745 lines
18 KiB
Plaintext
745 lines
18 KiB
Plaintext
## <module name="selinux" layer="system">
|
|
## <summary>Policy for SELinux policy and userland applications.</summary>
|
|
|
|
#######################################
|
|
## <interface name="selinux_domtrans_checkpol">
|
|
## <description>
|
|
## Execute checkpolicy in the checkpolicy domain.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_domtrans_checkpol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 checkpolicy_exec_t:file rx_file_perms;
|
|
allow $1 checkpolicy_t:process transition;
|
|
type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
|
|
dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };
|
|
|
|
allow $1 checkpolicy_t:fd use;
|
|
allow checkpolicy_t $1:fd use;
|
|
allow checkpolicy_t $1:fifo_file rw_file_perms;
|
|
allow checkpolicy_t $1:process sigchld;
|
|
')
|
|
|
|
define(`selinux_domtrans_checkpol_depend',`
|
|
type checkpolicy_t, checkpolicy_exec_t;
|
|
|
|
class file rx_file_perms
|
|
class process { transition noatsecure siginh rlimitinh sigchld sigchld };
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <interface name="selinux_run_checkpol">
|
|
## <description>
|
|
## Execute checkpolicy in the checkpolicy domain, and
|
|
## allow the specified role the checkpolicy domain,
|
|
## and use the caller's terminal.
|
|
## Has a SIGCHLD signal backchannel.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## <parameter name="role">
|
|
## The role to be allowed the checkpolicy domain.
|
|
## </parameter>
|
|
## <parameter name="terminal">
|
|
## The type of the terminal allow the checkpolicy domain to use.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_run_checkpol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
selinux_domtrans_checkpol($1)
|
|
role $2 types checkpolicy_t;
|
|
allow checkpolicy_t $3:chr_file { getattr read write ioctl };
|
|
')
|
|
|
|
define(`selinux_run_checkpol_depend',`
|
|
type checkpolicy_t;
|
|
|
|
class chr_file { getattr read write ioctl };
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# selinux_exec_checkpol(domain)
|
|
#
|
|
define(`selinux_exec_checkpol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
can_exec($1,checkpolicy_exec_t)
|
|
')
|
|
|
|
define(`selinux_exec_checkpol_depend',`
|
|
type checkpolicy_exec_t;
|
|
|
|
class file { rx_file_perms execute_no_trans };
|
|
')
|
|
|
|
#######################################
|
|
## <interface name="selinux_domtrans_loadpol">
|
|
## <description>
|
|
## Execute load_policy in the load_policy domain.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_domtrans_loadpol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 load_policy_exec_t:file rx_file_perms;
|
|
allow $1 load_policy_t:process transition;
|
|
type_transition $1 load_policy_exec_t:process load_policy_t;
|
|
dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };
|
|
|
|
allow $1 load_policy_t:fd use;
|
|
allow load_policy_t $1:fd use;
|
|
allow load_policy_t $1:fifo_file rw_file_perms;
|
|
allow load_policy_t $1:process sigchld;
|
|
')
|
|
|
|
define(`selinux_domtrans_loadpol_depend',`
|
|
type load_policy_t, load_policy_exec_t;
|
|
|
|
class file rx_file_perms;
|
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <interface name="selinux_run_loadpol">
|
|
## <description>
|
|
## Execute load_policy in the load_policy domain, and
|
|
## allow the specified role the load_policy domain,
|
|
## and use the caller's terminal.
|
|
## Has a SIGCHLD signal backchannel.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## <parameter name="role">
|
|
## The role to be allowed the load_policy domain.
|
|
## </parameter>
|
|
## <parameter name="terminal">
|
|
## The type of the terminal allow the load_policy domain to use.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_run_loadpol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
selinux_domtrans_loadpol($1)
|
|
role $2 types load_policy_t;
|
|
allow load_policy_t $3:chr_file { getattr read write ioctl };
|
|
')
|
|
|
|
define(`selinux_run_loadpol_depend',`
|
|
type load_policy_t;
|
|
|
|
class chr_file { getattr read write ioctl };
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# selinux_exec_loadpol(domain)
|
|
#
|
|
define(`selinux_exec_loadpol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
can_exec($1,load_policy_exec_t)
|
|
')
|
|
|
|
define(`selinux_exec_loadpol_depend',`
|
|
type load_policy_exec_t;
|
|
|
|
class file { rx_file_perms execute_no_trans };
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# selinux_read_loadpol(domain)
|
|
#
|
|
define(`selinux_read_loadpol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 load_policy_exec_t:file r_file_perms;
|
|
')
|
|
|
|
define(`selinux_read_loadpol_depend',`
|
|
type load_policy_exec_t;
|
|
|
|
class file r_file_perms
|
|
')
|
|
|
|
#######################################
|
|
## <interface name="selinux_domtrans_newrole">
|
|
## <description>
|
|
## Execute newrole in the load_policy domain.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_domtrans_newrole',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 newrole_exec_t:file rx_file_perms;
|
|
allow $1 newrole_t:process transition;
|
|
type_transition $1 newrole_exec_t:process newrole_t;
|
|
dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };
|
|
|
|
allow $1 newrole_t:fd use;
|
|
allow newrole_t $1:fd use;
|
|
allow newrole_t $1:fifo_file rw_file_perms;
|
|
allow newrole_t $1:process sigchld;
|
|
')
|
|
|
|
define(`selinux_domtrans_newrole_depend',`
|
|
type newrole_t, newrole_exec_t;
|
|
|
|
class file rx_file_perms;
|
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <interface name="selinux_run_newrole">
|
|
## <description>
|
|
## Execute newrole in the newrole domain, and
|
|
## allow the specified role the newrole domain,
|
|
## and use the caller's terminal.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## <parameter name="role">
|
|
## The role to be allowed the newrole domain.
|
|
## </parameter>
|
|
## <parameter name="terminal">
|
|
## The type of the terminal allow the newrole domain to use.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_run_newrole',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
selinux_domtrans_newrole($1)
|
|
role $2 types newrole_t;
|
|
allow newrole_t $3:chr_file { getattr read write ioctl };
|
|
')
|
|
|
|
define(`selinux_run_newrole_depend',`
|
|
type newrole_t;
|
|
|
|
class chr_file { getattr read write ioctl };
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# selinux_exec_newrole(domain)
|
|
#
|
|
define(`selinux_exec_newrole',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
can_exec($1,newrole_exec_t)
|
|
')
|
|
|
|
define(`selinux_exec_newrole_depend',`
|
|
type newrole_t, newrole_exec_t;
|
|
|
|
class file { rx_file_perms execute_no_trans };
|
|
')
|
|
|
|
########################################
|
|
## <interface name="selinux_dontaudit_newrole_signal">
|
|
## <description>
|
|
## Do not audit the caller attempts to send
|
|
## a signal to newrole.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_dontaudit_newrole_signal',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
dontaudit $1 newrole_t:process signal;
|
|
')
|
|
|
|
define(`selinux_dontaudit_newrole_signal_depend',`
|
|
type newrole_t;
|
|
|
|
class process signal;
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# selinux_newrole_sigchld(domain)
|
|
#
|
|
define(`selinux_newrole_sigchld',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 newrole_t:process sigchld;
|
|
')
|
|
|
|
define(`selinux_newrole_sigchld_depend',`
|
|
type newrole_t;
|
|
|
|
class process sigchld;
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# selinux_use_newrole_fd(domain)
|
|
#
|
|
define(`selinux_use_newrole_fd',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 newrole_t:fd use;
|
|
')
|
|
|
|
define(`selinux_use_newrole_fd_depend',`
|
|
type newrole_t;
|
|
|
|
class fd use;
|
|
')
|
|
|
|
#######################################
|
|
## <interface name="selinux_domtrans_restorecon">
|
|
## <description>
|
|
## Execute restorecon in the restorecon domain.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_domtrans_restorecon',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 restorecon_exec_t:file rx_file_perms;
|
|
allow $1 restorecon_t:process transition;
|
|
type_transition $1 restorecon_exec_t:process restorecon_t;
|
|
dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };
|
|
|
|
allow $1 restorecon_t:fd use;
|
|
allow restorecon_t $1:fd use;
|
|
allow restorecon_t $1:fifo_file rw_file_perms;
|
|
allow restorecon_t $1:process sigchld;
|
|
')
|
|
|
|
define(`selinux_domtrans_restorecon_depend',`
|
|
type restorecon_t, restorecon_exec_t;
|
|
|
|
class file rx_file_perms;
|
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <interface name="selinux_run_restorecon">
|
|
## <description>
|
|
## Execute restorecon in the restorecon domain, and
|
|
## allow the specified role the restorecon domain,
|
|
## and use the caller's terminal.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## <parameter name="role">
|
|
## The role to be allowed the restorecon domain.
|
|
## </parameter>
|
|
## <parameter name="terminal">
|
|
## The type of the terminal allow the restorecon domain to use.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_run_restorecon',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
selinux_domtrans_restorecon($1)
|
|
role $2 types restorecon_t;
|
|
allow restorecon_t $3:chr_file { getattr read write ioctl };
|
|
')
|
|
|
|
define(`selinux_run_restorecon_depend',`
|
|
type restorecon_t;
|
|
|
|
class chr_file { getattr read write ioctl };
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# selinux_exec_restorecon(domain)
|
|
#
|
|
define(`selinux_exec_restorecon',`
|
|
requires_block_template(`$0'_depend)
|
|
can_exec($1,restorecon_exec_t)
|
|
')
|
|
|
|
define(`selinux_exec_restorecon_depend',`
|
|
type restorecon_t, restorecon_exec_t;
|
|
|
|
class file { rx_file_perms execute_no_trans };
|
|
')
|
|
|
|
########################################
|
|
## <interface name="selinux_domtrans_runinit">
|
|
## <description>
|
|
## Execute run_init in the run_init domain.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_domtrans_runinit',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 run_init_exec_t:file rx_file_perms;
|
|
allow $1 run_init_t:process transition;
|
|
type_transition $1 run_init_exec_t:process run_init_t;
|
|
dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };
|
|
|
|
allow $1 run_init_t:fd use;
|
|
allow run_init_t $1:fd use;
|
|
allow run_init_t $1:fifo_file rw_file_perms;
|
|
allow run_init_t $1:process sigchld;
|
|
')
|
|
|
|
define(`selinux_domtrans_runinit_depend',`
|
|
type run_init_t, run_init_exec_t;
|
|
|
|
class file rx_file_perms;
|
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <interface name="selinux_run_runinit">
|
|
## <description>
|
|
## Execute run_init in the run_init domain, and
|
|
## allow the specified role the run_init domain,
|
|
## and use the caller's terminal.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## <parameter name="role">
|
|
## The role to be allowed the run_init domain.
|
|
## </parameter>
|
|
## <parameter name="terminal">
|
|
## The type of the terminal allow the run_init domain to use.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_run_runinit',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
selinux_domtrans_runinit($1)
|
|
role $2 types run_init_t;
|
|
allow run_init_t $3:chr_file { getattr read write ioctl };
|
|
')
|
|
|
|
define(`selinux_run_runinit_depend',`
|
|
type run_init_t;
|
|
|
|
class chr_file { getattr read write ioctl };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# selinux_use_runinit_fd(domain)
|
|
#
|
|
define(`selinux_use_runinit_fd',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 run_init_t:fd use;
|
|
')
|
|
|
|
define(`selinux_use_runinit_fd_depend',`
|
|
type run_init_t;
|
|
|
|
class fd use;
|
|
')
|
|
|
|
########################################
|
|
## <interface name="selinux_domtrans_setfiles">
|
|
## <description>
|
|
## Execute setfiles in the setfiles domain.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_domtrans_setfiles',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 setfiles_exec_t:file rx_file_perms;
|
|
allow $1 setfiles_t:process transition;
|
|
type_transition $1 setfiles_exec_t:process setfiles_t;
|
|
dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };
|
|
|
|
allow $1 setfiles_t:fd use;
|
|
allow setfiles_t $1:fd use;
|
|
allow setfiles_t $1:fifo_file rw_file_perms;
|
|
allow setfiles_t $1:process sigchld;
|
|
')
|
|
|
|
define(`selinux_domtrans_setfiles_depend',`
|
|
type setfiles_t, setfiles_exec_t;
|
|
|
|
class file rx_file_perms;
|
|
class process { transition noatsecure siginh rlimitinh sigchld };
|
|
class fd use;
|
|
class fifo_file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <interface name="selinux_run_setfiles">
|
|
## <description>
|
|
## Execute setfiles in the setfiles domain, and
|
|
## allow the specified role the setfiles domain,
|
|
## and use the caller's terminal.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## <parameter name="role">
|
|
## The role to be allowed the setfiles domain.
|
|
## </parameter>
|
|
## <parameter name="terminal">
|
|
## The type of the terminal allow the setfiles domain to use.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_run_setfiles',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
selinux_domtrans_setfiles($1)
|
|
role $2 types setfiles_t;
|
|
allow setfiles_t $3:chr_file { getattr read write ioctl };
|
|
')
|
|
|
|
define(`selinux_run_setfiles_depend',`
|
|
type setfiles_t;
|
|
|
|
class chr_file { getattr read write ioctl };
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# selinux_exec_setfiles(domain)
|
|
#
|
|
define(`selinux_exec_setfiles',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
can_exec($1,setfiles_exec_t)
|
|
')
|
|
|
|
define(`selinux_exec_setfiles_depend',`
|
|
type setfiles_exec_t;
|
|
|
|
class file { rx_file_perms execute_no_trans };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# selinux_read_config(domain)
|
|
#
|
|
define(`selinux_read_config',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 selinux_config_t:dir r_dir_perms;
|
|
allow $1 selinux_config_t:file r_file_perms;
|
|
')
|
|
|
|
define(`selinux_read_config_depend',`
|
|
type selinux_config_t;
|
|
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# selinux_read_default_contexts(domain)
|
|
#
|
|
define(`selinux_read_default_contexts',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 selinux_config_t:dir search;
|
|
allow $1 default_context_t:dir r_dir_perms;
|
|
allow $1 default_context_t:file r_file_perms;
|
|
')
|
|
|
|
define(`selinux_read_default_contexts_depend',`
|
|
type selinux_config_t, default_context_t;
|
|
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# selinux_read_file_contexts(domain)
|
|
#
|
|
define(`selinux_read_file_contexts',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 selinux_config_t:dir search;
|
|
allow $1 file_context_t:dir r_dir_perms;
|
|
allow $1 file_context_t:file r_file_perms;
|
|
')
|
|
|
|
define(`selinux_read_file_contexts_depend',`
|
|
type selinux_config_t, file_context_t;
|
|
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# selinux_read_binary_pol(domain)
|
|
#
|
|
define(`selinux_read_binary_pol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 policy_config_t:dir r_dir_perms;
|
|
allow $1 policy_config_t:file r_file_perms;
|
|
')
|
|
|
|
define(`selinux_read_binary_pol_depend',`
|
|
type policy_config_t;
|
|
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# selinux_write_binary_pol(domain)
|
|
#
|
|
define(`selinux_write_binary_pol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 policy_config_t:dir rw_dir_perms;
|
|
allow $1 policy_config_t:file { getattr create write unlink };
|
|
typeattribute $1 can_write_binary_policy;
|
|
')
|
|
|
|
define(`selinux_write_binary_pol_depend',`
|
|
attribute can_write_binary_policy;
|
|
|
|
type policy_config_t;
|
|
|
|
class dir rw_dir_perms;
|
|
class file { getattr create write unlink };
|
|
')
|
|
|
|
########################################
|
|
## <interface name="selinux_relabelto_binary_pol">
|
|
## <description>
|
|
## Allow the caller to relabel a file to the binary policy type.
|
|
## </description>
|
|
## <parameter name="domain">
|
|
## The type of the process performing this action.
|
|
## </parameter>
|
|
## </interface>
|
|
#
|
|
define(`selinux_relabelto_binary_pol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
allow $1 policy_config_t:file relabelto;
|
|
typeattribute $1 can_relabelto_binary_policy;
|
|
')
|
|
|
|
define(`selinux_relabelto_binary_pol_depend',`
|
|
attribute can_relabelto_binary_policy;
|
|
|
|
type policy_config_t;
|
|
|
|
class file relabelto;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# selinux_manage_binary_pol(domain)
|
|
#
|
|
define(`selinux_manage_binary_pol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
# FIXME: search etc_t:dir
|
|
allow $1 selinux_config_t:dir search;
|
|
allow $1 policy_config_t:dir r_dir_perms;
|
|
allow $1 policy_config_t:file create_file_perms;
|
|
typeattribute $1 can_write_binary_policy;
|
|
')
|
|
|
|
define(`selinux_manage_binary_pol_depend',`
|
|
attribute can_write_binary_policy;
|
|
|
|
type selinux_config_t, policy_config_t;
|
|
class dir create_dir_perms;
|
|
class file create_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# selinux_read_src_pol(domain)
|
|
#
|
|
define(`selinux_read_src_pol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
# FIXME: search etc_t:dir
|
|
allow $1 selinux_config_t:dir search;
|
|
allow $1 policy_src_t:dir r_dir_perms;
|
|
allow $1 policy_src_t:file r_file_perms;
|
|
')
|
|
|
|
define(`selinux_read_src_pol_depend',`
|
|
type selinux_config_t, policy_src_t;
|
|
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# selinux_manage_src_pol(domain)
|
|
#
|
|
define(`selinux_manage_src_pol',`
|
|
requires_block_template(`$0'_depend)
|
|
|
|
# FIXME: search etc_t:dir
|
|
allow $1 selinux_config_t:dir search;
|
|
allow $1 policy_src_t:dir create_dir_perms;
|
|
allow $1 policy_src_t:file create_file_perms;
|
|
')
|
|
|
|
define(`selinux_manage_src_pol_depend',`
|
|
type selinux_config_t, policy_src_t;
|
|
|
|
class dir create_dir_perms;
|
|
class file create_file_perms;
|
|
')
|
|
|
|
## </module>
|