. ## ## ## # interface(`seutil_run_newrole',` gen_require(` type newrole_t; ') seutil_domtrans_newrole($1) role $2 types newrole_t; allow newrole_t $3:chr_file rw_term_perms; ') ######################################## ## ## Execute newrole in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_exec_newrole',` gen_require(` type newrole_t, newrole_exec_t; ') files_search_usr($1) corecmd_search_bin($1) can_exec($1,newrole_exec_t) ') ######################################## ## ## Do not audit the caller attempts to send ## a signal to newrole. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_dontaudit_signal_newrole',` gen_require(` type newrole_t; ') dontaudit $1 newrole_t:process signal; ') ######################################## ## ## Send a SIGCHLD signal to newrole. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_sigchld_newrole',` gen_require(` type newrole_t; ') allow $1 newrole_t:process sigchld; ') ######################################## ## ## Inherit and use newrole file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_use_newrole_fds',` gen_require(` type newrole_t; ') allow $1 newrole_t:fd use; ') ####################################### ## ## Execute restorecon in the restorecon domain. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_domtrans_restorecon',` gen_require(` type restorecon_t, restorecon_exec_t; ') corecmd_search_sbin($1) domain_auto_trans($1,restorecon_exec_t,restorecon_t) allow $1 restorecon_t:fd use; allow restorecon_t $1:fd use; allow restorecon_t $1:fifo_file rw_file_perms; allow restorecon_t $1:process sigchld; ') ######################################## ## ## Execute restorecon in the restorecon domain, and ## allow the specified role the restorecon domain, ## and use the caller's terminal. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the restorecon domain. ## ## ## ## ## The type of the terminal allow the restorecon domain to use. ## ## ## # interface(`seutil_run_restorecon',` gen_require(` type restorecon_t; ') seutil_domtrans_restorecon($1) role $2 types restorecon_t; allow restorecon_t $3:chr_file rw_term_perms; ') ######################################## ## ## Execute restorecon in the caller domain. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_exec_restorecon',` gen_require(` type restorecon_t, restorecon_exec_t; ') corecmd_search_sbin($1) can_exec($1,restorecon_exec_t) ') ######################################## ## ## Execute run_init in the run_init domain. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_domtrans_runinit',` gen_require(` type run_init_t, run_init_exec_t; ') files_search_usr($1) corecmd_search_sbin($1) domain_auto_trans($1,run_init_exec_t,run_init_t) allow $1 run_init_t:fd use; allow run_init_t $1:fd use; allow run_init_t $1:fifo_file rw_file_perms; allow run_init_t $1:process sigchld; ') ######################################## ## ## Execute init scripts in the run_init domain. ## ## ##

## Execute init scripts in the run_init domain. ## This is used for the Gentoo integrated run_init. ##

##
## ## ## Domain allowed access. ## ## # interface(`seutil_init_script_domtrans_runinit',` gen_require(` type run_init_t; ') init_script_file_domtrans($1,run_init_t) allow $1 run_init_t:fd use; allow run_init_t $1:fd use; allow run_init_t $1:fifo_file rw_file_perms; allow run_init_t $1:process sigchld; ') ######################################## ## ## Execute run_init in the run_init domain, and ## allow the specified role the run_init domain, ## and use the caller's terminal. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the run_init domain. ## ## ## ## ## The type of the terminal allow the run_init domain to use. ## ## ## # interface(`seutil_run_runinit',` gen_require(` type run_init_t; role system_r; ') seutil_domtrans_runinit($1) role $2 types run_init_t; allow run_init_t $3:chr_file rw_term_perms; allow $2 system_r; ') ######################################## ## ## Execute init scripts in the run_init domain, and ## allow the specified role the run_init domain, ## and use the caller's terminal. ## ## ##

## Execute init scripts in the run_init domain, and ## allow the specified role the run_init domain, ## and use the caller's terminal. ##

##

## This is used for the Gentoo integrated run_init. ##

##
## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the run_init domain. ## ## ## ## ## The type of the terminal allow the run_init domain to use. ## ## # interface(`seutil_init_script_run_runinit',` gen_require(` type run_init_t; role system_r; ') seutil_init_script_domtrans_runinit($1) role $2 types run_init_t; allow run_init_t $3:chr_file rw_term_perms; allow $2 system_r; ') ######################################## ## ## Inherit and use run_init file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_use_runinit_fds',` gen_require(` type run_init_t; ') allow $1 run_init_t:fd use; ') ######################################## ## ## Execute setfiles in the setfiles domain. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_domtrans_setfiles',` gen_require(` type setfiles_t, setfiles_exec_t; ') files_search_usr($1) corecmd_search_sbin($1) domain_auto_trans($1,setfiles_exec_t,setfiles_t) allow $1 setfiles_t:fd use; allow setfiles_t $1:fd use; allow setfiles_t $1:fifo_file rw_file_perms; allow setfiles_t $1:process sigchld; ') ######################################## ## ## Execute setfiles in the setfiles domain, and ## allow the specified role the setfiles domain, ## and use the caller's terminal. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the setfiles domain. ## ## ## ## ## The type of the terminal allow the setfiles domain to use. ## ## ## # interface(`seutil_run_setfiles',` gen_require(` type setfiles_t; ') seutil_domtrans_setfiles($1) role $2 types setfiles_t; allow setfiles_t $3:chr_file rw_term_perms; ') ######################################## ## ## Execute setfiles in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_exec_setfiles',` gen_require(` type setfiles_exec_t; ') files_search_usr($1) corecmd_search_sbin($1) can_exec($1,setfiles_exec_t) ') ######################################## ## ## Do not audit attempts to search the SELinux ## configuration directory (/etc/selinux). ## ## ## ## Domain to not audit. ## ## # interface(`seutil_dontaudit_search_config',` gen_require(` type selinux_config_t; ') dontaudit $1 selinux_config_t:dir search; ') ######################################## ## ## Do not audit attempts to read the SELinux ## userland configuration (/etc/selinux). ## ## ## ## Domain to not audit. ## ## # interface(`seutil_dontaudit_read_config',` gen_require(` type selinux_config_t; ') dontaudit $1 selinux_config_t:dir search; dontaudit $1 selinux_config_t:file { getattr read }; ') ######################################## ## ## Read the general SELinux configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_read_config',` gen_require(` type selinux_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir r_dir_perms; allow $1 selinux_config_t:file r_file_perms; allow $1 selinux_config_t:lnk_file { getattr read }; ') ####################################### ## ## Create, read, write, and delete ## the general selinux configuration files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_manage_selinux_config',` gen_require(` type selinux_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir rw_dir_perms; allow $1 selinux_config_t:file manage_file_perms; allow $1 selinux_config_t:lnk_file { getattr read }; ') ######################################## ## ## Search the policy directory with default_context files. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_search_default_contexts',` gen_require(` type selinux_config_t, default_context_t; ') files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search; ') ######################################## ## ## Read the default_contexts files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_read_default_contexts',` gen_require(` type selinux_config_t, default_context_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; allow $1 default_context_t:dir list_dir_perms; allow $1 default_context_t:file r_file_perms; ') ######################################## ## ## Create, read, write, and delete the default_contexts files. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_manage_default_contexts',` gen_require(` type selinux_config_t, default_context_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; allow $1 default_context_t:dir rw_dir_perms; allow $1 default_context_t:file manage_file_perms; ') ######################################## ## ## Read the file_contexts files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_read_file_contexts',` gen_require(` type selinux_config_t, file_context_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search; allow $1 file_context_t:dir r_dir_perms; allow $1 file_context_t:file r_file_perms; allow $1 file_context_t:lnk_file { getattr read }; ') ######################################## ## ## Read and write the file_contexts files. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_rw_file_contexts',` gen_require(` type selinux_config_t, file_context_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search; allow $1 file_context_t:dir r_dir_perms; allow $1 file_context_t:file rw_file_perms; allow $1 file_context_t:lnk_file { getattr read }; ') ######################################## ## ## Create, read, write, and delete the file_contexts files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_manage_file_contexts',` gen_require(` type selinux_config_t, file_context_t; ') files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; allow $1 file_context_t:dir rw_dir_perms; allow $1 file_context_t:file manage_file_perms; ') ######################################## ## ## Read the SELinux binary policy. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_read_bin_policy',` gen_require(` type selinux_config_t, policy_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search; allow $1 policy_config_t:dir r_dir_perms; allow $1 policy_config_t:file r_file_perms; ') ######################################## ## ## Create the SELinux binary policy. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_create_bin_policy',` gen_require(` # attribute can_write_binary_policy; type selinux_config_t, policy_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search; allow $1 policy_config_t:dir ra_dir_perms; allow $1 policy_config_t:file { getattr create write }; # typeattribute $1 can_write_binary_policy; ') ######################################## ## ## Allow the caller to relabel a file to the binary policy type. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_relabelto_bin_policy',` gen_require(` attribute can_relabelto_binary_policy; type policy_config_t; ') allow $1 policy_config_t:file relabelto; typeattribute $1 can_relabelto_binary_policy; ') ######################################## ## ## Create, read, write, and delete the SELinux ## binary policy. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_manage_bin_policy',` gen_require(` attribute can_write_binary_policy; type selinux_config_t, policy_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search; allow $1 policy_config_t:dir rw_dir_perms; allow $1 policy_config_t:file create_file_perms; typeattribute $1 can_write_binary_policy; ') ######################################## ## ## Read SELinux policy source files. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_read_src_policy',` gen_require(` type selinux_config_t, policy_src_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search; allow $1 policy_src_t:dir r_dir_perms; allow $1 policy_src_t:file r_file_perms; ') ######################################## ## ## Create, read, write, and delete SELinux ## policy source files. ## ## ## ## Domain allowed access. ## ## ## # interface(`seutil_manage_src_policy',` gen_require(` type selinux_config_t, policy_src_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search; allow $1 policy_src_t:dir create_dir_perms; allow $1 policy_src_t:file create_file_perms; ') ######################################## ## ## Execute a domain transition to run semanage. ## ## ## ## Domain allowed to transition. ## ## # interface(`seutil_domtrans_semanage',` gen_require(` type semanage_t, semanage_exec_t; ') files_search_usr($1) corecmd_search_bin($1) domain_auto_trans($1,semanage_exec_t,semanage_t) allow $1 semanage_t:fd use; allow semanage_t $1:fd use; allow semanage_t $1:fifo_file rw_file_perms; allow semanage_t $1:process sigchld; ') ######################################## ## ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the checkpolicy domain. ## ## ## ## ## The type of the terminal allow the semanage domain to use. ## ## ## # interface(`seutil_run_semanage',` gen_require(` type semanage_t; ') seutil_domtrans_semanage($1) role $2 types semanage_t; allow semanage_t $3:chr_file rw_term_perms; ') ######################################## ## ## Full management of the semanage ## module store. ## ## ## ## Domain allowed access. ## ## # interface(`seutil_manage_module_store',` gen_require(` type selinux_config_t, semanage_store_t; ') files_search_etc($1) allow $1 selinux_config_t:dir rw_dir_perms; type_transition $1 selinux_config_t:dir semanage_store_t; allow $1 semanage_store_t:dir create_dir_perms; allow $1 semanage_store_t:file create_file_perms; ') ####################################### ## ## Get read lock on module store ## ## ## ## Domain allowed access. ## ## # interface(`seutil_get_semanage_read_lock',` gen_require(` type selinux_config_t, semanage_read_lock_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; allow $1 semanage_read_lock_t:file rw_file_perms; ') ####################################### ## ## Get trans lock on module store ## ## ## ## Domain allowed access. ## ## # interface(`seutil_get_semanage_trans_lock',` gen_require(` type selinux_config_t, semanage_trans_lock_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; allow $1 semanage_trans_lock_t:file rw_file_perms; ')