selinux-policy/refpolicy/policy/modules/system/selinuxutil.if

## <module name="selinuxutil" layer="system">
## <summary>Policy for SELinux policy and userland applications.</summary>

#######################################
## <interface name="seutil_domtrans_checkpol">
##	<description>
##		Execute checkpolicy in the checkpolicy domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`seutil_domtrans_checkpol',`
	gen_require(`
		type checkpolicy_t, checkpolicy_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domain_auto_trans($1,checkpolicy_exec_t,checkpolicy_t)

	allow $1 checkpolicy_t:fd use;
	allow checkpolicy_t $1:fd use;
	allow checkpolicy_t $1:fifo_file rw_file_perms;
	allow checkpolicy_t $1:process sigchld;
')

########################################
## <interface name="seutil_run_checkpol">
##	<description>
##		Execute checkpolicy in the checkpolicy domain, and
##		allow the specified role the checkpolicy domain,
##		and use the caller's terminal.
##		Has a SIGCHLD signal backchannel.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the checkpolicy domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the checkpolicy domain to use.
##	</parameter>
## </interface>
#
define(`seutil_run_checkpol',`
	gen_require(`
		type checkpolicy_t;
		class chr_file rw_term_perms;
	')

	seutil_domtrans_checkpol($1)
	role $2 types checkpolicy_t;
	allow checkpolicy_t $3:chr_file rw_term_perms;
')

#######################################
#
# seutil_exec_checkpol(domain)
#
define(`seutil_exec_checkpol',`
	gen_require(`
		type checkpolicy_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	can_exec($1,checkpolicy_exec_t)
')

#######################################
## <interface name="seutil_domtrans_loadpol">
##	<description>
##		Execute load_policy in the load_policy domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`seutil_domtrans_loadpol',`
	gen_require(`
		type load_policy_t, load_policy_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1,load_policy_exec_t,load_policy_t)

	allow $1 load_policy_t:fd use;
	allow load_policy_t $1:fd use;
	allow load_policy_t $1:fifo_file rw_file_perms;
	allow load_policy_t $1:process sigchld;
')

########################################
## <interface name="seutil_run_loadpol">
##	<description>
##		Execute load_policy in the load_policy domain, and
##		allow the specified role the load_policy domain,
##		and use the caller's terminal.
##		Has a SIGCHLD signal backchannel.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the load_policy domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the load_policy domain to use.
##	</parameter>
## </interface>
#
define(`seutil_run_loadpol',`
	gen_require(`
		type load_policy_t;
		class chr_file rw_term_perms;
	')

	seutil_domtrans_loadpol($1)
	role $2 types load_policy_t;
	allow load_policy_t $3:chr_file rw_term_perms;
')

#######################################
#
# seutil_exec_loadpol(domain)
#
define(`seutil_exec_loadpol',`
	gen_require(`
		type load_policy_exec_t;
	')

	corecmd_search_sbin($1)
	can_exec($1,load_policy_exec_t)
')

#######################################
#
# seutil_read_loadpol(domain)
#
define(`seutil_read_loadpol',`
	gen_require(`
		type load_policy_exec_t;
		class file r_file_perms
	')

	corecmd_search_sbin($1)
	allow $1 load_policy_exec_t:file r_file_perms;
')

#######################################
## <interface name="seutil_domtrans_newrole">
##	<description>
##		Execute newrole in the load_policy domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`seutil_domtrans_newrole',`
	gen_require(`
		type newrole_t, newrole_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domain_auto_trans($1,newrole_exec_t,newrole_t)

	allow $1 newrole_t:fd use;
	allow newrole_t $1:fd use;
	allow newrole_t $1:fifo_file rw_file_perms;
	allow newrole_t $1:process sigchld;
')

########################################
## <interface name="seutil_run_newrole">
##	<description>
##		Execute newrole in the newrole domain, and
##		allow the specified role the newrole domain,
##		and use the caller's terminal.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the newrole domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the newrole domain to use.
##	</parameter>
## </interface>
#
define(`seutil_run_newrole',`
	gen_require(`
		type newrole_t;
		class chr_file rw_term_perms;
	')

	seutil_domtrans_newrole($1)
	role $2 types newrole_t;
	allow newrole_t $3:chr_file rw_term_perms;
')

#######################################
#
# seutil_exec_newrole(domain)
#
define(`seutil_exec_newrole',`
	gen_require(`
		type newrole_t, newrole_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	can_exec($1,newrole_exec_t)
')

########################################
## <interface name="seutil_dontaudit_newrole_signal">
##	<description>
##		Do not audit the caller attempts to send
##		a signal to newrole.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`seutil_dontaudit_newrole_signal',`
	gen_require(`
		type newrole_t;
		class process signal;
	')

	dontaudit $1 newrole_t:process signal;
')

#######################################
#
# seutil_newrole_sigchld(domain)
#
define(`seutil_newrole_sigchld',`
	gen_require(`
		type newrole_t;
		class process sigchld;
	')

	allow $1 newrole_t:process sigchld;
')

#######################################
#
# seutil_use_newrole_fd(domain)
#
define(`seutil_use_newrole_fd',`
	gen_require(`
		type newrole_t;
		class fd use;
	')

	allow $1 newrole_t:fd use;
')

#######################################
## <interface name="seutil_domtrans_restorecon">
##	<description>
##		Execute restorecon in the restorecon domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`seutil_domtrans_restorecon',`
	gen_require(`
		type restorecon_t, restorecon_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	corecmd_search_sbin($1)
	domain_auto_trans($1,restorecon_exec_t,restorecon_t)

	allow $1 restorecon_t:fd use;
	allow restorecon_t $1:fd use;
	allow restorecon_t $1:fifo_file rw_file_perms;
	allow restorecon_t $1:process sigchld;
')

########################################
## <interface name="seutil_run_restorecon">
##	<description>
##		Execute restorecon in the restorecon domain, and
##		allow the specified role the restorecon domain,
##		and use the caller's terminal.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the restorecon domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the restorecon domain to use.
##	</parameter>
## </interface>
#
define(`seutil_run_restorecon',`
	gen_require(`
		type restorecon_t;
		class chr_file rw_term_perms;
	')

	seutil_domtrans_restorecon($1)
	role $2 types restorecon_t;
	allow restorecon_t $3:chr_file rw_term_perms;
')

#######################################
#
# seutil_exec_restorecon(domain)
#
define(`seutil_exec_restorecon',`
	gen_require(`
		type restorecon_t, restorecon_exec_t;
	')

	corecmd_search_sbin($1)
	can_exec($1,restorecon_exec_t)
')

########################################
## <interface name="seutil_domtrans_runinit">
##	<description>
##		Execute run_init in the run_init domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`seutil_domtrans_runinit',`
	gen_require(`
		type run_init_t, run_init_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	files_search_usr($1)
	corecmd_search_sbin($1)
	domain_auto_trans($1,run_init_exec_t,run_init_t)

	allow $1 run_init_t:fd use;
	allow run_init_t $1:fd use;
	allow run_init_t $1:fifo_file rw_file_perms;
	allow run_init_t $1:process sigchld;
')

########################################
## <interface name="seutil_run_runinit">
##	<description>
##		Execute run_init in the run_init domain, and
##		allow the specified role the run_init domain,
##		and use the caller's terminal.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the run_init domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the run_init domain to use.
##	</parameter>
## </interface>
#
define(`seutil_run_runinit',`
	gen_require(`
		type run_init_t;
		class chr_file rw_term_perms;
	')

	seutil_domtrans_runinit($1)
	role $2 types run_init_t;
	allow run_init_t $3:chr_file rw_term_perms;
')

########################################
#
# seutil_use_runinit_fd(domain)
#
define(`seutil_use_runinit_fd',`
	gen_require(`
		type run_init_t;
		class fd use;
	')

	allow $1 run_init_t:fd use;
')

########################################
## <interface name="seutil_domtrans_setfiles">
##	<description>
##		Execute setfiles in the setfiles domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`seutil_domtrans_setfiles',`
	gen_require(`
		type setfiles_t, setfiles_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	files_search_usr($1)
	corecmd_search_sbin($1)
	domain_auto_trans($1,setfiles_exec_t,setfiles_t)

	allow $1 setfiles_t:fd use;
	allow setfiles_t $1:fd use;
	allow setfiles_t $1:fifo_file rw_file_perms;
	allow setfiles_t $1:process sigchld;
')

########################################
## <interface name="seutil_run_setfiles">
##	<description>
##		Execute setfiles in the setfiles domain, and
##		allow the specified role the setfiles domain,
##		and use the caller's terminal.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the setfiles domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the setfiles domain to use.
##	</parameter>
## </interface>
#
define(`seutil_run_setfiles',`
	gen_require(`
		type setfiles_t;
		class chr_file rw_term_perms;
	')

	seutil_domtrans_setfiles($1)
	role $2 types setfiles_t;
	allow setfiles_t $3:chr_file rw_term_perms;
')

#######################################
#
# seutil_exec_setfiles(domain)
#
define(`seutil_exec_setfiles',`
	gen_require(`
		type setfiles_exec_t;
	')

	files_search_usr($1)
	corecmd_search_sbin($1)
	can_exec($1,setfiles_exec_t)
')

########################################
#
# seutil_read_config(domain)
#
define(`seutil_read_config',`
	gen_require(`
		type selinux_config_t;
		class dir r_dir_perms;
		class file r_file_perms;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir r_dir_perms;
	allow $1 selinux_config_t:file r_file_perms;
')

########################################
#
# seutil_read_default_contexts(domain)
#
define(`seutil_read_default_contexts',`
	gen_require(`
		type selinux_config_t, default_context_t;
		class dir r_dir_perms;
		class file r_file_perms;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search;
	allow $1 default_context_t:dir r_dir_perms;
	allow $1 default_context_t:file r_file_perms;
')

########################################
#
# seutil_read_file_contexts(domain)
#
define(`seutil_read_file_contexts',`
	gen_require(`
		type selinux_config_t, file_context_t;
		class dir r_dir_perms;
		class file r_file_perms;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search;
	allow $1 file_context_t:dir r_dir_perms;
	allow $1 file_context_t:file r_file_perms;
')

########################################
#
# seutil_read_binary_pol(domain)
#
define(`seutil_read_binary_pol',`
	gen_require(`
		type selinux_config_t, policy_config_t;
		class dir r_dir_perms;
		class file r_file_perms;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search;
	allow $1 policy_config_t:dir r_dir_perms;
	allow $1 policy_config_t:file r_file_perms;
')

########################################
#
# seutil_create_binary_pol(domain)
#
define(`seutil_create_binary_pol',`
	gen_require(`
		attribute can_write_binary_policy;
		type selinux_config_t, policy_config_t;
		class dir ra_dir_perms;
		class file { getattr create write };
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search;
	allow $1 policy_config_t:dir ra_dir_perms;
	allow $1 policy_config_t:file { getattr create write };
	typeattribute $1 can_write_binary_policy;
')

########################################
## <interface name="seutil_relabelto_binary_pol">
##	<description>
##		Allow the caller to relabel a file to the binary policy type.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`seutil_relabelto_binary_pol',`
	gen_require(`
		attribute can_relabelto_binary_policy;
		type policy_config_t;
		class file relabelto;
	')

	allow $1 policy_config_t:file relabelto;
	typeattribute $1 can_relabelto_binary_policy;
')

########################################
#
# seutil_manage_binary_pol(domain)
#
define(`seutil_manage_binary_pol',`
	gen_require(`
		attribute can_write_binary_policy;
		type selinux_config_t, policy_config_t;
		class dir rw_dir_perms;
		class file create_file_perms;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search;
	allow $1 policy_config_t:dir rw_dir_perms;
	allow $1 policy_config_t:file create_file_perms;
	typeattribute $1 can_write_binary_policy;
')

########################################
#
# seutil_read_src_pol(domain)
#
define(`seutil_read_src_pol',`
	gen_require(`
		type selinux_config_t, policy_src_t;
		class dir r_dir_perms;
		class file r_file_perms;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search;
	allow $1 policy_src_t:dir r_dir_perms;
	allow $1 policy_src_t:file r_file_perms;
')

########################################
#
# seutil_manage_src_pol(domain)
#
define(`seutil_manage_src_pol',`
	gen_require(`
		type selinux_config_t, policy_src_t;
		class dir create_dir_perms;
		class file create_file_perms;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search;
	allow $1 policy_src_t:dir create_dir_perms;
	allow $1 policy_src_t:file create_file_perms;
')

## </module>