selinux-policy/policy/modules/system/miscfiles.if
2009-11-24 11:11:38 -05:00

590 lines
12 KiB
Plaintext

## <summary>Miscelaneous files.</summary>
########################################
## <summary>
## Read system SSL certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_certs',`
gen_require(`
type cert_t;
')
allow $1 cert_t:dir list_dir_perms;
read_files_pattern($1, cert_t, cert_t)
read_lnk_files_pattern($1, cert_t, cert_t)
')
########################################
## <summary>
## manange system SSL certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_cert_dirs',`
gen_require(`
type cert_t;
')
manage_dirs_pattern($1, cert_t, cert_t)
')
########################################
## <summary>
## manange system SSL certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_cert_files',`
gen_require(`
type cert_t;
')
manage_files_pattern($1, cert_t, cert_t)
read_lnk_files_pattern($1, cert_t, cert_t)
')
########################################
## <summary>
## Read fonts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_fonts',`
gen_require(`
type fonts_t;
')
# cjp: fonts can be in either of these dirs
files_search_usr($1)
libs_search_lib($1)
allow $1 fonts_t:dir list_dir_perms;
read_files_pattern($1, fonts_t, fonts_t)
read_lnk_files_pattern($1, fonts_t, fonts_t)
')
########################################
## <summary>
## Set the attributes on a fonts directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_setattr_fonts_dirs',`
gen_require(`
type fonts_t;
')
allow $1 fonts_t:dir setattr;
')
########################################
## <summary>
## Do not audit attempts to set the attributes
## on a fonts directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_dontaudit_setattr_fonts_dirs',`
gen_require(`
type fonts_t;
')
dontaudit $1 fonts_t:dir setattr;
')
########################################
## <summary>
## Do not audit attempts to write fonts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_dontaudit_write_fonts',`
gen_require(`
type fonts_t;
')
dontaudit $1 fonts_t:dir { write setattr };
dontaudit $1 fonts_t:file write;
')
########################################
## <summary>
## Create, read, write, and delete fonts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_fonts',`
gen_require(`
type fonts_t;
')
# cjp: fonts can be in either of these dirs
files_search_usr($1)
libs_search_lib($1)
manage_dirs_pattern($1, fonts_t, fonts_t)
manage_files_pattern($1, fonts_t, fonts_t)
manage_lnk_files_pattern($1, fonts_t, fonts_t)
')
########################################
## <summary>
## Read hardware identification data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_read_hwdata',`
gen_require(`
type hwdata_t;
')
allow $1 hwdata_t:dir list_dir_perms;
read_files_pattern($1, hwdata_t, hwdata_t)
read_lnk_files_pattern($1, hwdata_t, hwdata_t)
')
########################################
## <summary>
## Allow process to setattr localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_setattr_localization',`
gen_require(`
type locale_t;
')
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
allow $1 locale_t:file setattr;
')
########################################
## <summary>
## Allow process to read localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_read_localization',`
gen_require(`
type locale_t;
')
files_read_etc_symlinks($1)
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
read_files_pattern($1, locale_t, locale_t)
read_lnk_files_pattern($1, locale_t, locale_t)
# why?
libs_read_lib_files($1)
')
########################################
## <summary>
## Allow process to write localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_rw_localization',`
gen_require(`
type locale_t;
')
files_search_usr($1)
allow $1 locale_t:dir list_dir_perms;
rw_files_pattern($1, locale_t, locale_t)
')
########################################
## <summary>
## Allow process to relabel localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_relabel_localization',`
gen_require(`
type locale_t;
')
files_search_usr($1)
relabel_files_pattern($1, locale_t, locale_t)
')
########################################
## <summary>
## Allow process to read legacy time localization info
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_legacy_read_localization',`
gen_require(`
type locale_t;
')
miscfiles_read_localization($1)
allow $1 locale_t:file execute;
')
########################################
## <summary>
## Search man pages.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`miscfiles_search_man_pages',`
gen_require(`
type man_t;
')
allow $1 man_t:dir search_dir_perms;
files_search_usr($1)
')
########################################
## <summary>
## Do not audit attempts to search man pages.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`miscfiles_dontaudit_search_man_pages',`
gen_require(`
type man_t;
')
dontaudit $1 man_t:dir search_dir_perms;
')
########################################
## <summary>
## Read man pages
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_man_pages',`
gen_require(`
type man_t;
')
files_search_usr($1)
allow $1 man_t:dir list_dir_perms;
read_files_pattern($1, man_t, man_t)
read_lnk_files_pattern($1, man_t, man_t)
')
########################################
## <summary>
## Delete man pages
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
# cjp: added for tmpreaper
#
interface(`miscfiles_delete_man_pages',`
gen_require(`
type man_t;
')
files_search_usr($1)
allow $1 man_t:dir setattr;
# RH bug #309351
allow $1 man_t:dir list_dir_perms;
delete_dirs_pattern($1, man_t, man_t)
delete_files_pattern($1, man_t, man_t)
delete_lnk_files_pattern($1, man_t, man_t)
')
########################################
## <summary>
## Create, read, write, and delete man pages
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_manage_man_pages',`
gen_require(`
type man_t;
')
files_search_usr($1)
manage_dirs_pattern($1, man_t, man_t)
manage_files_pattern($1, man_t, man_t)
read_lnk_files_pattern($1, man_t, man_t)
')
########################################
## <summary>
## Read public files used for file
## transfer services.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_read_public_files',`
gen_require(`
type public_content_t, public_content_rw_t;
')
allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms;
read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t })
')
########################################
## <summary>
## Create, read, write, and delete public files
## and directories used for file transfer services.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_public_files',`
gen_require(`
type public_content_rw_t;
')
manage_dirs_pattern($1, public_content_rw_t, public_content_rw_t)
manage_files_pattern($1, public_content_rw_t, public_content_rw_t)
manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t)
')
########################################
## <summary>
## Read TeX data
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_read_tetex_data',`
gen_require(`
type tetex_data_t;
')
files_search_var($1)
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
allow $1 tetex_data_t:dir list_dir_perms;
read_files_pattern($1, tetex_data_t, tetex_data_t)
read_lnk_files_pattern($1, tetex_data_t, tetex_data_t)
')
########################################
## <summary>
## Execute TeX data programs in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_exec_tetex_data',`
gen_require(`
type fonts_t;
type tetex_data_t;
')
files_search_var($1)
files_search_var_lib($1)
# cjp: TeX data can be in either of the above dirs
allow $1 tetex_data_t:dir list_dir_perms;
exec_files_pattern($1, tetex_data_t, tetex_data_t)
')
########################################
## <summary>
## Let test files be an entry point for
## a specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain to be entered.
## </summary>
## </param>
#
interface(`miscfiles_domain_entry_test_files',`
gen_require(`
type test_file_t;
')
domain_entry_file($1, test_file_t)
')
########################################
## <summary>
## Read test files and directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_read_test_files',`
gen_require(`
type test_file_t;
')
read_files_pattern($1, test_file_t, test_file_t)
read_lnk_files_pattern($1, test_file_t, test_file_t)
')
########################################
## <summary>
## Execute test files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_exec_test_files',`
gen_require(`
type test_file_t;
')
exec_files_pattern($1, test_file_t, test_file_t)
read_lnk_files_pattern($1, test_file_t, test_file_t)
')
########################################
## <summary>
## Execute test files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`miscfiles_etc_filetrans_localization',`
gen_require(`
type locale_t;
')
files_etc_filetrans($1, locale_t, file)
')
########################################
## <summary>
## Create, read, write, and delete localization
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`miscfiles_manage_localization',`
gen_require(`
type locale_t;
')
manage_dirs_pattern($1, locale_t, locale_t)
manage_files_pattern($1, locale_t, locale_t)
manage_lnk_files_pattern($1, locale_t, locale_t)
')