## <summary>Multilevel security policy</summary>
## <desc>
##	<p>
##	This module contains interfaces for handling multilevel
##	security.  The interfaces allow the specified subjects
##	and objects to be allowed certain privileges in the
##	MLS rules.
##	</p>
## </desc>
## <required val="true">
##	Contains attributes used in MLS policy.
## </required>

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from files up to its clearance.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_file_read_to_clearance',`
	# Require the mlsfilereadtoclr attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsfilereadtoclr;
	')

	# Add the caller-supplied type (first argument) to mlsfilereadtoclr.
	# Per the summary above, the read override is bounded by the clearance
	# of the domain, so it is narrower than mls_file_read_all_levels.
	typeattribute $1 mlsfilereadtoclr;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from files at all levels.  (Deprecated)
## </summary>
## <desc>
##	<p>
##	Make specified domain MLS trusted
##	for reading from files at all levels.
##	</p>
##	<p>
##	This interface has been deprecated, please use
##	mls_file_read_all_levels() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mls_file_read_up',`
	# Deprecated alias. refpolicywarn is a support macro defined outside
	# this file; presumably it prints the message at policy build time.
	refpolicywarn(`$0($*) has been deprecated, please use mls_file_read_all_levels() instead.')
	# Delegate unchanged: callers still get the all-levels file read
	# override, so deprecated call sites deserve the same review.
	mls_file_read_all_levels($1)
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from files at all levels.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_file_read_all_levels',`
	# Require the mlsfileread attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsfileread;
	')

	# Add the caller-supplied type (first argument) to mlsfileread.
	# Per the summary this is the unbounded file read override (the
	# deprecated alias calls it read up), so grant it sparingly. The MLS
	# constraints that honour the attribute are not visible in this file.
	typeattribute $1 mlsfileread;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to files up to its clearance.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_file_write_to_clearance',`
	# Require the mlsfilewritetoclr attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsfilewritetoclr;
	')

	# Add the caller-supplied type (first argument) to mlsfilewritetoclr.
	# Per the summary, the write override stops at the clearance of the
	# domain rather than covering every level.
	typeattribute $1 mlsfilewritetoclr;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to files at all levels.  (Deprecated)
## </summary>
## <desc>
##	<p>
##	Make specified domain MLS trusted
##	for writing to files at all levels.
##	</p>
##	<p>
##	This interface has been deprecated, please use
##	mls_file_write_all_levels() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mls_file_write_down',`
	# Deprecated alias. refpolicywarn is a support macro defined outside
	# this file; presumably it prints the message at policy build time.
	refpolicywarn(`$0($*) has been deprecated, please use mls_file_write_all_levels() instead.')
	# Delegate unchanged: callers still get the all-levels file write
	# override, so deprecated call sites deserve the same review.
	mls_file_write_all_levels($1)
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to files at all levels.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_file_write_all_levels',`
	# Require the mlsfilewrite attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsfilewrite;
	')

	# Add the caller-supplied type (first argument) to mlsfilewrite.
	# Per the summary this is the unbounded file write override (the
	# deprecated alias calls it write down), which lets data flow to lower
	# levels. Grant it only to domains trusted not to leak.
	typeattribute $1 mlsfilewrite;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for raising the level of files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_file_upgrade',`
	# Require the mlsfileupgrade attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsfileupgrade;
	')

	# Add the caller-supplied type (first argument) to mlsfileupgrade.
	# Per the summary this trusts the domain to raise the level of files,
	# that is, to relabel them to a higher sensitivity.
	typeattribute $1 mlsfileupgrade;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for lowering the level of files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_file_downgrade',`
	# Require the mlsfiledowngrade attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsfiledowngrade;
	')

	# Add the caller-supplied type (first argument) to mlsfiledowngrade.
	# Per the summary this trusts the domain to lower the level of files.
	# Lowering a level exposes content to lower-cleared subjects, so keep
	# the set of callers small and audited.
	typeattribute $1 mlsfiledowngrade;
')

########################################
## <summary>
##	Make specified domain trusted to
##	write to files within its MLS range.
##	The subject's MLS range must be a
##	proper subset of the object's MLS range.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_file_write_within_range',`
	# Require the mlsfilewriteinrange attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsfilewriteinrange;
	')

	# Add the caller-supplied type (first argument) to mlsfilewriteinrange.
	# The summary states the range condition (subject range a proper
	# subset of the object range); the constraint that enforces it is not
	# visible in this file.
	typeattribute $1 mlsfilewriteinrange;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from sockets at any level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_socket_read_all_levels',`
	# Require the mlsnetread attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsnetread;
	')

	# Add the caller-supplied type (first argument) to mlsnetread.
	# Per the summary this is the unbounded socket read override; prefer
	# mls_socket_read_to_clearance where the bounded form is enough.
	typeattribute $1 mlsnetread;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from sockets at any level
##	that is dominated by the process clearance.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_socket_read_to_clearance',`
	# Require the mlsnetreadtoclr attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsnetreadtoclr;
	')

	# Add the caller-supplied type (first argument) to mlsnetreadtoclr.
	# Per the summary, socket reads are trusted only at levels dominated
	# by the process clearance.
	typeattribute $1 mlsnetreadtoclr;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to sockets up to
##	its clearance.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_socket_write_to_clearance',`
	# Require the mlsnetwritetoclr attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsnetwritetoclr;
	')

	# Add the caller-supplied type (first argument) to mlsnetwritetoclr.
	# Per the summary, socket writes are trusted up to the clearance of
	# the domain, not at every level.
	typeattribute $1 mlsnetwritetoclr;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to sockets at any level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_socket_write_all_levels',`
	# Require the mlsnetwrite attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsnetwrite;
	')

	# Add the caller-supplied type (first argument) to mlsnetwrite.
	# Per the summary this is the unbounded socket write override, which
	# includes writing to sockets at lower levels. Grant sparingly.
	typeattribute $1 mlsnetwrite;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for receiving network data from 
##	network interfaces or hosts at any level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_net_receive_all_levels',`
	# Require the mlsnetrecvall attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsnetrecvall;
	')

	# Add the caller-supplied type (first argument) to mlsnetrecvall.
	# Per the summary the domain may then receive data from network
	# interfaces or hosts labelled at any level.
	typeattribute $1 mlsnetrecvall;
')

########################################
## <summary>
##	Make specified domain trusted to
##	write to network objects within its MLS range.
##	The subject's MLS range must be a
##	proper subset of the object's MLS range.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_net_write_within_range',`
	# Require the mlsnetwriteranged attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsnetwriteranged;
	')

	# Add the caller-supplied type (first argument) to mlsnetwriteranged.
	# The summary states the range condition (subject range a proper
	# subset of the object range); the constraint that enforces it is not
	# visible in this file.
	typeattribute $1 mlsnetwriteranged;
')

########################################
## <summary>
##	Make specified domain trusted to
##	write inbound packets regardless of the
##	network's or node's MLS range.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_net_inbound_all_levels',`
	# Require the mlsnetinbound attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsnetinbound;
	')

	# Add the caller-supplied type (first argument) to mlsnetinbound.
	# Per the summary, inbound packets are then handled regardless of the
	# MLS range of the network or node, so labelled-network separation no
	# longer restricts this domain on the inbound path.
	typeattribute $1 mlsnetinbound;
')

########################################
## <summary>
##	Make specified domain trusted to
##	write outbound packets regardless of the
##	network's or node's MLS range.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_net_outbound_all_levels',`
	# Require the mlsnetoutbound attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsnetoutbound;
	')

	# Add the caller-supplied type (first argument) to mlsnetoutbound.
	# Per the summary, outbound packets may then be written regardless of
	# the MLS range of the network or node. Treat this as an egress
	# override and review each caller.
	typeattribute $1 mlsnetoutbound;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from System V IPC objects
##	up to its clearance.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_sysvipc_read_to_clearance',`
	# Require the mlsipcreadtoclr attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsipcreadtoclr;
	')

	# Add the caller-supplied type (first argument) to mlsipcreadtoclr.
	# Per the summary, System V IPC reads are trusted only up to the
	# clearance of the domain.
	typeattribute $1 mlsipcreadtoclr;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from System V IPC objects
##	at any level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_sysvipc_read_all_levels',`
	# Require the mlsipcread attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsipcread;
	')

	# Add the caller-supplied type (first argument) to mlsipcread.
	# Per the summary this is the unbounded read override for System V
	# IPC objects; prefer the to-clearance variant where it suffices.
	typeattribute $1 mlsipcread;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to System V IPC objects
##	up to its clearance.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_sysvipc_write_to_clearance',`
	# Require the mlsipcwritetoclr attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsipcwritetoclr;
	')

	# Add the caller-supplied type (first argument) to mlsipcwritetoclr.
	# Per the summary, System V IPC writes are trusted only up to the
	# clearance of the domain.
	typeattribute $1 mlsipcwritetoclr;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to System V IPC objects
##	at any level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_sysvipc_write_all_levels',`
	# Require the mlsipcwrite attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsipcwrite;
	')

	# Add the caller-supplied type (first argument) to mlsipcwrite.
	# Per the summary this is the unbounded write override for System V
	# IPC objects, which includes objects at lower levels. Grant sparingly.
	typeattribute $1 mlsipcwrite;
')

########################################
## <summary>
##	Allow the specified domain to do a MLS
##	range transition that changes
##	the current level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mls_rangetrans_source',`
	# Require the privrangetrans attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute privrangetrans;
	')

	# Add the caller-supplied type (first argument) to privrangetrans.
	# Per the summary this marks the domain as allowed to start a range
	# transition that changes the current level. Presumably it only takes
	# effect together with a matching mls_rangetrans_target; confirm
	# against the constraints, which are not visible in this file.
	typeattribute $1 privrangetrans;
')

########################################
## <summary>
##	Make specified domain a target domain
##	for MLS range transitions that change
##	the current level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mls_rangetrans_target',`
	# Require the mlsrangetrans attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsrangetrans;
	')

	# Add the caller-supplied type (first argument) to mlsrangetrans.
	# Per the summary this marks the domain as a valid destination of a
	# range transition that changes the current level.
	typeattribute $1 mlsrangetrans;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from processes up to
##	its clearance.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_process_read_to_clearance',`
	# Require the mlsprocreadtoclr attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsprocreadtoclr;
	')

	# Add the caller-supplied type (first argument) to mlsprocreadtoclr.
	# Per the summary, reads from other processes are trusted only up to
	# the clearance of the domain.
	typeattribute $1 mlsprocreadtoclr;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from processes at all levels.  (Deprecated)
## </summary>
## <desc>
##	<p>
##	Make specified domain MLS trusted
##	for reading from processes at all levels.
##	</p>
##	<p>
##	This interface has been deprecated, please use
##	mls_process_read_all_levels() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mls_process_read_up',`
	# NOTE(review): the deprecation warning below is commented out, unlike
	# mls_file_read_up in this file. Callers of this deprecated alias get
	# no build-time signal yet still receive the all-levels process read
	# override. Confirm whether the silence is intentional.
#	refpolicywarn(`$0($*) has been deprecated, please use mls_process_read_all_levels() instead.')
	# Delegate unchanged to the replacement interface.
	mls_process_read_all_levels($1)
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from processes at all levels.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_process_read_all_levels',`
	# Require the mlsprocread attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsprocread;
	')

	# Add the caller-supplied type (first argument) to mlsprocread.
	# Per the summary this is the unbounded process read override (the
	# deprecated alias calls it read up). Grant sparingly; the constraints
	# that honour the attribute are not visible in this file.
	typeattribute $1 mlsprocread;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to processes up to
##	its clearance.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_process_write_to_clearance',`
	# Require the mlsprocwritetoclr attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsprocwritetoclr;
	')

	# Add the caller-supplied type (first argument) to mlsprocwritetoclr.
	# Per the summary, writes to other processes are trusted only up to
	# the clearance of the domain.
	typeattribute $1 mlsprocwritetoclr;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to processes at all levels.  (Deprecated)
## </summary>
## <desc>
##	<p>
##	Make specified domain MLS trusted
##	for writing to processes at all levels.
##	</p>
##	<p>
##	This interface has been deprecated, please use
##	mls_process_write_all_levels() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mls_process_write_down',`
	# NOTE(review): the deprecation warning below is commented out, unlike
	# mls_file_write_down in this file. Callers of this deprecated alias
	# get no build-time signal yet still receive the all-levels process
	# write override. Confirm whether the silence is intentional.
#	refpolicywarn(`$0($*) has been deprecated, please use mls_process_write_all_levels() instead.')
	# Delegate unchanged to the replacement interface.
	mls_process_write_all_levels($1)
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to processes at all levels.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_process_write_all_levels',`
	# Require the mlsprocwrite attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsprocwrite;
	')

	# Add the caller-supplied type (first argument) to mlsprocwrite.
	# Per the summary this is the unbounded process write override (the
	# deprecated alias calls it write down), which lets the domain act on
	# processes at lower levels. Grant sparingly.
	typeattribute $1 mlsprocwrite;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for setting the level of processes
##	it executes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_process_set_level',`
	# Require the mlsprocsetsl attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsprocsetsl;
	')

	# Add the caller-supplied type (first argument) to mlsprocsetsl.
	# Per the summary this trusts the domain to choose the level of the
	# processes it executes, so a compromised caller could launch work at
	# a level of its choosing. Review each grant.
	typeattribute $1 mlsprocsetsl;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from X objects up to its clearance.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_xwin_read_to_clearance',`
	# Require the mlsxwinreadtoclr attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsxwinreadtoclr;
	')

	# Add the caller-supplied type (first argument) to mlsxwinreadtoclr.
	# Per the summary, reads of X objects are trusted only up to the
	# clearance of the domain.
	typeattribute $1 mlsxwinreadtoclr;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from X objects at any level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_xwin_read_all_levels',`
	# Require the mlsxwinread attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsxwinread;
	')

	# Add the caller-supplied type (first argument) to mlsxwinread.
	# Per the summary this is the unbounded read override for X objects;
	# prefer mls_xwin_read_to_clearance where the bounded form is enough.
	typeattribute $1 mlsxwinread;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to X objects up to its clearance.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_xwin_write_to_clearance',`
	# Require the mlsxwinwritetoclr attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsxwinwritetoclr;
	')

	# Add the caller-supplied type (first argument) to mlsxwinwritetoclr.
	# Per the summary, writes to X objects are trusted only up to the
	# clearance of the domain.
	typeattribute $1 mlsxwinwritetoclr;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to X objects at any level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_xwin_write_all_levels',`
	# Require the mlsxwinwrite attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsxwinwrite;
	')

	# Add the caller-supplied type (first argument) to mlsxwinwrite.
	# Per the summary this is the unbounded write override for X objects,
	# which includes objects at lower levels. Grant sparingly.
	typeattribute $1 mlsxwinwrite;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from X colormaps at any level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_colormap_read_all_levels',`
	# Require the mlsxwinreadcolormap attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsxwinreadcolormap;
	')

	# Add the caller-supplied type (first argument) to mlsxwinreadcolormap.
	# Per the summary the override is limited to reading X colormaps, at
	# any level.
	typeattribute $1 mlsxwinreadcolormap;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to X colormaps at any level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_colormap_write_all_levels',`
	# Require the mlsxwinwritecolormap attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsxwinwritecolormap;
	')

	# Add the caller-supplied type (first argument) to mlsxwinwritecolormap.
	# Per the summary the override is limited to writing X colormaps, at
	# any level.
	typeattribute $1 mlsxwinwritecolormap;
')

########################################
## <summary>
##	Make specified object MLS trusted.
## </summary>
## <desc>
##	<p>
##	Make specified object MLS trusted.  This
##	allows all levels to read and write the
##	object.
##	</p>
##	<p>
##	This currently only applies to filesystem
##	objects, for example, files and directories.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the object.
##	</summary>
## </param>
#
interface(`mls_trusted_object',`
	# Require the mlstrustedobject attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlstrustedobject;
	')

	# Add the caller-supplied type (first argument) to mlstrustedobject.
	# Unlike the other interfaces in this file the argument is an object
	# type, not a domain, even though the header names the param domain.
	# Per the description every level may then read and write objects of
	# that type, so such objects can carry data between levels. Apply only
	# to types whose content is not level-sensitive.
	typeattribute $1 mlstrustedobject;
')

########################################
## <summary>
##	Make the specified domain trusted
##	to inherit and use file descriptors
##	from all levels.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_fd_use_all_levels',`
	# Require the mlsfduse attribute, which must be declared elsewhere in
	# the policy.
	gen_require(`
		attribute mlsfduse;
	')

	# Add the caller-supplied type (first argument) to mlsfduse.
	# Per the summary the domain may then inherit and use file descriptors
	# that originate at any level.
	typeattribute $1 mlsfduse;
')

########################################
## <summary>
##	Make the file descriptors from the
##	specified domain inheritable by
##	all levels.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_fd_share_all_levels',`
	# Require the mlsfdshare attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsfdshare;
	')

	# Add the caller-supplied type (first argument) to mlsfdshare.
	# Per the summary, descriptors owned by this domain become inheritable
	# by processes at any level. This is the mirror of
	# mls_fd_use_all_levels, which trusts the inheriting side.
	typeattribute $1 mlsfdshare;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for translating contexts at all levels.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_context_translate_all_levels',`
	# Require the mlstranslate attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlstranslate;
	')

	# Add the caller-supplied type (first argument) to mlstranslate.
	# Per the summary the domain is then trusted to translate contexts at
	# all levels.
	typeattribute $1 mlstranslate;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for reading from databases at any level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_db_read_all_levels',`
	# Require the mlsdbread attribute, which must be declared elsewhere in
	# the policy.
	gen_require(`
		attribute mlsdbread;
	')

	# Add the caller-supplied type (first argument) to mlsdbread.
	# Per the summary this is the unbounded read override for database
	# objects. Grant sparingly.
	typeattribute $1 mlsdbread;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for writing to databases at any level.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_db_write_all_levels',`
	# Require the mlsdbwrite attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsdbwrite;
	')

	# Add the caller-supplied type (first argument) to mlsdbwrite.
	# Per the summary this is the unbounded write override for database
	# objects, which includes objects at lower levels. Grant sparingly.
	typeattribute $1 mlsdbwrite;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for raising the level of databases.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_db_upgrade',`
	# Require the mlsdbupgrade attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsdbupgrade;
	')

	# Add the caller-supplied type (first argument) to mlsdbupgrade.
	# Per the summary this trusts the domain to raise the level of
	# database objects.
	typeattribute $1 mlsdbupgrade;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for lowering the level of databases.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_db_downgrade',`
	# Require the mlsdbdowngrade attribute, which must be declared
	# elsewhere in the policy.
	gen_require(`
		attribute mlsdbdowngrade;
	')

	# Add the caller-supplied type (first argument) to mlsdbdowngrade.
	# Per the summary this trusts the domain to lower the level of
	# database objects. Lowering a level exposes content to lower-cleared
	# subjects, so keep the set of callers small and audited.
	typeattribute $1 mlsdbdowngrade;
')
########################################
## <summary>
##	Make specified domain MLS trusted
##	for sending dbus messages to 
##	all levels.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_dbus_send_all_levels',`
	# Require the mlsdbussend attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsdbussend;
	')

	# Add the caller-supplied type (first argument) to mlsdbussend.
	# Per the summary the domain may then send dbus messages to peers at
	# any level, including lower ones. Grant sparingly.
       typeattribute $1 mlsdbussend;
')

########################################
## <summary>
##	Make specified domain MLS trusted
##	for receiving dbus messages from 
##	all levels.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mls_dbus_recv_all_levels',`
	# Require the mlsdbusrecv attribute, which must be declared elsewhere
	# in the policy.
	gen_require(`
		attribute mlsdbusrecv;
	')

	# Add the caller-supplied type (first argument) to mlsdbusrecv.
	# Per the summary the domain may then receive dbus messages from
	# peers at any level.
       typeattribute $1 mlsdbusrecv;
')