Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# This is the guide for converting old macros to local policy
Chris PeBenito 835b6a
# and new interfaces.
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# $1, $2, etc. are replaced with and the first and second, etc.
Chris PeBenito 835b6a
# parameters to the old macro.
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
########################################
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# Attributes
Chris PeBenito f48a2a
#
Chris PeBenito 465a5e
# $1 is the type this attribute is on
Chris PeBenito f48a2a
Chris PeBenito f48a2a
#
Chris PeBenito 465a5e
# auth: complete
Chris PeBenito 465a5e
#
Chris PeBenito 58c777
auth_read_shadow($1)
Chris PeBenito 465a5e
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
# auth_chkpwd: complete
Chris PeBenito 465a5e
#
Chris PeBenito 58c777
auth_domtrans_chk_passwd($1)
Chris PeBenito 465a5e
Chris PeBenito 465a5e
#
Chris PeBenito 5fd4a1
# auth_write: complete
Chris PeBenito 5fd4a1
#
Chris PeBenito 5fd4a1
# handled by appropriate interfaces
Chris PeBenito 5fd4a1
Chris PeBenito 5fd4a1
#
Chris PeBenito 5fd4a1
# domain: complete
Chris PeBenito 5fd4a1
#
Chris PeBenito 5fd4a1
domain_type($1)
Chris PeBenito 5fd4a1
Chris PeBenito 5fd4a1
#
Chris PeBenito 5fd4a1
# etc_writer: complete
Chris PeBenito 5fd4a1
#
Chris PeBenito 5fd4a1
# handled by appropriate interfaces
Chris PeBenito 5fd4a1
Chris PeBenito 5fd4a1
#
Chris PeBenito f48a2a
# file_type: complete
Chris PeBenito f48a2a
#
Chris PeBenito 7bb610
files_type($1)
Chris PeBenito f48a2a
Chris PeBenito f48a2a
#
Chris PeBenito b2dc7f
# fs_domain: complete
Chris PeBenito b2dc7f
#
Chris PeBenito e7498c
# handled by appropriate interfaces
Chris PeBenito b2dc7f
Chris PeBenito b2dc7f
#
Chris PeBenito 1d1d21
# mta_delivery_agent:
Chris PeBenito 1d1d21
#
Chris PeBenito 1d1d21
mta_mailserver_delivery($1)
Chris PeBenito 1d1d21
# for piping mail to a command
Chris PeBenito 1d1d21
kernel_read_system_state($1)
Chris PeBenito 1d1d21
corecmd_exec_shell($1)
Chris PeBenito 1d1d21
files_read_etc_runtime_files($1)
Chris PeBenito 1d1d21
mta_append_spool($1)
Chris PeBenito 777d80
ifdef(`TODO',`
Chris PeBenito 1d1d21
optional_policy(`arpwatch.te',`
Chris PeBenito 1d1d21
	# why is mail delivered to a directory of type arpwatch_data_t?
Chris PeBenito 1d1d21
	allow mta_delivery_agent arpwatch_data_t:dir search;
Chris PeBenito 1d1d21
')
Chris PeBenito 777d80
') dnl end TODO
Chris PeBenito 1d1d21
Chris PeBenito 1d1d21
#
Chris PeBenito 1d1d21
# mta_user_agent:
Chris PeBenito 1d1d21
#
Chris PeBenito 1d1d21
mta_mailserver_user_agent($1)
Chris PeBenito 1d1d21
domain_use_wide_inherit_fd($1)
Chris PeBenito 1d1d21
userdom_sigchld_all_users($1)
Chris PeBenito 1d1d21
userdom_use_all_user_fd($1)
Chris PeBenito 1d1d21
userdom_use_sysadm_terms($1)
Chris PeBenito 1d1d21
allow mta_user_agent privmail:fd use;
Chris PeBenito 1d1d21
allow mta_user_agent privmail:process sigchld;
Chris PeBenito 1d1d21
allow mta_user_agent privmail:fifo_file { read write };
Chris PeBenito 1d1d21
allow mta_user_agent sysadm_t:fifo_file { read write };
Chris PeBenito 1d1d21
optional_policy(`arpwatch.te',`
Chris PeBenito 1d1d21
	# why is mail delivered to a directory of type arpwatch_data_t?
Chris PeBenito 1d1d21
	allow mta_user_agent arpwatch_tmp_t:file rw_file_perms;
Chris PeBenito 1d1d21
	ifdef(`hide_broken_symptoms', `
Chris PeBenito 1d1d21
		dontaudit mta_user_agent arpwatch_t:packet_socket { read write };
Chris PeBenito 1d1d21
	')
Chris PeBenito 1d1d21
')
Chris PeBenito 1d1d21
optional_policy(`cron.te',`
Chris PeBenito 1d1d21
	cron_sigchld($1)
Chris PeBenito 1d1d21
	cron_read_system_job_tmp_files($1)
Chris PeBenito 1d1d21
')
Chris PeBenito 1d1d21
optional_policy(`logrotate.te',`
Chris PeBenito 1d1d21
	logrotate_read_tmp_files($1)
Chris PeBenito 1d1d21
')
Chris PeBenito 1d1d21
Chris PeBenito 1d1d21
#
Chris PeBenito 8125c9
# nscd_client_domain: complete
Chris PeBenito 8125c9
#
Chris PeBenito 7bb610
optional_policy(`nscd.te',`
Chris PeBenito 7bb610
	nscd_use_socket($1)
Chris PeBenito 7bb610
')
Chris PeBenito 8125c9
Chris PeBenito 8125c9
#
Chris PeBenito b2dc7f
# privfd: complete
Chris PeBenito b2dc7f
#
Chris PeBenito 58c777
domain_wide_inherit_fd($1)
Chris PeBenito b2dc7f
Chris PeBenito b2dc7f
#
Chris PeBenito f48a2a
# privlog: complete
Chris PeBenito c28c4b
#
Chris PeBenito 58c777
logging_send_syslog_msg($1)
Chris PeBenito f48a2a
Chris PeBenito f48a2a
#
Chris PeBenito 7bb610
# privmail: complete
Chris PeBenito c28c4b
#
Chris PeBenito 35519c
mta_send_mail($1)
Chris PeBenito c28c4b
Chris PeBenito c28c4b
#
Chris PeBenito 5fd4a1
# privmem: complete
Chris PeBenito 5fd4a1
#
Chris PeBenito 5fd4a1
# handled by appropriate interfaces
Chris PeBenito 5fd4a1
Chris PeBenito 5fd4a1
#
Chris PeBenito f48a2a
# privmodule: complete
Chris PeBenito f48a2a
#
Chris PeBenito 58c777
modutils_domtrans_insmod($1)
Chris PeBenito f48a2a
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
# privowner: complete
Chris PeBenito 465a5e
#
Chris PeBenito 58c777
domain_obj_id_change_exempt($1)
Chris PeBenito 465a5e
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
# privrole: complete
Chris PeBenito 465a5e
#
Chris PeBenito 58c777
domain_role_change_exempt($1)
Chris PeBenito 465a5e
Chris PeBenito 465a5e
#
Chris PeBenito 465a5e
# privuser: complete
Chris PeBenito 465a5e
#
Chris PeBenito 58c777
domain_subj_id_change_exempt($1)
Chris PeBenito f48a2a
Chris PeBenito 8125c9
#
Chris PeBenito 11ba8e
# priv_system_role: complete
Chris PeBenito 11ba8e
#
Chris PeBenito 11ba8e
domain_system_change_exempt($1)
Chris PeBenito 11ba8e
Chris PeBenito 11ba8e
#
Chris PeBenito e7498c
# sysadmfile: complete
Chris PeBenito e7498c
#
Chris PeBenito e7498c
files_type($1)
Chris PeBenito e7498c
Chris PeBenito e7498c
#
Chris PeBenito 5fd4a1
# sysctl_kernel_writer: complete
Chris PeBenito 5fd4a1
#
Chris PeBenito 5fd4a1
# handled by appropriate interfaces
Chris PeBenito 5fd4a1
Chris PeBenito 5fd4a1
#
Chris PeBenito 8125c9
# userspace_objmgr: complete
Chris PeBenito 8125c9
#
Chris PeBenito 8125c9
allow $1 self:process getattr;
Chris PeBenito 8125c9
# Receive notifications of policy reloads and enforcing status changes.
Chris PeBenito 8125c9
allow $1 self:netlink_selinux_socket { create bind read };
Chris PeBenito 8125c9
selinux_get_fs_mount($1)
Chris PeBenito 8125c9
selinux_validate_context($1)
Chris PeBenito 8125c9
selinux_compute_access_vector($1)
Chris PeBenito 8125c9
selinux_compute_create_context($1)
Chris PeBenito 8125c9
selinux_compute_relabel_context($1)
Chris PeBenito 8125c9
selinux_compute_user_contexts($1)
Chris PeBenito 8125c9
seutil_read_config($1)
Chris PeBenito 8125c9
seutil_read_default_contexts($1)
Chris PeBenito 8125c9
Chris PeBenito 07b01c
#
Chris PeBenito 07b01c
# web_client_domain:
Chris PeBenito 07b01c
#
Chris PeBenito 07b01c
optional_policy(`squid.te',`
Chris PeBenito 07b01c
	squid_use($1)
Chris PeBenito 07b01c
')
Chris PeBenito 07b01c
Chris PeBenito f48a2a
########################################
Chris PeBenito f48a2a
#
Chris PeBenito 835b6a
# Access macros
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# access_terminal():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
Chris PeBenito 835b6a
allow $1 devtty_t:chr_file { read write getattr ioctl };
Chris PeBenito 835b6a
allow $1 devpts_t:dir { read search getattr };
Chris PeBenito 835b6a
allow $1 $2_devpts_t:chr_file { read write getattr ioctl };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# append_log_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_log_t;
Chris PeBenito 58c777
logging_log_file($1_log_t)
Chris PeBenito 835b6a
allow $1_t var_log_t:dir ra_dir_perms;
Chris PeBenito 835b6a
allow $1_t $1_log_t:file  { create ra_file_perms };
Chris PeBenito 835b6a
type_transition $1_t var_log_t:file $1_log_t;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# append_logdir_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_log_t;
Chris PeBenito 58c777
logging_log_file($1_log_t)
Chris PeBenito 835b6a
allow $1_t var_log_t:dir ra_dir_perms;
Chris PeBenito 835b6a
allow $1_t $1_log_t:dir { setattr ra_dir_perms };
Chris PeBenito 835b6a
allow $1_t $1_log_t:file  { create ra_file_perms };
Chris PeBenito 835b6a
type_transition $1_t var_log_t:file $1_log_t;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# application_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_t;
Chris PeBenito 835b6a
type $1_exec_t;
Chris PeBenito 58c777
domain_type($1_t)
Chris PeBenito 58c777
domain_entry_file($1_t,$1_exec_t)
Chris PeBenito 58c777
libs_use_ld_so($1_t)
Chris PeBenito 58c777
libs_use_shared_libs($1_t)
Chris PeBenito 7bb610
# a "run" interface needs to be
Chris PeBenito 7bb610
# added, and have sysadm_t use it
Chris PeBenito 7bb610
# in a optional_policy block.
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# base_can_network($1,$2,$3):
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
allow $1 self:$2_socket connected_socket_perms;
Chris PeBenito 58c777
corenet_$2_sendrecv_all_if($1)
Chris PeBenito 58c777
corenet_raw_sendrecv_all_if($1)
Chris PeBenito 58c777
corenet_$2_sendrecv_all_nodes($1)
Chris PeBenito 58c777
corenet_raw_sendrecv_all_nodes($1)
Chris PeBenito 58c777
corenet_$2_bind_all_nodes($1)
Chris PeBenito 58c777
sysnet_read_config($1)
Chris PeBenito 7bb610
# if $3 is specified (remove _port_t from $3):
Chris PeBenito 7bb610
corenet_$2_sendrecv_$3_port($1)
Chris PeBenito 7bb610
# else:
Chris PeBenito 7bb610
corenet_$2_sendrecv_all_ports($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# base_file_read_access(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
kernel_read_kernel_sysctl($1)
Chris PeBenito 7bb610
corecmd_list_bin($1)
Chris PeBenito 7bb610
corecmd_read_bin_symlink($1)
Chris PeBenito 7bb610
corecmd_read_bin_file($1)
Chris PeBenito 7bb610
corecmd_read_bin_pipe($1)
Chris PeBenito 7bb610
corecmd_read_bin_socket($1)
Chris PeBenito 7bb610
corecmd_list_sbin($1)
Chris PeBenito 7bb610
corecmd_read_sbin_symlink($1)
Chris PeBenito 7bb610
corecmd_read_sbin_file($1)
Chris PeBenito 7bb610
corecmd_read_sbin_pipe($1)
Chris PeBenito 7bb610
corecmd_read_sbin_socket($1)
Chris PeBenito 58c777
files_list_home($1)
Chris PeBenito 58c777
files_read_usr_files($1)
Chris PeBenito 58c777
seutil_read_config($1)
Chris PeBenito 8125c9
tunable_policy(`read_default_t',`
Chris PeBenito 8125c9
	files_list_default($1)
Chris PeBenito 8125c9
	files_read_default_files($1)
Chris PeBenito 8125c9
	files_read_default_symlinks($1)
Chris PeBenito 8125c9
	files_read_default_sockets($1)
Chris PeBenito 8125c9
	files_read_default_pipes($1)
Chris PeBenito 8125c9
')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# base_pty_perms():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1_t ptmx_t:chr_file rw_file_perms;
Chris PeBenito 835b6a
allow $1_t devpts_t:filesystem getattr;
Chris PeBenito 835b6a
allow $1_t devpts_t:dir { getattr read search };
Chris PeBenito 835b6a
dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# can_create($1,$2,$3): complete
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# for each object class in $3:
Chris PeBenito 7bb610
# if dir:
Chris PeBenito 7bb610
allow $1 $2:dir create_dir_perms;
Chris PeBenito 7bb610
# else if lnk_file:
Chris PeBenito 7bb610
allow $1 $2:lnk_file create_lnk_perms;
Chris PeBenito 7bb610
# else:
Chris PeBenito 7bb610
allow $1 $2:$3 create_file_perms;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_create_other_pty(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
allow $1_t $2_devpts_t:chr_file { rw_file_perms setattr };
Chris PeBenito 58c777
term_create_pty($1_t,$2_devpts_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_create_pty(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# $2 may require more conversion
Chris PeBenito 835b6a
type $1_devpts_t $2;
Chris PeBenito 58c777
term_pty($1_devpts_t)
Chris PeBenito 7bb610
allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr };
Chris PeBenito 58c777
term_create_pty($1_t,$1_devpts_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 36f72d
# can_exec_any(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
corecmd_exec_bin($1)
Chris PeBenito 58c777
corecmd_exec_sbin($1)
Chris PeBenito 7bb610
domain_exec_all_entry_files($1)
Chris PeBenito 7bb610
files_exec_etc_files($1)
Chris PeBenito 58c777
libs_use_ld_so($1)
Chris PeBenito 58c777
libs_use_shared_libs($1)
Chris PeBenito 58c777
libs_exec_ld_so($1)
Chris PeBenito 58c777
libs_exec_lib_files($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 8125c9
# can_getcon(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:process getattr;
Chris PeBenito 465a5e
kernel_read_system_state($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# can_getsecurity(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
selinux_get_fs_mount($1)
Chris PeBenito 58c777
selinux_validate_context($1)
Chris PeBenito 58c777
selinux_compute_access_vector($1)
Chris PeBenito 58c777
selinux_compute_create_context($1)
Chris PeBenito 58c777
selinux_compute_relabel_context($1)
Chris PeBenito 58c777
selinux_compute_user_contexts($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
# can_kerberos(): complete
Chris PeBenito 428b57
#
Chris PeBenito 58c777
optional_policy(`kerberos.te',`
Chris PeBenito 58c777
	kerberos_use($1)
Chris PeBenito 58c777
')
Chris PeBenito 428b57
Chris PeBenito 428b57
#
Chris PeBenito 58c777
# can_ldap(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 5493c2
sysnet_use_ldap($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_loadpol(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
selinux_get_fs_mount($1)
Chris PeBenito 58c777
selinux_load_policy($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 07b01c
# can_network($1):
Chris PeBenito 07b01c
#
Chris PeBenito 07b01c
allow $1 self:tcp_socket create_stream_socket_perms;
Chris PeBenito 07b01c
allow $1 self:udp_socket create_socket_perms;
Chris PeBenito 07b01c
corenet_tcp_sendrecv_all_if($1)
Chris PeBenito 07b01c
corenet_udp_sendrecv_all_if($1)
Chris PeBenito 07b01c
corenet_raw_sendrecv_all_if($1)
Chris PeBenito 07b01c
corenet_tcp_sendrecv_all_nodes($1)
Chris PeBenito 07b01c
corenet_udp_sendrecv_all_nodes($1)
Chris PeBenito 07b01c
corenet_raw_sendrecv_all_nodes($1)
Chris PeBenito 07b01c
corenet_tcp_sendrecv_all_ports($1)
Chris PeBenito 07b01c
corenet_udp_sendrecv_all_ports($1)
Chris PeBenito 07b01c
corenet_tcp_bind_all_nodes($1)
Chris PeBenito 07b01c
corenet_udp_bind_all_nodes($1)
Chris PeBenito 07b01c
sysnet_read_config($1)
Chris PeBenito 07b01c
optional_policy(`mount.te',`
Chris PeBenito 07b01c
	mount_send_nfs_client_request($1)
Chris PeBenito 07b01c
')
Chris PeBenito 07b01c
Chris PeBenito 07b01c
#
Chris PeBenito 07b01c
# can_network($1,$2):
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
can_network_tcp($1, `$2')
Chris PeBenito 835b6a
can_network_udp($1, `$2')
Chris PeBenito 07b01c
optional_policy(`mount.te',`
Chris PeBenito 07b01c
	mount_send_nfs_client_request($1)
Chris PeBenito 835b6a
')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_network_client():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
can_network_client_tcp($1, `$2')
Chris PeBenito 835b6a
can_network_udp($1, `$2')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 36f72d
# can_network_client_tcp($1): complete
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
allow $1 self:tcp_socket create_socket_perms;
Chris PeBenito 58c777
corenet_tcp_sendrecv_all_if($1)
Chris PeBenito 58c777
corenet_raw_sendrecv_all_if($1)
Chris PeBenito 58c777
corenet_tcp_sendrecv_all_nodes($1)
Chris PeBenito 58c777
corenet_raw_sendrecv_all_nodes($1)
Chris PeBenito 58c777
corenet_tcp_sendrecv_all_ports($1)
Chris PeBenito 58c777
corenet_tcp_bind_all_nodes($1)
Chris PeBenito 58c777
sysnet_read_config($1)
Chris PeBenito 36f72d
Chris PeBenito 36f72d
#
Chris PeBenito 36f72d
# can_network_client_tcp($1,$2):
Chris PeBenito 36f72d
#
Chris PeBenito 36f72d
# remove _port_t from $2
Chris PeBenito 58c777
allow $1 self:tcp_socket create_socket_perms;
Chris PeBenito 58c777
corenet_tcp_sendrecv_all_if($1)
Chris PeBenito 58c777
corenet_raw_sendrecv_all_if($1)
Chris PeBenito 58c777
corenet_tcp_sendrecv_all_nodes($1)
Chris PeBenito 58c777
corenet_raw_sendrecv_all_nodes($1)
Chris PeBenito 58c777
corenet_tcp_sendrecv_$2_port($1)
Chris PeBenito 58c777
corenet_tcp_bind_all_nodes($1)
Chris PeBenito 58c777
sysnet_read_config($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_network_server():
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
allow $1 self:tcp_socket create_stream_socket_perms;
Chris PeBenito a47ea6
allow $1 self:udp_socket { connect };
Chris PeBenito 835b6a
base_can_network($1, tcp, `$2')
Chris PeBenito a47ea6
base_can_network($1, udp, `$2')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_network_server_tcp():
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
allow $1 self:tcp_socket create_stream_socket_perms;
Chris PeBenito 835b6a
base_can_network($1, tcp, `$2')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# can_network_tcp():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
can_network_server_tcp($1, `$2')
Chris PeBenito 835b6a
can_network_client_tcp($1, `$2')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_network_udp(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
base_can_network($1, udp, `$2')
Chris PeBenito 835b6a
allow $1 self:udp_socket { connect };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_ps():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:dir { search getattr read };
Chris PeBenito 835b6a
allow $1 $2:{ file lnk_file } { read getattr };
Chris PeBenito 835b6a
allow $1 $2:process getattr;
Chris PeBenito 835b6a
# We need to suppress this denial because procps tries to access
Chris PeBenito 835b6a
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
Chris PeBenito 835b6a
# (2.4 and 2.6).  Might want to change procps to not do this, or only if
Chris PeBenito 835b6a
# running in a privileged domain.
Chris PeBenito 835b6a
dontaudit $1 $2:process ptrace;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_ptrace():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:process ptrace;
Chris PeBenito 835b6a
allow $2 $1:process sigchld;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 5493c2
# can_portmap():
Chris PeBenito 5493c2
#
Chris PeBenito 5493c2
sysnet_use_portmap($1)
Chris PeBenito 5493c2
Chris PeBenito 5493c2
#
Chris PeBenito 58c777
# can_resolve(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 5493c2
sysnet_dns_name_resolve($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_setbool(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
selinux_get_fs_mount($1)
Chris PeBenito 58c777
selinux_set_boolean($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# can_setcon(): complete
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
# get mount point is due to libselinux init
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:process setcurrent;
Chris PeBenito 58c777
selinux_get_fs_mount($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_setenforce(): complete
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# get mount point is due to libselinux init
Chris PeBenito f48a2a
#
Chris PeBenito 58c777
selinux_get_fs_mount($1)
Chris PeBenito 58c777
selinux_set_enforce_mode($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# can_setexec(): complete
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
# get mount point is due to libselinux init
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:process setexec;
Chris PeBenito 58c777
selinux_get_fs_mount($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# can_setfscreate(): complete
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
# get mount point is due to libselinux init
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 self:process setfscreate;
Chris PeBenito 58c777
selinux_get_fs_mount($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# can_setsecparam(): complete
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
# get mount point is due to libselinux init
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
selinux_get_fs_mount($1)
Chris PeBenito f48a2a
kernel_setsecparam($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_sysctl(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
kernel_rw_all_sysctl($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# can_tcp_connect():
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
allow $1 $2:tcp_socket { connectto recvfrom };
Chris PeBenito 58c777
allow $2 $1:tcp_socket { acceptfrom recvfrom };
Chris PeBenito 58c777
allow $2 kernel_t:tcp_socket recvfrom;
Chris PeBenito 58c777
allow $1 kernel_t:tcp_socket recvfrom;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_udp_send():
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
allow $1 $2:udp_socket sendto;
Chris PeBenito 58c777
allow $2 $1:udp_socket recvfrom;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_unix_connect():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:unix_stream_socket connectto;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# can_unix_send():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:unix_dgram_socket sendto;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
# can_ypbind(): complete
Chris PeBenito f48a2a
#
Chris PeBenito 58c777
optional_policy(`nis.te',`
Chris PeBenito 58c777
	nis_use_ypbind($1)
Chris PeBenito 58c777
')
Chris PeBenito f48a2a
Chris PeBenito f48a2a
#
Chris PeBenito 835b6a
# create_append_log_file():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:dir { read getattr search add_name write };
Chris PeBenito 835b6a
allow $1 $2:file { create ioctl getattr setattr append link };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_dir_file():
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
allow $1 $2:dir create_dir_perms;
Chris PeBenito 7bb610
allow $1 $2:file create_file_perms;
Chris PeBenito 7bb610
allow $1 $2:lnk_file create_lnk_perms;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# create_dir_notdevfile():
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
allow $1 $2:dir create_dir_perms;
Chris PeBenito 7bb610
allow $1 $2:{ file sock_file fifo_file } create_file_perms;
Chris PeBenito 7bb610
allow $1 $2:lnk_file create_lnk_perms;
Chris PeBenito f48a2a
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
# daemon_base_domain():
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
type $1_t;
Chris PeBenito f48a2a
type $1_exec_t;
Chris PeBenito 58c777
init_daemon_domain($1_t,$1_exec_t)
Chris PeBenito f48a2a
dontaudit $1_t self:capability sys_tty_config;
Chris PeBenito 7bb610
allow $1_t self:process signal_perms;
Chris PeBenito 7bb610
kernel_list_proc($1_t)
Chris PeBenito 7bb610
kernel_read_proc_symlinks($1_t)
Chris PeBenito f48a2a
kernel_read_kernel_sysctl($1_t)
Chris PeBenito 58c777
dev_read_sysfs($1_t)
Chris PeBenito 58c777
fs_search_auto_mountpoints($1_t)
Chris PeBenito 58c777
term_dontaudit_use_console($1_t)
Chris PeBenito 58c777
domain_use_wide_inherit_fd($1_t)
Chris PeBenito 58c777
init_use_fd($1_t)
Chris PeBenito 58c777
init_use_script_pty($1_t)
Chris PeBenito 58c777
libs_use_ld_so($1_t)
Chris PeBenito 58c777
libs_use_shared_libs($1_t)
Chris PeBenito 58c777
logging_send_syslog_msg($1_t)
Chris PeBenito 58c777
userdom_dontaudit_use_unpriv_user_fd($1_t)
Chris PeBenito 58c777
ifdef(`targeted_policy',`
Chris PeBenito 58c777
	term_dontaudit_use_unallocated_tty($1_t)
Chris PeBenito 58c777
	term_dontaudit_use_generic_pty($1_t)
Chris PeBenito 58c777
	files_dontaudit_read_root_file($1_t)
Chris PeBenito b2dc7f
')
Chris PeBenito 7bb610
optional_policy(`selinuxutil.te',`
Chris PeBenito e7498c
	seutil_sigchld_newrole($1_t)
Chris PeBenito b2dc7f
')
Chris PeBenito f48a2a
optional_policy(`udev.te', `
Chris PeBenito 58c777
	udev_read_db($1_t)
Chris PeBenito f48a2a
')
Chris PeBenito aa8995
ifdef(`TODO',`
Chris PeBenito aa8995
optional_policy(`rhgb.te',`
Chris PeBenito aa8995
	rhgb_domain($1_t)
Chris PeBenito aa8995
')
Chris PeBenito aa8995
') dnl end TODO
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# daemon_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_t;
Chris PeBenito 835b6a
type $1_exec_t;
Chris PeBenito 58c777
init_daemon_domain($1_t,$1_exec_t)
Chris PeBenito 835b6a
type $1_var_run_t;
Chris PeBenito 58c777
files_pid_file($1_var_run_t)
Chris PeBenito 835b6a
dontaudit $1_t self:capability sys_tty_config;
Chris PeBenito 7bb610
allow $1_t $1_var_run_t:file create_file_perms;
Chris PeBenito 3c8c1b
allow $1_t $1_var_run_t:dir rw_dir_perms;
Chris PeBenito 58c777
files_create_pid($1_t,$1_var_run_t)
Chris PeBenito f48a2a
kernel_read_kernel_sysctl($1_t)
Chris PeBenito 8125c9
kernel_list_proc($1_t)
Chris PeBenito 7bb610
kernel_read_proc_symlinks($1_t)
Chris PeBenito 58c777
dev_read_sysfs($1_t)
Chris PeBenito 58c777
fs_getattr_all_fs($1_t)
Chris PeBenito 58c777
fs_search_auto_mountpoints($1_t)
Chris PeBenito 58c777
term_dontaudit_use_console($1_t)
Chris PeBenito 58c777
domain_use_wide_inherit_fd($1_t)
Chris PeBenito 58c777
init_use_fd($1_t)
Chris PeBenito 58c777
init_use_script_pty($1_t)
Chris PeBenito 58c777
libs_use_ld_so($1_t)
Chris PeBenito 58c777
libs_use_shared_libs($1_t)
Chris PeBenito 58c777
logging_send_syslog_msg($1_t)
Chris PeBenito f48a2a
miscfiles_read_localization($1_t)
Chris PeBenito 58c777
userdom_dontaudit_use_unpriv_user_fd($1_t)
Chris PeBenito 8125c9
userdom_dontaudit_search_sysadm_home_dir($1_t)
Chris PeBenito 58c777
ifdef(`targeted_policy', `
Chris PeBenito 58c777
	term_dontaudit_use_unallocated_tty($1_t)
Chris PeBenito 58c777
	term_dontaudit_use_generic_pty($1_t)
Chris PeBenito 58c777
	files_dontaudit_read_root_file($1_t)
Chris PeBenito b2dc7f
')
Chris PeBenito 7bb610
optional_policy(`selinuxutil.te',`
Chris PeBenito 8125c9
	seutil_sigchld_newrole($1_t)
Chris PeBenito 428b57
')
Chris PeBenito b2dc7f
optional_policy(`udev.te', `
Chris PeBenito 58c777
	udev_read_db($1_t)
Chris PeBenito b2dc7f
')
Chris PeBenito aa8995
ifdef(`TODO',`
Chris PeBenito aa8995
optional_policy(`rhgb.te',`
Chris PeBenito aa8995
	rhgb_domain($1_t)
Chris PeBenito aa8995
')
Chris PeBenito aa8995
') dnl end TODO
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# daemon_sub_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# $3 may need more work
Chris PeBenito 7bb610
type $2_t; #, daemon $3;
Chris PeBenito 7bb610
domain_type($2_t)
Chris PeBenito 7bb610
type $2_exec_t;
Chris PeBenito 7bb610
domain_entry_file($2_t,$2_exec_t)
Chris PeBenito 835b6a
role system_r types $2_t;
Chris PeBenito 835b6a
allow $2_t self:process signal_perms;
Chris PeBenito 7bb610
domain_auto_trans($1, $2_exec_t, $2_t)
Chris PeBenito 7bb610
logging_send_syslog_msg($1_t)
Chris PeBenito 58c777
libs_use_ld_so($2_t)
Chris PeBenito 58c777
libs_use_shared_libs($2_t)
Chris PeBenito 7bb610
kernel_list_proc($1_t)
Chris PeBenito 7bb610
kernel_read_proc_symlinks($1_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# etc_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_etc_t; #, usercanread;
Chris PeBenito 7bb610
files_type($1_etc_t)
Chris PeBenito 465a5e
allow $1_t $1_etc_t:file { getattr read };
Chris PeBenito 7bb610
files_search_etc($1_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# etcdir_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_etc_t; #, usercanread;
Chris PeBenito 58c777
files_file_type($1_etc_t)
Chris PeBenito 835b6a
allow $1_t $1_etc_t:file r_file_perms;
Chris PeBenito 835b6a
allow $1_t $1_etc_t:dir r_dir_perms;
Chris PeBenito 835b6a
allow $1_t $1_etc_t:lnk_file { getattr read };
Chris PeBenito 7bb610
files_search_etc($1_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# file_type_auto_trans($1,$2,$3): complete
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
allow $1 $2:dir rw_dir_perms;
Chris PeBenito 7bb610
allow $1 $3:dir create_dir_perms;
Chris PeBenito 7bb610
allow $1 $3:file create_file_perms;
Chris PeBenito 7bb610
allow $1 $3:lnk_file create_lnk_perms;
Chris PeBenito 7bb610
allow $1 $3:sock_file create_file_perms;
Chris PeBenito d91350
allow $1 $3:fifo_file create_file_perms;
Chris PeBenito 7bb610
type_transition $1 $2:{ file lnk_file sock_file fifo_file } $3;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# file_type_auto_trans($1,$2,$3,$4): complete
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
allow $1 $2:dir rw_dir_perms;
Chris PeBenito 70abf8
# for each i in $4:
Chris PeBenito 70abf8
can_create_internal($1,$3,$i)
Chris PeBenito 835b6a
type_transition $1 $2:$i $3;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
# general_domain_access(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 07b01c
allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
Chris PeBenito 835b6a
allow $1 self:fd use;
Chris PeBenito 58c777
allow $1 self:fifo_file rw_file_perms;
Chris PeBenito 58c777
allow $1 self:unix_dgram_socket create_socket_perms;
Chris PeBenito 58c777
allow $1 self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 835b6a
allow $1 self:unix_dgram_socket sendto;
Chris PeBenito 835b6a
allow $1 self:unix_stream_socket connectto;
Chris PeBenito 58c777
allow $1 self:shm create_shm_perms;
Chris PeBenito 58c777
allow $1 self:sem create_sem_perms;
Chris PeBenito 58c777
allow $1 self:msgq create_msgq_perms;
Chris PeBenito 835b6a
allow $1 self:msg { send receive };
Chris PeBenito 58c777
fs_search_auto_mountpoints($1)
Chris PeBenito aa8995
userdom_use_unpriv_users_fd($1)
Chris PeBenito 58c777
optional_policy(`nis.te',`
Chris PeBenito 58c777
	nis_use_ypbind($1)
Chris PeBenito 835b6a
')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# general_proc_read_access(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
kernel_read_system_state($1)
Chris PeBenito 7bb610
kernel_read_network_state($1)
Chris PeBenito 835b6a
kernel_read_software_raid_state($1)
Chris PeBenito 58c777
kernel_getattr_core($1)
Chris PeBenito 58c777
kernel_getattr_message_if($1)
Chris PeBenito 835b6a
kernel_read_kernel_sysctl($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# in_user_role():
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# this is replaced by run interfaces
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# init_service_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_t;
Chris PeBenito 835b6a
type $1_exec_t;
Chris PeBenito 7bb610
init_domain($1_t,$1_exec_t)
Chris PeBenito f48a2a
dontaudit $1_t self:capability sys_tty_config;
Chris PeBenito 7bb610
allow self:process signal_perms;
Chris PeBenito 7bb610
kernel_list_proc($1_t)
Chris PeBenito 7bb610
kernel_read_proc_symlinks($1_t)
Chris PeBenito 58c777
dev_read_sysfs($1_t)
Chris PeBenito 58c777
term_dontaudit_use_console($1_t)
Chris PeBenito 58c777
libs_use_ld_so($1_t)
Chris PeBenito 58c777
libs_use_shared_libs($1_t)
Chris PeBenito 58c777
logging_send_syslog_msg($1_t)
Chris PeBenito 7bb610
userdom_dontaudit_use_unpriv_user_fd($1_t)
Chris PeBenito 7bb610
ifdef(`targeted_policy',`
Chris PeBenito 7bb610
	term_dontaudit_use_unallocated_tty($1_t)
Chris PeBenito 7bb610
	term_dontaudit_use_generic_pty($1_t)
Chris PeBenito 7bb610
	files_dontaudit_read_root_file($1_t)
Chris PeBenito 7bb610
')
Chris PeBenito 7bb610
optional_policy(`udev.te',`
Chris PeBenito 7bb610
	udev_read_db($1_t)
Chris PeBenito f48a2a
')
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
# inetd_child_domain():
Chris PeBenito 58c777
#
Chris PeBenito aa8995
type $1_t;
Chris PeBenito 58c777
type $1_exec_t;
Chris PeBenito 58c777
inetd_(udp_|tcp_)?service_domain($1_t,$1_exec_t)
Chris PeBenito 58c777
role system_r types $1_t;
Chris PeBenito 58c777
type $1_tmp_t;
Chris PeBenito 58c777
files_tmp_file($1_tmp_t)
Chris PeBenito 58c777
type $1_var_run_t;
Chris PeBenito 58c777
files_pid_file($1_var_run_t)
Chris PeBenito 58c777
allow $1_t self:process signal_perms;
Chris PeBenito 58c777
allow $1_t self:fifo_file rw_file_perms;
Chris PeBenito 777d80
allow $1_t self:tcp_socket connected_stream_socket_perms;
Chris PeBenito 58c777
# for identd
Chris PeBenito 58c777
# cjp: this should probably only be inetd_child rules?
Chris PeBenito 58c777
allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
Chris PeBenito 58c777
allow $1_t self:capability { setuid setgid };
Chris PeBenito aa8995
files_search_home($1_t)
Chris PeBenito aa8995
optional_policy(`kerberos.te',`
Chris PeBenito aa8995
	kerberos_use($1_t)
Chris PeBenito aa8995
')
Chris PeBenito 58c777
#end for identd
Chris PeBenito 58c777
allow $1_t $1_tmp_t:dir create_dir_perms;
Chris PeBenito 58c777
allow $1_t $1_tmp_t:file create_file_perms;
Chris PeBenito 58c777
files_create_tmp_files($1_t, $1_tmp_t, { file dir })
Chris PeBenito 58c777
allow $1_t $1_var_run_t:file create_file_perms;
Chris PeBenito 58c777
files_create_pid($1_t,$1_var_run_t)
Chris PeBenito 58c777
kernel_read_kernel_sysctl($1_t)
Chris PeBenito 58c777
kernel_read_system_state($1_t)
Chris PeBenito 58c777
kernel_read_network_state($1_t)
Chris PeBenito 1d1d21
corenet_tcp_sendrecv_all_if($1_t)
Chris PeBenito a47ea6
corenet_udp_sendrecv_all_if($1_t)
Chris PeBenito 1d1d21
corenet_raw_sendrecv_all_if($1_t)
Chris PeBenito 1d1d21
corenet_tcp_sendrecv_all_nodes($1_t)
Chris PeBenito a47ea6
corenet_udp_sendrecv_all_nodes($1_t)
Chris PeBenito 1d1d21
corenet_raw_sendrecv_all_nodes($1_t)
Chris PeBenito 1d1d21
corenet_tcp_sendrecv_all_ports($1_t)
Chris PeBenito a47ea6
corenet_udp_sendrecv_all_ports($1_t)
Chris PeBenito a47ea6
corenet_tcp_bind_all_nodes($1_t)
Chris PeBenito a47ea6
corenet_udp_bind_all_nodes($1_t)
Chris PeBenito 58c777
dev_read_urand($1_t)
Chris PeBenito 58c777
fs_getattr_xattr_fs($1_t)
Chris PeBenito 1d1d21
files_read_etc_files($1_t)
Chris PeBenito 58c777
libs_use_ld_so($1_t)
Chris PeBenito 58c777
libs_use_shared_libs($1_t)
Chris PeBenito 58c777
logging_send_syslog_msg($1_t)
Chris PeBenito 58c777
miscfiles_read_localization($1_t)
Chris PeBenito 58c777
sysnet_read_config($1_t)
Chris PeBenito 58c777
optional_policy(`nis.te',`
Chris PeBenito 58c777
	nis_use_ypbind($1_t)
Chris PeBenito 58c777
')
Chris PeBenito aa8995
optional_policy(`nscd.te',`
Chris PeBenito aa8995
	nscd_use_socket($1_t)
Chris PeBenito aa8995
')
Chris PeBenito 58c777
Chris PeBenito 58c777
#
Chris PeBenito 835b6a
# legacy_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 5493c2
allow $1_t self:process { execmem execstack };
Chris PeBenito 58c777
libs_legacy_use_shared_libs($1_t)
Chris PeBenito 58c777
libs_legacy_use_ld_so($1_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 70abf8
# lock_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 70abf8
type $1_lock_t;
Chris PeBenito 58c777
files_lock_file($1_lock_t)
Chris PeBenito 58c777
allow $1_t $1_lock_t:file create_file_perms;
Chris PeBenito 83515f
files_create_lock($1_t,$1_lock_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# log_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
type $1_log_t;
Chris PeBenito 58c777
logging_log_file($1_log_t)
Chris PeBenito 58c777
allow $1_t $1_log_t:file create_file_perms;
Chris PeBenito 58c777
logging_create_log($1_t,$1_log_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# logdir_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
type $1_log_t;
Chris PeBenito 58c777
logging_log_file($1_log_t)
Chris PeBenito 58c777
allow $1_t $1_log_t:file create_file_perms;
Chris PeBenito 58c777
allow $1_t $1_log_t:dir rw_dir_perms;
Chris PeBenito 07b01c
logging_create_log($1_t,$1_log_t,{ file dir })
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# network_home_dir():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
create_dir_file($1, $2)
Chris PeBenito 835b6a
can_exec($1, $2)
Chris PeBenito f48a2a
allow $1 $2:{ sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 5493c2
# polyinstantiater():
Chris PeBenito 5493c2
#
Chris PeBenito 5493c2
ifdef(`support_polyinstantiation', `
Chris PeBenito 5493c2
# Need to give access to /selinux/member
Chris PeBenito 5493c2
selinux_compute_member($1)
Chris PeBenito 5493c2
# Need sys_admin capability for mounting
Chris PeBenito 5493c2
allow $1 self:capability sys_admin;
Chris PeBenito 5493c2
# Need to give access to the directories to be polyinstantiated
Chris PeBenito 5493c2
allow $1 polydir:dir { getattr mounton add_name create setattr write search };
Chris PeBenito 5493c2
# Need to give access to the polyinstantiated subdirectories
Chris PeBenito 5493c2
allow $1 polymember:dir {getattr search };
Chris PeBenito 5493c2
# Need to give access to parent directories where original
Chris PeBenito 5493c2
# is remounted for polyinstantiation aware programs (like gdm)
Chris PeBenito 5493c2
allow $1 polyparent:dir { getattr mounton };
Chris PeBenito 5493c2
# Need to give permission to create directories where applicable
Chris PeBenito 5493c2
allow $1 polymember: dir { create setattr };
Chris PeBenito 5493c2
allow $1 polydir: dir { write add_name };
Chris PeBenito 5493c2
allow $1 self:process setfscreate;
Chris PeBenito 5493c2
allow $1 polyparent:dir { write add_name };
Chris PeBenito 5493c2
# Default type for mountpoints
Chris PeBenito 5493c2
allow $1 poly_t:dir { create mounton };
Chris PeBenito 5493c2
')
Chris PeBenito 5493c2
Chris PeBenito 5493c2
#
Chris PeBenito 835b6a
# pty_slave_label():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
Chris PeBenito 835b6a
allow $1_devpts_t devpts_t:filesystem associate;
Chris PeBenito 835b6a
type_transition $1_t devpts_t:chr_file $1_devpts_t;
Chris PeBenito 835b6a
allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# r_dir_file(): complete
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
allow $1 $2:dir { getattr read search };
Chris PeBenito f48a2a
allow $1 $2:file { read getattr };
Chris PeBenito 835b6a
allow $1 $2:lnk_file { getattr read };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# ra_dir_create_file(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:dir ra_dir_perms;
Chris PeBenito 835b6a
allow $1 $2:file { create ra_file_perms };
Chris PeBenito 835b6a
allow $1 $2:lnk_file { create read getattr };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# ra_dir_file(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
allow $1 $2:dir ra_dir_perms;
Chris PeBenito 835b6a
allow $1 $2:file ra_file_perms;
Chris PeBenito 835b6a
allow $1 $2:lnk_file { getattr read };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# read_locale(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
miscfiles_read_localization($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# read_sysctl($1): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
kernel_read_kernel_sysctl($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# read_sysctl($1,full): complete
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
kernel_read_all_sysctl($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# rhgb_domain():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# rw_dir_create_file(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
allow $1 $2:dir rw_dir_perms;
Chris PeBenito 7bb610
allow $1 $2:file create_file_perms;
Chris PeBenito 7bb610
allow $1 $2:lnk_file create_lnk_perms;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# rw_dir_file(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# cjp: rw_dir_perms here doesnt make sense
Chris PeBenito 7bb610
allow $1 $2:dir rw_dir_perms;
Chris PeBenito 835b6a
allow $1 $2:file rw_file_perms;
Chris PeBenito 835b6a
allow $1 $2:lnk_file { getattr read };
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# system_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito a01ab8
type $1_t;
Chris PeBenito a01ab8
type $1_exec_t;
Chris PeBenito 7bb610
init_system_domain($1_t,$1_exec_t)
Chris PeBenito 7bb610
files_list_etc($1_t)
Chris PeBenito 58c777
libs_use_ld_so($1_t)
Chris PeBenito 58c777
libs_use_shared_libs($1_t)
Chris PeBenito 58c777
logging_send_syslog_msg($1_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 80a63c
# tmp_domain($1): complete
Chris PeBenito 835b6a
#
Chris PeBenito 80a63c
type $1_tmp_t;
Chris PeBenito 58c777
files_tmp_file($1_tmp_t)
Chris PeBenito 58c777
allow $1_t $1_tmp_t:dir create_dir_perms;
Chris PeBenito 58c777
allow $1_t $1_tmp_t:file create_file_perms;
Chris PeBenito 58c777
files_create_tmp_files($1_t, $1_tmp_t, { file dir })
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito f48a2a
# tmp_domain($1,$2,$3): complete
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
# $2 may need more handling
Chris PeBenito f48a2a
#
Chris PeBenito f48a2a
type $1_tmp_t $2;
Chris PeBenito 58c777
files_tmp_file($1_tmp_t)
Chris PeBenito f48a2a
allow $1_t $1_tmp_t:$3 manage_obj_perms;
Chris PeBenito 7bb610
files_create_tmp_files($1_t, $1_tmp_t, $3)
Chris PeBenito f48a2a
Chris PeBenito f48a2a
#
Chris PeBenito 58c777
# tmpfs_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
type $1_tmpfs_t;
Chris PeBenito 58c777
files_tmpfs_file($1_tmpfs_t)
Chris PeBenito 58c777
allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
Chris PeBenito 58c777
allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito 58c777
allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
Chris PeBenito 58c777
allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito 58c777
allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
Chris PeBenito 58c777
filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# unconfined_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
unconfined_domain_template($1)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# user_application_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
type $1_t $2;
Chris PeBenito 7bb610
domain_type($1_t)
Chris PeBenito 7bb610
type $1_exec_t;
Chris PeBenito 7bb610
domain_entry_file($1_t,$1_exec_t)
Chris PeBenito 58c777
libs_use_ld_so($1_t)
Chris PeBenito 58c777
libs_use_shared_libs($1_t)
Chris PeBenito 7bb610
logging_send_syslog_msg($1_t)
Chris PeBenito 7bb610
# a "run" interface needs to be
Chris PeBenito 7bb610
# added, and use it in the base user domain
Chris PeBenito 7bb610
# template, in a optional_policy block.
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
# uses_authbind():
Chris PeBenito 835b6a
#
Chris PeBenito 835b6a
domain_auto_trans($1, authbind_exec_t, authbind_t)
Chris PeBenito 835b6a
allow authbind_t $1:process sigchld;
Chris PeBenito 835b6a
allow authbind_t $1:fd use;
Chris PeBenito 835b6a
allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7e40f1
# uses_shlib(): complete
Chris PeBenito 7e40f1
#
Chris PeBenito 7e40f1
libs_use_ld_so($1)
Chris PeBenito 7e40f1
libs_use_shared_libs($1)
Chris PeBenito 7e40f1
Chris PeBenito 7e40f1
#
Chris PeBenito 7bb610
# var_lib_domain(): complete
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
type $1_var_lib_t;
Chris PeBenito 7bb610
files_type($1_var_lib_t)
Chris PeBenito 7bb610
allow $1_t $1_var_lib_t:file create_file_perms;
Chris PeBenito 07b01c
allow $1_t $1_var_lib_t:dir create_dir_perms;
Chris PeBenito 7bb610
files_create_var_lib($1_t,$1_var_lib_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# var_run_domain($1): complete
Chris PeBenito 835b6a
#
Chris PeBenito 58c777
type $1_var_run_t;
Chris PeBenito 58c777
files_pid_file($1_var_run_t)
Chris PeBenito 58c777
allow $1_t $1_var_run_t:file create_file_perms;
Chris PeBenito 07b01c
allow $1_t $1_var_run_t:dir create_dir_perms;
Chris PeBenito 58c777
files_create_pid($1_t,$1_var_run_t)
Chris PeBenito 835b6a
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
# var_run_domain($1,$2): complete
Chris PeBenito 835b6a
#
Chris PeBenito 7bb610
type $1_var_run_t;
Chris PeBenito 7bb610
files_pid_file($1_var_run_t)
Chris PeBenito 7bb610
files_create_pid($1_t,$1_var_run_t,$2)
Chris PeBenito 7bb610
# for each object class in $2:
Chris PeBenito 7bb610
# if dir:
Chris PeBenito 7bb610
allow $1 $1_var_run_t:dir create_dir_perms;
Chris PeBenito 7bb610
# else if lnk_file:
Chris PeBenito 7bb610
allow $1 $1_var_run_t:lnk_file create_lnk_perms;
Chris PeBenito 7bb610
# else:
Chris PeBenito 7bb610
allow $1 $1_var_run_t:$2 create_file_perms;