Blob Blame History Raw
## <module name="selinux" layer="system">
## <summary>Policy for SELinux policy and userland applications.</summary>

#######################################
## <interface name="selinux_checkpolicy_transition">
##	<description>
##		Execute checkpolicy in the checkpolicy domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_checkpolicy_transition',`
	requires_block_template(`$0'_depend)

	allow $1 checkpolicy_exec_t:file { getattr read execute };
	allow $1 checkpolicy_t:process transition;
	type_transition $1 checkpolicy_exec_t:process checkpolicy_t;
	dontaudit $1 checkpolicy_t:process { noatsecure siginh rlimitinh };

	allow $1 checkpolicy_t:fd use;
	allow checkpolicy_t $1:fd use;
	allow checkpolicy_t $1:fifo_file rw_file_perms;
	allow checkpolicy_t $1:process sigchld;
')

define(`selinux_checkpolicy_transition_depend',`
	type checkpolicy_t, checkpolicy_exec_t;

	class file { getattr read execute };
	class process { transition noatsecure siginh rlimitinh sigchld sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
## <interface name="selinux_checkpolicy_transition_add_role_use_terminal">
##	<description>
##		Execute checkpolicy in the checkpolicy domain, and
##		allow the specified role the checkpolicy domain,
##		and use the caller's terminal.
##		Has a SIGCHLD signal backchannel.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the checkpolicy domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the checkpolicy domain to use.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_checkpolicy_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)

	selinux_checkpolicy_transition($1)
	role $2 types checkpolicy_t;
	allow checkpolicy_t $3:chr_file { getattr read write ioctl };
')

define(`selinux_checkpolicy_transition_add_role_use_terminal_depend',`
	type checkpolicy_t;

	class chr_file { getattr read write ioctl };
')

#######################################
#
# selinux_checkpolicy_execute(domain)
#
define(`selinux_checkpolicy_execute',`
	requires_block_template(`$0'_depend)

	allow $1 checkpolicy_exec_t:file { getattr read execute execute_no_trans };
')

define(`selinux_checkpolicy_execute_depend',`
	type checkpolicy_exec_t;

	class file { getattr read execute execute_no_trans };
')

#######################################
## <interface name="selinux_load_policy_transition">
##	<description>
##		Execute load_policy in the load_policy domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_load_policy_transition',`
	requires_block_template(`$0'_depend)

	allow $1 load_policy_exec_t:file { getattr read execute };
	allow $1 load_policy_t:process transition;
	type_transition $1 load_policy_exec_t:process load_policy_t;
	dontaudit $1 load_policy_t:process { noatsecure siginh rlimitinh };

	allow $1 load_policy_t:fd use;
	allow load_policy_t $1:fd use;
	allow load_policy_t $1:fifo_file rw_file_perms;
	allow load_policy_t $1:process sigchld;
')

define(`selinux_load_policy_transition_depend',`
	type load_policy_t, load_policy_exec_t;

	class file { getattr read execute };
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
## <interface name="selinux_load_policy_transition_add_role_use_terminal">
##	<description>
##		Execute load_policy in the load_policy domain, and
##		allow the specified role the load_policy domain,
##		and use the caller's terminal.
##		Has a SIGCHLD signal backchannel.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the load_policy domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the load_policy domain to use.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_load_policy_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)

	selinux_load_policy_transition($1)
	role $2 types load_policy_t;
	allow load_policy_t $3:chr_file { getattr read write ioctl };
')

define(`selinux_load_policy_transition_add_role_use_terminal_depend',`
	type load_policy_t;

	class chr_file { getattr read write ioctl };
')

#######################################
#
# selinux_load_policy_execute(domain)
#
define(`selinux_load_policy_execute',`
	requires_block_template(`$0'_depend)

	allow $1 load_policy_exec_t:file { getattr read execute execute_no_trans };
')

define(`selinux_load_policy_execute_depend',`
	type load_policy_exec_t;

	class file { getattr read execute execute_no_trans };
')

#######################################
#
# selinux_read_load_policy_binary(domain)
#
define(`selinux_read_load_policy_binary',`
	requires_block_template(`$0'_depend)

	allow $1 load_policy_exec_t:file { getattr read };
')

define(`selinux_read_load_policy_binary_depend',`
	type load_policy_exec_t;

	class file { getattr read };
')

#######################################
## <interface name="selinux_newrole_transition">
##	<description>
##		Execute newrole in the load_policy domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_newrole_transition',`
	requires_block_template(`$0'_depend)

	allow $1 newrole_exec_t:file { getattr read execute };
	allow $1 newrole_t:process transition;
	type_transition $1 newrole_exec_t:process newrole_t;
	dontaudit $1 newrole_t:process { noatsecure siginh rlimitinh };

	allow $1 newrole_t:fd use;
	allow newrole_t $1:fd use;
	allow newrole_t $1:fifo_file rw_file_perms;
	allow newrole_t $1:process sigchld;
')

define(`selinux_newrole_transition_depend',`
	type newrole_t, newrole_exec_t;

	class file { getattr read execute };
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
## <interface name="selinux_newrole_transition_add_role_use_terminal">
##	<description>
##		Execute newrole in the newrole domain, and
##		allow the specified role the newrole domain,
##		and use the caller's terminal.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the newrole domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the newrole domain to use.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_newrole_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)

	selinux_newrole_transition($1)
	role $2 types newrole_t;
	allow newrole_t $3:chr_file { getattr read write ioctl };
')

define(`selinux_newrole_transition_add_role_use_terminal_depend',`
	type newrole_t;

	class chr_file { getattr read write ioctl };
')

#######################################
#
# selinux_newrole_execute(domain)
#
define(`selinux_newrole_execute',`
	requires_block_template(`$0'_depend)

	allow $1 newrole_exec_t:file { getattr read execute execute_no_trans };
')

define(`selinux_newrole_execute_depend',`
	type newrole_t, newrole_exec_t;

	class file { getattr read execute execute_no_trans };
')

########################################
## <interface name="selinux_newrole_ignore_signal">
##	<description>
##		Do not audit the caller attempts to send
##		a signal to newrole.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="none"/>
## </interface>
#
define(`selinux_newrole_ignore_signal',`
	requires_block_template(`$0'_depend)

	dontaudit $1 newrole_t:process signal;
')

define(`selinux_newrole_ignore_signal_depend',`
	type newrole_t;

	class process signal;
')

#######################################
#
# selinux_newrole_sigchld(domain)
#
define(`selinux_newrole_sigchld',`
	requires_block_template(`$0'_depend)

	allow $1 newrole_t:process sigchld;
')

define(`selinux_newrole_sigchld_depend',`
	type newrole_t;

	class process sigchld;
')

#######################################
#
# selinux_newrole_use_file_descriptors(domain)
#
define(`selinux_newrole_use_file_descriptors',`
	requires_block_template(`$0'_depend)

	allow $1 newrole_t:fd use;
')

define(`selinux_newrole_use_file_descriptors_depend',`
	type newrole_t;

	class fd use;
')

#######################################
## <interface name="selinux_restorecon_transition">
##	<description>
##		Execute restorecon in the restorecon domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_restorecon_transition',`
	requires_block_template(`$0'_depend)

	allow $1 restorecon_exec_t:file { getattr read execute };
	allow $1 restorecon_t:process transition;
	type_transition $1 restorecon_exec_t:process restorecon_t;
	dontaudit $1 restorecon_t:process { noatsecure siginh rlimitinh };

	allow $1 restorecon_t:fd use;
	allow restorecon_t $1:fd use;
	allow restorecon_t $1:fifo_file rw_file_perms;
	allow restorecon_t $1:process sigchld;
')

define(`selinux_restorecon_transition_depend',`
	type restorecon_t, restorecon_exec_t;

	class file { getattr read execute };
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
## <interface name="selinux_restorecon_transition_add_role_use_terminal">
##	<description>
##		Execute restorecon in the restorecon domain, and
##		allow the specified role the restorecon domain,
##		and use the caller's terminal.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the restorecon domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the restorecon domain to use.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_restorecon_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)

	selinux_restorecon_transition($1)
	role $2 types restorecon_t;
	allow restorecon_t $3:chr_file { getattr read write ioctl };
')

define(`selinux_restorecon_transition_add_role_use_terminal_depend',`
	type restorecon_t;

	class chr_file { getattr read write ioctl };
')

#######################################
#
# selinux_restorecon_execute(domain)
#
define(`selinux_restorecon_execute',`
requires_block_template(`$0'_depend)
allow $1 restorecon_exec_t:file { getattr read execute execute_no_trans };
')

define(`selinux_restorecon_execute_depend',`
	type restorecon_t, restorecon_exec_t;

	class file { getattr read execute execute_no_trans };
')

########################################
## <interface name="selinux_run_init_transition">
##	<description>
##		Execute run_init in the run_init domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_run_init_transition',`
	requires_block_template(`$0'_depend)

	allow $1 run_init_exec_t:file { getattr read execute };
	allow $1 run_init_t:process transition;
	type_transition $1 run_init_exec_t:process run_init_t;
	dontaudit $1 run_init_t:process { noatsecure siginh rlimitinh };

	allow $1 run_init_t:fd use;
	allow run_init_t $1:fd use;
	allow run_init_t $1:fifo_file rw_file_perms;
	allow run_init_t $1:process sigchld;
')

define(`selinux_run_init_transition_depend',`
	type run_init_t, run_init_exec_t;

	class file { getattr read execute };
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
## <interface name="selinux_run_init_transition_add_role_use_terminal">
##	<description>
##		Execute run_init in the run_init domain, and
##		allow the specified role the run_init domain,
##		and use the caller's terminal.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the run_init domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the run_init domain to use.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_run_init_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)

	selinux_run_init_transition($1)
	role $2 types run_init_t;
	allow run_init_t $3:chr_file { getattr read write ioctl };
')

define(`selinux_run_init_transition_add_role_use_terminal_depend',`
	type run_init_t;

	class chr_file { getattr read write ioctl };
')

########################################
#
# selinux_run_init_use_file_descriptors(domain)
#
define(`selinux_run_init_use_file_descriptors',`
	requires_block_template(`$0'_depend)

	allow $1 run_init_t:fd use;
')

define(`selinux_run_init_use_file_descriptors_depend',`
	type run_init_t;

	class fd use;
')

########################################
## <interface name="selinux_setfiles_transition">
##	<description>
##		Execute setfiles in the setfiles domain.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_setfiles_transition',`
	requires_block_template(`$0'_depend)

	allow $1 setfiles_exec_t:file { getattr read execute };
	allow $1 setfiles_t:process transition;
	type_transition $1 setfiles_exec_t:process setfiles_t;
	dontaudit $1 setfiles_t:process { noatsecure siginh rlimitinh };

	allow $1 setfiles_t:fd use;
	allow setfiles_t $1:fd use;
	allow setfiles_t $1:fifo_file rw_file_perms;
	allow setfiles_t $1:process sigchld;
')

define(`selinux_setfiles_transition_depend',`
	type setfiles_t, setfiles_exec_t;

	class file { getattr read execute };
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
## <interface name="selinux_setfiles_transition_add_role_use_terminal">
##	<description>
##		Execute setfiles in the setfiles domain, and
##		allow the specified role the setfiles domain,
##		and use the caller's terminal.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to be allowed the setfiles domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal allow the setfiles domain to use.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_setfiles_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)

	selinux_setfiles_transition($1)
	role $2 types setfiles_t;
	allow setfiles_t $3:chr_file { getattr read write ioctl };
')

define(`selinux_setfiles_transition_add_role_use_terminal_depend',`
	type setfiles_t;

	class chr_file { getattr read write ioctl };
')

#######################################
#
# selinux_setfiles_execute(domain)
#
define(`selinux_setfiles_execute',`
	requires_block_template(`$0'_depend)

	allow $1 setfiles_exec_t:file { getattr read execute execute_no_trans };
')

define(`selinux_setfiles_execute_depend',`
	type setfiles_exec_t;

	class file { getattr read execute execute_no_trans };
')

########################################
#
# selinux_read_config(domain)
#
define(`selinux_read_config',`
	requires_block_template(`$0'_depend)

	allow $1 selinux_config_t:dir { getattr search read };
	allow $1 selinux_config_t:file { getattr read };
')

define(`selinux_read_config_depend',`
	type selinux_config_t;

	class dir { getattr search read };
	class file { getattr read };
')

########################################
#
# selinux_read_default_contexts(domain)
#
define(`selinux_read_default_contexts',`
	requires_block_template(`$0'_depend)

	allow $1 selinux_config_t:dir search;
	allow $1 default_context_t:dir { getattr search read };
	allow $1 default_context_t:file { getattr read };
')

define(`selinux_read_default_contexts_depend',`
	type selinux_config_t, default_context_t;

	class dir { getattr search read };
	class file { getattr read };
')

########################################
#
# selinux_read_file_contexts(domain)
#
define(`selinux_read_file_contexts',`
	requires_block_template(`$0'_depend)

	allow $1 selinux_config_t:dir search;
	allow $1 file_context_t:dir { getattr search read };
	allow $1 file_context_t:file { getattr read };
')

define(`selinux_read_file_contexts_depend',`
	type selinux_config_t, file_context_t;

	class dir { getattr search read };
	class file { getattr read };
')

########################################
#
# selinux_read_binary_policy(domain)
#
define(`selinux_read_binary_policy',`
	requires_block_template(`$0'_depend)

	allow $1 policy_config_t:dir { getattr search read };
	allow $1 policy_config_t:file { getattr read };
')

define(`selinux_read_binary_policy_depend',`
	type policy_config_t;

	class dir { getattr search read };
	class file { getattr read };
')

########################################
#
# selinux_write_binary_policy(domain)
#
define(`selinux_write_binary_policy',`
	requires_block_template(`$0'_depend)

	allow $1 policy_config_t:dir { getattr search read write add_name remove_name };
	allow $1 policy_config_t:file { getattr create write unlink };
	typeattribute $1 can_write_binary_policy;
')

define(`selinux_write_binary_policy_depend',`
	attribute can_write_binary_policy;

	type policy_config_t;

	class dir { getattr search read write add_name remove_name };
	class file { getattr create write unlink };
')

########################################
## <interface name="selinux_relabelto_binary_policy">
##	<description>
##		Allow the caller to relabel a file to the binary policy type.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="write" weight="10"/>
## </interface>
#
define(`selinux_relabelto_binary_policy',`
	requires_block_template(`$0'_depend)

	allow $1 policy_config_t:file relabelto;
	typeattribute $1 can_relabelto_binary_policy;
')

define(`selinux_relabelto_binary_policy_depend',`
	attribute can_relabelto_binary_policy;

	type policy_config_t;

	class file relabelto;
')

########################################
#
# selinux_manage_binary_policy(domain)
#
define(`selinux_manage_binary_policy',`
	requires_block_template(`$0'_depend)

	# FIXME: search etc_t:dir
	allow $1 selinux_config_t:dir search;
	allow $1 policy_config_t:dir { getattr search read };
	allow $1 policy_config_t:file { create ioctl read getattr lock write setattr append link unlink rename };
	typeattribute $1 can_write_binary_policy;
')

define(`selinux_manage_binary_policy_depend',`
	attribute can_write_binary_policy;

	type selinux_config_t, policy_config_t;
	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
	class file { create ioctl read getattr lock write setattr append link unlink rename };
')

########################################
#
# selinux_read_source_policy(domain)
#
define(`selinux_read_source_policy',`
	requires_block_template(`$0'_depend)

	# FIXME: search etc_t:dir
	allow $1 selinux_config_t:dir search;
	allow $1 policy_src_t:dir { getattr search read };
	allow $1 policy_src_t:file { getattr read };
')

define(`selinux_read_source_policy_depend',`
	type selinux_config_t, policy_src_t;

	class dir { getattr search read };
	class file { getattr read };
')

########################################
#
# selinux_manage_source_policy(domain)
#
define(`selinux_manage_source_policy',`
	requires_block_template(`$0'_depend)

	# FIXME: search etc_t:dir
	allow $1 selinux_config_t:dir search;
	allow $1 policy_src_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
	allow $1 policy_src_t:file { create ioctl read getattr lock write setattr append link unlink rename };
')

define(`selinux_manage_source_policy_depend',`
	type selinux_config_t, policy_src_t;

	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
	class file { create ioctl read getattr lock write setattr append link unlink rename };
')

## </module>