selinux-policy/policy/modules/kernel/mls.if
2006-09-15 19:05:03 +00:00

454 lines
8.5 KiB
Plaintext

## <summary>Multilevel security policy</summary>
## <desc>
## <p>
## This module contains interfaces for handling multilevel
## security. The interfaces allow the specified subjects
## and objects to be allowed certain privileges in the
## MLS rules.
## </p>
## </desc>
## <required val="true">
## Contains attributes used in MLS policy.
## </required>
########################################
## <summary>
## Make specified domain MLS trusted
## for reading from files at higher levels.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mls_file_read_up',`
gen_require(`
attribute mlsfileread;
')
typeattribute $1 mlsfileread;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for writing to files at lower levels.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mls_file_write_down',`
gen_require(`
attribute mlsfilewrite;
')
typeattribute $1 mlsfilewrite;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for raising the level of files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mls_file_upgrade',`
gen_require(`
attribute mlsfileupgrade;
')
typeattribute $1 mlsfileupgrade;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for lowering the level of files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`mls_file_downgrade',`
gen_require(`
attribute mlsfiledowngrade;
')
typeattribute $1 mlsfiledowngrade;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for reading from sockets at any level.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_socket_read_all_levels',`
gen_require(`
attribute mlsnetread;
')
typeattribute $1 mlsnetread;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for reading from sockets at any level
## that is dominated by the process clearance.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_socket_read_to_clearance',`
gen_require(`
attribute mlsnetreadtoclr;
')
typeattribute $1 mlsnetreadtoclr;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for writing to sockets at any level.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_socket_write_all_levels',`
gen_require(`
attribute mlsnetwrite;
')
typeattribute $1 mlsnetwrite;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for receiving network data from
## network interfaces or hosts at any level.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_net_receive_all_levels',`
gen_require(`
attribute mlsnetrecvall;
')
typeattribute $1 mlsnetrecvall;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for reading from System V IPC objects
## at any level.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_sysvipc_read_all_levels',`
gen_require(`
attribute mlsipcread;
')
typeattribute $1 mlsipcread;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for writing to System V IPC objects
## at any level.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_sysvipc_write_all_levels',`
gen_require(`
attribute mlsipcwrite;
')
typeattribute $1 mlsipcwrite;
')
########################################
## <summary>
## Allow the specified domain to do a MLS
## range transition that changes
## the current level.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_rangetrans_source',`
gen_require(`
attribute privrangetrans;
')
typeattribute $1 privrangetrans;
')
########################################
## <summary>
## Make specified domain a target domain
## for MLS range transitions that change
## the current level.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_rangetrans_target',`
gen_require(`
attribute mlsrangetrans;
')
typeattribute $1 mlsrangetrans;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for reading from processes at higher levels.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_process_read_up',`
gen_require(`
attribute mlsprocread;
')
typeattribute $1 mlsprocread;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for writing to processes at lower levels.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_process_write_down',`
gen_require(`
attribute mlsprocwrite;
')
typeattribute $1 mlsprocwrite;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for setting the level of processes
## it executes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_process_set_level',`
gen_require(`
attribute mlsprocsetsl;
')
typeattribute $1 mlsprocsetsl;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for reading from X objects at any level.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_xwin_read_all_levels',`
gen_require(`
attribute mlsxwinread;
')
typeattribute $1 mlsxwinread;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for writing to X objects at any level.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_xwin_write_all_levels',`
gen_require(`
attribute mlsxwinwrite;
')
typeattribute $1 mlsxwinwrite;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for reading from X colormaps at any level.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_colormap_read_all_levels',`
gen_require(`
attribute mlsxwinreadcolormap;
')
typeattribute $1 mlsxwinreadcolormap;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for writing to X colormaps at any level.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_colormap_write_all_levels',`
gen_require(`
attribute mlsxwinwritecolormap;
')
typeattribute $1 mlsxwinwritecolormap;
')
########################################
## <summary>
## Make specified object MLS trusted.
## </summary>
## <desc>
## <p>
## Make specified object MLS trusted. This
## allows all levels to read and write the
## object.
## </p>
## <p>
## This currently only applies to filesystem
## objects, for example, files and directories.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the object.
## </summary>
## </param>
#
interface(`mls_trusted_object',`
gen_require(`
attribute mlstrustedobject;
')
typeattribute $1 mlstrustedobject;
')
########################################
## <summary>
## Make the specified domain trusted
## to inherit and use file descriptors
## from all levels.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_fd_use_all_levels',`
gen_require(`
attribute mlsfduse;
')
typeattribute $1 mlsfduse;
')
########################################
## <summary>
## Make the file descriptors from the
## specifed domain inheritable by
## all levels.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mls_fd_share_all_levels',`
gen_require(`
attribute mlsfdshare;
')
typeattribute $1 mlsfdshare;
')