2426 lines
49 KiB
Plaintext
2426 lines
49 KiB
Plaintext
## <summary>
|
|
## Basic filesystem types and interfaces.
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
## This module contains basic filesystem types and interfaces. This
|
|
## includes:
|
|
## <ul>
|
|
## <li>The concept of different file types including basic
|
|
## files, mount points, tmp files, etc.</li>
|
|
## <li>Access to groups of files and all files.</li>
|
|
## <li>Types and interfaces for the basic filesystem layout
|
|
## (/, /etc, /tmp, /usr, etc.).</li>
|
|
## </ul>
|
|
## </p>
|
|
## </desc>
|
|
## <required val="true">
|
|
## Contains the concept of a file.
|
|
## Comains the file initial SID.
|
|
## </required>
|
|
|
|
########################################
|
|
#
|
|
# files_type(type)
|
|
#
|
|
interface(`files_type',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
')
|
|
|
|
fs_associate($1)
|
|
fs_associate_noxattr($1)
|
|
typeattribute $1 file_type;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_lock_file(type)
|
|
#
|
|
interface(`files_lock_file',`
|
|
gen_require(`
|
|
attribute lockfile;
|
|
')
|
|
|
|
files_type($1)
|
|
typeattribute $1 lockfile;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_mountpoint(type)
|
|
#
|
|
interface(`files_mountpoint',`
|
|
gen_require(`
|
|
attribute mountpoint;
|
|
')
|
|
|
|
files_type($1)
|
|
typeattribute $1 mountpoint;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_pid_file(type)
|
|
#
|
|
interface(`files_pid_file',`
|
|
gen_require(`
|
|
attribute pidfile;
|
|
')
|
|
|
|
files_type($1)
|
|
typeattribute $1 pidfile;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Make the specified type a file
|
|
## used for temporary files.
|
|
## </summary>
|
|
## <param name="file_type">
|
|
## Type of the file to be used as a
|
|
## temporary file.
|
|
## </param>
|
|
interface(`files_tmp_file',`
|
|
gen_require(`
|
|
attribute tmpfile;
|
|
')
|
|
|
|
files_type($1)
|
|
fs_associate_tmpfs($1)
|
|
typeattribute $1 tmpfile;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Transform the type into a file, for use on a
|
|
## virtual memory filesystem (tmpfs).
|
|
## </summary>
|
|
## <param name="type">
|
|
## The type to be transformed.
|
|
## </param>
|
|
#
|
|
interface(`files_tmpfs_file',`
|
|
gen_require(`
|
|
attribute tmpfsfile;
|
|
')
|
|
|
|
files_type($1)
|
|
fs_associate_tmpfs($1)
|
|
typeattribute $1 tmpfsfile;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of all directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_getattr_all_dirs',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir { getattr search };
|
|
')
|
|
|
|
allow $1 file_type:dir { getattr search };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the attributes
|
|
## of all directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain to not audit.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_getattr_all_dirs',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir getattr;
|
|
')
|
|
|
|
dontaudit $1 file_type:dir getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List the contents of all directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_list_all_dirs',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 file_type:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of all files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_getattr_all_files',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir search;
|
|
class file getattr;
|
|
')
|
|
|
|
allow $1 file_type:dir search;
|
|
allow $1 file_type:file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the attributes
|
|
## of all files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain to not audit.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_getattr_all_files',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class file getattr;
|
|
')
|
|
|
|
dontaudit $1 file_type:file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read all files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_all_files',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir search;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
allow $1 file_type:dir search;
|
|
allow $1 file_type:file r_file_perms;
|
|
|
|
optional_policy(`authlogin.te',`
|
|
auth_read_shadow($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of all symbolic links.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_getattr_all_symlinks',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir search;
|
|
class lnk_file getattr;
|
|
')
|
|
|
|
allow $1 file_type:dir search;
|
|
allow $1 file_type:lnk_file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the attributes
|
|
## of all symbolic links.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain to not audit.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_getattr_all_symlinks',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class lnk_file getattr;
|
|
')
|
|
|
|
dontaudit $1 file_type:lnk_file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read all symbolic links.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_all_symlinks',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir search;
|
|
class lnk_file { getattr read };
|
|
')
|
|
|
|
allow $1 file_type:dir search;
|
|
allow $1 file_type:lnk_file { getattr read };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of all named pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_getattr_all_pipes',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir search;
|
|
class fifo_file getattr;
|
|
')
|
|
|
|
allow $1 file_type:dir search;
|
|
allow $1 file_type:fifo_file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the attributes
|
|
## of all named pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain to not audit.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_getattr_all_pipes',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class fifo_file getattr;
|
|
')
|
|
|
|
dontaudit $1 file_type:fifo_file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of all named sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_getattr_all_sockets',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir search;
|
|
class sock_file getattr;
|
|
')
|
|
|
|
allow $1 file_type:dir search;
|
|
allow $1 file_type:sock_file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the attributes
|
|
## of all named sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain to not audit.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_getattr_all_sockets',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class sock_file getattr;
|
|
')
|
|
|
|
dontaudit $1 file_type:sock_file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Relabel all files on the filesystem, except
|
|
## the listed exceptions.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the domain perfoming this action.
|
|
## </param>
|
|
## <param name="exception_types" optional="true">
|
|
## The types to be excluded. Each type or attribute
|
|
## must be negated by the caller.
|
|
## </param>
|
|
#
|
|
interface(`files_relabel_all_files',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir { r_dir_perms relabelfrom relabelto };
|
|
class file { relabelfrom relabelto };
|
|
class lnk_file { relabelfrom relabelto };
|
|
class fifo_file { relabelfrom relabelto };
|
|
class sock_file { relabelfrom relabelto };
|
|
class blk_file relabelfrom;
|
|
class chr_file relabelfrom;
|
|
')
|
|
|
|
allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto };
|
|
allow $1 { file_type $2 }:file { getattr relabelfrom relabelto };
|
|
allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto };
|
|
allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto };
|
|
allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto };
|
|
allow $1 { file_type $2 }:blk_file { getattr relabelfrom };
|
|
allow $1 { file_type $2 }:chr_file { getattr relabelfrom };
|
|
|
|
# satisfy the assertions:
|
|
seutil_relabelto_binary_pol($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage all files on the filesystem, except
|
|
## the listed exceptions.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the domain perfoming this action.
|
|
## </param>
|
|
## <param name="exception_types" optional="true">
|
|
## The types to be excluded. Each type or attribute
|
|
## must be negated by the caller.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_all_files',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir create_dir_perms;
|
|
class file create_file_perms;
|
|
class lnk_file create_lnk_perms;
|
|
class fifo_file create_file_perms;
|
|
class sock_file create_file_perms;
|
|
')
|
|
|
|
allow $1 { file_type $2 }:dir create_dir_perms;
|
|
allow $1 { file_type $2 }:file create_file_perms;
|
|
allow $1 { file_type $2 }:lnk_file create_lnk_perms;
|
|
allow $1 { file_type $2 }:fifo_file create_file_perms;
|
|
allow $1 { file_type $2 }:sock_file create_file_perms;
|
|
|
|
# satisfy the assertions:
|
|
seutil_create_binary_pol($1)
|
|
bootloader_manage_kernel_modules($1)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_search_all_dirs(domain)
|
|
#
|
|
interface(`files_search_all_dirs',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 file_type:dir search;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_list_all_dirs(domain)
|
|
#
|
|
interface(`files_list_all_dirs',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 file_type:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_dontaudit_search_all_dirs(domain)
|
|
#
|
|
interface(`files_dontaudit_search_all_dirs',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class dir search;
|
|
')
|
|
|
|
dontaudit $1 file_type:dir search;
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# files_relabelto_all_file_type_fs(domain)
|
|
#
|
|
interface(`files_relabelto_all_file_type_fs',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class filesystem relabelto;
|
|
')
|
|
|
|
allow $1 file_type:filesystem relabelto;
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# files_mount_all_file_type_fs(domain)
|
|
#
|
|
interface(`files_mount_all_file_type_fs',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class filesystem mount;
|
|
')
|
|
|
|
allow $1 file_type:filesystem mount;
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# files_unmount_all_file_type_fs(domain)
|
|
#
|
|
interface(`files_unmount_all_file_type_fs',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class filesystem unmount;
|
|
')
|
|
|
|
allow $1 file_type:filesystem unmount;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_mounton_all_mountpoints(domain)
|
|
#
|
|
interface(`files_mounton_all_mountpoints',`
|
|
gen_require(`
|
|
attribute mountpoint;
|
|
class dir { getattr search mounton };
|
|
')
|
|
|
|
allow $1 mountpoint:dir { getattr search mounton };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_list_root(domain)
|
|
#
|
|
interface(`files_list_root',`
|
|
gen_require(`
|
|
type root_t;
|
|
class dir r_dir_perms;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 root_t:dir r_dir_perms;
|
|
allow $1 root_t:lnk_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create an object in the root directory, with a private
|
|
## type. If no object class is specified, the
|
|
## default is file.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
## <param name="private type" optional="true">
|
|
## The type of the object to be created. If no type
|
|
## is specified, the type of the root directory will
|
|
## be used.
|
|
## </param>
|
|
## <param name="object" optional="true">
|
|
## The object class of the object being created. If
|
|
## no class is specified, file will be used.
|
|
## </param>
|
|
#
|
|
interface(`files_create_root',`
|
|
gen_require(`
|
|
type root_t;
|
|
class dir create_dir_perms;
|
|
')
|
|
|
|
allow $1 root_t:dir rw_dir_perms;
|
|
|
|
ifelse(`$3',`',`
|
|
ifelse(`$2',`',`
|
|
allow $1 root_t:file create_file_perms;
|
|
',`
|
|
type_transition $1 root_t:file $2;
|
|
')
|
|
',`
|
|
ifelse(`$2',`',`
|
|
allow $1 root_t:$3 create_file_perms;
|
|
',`
|
|
type_transition $1 root_t:$3 $2;
|
|
')
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_dontaudit_read_root_file(domain)
|
|
#
|
|
interface(`files_dontaudit_read_root_file',`
|
|
gen_require(`
|
|
type root_t;
|
|
class file read;
|
|
')
|
|
|
|
dontaudit $1 root_t:file read;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_dontaudit_rw_root_file(domain)
|
|
#
|
|
interface(`files_dontaudit_rw_root_file',`
|
|
gen_require(`
|
|
type root_t;
|
|
class file { read write };
|
|
')
|
|
|
|
dontaudit $1 root_t:file { read write };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_dontaudit_rw_root_chr_dev(domain)
|
|
#
|
|
interface(`files_dontaudit_rw_root_chr_dev',`
|
|
gen_require(`
|
|
type root_t;
|
|
class chr_file { read write };
|
|
')
|
|
|
|
dontaudit $1 root_t:chr_file { read write };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_delete_root_dir_entry(domain)
|
|
#
|
|
interface(`files_delete_root_dir_entry',`
|
|
gen_require(`
|
|
type root_t;
|
|
class dir rw_dir_perms;
|
|
')
|
|
|
|
allow $1 root_t:dir rw_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_unmount_rootfs(domain)
|
|
#
|
|
interface(`files_unmount_rootfs',`
|
|
gen_require(`
|
|
type root_t;
|
|
class filesystem unmount;
|
|
')
|
|
|
|
allow $1 root_t:filesystem unmount;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the attributes of
|
|
## directories with the default file type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain to not audit.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_getattr_default_dir',`
|
|
gen_require(`
|
|
type default_t;
|
|
class dir getattr;
|
|
')
|
|
|
|
dontaudit $1 default_t:dir getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List contents of directories with the default file type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_list_default',`
|
|
gen_require(`
|
|
type default_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 default_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Mount a filesystem on a directory with the default file type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_mounton_default',`
|
|
gen_require(`
|
|
type default_t;
|
|
class dir { getattr search mounton };
|
|
')
|
|
|
|
allow $1 default_t:dir { getattr search mounton };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the attributes of
|
|
## files with the default file type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain to not audit.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_getattr_default_files',`
|
|
gen_require(`
|
|
type default_t;
|
|
class files getattr;
|
|
')
|
|
|
|
dontaudit $1 default_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read files with the default file type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_default_files',`
|
|
gen_require(`
|
|
type default_t;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
allow $1 default_t:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read symbolic links with the default file type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_default_symlinks',`
|
|
gen_require(`
|
|
type default_t;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 default_t:lnk_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read sockets with the default file type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_default_sockets',`
|
|
gen_require(`
|
|
type default_t;
|
|
class sock_file r_file_perms;
|
|
')
|
|
|
|
allow $1 default_t:sock_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read named pipes with the default file type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_default_pipes',`
|
|
gen_require(`
|
|
type default_t;
|
|
class fifo_file r_file_perms;
|
|
')
|
|
|
|
allow $1 default_t:fifo_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_search_etc(domain)
|
|
#
|
|
interface(`files_search_etc',`
|
|
gen_require(`
|
|
type etc_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 etc_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Set the attributes of the /etc directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_setattr_etc_dir',`
|
|
gen_require(`
|
|
type etc_t;
|
|
class dir setattr;
|
|
')
|
|
|
|
allow $1 etc_t:dir setattr;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_list_etc(domain)
|
|
#
|
|
interface(`files_list_etc',`
|
|
gen_require(`
|
|
type etc_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 etc_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_read_etc_files(domain)
|
|
#
|
|
interface(`files_read_etc_files',`
|
|
gen_require(`
|
|
type etc_t;
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 etc_t:dir r_dir_perms;
|
|
allow $1 etc_t:file r_file_perms;
|
|
allow $1 etc_t:lnk_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_rw_etc_files(domain)
|
|
#
|
|
interface(`files_rw_etc_files',`
|
|
gen_require(`
|
|
type etc_t;
|
|
class dir r_dir_perms;
|
|
class file rw_file_perms;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 etc_t:dir r_dir_perms;
|
|
allow $1 etc_t:file rw_file_perms;
|
|
allow $1 etc_t:lnk_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_manage_etc_files(domain)
|
|
#
|
|
interface(`files_manage_etc_files',`
|
|
gen_require(`
|
|
type etc_t;
|
|
class dir rw_dir_perms;
|
|
class file create_file_perms;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 etc_t:dir rw_dir_perms;
|
|
allow $1 etc_t:file create_file_perms;
|
|
allow $1 etc_t:lnk_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Delete system configuration files in /etc.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_delete_etc_files',`
|
|
gen_require(`
|
|
type etc_t;
|
|
class dir rw_dir_perms;
|
|
class file unlink;
|
|
')
|
|
|
|
allow $1 etc_t:dir rw_dir_perms;
|
|
allow $1 etc_t:file unlink;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_exec_etc_files(domain)
|
|
#
|
|
interface(`files_exec_etc_files',`
|
|
gen_require(`
|
|
type etc_t;
|
|
class dir r_dir_perms;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 etc_t:dir r_dir_perms;
|
|
allow $1 etc_t:lnk_file r_file_perms;
|
|
can_exec($1,etc_t)
|
|
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_create_boot_flag(domain)
|
|
#
|
|
# /halt, /.autofsck, etc
|
|
#
|
|
interface(`files_create_boot_flag',`
|
|
gen_require(`
|
|
type root_t, etc_runtime_t;
|
|
class dir rw_dir_perms;
|
|
class file { create read write setattr unlink};
|
|
')
|
|
|
|
allow $1 root_t:dir rw_dir_perms;
|
|
allow $1 etc_runtime_t:file { create read write setattr unlink };
|
|
type_transition $1 root_t:file etc_runtime_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read files in /etc that are dynamically
|
|
## created on boot, such as mtab.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_etc_runtime_files',`
|
|
gen_require(`
|
|
type etc_t, etc_runtime_t;
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
allow $1 etc_t:dir r_dir_perms;
|
|
allow $1 etc_runtime_t:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read files
|
|
## in /etc that are dynamically
|
|
## created on boot, such as mtab.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain to not audit.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_read_etc_runtime_files',`
|
|
gen_require(`
|
|
type etc_runtime_t;
|
|
class file { getattr read };
|
|
')
|
|
|
|
dontaudit $1 etc_runtime_t:file { getattr read };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write files in /etc that are dynamically
|
|
## created on boot, such as mtab.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_rw_etc_runtime_files',`
|
|
gen_require(`
|
|
type etc_t, etc_runtime_t;
|
|
class dir r_dir_perms;
|
|
class file rw_file_perms;
|
|
')
|
|
|
|
allow $1 etc_t:dir r_dir_perms;
|
|
allow $1 etc_runtime_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete files in
|
|
## /etc that are dynamically created on boot,
|
|
## such as mtab.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_etc_runtime_files',`
|
|
gen_require(`
|
|
type etc_t, etc_runtime_t;
|
|
class dir rw_dir_perms;
|
|
class file create_file_perms;
|
|
')
|
|
|
|
allow $1 etc_t:dir rw_dir_perms;
|
|
allow $1 etc_runtime_t:file create_file_perms;
|
|
type_transition $1 etc_t:file etc_runtime_t;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_create_etc_config(domain,privatetype,[class(es)])
|
|
#
|
|
interface(`files_create_etc_config',`
|
|
gen_require(`
|
|
type etc_t;
|
|
class dir rw_dir_perms;
|
|
')
|
|
|
|
allow $1 etc_t:dir rw_dir_perms;
|
|
ifelse(`$3',`',`
|
|
type_transition $1 etc_t:file $2;
|
|
',`
|
|
type_transition $1 etc_t:$3 $2;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to search directories on new filesystems
|
|
## that have not yet been labeled.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_search_isid_type_dir',`
|
|
gen_require(`
|
|
type file_t;
|
|
class dir search;
|
|
')
|
|
|
|
dontaudit $1 file_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List the contents of directories on new filesystems
|
|
## that have not yet been labeled.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_list_isid_type_dir',`
|
|
gen_require(`
|
|
type file_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 file_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write directories on new filesystems
|
|
## that have not yet been labeled.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_rw_isid_type_dir',`
|
|
gen_require(`
|
|
type file_t;
|
|
class dir rw_dir_perms;
|
|
')
|
|
|
|
allow $1 file_t:dir rw_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete directories
|
|
## on new filesystems that have not yet been labeled.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_isid_type_dir',`
|
|
gen_require(`
|
|
type file_t;
|
|
class dir create_dir_perms;
|
|
')
|
|
|
|
allow $1 file_t:dir create_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Mount a filesystem on a directory on new filesystems
|
|
## that has not yet been labeled.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_mounton_isid_type_dir',`
|
|
gen_require(`
|
|
type file_t;
|
|
class dir { getattr search mounton };
|
|
')
|
|
|
|
allow $1 file_t:dir { getattr search mounton };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read files on new filesystems
|
|
## that have not yet been labeled.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_read_isid_type_file',`
|
|
gen_require(`
|
|
type file_t;
|
|
class dir search;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
allow $1 file_t:dir search;
|
|
allow $1 file_t:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete files
|
|
## on new filesystems that have not yet been labeled.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_isid_type_file',`
|
|
gen_require(`
|
|
type file_t;
|
|
class dir rw_dir_perms;
|
|
class file create_file_perms;
|
|
')
|
|
|
|
allow $1 file_t:dir rw_dir_perms;
|
|
allow $1 file_t:file create_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete symbolic links
|
|
## on new filesystems that have not yet been labeled.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_isid_type_symlink',`
|
|
gen_require(`
|
|
type file_t;
|
|
class dir rw_dir_perms;
|
|
class lnk_file create_lnk_perms;
|
|
')
|
|
|
|
allow $1 file_t:dir rw_dir_perms;
|
|
allow $1 file_t:lnk_file create_lnk_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read and write block device nodes on new filesystems
|
|
## that have not yet been labeled.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_rw_isid_type_blk_node',`
|
|
gen_require(`
|
|
type file_t;
|
|
class dir search;
|
|
class blk_file rw_file_perms;
|
|
')
|
|
|
|
allow $1 file_t:dir search;
|
|
allow $1 file_t:blk_file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete block device nodes
|
|
## on new filesystems that have not yet been labeled.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_isid_type_blk_node',`
|
|
gen_require(`
|
|
type file_t;
|
|
class dir rw_dir_perms;
|
|
class blk_file create_file_perms;
|
|
')
|
|
|
|
allow $1 file_t:dir rw_dir_perms;
|
|
allow $1 file_t:blk_file create_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete character device nodes
|
|
## on new filesystems that have not yet been labeled.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_isid_type_chr_node',`
|
|
gen_require(`
|
|
type file_t;
|
|
class dir rw_dir_perms;
|
|
class chr_file create_file_perms;
|
|
')
|
|
|
|
allow $1 file_t:dir rw_dir_perms;
|
|
allow $1 file_t:chr_file create_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the
|
|
## attributes of the home directories root
|
|
## (/home).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_getattr_home_dir',`
|
|
gen_require(`
|
|
type home_root_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 home_root_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search home directories root (/home).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_search_home',`
|
|
gen_require(`
|
|
type home_root_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 home_root_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to search
|
|
## home directories root (/home).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain to not audit.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_search_home',`
|
|
gen_require(`
|
|
type home_root_t;
|
|
class dir search;
|
|
')
|
|
|
|
dontaudit $1 home_root_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get listing of home directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_list_home',`
|
|
gen_require(`
|
|
type home_root_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 home_root_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create home directories
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
## <param name="home_type">
|
|
## The type of the home directory
|
|
## </param>
|
|
#
|
|
interface(`files_create_home_dirs',`
|
|
gen_require(`
|
|
type home_root_t;
|
|
class dir rw_dir_perms;
|
|
')
|
|
|
|
allow $1 home_root_t:dir rw_dir_perms;
|
|
type_transition $1 home_root_t:dir $2;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete objects in
|
|
## lost+found directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_lost_found',`
|
|
gen_require(`
|
|
type lost_found_t;
|
|
class dir create_dir_perms;
|
|
class file create_file_perms;
|
|
class sock_file create_file_perms;
|
|
class fifo_file create_file_perms;
|
|
class lnk_file create_lnk_perms;
|
|
')
|
|
|
|
allow $1 lost_found_t:dir create_dir_perms;
|
|
allow $1 lost_found_t:file create_file_perms;
|
|
allow $1 lost_found_t:sock_file create_file_perms;
|
|
allow $1 lost_found_t:fifo_file create_file_perms;
|
|
allow $1 lost_found_t:lnk_file create_lnk_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_search_mnt(domain)
|
|
#
|
|
interface(`files_search_mnt',`
|
|
gen_require(`
|
|
type mnt_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 mnt_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_list_mnt(domain)
|
|
#
|
|
interface(`files_list_mnt',`
|
|
gen_require(`
|
|
type mnt_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 mnt_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Mount a filesystem on /mnt.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_mounton_mnt',`
|
|
gen_require(`
|
|
type mnt_t;
|
|
class dir { search mounton };
|
|
')
|
|
|
|
allow $1 mnt_t:dir { search mounton };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete directories in /mnt.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_mnt_dirs',`
|
|
gen_require(`
|
|
type mnt_t;
|
|
class dir create_dir_perms;
|
|
')
|
|
|
|
allow $1 mnt_t:dir create_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete files in /mnt.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_mnt_files',`
|
|
gen_require(`
|
|
type mnt_t;
|
|
class dir rw_dir_perms;
|
|
class file create_file_perms;
|
|
')
|
|
|
|
allow $1 mnt_t:dir rw_dir_perms;
|
|
allow $1 mnt_t:file create_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete symbolic links in /mnt.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_mnt_symlinks',`
|
|
gen_require(`
|
|
type mnt_t;
|
|
class dir rw_dir_perms;
|
|
class lnk_file create_lnk_perms;
|
|
')
|
|
|
|
allow $1 mnt_t:dir rw_dir_perms;
|
|
allow $1 mnt_t:lnk_file create_lnk_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List world-readable directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_list_world_readable',`
|
|
gen_require(`
|
|
type readable_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 readable_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read world-readable files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_world_readable_files',`
|
|
gen_require(`
|
|
type readable_t;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
allow $1 readable_t:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read world-readable symbolic links.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_world_readable_symlinks',`
|
|
gen_require(`
|
|
type readable_t;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 readable_t:lnk_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read world-readable named pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_world_readable_pipes',`
|
|
gen_require(`
|
|
type readable_t;
|
|
class fifo_file r_file_perms;
|
|
')
|
|
|
|
allow $1 readable_t:fifo_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read world-readable sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_world_readable_sockets',`
|
|
gen_require(`
|
|
type readable_t;
|
|
class sock_file r_file_perms;
|
|
')
|
|
|
|
allow $1 readable_t:sock_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the
|
|
## attributes of the tmp directory (/tmp).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_getattr_tmp_dir',`
|
|
gen_require(`
|
|
type tmp_t;
|
|
class dir getattr;
|
|
')
|
|
|
|
dontaudit $1 tmp_t:dir getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search the tmp directory (/tmp).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_search_tmp',`
|
|
gen_require(`
|
|
type tmp_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 tmp_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Set the attributes of all tmp directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_setattr_all_tmp_dirs',`
|
|
gen_require(`
|
|
attribute tmpfile;
|
|
class dir { search setattr };
|
|
')
|
|
|
|
allow $1 tmpfile:dir { search getattr };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_create_tmp_files(domain,private_type,[object class(es)])
|
|
#
|
|
interface(`files_create_tmp_files',`
|
|
gen_require(`
|
|
type tmp_t;
|
|
class dir rw_dir_perms;
|
|
')
|
|
|
|
allow $1 tmp_t:dir rw_dir_perms;
|
|
|
|
ifelse(`$3',`',`
|
|
type_transition $1 tmp_t:file $2;
|
|
',`
|
|
type_transition $1 tmp_t:$3 $2;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_purge_tmp(domain)
|
|
#
|
|
interface(`files_purge_tmp',`
|
|
gen_require(`
|
|
attribute tmpfile;
|
|
class dir { rw_dir_perms rmdir };
|
|
gen_require_set({ getattr unlink },notdevfile_class_set)
|
|
')
|
|
|
|
allow $1 tmpfile:dir { rw_dir_perms rmdir };
|
|
allow $1 tmpfile:notdevfile_class_set { getattr unlink };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_search_usr(domain)
|
|
#
|
|
interface(`files_search_usr',`
|
|
gen_require(`
|
|
type usr_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 usr_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List the contents of generic
|
|
## directories in /usr.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_list_usr',`
|
|
gen_require(`
|
|
type usr_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 usr_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of files in /usr.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_getattr_usr_files',`
|
|
gen_require(`
|
|
type usr_t;
|
|
class dir search;
|
|
class file getattr;
|
|
')
|
|
|
|
allow $1 usr_t:dir search;
|
|
allow $1 usr_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_read_usr_files(domain)
|
|
#
|
|
interface(`files_read_usr_files',`
|
|
gen_require(`
|
|
type usr_t;
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 usr_t:dir r_dir_perms;
|
|
allow $1 usr_t:{ file lnk_file } r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Relabel a file to the type used in /usr.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_relabelto_usr_files',`
|
|
gen_require(`
|
|
type usr_t;
|
|
class file relabelto;
|
|
')
|
|
|
|
allow $1 usr_t:file relabelto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read symbolic links in /usr.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_usr_symlinks',`
|
|
gen_require(`
|
|
type usr_t;
|
|
class dir search;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
allow $1 usr_t:dir search;
|
|
allow $1 usr_t:lnk_file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create objects in the /usr directory
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
## <param name="file_type">
|
|
## The type of the object to be created
|
|
## </param>
|
|
## <param name="object_class" optional="true">
|
|
## The object class. If not specified, file is used.
|
|
## </param>
|
|
#
|
|
interface(`files_create_usr',`
|
|
gen_require(`
|
|
type usr_t;
|
|
class dir rw_dir_perms;
|
|
')
|
|
|
|
allow $1 usr_t:dir rw_dir_perms;
|
|
|
|
ifelse(`$3',`',`
|
|
type_transition $1 usr_t:file $2;
|
|
',`
|
|
type_transition $1 usr_t:$3 $2;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute programs in /usr/src in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_exec_usr_files',`
|
|
gen_require(`
|
|
type usr_t, src_t;
|
|
class dir r_dir_perms;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 usr_t:dir search;
|
|
allow $1 src_t:dir r_dir_perms;
|
|
allow $1 src_t:lnk_file r_file_perms;
|
|
can_exec($1,src_t)
|
|
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_read_usr_src_files(domain)
|
|
#
|
|
interface(`files_read_usr_src_files',`
|
|
gen_require(`
|
|
type usr_t, src_t;
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
class lnk_file r_file_perms;
|
|
')
|
|
|
|
allow $1 usr_t:dir search;
|
|
allow $1 src_t:dir r_dir_perms;
|
|
allow $1 src_t:{ file lnk_file } r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_search_var(domain)
|
|
#
|
|
interface(`files_search_var',`
|
|
gen_require(`
|
|
type var_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_dontaudit_search_var(domain)
|
|
#
|
|
interface(`files_dontaudit_search_var',`
|
|
gen_require(`
|
|
type var_t;
|
|
class dir search;
|
|
')
|
|
|
|
dontaudit $1 var_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete directories
|
|
## in the /var directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_var_dirs',`
|
|
gen_require(`
|
|
type var_t;
|
|
class dir create_dir_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir create_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read files in the /var directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_read_var_files',`
|
|
gen_require(`
|
|
type var_t;
|
|
class dir search;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_t:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete files in the /var directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_var_files',`
|
|
gen_require(`
|
|
type var_t;
|
|
class dir rw_dir_perms;
|
|
class file create_file_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir rw_dir_perms;
|
|
allow $1 var_t:file create_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read symbolic links in the /var directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_var_symlink',`
|
|
gen_require(`
|
|
type var_t;
|
|
class dir search;
|
|
class lnk_file { getattr read };
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_t:lnk_file { getattr read };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete symbolic
|
|
## links in the /var directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_manage_var_symlinks',`
|
|
gen_require(`
|
|
type var_t;
|
|
class dir rw_dir_perms;
|
|
class lnk_file create_lnk_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir rw_dir_perms;
|
|
allow $1 var_t:lnk_file create_lnk_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create objects in the /var directory
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
## <param name="file_type">
|
|
## The type of the object to be created
|
|
## </param>
|
|
## <param name="object_class" optional="true">
|
|
## The object class. If not specified, file is used.
|
|
## </param>
|
|
#
|
|
interface(`files_create_var',`
|
|
gen_require(`
|
|
type var_t;
|
|
class dir rw_dir_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir rw_dir_perms;
|
|
|
|
ifelse(`$3',`',`
|
|
type_transition $1 var_t:file $2;
|
|
',`
|
|
type_transition $1 var_t:$3 $2;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Get the attributes of the /var/lib directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_getattr_var_lib_dir',`
|
|
gen_require(`
|
|
type var_t, var_lib_t;
|
|
class dir getattr;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_lib_t:dir getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search the /var/lib directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_search_var_lib',`
|
|
gen_require(`
|
|
type var_t, var_lib_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 { var_t var_lib_t }:dir search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## List the contents of the /var/lib directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_list_var_lib',`
|
|
gen_require(`
|
|
type var_t, var_lib_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_lib_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create objects in the /var/lib directory
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
## <param name="file_type">
|
|
## The type of the object to be created
|
|
## </param>
|
|
## <param name="object_class" optional="true">
|
|
## The object class. If not specified, file is used.
|
|
## </param>
|
|
#
|
|
interface(`files_create_var_lib',`
|
|
gen_require(`
|
|
type var_t, var_lib_t;
|
|
class dir rw_dir_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_lib_t:dir rw_dir_perms;
|
|
|
|
ifelse(`$3',`',`
|
|
type_transition $1 var_lib_t:file $2;
|
|
',`
|
|
type_transition $1 var_lib_t:$3 $2;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read generic files in /var/lib
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_read_var_lib_files',`
|
|
gen_require(`
|
|
type var_t, var_lib_t;
|
|
class dir search;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
allow $1 { var_t var_lib_t }:dir search;
|
|
allow $1 var_lib_t:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_manage_urandom_seed(domain)
|
|
#
|
|
interface(`files_manage_urandom_seed',`
|
|
gen_require(`
|
|
type var_t, var_lib_t;
|
|
class dir rw_file_perms;
|
|
class file { getattr create read write setattr unlink };
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_lib_t:dir rw_dir_perms;
|
|
allow $1 var_lib_t:file { getattr create read write setattr unlink };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_search_locks(domain)
|
|
#
|
|
interface(`files_search_locks',`
|
|
gen_require(`
|
|
type var_t;
|
|
type var_lock_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 { var_t var_lock_t }:dir search;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to search the
|
|
## locks directory (/var/lock).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain to not audit.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_search_locks',`
|
|
gen_require(`
|
|
type var_lock_t;
|
|
class dir search;
|
|
')
|
|
|
|
dontaudit $1 var_lock_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_getattr_generic_locks(domain)
|
|
#
|
|
interface(`files_getattr_generic_locks',`
|
|
gen_require(`
|
|
type var_t;
|
|
type var_lock_t;
|
|
class dir r_dir_perms;
|
|
class file getattr;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_lock_t:dir r_dir_perms;
|
|
allow $1 var_lock_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_manage_generic_locks(domain)
|
|
#
|
|
interface(`files_manage_generic_locks',`
|
|
gen_require(`
|
|
type var_lock_t;
|
|
class dir { getattr search create read write setattr add_name remove_name rmdir };
|
|
class file { getattr create read write setattr unlink };
|
|
')
|
|
|
|
allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
|
|
allow $1 var_lock_t:file { getattr create read write setattr unlink };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_delete_all_locks(domain)
|
|
#
|
|
interface(`files_delete_all_locks',`
|
|
gen_require(`
|
|
attribute lockfile;
|
|
class dir rw_dir_perms;
|
|
class file { getattr unlink };
|
|
')
|
|
|
|
allow $1 lockfile:dir rw_dir_perms;
|
|
allow $1 lockfile:file { getattr unlink };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_create_lock(domain,private_type,[object class(es)])
|
|
#
|
|
interface(`files_create_lock',`
|
|
gen_require(`
|
|
type var_t, var_lock_t;
|
|
class dir rw_dir_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_lock_t:dir rw_dir_perms;
|
|
|
|
ifelse(`$3',`',`
|
|
type_transition $1 var_lock_t:file $2;
|
|
',`
|
|
type_transition $1 var_lock_t:$3 $2;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to get the attributes
|
|
## of the /var/run directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain to not audit.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_getattr_pid_dir',`
|
|
gen_require(`
|
|
type var_run_t;
|
|
class dir getattr;
|
|
')
|
|
|
|
dontaudit $1 var_run_t:dir getattr;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_search_pids(domain)
|
|
#
|
|
interface(`files_search_pids',`
|
|
gen_require(`
|
|
type var_t, var_run_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_run_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_dontaudit_search_pids(domain)
|
|
#
|
|
interface(`files_dontaudit_search_pids',`
|
|
gen_require(`
|
|
type var_run_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 var_run_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_list_pids(domain)
|
|
#
|
|
interface(`files_list_pids',`
|
|
gen_require(`
|
|
type var_t, var_run_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_run_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_create_pid(domain,pidfile,[object class(es)])
|
|
#
|
|
interface(`files_create_pid',`
|
|
gen_require(`
|
|
type var_t, var_run_t;
|
|
class dir rw_dir_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_run_t:dir rw_dir_perms;
|
|
|
|
ifelse(`$3',`',`
|
|
type_transition $1 var_run_t:file $2;
|
|
',`
|
|
type_transition $1 var_run_t:$3 $2;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_rw_generic_pids(domain)
|
|
#
|
|
interface(`files_rw_generic_pids',`
|
|
gen_require(`
|
|
type var_t, var_run_t;
|
|
class dir r_dir_perms;
|
|
class file rw_file_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_run_t:dir r_dir_perms;
|
|
allow $1 var_run_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to write to daemon runtime data files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_write_all_pids',`
|
|
gen_require(`
|
|
attribute pidfile;
|
|
class file write;
|
|
')
|
|
|
|
dontaudit $1 pidfile:file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to ioctl daemon runtime data files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## The type of the process performing this action.
|
|
## </param>
|
|
#
|
|
interface(`files_dontaudit_ioctl_all_pids',`
|
|
gen_require(`
|
|
attribute pidfile;
|
|
class file ioctl;
|
|
')
|
|
|
|
dontaudit $1 pidfile:file ioctl;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_read_all_pids(domain)
|
|
#
|
|
interface(`files_read_all_pids',`
|
|
gen_require(`
|
|
attribute pidfile;
|
|
type var_t;
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 pidfile:dir r_dir_perms;
|
|
allow $1 pidfile:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_delete_all_pids(domain)
|
|
#
|
|
interface(`files_delete_all_pids',`
|
|
gen_require(`
|
|
attribute pidfile;
|
|
type var_t, var_run_t;
|
|
class dir rw_dir_perms;
|
|
class file { getattr unlink };
|
|
class lnk_file { getattr unlink };
|
|
class sock_file { getattr unlink };
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink };
|
|
allow $1 var_run_t:dir rmdir;
|
|
allow $1 pidfile:dir rw_dir_perms;
|
|
allow $1 pidfile:file { getattr unlink };
|
|
allow $1 pidfile:sock_file { getattr unlink };
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_search_spool(domain)
|
|
#
|
|
interface(`files_search_spool',`
|
|
gen_require(`
|
|
type var_t, var_spool_t;
|
|
class dir search;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_spool_t:dir search;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_list_spool(domain)
|
|
#
|
|
interface(`files_list_spool',`
|
|
gen_require(`
|
|
type var_t, var_spool_t;
|
|
class dir r_dir_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_spool_t:dir r_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_manage_generic_spool_dirs(domain)
|
|
#
|
|
interface(`files_manage_generic_spool_dirs',`
|
|
gen_require(`
|
|
type var_t, var_spool_t;
|
|
class dir create_dir_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_spool_t:dir create_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_read_generic_spools(domain)
|
|
#
|
|
interface(`files_read_generic_spools',`
|
|
gen_require(`
|
|
type var_t, var_spool_t;
|
|
class dir r_dir_perms;
|
|
class file r_file_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_spool_t:dir r_dir_perms;
|
|
allow $1 var_spool_t:file r_file_perms;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# files_manage_generic_spools(domain)
|
|
#
|
|
interface(`files_manage_generic_spools',`
|
|
gen_require(`
|
|
type var_t, var_spool_t;
|
|
class dir rw_dir_perms;
|
|
class file create_file_perms;
|
|
')
|
|
|
|
allow $1 var_t:dir search;
|
|
allow $1 var_spool_t:dir rw_dir_perms;
|
|
allow $1 var_spool_t:file create_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Unconfined access to files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## Domain allowed access.
|
|
## </param>
|
|
#
|
|
interface(`files_unconfined',`
|
|
gen_require(`
|
|
attribute file_type;
|
|
class unix_stream_socket name_bind;
|
|
class unix_dgram_socket name_bind;
|
|
')
|
|
|
|
# Create/access any file in a labeled filesystem;
|
|
allow $1 file_type:{ file chr_file } ~execmod;
|
|
allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
|
|
|
|
# Mount/unmount any filesystem with the context= option.
|
|
allow $1 file_type:filesystem *;
|
|
|
|
# Bind to any network address.
|
|
# cjp: need to check this, I dont think this has any effect.
|
|
allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
|
|
')
|