selinux-policy/refpolicy/policy/modules/kernel/mls.if

217 lines
4.3 KiB
Plaintext

## <summary>Multilevel security policy</summary>
## <desc>
## <p>
## This module contains interfaces for handling multilevel
## security. The interfaces allow the specified subjects
## and objects to be allowed certain privileges in the
## MLS rules.
## </p>
## </desc>
## <required val="true">
## Contains attributes used in MLS policy.
## </required>
########################################
## <summary>
## Make specified domain MLS trusted
## for reading from files at higher levels.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`mls_file_read_up',`
gen_require(`
attribute mlsfileread;
')
typeattribute $1 mlsfileread;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for writing to files at lower levels.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`mls_file_write_down',`
gen_require(`
attribute mlsfilewrite;
')
typeattribute $1 mlsfilewrite;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for raising the level of files.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`mls_file_upgrade',`
gen_require(`
attribute mlsfileupgrade;
')
typeattribute $1 mlsfileupgrade;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for lowering the level of files.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`mls_file_downgrade',`
gen_require(`
attribute mlsfiledowngrade;
')
typeattribute $1 mlsfiledowngrade;
')
########################################
## <summary>
## Allow the specified domain to do a MLS
## range transition that changes
## the current level.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`mls_rangetrans_source',`
gen_require(`
attribute privrangetrans;
')
typeattribute $1 privrangetrans;
')
########################################
## <summary>
## Make specified domain a target domain
## for MLS range transitions that change
## the current level.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`mls_rangetrans_target',`
gen_require(`
attribute mlsrangetrans;
')
typeattribute $1 mlsrangetrans;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for reading from processes at higher levels.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`mls_process_read_up',`
gen_require(`
attribute mlsprocread;
')
typeattribute $1 mlsprocread;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for writing to processes at lower levels.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`mls_process_write_down',`
gen_require(`
attribute mlsprocwrite;
')
typeattribute $1 mlsprocwrite;
')
########################################
## <summary>
## Make specified domain MLS trusted
## for setting the level of processes
## it executes.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`mls_process_set_level',`
gen_require(`
attribute mlsprocsetsl;
')
typeattribute $1 mlsprocsetsl;
')
########################################
## <summary>
## Make specified object MLS trusted.
## </summary>
## <desc>
## <p>
## Make specified object MLS trusted. This
## allows all levels to read and write the
## object.
## </p>
## <p>
## This currently only applies to filesystem
## objects, for example, files and directories.
## </p>
## </desc>
## <param name="domain">
## <summary>
## The type of the object.
## </summary>
## </param>
#
interface(`mls_trusted_object',`
gen_require(`
attribute mlstrustedobject;
')
typeattribute $1 mlstrustedobject;
')