## ## Basic filesystem types and interfaces. ## ## ##

## This module contains basic filesystem types and interfaces. This ## includes: ##

##

##
## ## Contains the concept of a file. ## Comains the file initial SID. ## ######################################## ## ## Make the specified type usable for files ## in a filesystem. ## ## ## Type to be used for files. ## # interface(`files_type',` gen_require(` attribute file_type; ') fs_associate($1) fs_associate_noxattr($1) typeattribute $1 file_type; ') ######################################## # # files_lock_file(type) # interface(`files_lock_file',` gen_require(` attribute lockfile; ') files_type($1) typeattribute $1 lockfile; ') ######################################## # # files_mountpoint(type) # interface(`files_mountpoint',` gen_require(` attribute mountpoint; ') files_type($1) typeattribute $1 mountpoint; ') ######################################## # # files_pid_file(type) # interface(`files_pid_file',` gen_require(` attribute pidfile; ') files_type($1) typeattribute $1 pidfile; ') ######################################## ## ## Make the specified type a ## polyinstantiated directory. ## ## ## Type of the file to be used as a ## polyinstantiated directory. ## # interface(`files_poly',` gen_require(` attribute polydir; ') files_type($1) typeattribute $1 polydir; ') ######################################## ## ## Make the specified type a parent ## of a polyinstantiated directory. ## ## ## Type of the file to be used as a ## parent directory. ## # interface(`files_poly_parent',` gen_require(` attribute polyparent; ') files_type($1) typeattribute $1 polyparent; ') ######################################## ## ## Make the specified type a ## polyinstantiation member directory. ## ## ## Type of the file to be used as a ## member directory. ## # interface(`files_poly_member',` gen_require(` attribute polymember; ') files_type($1) typeattribute $1 polymember; ') ######################################## ## ## Make the domain use the specified ## type of polyinstantiated directory. ## ## ## Domain using the polyinstantiated ## directory. ## ## ## Type of the file to be used as a ## member directory. ## # interface(`files_poly_member_tmp',` gen_require(` type tmp_t; ') type_member $1 tmp_t:dir $2; ') ######################################## ## ## Make the specified type a file that ## should not be dontaudited from ## browsing from user domains. ## ## ## Type of the file to be used as a ## member directory. ## # interface(`files_security_file',` gen_require(` attribute security_file_type; ') files_type($1) typeattribute $1 security_file_type; ') ######################################## ## ## Make the specified type a file ## used for temporary files. ## ## ## Type of the file to be used as a ## temporary file. ## # interface(`files_tmp_file',` gen_require(` attribute tmpfile; type tmp_t; ') files_type($1) files_poly_member($1) fs_associate_tmpfs($1) typeattribute $1 tmpfile; allow $1 tmp_t:filesystem associate; ') ######################################## ## ## Transform the type into a file, for use on a ## virtual memory filesystem (tmpfs). ## ## ## The type to be transformed. ## # interface(`files_tmpfs_file',` gen_require(` attribute tmpfsfile; ') files_type($1) fs_associate_tmpfs($1) typeattribute $1 tmpfsfile; ') ######################################## ## ## Get the attributes of all directories. ## ## ## Domain allowed access. ## # # cjp: this is an odd interface, because to getattr # all dirs, you need to search all the parent directories # interface(`files_getattr_all_dirs',` gen_require(` attribute file_type; class dir { getattr search }; ') allow $1 file_type:dir { getattr search }; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all directories. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_all_dirs',` gen_require(` attribute file_type; class dir getattr; ') dontaudit $1 file_type:dir getattr; ') ######################################## ## ## Search all directories. ## ## ## Domain allowed access. ## # interface(`files_search_all',` gen_require(` attribute file_type; ') allow $1 file_type:dir { getattr search }; ') ######################################## ## ## List the contents of all directories. ## ## ## Domain allowed access. ## # interface(`files_list_all_dirs',` gen_require(` attribute file_type; class dir r_dir_perms; ') allow $1 file_type:dir r_dir_perms; ') ######################################## ## ## Do not audit attempts to list all ## non security directories. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_list_non_security',` gen_require(` attribute file_type, security_file_type; ') dontaudit $1 { file_type -security_file_type }:dir r_dir_perms; ') ######################################## ## ## Get the attributes of all files. ## ## ## Domain allowed access. ## # interface(`files_getattr_all_files',` gen_require(` attribute file_type; class dir search; class file getattr; ') allow $1 file_type:dir search; allow $1 file_type:file getattr; ') ######################################## ## ## Get the attributes of all sockets ## with the type of a file. ## ## ## Domain allowed access. ## # # cjp: added for initrc_t/distro_redhat. I # do not think it has any effect. interface(`files_getattr_all_file_type_sockets',` gen_require(` attribute file_type; ') allow $1 file_type:socket_class_set getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all files. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_all_files',` gen_require(` attribute file_type; ') dontaudit $1 file_type:file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of non security files. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_non_security_files',` gen_require(` attribute file_type, security_file_type; ') dontaudit $1 { file_type -security_file_type }:file getattr; ') ######################################## ## ## Read all files. ## ## ## Domain allowed access. ## # interface(`files_read_all_files',` gen_require(` attribute file_type; class dir search; class file r_file_perms; ') allow $1 file_type:dir search; allow $1 file_type:file r_file_perms; optional_policy(`authlogin.te',` auth_read_shadow($1) ') ') ######################################## ## ## Get the attributes of all symbolic links. ## ## ## Domain allowed access. ## # interface(`files_getattr_all_symlinks',` gen_require(` attribute file_type; class dir search; class lnk_file getattr; ') allow $1 file_type:dir search; allow $1 file_type:lnk_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all symbolic links. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_all_symlinks',` gen_require(` attribute file_type; class lnk_file getattr; ') dontaudit $1 file_type:lnk_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of non security symbolic links. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_non_security_symlinks',` gen_require(` attribute file_type, security_file_type; ') dontaudit $1 { file_type -security_file_type }:lnk_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of non security block devices. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_non_security_blk_dev',` gen_require(` attribute file_type, security_file_type; ') dontaudit $1 { file_type -security_file_type }:blk_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of non security character devices. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_non_security_chr_dev',` gen_require(` attribute file_type, security_file_type; ') dontaudit $1 { file_type -security_file_type }:chr_file getattr; ') ######################################## ## ## Read all symbolic links. ## ## ## Domain allowed access. ## # interface(`files_read_all_symlinks',` gen_require(` attribute file_type; class dir search; class lnk_file { getattr read }; ') allow $1 file_type:dir search; allow $1 file_type:lnk_file { getattr read }; ') ######################################## ## ## Get the attributes of all named pipes. ## ## ## Domain allowed access. ## # interface(`files_getattr_all_pipes',` gen_require(` attribute file_type; class dir search; class fifo_file getattr; ') allow $1 file_type:dir search; allow $1 file_type:fifo_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all named pipes. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_all_pipes',` gen_require(` attribute file_type; class fifo_file getattr; ') dontaudit $1 file_type:fifo_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of non security named pipes. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_non_security_pipes',` gen_require(` attribute file_type, security_file_type; ') dontaudit $1 { file_type -security_file_type }:fifo_file getattr; ') ######################################## ## ## Get the attributes of all named sockets. ## ## ## Domain allowed access. ## # interface(`files_getattr_all_sockets',` gen_require(` attribute file_type; class dir search; class sock_file getattr; ') allow $1 file_type:dir search; allow $1 file_type:sock_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of all named sockets. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_all_sockets',` gen_require(` attribute file_type; class sock_file getattr; ') dontaudit $1 file_type:sock_file getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of non security named sockets. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_non_security_sockets',` gen_require(` attribute file_type, security_file_type; ') dontaudit $1 { file_type -security_file_type }:sock_file getattr; ') ######################################## ## ## Read all block nodes with file types. ## ## ## Domain allowed access. ## # interface(`files_read_all_blk_nodes',` gen_require(` attribute file_type; ') allow $1 file_type:dir search; allow $1 file_type:blk_file { getattr read }; ') ######################################## ## ## Read all character nodes with file types. ## ## ## Domain allowed access. ## # interface(`files_read_all_chr_nodes',` gen_require(` attribute file_type; ') allow $1 file_type:dir search; allow $1 file_type:chr_file { getattr read }; ') ######################################## ## ## Relabel all files on the filesystem, except ## the listed exceptions. ## ## ## The type of the domain perfoming this action. ## ## ## The types to be excluded. Each type or attribute ## must be negated by the caller. ## # interface(`files_relabel_all_files',` gen_require(` attribute file_type; class dir { r_dir_perms relabelfrom relabelto }; class file { relabelfrom relabelto }; class lnk_file { relabelfrom relabelto }; class fifo_file { relabelfrom relabelto }; class sock_file { relabelfrom relabelto }; class blk_file relabelfrom; class chr_file relabelfrom; ') allow $1 { file_type $2 }:dir { r_dir_perms relabelfrom relabelto }; allow $1 { file_type $2 }:file { getattr relabelfrom relabelto }; allow $1 { file_type $2 }:lnk_file { getattr relabelfrom relabelto }; allow $1 { file_type $2 }:fifo_file { getattr relabelfrom relabelto }; allow $1 { file_type $2 }:sock_file { getattr relabelfrom relabelto }; allow $1 { file_type $2 }:blk_file { getattr relabelfrom }; allow $1 { file_type $2 }:chr_file { getattr relabelfrom }; # satisfy the assertions: seutil_relabelto_binary_pol($1) ') ######################################## ## ## Manage all files on the filesystem, except ## the listed exceptions. ## ## ## The type of the domain perfoming this action. ## ## ## The types to be excluded. Each type or attribute ## must be negated by the caller. ## # interface(`files_manage_all_files',` gen_require(` attribute file_type; class dir create_dir_perms; class file create_file_perms; class lnk_file create_lnk_perms; class fifo_file create_file_perms; class sock_file create_file_perms; ') allow $1 { file_type $2 }:dir create_dir_perms; allow $1 { file_type $2 }:file create_file_perms; allow $1 { file_type $2 }:lnk_file create_lnk_perms; allow $1 { file_type $2 }:fifo_file create_file_perms; allow $1 { file_type $2 }:sock_file create_file_perms; # satisfy the assertions: seutil_create_binary_pol($1) bootloader_manage_kernel_modules($1) ') ######################################## # # files_search_all_dirs(domain) # interface(`files_search_all_dirs',` gen_require(` attribute file_type; class dir search; ') allow $1 file_type:dir search; ') ######################################## # # files_list_all_dirs(domain) # interface(`files_list_all_dirs',` gen_require(` attribute file_type; class dir r_dir_perms; ') allow $1 file_type:dir r_dir_perms; ') ######################################## # # files_dontaudit_search_all_dirs(domain) # interface(`files_dontaudit_search_all_dirs',` gen_require(` attribute file_type; class dir search; ') dontaudit $1 file_type:dir search; ') ####################################### # # files_relabelto_all_file_type_fs(domain) # interface(`files_relabelto_all_file_type_fs',` gen_require(` attribute file_type; class filesystem relabelto; ') allow $1 file_type:filesystem relabelto; ') ####################################### # # files_mount_all_file_type_fs(domain) # interface(`files_mount_all_file_type_fs',` gen_require(` attribute file_type; class filesystem mount; ') allow $1 file_type:filesystem mount; ') ####################################### # # files_unmount_all_file_type_fs(domain) # interface(`files_unmount_all_file_type_fs',` gen_require(` attribute file_type; class filesystem unmount; ') allow $1 file_type:filesystem unmount; ') ######################################## # # files_mounton_all_mountpoints(domain) # interface(`files_mounton_all_mountpoints',` gen_require(` attribute mountpoint; class dir { getattr search mounton }; ') allow $1 mountpoint:dir { getattr search mounton }; ') ######################################## # # files_list_root(domain) # interface(`files_list_root',` gen_require(` type root_t; class dir r_dir_perms; class lnk_file r_file_perms; ') allow $1 root_t:dir r_dir_perms; allow $1 root_t:lnk_file r_file_perms; ') ######################################## ## ## Create an object in the root directory, with a private ## type. If no object class is specified, the ## default is file. ## ## ## The type of the process performing this action. ## ## ## The type of the object to be created. If no type ## is specified, the type of the root directory will ## be used. ## ## ## The object class of the object being created. If ## no class is specified, file will be used. ## # interface(`files_create_root',` gen_require(` type root_t; class dir create_dir_perms; ') allow $1 root_t:dir rw_dir_perms; ifelse(`$3',`',` ifelse(`$2',`',` allow $1 root_t:file create_file_perms; ',` type_transition $1 root_t:file $2; ') ',` ifelse(`$2',`',` allow $1 root_t:$3 create_file_perms; ',` type_transition $1 root_t:$3 $2; ') ') ') ######################################## # # files_dontaudit_read_root_file(domain) # interface(`files_dontaudit_read_root_file',` gen_require(` type root_t; ') dontaudit $1 root_t:file { getattr read }; ') ######################################## # # files_dontaudit_rw_root_file(domain) # interface(`files_dontaudit_rw_root_file',` gen_require(` type root_t; class file { read write }; ') dontaudit $1 root_t:file { read write }; ') ######################################## # # files_dontaudit_rw_root_chr_dev(domain) # interface(`files_dontaudit_rw_root_chr_dev',` gen_require(` type root_t; class chr_file { read write }; ') dontaudit $1 root_t:chr_file { read write }; ') ######################################## # # files_delete_root_dir_entry(domain) # interface(`files_delete_root_dir_entry',` gen_require(` type root_t; class dir rw_dir_perms; ') allow $1 root_t:dir rw_dir_perms; ') ######################################## # # files_unmount_rootfs(domain) # interface(`files_unmount_rootfs',` gen_require(` type root_t; class filesystem unmount; ') allow $1 root_t:filesystem unmount; ') ######################################## ## ## Do not audit attempts to get the attributes of ## directories with the default file type. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_default_dir',` gen_require(` type default_t; ') dontaudit $1 default_t:dir getattr; ') ######################################## ## ## Search the contents of directories with the default file type. ## ## ## Domain allowed access. ## # interface(`files_search_default',` gen_require(` type default_t; ') allow $1 default_t:dir search; ') ######################################## ## ## List contents of directories with the default file type. ## ## ## Domain allowed access. ## # interface(`files_list_default',` gen_require(` type default_t; ') allow $1 default_t:dir r_dir_perms; ') ######################################## ## ## Do not audit attempts to list contents of ## directories with the default file type. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_list_default',` gen_require(` type default_t; ') dontaudit $1 default_t:dir r_dir_perms; ') ######################################## ## ## Mount a filesystem on a directory with the default file type. ## ## ## Domain allowed access. ## # interface(`files_mounton_default',` gen_require(` type default_t; ') allow $1 default_t:dir { getattr search mounton }; ') ######################################## ## ## Do not audit attempts to get the attributes of ## files with the default file type. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_default_files',` gen_require(` type default_t; ') dontaudit $1 default_t:file getattr; ') ######################################## ## ## Read files with the default file type. ## ## ## Domain allowed access. ## # interface(`files_read_default_files',` gen_require(` type default_t; ') allow $1 default_t:file r_file_perms; ') ######################################## ## ## Do not audit attempts to read files ## with the default file type. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_read_default_files',` gen_require(` type default_t; ') dontaudit $1 default_t:file r_file_perms; ') ######################################## ## ## Read symbolic links with the default file type. ## ## ## Domain allowed access. ## # interface(`files_read_default_symlinks',` gen_require(` type default_t; class lnk_file r_file_perms; ') allow $1 default_t:lnk_file r_file_perms; ') ######################################## ## ## Read sockets with the default file type. ## ## ## Domain allowed access. ## # interface(`files_read_default_sockets',` gen_require(` type default_t; class sock_file r_file_perms; ') allow $1 default_t:sock_file r_file_perms; ') ######################################## ## ## Read named pipes with the default file type. ## ## ## Domain allowed access. ## # interface(`files_read_default_pipes',` gen_require(` type default_t; class fifo_file r_file_perms; ') allow $1 default_t:fifo_file r_file_perms; ') ######################################## # # files_search_etc(domain) # interface(`files_search_etc',` gen_require(` type etc_t; class dir search; ') allow $1 etc_t:dir search; ') ######################################## ## ## Set the attributes of the /etc directories. ## ## ## Domain allowed access. ## # interface(`files_setattr_etc_dir',` gen_require(` type etc_t; class dir setattr; ') allow $1 etc_t:dir setattr; ') ######################################## # # files_list_etc(domain) # interface(`files_list_etc',` gen_require(` type etc_t; class dir r_dir_perms; ') allow $1 etc_t:dir r_dir_perms; ') ######################################## # # files_read_etc_files(domain) # interface(`files_read_etc_files',` gen_require(` type etc_t; class dir r_dir_perms; class file r_file_perms; class lnk_file r_file_perms; ') allow $1 etc_t:dir r_dir_perms; allow $1 etc_t:file r_file_perms; allow $1 etc_t:lnk_file r_file_perms; ') ######################################## # # files_rw_etc_files(domain) # interface(`files_rw_etc_files',` gen_require(` type etc_t; class dir r_dir_perms; class file rw_file_perms; class lnk_file r_file_perms; ') allow $1 etc_t:dir r_dir_perms; allow $1 etc_t:file rw_file_perms; allow $1 etc_t:lnk_file r_file_perms; ') ######################################## # # files_manage_etc_files(domain) # interface(`files_manage_etc_files',` gen_require(` type etc_t; class dir rw_dir_perms; class file create_file_perms; class lnk_file r_file_perms; ') allow $1 etc_t:dir rw_dir_perms; allow $1 etc_t:file create_file_perms; allow $1 etc_t:lnk_file r_file_perms; ') ######################################## ## ## Delete system configuration files in /etc. ## ## ## The type of the process performing this action. ## # interface(`files_delete_etc_files',` gen_require(` type etc_t; class dir rw_dir_perms; class file unlink; ') allow $1 etc_t:dir rw_dir_perms; allow $1 etc_t:file unlink; ') ######################################## # # files_exec_etc_files(domain) # interface(`files_exec_etc_files',` gen_require(` type etc_t; class dir r_dir_perms; class lnk_file r_file_perms; ') allow $1 etc_t:dir r_dir_perms; allow $1 etc_t:lnk_file r_file_perms; can_exec($1,etc_t) ') ######################################## # # files_create_boot_flag(domain) # # /halt, /.autofsck, etc # interface(`files_create_boot_flag',` gen_require(` type root_t, etc_runtime_t; class dir rw_dir_perms; class file { create read write setattr unlink}; ') allow $1 root_t:dir rw_dir_perms; allow $1 etc_runtime_t:file { create read write setattr unlink }; type_transition $1 root_t:file etc_runtime_t; ') ######################################## ## ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## ## ## Domain allowed access. ## # interface(`files_read_etc_runtime_files',` gen_require(` type etc_t, etc_runtime_t; class dir r_dir_perms; class file r_file_perms; ') allow $1 etc_t:dir r_dir_perms; allow $1 etc_runtime_t:file r_file_perms; ') ######################################## ## ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_read_etc_runtime_files',` gen_require(` type etc_runtime_t; class file { getattr read }; ') dontaudit $1 etc_runtime_t:file { getattr read }; ') ######################################## ## ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## ## ## Domain allowed access. ## # interface(`files_rw_etc_runtime_files',` gen_require(` type etc_t, etc_runtime_t; class dir r_dir_perms; class file rw_file_perms; ') allow $1 etc_t:dir r_dir_perms; allow $1 etc_runtime_t:file rw_file_perms; ') ######################################## ## ## Create, read, write, and delete files in ## /etc that are dynamically created on boot, ## such as mtab. ## ## ## Domain allowed access. ## # interface(`files_manage_etc_runtime_files',` gen_require(` type etc_t, etc_runtime_t; class dir rw_dir_perms; class file create_file_perms; ') allow $1 etc_t:dir rw_dir_perms; allow $1 etc_runtime_t:file create_file_perms; type_transition $1 etc_t:file etc_runtime_t; ') ######################################## # # files_create_etc_config(domain,privatetype,[class(es)]) # interface(`files_create_etc_config',` gen_require(` type etc_t; class dir rw_dir_perms; ') allow $1 etc_t:dir rw_dir_perms; ifelse(`$3',`',` type_transition $1 etc_t:file $2; ',` type_transition $1 etc_t:$3 $2; ') ') ######################################## ## ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## ## ## The type of the process performing this action. ## # interface(`files_dontaudit_search_isid_type_dir',` gen_require(` type file_t; ') dontaudit $1 file_t:dir search_dir_perms; ') ######################################## ## ## List the contents of directories on new filesystems ## that have not yet been labeled. ## ## ## The type of the process performing this action. ## # interface(`files_list_isid_type_dir',` gen_require(` type file_t; class dir r_dir_perms; ') allow $1 file_t:dir r_dir_perms; ') ######################################## ## ## Read and write directories on new filesystems ## that have not yet been labeled. ## ## ## The type of the process performing this action. ## # interface(`files_rw_isid_type_dir',` gen_require(` type file_t; class dir rw_dir_perms; ') allow $1 file_t:dir rw_dir_perms; ') ######################################## ## ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## ## ## The type of the process performing this action. ## # interface(`files_manage_isid_type_dir',` gen_require(` type file_t; class dir create_dir_perms; ') allow $1 file_t:dir create_dir_perms; ') ######################################## ## ## Mount a filesystem on a directory on new filesystems ## that has not yet been labeled. ## ## ## The type of the process performing this action. ## # interface(`files_mounton_isid_type_dir',` gen_require(` type file_t; class dir { getattr search mounton }; ') allow $1 file_t:dir { getattr search mounton }; ') ######################################## ## ## Read files on new filesystems ## that have not yet been labeled. ## ## ## The type of the process performing this action. ## # interface(`files_read_isid_type_file',` gen_require(` type file_t; class dir search; class file r_file_perms; ') allow $1 file_t:dir search; allow $1 file_t:file r_file_perms; ') ######################################## ## ## Create, read, write, and delete files ## on new filesystems that have not yet been labeled. ## ## ## The type of the process performing this action. ## # interface(`files_manage_isid_type_file',` gen_require(` type file_t; class dir rw_dir_perms; class file create_file_perms; ') allow $1 file_t:dir rw_dir_perms; allow $1 file_t:file create_file_perms; ') ######################################## ## ## Create, read, write, and delete symbolic links ## on new filesystems that have not yet been labeled. ## ## ## The type of the process performing this action. ## # interface(`files_manage_isid_type_symlink',` gen_require(` type file_t; class dir rw_dir_perms; class lnk_file create_lnk_perms; ') allow $1 file_t:dir rw_dir_perms; allow $1 file_t:lnk_file create_lnk_perms; ') ######################################## ## ## Read and write block device nodes on new filesystems ## that have not yet been labeled. ## ## ## The type of the process performing this action. ## # interface(`files_rw_isid_type_blk_node',` gen_require(` type file_t; class dir search; class blk_file rw_file_perms; ') allow $1 file_t:dir search; allow $1 file_t:blk_file rw_file_perms; ') ######################################## ## ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## ## ## The type of the process performing this action. ## # interface(`files_manage_isid_type_blk_node',` gen_require(` type file_t; class dir rw_dir_perms; class blk_file create_file_perms; ') allow $1 file_t:dir rw_dir_perms; allow $1 file_t:blk_file create_file_perms; ') ######################################## ## ## Create, read, write, and delete character device nodes ## on new filesystems that have not yet been labeled. ## ## ## The type of the process performing this action. ## # interface(`files_manage_isid_type_chr_node',` gen_require(` type file_t; class dir rw_dir_perms; class chr_file create_file_perms; ') allow $1 file_t:dir rw_dir_perms; allow $1 file_t:chr_file create_file_perms; ') ######################################## ## ## Get the attributes of the home directories root ## (/home). ## ## ## The type of the process performing this action. ## # interface(`files_getattr_home_dir',` gen_require(` type home_root_t; ') allow $1 home_root_t:dir getattr; ') ######################################## ## ## Do not audit attempts to get the ## attributes of the home directories root ## (/home). ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_home_dir',` gen_require(` type home_root_t; ') dontaudit $1 home_root_t:dir getattr; ') ######################################## ## ## Search home directories root (/home). ## ## ## The type of the process performing this action. ## # interface(`files_search_home',` gen_require(` type home_root_t; ') allow $1 home_root_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to search ## home directories root (/home). ## ## ## Domain to not audit. ## # interface(`files_dontaudit_search_home',` gen_require(` type home_root_t; ') dontaudit $1 home_root_t:dir search_dir_perms; ') ######################################## ## ## Get listing of home directories. ## ## ## The type of the process performing this action. ## # interface(`files_list_home',` gen_require(` type home_root_t; class dir r_dir_perms; ') allow $1 home_root_t:dir r_dir_perms; ') ######################################## ## ## Create home directories ## ## ## The type of the process performing this action. ## ## ## The type of the home directory ## # interface(`files_create_home_dirs',` gen_require(` type home_root_t; class dir rw_dir_perms; ') allow $1 home_root_t:dir rw_dir_perms; type_transition $1 home_root_t:dir $2; ') ######################################## ## ## Create, read, write, and delete objects in ## lost+found directories. ## ## ## The type of the process performing this action. ## # interface(`files_manage_lost_found',` gen_require(` type lost_found_t; class dir create_dir_perms; class file create_file_perms; class sock_file create_file_perms; class fifo_file create_file_perms; class lnk_file create_lnk_perms; ') allow $1 lost_found_t:dir create_dir_perms; allow $1 lost_found_t:file create_file_perms; allow $1 lost_found_t:sock_file create_file_perms; allow $1 lost_found_t:fifo_file create_file_perms; allow $1 lost_found_t:lnk_file create_lnk_perms; ') ######################################## # # files_search_mnt(domain) # interface(`files_search_mnt',` gen_require(` type mnt_t; class dir search; ') allow $1 mnt_t:dir search; ') ######################################## # # files_list_mnt(domain) # interface(`files_list_mnt',` gen_require(` type mnt_t; class dir r_dir_perms; ') allow $1 mnt_t:dir r_dir_perms; ') ######################################## ## ## Mount a filesystem on /mnt. ## ## ## Domain allowed access. ## # interface(`files_mounton_mnt',` gen_require(` type mnt_t; class dir { search mounton }; ') allow $1 mnt_t:dir { search mounton }; ') ######################################## ## ## Create, read, write, and delete directories in /mnt. ## ## ## Domain allowed access. ## # interface(`files_manage_mnt_dirs',` gen_require(` type mnt_t; class dir create_dir_perms; ') allow $1 mnt_t:dir create_dir_perms; ') ######################################## ## ## Create, read, write, and delete files in /mnt. ## ## ## Domain allowed access. ## # interface(`files_manage_mnt_files',` gen_require(` type mnt_t; class dir rw_dir_perms; class file create_file_perms; ') allow $1 mnt_t:dir rw_dir_perms; allow $1 mnt_t:file create_file_perms; ') ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. ## ## ## Domain allowed access. ## # interface(`files_manage_mnt_symlinks',` gen_require(` type mnt_t; class dir rw_dir_perms; class lnk_file create_lnk_perms; ') allow $1 mnt_t:dir rw_dir_perms; allow $1 mnt_t:lnk_file create_lnk_perms; ') ######################################## ## ## List world-readable directories. ## ## ## Domain allowed access. ## # interface(`files_list_world_readable',` gen_require(` type readable_t; class dir r_dir_perms; ') allow $1 readable_t:dir r_dir_perms; ') ######################################## ## ## Read world-readable files. ## ## ## Domain allowed access. ## # interface(`files_read_world_readable_files',` gen_require(` type readable_t; class file r_file_perms; ') allow $1 readable_t:file r_file_perms; ') ######################################## ## ## Read world-readable symbolic links. ## ## ## Domain allowed access. ## # interface(`files_read_world_readable_symlinks',` gen_require(` type readable_t; class lnk_file r_file_perms; ') allow $1 readable_t:lnk_file r_file_perms; ') ######################################## ## ## Read world-readable named pipes. ## ## ## Domain allowed access. ## # interface(`files_read_world_readable_pipes',` gen_require(` type readable_t; class fifo_file r_file_perms; ') allow $1 readable_t:fifo_file r_file_perms; ') ######################################## ## ## Read world-readable sockets. ## ## ## Domain allowed access. ## # interface(`files_read_world_readable_sockets',` gen_require(` type readable_t; class sock_file r_file_perms; ') allow $1 readable_t:sock_file r_file_perms; ') ######################################## ## ## Allow the specified type to associate ## to a filesystem with the type of the ## temporary directory (/tmp). ## ## ## Type of the file to associate. ## # interface(`files_associate_tmp',` gen_require(` type tmp_t; ') allow $1 tmp_t:filesystem associate; ') ######################################## ## ## Get the attributes of the tmp directory (/tmp). ## ## ## Domain allowed access. ## # interface(`files_getattr_tmp_dir',` gen_require(` type tmp_t; ') allow $1 tmp_t:dir getattr; ') ######################################## ## ## Do not audit attempts to get the ## attributes of the tmp directory (/tmp). ## ## ## The type of the process performing this action. ## # interface(`files_dontaudit_getattr_tmp_dir',` gen_require(` type tmp_t; class dir getattr; ') dontaudit $1 tmp_t:dir getattr; ') ######################################## ## ## Search the tmp directory (/tmp). ## ## ## The type of the process performing this action. ## # interface(`files_search_tmp',` gen_require(` type tmp_t; class dir search; ') allow $1 tmp_t:dir search; ') ######################################## ## ## Set the attributes of all tmp directories. ## ## ## The type of the process performing this action. ## # interface(`files_setattr_all_tmp_dirs',` gen_require(` attribute tmpfile; class dir { search setattr }; ') allow $1 tmpfile:dir { search getattr }; ') ######################################## # # files_create_tmp_files(domain,private_type,[object class(es)]) # interface(`files_create_tmp_files',` gen_require(` type tmp_t; class dir rw_dir_perms; ') allow $1 tmp_t:dir rw_dir_perms; ifelse(`$3',`',` type_transition $1 tmp_t:file $2; ',` type_transition $1 tmp_t:$3 $2; ') ') ######################################## # # files_purge_tmp(domain) # interface(`files_purge_tmp',` gen_require(` attribute tmpfile; class dir { rw_dir_perms rmdir }; gen_require_set({ getattr unlink },notdevfile_class_set) ') allow $1 tmpfile:dir { rw_dir_perms rmdir }; allow $1 tmpfile:notdevfile_class_set { getattr unlink }; ') ######################################## # # files_search_usr(domain) # interface(`files_search_usr',` gen_require(` type usr_t; class dir search; ') allow $1 usr_t:dir search; ') ######################################## ## ## List the contents of generic ## directories in /usr. ## ## ## Domain allowed access. ## # interface(`files_list_usr',` gen_require(` type usr_t; class dir r_dir_perms; ') allow $1 usr_t:dir r_dir_perms; ') ######################################## ## ## Get the attributes of files in /usr. ## ## ## Domain allowed access. ## # interface(`files_getattr_usr_files',` gen_require(` type usr_t; class dir search; class file getattr; ') allow $1 usr_t:dir search; allow $1 usr_t:file getattr; ') ######################################## # # files_read_usr_files(domain) # interface(`files_read_usr_files',` gen_require(` type usr_t; class dir r_dir_perms; class file r_file_perms; class lnk_file r_file_perms; ') allow $1 usr_t:dir r_dir_perms; allow $1 usr_t:{ file lnk_file } r_file_perms; ') ######################################## ## ## Execute generic programs in /usr in the caller domain. ## ## ## The type of the process performing this action. ## # interface(`files_exec_usr_files',` gen_require(` type usr_t; ') allow $1 usr_t:dir r_dir_perms; allow $1 usr_t:lnk_file r_file_perms; can_exec($1,usr_t) ') ######################################## ## ## Relabel a file to the type used in /usr. ## ## ## Domain allowed access. ## # interface(`files_relabelto_usr_files',` gen_require(` type usr_t; class file relabelto; ') allow $1 usr_t:file relabelto; ') ######################################## ## ## Read symbolic links in /usr. ## ## ## Domain allowed access. ## # interface(`files_read_usr_symlinks',` gen_require(` type usr_t; class dir search; class file r_file_perms; ') allow $1 usr_t:dir search; allow $1 usr_t:lnk_file r_file_perms; ') ######################################## ## ## Create objects in the /usr directory ## ## ## Domain allowed access. ## ## ## The type of the object to be created ## ## ## The object class. If not specified, file is used. ## # interface(`files_create_usr',` gen_require(` type usr_t; class dir rw_dir_perms; ') allow $1 usr_t:dir rw_dir_perms; ifelse(`$3',`',` type_transition $1 usr_t:file $2; ',` type_transition $1 usr_t:$3 $2; ') ') ######################################## ## ## Execute programs in /usr/src in the caller domain. ## ## ## The type of the process performing this action. ## # interface(`files_exec_usr_src_files',` gen_require(` type usr_t, src_t; ') allow $1 usr_t:dir search; allow $1 src_t:dir r_dir_perms; allow $1 src_t:lnk_file r_file_perms; can_exec($1,src_t) ') ######################################## # # files_dontaudit_search_src(domain) # interface(`files_dontaudit_search_src',` gen_require(` type src_t; ') allow $1 src_t:dir search; ') ######################################## # # files_read_usr_src_files(domain) # interface(`files_read_usr_src_files',` gen_require(` type usr_t, src_t; ') allow $1 usr_t:dir search; allow $1 src_t:dir r_dir_perms; allow $1 src_t:{ file lnk_file } r_file_perms; ') ######################################## ## ## Search the contents of /var. ## ## ## Domain allowed access. ## # interface(`files_search_var',` gen_require(` type var_t; ') allow $1 var_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to search ## the contents of /var. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_search_var',` gen_require(` type var_t; ') dontaudit $1 var_t:dir search; ') ######################################## ## ## List the contents of /var. ## ## ## Domain allowed access. ## # interface(`files_list_var',` gen_require(` type var_t; ') allow $1 var_t:dir r_dir_perms; ') ######################################## ## ## Create, read, write, and delete directories ## in the /var directory. ## ## ## Domain allowed access. ## # interface(`files_manage_var_dirs',` gen_require(` type var_t; class dir create_dir_perms; ') allow $1 var_t:dir create_dir_perms; ') ######################################## ## ## Read files in the /var directory. ## ## ## The type of the process performing this action. ## # interface(`files_read_var_files',` gen_require(` type var_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_t:file r_file_perms; ') ######################################## ## ## Create, read, write, and delete files in the /var directory. ## ## ## Domain allowed access. ## # interface(`files_manage_var_files',` gen_require(` type var_t; class dir rw_dir_perms; class file create_file_perms; ') allow $1 var_t:dir rw_dir_perms; allow $1 var_t:file create_file_perms; ') ######################################## ## ## Read symbolic links in the /var directory. ## ## ## Domain allowed access. ## # interface(`files_read_var_symlink',` gen_require(` type var_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_t:lnk_file { getattr read }; ') ######################################## ## ## Create, read, write, and delete symbolic ## links in the /var directory. ## ## ## Domain allowed access. ## # interface(`files_manage_var_symlinks',` gen_require(` type var_t; ') allow $1 var_t:dir rw_dir_perms; allow $1 var_t:lnk_file create_lnk_perms; ') ######################################## ## ## Create objects in the /var directory ## ## ## Domain allowed access. ## ## ## The type of the object to be created ## ## ## The object class. If not specified, file is used. ## # interface(`files_create_var',` gen_require(` type var_t; class dir rw_dir_perms; ') allow $1 var_t:dir rw_dir_perms; ifelse(`$3',`',` type_transition $1 var_t:file $2; ',` type_transition $1 var_t:$3 $2; ') ') ######################################## ## ## Get the attributes of the /var/lib directory. ## ## ## The type of the process performing this action. ## # interface(`files_getattr_var_lib_dir',` gen_require(` type var_t, var_lib_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_lib_t:dir getattr; ') ######################################## ## ## Search the /var/lib directory. ## ## ## The type of the process performing this action. ## # interface(`files_search_var_lib',` gen_require(` type var_t, var_lib_t; ') allow $1 { var_t var_lib_t }:dir search_dir_perms; ') ######################################## ## ## List the contents of the /var/lib directory. ## ## ## Domain allowed access. ## # interface(`files_list_var_lib',` gen_require(` type var_t, var_lib_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_lib_t:dir r_dir_perms; ') ######################################## ## ## Create objects in the /var/lib directory ## ## ## Domain allowed access. ## ## ## The type of the object to be created ## ## ## The object class. If not specified, file is used. ## # interface(`files_create_var_lib',` gen_require(` type var_t, var_lib_t; class dir rw_dir_perms; ') allow $1 var_t:dir search_dir_perms; allow $1 var_lib_t:dir rw_dir_perms; ifelse(`$3',`',` type_transition $1 var_lib_t:file $2; ',` type_transition $1 var_lib_t:$3 $2; ') ') ######################################## ## ## Read generic files in /var/lib. ## ## ## Domain allowed access. ## # interface(`files_read_var_lib_files',` gen_require(` type var_t, var_lib_t; ') allow $1 { var_t var_lib_t }:dir search_dir_perms; allow $1 var_lib_t:file r_file_perms; ') ######################################## ## ## Read generic symbolic links in /var/lib ## ## ## Domain allowed access. ## # interface(`files_read_var_lib_symlinks',` gen_require(` type var_t, var_lib_t; ') allow $1 { var_t var_lib_t }:dir search_dir_perms; allow $1 var_lib_t:lnk_file { getattr read }; ') ######################################## # # files_manage_urandom_seed(domain) # interface(`files_manage_urandom_seed',` gen_require(` type var_t, var_lib_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_lib_t:dir rw_dir_perms; allow $1 var_lib_t:file { getattr create read write setattr unlink }; ') ######################################## # # files_search_locks(domain) # interface(`files_search_locks',` gen_require(` type var_t, var_lock_t; ') allow $1 { var_t var_lock_t }:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to search the ## locks directory (/var/lock). ## ## ## Domain to not audit. ## # interface(`files_dontaudit_search_locks',` gen_require(` type var_lock_t; ') dontaudit $1 var_lock_t:dir search; ') ######################################## ## ## Add and remove entries in the /var/lock ## directories. ## ## ## Domain allowed access. ## # interface(`files_rw_locks_dir',` gen_require(` type var_t, var_lock_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_lock_t:dir rw_dir_perms; ') ######################################## # # files_getattr_generic_locks(domain) # interface(`files_getattr_generic_locks',` gen_require(` type var_t, var_lock_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_lock_t:dir r_dir_perms; allow $1 var_lock_t:file getattr; ') ######################################## # # files_manage_generic_locks(domain) # interface(`files_manage_generic_locks',` gen_require(` type var_lock_t; ') allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir }; allow $1 var_lock_t:file { getattr create read write setattr unlink }; ') ######################################## # # files_delete_all_locks(domain) # interface(`files_delete_all_locks',` gen_require(` attribute lockfile; class dir rw_dir_perms; class file { getattr unlink }; ') allow $1 lockfile:dir rw_dir_perms; allow $1 lockfile:file { getattr unlink }; ') ######################################## # # files_create_lock(domain,private_type,[object class(es)]) # interface(`files_create_lock',` gen_require(` type var_t, var_lock_t; class dir rw_dir_perms; ') allow $1 var_t:dir search; allow $1 var_lock_t:dir rw_dir_perms; ifelse(`$3',`',` type_transition $1 var_lock_t:file $2; ',` type_transition $1 var_lock_t:$3 $2; ') ') ######################################## ## ## Do not audit attempts to get the attributes ## of the /var/run directory. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_getattr_pid_dir',` gen_require(` type var_run_t; class dir getattr; ') dontaudit $1 var_run_t:dir getattr; ') ######################################## # # files_search_pids(domain) # interface(`files_search_pids',` gen_require(` type var_t, var_run_t; ') allow $1 var_t:dir search_dir_perms; allow $1 var_run_t:dir search; ') ######################################## ## ## Do not audit attempts to search ## the /var/run directory. ## ## ## Domain to not audit. ## # interface(`files_dontaudit_search_pids',` gen_require(` type var_run_t; ') dontaudit $1 var_run_t:dir search; ') ######################################## # # files_list_pids(domain) # interface(`files_list_pids',` gen_require(` type var_t, var_run_t; class dir r_dir_perms; ') allow $1 var_t:dir search_dir_perms; allow $1 var_run_t:dir r_dir_perms; ') ######################################## # # files_create_pid(domain,pidfile,[object class(es)]) # interface(`files_create_pid',` gen_require(` type var_t, var_run_t; class dir rw_dir_perms; ') allow $1 var_t:dir search_dir_perms; allow $1 var_run_t:dir rw_dir_perms; ifelse(`$3',`',` type_transition $1 var_run_t:file $2; ',` type_transition $1 var_run_t:$3 $2; ') ') ######################################## # # files_rw_generic_pids(domain) # interface(`files_rw_generic_pids',` gen_require(` type var_t, var_run_t; class dir r_dir_perms; class file rw_file_perms; ') allow $1 var_t:dir search; allow $1 var_run_t:dir r_dir_perms; allow $1 var_run_t:file rw_file_perms; ') ######################################## ## ## Do not audit attempts to write to daemon runtime data files. ## ## ## The type of the process performing this action. ## # interface(`files_dontaudit_write_all_pids',` gen_require(` attribute pidfile; ') dontaudit $1 pidfile:file write; ') ######################################## ## ## Do not audit attempts to ioctl daemon runtime data files. ## ## ## The type of the process performing this action. ## # interface(`files_dontaudit_ioctl_all_pids',` gen_require(` attribute pidfile; ') dontaudit $1 pidfile:file ioctl; ') ######################################## # # files_read_all_pids(domain) # interface(`files_read_all_pids',` gen_require(` attribute pidfile; type var_t; ') allow $1 var_t:dir search_dir_perms; allow $1 pidfile:dir r_dir_perms; allow $1 pidfile:file r_file_perms; ') ######################################## # # files_delete_all_pids(domain) # interface(`files_delete_all_pids',` gen_require(` attribute pidfile; type var_t, var_run_t; class dir rw_dir_perms; class file { getattr unlink }; class lnk_file { getattr unlink }; class sock_file { getattr unlink }; ') allow $1 var_t:dir search; allow $1 var_run_t:{ sock_file lnk_file } { getattr unlink }; allow $1 var_run_t:dir rmdir; allow $1 pidfile:dir rw_dir_perms; allow $1 pidfile:file { getattr unlink }; allow $1 pidfile:sock_file { getattr unlink }; ') ######################################## # # files_delete_all_pid_dirs(domain) # interface(`files_delete_all_pid_dirs',` gen_require(` attribute pidfile; type var_t; ') allow $1 var_t:dir search; allow $1 pidfile:dir { rw_dir_perms rmdir }; ') ######################################## # # files_search_spool(domain) # interface(`files_search_spool',` gen_require(` type var_t, var_spool_t; class dir search; ') allow $1 var_t:dir search; allow $1 var_spool_t:dir search; ') ######################################## # # files_list_spool(domain) # interface(`files_list_spool',` gen_require(` type var_t, var_spool_t; class dir r_dir_perms; ') allow $1 var_t:dir search; allow $1 var_spool_t:dir r_dir_perms; ') ######################################## # # files_manage_generic_spool_dirs(domain) # interface(`files_manage_generic_spool_dirs',` gen_require(` type var_t, var_spool_t; class dir create_dir_perms; ') allow $1 var_t:dir search; allow $1 var_spool_t:dir create_dir_perms; ') ######################################## # # files_read_generic_spools(domain) # interface(`files_read_generic_spools',` gen_require(` type var_t, var_spool_t; class dir r_dir_perms; class file r_file_perms; ') allow $1 var_t:dir search; allow $1 var_spool_t:dir r_dir_perms; allow $1 var_spool_t:file r_file_perms; ') ######################################## # # files_manage_generic_spools(domain) # interface(`files_manage_generic_spools',` gen_require(` type var_t, var_spool_t; class dir rw_dir_perms; class file create_file_perms; ') allow $1 var_t:dir search; allow $1 var_spool_t:dir rw_dir_perms; allow $1 var_spool_t:file create_file_perms; ') ######################################## ## ## Unconfined access to files. ## ## ## Domain allowed access. ## # interface(`files_unconfined',` gen_require(` attribute file_type; ') # Create/access any file in a labeled filesystem; allow $1 file_type:{ file chr_file } ~execmod; allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *; # Mount/unmount any filesystem with the context= option. allow $1 file_type:filesystem *; # Bind to any network address. # cjp: need to check this, I dont think this has any effect. allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind; ifdef(`targeted_policy',` tunable_policy(`allow_execmod',` allow $1 file_type:file execmod; ') ') ')