Blob Blame History Raw
## <summary>Policy for SELinux policy and userland applications.</summary>

#######################################
## <summary>
##	Execute checkpolicy in the checkpolicy domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_domtrans_checkpolicy',`
	gen_require(`
		type checkpolicy_t, checkpolicy_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1,checkpolicy_exec_t,checkpolicy_t)
')

########################################
## <summary>
##	Execute checkpolicy in the checkpolicy domain, and
##	allow the specified role the checkpolicy domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the checkpolicy domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the checkpolicy domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_checkpolicy',`
	gen_require(`
		type checkpolicy_t;
	')

	seutil_domtrans_checkpolicy($1)
	role $2 types checkpolicy_t;
	allow checkpolicy_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Execute checkpolicy in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_exec_checkpolicy',`
	gen_require(`
		type checkpolicy_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	can_exec($1,checkpolicy_exec_t)
')

#######################################
## <summary>
##	Execute load_policy in the load_policy domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_domtrans_loadpolicy',`
	gen_require(`
		type load_policy_t, load_policy_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1,load_policy_exec_t,load_policy_t)
')

########################################
## <summary>
##	Execute load_policy in the load_policy domain, and
##	allow the specified role the load_policy domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the load_policy domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the load_policy domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_loadpolicy',`
	gen_require(`
		type load_policy_t;
	')

	seutil_domtrans_loadpolicy($1)
	role $2 types load_policy_t;
	allow load_policy_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Execute load_policy in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_exec_loadpolicy',`
	gen_require(`
		type load_policy_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1,load_policy_exec_t)
')

########################################
## <summary>
##	Read the load_policy program file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_read_loadpolicy',`
	gen_require(`
		type load_policy_exec_t;
	')

	corecmd_search_bin($1)
	allow $1 load_policy_exec_t:file read_file_perms;
')

#######################################
## <summary>
##	Execute newrole in the load_policy domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_domtrans_newrole',`
	gen_require(`
		type newrole_t, newrole_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1,newrole_exec_t,newrole_t)
')

########################################
## <summary>
##	Execute newrole in the newrole domain, and
##	allow the specified role the newrole domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the newrole domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the newrole domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_newrole',`
	gen_require(`
		type newrole_t;
	')

	seutil_domtrans_newrole($1)
	role $2 types newrole_t;
	allow newrole_t $3:chr_file rw_term_perms;

	auth_run_upd_passwd(newrole_t, $2, $3)
')

########################################
## <summary>
##	Execute newrole in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_exec_newrole',`
	gen_require(`
		type newrole_t, newrole_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	can_exec($1,newrole_exec_t)
')

########################################
## <summary>
##	Do not audit the caller attempts to send
##	a signal to newrole.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_signal_newrole',`
	gen_require(`
		type newrole_t;
	')

	dontaudit $1 newrole_t:process signal;
')

########################################
## <summary>
##	Send a SIGCHLD signal to newrole.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_sigchld_newrole',`
	gen_require(`
		type newrole_t;
	')

	allow $1 newrole_t:process sigchld;
')

########################################
## <summary>
##	Inherit and use newrole file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_use_newrole_fds',`
	gen_require(`
		type newrole_t;
	')

	allow $1 newrole_t:fd use;
')

#######################################
## <summary>
##	Execute restorecon in the restorecon domain.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_domtrans_restorecon',`
	refpolicywarn(`$0($*) has been deprecated, please use seutil_domtrans_setfiles() instead.')
	seutil_domtrans_setfiles($1)
')

########################################
## <summary>
##	Execute restorecon in the restorecon domain, and
##	allow the specified role the restorecon domain,
##	and use the caller's terminal.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the restorecon domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the restorecon domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_restorecon',`
	refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.')
	seutil_run_setfiles($1,$2,$3)
')

########################################
## <summary>
##	Execute restorecon in the caller domain.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_exec_restorecon',`
	refpolicywarn(`$0($*) has been deprecated, please use seutil_exec_setfiles() instead.')
	seutil_exec_setfiles($1)
')

########################################
## <summary>
##	Execute run_init in the run_init domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_domtrans_runinit',`
	gen_require(`
		type run_init_t, run_init_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1,run_init_exec_t,run_init_t)
')

########################################
## <summary>
##	Execute init scripts in the run_init domain.
## </summary>
## <desc>
##	<p>
##	Execute init scripts in the run_init domain.
##	This is used for the Gentoo integrated run_init.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_init_script_domtrans_runinit',`
	gen_require(`
		type run_init_t;
	')

	init_script_file_domtrans($1,run_init_t)

	allow run_init_t $1:fd use;
	allow run_init_t $1:fifo_file rw_file_perms;
	allow run_init_t $1:process sigchld;
')

########################################
## <summary>
##	Execute run_init in the run_init domain, and
##	allow the specified role the run_init domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the run_init domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the run_init domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_runinit',`
	gen_require(`
		type run_init_t;
		role system_r;
	')

	auth_run_chk_passwd(run_init_t, $2, $3)
	seutil_domtrans_runinit($1)
	role $2 types run_init_t;
	allow run_init_t $3:chr_file rw_term_perms;
	allow $2 system_r;
')

########################################
## <summary>
##	Execute init scripts in the run_init domain, and
##	allow the specified role the run_init domain,
##	and use the caller's terminal.
## </summary>
## <desc>
##	<p>
##	Execute init scripts in the run_init domain, and
##	allow the specified role the run_init domain,
##	and use the caller's terminal.
##	</p>
##	<p>
##	This is used for the Gentoo integrated run_init.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the run_init domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the run_init domain to use.
##	</summary>
## </param>
#
interface(`seutil_init_script_run_runinit',`
	gen_require(`
		type run_init_t;
		role system_r;
	')

	auth_run_chk_passwd(run_init_t, $2, $3)
	seutil_init_script_domtrans_runinit($1)
	role $2 types run_init_t;
	allow run_init_t $3:chr_file rw_term_perms;
	allow $2 system_r;
')

########################################
## <summary>
##	Inherit and use run_init file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_use_runinit_fds',`
	gen_require(`
		type run_init_t;
	')

	allow $1 run_init_t:fd use;
')

########################################
## <summary>
##	Execute setfiles in the setfiles domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_domtrans_setfiles',`
	gen_require(`
		type setfiles_t, setfiles_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1,setfiles_exec_t,setfiles_t)
')

########################################
## <summary>
##	Execute setfiles in the setfiles domain, and
##	allow the specified role the setfiles domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the setfiles domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the setfiles domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_setfiles',`
	gen_require(`
		type setfiles_t;
	')

	seutil_domtrans_setfiles($1)
	role $2 types setfiles_t;
	allow setfiles_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Execute setfiles in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_exec_setfiles',`
	gen_require(`
		type setfiles_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	can_exec($1,setfiles_exec_t)
')

########################################
## <summary>
##	Do not audit attempts to search the SELinux
##	configuration directory (/etc/selinux).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_search_config',`
	gen_require(`
		type selinux_config_t;
	')

	dontaudit $1 selinux_config_t:dir search;
')

########################################
## <summary>
##	Do not audit attempts to read the SELinux
##	userland configuration (/etc/selinux).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_read_config',`
	gen_require(`
		type selinux_config_t;
	')

	dontaudit $1 selinux_config_t:dir search;
	dontaudit $1 selinux_config_t:file { getattr read };
')

########################################
## <summary>
##	Read the general SELinux configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_read_config',`
	gen_require(`
		type selinux_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir list_dir_perms;
	read_files_pattern($1,selinux_config_t,selinux_config_t)
	read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
')

########################################
## <summary>
##	Read and write the general SELinux configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_rw_config',`
	gen_require(`
		type selinux_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir list_dir_perms;
	rw_files_pattern($1,selinux_config_t,selinux_config_t)
')

#######################################
## <summary>
##	Create, read, write, and delete
##	the general selinux configuration files.  (Deprecated)
## </summary>
## <desc>
##	<p>
##	Create, read, write, and delete
##	the general selinux configuration files.
##	</p>
##	<p>
##	This interface has been deprecated, please
##	use the seutil_manage_config() interface instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_selinux_config',`
	refpolicywarn(`$0($*) has been deprecated.  Please use seutil_manage_config() instead.')
	seutil_manage_config($1)
')

#######################################
## <summary>
##	Create, read, write, and delete
##	the general selinux configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_config',`
	gen_require(`
		type selinux_config_t;
	')

	files_search_etc($1)
	manage_files_pattern($1,selinux_config_t,selinux_config_t)
	read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
')

#######################################
## <summary>
##	Create, read, write, and delete
##	the general selinux configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_config_dirs',`
	gen_require(`
		type selinux_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir manage_dir_perms;
')

########################################
## <summary>
##	Search the policy directory with default_context files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_search_default_contexts',`
	gen_require(`
		type selinux_config_t, default_context_t;
	')

	files_search_etc($1)
	search_dirs_pattern($1,selinux_config_t,default_context_t)
')

########################################
## <summary>
##	Read the default_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_read_default_contexts',`
	gen_require(`
		type selinux_config_t, default_context_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	allow $1 default_context_t:dir list_dir_perms;
	read_files_pattern($1,default_context_t,default_context_t)
')

########################################
## <summary>
##	Create, read, write, and delete the default_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_manage_default_contexts',`
	gen_require(`
		type selinux_config_t, default_context_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	manage_files_pattern($1,default_context_t,default_context_t)
')

########################################
## <summary>
##	Read the file_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_read_file_contexts',`
	gen_require(`
		type selinux_config_t, default_context_t, file_context_t;
	')

	files_search_etc($1)
	allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
	read_files_pattern($1,file_context_t,file_context_t)
')

########################################
## <summary>
##	Read and write the file_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_rw_file_contexts',`
	gen_require(`
		type selinux_config_t, file_context_t, default_context_t;
	')

	files_search_etc($1)
	allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
	rw_files_pattern($1,file_context_t,file_context_t)
')

########################################
## <summary>
##	Create, read, write, and delete the file_contexts files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_file_contexts',`
	gen_require(`
		type selinux_config_t, file_context_t, default_context_t;
	')

	files_search_etc($1)
	allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
	manage_files_pattern($1,file_context_t,file_context_t)
')

########################################
## <summary>
##	Read the SELinux binary policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_read_bin_policy',`
	gen_require(`
		type selinux_config_t, policy_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	read_files_pattern($1,policy_config_t,policy_config_t)
')

########################################
## <summary>
##	Create the SELinux binary policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_create_bin_policy',`
	gen_require(`
#		attribute can_write_binary_policy;
		type selinux_config_t, policy_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	create_files_pattern($1,policy_config_t,policy_config_t)
	write_files_pattern($1,policy_config_t,policy_config_t)
#	typeattribute $1 can_write_binary_policy;
')

########################################
## <summary>
##	Allow the caller to relabel a file to the binary policy type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_relabelto_bin_policy',`
	gen_require(`
		attribute can_relabelto_binary_policy;
		type policy_config_t;
	')

	allow $1 policy_config_t:file relabelto;
	typeattribute $1 can_relabelto_binary_policy;
')

########################################
## <summary>
##	Create, read, write, and delete the SELinux
##	binary policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_manage_bin_policy',`
	gen_require(`
		attribute can_write_binary_policy;
		type selinux_config_t, policy_config_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	manage_files_pattern($1,policy_config_t,policy_config_t)
	typeattribute $1 can_write_binary_policy;
')

########################################
## <summary>
##	Read SELinux policy source files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_read_src_policy',`
	gen_require(`
		type selinux_config_t, policy_src_t;
	')

	files_search_etc($1)
	list_dirs_pattern($1,selinux_config_t,policy_src_t)
	read_files_pattern($1,policy_src_t,policy_src_t)
')

########################################
## <summary>
##	Create, read, write, and delete SELinux
##	policy source files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_manage_src_policy',`
	gen_require(`
		type selinux_config_t, policy_src_t;
	')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	manage_dirs_pattern($1,policy_src_t,policy_src_t)
	manage_files_pattern($1,policy_src_t,policy_src_t)
')

########################################
## <summary>
##	Execute a domain transition to run semanage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`seutil_domtrans_semanage',`
	gen_require(`
		type semanage_t, semanage_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1,semanage_exec_t,semanage_t)
')

########################################
## <summary>
##	Execute semanage in the semanage domain, and
##	allow the specified role the semanage domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the checkpolicy domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the semanage domain to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`seutil_run_semanage',`
	gen_require(`
		type semanage_t;
	')

	seutil_domtrans_semanage($1)
	seutil_run_setfiles(semanage_t, $2, $3)
	seutil_run_loadpolicy(semanage_t, $2, $3)
	role $2 types semanage_t;
	allow semanage_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Full management of the semanage
##	module store.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_manage_module_store',`
	gen_require(`
		type selinux_config_t, semanage_store_t;
	')

	files_search_etc($1)
	manage_dirs_pattern($1,selinux_config_t,semanage_store_t)
	manage_files_pattern($1,semanage_store_t,semanage_store_t)
	filetrans_pattern($1,selinux_config_t,semanage_store_t,dir)
')

#######################################
## <summary>
##	Get read lock on module store
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_get_semanage_read_lock',`
	gen_require(`
		type selinux_config_t, semanage_read_lock_t;
	')

	files_search_etc($1)
	rw_files_pattern($1,selinux_config_t,semanage_read_lock_t)
')

#######################################
## <summary>
##	Get trans lock on module store
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_get_semanage_trans_lock',`
	gen_require(`
		type selinux_config_t, semanage_trans_lock_t;
	')

	files_search_etc($1)
	rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')

########################################
## <summary>
##	SELinux-enabled program access for
##	libselinux-linked programs.
## </summary>
## <desc>
##	<p>
##	SELinux-enabled programs are typically
##	linked to the libselinux library.  This
##	interface will allow access required for
##	the libselinux constructor to function.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_libselinux_linked',`
	selinux_get_fs_mount($1)
	seutil_read_config($1)
')

########################################
## <summary>
##	Do not audit SELinux-enabled program access for
##	libselinux-linked programs.
## </summary>
## <desc>
##	<p>
##	SELinux-enabled programs are typically
##	linked to the libselinux library.  This
##	interface will dontaudit access required for
##	the libselinux constructor to function.
##	</p>
##	<p>
##	Generally this should not be used on anything
##	but simple SELinux-enabled programs that do not
##	rely on data initialized by the libselinux
##	constructor.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_dontaudit_libselinux_linked',`
	selinux_dontaudit_get_fs_mount($1)
	seutil_dontaudit_read_config($1)
')