#
# Specified domain transition patterns
#
#
# domain_transition_pattern(source_domain, executable_file_type, target_domain)
#
# Base rules shared by the exec-based transition patterns:
#   - $1 may getattr, open, read and execute files labelled $2
#   - $1 may request a process transition into $3
# The dontaudit rule only silences the denial messages for noatsecure,
# siginh and rlimitinh. It does not grant them, so whatever the kernel
# enforces when those permissions are denied stays in effect across the
# transition and simply stops being logged.
# Not granted here: entrypoint for $3 on $2, and execute_no_trans on $2.
# A caller that needs either has to get it from another rule.
#
define(`domain_transition_pattern',`
	allow $1 $3:process transition;
	allow $1 $2:file { execute getattr open read };
	dontaudit $1 $3:process { noatsecure rlimitinh siginh };
')
# compatibility:
# Alias for domain_transition_pattern: every argument is forwarded through $*.
define(`domain_trans',`domain_transition_pattern($*)')
#
# spec_domtrans_pattern(source_domain, executable_file_type, target_domain)
#
# Transition that the source domain has to ask for: $1 gets setexec on
# itself plus the base rules from domain_transition_pattern. No
# type_transition rule is emitted here, so executing a $2 file presumably
# leaves the process in $1 unless an exec context was set first.
# The remaining rules let the new domain $3 use file descriptors of $1,
# apply rw_fifo_file_perms to fifo_files of $1, and send sigchld to $1.
# Review note: setexec is granted on self and is not tied to $2 or $3;
# which targets $1 can actually reach is bounded by the process transition
# rules it holds.
#
define(`spec_domtrans_pattern',`
	domain_transition_pattern($1,$2,$3)
	allow $1 self:process setexec;

	allow $3 $1:process sigchld;
	allow $3 $1:fd use;
	allow $3 $1:fifo_file rw_fifo_file_perms;
')
#
# Automatic domain transition patterns
#
#
# domain_auto_transition_pattern(source_domain, executable_file_type, target_domain)
#
# Base transition rules from domain_transition_pattern plus a
# type_transition rule that names $3 as the process type for the case
# where $1 executes a file labelled $2.
# Nothing is granted to $3 on objects of $1 here (no fd, fifo_file or
# sigchld rules).
#
define(`domain_auto_transition_pattern',`
	type_transition $1 $2:process $3;
	domain_transition_pattern($1,$2,$3)
')
# compatibility:
# Alias for domain_auto_transition_pattern: every argument is forwarded through $*.
define(`domain_auto_trans',`domain_auto_transition_pattern($*)')
#
# domtrans_pattern(source_domain, executable_file_type, target_domain)
#
# Automatic transition with the usual parent/child plumbing: the rules of
# domain_auto_transition_pattern, and in addition the new domain $3 may
# use file descriptors of $1, apply rw_fifo_file_perms to fifo_files of
# $1, and send sigchld to $1.
# Review note: the fd and fifo_file rules give $3 access to objects owned
# by $1. When $3 is the less trusted side, check what $1 leaves open
# across the exec.
#
define(`domtrans_pattern',`
	domain_auto_transition_pattern($1,$2,$3)

	allow $3 $1:process sigchld;
	allow $3 $1:fd use;
	allow $3 $1:fifo_file rw_fifo_file_perms;
')
#
# Dynamic transition pattern
#
#
# dyntrans_pattern(source_domain, target_domain)
#
# Dynamic transition: $1 gets setcurrent on itself and dyntransition
# into $2, and $2 may send sigchld to $1.
# Review note: unlike the exec-based patterns in this file there is no
# file type and no execute rule involved, so the change of domain is not
# bound to starting a new program. Whatever the process already holds
# (memory contents, open descriptors) presumably carries over into $2;
# review each use with that in mind.
#
define(`dyntrans_pattern',`
	allow $1 $2:process dyntransition;
	allow $1 self:process setcurrent;
	allow $2 $1:process sigchld;
')
#
# Other process permissions
#
#
# send_audit_msgs_pattern(domain)
#
# Deprecated: every expansion emits a refpolicywarn that points to
# logging_send_audit_msgs as the replacement, then still grants the rules
# below.
# Grants $1 the audit_write capability and, on its own
# netlink_audit_socket, create_netlink_socket_perms plus nlmsg_relay.
# Review note: together these let the domain submit records to the audit
# subsystem, so the set of domains holding them is worth keeping small.
#
define(`send_audit_msgs_pattern',`
	refpolicywarn(`$0($*) has been deprecated, please use logging_send_audit_msgs($1) instead.')
	allow $1 self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
	allow $1 self:capability audit_write;
')
#
# ps_process_pattern(domain, target_domain)
#
# Read-only view of $2 processes for $1: getattr on the process class,
# list_dir_perms on directories, read_file_perms on files and
# read_lnk_file_perms on symlinks labelled $2.
# The dir, file and lnk_file objects are presumably the per-process /proc
# entries of $2 - confirm against callers. Those entries can carry
# command lines and similar process details, so this is an information
# disclosure grant even though nothing is writable.
#
define(`ps_process_pattern',`
	allow $1 $2:process getattr;
	allow $1 $2:dir list_dir_perms;
	allow $1 $2:lnk_file read_lnk_file_perms;
	allow $1 $2:file read_file_perms;
')