## <module name="selinux" layer="kernel">

## <summary>

##	Policy for kernel security interface, in particular, selinuxfs.

## </summary>

########################################

## <interface name="selinux_get_fs_mount">

##	<description>

## 		Gets the caller the mountpoint of the selinuxfs filesystem.

##	</description>

##	<parameter name="domain">

##		The process type requesting the selinuxfs mountpoint.

##	</parameter>

## </interface>

#

define(`selinux_get_fs_mount',`

	# read /proc/filesystems to see if selinuxfs is supported

	# then read /proc/self/mount to see where selinuxfs is mounted

	kernel_read_system_state($1)

')

########################################

## <interface name="selinux_get_enforce_mode">

##	<description>

## 		Allows the caller to get the mode of policy enforcement

## 		(enforcing or permissive mode).

##	</description>

##	<parameter name="domain">

##		The process type to allow to get the enforcing mode.

##	</parameter>

## </interface>

#

define(`selinux_get_enforce_mode',`

	gen_require(`$0'_depend)

	allow $1 security_t:dir { read search getattr };

	allow $1 security_t:file { getattr read };

')

define(`selinux_get_enforce_mode_depend',`

	type security_t;

	class dir { read search getattr };

	class file { getattr read };

')

########################################

## <interface name="selinux_set_enforce_mode">

##	<description>

## 		Allow caller to set the mode of policy enforcement

## 		(enforcing or permissive mode).

##	</description>

##	<parameter name="domain">

##		The process type to allow to set the enforcement mode.

##	</parameter>

## </interface>

#

define(`selinux_set_enforce_mode',`

	gen_require(`$0'_depend)

	allow $1 security_t:dir { read search getattr };

	allow $1 security_t:file { getattr read write };

	allow $1 security_t:security setenforce;

	auditallow $1 security_t:security setenforce;

	typeattribute $1 can_setenforce;

')

define(`selinux_set_enforce_mode_depend',`

	type security_t;

	attribute can_setenforce;

	class dir { read search getattr };

	class file { getattr read write };

	class security setenforce;

')

########################################

## <interface name="selinux_load_policy">

##	<description>

## 		Allow caller to load the policy into the kernel.

##	</description>

##	<parameter name="domain">

##		The process type that will load the policy.

##	</parameter>

## </interface>

#

define(`selinux_load_policy',`

	gen_require(`$0'_depend)

	allow $1 security_t:dir { read search getattr };

	allow $1 security_t:file { getattr read write };

	allow $1 security_t:security load_policy;

	auditallow $1 security_t:security load_policy;

	typeattribute $1 can_load_policy;

')

define(`selinux_load_policy_depend',`

	type security_t;

	attribute can_load_policy;

	class dir { read search getattr };

	class file { getattr read write };

	class security load_policy;

')

########################################

## <interface name="selinux_set_boolean">

##	<description>

## 		Allow caller to set the state of Booleans to

## 		enable or disable conditional portions of the policy.

##	</description>

##	<parameter name="domain">

##		The process type allowed to set the Boolean.

##	</parameter>

##	<parameter name="booltype" optional="true">

##		The type of Booleans the caller is allowed to set.

##	</parameter>

## </interface>

#

define(`selinux_set_boolean',`

	gen_require(`$0'_depend)

	ifelse(`$2',`',`

		allow $1 security_t:dir { getattr search read };

		allow $1 security_t:file { getattr read write };

	',`

		allow $1 $2:dir { getattr search read };

		allow $1 $2:file { getattr read write };

	')

	allow $1 security_t:dir search;

	allow $1 security_t:security setbool;

	auditallow $1 security_t:security setbool;

')

define(`selinux_set_boolean_depend',`

	type security_t;

	class dir { read search getattr };

	class file { getattr read write };

	class security setbool;

')

########################################

## <interface name="selinux_set_parameters">

##	<description>

## 		Allow caller to set selinux security parameters.

##	</description>

##	<parameter name="domain">

##		The process type to allow to set security parameters.

##	</parameter>

## </interface>

#

define(`selinux_set_parameters',`

	gen_require(`$0'_depend)

	allow $1 security_t:dir { read search getattr };

	allow $1 security_t:file { getattr read write };

	allow $1 security_t:security setsecparam;

	auditallow $1 security_t:security setsecparam;

	typeattribute $1 can_setsecparam;

')

define(`selinux_set_parameters_depend',`

	type security_t;

	attribute can_setsecparam;

	class dir { read search getattr };

	class file { getattr read write };

	class security setsecparam;

')

########################################

## <interface name="selinux_validate_context">

##	<description>

## 		Allows caller to validate security contexts.

##	</description>

##	<parameter name="domain">

##		The process type permitted to validate contexts.

##	</parameter>

## </interface>

#

define(`selinux_validate_context',`

	gen_require(`$0'_depend)

	allow $1 security_t:dir { read search getattr };

	allow $1 security_t:file { getattr read write };

	allow $1 security_t:security check_context;

')

define(`selinux_validate_context_depend',`

	type security_t;

	class dir { read search getattr };

	class file { getattr read write };

	class security check_context;

')

########################################

## <interface name="selinux_compute_access_vector">

##	<description>

## 		Allows caller to compute an access vector.

##	</description>

##	<parameter name="domain">

##		The process type allowed to compute an access vector.

##	</parameter>

## </interface>

#

define(`selinux_compute_access_vector',`

	gen_require(`$0'_depend)

	allow $1 security_t:dir { read search getattr };

	allow $1 security_t:file { getattr read write };

	allow $1 security_t:security compute_av;

')

define(`selinux_compute_access_vector_depend',`

	type security_t;

	class dir { read search getattr };

	class file { getattr read write };

	class security compute_av;

')

########################################

## <interface name="selinux_compute_create_context">

##	<description>

## 		

##	</description>

##	<parameter name="domain">

##		

##	</parameter>

## </interface>

#

define(`selinux_compute_create_context',`

	gen_require(`$0'_depend)

	allow $1 security_t:dir { read search getattr };

	allow $1 security_t:file { getattr read write };

	allow $1 security_t:security compute_create;

')

define(`selinux_compute_create_context_depend',`

	type security_t;

	class dir { read search getattr };

	class file { getattr read write };

	class security compute_create;

')

########################################

## <interface name="selinux_compute_relabel_context">

##	<description>

## 		

##	</description>

##	<parameter name="domain">

##		The process type to 

##	</parameter>

## </interface>

#

define(`selinux_compute_relabel_context',`

	gen_require(`$0'_depend)

	allow $1 security_t:dir { read search getattr };

	allow $1 security_t:file { getattr read write };

	allow $1 security_t:security compute_relabel;

')

define(`selinux_compute_relabel_context_depend',`

	type security_t;

	class dir { read search getattr };

	class file { getattr read write };

	class security compute_relabel;

')

########################################

## <interface name="selinux_compute_user_contexts">

##	<description>

## 		Allows caller to compute possible contexts for a user.

##	</description>

##	<parameter name="domain">

##		The process type allowed to compute user contexts.

##	</parameter>

## </interface>

#

define(`selinux_compute_user_contexts',`

	gen_require(`$0'_depend)

	allow $1 security_t:dir { read search getattr };

	allow $1 security_t:file { getattr read write };

	allow $1 security_t:security compute_user;

')

define(`selinux_compute_user_contexts_depend',`

	type security_t;

	class dir { read search getattr };

	class file { getattr read write };

	class security compute_user;

')

## </module>