## Miscelaneous files. ######################################## ## ## Read system SSL certificates. ## ## ## Domain allowed access. ## # interface(`miscfiles_read_certs',` gen_require(` type cert_t; ') allow $1 cert_t:dir r_dir_perms; allow $1 cert_t:file r_file_perms; allow $1 cert_t:lnk_file { getattr read }; ') ######################################## ## ## Read fonts. ## ## ## Domain allowed access. ## # interface(`miscfiles_read_fonts',` gen_require(` type fonts_t; ') files_search_usr($1) libs_search_lib($1) # cjp: fonts can be in either of the above dirs allow $1 fonts_t:dir r_dir_perms; allow $1 fonts_t:file r_file_perms; allow $1 fonts_t:lnk_file { getattr read }; ') ######################################## ## ## Read hardware identification data. ## ## ## Domain allowed access. ## # interface(`miscfiles_read_hwdata',` gen_require(` type hwdata_t; ') allow $1 hwdata_t:dir r_dir_perms; allow $1 hwdata_t:file r_file_perms; allow $1 hwdata_t:file { getattr read }; ') ######################################## ## ## Allow process to read localization info ## ## ## Domain allowed access. ## # interface(`miscfiles_read_localization',` gen_require(` type locale_t; ') files_search_etc($1) # FIXME: $1 read etc_t:lnk_file here files_search_usr($1) allow $1 locale_t:dir r_dir_perms; allow $1 locale_t:lnk_file r_file_perms; allow $1 locale_t:file r_file_perms; # why? libs_read_lib($1) ') ######################################## ## ## Allow process to read legacy time localization info ## ## ## Domain allowed access. ## # interface(`miscfiles_legacy_read_localization',` gen_require(` type locale_t; ') miscfiles_read_localization($1) allow $1 locale_t:file execute; ') ######################################## ## ## Do not audit attempts to search man pages. ## ## ## Domain to not audit. ## # interface(`miscfiles_dontaudit_search_man_pages',` gen_require(` type man_t; ') dontaudit $1 man_t:dir search; ') ######################################## ## ## Read man pages ## ## ## Domain allowed access. ## # interface(`miscfiles_read_man_pages',` gen_require(` type man_t; ') files_search_usr($1) allow $1 man_t:dir r_dir_perms; allow $1 man_t:file r_file_perms; allow $1 man_t:lnk_file r_file_perms; ') ######################################## ## ## Delete man pages ## ## ## Domain allowed access. ## # cjp: added for tmpreaper # interface(`miscfiles_delete_man_pages',` gen_require(` type man_t; ') files_search_usr($1) allow $1 man_t:dir { setattr rw_dir_perms rmdir }; allow $1 man_t:file { getattr unlink }; allow $1 man_t:lnk_file { getattr unlink }; ') ######################################## ## ## Create, read, write, and delete man pages ## ## ## Domain allowed access. ## # interface(`miscfiles_manage_man_pages',` gen_require(` type man_t; ') files_search_usr($1) allow $1 man_t:dir create_dir_perms; allow $1 man_t:file create_file_perms; allow $1 man_t:lnk_file r_file_perms; ') ######################################## ## ## Read public files used for file ## transfer services. ## ## ## Domain allowed access. ## # interface(`miscfiles_read_public_files',` gen_require(` type public_content_t, public_content_rw_t; ') allow $1 { public_content_t public_content_rw_t }:dir r_dir_perms; allow $1 { public_content_t public_content_rw_t }:file r_file_perms; allow $1 { public_content_t public_content_rw_t }:lnk_file { getattr read }; ') ######################################## ## ## Create, read, write, and delete public files ## and directories used for file transfer services. ## ## ## Domain allowed access. ## # interface(`miscfiles_manage_public_files',` gen_require(` type public_content_rw_t; ') allow $1 public_content_rw_t:dir create_dir_perms; allow $1 public_content_rw_t:file create_file_perms; allow $1 public_content_rw_t:lnk_file create_lnk_perms; ') ######################################## ## ## Read TeX data ## ## ## Domain allowed access. ## # interface(`miscfiles_read_tetex_data',` gen_require(` type tetex_data_t; ') files_search_var($1) files_search_var_lib($1) # cjp: TeX data can be in either of the above dirs allow $1 tetex_data_t:dir r_dir_perms; allow $1 tetex_data_t:file r_file_perms; allow $1 tetex_data_t:lnk_file r_file_perms; ') ######################################## ## ## Execute TeX data programs in the caller domain. ## ## ## Domain allowed access. ## # interface(`miscfiles_exec_tetex_data',` gen_require(` type fonts_t; ') files_search_var($1) files_search_var_lib($1) # cjp: TeX data can be in either of the above dirs allow $1 tetex_data_t:dir r_dir_perms; can_exec($1,tetex_data_t) ')