Chris PeBenito 8cf671
Chris PeBenito fa2c74
policy_module(mcs,1.0.2)
Chris PeBenito 8cf671
Chris PeBenito 8cf671
########################################
Chris PeBenito 8cf671
#
Chris PeBenito 8cf671
# Declarations
Chris PeBenito 8cf671
#
Chris PeBenito 8cf671
Chris PeBenito 8cf671
attribute mcskillall;
Chris PeBenito 9779f0
attribute mcssetcats;
Chris PeBenito 8cf671
Chris PeBenito 8cf671
########################################
Chris PeBenito 8cf671
#
Chris PeBenito 8cf671
# THIS IS A HACK
Chris PeBenito 8cf671
#
Chris PeBenito 8cf671
# Only the base module can have range_transitions, so we
Chris PeBenito 8cf671
# temporarily have to break encapsulation to work around this.
Chris PeBenito 8cf671
#
Chris PeBenito 8cf671
Chris PeBenito 8cf671
type auditd_exec_t;
Chris PeBenito 8cf671
type crond_exec_t;
Chris PeBenito 8cf671
type cupsd_exec_t;
Chris PeBenito 8cf671
type getty_t;
Chris PeBenito 8cf671
type init_t;
Chris PeBenito 8cf671
type init_exec_t;
Chris PeBenito 8cf671
type initrc_t;
Chris PeBenito 8cf671
type initrc_exec_t;
Chris PeBenito 8cf671
type login_exec_t;
Chris PeBenito 8cf671
type sshd_exec_t;
Chris PeBenito 8cf671
type udev_exec_t;
Chris PeBenito 8cf671
type unconfined_t;
Chris PeBenito 8cf671
type xdm_exec_t;
Chris PeBenito 8cf671
Chris PeBenito 8cf671
ifdef(`enable_mcs',`
Chris PeBenito cdc86e
# The eventual plan is to have a range_transition to s0 for the daemon by
Chris PeBenito cdc86e
# default and have the daemons which need to run with all categories be
Chris PeBenito cdc86e
# exceptions.  But while range_transitions have to be in the base module
Chris PeBenito cdc86e
# this is not possible.
Chris PeBenito 8cf671
range_transition getty_t login_exec_t s0 - s0:c0.c255;
Chris PeBenito 8cf671
range_transition init_t xdm_exec_t s0 - s0:c0.c255;
Chris PeBenito 8cf671
range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
Chris PeBenito 8cf671
range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
Chris PeBenito 8cf671
range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
Chris PeBenito 8cf671
range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
Chris PeBenito 8cf671
range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
Chris PeBenito 8cf671
range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
Chris PeBenito 8cf671
Chris PeBenito 8cf671
# these might be targeted_policy only
Chris PeBenito 8cf671
range_transition unconfined_t initrc_exec_t s0;
Chris PeBenito 8cf671
')