Chris PeBenito ff7bc1
## <summary>
Chris PeBenito 884309
##	Policy for kernel security interface, in particular, selinuxfs.
Chris PeBenito ff7bc1
## </summary>
Chris PeBenito 274547
## <required val="true">
Chris PeBenito 274547
##	Contains the policy for the kernel SELinux security interface.
Chris PeBenito 274547
## </required>
Chris PeBenito ff7bc1
Chris PeBenito ff7bc1
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito f0435b
##	Make the specified type used for labeling SELinux Booleans.
Chris PeBenito f0435b
##	This interface is only usable in the base module.
Chris PeBenito f0435b
## </summary>
Chris PeBenito f0435b
## <desc>
Chris PeBenito f0435b
##	

Chris PeBenito f0435b
##	Make the specified type used for labeling SELinux Booleans.
Chris PeBenito f0435b
##	

Chris PeBenito f0435b
##	

Chris PeBenito f0435b
##	This makes use of genfscon statements, which are only
Chris PeBenito f0435b
##	available in the base module.  Thus any module which calls this
Chris PeBenito f0435b
##	interface must be included in the base module.
Chris PeBenito f0435b
##	

Chris PeBenito f0435b
## </desc>
Chris PeBenito f0435b
## <param name="type">
Chris PeBenito f0435b
##	<summary>
Chris PeBenito f0435b
##	Type used for labeling a Boolean.
Chris PeBenito f0435b
##	</summary>
Chris PeBenito f0435b
## </param>
Chris PeBenito f0435b
## <param name="boolean">
Chris PeBenito f0435b
##	<summary>
Chris PeBenito f0435b
##	Name of the Boolean.
Chris PeBenito f0435b
##	</summary>
Chris PeBenito f0435b
## </param>
Chris PeBenito f0435b
#
Chris PeBenito f0435b
interface(`selinux_labeled_boolean',`
Chris PeBenito f0435b
	gen_require(`
Chris PeBenito f0435b
		attribute boolean_type;
Chris PeBenito f0435b
	')
Chris PeBenito f0435b
Chris PeBenito f0435b
	typeattribute $1 boolean_type;
Chris PeBenito f0435b
Chris PeBenito f0435b
	# because of this statement, any module which
Chris PeBenito f0435b
	# calls this interface must be in the base module:
Chris PeBenito f0435b
	genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
Chris PeBenito f0435b
')
Chris PeBenito f0435b
Chris PeBenito f0435b
########################################
Chris PeBenito f0435b
## <summary>
Chris PeBenito eeef8d
##	Get the mountpoint of the selinuxfs filesystem.
Chris PeBenito df00b2
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito eeef8d
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito ff7bc1
#
Chris PeBenito 199895
interface(`selinux_get_fs_mount',`
Chris PeBenito 86d754
	gen_require(`
Chris PeBenito 86d754
		type security_t;
Chris PeBenito 86d754
	')
Chris PeBenito 86d754
Chris PeBenito 86d754
	# starting in libselinux 2.0.5, init_selinuxmnt() will
Chris PeBenito 86d754
	# attempt to short circuit by checking if SELINUXMNT
Chris PeBenito 86d754
	# (/selinux) is already a selinuxfs
Chris PeBenito 86d754
	allow $1 security_t:filesystem getattr;
Chris PeBenito 86d754
Chris PeBenito ff7bc1
	# read /proc/filesystems to see if selinuxfs is supported
Chris PeBenito ff7bc1
	# then read /proc/self/mount to see where selinuxfs is mounted
Chris PeBenito ff7bc1
	kernel_read_system_state($1)
Chris PeBenito ff7bc1
')
Chris PeBenito ff7bc1
Chris PeBenito ff7bc1
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito eeef8d
##	Do not audit attempts to get the mountpoint
Chris PeBenito eeef8d
##	of the selinuxfs filesystem.
Chris PeBenito eeef8d
## </summary>
Chris PeBenito eeef8d
## <param name="domain">
Chris PeBenito eeef8d
##	<summary>
Chris PeBenito eeef8d
##	Domain to not audit.
Chris PeBenito eeef8d
##	</summary>
Chris PeBenito eeef8d
## </param>
Chris PeBenito eeef8d
#
Chris PeBenito eeef8d
interface(`selinux_dontaudit_get_fs_mount',`
Chris PeBenito eeef8d
	gen_require(`
Chris PeBenito eeef8d
		type security_t;
Chris PeBenito eeef8d
	')
Chris PeBenito eeef8d
Chris PeBenito eeef8d
	# starting in libselinux 2.0.5, init_selinuxmnt() will
Chris PeBenito eeef8d
	# attempt to short circuit by checking if SELINUXMNT
Chris PeBenito eeef8d
	# (/selinux) is already a selinuxfs
Chris PeBenito eeef8d
	dontaudit $1 security_t:filesystem getattr;
Chris PeBenito eeef8d
Chris PeBenito eeef8d
	# read /proc/filesystems to see if selinuxfs is supported
Chris PeBenito eeef8d
	# then read /proc/self/mount to see where selinuxfs is mounted
Chris PeBenito eeef8d
	kernel_dontaudit_read_system_state($1)
Chris PeBenito eeef8d
')
Chris PeBenito eeef8d
Chris PeBenito eeef8d
########################################
Chris PeBenito eeef8d
## <summary>
Chris PeBenito 5bf9de
##	Get the attributes of the selinuxfs filesystem
Chris PeBenito 5bf9de
## </summary>
Chris PeBenito 5bf9de
## <param name="domain">
Chris PeBenito 5bf9de
##	<summary>
Chris PeBenito 5bf9de
##	Domain allowed access.
Chris PeBenito 5bf9de
##	</summary>
Chris PeBenito 5bf9de
## </param>
Chris PeBenito 5bf9de
#
Chris PeBenito 5bf9de
interface(`selinux_getattr_fs',`
Chris PeBenito 5bf9de
	gen_require(`
Chris PeBenito 5bf9de
		type security_t;
Chris PeBenito 5bf9de
	')
Chris PeBenito 5bf9de
Chris PeBenito 5bf9de
	allow $1 security_t:filesystem getattr;
Chris PeBenito 5bf9de
')
Chris PeBenito 5bf9de
Chris PeBenito 5bf9de
########################################
Chris PeBenito 5bf9de
## <summary>
Chris PeBenito 5bf9de
##	Do not audit attempts to get the
Chris PeBenito 5bf9de
##	attributes of the selinuxfs filesystem
Chris PeBenito 5bf9de
## </summary>
Chris PeBenito 5bf9de
## <param name="domain">
Chris PeBenito 5bf9de
##	<summary>
Chris PeBenito 5bf9de
##	Domain to not audit.
Chris PeBenito 5bf9de
##	</summary>
Chris PeBenito 5bf9de
## </param>
Chris PeBenito 5bf9de
#
Chris PeBenito 5bf9de
interface(`selinux_dontaudit_getattr_fs',`
Chris PeBenito 5bf9de
	gen_require(`
Chris PeBenito 5bf9de
		type security_t;
Chris PeBenito 5bf9de
	')
Chris PeBenito 5bf9de
Chris PeBenito 5bf9de
	dontaudit $1 security_t:filesystem getattr;
Chris PeBenito 5bf9de
')
Chris PeBenito 5bf9de
Chris PeBenito 5bf9de
########################################
Chris PeBenito 5bf9de
## <summary>
Chris PeBenito 0f707d
##	Do not audit attempts to get the
Chris PeBenito 0f707d
##	attributes of the selinuxfs directory.
Chris PeBenito 0f707d
## </summary>
Chris PeBenito 0f707d
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 0f707d
##	Domain to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 0f707d
## </param>
Chris PeBenito 0f707d
#
Chris PeBenito 0f707d
interface(`selinux_dontaudit_getattr_dir',`
Chris PeBenito 0f707d
	gen_require(`
Chris PeBenito 0f707d
		type security_t;
Chris PeBenito 0f707d
	')
Chris PeBenito 0f707d
Chris PeBenito 0f707d
	dontaudit $1 security_t:dir getattr;
Chris PeBenito 0f707d
')
Chris PeBenito 0f707d
Chris PeBenito 0f707d
########################################
Chris PeBenito 0f707d
## <summary>
Chris PeBenito 77f6e2
##	Search selinuxfs.
Chris PeBenito 77f6e2
## </summary>
Chris PeBenito 77f6e2
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 77f6e2
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 77f6e2
## </param>
Chris PeBenito 77f6e2
#
Chris PeBenito 77f6e2
interface(`selinux_search_fs',`
Chris PeBenito 77f6e2
	gen_require(`
Chris PeBenito 77f6e2
		type security_t;
Chris PeBenito 77f6e2
	')
Chris PeBenito 77f6e2
Chris PeBenito 8b9ebd
	allow $1 security_t:dir search_dir_perms;
Chris PeBenito 77f6e2
')
Chris PeBenito 77f6e2
Chris PeBenito 77f6e2
########################################
Chris PeBenito 77f6e2
## <summary>
Chris PeBenito df00b2
##	Do not audit attempts to search selinuxfs.
Chris PeBenito df00b2
## </summary>
Chris PeBenito df00b2
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito df00b2
##	Domain to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito df00b2
## </param>
Chris PeBenito df00b2
#
Chris PeBenito df00b2
interface(`selinux_dontaudit_search_fs',`
Chris PeBenito df00b2
	gen_require(`
Chris PeBenito df00b2
		type security_t;
Chris PeBenito df00b2
	')
Chris PeBenito df00b2
Chris PeBenito 8b9ebd
	dontaudit $1 security_t:dir search_dir_perms;
Chris PeBenito df00b2
')
Chris PeBenito df00b2
Chris PeBenito df00b2
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito 30705b
##	Do not audit attempts to read
Chris PeBenito 30705b
##	generic selinuxfs entries
Chris PeBenito 30705b
## </summary>
Chris PeBenito 30705b
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 30705b
##	Domain to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 30705b
## </param>
Chris PeBenito 30705b
#
Chris PeBenito 30705b
interface(`selinux_dontaudit_read_fs',`
Chris PeBenito 30705b
	gen_require(`
Chris PeBenito 30705b
		type security_t;
Chris PeBenito 30705b
	')
Chris PeBenito 30705b
Chris PeBenito 8b9ebd
	dontaudit $1 security_t:dir search_dir_perms;
Chris PeBenito 82d277
	dontaudit $1 security_t:file read_file_perms;
Chris PeBenito 30705b
')
Chris PeBenito 30705b
Chris PeBenito 30705b
########################################
Chris PeBenito 30705b
## <summary>
Chris PeBenito 414e41
##	Allows the caller to get the mode of policy enforcement
Chris PeBenito 414e41
##	(enforcing or permissive mode).
Chris PeBenito df00b2
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The process type to allow to get the enforcing mode.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito ff7bc1
#
Chris PeBenito 199895
interface(`selinux_get_enforce_mode',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type security_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito ff7bc1
Chris PeBenito 8b9ebd
	allow $1 security_t:dir list_dir_perms;
Chris PeBenito 82d277
	allow $1 security_t:file read_file_perms;
Chris PeBenito ff7bc1
')
Chris PeBenito ff7bc1
Chris PeBenito ff7bc1
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito 414e41
##	Allow caller to set the mode of policy enforcement
Chris PeBenito 414e41
##	(enforcing or permissive mode).
Chris PeBenito df00b2
## </summary>
Chris PeBenito 884309
## <desc>
Chris PeBenito 884309
##	

Chris PeBenito 884309
##	Allow caller to set the mode of policy enforcement
Chris PeBenito 884309
##	(enforcing or permissive mode).
Chris PeBenito 884309
##	

Chris PeBenito 884309
##	

Chris PeBenito 884309
##	Since this is a security event, this action is
Chris PeBenito 884309
##	always audited.
Chris PeBenito 884309
##	

Chris PeBenito 884309
## </desc>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The process type to allow to set the enforcement mode.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito ff7bc1
#
Chris PeBenito 199895
interface(`selinux_set_enforce_mode',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type security_t;
Chris PeBenito cbc9d6
		attribute can_setenforce;
Chris PeBenito 8967bf
		bool secure_mode_policyload;
Chris PeBenito cbc9d6
	')
Chris PeBenito ff7bc1
Chris PeBenito 8b9ebd
	allow $1 security_t:dir list_dir_perms;
Chris PeBenito 82d277
	allow $1 security_t:file rw_file_perms;
Chris PeBenito ff7bc1
	typeattribute $1 can_setenforce;
Chris PeBenito 8967bf
Chris PeBenito 8967bf
	if(!secure_mode_policyload) {
Chris PeBenito 8967bf
		allow $1 security_t:security setenforce;
Chris PeBenito 465510
Chris PeBenito 465510
		ifdef(`distro_rhel4',`
Chris PeBenito 465510
			# needed for systems without audit support
Chris PeBenito 465510
			auditallow $1 security_t:security setenforce;
Chris PeBenito 465510
		')
Chris PeBenito 8967bf
	}
Chris PeBenito ff7bc1
')
Chris PeBenito ff7bc1
Chris PeBenito ff7bc1
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito 414e41
##	Allow caller to load the policy into the kernel.
Chris PeBenito df00b2
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The process type that will load the policy.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito ff7bc1
#
Chris PeBenito 199895
interface(`selinux_load_policy',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type security_t;
Chris PeBenito cbc9d6
		attribute can_load_policy;
Chris PeBenito 8967bf
		bool secure_mode_policyload;
Chris PeBenito cbc9d6
	')
Chris PeBenito ff7bc1
Chris PeBenito 8b9ebd
	allow $1 security_t:dir list_dir_perms;
Chris PeBenito 82d277
	allow $1 security_t:file rw_file_perms;
Chris PeBenito ff7bc1
	typeattribute $1 can_load_policy;
Chris PeBenito 8967bf
Chris PeBenito 8967bf
	if(!secure_mode_policyload) {
Chris PeBenito 8967bf
		allow $1 security_t:security load_policy;
Chris PeBenito 465510
Chris PeBenito 465510
		ifdef(`distro_rhel4',`
Chris PeBenito 465510
			# needed for systems without audit support
Chris PeBenito 465510
			auditallow $1 security_t:security load_policy;
Chris PeBenito 465510
		')
Chris PeBenito 8967bf
	}
Chris PeBenito ff7bc1
')
Chris PeBenito ff7bc1
Chris PeBenito ff7bc1
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito 414e41
##	Allow caller to set the state of Booleans to
Chris PeBenito f0435b
##	enable or disable conditional portions of the policy.  (Deprecated)
Chris PeBenito df00b2
## </summary>
Chris PeBenito 884309
## <desc>
Chris PeBenito 884309
##	

Chris PeBenito 884309
##	Allow caller to set the state of Booleans to
Chris PeBenito 884309
##	enable or disable conditional portions of the policy.
Chris PeBenito 884309
##	

Chris PeBenito 884309
##	

Chris PeBenito 884309
##	Since this is a security event, this action is
Chris PeBenito 884309
##	always audited.
Chris PeBenito 884309
##	

Chris PeBenito f0435b
##	

Chris PeBenito f0435b
##	This interface has been deprecated.  Please use
Chris PeBenito f0435b
##	selinux_set_generic_booleans() or selinux_set_all_booleans()
Chris PeBenito f0435b
##	instead.
Chris PeBenito f0435b
##	

Chris PeBenito 884309
## </desc>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The process type allowed to set the Boolean.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito ff7bc1
#
Chris PeBenito 199895
interface(`selinux_set_boolean',`
Chris PeBenito f0435b
	refpolicywarn(`$0($*) has been deprecated, use selinux_set_generic_booleans() instead.')
Chris PeBenito f0435b
	selinux_set_generic_booleans($1)
Chris PeBenito f0435b
')
Chris PeBenito f0435b
Chris PeBenito f0435b
########################################
Chris PeBenito f0435b
## <summary>
Chris PeBenito f0435b
##	Allow caller to set the state of generic Booleans to
Chris PeBenito f0435b
##	enable or disable conditional portions of the policy.
Chris PeBenito f0435b
## </summary>
Chris PeBenito f0435b
## <desc>
Chris PeBenito f0435b
##	

Chris PeBenito f0435b
##	Allow caller to set the state of generic Booleans to
Chris PeBenito f0435b
##	enable or disable conditional portions of the policy.
Chris PeBenito f0435b
##	

Chris PeBenito f0435b
##	

Chris PeBenito f0435b
##	Since this is a security event, this action is
Chris PeBenito f0435b
##	always audited.
Chris PeBenito f0435b
##	

Chris PeBenito f0435b
## </desc>
Chris PeBenito f0435b
## <param name="domain">
Chris PeBenito f0435b
##	<summary>
Chris PeBenito f0435b
##	The process type allowed to set the Boolean.
Chris PeBenito f0435b
##	</summary>
Chris PeBenito f0435b
## </param>
Chris PeBenito f0435b
## <rolecap/>
Chris PeBenito f0435b
#
Chris PeBenito f0435b
interface(`selinux_set_generic_booleans',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type security_t;
Chris PeBenito 439aaa
		bool secure_mode_policyload;
Chris PeBenito cbc9d6
	')
Chris PeBenito ff7bc1
Chris PeBenito 8b9ebd
	allow $1 security_t:dir list_dir_perms;
Chris PeBenito 82d277
	allow $1 security_t:file rw_file_perms;
Chris PeBenito 8967bf
Chris PeBenito 8967bf
	if(!secure_mode_policyload) {
Chris PeBenito 8967bf
		allow $1 security_t:security setbool;
Chris PeBenito 133000
Chris PeBenito 133000
		ifdef(`distro_rhel4',`
Chris PeBenito 133000
			# needed for systems without audit support
Chris PeBenito 133000
			auditallow $1 security_t:security setbool;
Chris PeBenito 133000
		')
Chris PeBenito 8967bf
	}
Chris PeBenito ff7bc1
')
Chris PeBenito ff7bc1
Chris PeBenito ff7bc1
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito f0435b
##	Allow caller to set the state of all Booleans to
Chris PeBenito f0435b
##	enable or disable conditional portions of the policy.
Chris PeBenito f0435b
## </summary>
Chris PeBenito f0435b
## <desc>
Chris PeBenito f0435b
##	

Chris PeBenito f0435b
##	Allow caller to set the state of all Booleans to
Chris PeBenito f0435b
##	enable or disable conditional portions of the policy.
Chris PeBenito f0435b
##	

Chris PeBenito f0435b
##	

Chris PeBenito f0435b
##	Since this is a security event, this action is
Chris PeBenito f0435b
##	always audited.
Chris PeBenito f0435b
##	

Chris PeBenito f0435b
## </desc>
Chris PeBenito f0435b
## <param name="domain">
Chris PeBenito f0435b
##	<summary>
Chris PeBenito f0435b
##	The process type allowed to set the Boolean.
Chris PeBenito f0435b
##	</summary>
Chris PeBenito f0435b
## </param>
Chris PeBenito f0435b
## <rolecap/>
Chris PeBenito f0435b
#
Chris PeBenito f0435b
interface(`selinux_set_all_booleans',`
Chris PeBenito f0435b
	gen_require(`
Chris PeBenito f0435b
		type security_t;
Chris PeBenito f0435b
		attribute boolean_type;
Chris PeBenito f0435b
		bool secure_mode_policyload;
Chris PeBenito f0435b
	')
Chris PeBenito f0435b
Chris PeBenito f0435b
	allow $1 security_t:dir list_dir_perms;
Chris PeBenito f0435b
	allow $1 boolean_type:file rw_file_perms;
Chris PeBenito f0435b
Chris PeBenito f0435b
	if(!secure_mode_policyload) {
Chris PeBenito f0435b
		allow $1 security_t:security setbool;
Chris PeBenito f0435b
Chris PeBenito f0435b
		ifdef(`distro_rhel4',`
Chris PeBenito f0435b
			# needed for systems without audit support
Chris PeBenito f0435b
			auditallow $1 security_t:security setbool;
Chris PeBenito f0435b
		')
Chris PeBenito f0435b
	}
Chris PeBenito f0435b
')
Chris PeBenito f0435b
Chris PeBenito f0435b
########################################
Chris PeBenito f0435b
## <summary>
Chris PeBenito 884309
##	Allow caller to set SELinux access vector cache parameters.
Chris PeBenito df00b2
## </summary>
Chris PeBenito 884309
## <desc>
Chris PeBenito 884309
##	

Chris PeBenito 884309
##	Allow caller to set SELinux access vector cache parameters.
Chris PeBenito 884309
##	The allows the domain to set performance related parameters
Chris PeBenito 884309
##	of the AVC, such as cache threshold.
Chris PeBenito 884309
##	

Chris PeBenito 884309
##	

Chris PeBenito 884309
##	Since this is a security event, this action is
Chris PeBenito 884309
##	always audited.
Chris PeBenito 884309
##	

Chris PeBenito 884309
## </desc>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The process type to allow to set security parameters.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito ff7bc1
#
Chris PeBenito 199895
interface(`selinux_set_parameters',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type security_t;
Chris PeBenito cbc9d6
		attribute can_setsecparam;
Chris PeBenito cbc9d6
	')
Chris PeBenito ff7bc1
Chris PeBenito 8b9ebd
	allow $1 security_t:dir list_dir_perms;
Chris PeBenito 82d277
	allow $1 security_t:file rw_file_perms;
Chris PeBenito ff7bc1
	allow $1 security_t:security setsecparam;
Chris PeBenito ff7bc1
	auditallow $1 security_t:security setsecparam;
Chris PeBenito ff7bc1
	typeattribute $1 can_setsecparam;
Chris PeBenito ff7bc1
')
Chris PeBenito ff7bc1
Chris PeBenito ff7bc1
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito 414e41
##	Allows caller to validate security contexts.
Chris PeBenito df00b2
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The process type permitted to validate contexts.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito ff7bc1
#
Chris PeBenito 199895
interface(`selinux_validate_context',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type security_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito ff7bc1
Chris PeBenito 8b9ebd
	allow $1 security_t:dir list_dir_perms;
Chris PeBenito 82d277
	allow $1 security_t:file rw_file_perms;
Chris PeBenito ff7bc1
	allow $1 security_t:security check_context;
Chris PeBenito ff7bc1
')
Chris PeBenito ff7bc1
Chris PeBenito ff7bc1
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito 04d286
##	Do not audit attempts to validate security contexts.
Chris PeBenito 04d286
## </summary>
Chris PeBenito 04d286
## <param name="domain">
Chris PeBenito 04d286
##	<summary>
Chris PeBenito 04d286
##	Domain to not audit.
Chris PeBenito 04d286
##	</summary>
Chris PeBenito 04d286
## </param>
Chris PeBenito 04d286
## <rolecap/>
Chris PeBenito 04d286
#
Chris PeBenito 04d286
interface(`selinux_dontaudit_validate_context',`
Chris PeBenito 04d286
	gen_require(`
Chris PeBenito 04d286
		type security_t;
Chris PeBenito 04d286
	')
Chris PeBenito 04d286
Chris PeBenito 04d286
	dontaudit $1 security_t:dir list_dir_perms;
Chris PeBenito 82d277
	dontaudit $1 security_t:file rw_file_perms;
Chris PeBenito 04d286
	dontaudit $1 security_t:security check_context;
Chris PeBenito 04d286
')
Chris PeBenito 04d286
Chris PeBenito 04d286
########################################
Chris PeBenito 04d286
## <summary>
Chris PeBenito 414e41
##	Allows caller to compute an access vector.
Chris PeBenito df00b2
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The process type allowed to compute an access vector.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito ff7bc1
#
Chris PeBenito 199895
interface(`selinux_compute_access_vector',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type security_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito ff7bc1
Chris PeBenito 8b9ebd
	allow $1 security_t:dir list_dir_perms;
Chris PeBenito 82d277
	allow $1 security_t:file rw_file_perms;
Chris PeBenito ff7bc1
	allow $1 security_t:security compute_av;
Chris PeBenito ff7bc1
')
Chris PeBenito ff7bc1
Chris PeBenito ff7bc1
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito 884309
##	Calculate the default type for object creation.
Chris PeBenito df00b2
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 884309
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito bbcd3c
## <rolecap/>
Chris PeBenito ff7bc1
#
Chris PeBenito 199895
interface(`selinux_compute_create_context',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type security_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito ff7bc1
Chris PeBenito 8b9ebd
	allow $1 security_t:dir list_dir_perms;
Chris PeBenito 82d277
	allow $1 security_t:file rw_file_perms;
Chris PeBenito ff7bc1
	allow $1 security_t:security compute_create;
Chris PeBenito ff7bc1
')
Chris PeBenito ff7bc1
Chris PeBenito ff7bc1
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito 98a8ea
##	Allows caller to compute polyinstatntiated
Chris PeBenito 98a8ea
##	directory members.
Chris PeBenito 98a8ea
## </summary>
Chris PeBenito 98a8ea
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 98a8ea
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 98a8ea
## </param>
Chris PeBenito 98a8ea
#
Chris PeBenito 98a8ea
interface(`selinux_compute_member',`
Chris PeBenito 98a8ea
	gen_require(`
Chris PeBenito 98a8ea
		type security_t;
Chris PeBenito 98a8ea
	')
Chris PeBenito 98a8ea
Chris PeBenito 8b9ebd
	allow $1 security_t:dir list_dir_perms;
Chris PeBenito 82d277
	allow $1 security_t:file rw_file_perms;
Chris PeBenito 98a8ea
	allow $1 security_t:security compute_member;
Chris PeBenito 98a8ea
')
Chris PeBenito 98a8ea
Chris PeBenito 98a8ea
########################################
Chris PeBenito 98a8ea
## <summary>
Chris PeBenito 884309
##	Calculate the context for relabeling objects.
Chris PeBenito df00b2
## </summary>
Chris PeBenito 884309
## <desc>
Chris PeBenito 884309
##	

Chris PeBenito 884309
##	Calculate the context for relabeling objects.
Chris PeBenito 884309
##	This is determined by using the type_change
Chris PeBenito 884309
##	rules in the policy, and is generally used
Chris PeBenito 884309
##	for determining the context for relabeling
Chris PeBenito 884309
##	a terminal when a user logs in.
Chris PeBenito 884309
##	

Chris PeBenito 884309
## </desc>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 884309
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito ff7bc1
#
Chris PeBenito 199895
interface(`selinux_compute_relabel_context',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type security_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito ff7bc1
Chris PeBenito 8b9ebd
	allow $1 security_t:dir list_dir_perms;
Chris PeBenito 82d277
	allow $1 security_t:file rw_file_perms;
Chris PeBenito ff7bc1
	allow $1 security_t:security compute_relabel;
Chris PeBenito ff7bc1
')
Chris PeBenito ff7bc1
Chris PeBenito ff7bc1
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito 414e41
##	Allows caller to compute possible contexts for a user.
Chris PeBenito df00b2
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The process type allowed to compute user contexts.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito ff7bc1
#
Chris PeBenito 199895
interface(`selinux_compute_user_contexts',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type security_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito ff7bc1
Chris PeBenito 8b9ebd
	allow $1 security_t:dir list_dir_perms;
Chris PeBenito 82d277
	allow $1 security_t:file rw_file_perms;
Chris PeBenito ff7bc1
	allow $1 security_t:security compute_user;
Chris PeBenito ff7bc1
')
Chris PeBenito ff7bc1
Chris PeBenito 9726b3
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito 884309
##	Unconfined access to the SELinux kernel security server.
Chris PeBenito df00b2
## </summary>
Chris PeBenito 9726b3
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 9726b3
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 9726b3
## </param>
Chris PeBenito 9726b3
#
Chris PeBenito 9726b3
interface(`selinux_unconfined',`
Chris PeBenito 9726b3
	gen_require(`
Chris PeBenito 41a0f8
		attribute selinux_unconfined_type;
Chris PeBenito 9726b3
	')
Chris PeBenito 9726b3
Chris PeBenito 41a0f8
	typeattribute $1 selinux_unconfined_type;
Chris PeBenito 9726b3
')