Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# This is the guide for converting old macros to local policy
Chris PeBenito 835b6a
# and new interfaces.
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# $1, $2, etc. are replaced with and the first and second, etc.
Chris PeBenito 835b6a
# parameters to the old macro.
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
########################################
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# Object class sets
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# devfile_class_set
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ chr_file blk_file }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# dgram_socket_class_set
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ udp_socket unix_dgram_socket }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# dir_file_class_set
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ dir file lnk_file sock_file fifo_file chr_file blk_file }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# file_class_set
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ file lnk_file sock_file fifo_file chr_file blk_file }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# notdevfile_class_set
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ file lnk_file sock_file fifo_file }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# socket_class_set
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# stream_socket_class_set
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ tcp_socket unix_stream_socket }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# unpriv_socket_class_set
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
########################################
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# Permission Sets
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# connected_socket_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ create ioctl read getattr write setattr append bind getopt setopt shutdown }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# connected_stream_socket_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ create ioctl read getattr write setattr append bind getopt setopt shutdown listen accept }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_dir_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_file_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ create ioctl read getattr lock write setattr append link unlink rename }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_lnk_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ create read getattr setattr link unlink rename }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_msgq_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ associate getattr setattr create destroy read write enqueue unix_read unix_write }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_netlink_socket_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_sem_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ associate getattr setattr create destroy read write unix_read unix_write }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_shm_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ associate getattr setattr create destroy read write lock unix_read unix_write }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_socket_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_stream_socket_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# link_file_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ getattr link unlink rename }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# mount_fs_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ mount remount unmount getattr }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# packet_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# r_dir_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ read getattr lock search ioctl }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# r_file_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ read getattr lock ioctl }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# r_msgq_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ associate getattr read unix_read }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# r_netlink_socket_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# r_sem_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ associate getattr read unix_read }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# r_shm_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ associate getattr read unix_read }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# ra_dir_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ read getattr lock search ioctl add_name write }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# ra_file_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ ioctl read getattr lock append }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rw_dir_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ read getattr lock search ioctl add_name remove_name write }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rw_file_perms
Chris PeBenito 835b6a
#
Chris PeBenito b2dc7f
{ getattr read write append ioctl lock  }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rw_msgq_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ associate getattr read write enqueue unix_read unix_write }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rw_netlink_socket_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rw_sem_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ associate getattr read write unix_read unix_write }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rw_shm_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ associate getattr read write lock unix_read unix_write }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rw_socket_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ ioctl read getattr write setattr append bind connect getopt setopt shutdown }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rw_stream_socket_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rx_file_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ read getattr lock execute ioctl }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# signal_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ sigchld sigkill sigstop signull signal }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# stat_file_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ getattr }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# x_file_perms
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
{ getattr execute }
Chris PeBenito 835b6a
Chris PeBenito 835b6a
########################################
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# Attributes
Chris PeBenito f48a2a
#
Chris PeBenito 465a5e
# $1 is the type this attribute is on
Chris PeBenito f48a2a
Chris PeBenito f48a2a
#
Chris PeBenito 428b57
# admin_tty_type: complete
Chris PeBenito 428b57
#
Chris PeBenito 428b57
{ sysadm_tty_device_t sysadm_devpts_t }
Chris PeBenito 428b57
Chris PeBenito 428b57
#
Chris PeBenito 465a5e
# auth: complete
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
authlogin_read_shadow_passwords($1)
Chris PeBenito 465a5e
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
# auth_chkpwd: complete
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
authlogin_check_password_transition($1)
Chris PeBenito 465a5e
Chris PeBenito 465a5e
#
Chris PeBenito f48a2a
# file_type: complete
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
files_make_file($1)
Chris PeBenito f48a2a
Chris PeBenito f48a2a
#
Chris PeBenito b2dc7f
# fs_domain: complete
Chris PeBenito b2dc7f
#
Chris PeBenito b2dc7f
# one or both of these:
Chris PeBenito b2dc7f
storage_raw_read_fixed_disk($1)
Chris PeBenito b2dc7f
storage_raw_write_fixed_disk($1)
Chris PeBenito b2dc7f
Chris PeBenito b2dc7f
#
Chris PeBenito b2dc7f
# privfd: complete
Chris PeBenito b2dc7f
#
Chris PeBenito b2dc7f
domain_make_file_descriptors_widely_inheritable($1)
Chris PeBenito b2dc7f
Chris PeBenito b2dc7f
#
Chris PeBenito f48a2a
# privlog: complete
Chris PeBenito c28c4b
#
Chris PeBenito f48a2a
logging_send_system_log_message($1)
Chris PeBenito f48a2a
Chris PeBenito f48a2a
#
Chris PeBenito c28c4b
# privmail: 
Chris PeBenito c28c4b
#
Chris PeBenito 35519c
mta_send_mail($1)
Chris PeBenito c28c4b
# this needs more work:
Chris PeBenito c28c4b
allow mta_user_agent $1:fd use;
Chris PeBenito c28c4b
allow mta_user_agent $1:process sigchld;
Chris PeBenito c28c4b
allow mta_user_agent $1:fifo_file { read write };
Chris PeBenito c28c4b
Chris PeBenito c28c4b
#
Chris PeBenito f48a2a
# privmodule: complete
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
modutils_insmod_transition($1)
Chris PeBenito f48a2a
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
# privowner: complete
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
kernel_make_object_identity_change_constraint_exception($1)
Chris PeBenito 465a5e
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
# privrole: complete
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
kernel_make_role_change_constraint_exception($1)
Chris PeBenito 465a5e
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
# privuser: complete
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
kernel_make_process_identity_change_constraint_exception($1)
Chris PeBenito f48a2a
Chris PeBenito f48a2a
########################################
Chris PeBenito f48a2a
#
Chris PeBenito 835b6a
# Access macros
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# access_terminal():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
Chris PeBenito 835b6a
allow $1 devtty_t:chr_file { read write getattr ioctl };
Chris PeBenito 835b6a
allow $1 devpts_t:dir { read search getattr };
Chris PeBenito 835b6a
allow $1 $2_devpts_t:chr_file { read write getattr ioctl };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# admin_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# append_log_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_log_t;
Chris PeBenito 835b6a
logging_make_log_file($1_log_t)
Chris PeBenito 835b6a
allow $1_t var_log_t:dir ra_dir_perms;
Chris PeBenito 835b6a
allow $1_t $1_log_t:file  { create ra_file_perms };
Chris PeBenito 835b6a
type_transition $1_t var_log_t:file $1_log_t;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# append_logdir_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_log_t;
Chris PeBenito 835b6a
logging_make_log_file($1_log_t)
Chris PeBenito 835b6a
allow $1_t var_log_t:dir ra_dir_perms;
Chris PeBenito 835b6a
allow $1_t $1_log_t:dir { setattr ra_dir_perms };
Chris PeBenito 835b6a
allow $1_t $1_log_t:file  { create ra_file_perms };
Chris PeBenito 835b6a
type_transition $1_t var_log_t:file $1_log_t;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# application_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_t;
Chris PeBenito 835b6a
type $1_exec_t;
Chris PeBenito 835b6a
domain_make_domain($1_t)
Chris PeBenito 835b6a
domain_make_entrypoint_file($1_t,$1_exec_t)
Chris PeBenito 835b6a
role sysadm_r types $1_t;
Chris PeBenito 835b6a
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
Chris PeBenito 835b6a
libraries_use_dynamic_loader($1_t)
Chris PeBenito 835b6a
libraries_read_shared_libraries($1_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# base_can_network($1,$2):
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:$2_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
Chris PeBenito 835b6a
corenetwork_network_$2_on_all_interfaces($1)
Chris PeBenito 835b6a
corenetwork_network_raw_on_all_interfaces($1)
Chris PeBenito 835b6a
corenetwork_network_$2_on_all_nodes($1)
Chris PeBenito 835b6a
corenetwork_network_raw_on_all_nodes($1)
Chris PeBenito 835b6a
corenetwork_bind_$2_on_all_nodes($1)
Chris PeBenito 835b6a
corenetwork_network_$2_on_all_ports($1)
Chris PeBenito 835b6a
sysnetwork_read_network_config($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# base_can_network($1,$2,$3):
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:$2_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
Chris PeBenito 835b6a
corenetwork_network_$2_on_all_interfaces($1)
Chris PeBenito 835b6a
corenetwork_network_raw_on_all_interfaces($1)
Chris PeBenito 835b6a
corenetwork_network_$2_on_all_nodes($1)
Chris PeBenito 835b6a
corenetwork_network_raw_on_all_nodes($1)
Chris PeBenito 835b6a
corenetwork_bind_$2_on_all_nodes($1)
Chris PeBenito 835b6a
corenetwork_network_$2_on_$3_port($1)
Chris PeBenito 835b6a
sysnetwork_read_network_config($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# base_file_read_access():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
files_list_home_directories($1)
Chris PeBenito 465a5e
files_read_general_application_resources($1)
Chris PeBenito 835b6a
allow $1 bin_t:dir r_dir_perms;
Chris PeBenito 835b6a
allow $1 bin_t:notdevfile_class_set r_file_perms;
Chris PeBenito 835b6a
allow $1 sbin_t:dir r_dir_perms;
Chris PeBenito 835b6a
allow $1 sbin_t:notdevfile_class_set r_file_perms;
Chris PeBenito 835b6a
kernel_read_kernel_sysctl($1)
Chris PeBenito 835b6a
selinux_read_config($1)
Chris PeBenito 835b6a
if (read_default_t) {
Chris PeBenito 835b6a
allow $1 default_t:dir r_dir_perms;
Chris PeBenito 835b6a
allow $1 default_t:notdevfile_class_set r_file_perms;
Chris PeBenito 835b6a
}
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# base_pty_perms():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1_t ptmx_t:chr_file rw_file_perms;
Chris PeBenito 835b6a
allow $1_t devpts_t:filesystem getattr;
Chris PeBenito 835b6a
allow $1_t devpts_t:dir { getattr read search };
Chris PeBenito 835b6a
dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# base_user_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_create():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# for each i in $3
Chris PeBenito 835b6a
can_create_internal($1,$2,$i)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_create_internal($1,$2,dir):
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
allow $1 $2:$3 { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_create_internal($1,$2,lnk_file):
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
allow $1 $2:$3 { create read getattr setattr link unlink rename };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_create_internal($1,$2,[file,chr_file,blk_file,sock_file,fifo_file]):
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
allow $1 $2:$3 { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_create_other_pty(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
terminal_make_pseudoterminal($1_t,$2_devpts_t)
Chris PeBenito 835b6a
allow $1_t $2_devpts_t:chr_file { setattr ioctl read getattr lock write append };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_create_pty(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# $2 may require more conversion
Chris PeBenito 835b6a
type $1_devpts_t $2;
Chris PeBenito 835b6a
terminal_make_pseudoterminal($1_t,$1_devpts_t)
Chris PeBenito 835b6a
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_exec(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:file { getattr read execute execute_no_trans };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 36f72d
# can_exec_any(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 36f72d
domain_execute_all_entrypoint_programs($1)
Chris PeBenito 835b6a
files_execute_system_config_script($1)
Chris PeBenito 835b6a
corecommands_execute_general_programs($1)
Chris PeBenito 835b6a
corecommands_execute_system_programs($1)
Chris PeBenito 36f72d
libraries_use_dynamic_loader($1)
Chris PeBenito 36f72d
libraries_read_shared_libraries($1)
Chris PeBenito 36f72d
libraries_execute_dynamic_loader($1)
Chris PeBenito 36f72d
libraries_execute_library_scripts($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_getcon():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:process getattr;
Chris PeBenito 465a5e
kernel_read_system_state($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# can_getsecurity(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
kernel_get_selinuxfs_mount_point($1)
Chris PeBenito 835b6a
kernel_validate_selinux_context($1)
Chris PeBenito 835b6a
kernel_compute_selinux_av($1)
Chris PeBenito 835b6a
kernel_compute_create($1)
Chris PeBenito 835b6a
kernel_compute_relabel($1)
Chris PeBenito 835b6a
kernel_compute_reachable_user_contexts($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 428b57
# can_kerberos():
Chris PeBenito 428b57
#
Chris PeBenito 428b57
ifdef(`kerberos.te',`
Chris PeBenito 428b57
if (allow_kerberos) {
Chris PeBenito 428b57
can_network_client($1, `kerberos_port_t')
Chris PeBenito 428b57
can_resolve($1)
Chris PeBenito 428b57
}
Chris PeBenito 428b57
') dnl kerberos.te
Chris PeBenito 428b57
dontaudit $1 krb5_conf_t:file write;
Chris PeBenito 428b57
allow $1 krb5_conf_t:file { getattr read };
Chris PeBenito 428b57
Chris PeBenito 428b57
#
Chris PeBenito 835b6a
# can_ldap():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
ifdef(`slapd.te',`
Chris PeBenito 835b6a
can_network_client_tcp($1, `ldap_port_t')
Chris PeBenito 835b6a
')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_loadpol(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
kernel_get_selinuxfs_mount_point($1)
Chris PeBenito 835b6a
kernel_load_selinux_policy($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_network():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
can_network_tcp($1, `$2')
Chris PeBenito 835b6a
can_network_udp($1, `$2')
Chris PeBenito 835b6a
ifdef(`mount.te', `
Chris PeBenito 835b6a
allow $1 mount_t:udp_socket rw_socket_perms;
Chris PeBenito 835b6a
')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_network_client():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
can_network_client_tcp($1, `$2')
Chris PeBenito 835b6a
can_network_udp($1, `$2')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 36f72d
# can_network_client_tcp($1): complete
Chris PeBenito 835b6a
#
Chris PeBenito 36f72d
allow $1 self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
Chris PeBenito 36f72d
corenetwork_network_tcp_on_all_interfaces($1)
Chris PeBenito 36f72d
corenetwork_network_raw_on_all_interfaces($1)
Chris PeBenito 36f72d
corenetwork_network_tcp_on_all_nodes($1)
Chris PeBenito 36f72d
corenetwork_network_raw_on_all_nodes($1)
Chris PeBenito 36f72d
corenetwork_bind_tcp_on_all_nodes($1)
Chris PeBenito 36f72d
corenetwork_network_tcp_on_all_ports($1)
Chris PeBenito 36f72d
sysnetwork_read_network_config($1)
Chris PeBenito 36f72d
Chris PeBenito 36f72d
#
Chris PeBenito 36f72d
# can_network_client_tcp($1,$2):
Chris PeBenito 36f72d
#
Chris PeBenito 36f72d
# remove _port_t from $2
Chris PeBenito 36f72d
allow system_mail_t self:tcp_socket { create connect ioctl read getattr write setattr append bind getopt setopt shutdown };
Chris PeBenito 36f72d
corenetwork_network_tcp_on_all_interfaces(system_mail_t)
Chris PeBenito 36f72d
corenetwork_network_raw_on_all_interfaces(system_mail_t)
Chris PeBenito 36f72d
corenetwork_network_tcp_on_all_nodes(system_mail_t)
Chris PeBenito 36f72d
corenetwork_network_raw_on_all_nodes(system_mail_t)
Chris PeBenito 36f72d
corenetwork_bind_tcp_on_all_nodes(system_mail_t)
Chris PeBenito 36f72d
corenetwork_network_tcp_on_$2_port(system_mail_t)
Chris PeBenito 36f72d
sysnetwork_read_network_config(system_mail_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_network_server():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:tcp_socket { listen accept };
Chris PeBenito 835b6a
base_can_network($1, tcp, `$2')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_network_server_tcp():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:tcp_socket { listen accept };
Chris PeBenito 835b6a
base_can_network($1, tcp, `$2')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_network_tcp(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
can_network_server_tcp($1, `$2')
Chris PeBenito 835b6a
can_network_client_tcp($1, `$2')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_network_udp(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
base_can_network($1, udp, `$2')
Chris PeBenito 835b6a
allow $1 self:udp_socket { connect };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_ps():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:dir { search getattr read };
Chris PeBenito 835b6a
allow $1 $2:{ file lnk_file } { read getattr };
Chris PeBenito 835b6a
allow $1 $2:process getattr;
Chris PeBenito 835b6a
# We need to suppress this denial because procps tries to access
Chris PeBenito 835b6a
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
Chris PeBenito 835b6a
# (2.4 and 2.6).  Might want to change procps to not do this, or only if
Chris PeBenito 835b6a
# running in a privileged domain.
Chris PeBenito 835b6a
dontaudit $1 $2:process ptrace;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_ptrace():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:process ptrace;
Chris PeBenito 835b6a
allow $2 $1:process sigchld;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_resolve():
Chris PeBenito 835b6a
#
Chris PeBenito 465a5e
tunable_policy(`use_dns',`
Chris PeBenito 465a5e
allow $1 self:udp_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown connect };
Chris PeBenito 465a5e
corenetwork_network_udp_on_all_interfaces($1)
Chris PeBenito 465a5e
corenetwork_network_raw_on_all_interfaces($1)
Chris PeBenito 465a5e
corenetwork_network_udp_on_all_nodes($1)
Chris PeBenito 465a5e
corenetwork_network_raw_on_all_nodes($1)
Chris PeBenito 465a5e
corenetwork_bind_udp_on_all_nodes($1)
Chris PeBenito 465a5e
corenetwork_network_udp_on_dns_port($1)
Chris PeBenito 465a5e
sysnetwork_read_network_config($1)
Chris PeBenito 835b6a
')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_setbool(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
kernel_get_selinuxfs_mount_point($1)
Chris PeBenito 835b6a
kernel_set_selinux_boolean($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# can_setcon(): complete
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
# get mount point is due to libselinux init
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:process setcurrent;
Chris PeBenito f48a2a
kernel_get_selinuxfs_mount_point($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_setenforce(): complete
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# get mount point is due to libselinux init
Chris PeBenito f48a2a
#
Chris PeBenito 835b6a
kernel_get_selinuxfs_mount_point($1)
Chris PeBenito 835b6a
kernel_set_selinux_enforcement_mode($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# can_setexec(): complete
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
# get mount point is due to libselinux init
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:process setexec;
Chris PeBenito f48a2a
kernel_get_selinuxfs_mount_point($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# can_setfscreate(): complete
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
# get mount point is due to libselinux init
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:process setfscreate;
Chris PeBenito f48a2a
kernel_get_selinuxfs_mount_point($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# can_setsecparam(): complete
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
# get mount point is due to libselinux init
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
kernel_get_selinuxfs_mount_point($1)
Chris PeBenito f48a2a
kernel_setsecparam($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_sysctl(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
kernel_modify_all_sysctl($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_tcp_connect
Chris PeBenito 835b6a
# (policy is commented out)
Chris PeBenito 835b6a
# Irrelevant until we have labeled networking.
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
#allow $1 $2:tcp_socket { connectto recvfrom };
Chris PeBenito 835b6a
#allow $2 $1:tcp_socket { acceptfrom recvfrom };
Chris PeBenito 835b6a
#allow $2 kernel_t:tcp_socket recvfrom;
Chris PeBenito 835b6a
#allow $1 kernel_t:tcp_socket recvfrom;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_udp_send():
Chris PeBenito 835b6a
# (policy is commented out)
Chris PeBenito 835b6a
# Irrelevant until we have labeled networking.
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
#allow $1 $2:udp_socket sendto;
Chris PeBenito 835b6a
#allow $2 $1:udp_socket recvfrom;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_unix_connect():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:unix_stream_socket connectto;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_unix_send():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:unix_dgram_socket sendto;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# can_ypbind():
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
Chris PeBenito f48a2a
#
Chris PeBenito 835b6a
# create_append_log_file():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:dir { read getattr search add_name write };
Chris PeBenito 835b6a
allow $1 $2:file { create ioctl getattr setattr append link };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_dir_file():
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
allow $1 $2:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
Chris PeBenito f48a2a
allow $1 $2:file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito f48a2a
allow $1 $2:lnk_file { create read getattr setattr link unlink rename };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_dir_notdevfile():
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
allow $1 $2:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
Chris PeBenito f48a2a
allow $1 $2:{ file sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito f48a2a
allow $1 $2:lnk_file { create read getattr setattr link unlink rename };
Chris PeBenito f48a2a
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
# daemon_base_domain():
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
type $1_t;
Chris PeBenito f48a2a
type $1_exec_t;
Chris PeBenito c28c4b
init_make_daemon_domain($1_t,$1_exec_t)
Chris PeBenito f48a2a
role system_r types $1_t;
Chris PeBenito f48a2a
dontaudit $1_t self:capability sys_tty_config;
Chris PeBenito f48a2a
allow $1_t self:process { sigchld sigkill sigstop signull signal };
Chris PeBenito f48a2a
kernel_read_kernel_sysctl($1_t)
Chris PeBenito f48a2a
kernel_read_hardware_state($1_t)
Chris PeBenito f48a2a
terminal_ignore_use_console($1_t)
Chris PeBenito f48a2a
init_use_file_descriptors($1_t)
Chris PeBenito f48a2a
init_script_use_pseudoterminal($1_t)
Chris PeBenito f48a2a
domain_use_widely_inheritable_file_descriptors($1_t)
Chris PeBenito f48a2a
libraries_use_dynamic_loader($1_t)
Chris PeBenito f48a2a
libraries_read_shared_libraries($1_t)
Chris PeBenito f48a2a
logging_send_system_log_message($1_t)
Chris PeBenito b2dc7f
allow $1_t proc_t:dir r_dir_perms;
Chris PeBenito b2dc7f
allow $1_t proc_t:lnk_file read;
Chris PeBenito b2dc7f
tunable_policy(`direct_sysadm_daemon', `
Chris PeBenito b2dc7f
dontaudit $1_t admin_tty_type:chr_file rw_file_perms;
Chris PeBenito b2dc7f
')
Chris PeBenito 428b57
tunable_policy(`targeted_policy', `
Chris PeBenito 428b57
terminal_ignore_use_general_physical_terminal($1_t)
Chris PeBenito 428b57
terminal_ignore_use_general_pseudoterminal($1_t)
Chris PeBenito 428b57
files_ignore_read_rootfs_file($1_t)
Chris PeBenito b2dc7f
')
Chris PeBenito 428b57
optional_policy(`rhgb.te', `
Chris PeBenito f48a2a
allow $1_t rhgb_t:process sigchld;
Chris PeBenito f48a2a
allow $1_t rhgb_t:fd use;
Chris PeBenito f48a2a
allow $1_t rhgb_t:fifo_file { read write };
Chris PeBenito f48a2a
')
Chris PeBenito b2dc7f
optional_policy(`selinux.te',`
Chris PeBenito b2dc7f
selinux_newrole_sigchld($1_t)
Chris PeBenito b2dc7f
')
Chris PeBenito f48a2a
optional_policy(`udev.te', `
Chris PeBenito f48a2a
udev_read_database($1_t)
Chris PeBenito f48a2a
')
Chris PeBenito f48a2a
dontaudit $1_t unpriv_userdomain:fd use;
Chris PeBenito f48a2a
allow $1_t autofs_t:dir { search getattr };
Chris PeBenito f48a2a
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# daemon_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_t;
Chris PeBenito 835b6a
type $1_exec_t;
Chris PeBenito c28c4b
init_make_daemon_domain($1_t,$1_exec_t)
Chris PeBenito 835b6a
type $1_var_run_t;
Chris PeBenito b2dc7f
files_make_daemon_runtime_file($1_var_run_t)
Chris PeBenito 835b6a
allow $1_t $1_var_run_t:file { getattr create read write append setattr unlink };
Chris PeBenito 835b6a
files_create_daemon_runtime_data($1_t,$1_var_run_t)
Chris PeBenito 835b6a
dontaudit $1_t self:capability sys_tty_config;
Chris PeBenito f48a2a
kernel_read_kernel_sysctl($1_t)
Chris PeBenito f48a2a
kernel_read_hardware_state($1_t)
Chris PeBenito a01ab8
filesystem_get_all_filesystems_attributes($1_t)
Chris PeBenito f48a2a
terminal_ignore_use_console($1_t)
Chris PeBenito f48a2a
init_use_file_descriptors($1_t)
Chris PeBenito f48a2a
init_script_use_pseudoterminal($1_t)
Chris PeBenito f48a2a
domain_use_widely_inheritable_file_descriptors($1_t)
Chris PeBenito f48a2a
logging_send_system_log_message($1_t)
Chris PeBenito 835b6a
libraries_use_dynamic_loader($1_t)
Chris PeBenito 835b6a
libraries_read_shared_libraries($1_t)
Chris PeBenito f48a2a
miscfiles_read_localization($1_t)
Chris PeBenito 428b57
tunable_policy(`targeted_policy', `
Chris PeBenito 428b57
terminal_ignore_use_general_physical_terminal($1_t)
Chris PeBenito 428b57
terminal_ignore_use_general_pseudoterminal($1_t)
Chris PeBenito 428b57
files_ignore_read_rootfs_file($1_t)
Chris PeBenito b2dc7f
')
Chris PeBenito 428b57
optional_policy(`rhgb.te', `
Chris PeBenito f48a2a
allow $1_t rhgb_t:process sigchld;
Chris PeBenito f48a2a
allow $1_t rhgb_t:fd use;
Chris PeBenito f48a2a
allow $1_t rhgb_t:fifo_file { read write };
Chris PeBenito 835b6a
')
Chris PeBenito 428b57
optional_policy(`selinux.te',`
Chris PeBenito 428b57
selinux_newrole_sigchld($1_t)
Chris PeBenito 428b57
')
Chris PeBenito b2dc7f
optional_policy(`udev.te', `
Chris PeBenito b2dc7f
udev_read_database($1_t)
Chris PeBenito b2dc7f
')
Chris PeBenito b2dc7f
allow $1_t proc_t:dir r_dir_perms;
Chris PeBenito b2dc7f
allow $1_t proc_t:lnk_file read;
Chris PeBenito b2dc7f
dontaudit $1_t unpriv_userdomain:fd use;
Chris PeBenito b2dc7f
allow $1_t autofs_t:dir { search getattr };
Chris PeBenito b2dc7f
dontaudit $1_t sysadm_home_dir_t:dir search;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# daemon_sub_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# $1 is the parent domain (or domains), $2_t is the child domain,
Chris PeBenito 835b6a
# and $3 is any attributes to apply to the child
Chris PeBenito 835b6a
type $2_t, domain, privlog, daemon $3;
Chris PeBenito 835b6a
type $2_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 835b6a
role system_r types $2_t;
Chris PeBenito 835b6a
domain_auto_trans($1, $2_exec_t, $2_t)
Chris PeBenito 835b6a
allow $2_t $1:fd use;
Chris PeBenito 835b6a
allow $2_t $1:process sigchld;
Chris PeBenito 835b6a
allow $2_t self:process signal_perms;
Chris PeBenito 835b6a
libraries_use_dynamic_loader($2_t)
Chris PeBenito 835b6a
libraries_read_shared_libraries($2_t)
Chris PeBenito 835b6a
allow $2_t proc_t:dir r_dir_perms;
Chris PeBenito 835b6a
allow $2_t proc_t:lnk_file read;
Chris PeBenito 835b6a
allow $2_t device_t:dir getattr;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# etc_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_etc_t; #, usercanread;
Chris PeBenito 835b6a
files_make_file($1_etc_t)
Chris PeBenito 465a5e
allow $1_t $1_etc_t:file { getattr read };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# etcdir_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_etc_t; #, usercanread;
Chris PeBenito 835b6a
files_make_file($1_etc_t)
Chris PeBenito 835b6a
allow $1_t $1_etc_t:file r_file_perms;
Chris PeBenito 835b6a
allow $1_t $1_etc_t:dir r_dir_perms;
Chris PeBenito 835b6a
allow $1_t $1_etc_t:lnk_file { getattr read };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# file_type_auto_trans():
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write };
Chris PeBenito f48a2a
allow $1 $2:file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito f48a2a
allow $1 $2:lnk_file { create read getattr setattr link unlink rename };
Chris PeBenito f48a2a
allow $1 $2:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito f48a2a
allow $1 $2:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito 835b6a
type_transition $1 $2:dir $3;
Chris PeBenito 835b6a
type_transition $1 $2:{ file lnk_file sock_file fifo_file } $3;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 465a5e
# file_type_auto_trans($1,$2,$3):
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
allow $1 $3:dir { read getattr lock search ioctl add_name remove_name write };
Chris PeBenito f48a2a
allow $1 $3:file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito f48a2a
allow $1 $3:lnk_file { create read getattr setattr link unlink rename };
Chris PeBenito f48a2a
allow $1 $3:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito f48a2a
allow $1 $3:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito 835b6a
type_transition $1 $2:{ dir file lnk_file sock_file fifo_file } $3;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 465a5e
# file_type_auto_trans($1,$2,$3,$4):
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write };
Chris PeBenito 70abf8
# for each i in $4:
Chris PeBenito 70abf8
can_create_internal($1,$3,$i)
Chris PeBenito 835b6a
type_transition $1 $2:$i $3;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# full_user_role():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# general_domain_access():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
Chris PeBenito 835b6a
allow $1 self:fd use;
Chris PeBenito 835b6a
allow $1 self:fifo_file { read getattr lock ioctl write append };
Chris PeBenito 835b6a
allow $1 self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
Chris PeBenito 835b6a
allow $1 self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
Chris PeBenito 835b6a
allow $1 self:unix_dgram_socket sendto;
Chris PeBenito 835b6a
allow $1 self:unix_stream_socket connectto;
Chris PeBenito 835b6a
allow $1 self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
Chris PeBenito 835b6a
allow $1 self:sem { associate getattr setattr create destroy read write unix_read unix_write };
Chris PeBenito 835b6a
allow $1 self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
Chris PeBenito 835b6a
allow $1 self:msg { send receive };
Chris PeBenito 835b6a
allow $1 unpriv_userdomain:fd use;
Chris PeBenito 835b6a
can_ypbind($1)
Chris PeBenito 835b6a
ifdef(`automount.te', `
Chris PeBenito 835b6a
allow $1 autofs_t:dir { search getattr };
Chris PeBenito 835b6a
')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# general_proc_read_access(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
kernel_read_system_state($1)
Chris PeBenito 835b6a
kernel_read_network_state($1)
Chris PeBenito 835b6a
kernel_read_software_raid_state($1)
Chris PeBenito 835b6a
kernel_get_core_interface_attributes($1)
Chris PeBenito 835b6a
kernel_get_message_interface_attributes($1)
Chris PeBenito 835b6a
kernel_read_kernel_sysctl($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# home_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# home_domain_access():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# home_domain_ro():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# home_domain_ro_access():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# in_user_role():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
role user_r types $1;
Chris PeBenito 835b6a
role staff_r types $1;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# init_service_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_t;
Chris PeBenito 835b6a
type $1_exec_t;
Chris PeBenito c28c4b
init_make_daemon_domain($1_t,$1_exec_t)
Chris PeBenito f48a2a
dontaudit $1_t self:capability sys_tty_config;
Chris PeBenito 835b6a
kernel_read_hardware_state($1_t)
Chris PeBenito f48a2a
terminal_ignore_use_console($1_t)
Chris PeBenito f48a2a
init_use_file_descriptors($1_t)
Chris PeBenito 835b6a
libraries_use_dynamic_loader($1_t)
Chris PeBenito 835b6a
libraries_read_shared_libraries($1_t)
Chris PeBenito f48a2a
logging_send_system_log_message($1_t)
Chris PeBenito 428b57
tunable_policy(`targeted_policy', `
Chris PeBenito 428b57
terminal_ignore_use_general_physical_terminal($1_t)
Chris PeBenito 428b57
terminal_ignore_use_general_pseudoterminal($1_t)
Chris PeBenito 428b57
files_ignore_read_rootfs_file($1_t)
Chris PeBenito 428b57
')dnl end targeted_policy tunable
Chris PeBenito 835b6a
allow $1_t proc_t:dir r_dir_perms;
Chris PeBenito 835b6a
allow $1_t proc_t:lnk_file read;
Chris PeBenito f48a2a
optional_policy(`udev.te', `
Chris PeBenito f48a2a
udev_read_database($1_t)
Chris PeBenito f48a2a
')
Chris PeBenito 835b6a
allow $1_t autofs_t:dir { search getattr };
Chris PeBenito 835b6a
dontaudit $1_t unpriv_userdomain:fd use;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# legacy_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1_t self:process execmem;
Chris PeBenito 835b6a
libraries_legacy_read_shared_libraries($1_t)
Chris PeBenito 835b6a
libraries_legacy_use_dynamic_loader($1_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 70abf8
# lock_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 70abf8
type $1_lock_t;
Chris PeBenito 70abf8
files_make_lock_file($1_lock_t)
Chris PeBenito 70abf8
allow $1_t $1_lock_t:file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito 70abf8
files_create_private_lock_file($1_t,$1_lock_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# log_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
type $1_log_t;
Chris PeBenito b2dc7f
logging_make_log_file($1_log_t)
Chris PeBenito f48a2a
allow $1_t $1_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito b2dc7f
logging_create_private_log($1_t,$1_log_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# logdir_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
type $1_log_t;
Chris PeBenito b2dc7f
logging_make_log_file($1_log_t)
Chris PeBenito f48a2a
allow $1_t $1_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito f48a2a
allow $1_t $1_log_t:dir { getattr search read lock ioctl add_name remove_name write setattr };
Chris PeBenito b2dc7f
logging_create_private_log($1_t,$1_log_t,{ file dir })
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# mini_user_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# network_home_dir():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
create_dir_file($1, $2)
Chris PeBenito 835b6a
can_exec($1, $2)
Chris PeBenito f48a2a
allow $1 $2:{ sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# pty_slave_label():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
Chris PeBenito 835b6a
allow $1_devpts_t devpts_t:filesystem associate;
Chris PeBenito 835b6a
type_transition $1_t devpts_t:chr_file $1_devpts_t;
Chris PeBenito 835b6a
allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# r_dir_file():
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
allow $1 $2:dir { getattr read search };
Chris PeBenito f48a2a
allow $1 $2:file { read getattr };
Chris PeBenito 835b6a
allow $1 $2:lnk_file { getattr read };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# ra_dir_create_file():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:dir ra_dir_perms;
Chris PeBenito 835b6a
allow $1 $2:file { create ra_file_perms };
Chris PeBenito 835b6a
allow $1 $2:lnk_file { create read getattr };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# ra_dir_file():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:dir ra_dir_perms;
Chris PeBenito 835b6a
allow $1 $2:file ra_file_perms;
Chris PeBenito 835b6a
allow $1 $2:lnk_file { getattr read };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# read_locale(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
miscfiles_read_localization($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# read_sysctl($1): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
kernel_read_kernel_sysctl($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# read_sysctl($1,full): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
kernel_read_all_sysctl($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rhgb_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
ifdef(`rhgb.te', `
Chris PeBenito 835b6a
allow $1 rhgb_t:process sigchld;
Chris PeBenito 835b6a
allow $1 rhgb_t:fd use;
Chris PeBenito 835b6a
allow $1 rhgb_t:fifo_file { read write };
Chris PeBenito 835b6a
')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rw_dir_create_file():
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write };
Chris PeBenito f48a2a
allow $1 $2:file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito f48a2a
allow $1 $2:lnk_file { create read getattr setattr link unlink rename };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rw_dir_file():
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write };
Chris PeBenito 835b6a
allow $1 $2:file rw_file_perms;
Chris PeBenito 835b6a
allow $1 $2:lnk_file { getattr read };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# system_domain():
Chris PeBenito 835b6a
#
Chris PeBenito a01ab8
type $1_t;
Chris PeBenito a01ab8
domain_make_domain($1_t)
Chris PeBenito 835b6a
role system_r types $1_t;
Chris PeBenito a01ab8
type $1_exec_t;
Chris PeBenito a01ab8
domain_make_entrypoint_file($1_t,$1_exec_t)
Chris PeBenito 835b6a
libraries_use_dynamic_loader($1_t)
Chris PeBenito 835b6a
libraries_read_shared_libraries($1_t)
Chris PeBenito a01ab8
logging_send_system_log_message($1_t)
Chris PeBenito 835b6a
allow $1_t etc_t:dir r_dir_perms;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# tmp_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# $2 may need more handling
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_tmp_t $2;
Chris PeBenito b2dc7f
files_make_temporary_file($1_tmp_t)
Chris PeBenito 835b6a
# no class specified:
Chris PeBenito 835b6a
allow $1_t $1_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
Chris PeBenito 835b6a
allow $1_t $1_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito 835b6a
files_create_private_tmp_data($1_t, $1_tmp_t, { file dir })
Chris PeBenito 835b6a
# class specified:
Chris PeBenito 835b6a
files_create_private_tmp_data($1_t, $1_tmp_t, $3)
Chris PeBenito 835b6a
# $3 manage object perms here
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# tmp_domain($1,$2,$3): complete
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
# $2 may need more handling
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
type $1_tmp_t $2;
Chris PeBenito b2dc7f
files_make_temporary_file($1_tmp_t)
Chris PeBenito f48a2a
files_create_private_tmp_data($1_t, $1_tmp_t, $3)
Chris PeBenito f48a2a
allow $1_t $1_tmp_t:$3 manage_obj_perms;
Chris PeBenito f48a2a
Chris PeBenito f48a2a
#
Chris PeBenito 835b6a
# tmpfs_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_tmpfs_t, file_type, sysadmfile, tmpfsfile;
Chris PeBenito 835b6a
file_type_auto_trans($1_t, tmpfs_t, $1_tmpfs_t)
Chris PeBenito 835b6a
allow $1_tmpfs_t tmpfs_t:filesystem associate;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# unconfined_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# user_application_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_t, domain, privlog $2;
Chris PeBenito 835b6a
type $1_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 835b6a
role sysadm_r types $1_t;
Chris PeBenito 835b6a
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
Chris PeBenito 835b6a
libraries_use_dynamic_loader($1_t)
Chris PeBenito 835b6a
libraries_read_shared_libraries($1_t)
Chris PeBenito 835b6a
in_user_role($1_t)
Chris PeBenito 835b6a
domain_auto_trans(userdomain, $1_exec_t, $1_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# user_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# uses_authbind():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
domain_auto_trans($1, authbind_exec_t, authbind_t)
Chris PeBenito 835b6a
allow authbind_t $1:process sigchld;
Chris PeBenito 835b6a
allow authbind_t $1:fd use;
Chris PeBenito 835b6a
allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# uses_shlib(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
libraries_use_dynamic_loader($1)
Chris PeBenito 835b6a
libraries_read_shared_libraries($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# var_lib_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_var_lib_t, file_type, sysadmfile;
Chris PeBenito 835b6a
typealias $1_var_lib_t alias var_lib_$1_t;
Chris PeBenito 835b6a
file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
Chris PeBenito f48a2a
allow $1_t $1_var_lib_t:dir { read getattr lock search ioctl add_name remove_name write };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# var_run_domain($1):
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_var_run_t, file_type, sysadmfile, pidfile;
Chris PeBenito 835b6a
file_type_auto_trans($1_t, var_run_t, $1_var_run_t, file)
Chris PeBenito 835b6a
allow $1_t var_t:dir search;
Chris PeBenito f48a2a
allow $1_t $1_var_run_t:dir { read getattr lock search ioctl add_name remove_name write };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# var_run_domain($1,$2):
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_var_run_t, file_type, sysadmfile, pidfile;
Chris PeBenito 835b6a
file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
Chris PeBenito 835b6a
allow $1_t var_t:dir search;
Chris PeBenito f48a2a
allow $1_t $1_var_run_t:dir { read getattr lock search ioctl add_name remove_name write };