|
Chris PeBenito |
000394 |
## <summary>User-based access control policy</summary>
|
|
Chris PeBenito |
000394 |
## <required val="true">
|
|
Chris PeBenito |
000394 |
## Contains attributes used in UBAC policy.
|
|
Chris PeBenito |
000394 |
## </required>
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
########################################
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
888d9e |
## Constrain by user-based access control (UBAC).
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
888d9e |
## <desc>
|
|
Chris PeBenito |
888d9e |
##
|
|
Chris PeBenito |
888d9e |
## Constrain the specified type by user-based
|
|
Chris PeBenito |
888d9e |
## access control (UBAC). Typically, these are
|
|
Chris PeBenito |
888d9e |
## user processes or user files that need to be
|
|
Chris PeBenito |
888d9e |
## differentiated by SELinux user. Normally this
|
|
Chris PeBenito |
888d9e |
## does not include administrative or privileged
|
|
Chris PeBenito |
888d9e |
## programs. For the UBAC rules to be enforced,
|
|
Chris PeBenito |
888d9e |
## both the subject (source) type and the object
|
|
Chris PeBenito |
888d9e |
## (target) types must be UBAC constrained.
|
|
Chris PeBenito |
888d9e |
##
|
|
Chris PeBenito |
888d9e |
## </desc>
|
|
Chris PeBenito |
000394 |
## <param name="type">
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Type to be constrained by UBAC.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## </param>
|
|
Chris PeBenito |
888d9e |
## <infoflow type="none"/>
|
|
Chris PeBenito |
000394 |
#
|
|
Chris PeBenito |
000394 |
interface(`ubac_constrained',`
|
|
Chris PeBenito |
000394 |
gen_require(`
|
|
Chris PeBenito |
000394 |
attribute ubac_constrained_type;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
typeattribute $1 ubac_constrained_type;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
########################################
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Exempt user-based access control for files.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## <param name="domain">
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Domain to be exempted.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## </param>
|
|
Chris PeBenito |
000394 |
#
|
|
Chris PeBenito |
000394 |
interface(`ubac_file_exempt',`
|
|
Chris PeBenito |
000394 |
gen_require(`
|
|
Chris PeBenito |
000394 |
attribute ubacfile;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
typeattribute $1 ubacfile;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
########################################
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Exempt user-based access control for processes.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## <param name="domain">
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Domain to be exempted.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## </param>
|
|
Chris PeBenito |
000394 |
#
|
|
Chris PeBenito |
000394 |
interface(`ubac_process_exempt',`
|
|
Chris PeBenito |
000394 |
gen_require(`
|
|
Chris PeBenito |
000394 |
attribute ubacproc;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
typeattribute $1 ubacproc;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
########################################
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Exempt user-based access control for file descriptors.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## <param name="domain">
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Domain to be exempted.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## </param>
|
|
Chris PeBenito |
000394 |
#
|
|
Chris PeBenito |
000394 |
interface(`ubac_fd_exempt',`
|
|
Chris PeBenito |
000394 |
gen_require(`
|
|
Chris PeBenito |
000394 |
attribute ubacfd;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
typeattribute $1 ubacfd;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
########################################
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Exempt user-based access control for sockets.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## <param name="domain">
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Domain to be exempted.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## </param>
|
|
Chris PeBenito |
000394 |
#
|
|
Chris PeBenito |
000394 |
interface(`ubac_socket_exempt',`
|
|
Chris PeBenito |
000394 |
gen_require(`
|
|
Chris PeBenito |
000394 |
attribute ubacsock;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
typeattribute $1 ubacsock;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
########################################
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Exempt user-based access control for SysV IPC.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## <param name="domain">
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Domain to be exempted.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## </param>
|
|
Chris PeBenito |
000394 |
#
|
|
Chris PeBenito |
000394 |
interface(`ubac_sysvipc_exempt',`
|
|
Chris PeBenito |
000394 |
gen_require(`
|
|
Chris PeBenito |
000394 |
attribute ubacipc;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
typeattribute $1 ubacipc;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
########################################
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Exempt user-based access control for X Windows.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## <param name="domain">
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Domain to be exempted.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## </param>
|
|
Chris PeBenito |
000394 |
#
|
|
Chris PeBenito |
000394 |
interface(`ubac_xwin_exempt',`
|
|
Chris PeBenito |
000394 |
gen_require(`
|
|
Chris PeBenito |
000394 |
attribute ubacxwin;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
typeattribute $1 ubacxwin;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
########################################
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Exempt user-based access control for dbus.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## <param name="domain">
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Domain to be exempted.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## </param>
|
|
Chris PeBenito |
000394 |
#
|
|
Chris PeBenito |
000394 |
interface(`ubac_dbus_exempt',`
|
|
Chris PeBenito |
000394 |
gen_require(`
|
|
Chris PeBenito |
000394 |
attribute ubacdbus;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
typeattribute $1 ubacdbus;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
########################################
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Exempt user-based access control for keys.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## <param name="domain">
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Domain to be exempted.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## </param>
|
|
Chris PeBenito |
000394 |
#
|
|
Chris PeBenito |
000394 |
interface(`ubac_key_exempt',`
|
|
Chris PeBenito |
000394 |
gen_require(`
|
|
Chris PeBenito |
000394 |
attribute ubackey;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
typeattribute $1 ubackey;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
########################################
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Exempt user-based access control for databases.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## <param name="domain">
|
|
Chris PeBenito |
000394 |
## <summary>
|
|
Chris PeBenito |
000394 |
## Domain to be exempted.
|
|
Chris PeBenito |
000394 |
## </summary>
|
|
Chris PeBenito |
000394 |
## </param>
|
|
Chris PeBenito |
000394 |
#
|
|
Chris PeBenito |
000394 |
interface(`ubac_db_exempt',`
|
|
Chris PeBenito |
000394 |
gen_require(`
|
|
Chris PeBenito |
000394 |
attribute ubacdb;
|
|
Chris PeBenito |
000394 |
')
|
|
Chris PeBenito |
000394 |
|
|
Chris PeBenito |
000394 |
typeattribute $1 ubacdb;
|
|
Chris PeBenito |
000394 |
')
|